Axis 5: Procedures
SME Onboarding
The entry for SMEs into Git-native compliance follows a stepwise path:
- Initialize Git repository — Structure with
.gitcover/directory, V7GUID configuration - Select OSCAL catalog — GoBD baseline, BSI modules, or individual profile
- Activate OPA policies — Pre-receive hooks for validation before commit
- Set up GPG signing — One GPG key pair per actor
- Start evidence chain — Assign first V7GUIDs, begin prev-hash chaining
For Entrepreneurs from Side-Business Level
The entry can begin with a very simple setup: GCDMS for evidence archiving, GCPN for evidence chains. Expand later: OSCAL policies, OPA validation, multi-tenant.
Interactive Onboarding: The "Compliance City"
Instead of classical questionnaires, onboarding takes place as a modular construction following the concept of a city on a Lego baseplate. Every architectural decision and every functional requirement corresponds to a building block or a set (Lego set) that is stored and versioned as a structured module in the newly initialized default Git repository.
The analogy for the user:
- The baseplate: The empty Git repository freshly created for the tenant in its infrastructure. It provides the standardized framework (the studs) on which everything docks.
- The building blocks: Modular configuration and service files. Only when a block snaps into place (Git commit) does the corresponding function or compliance check become active.
Phase 1 — Lay out baseplate (Initialization & Identity):
The system automatically creates the default repository for the tenant. The onboarding assistant determines the company's identity. The data is stored in a structured manner in the 'TOP' (Tenant Organization Profile) repository — the first Git commit is already the first auditable compliance process. Incidentally: Tenants can naturally also be organized hierarchically, like the corporate structures they belong to.
| Building Block | Technical Equivalent | Purpose |
|---|---|---|
| Baseplate | git init --object-format=sha256 |
Basis of all tenant activities in the 'TOP' Git repository and directory |
| Town Hall | ./.gitcover |
GitCover Dot-Directory where the Tenant Dictionaries and Configurations reside |
Phase 2 — Infrastructure wiring (utility network):
The assistant captures the IT landscape: laptop workstation, file server, cloud-first or hybrid infrastructure. Parameters such as internet connection, domain, storage paths, etc. flow into the infrastructure information and prepare paths for cross-connections (others.json).
Phase 3 — Erect buildings (functional scope):
The user decides modularly which regulatory areas their city should secure:
| Building Block | Scope | Action |
|---|---|---|
| Marketplace (GoBD/AO basis) | Mandatory for every SME — procedure documentation | e.g. Module & folder /compliance/gobd/ is activated |
| Bank & Cash (financial accounting) | Journal management, general ledgers, bank interfaces | e.g. Module & folder /finance/journal/ and /finance/ledgers/ is activated |
| Factory Gate (security/NIS2) | Optional extended IT security and reporting obligations | e.g. Module & folder /compliance/nis2/ is activated |
The user never sees configuration files or code at any point. Since every step immediately produces a clean Git commit, the system is fully audit-proof per GoBD and AO from the very first minute.
Tenant Isolation and Access Control
OIDC Claims and others.json
Linking OIDC claims with others.json is the royal road for multi-tenant, layperson-safe compliance environments. In others.json the following accumulate:
- Canonical routes to the tenant's own Git repositories
- Cross-connections to Git repositories of other tenants, if the tenant is a member of a group
Access is controlled via OIDC claims (roles and custom claims such as tenant_id and group memberships). An inlet pipeline reads others.json depending on the user claim and injects the allowed paths as a system prompt:
You are the GitCover Agent for Tenant X. You have exclusive access to the following repositories: [Path 1], [Path 2]. Do not execute commands outside these directories.
For the end user, this security apparatus remains invisible. They log in, see their familiar work environment, and the AI automatically knows where it may operate.
AI-Assisted Data Entry via Form Bridging
Chat interfaces are suitable for contexts and analyses, not for strict data type capture (IBANs, postal codes, OSCAL schemas). GCBoK therefore recommends a form bridging approach:
- AI recognizes need: The user says "I want to add a new business premises."
- Dynamic form URL: The AI outputs a link to a validated web input form (Blazor WASM/PWA), coupled with session and user management.
