Nishi Family › Compare › Governance and Policy Enforcement
Governance and Policy Enforcement — mechanically measured, liar-killed, sovereign.
Nishi vs OPA and Kyverno and Checkov and Conftest
| Capability | Nishi | OPA | Kyverno | Checkov | Conftest | Notes |
|---|---|---|---|---|---|---|
| Multi-axis ratchet floors (cleaned debt cannot return) | Yes | No | No | No | No | Debt, collisions, scratch each ratchet DOWN and LOCK in seg_store; any rise is RED; no policy engine carries a one-way floor primitive |
| Governed pulse firing (warden-owned, never ad-hoc) | Yes | No | Part | No | No | Ratchet and training gates run ONLY through the conductor registry; Kyverno background scans are the partial peer |
| Separation-of-duties validation (exactly one Accountable) | Yes | No | No | No | No | The RACI validator REFUSES a matrix without exactly-1-A and at-least-1-R per activity -- org-structure policy the config-policy field does not touch |
| Capability tokens, attenuate-only, fail-closed verify | Yes | Part | No | No | No | Least-authority PROVEN live 2026-07-08: the read cap is DENIED nx_mgmt (reason 4); delegation can only SUBSET; OPA authz policies are the partial peer |
| Append-only consent ledger for delegations | Yes | No | No | No | No | Every scoped cap issue recorded to cap_consent.log, readable via API -- explicit, auditable, revocable |
| Spend-wall gating on money-touching actions | Yes | No | No | No | No | Dry-run first, STOP, explicit confirm-spend, once-only guard (gates 6/6 + 8/8, live-proven to the money 2026-07-09); the field gates configs, not purchases |
| Fail-closed key minting (refuses forgeable placeholder) | Yes | No | No | No | No | The minter EXITS rather than mint against a baked placeholder secret; wrong-key tokens deny -32001 |
| Policy language (Rego-class, general-purpose) | No | Best | Part | Part | Yes | OPA Rego is the bar; our policies are ORGANS (compiled, gated) not declarative rules -- powerful but not authorable as data yet |
| Admission control (gate changes before they land) | No | Yes | Best | No | No | Kyverno admission webhooks are the bar; our deploy path health-gates AFTER staging, not at admission |
| IaC misconfiguration scanning | No | Yes | Yes | Best | Part | Checkov is the bar; our conf files are swept by the janitor as debt, not scanned for misconfiguration |
| Policy testing framework | No | Yes | Part | Part | Best | Conftest exists to TEST configs against policy; our gates test organs, not policies |
| Auto-remediation / mutation of violations | No | No | Best | Part | No | Kyverno mutate rules are the bar; our ratchets REFUSE but never fix |
| Compliance reporting / attestation | No | Part | Part | Best | No | Checkov compliance frameworks are the bar; our consent log and ratchet logs are raw material without reports |
| Externalized decision API (central authz query) | No | Best | No | No | Part | OPA decision API is its core; our authorization is per-daemon in-process |
| Supply-chain artifact policy (signature verify) | No | Part | Best | Part | No | Kyverno verifyImages is the bar; ties to the janitor census SBOM gap (mom 1864) |
| Config drift detection vs declared state | No | No | Part | Part | No | Our ratchets catch METRIC drift (debt, collisions); declared-config drift has no organ |
| Governance embedded IN the substrate (guards are compiled organs of the governed system) | Best | Part | Part | Part | Part | Zero policy-engine dependency: every gate, ratchet, allowlist and wall is a NishiLang organ in the same toolchain it governs; the field bolts a separate engine beside the system |
| Structural money-safety (dry-run, stop, confirm-spend, once-only) | Best | No | No | No | No | A purchase pipeline that CANNOT double-spend or surprise-spend by construction, proven live to the money (INSUFFICIENT_FUNDS 0-charge dry-run); no policy engine in the field gates real spend |
Generated by nx_swcompare_matrix (sovereign NishiLang organ) from knowledge/compare/warden.matrix — every Nishi cell verified against real organ source on disk. Zero JS, zero trackers.