
[Feature Request] Support for change metadata and exception review tracking #1

@ISchisel-LFI

Description

Problem Statement

gcgit provides excellent technical change tracking via Git, but security teams also need to track business context and compliance metadata:

  • Review dates for exceptions (whitelists, rule threshold changes)
  • Approval workflows (who requested, who approved)
  • Business justification for changes
  • Proactive alerts when exceptions need re-evaluation

Currently, gcgit captures what changed technically, but not why it changed or when it should be reviewed.

Proposed Solutions (Open to Feedback)

Option A: YAML Frontmatter

Allow an optional metadata block in pulled YAML files:

# gcgit-metadata (preserved across pulls)
review_date: 2026-07-15
created_by: security-team
justification: "Required for legacy payroll system"
approval_ticket: JIRA-1234

# Original configuration (managed by gcgit)
rule_name: suspicious_process_execution
threshold: 10
whitelist:
  - C:\Custom\exec.exe

Option B: Sidecar Metadata Files

Generate .meta.yaml alongside each config file:

correlation-rules/
  ├── failed_login_detection.yaml        # Technical config (gcgit-managed)
  ├── failed_login_detection.meta.yaml   # Business context (user-managed)

Option C: Post-Pull Hook

Add hook support for custom metadata collection:

# .gcgit/hooks/post-pull.sh
# Triggered after each pull, prompts user for metadata if file changed

Use Case

Compliance requirement: All security exceptions must be reviewed every 6 months. We need to track which configurations are exceptions and alert when reviews are due.

Current Workaround

Maintaining parallel tracking in GitHub Issues or external spreadsheets, manually linked to Git commits.

Question

Would the maintainers be open to native metadata support, or is the recommendation to handle this externally? Happy to contribute a PR if there's interest.
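The review-date tracking the issue describes, worked through as an added example (this is not gcgit's code, and nothing here is gcgit's API). It assumes the Option A layout above: an optional leading `# gcgit-metadata` comment block of flat `key: value` lines, then a blank line, then the gcgit-managed configuration. It also assumes `review_date` is ISO-8601 and a six-month review interval, per the use case. Only the standard library is used, so the block is read with a small `key: value` scanner rather than a full YAML parser; the `merge_pull` step is what an Option C post-pull hook would run to keep the block intact after gcgit rewrites the file. The sample files and the as-of date are constructed for the demonstration.

```python
"""Review-date audit for gcgit-pulled YAML files (added example, not gcgit's code).

Assumptions: Option A layout (leading '# gcgit-metadata' block, blank line, then
the gcgit-managed body), ISO-8601 review_date, six-month review interval.
"""
from __future__ import annotations

import calendar
import re
from datetime import date, timedelta

METADATA_MARKER = "# gcgit-metadata"   # assumed header of the preserved block
KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")
TODAY = date(2026, 6, 30)              # constructed as-of date for the demo


def split_frontmatter(text: str) -> tuple[dict[str, str], str]:
    """Split a pulled file into (metadata, gcgit-managed body).

    The block runs from the marker line to the first blank line; files with no
    marker yield an empty dict and the unchanged text.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith(METADATA_MARKER):
        return {}, text
    meta: dict[str, str] = {}
    i = 1
    while i < len(lines) and lines[i].strip():
        m = KV_RE.match(lines[i])
        if m:
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]          # strip simple surrounding quotes
            meta[key] = value
        i += 1
    return meta, "\n".join(lines[i:]).lstrip("\n")


def render(meta: dict[str, str], body: str) -> str:
    """Re-emit the metadata block above the body, quoting values with spaces or ':'/'#'."""
    if not meta:
        return body
    block = [f"{METADATA_MARKER} (preserved across pulls)"]
    for key, value in meta.items():
        needs_quotes = value == "" or any(c in value for c in " :#")
        block.append(f'{key}: "{value}"' if needs_quotes else f"{key}: {value}")
    return "\n".join(block) + "\n\n" + body


def merge_pull(existing_text: str, pulled_body: str) -> str:
    """Keep the operator's metadata block while replacing the gcgit-managed body.

    This is the post-pull step (Option C) that makes the block survive a pull.
    """
    meta, _ = split_frontmatter(existing_text)
    return render(meta, pulled_body)


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (30 Aug + 6 months clamps to 28/29 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def review_status(meta: dict[str, str], today: date, warn_days: int = 30) -> str:
    """Classify one file as untracked, invalid, overdue, due-soon or ok."""
    raw = meta.get("review_date")
    if raw is None:
        return "untracked"
    try:
        due = date.fromisoformat(raw)
    except ValueError:
        return "invalid"
    if due < today:
        return "overdue"
    if due - today <= timedelta(days=warn_days):
        return "due-soon"
    return "ok"


def audit(files: dict[str, str], today: date) -> dict[str, str]:
    """Map each file path to its review status; this is the 'alert when due' report."""
    return {p: review_status(split_frontmatter(t)[0], today) for p, t in files.items()}


def renew(meta: dict[str, str], today: date, ticket: str, months: int = 6) -> dict[str, str]:
    """Record a completed review: next due date six months out plus the approval ticket."""
    return {**meta, "review_date": add_months(today, months).isoformat(), "approval_ticket": ticket}


# Constructed sample input modelled on the issue's examples; the second and
# third files (and their values) are made up for the demonstration.
SAMPLE_FILES = {
    "correlation-rules/suspicious_process_execution.yaml": (
        "# gcgit-metadata (preserved across pulls)\n"
        "review_date: 2026-07-15\n"
        "created_by: security-team\n"
        'justification: "Required for legacy payroll system"\n'
        "approval_ticket: JIRA-1234\n\n"
        "# Original configuration (managed by gcgit)\n"
        "rule_name: suspicious_process_execution\n"
        "threshold: 10\n"
        "whitelist:\n  - C:\\Custom\\exec.exe\n"
    ),
    "correlation-rules/failed_login_detection.yaml": "rule_name: failed_login_detection\nthreshold: 5\n",
    "correlation-rules/legacy_vpn_whitelist.yaml": (
        "# gcgit-metadata (preserved across pulls)\n"
        "review_date: 2025-12-01\n"
        "approval_ticket: JIRA-0999\n\n"
        "rule_name: legacy_vpn_whitelist\n"
    ),
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_FILES, TODAY).items():
        print(f"{status:>9}  {path}")
```

Run as a script it prints one status per file; in a pipeline you would feed `audit()` the real pulled tree and page on anything `overdue` or `invalid`, and call `merge_pull()` from the post-pull hook before the file is committed so the metadata is never lost to a fresh pull.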

Labels: enhancement