- Encapsulated input: The user fills out the form — hard-validated before saving.
- Direct write to Git: The form writes the result as a structured file directly into the working directory of the tenant repository and triggers the commit.
- AI takes over again: The MCP server reports "file updated," the AI confirms in chat.
Advantage: Validation before saving protects the single source of truth. LLMs do not manipulate the write process. Git hook/OPA validation is triggered immediately.
The .gitcover/ Directory Structure
The .gitcover/ directory in the root of a GitCover repository is the central archive for all non-code artifacts. It serves audit-proof integrity, compliance (GoBD/AO), and audit trail management.
Directory Layout
.gitcover/
├── issues/ # Gitea Issues as .v7g.md
├── projects/ # Project management data
├── time_tracking/ # Time tracking and effort records
├── workflows/ # Workflow states and approvals
├── compliance/
│ ├── oscals/ # OSCAL documents (System Security Plans)
│ ├── opa/ # OPA rules (Rego policies)
│ └── hooks/ # Git hooks for automation
├── audit/
│ ├── signatures/ # Cryptographic signatures
│ ├── timestamps/ # Timestamps (ELSTER/Bundesanzeiger)
│ └── logs/ # Protocols
└── README.md # Documentation of the structure
File Naming Convention
General format: {uuidV7}_{human-readable-key}_{description}.v7g.md
| Artifact Type | Example | Rationale |
|---|---|---|
| Issue | 018e312f-..._#123_Bugfix-Login.v7g.md |
UUIDv7 for sortability, # for identification |
| Project | 018e312f-..._Project-X.v7g.md |
Unique, temporally sortable |
| Time tracking | 018e312f-..._2026-06-29_Axel-D.v7g.md |
Date and user in plain text |
| Sidecar (PDF/DOCX) | Invoice_2026.pdf.v7g.md |
Metadata for the original document |
Metadata Schema (.v7g.md Frontmatter)
---
uuid: 018e312f-3e4f-7000-8000-000000000000
key: "#123"
type: "issue"
title: "Bugfix: Login Module"
original_source: "Gitea"
original_repo_hash: "a1b2c3d4e5f6..."
related_commits: ["abc123", "def456"]
related_elements:
project: "Project-X"
milestone: "v1.0"
forensic_attributes:
created_at: "2026-06-29T12:00:00Z"
updated_at: "2026-06-29T14:30:00Z"
created_by: "Axel D."
compliance:
gobd_relevant: true
audit_trail: true
signature: "GPG signature hash"
timestamp: "ELSTER-2026-06-29-120000"
---
Automation through Git Hooks and Webhooks
GitCover repos are automatically configured with hooks/webhooks during init or tenant onboarding:
post-commit: Updates.gitcover/on new commitspre-push: Validates.gitcover/before push- Webhooks: Issue creation, project changes, time tracking — each triggers export as
.v7g.md - Compliance claim: Immediate activation of OSCAL/OPA mechanisms
The versioning of these hooks/webhooks also occurs via Git, so changes are traceable and auditable (self-referential, versioned, audit-proof). The hooks themselves can be versioned code artifacts that reside in .gitcover/hooks/ and are updated as needed, documented in compliance with GoBD or NIS2.
Issue Archiving: Gitea DB to Git Fact Base
Problem Statement
Gitea issues are database entries — not native Git objects. They are not versioned and cannot be reconstructed if the Gitea database is lost. Commits reference issues only textually (Fixes #123); this reference is not interpreted by Git.
Solution: Automated Export as .v7g.md
The workflow from Gitea database to audit-proof fact base:
- Gitea issue created → Webhook triggers export
- Export as .v7g.md → Save in
.gitcover/issues/ - Extract metadata → UUID, hashes, signatures
- Git commit with signature →
git commit -S - OSCAL/OPA validation → Compliance check
- Timestamp → ELSTER/Bundesanzeiger integration (if required)
OPA Example Rule for Issue Validation
package gcbok.compliance
violation[msg] {
input.path == "issues"
file := input.files[_]
not startswith(file.name, "018") # UUIDv7 check
msg := sprintf("Issue %s hat keine gueltige UUIDv7 im Dateinamen", [file.name])
}
GoBD/AO Compliance
| GoBD Requirement | Implementation in .gitcover/ |
|---|---|
| Traceability | Every change is logged in .gitcover/audit/logs/ |
| Immutability | .v7g.md files are never overwritten but versioned |
| Retention obligation | 10 years (DE) — .gitcover/ as central archive |
| Evidence function | .v7g.md files as digital evidence |
| Auditability | Signatures and timestamps enable forensic validation |
Audit-Readiness
Audit-readiness means: Every audit can take place at any time — without follow-up preparation.
