2026-02-13-YOUR-FILESYSTEM-IS-YOUR-ORG-CHART

Your Filesystem Is Your Org Chart

Every repository boundary is a governance boundary. Violate the boundary, violate the governance.


A junior engineer pushes a commit. Somewhere inside a governed repository, a nested .git directory appears — a repository inside a repository. The outer repo can’t track the inner one. The inner repo changes silently. The audit trail has a gap. Nobody notices for three weeks.

This actually happened. And the fix wasn’t a code review. It was a structural rule.

The Rule

One root = one repo = one governance boundary

No nested git repositories. No orphaned directories pretending to be repos. No ambiguous ownership. Every directory that matters has a .git boundary, and every .git boundary is governed.

The only exception: submodules. A submodule stores a gitlink — a specific commit hash — in the outer repository. The outer repo pins the exact state of the inner repo. Change the inner repo and the outer repo notices: the gitlink changes, the diff appears, governance captures it.

Anything else is a ticking bomb.

Why It Breaks

When a git repository contains another git repository without submodules:

The outer repo goes blind. It sees a directory, not a history. Commits in the inner repo are invisible to the outer repo’s governance.

Audits have gaps. “What was the state of this system on March 15?” The outer repo can answer for its files. The inner repo is a black hole. The audit trail stops at the boundary.

Drift becomes invisible. The inner repo can change — new files, deleted files, modified logic — without the outer repo recording a single byte of change. Silent drift. The worst kind.

How We Learned This

During workspace normalization, nested .git directories were found inside the governed root. Repositories inside repositories, untracked, unversioned, ungoverned. The outer repo’s LEDGER had gaps. Audits would have holes.

The fix: normalize every root to a 1:1 repo mapping. Nested repos become submodules (governed) or move to sibling positions (independent). No exceptions. No “we’ll fix it later.”
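One way to check a governed root for the condition described above, as an added example that is not the original post's or project's tooling. The function names and the sample layout are hypothetical, and a path listed in .gitmodules is assumed to be a governed submodule.

```python
import os
import re
import tempfile

PATH_RE = re.compile(r"^\s*path\s*=\s*(.+?)\s*$")

def submodule_paths(root):
    """Paths registered in root/.gitmodules (empty set if the file is absent)."""
    try:
        with open(os.path.join(root, ".gitmodules"), encoding="utf-8") as fh:
            return {os.path.normpath(m.group(1)) for m in map(PATH_RE.match, fh) if m}
    except FileNotFoundError:
        return set()

def find_nested_repos(root):
    """Return (governed, ungoverned) repo paths nested below root, relative to it."""
    # Assumption: registration in .gitmodules counts as governed. A stricter check
    # would also confirm the gitlink (mode 160000) via `git ls-files --stage`.
    registered = submodule_paths(root)
    governed, ungoverned = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        has_git = ".git" in dirnames or ".git" in filenames
        if ".git" in dirnames:
            dirnames.remove(".git")  # never walk into git metadata
        rel = os.path.relpath(dirpath, root)
        if rel == "." or not has_git:
            continue
        (governed if rel in registered else ungoverned).append(rel)
        dirnames[:] = []  # an inner repo is its own boundary; scan it separately
    return sorted(governed), sorted(ungoverned)

def build_sample_tree(base):
    """Constructed sample layout: one registered submodule, one stray nested repo."""
    for d in (".git", "vendor/lib", "tools/scratch/.git", "src"):
        os.makedirs(os.path.join(base, d))
    with open(os.path.join(base, ".gitmodules"), "w", encoding="utf-8") as fh:
        fh.write('[submodule "vendor/lib"]\n\tpath = vendor/lib\n'
                 '\turl = https://example.invalid/lib.git\n')
    # A submodule checkout normally has a .git *file* pointing into the outer repo.
    with open(os.path.join(base, "vendor/lib/.git"), "w", encoding="utf-8") as fh:
        fh.write("gitdir: ../../.git/modules/vendor/lib\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        governed, ungoverned = find_nested_repos(tmp)
        print("governed submodules:", governed)
        print("ungoverned nested repos:", ungoverned)
```

Any path in the second list is a candidate for conversion to a submodule or relocation to a sibling directory.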

The pattern has held since. When the filesystem IS the governance boundary, code organization becomes self-enforcing. An ungoverned directory in a governed repo is like a room without a door in a building with a fire code — the inspector finds it, every time.

Figures

Context | Type       | Data
post    | flow-chain | nodes: Root → Org → Scope → Terminal

CANONIC — The filesystem is the org chart. The repo is the boundary.