Research Project: GitCover.IdP

Official Recognition

The research project "Git-native Compliance for SMEs: Experimental development of an integrated identity and compliance management system with taxonomic identifier system (V7GUID)" was recognized by DLR Projektträger / BSFZ as an eligible R&D project under § 6 FZulG (German Research Tax Allowance Act).

Attribute Value
Case number 288-335-338/2026-1
Decision (positive) 22.04.2026
Research type Self-operated experimental development
Duration 01.01.2025 - 31.12.2026
Certification body BSFZ at DLR Projektträger, Bonn

Research Content

Investigation of whether Gitea-based Git repositories can serve as a Single Source of Truth (SSOT) for an integrated identity and compliance management system for SMEs.

Core Hypotheses

ID Hypothesis Research Risk
H1 Git organizations can represent OAuth2 clients and permissions and manage >1,000 users No reference implementation for >100k objects known
H2 End-to-end policy compliance chain: OPA-Rego -> OSCAL Assessment Results -> Evidence Hierarchical permissions on flat Rego policies are complex
H3 Deterministic Git structures as containment vessel for autonomous AI agents No reliable standards for deterministic AI containment exist

Novelty Characteristics

ID Characteristic Reference
N1 V7GUID Dual-Identifier: Integration of taxonomy into UUIDv7 Patent application 10 2025 003 091.6
N2 AI Guard-Rails: Cryptographic Git chains to tame autonomous agents GCUCB; VPRM concept
N3 GCEP Protocol: Advisory Locks and bundle signing for multi-repo sync Patent application 10 2025 003 359.1

BSFZ Research Questions F1-F5 (Frascati-qualified)

# Research Question Uncertainty
F1 V7GUID lookup O(1) with >10^6 objects in shared memory? Hash collisions, NUMA effects
F2 NativeAOT code from OSCAL/OPA YAML binary-compatible with memory layout? Schema evolution
F3 Typed bus improves LLM result quality vs. JSON text? No benchmark exists
F4 Cross-container shared memory compatible with GoBD? Mutability vs. audit
F5 Energy consumption per compliance workflow measurably reducible? Metrics missing

Relevance for GCBoK

The BSFZ-recognized research project demonstrates the scientific-technical novelty of the GitCover core architecture from an official perspective and strengthens the normative authority of GCBoK:

  1. V7GUID as a patented identification system (N1)
  2. GCEP/GCAL as a lock coordination mechanism (N3)
  3. AI Guard-Rails via deterministic Git structures (N2)

This threefold confirmation (patent application + BSFZ certificate + utility model) is the empirical foundation for GCBoK's claim to positioning as a normative terminology authority.

Phase 2 — AI Safety Research (from 2026)

From 2026, the focus expands to the security of AI infrastructures. The research thesis: Deterministic Git structures (V7GUID) can serve as physical guard rails for autonomous AI agents — instead of stochastic, injectable prompts.

Delineation from the Previous Project

Dimension Previous Project (2025–2026) New Project (from 2026/2027)
Subject Identity management, IdP, PGP/V7GUID, GoBD/GDPR AI governance, guardrails instead of prompts, MCP agent
Technical uncertainty Context manipulation of identity Determinism vs. stochastic AI control; prompt injection resistance via Git gate
Building block in GCBoK Identity & compliance core Tooling & guardrail layer (GCUCB)
Reference framework ISO/IEC 24773 OWASP LLM Top 10, Harness Engineering, MCP

The content shift from the topic "Gitea as IdP" to "Git repos as AI guardrails instead of prompts" via GCUCB requires a separate BSFZ certification as a new research project. The delineation at the work package level ensures that both projects remain cleanly separated and the research tax allowance recognition is not jeopardized.

Research Questions (Phase 2)

  1. Determinism vs. Stochastics: To what extent can the control of an AI agent be deterministically captured through a versioned Git guardrail repo, so that deviations from policy are detected at build time (not just at prompt time)?
  2. Prompt Injection Resistance: How far does a Git-native guardrail layer (signed, immutable, enforced via Git hook/OPA) protect against the "lethal trifecta" (private data + untrusted content + exfiltration)?
  3. MCP as Policy Enforcement Point: Can an MCP server with UI resource and iframe UI act as a policy gate that only exposes approved (signed) tools/contexts?
  4. Auditability: Is the Git commit history of the guardrail repo usable as a GoBD-compliant audit trail for AI decisions?

Note: The research and prototype developments by AFJD (Axel Franz Johann Druschel) are conducted on a self-operated basis outside of GCC working hours. The IP remains with AFJD; GCC is granted usage rights on a contractual basis. This separation secures the non-profit status of GCC (no concealed commercial business operation).

See also: FZulG applications and financial planning on the GCC landing page.