| Prerequisite | Git-native Fulfillment |
|---|---|
| Complete audit trail | Git history (commit log) |
| Verifiable identities | GPG signatures |
| Temporal sortability | V7GUID timestamps |
| Machine-readable evidence | OSCAL Assessment Results |
| Policy conformance | OPA validation results |
GoBD Year-End Close
The GoBD year-end close with Git-native compliance:
- Close period — Freeze Git branch
FY2026(tag) - Validate evidence chain — Check V7GUID chaining (script)
- Generate OSCAL Assessment Results — Automated from OPA validations
- GPG seal issuance — Closing commit with CEO signature
- Archiving —
.v7g.zipcontainer, v7g-export
NIS2 Risk Analysis
The NIS2 risk analysis on a Git basis:
- Asset inventory — Git repositories as asset register
- Risk identification — OPA policies for threat scenarios
- Assessment — V7GUID classification for risk categories
- Mitigation — Pre-receive hooks for policy enforcement
- Report — OSCAL Assessment Results as NIS2 evidence
AI Server Integration in the LAN
Architecture Principle
GCBoK describes a reference model for integrating a headless AI server in the LAN that centrally provides LLM inference and RAG-supported compliance agents. The AI environment runs in an isolated container environment (Rootless Podman) but couples to natively installed services on the host for inference and web search.
SSH Script Host (OSSH)
For demanding tasks (code compilation, Git operations, compliance checks) that go beyond the container sandbox, the agent uses an SSH Script Host — a controlled, key-based breakout to the host system:
- Agent decides: "Execute dotnet-build"
- SSH channel: encrypted connection via
id_rsa.pubto host user - Native process: command is executed in the real OS context
- Stream return: stdout/stderr are returned as text stream
- Agent analyzes: compiler output in LLM context
Security requirement: The SSH key generated in the container must be installed on the host in authorized_keys. Communication occurs purely via standard data streams (stdin, stdout, stderr) — without file transfer.
Consistent Path Addressing (FQN)
To avoid path inconsistencies between workstation, container, and script host, file server shares are mounted at identical mount points on all systems. AI agents and human developers reference identical absolute path specifications at all times.
Multi-Device Capability
Through centralization on the AI server, multiple end devices can access the same environment in parallel:
- The developer starts a code analysis on the desktop
- They track the agent's progress in real time on the smartphone via VPN
- No mutual blocking — the script host opens separate, short-lived shell processes
Share Frontends: Nextcloud as Read-Only Frontend
Role Distribution
| Component | Role | GCBoK Compliance |
|---|---|---|
| GCDMS | Primary storage location for compliance artifacts in Git | Complete |
| GCPN | Policy validation (OPA/Rego) and compliance rules | Complete |
| GCUCB | Context bus for AI agents, OPA validators, audit systems | Complete |
| Nextcloud | Only for shares/permissions (external users, mobile access) | Limited |
Conditions for Use
Nextcloud can be used selectively for shares in a GCBoK-based environment if:
- Read-only shares only — No changes via Nextcloud; all mutations run through Git
- Git integration — Nextcloud mounts Git repos as external storage (WebDAV, S3 Gateway, or GCSYNC)
- Policy validation — GCPN defines access rules (OPA/Rego); Nextcloud only implements them
- Audit logging — Nextcloud logs are forwarded to GCAL (Syslog/Loki)
- Open-source compliance — Community Edition only, no proprietary plugins
Exclusion Criteria
- Write access via Nextcloud (violates Git-native storage)
- Proprietary Nextcloud extensions (violates OSS principles)
- Missing Git integration (Nextcloud must be able to access Git repos)
See also: Templates for OSCAL catalogs and OPA policies in Axis 6: Templates.