Nishi FamilyCompare › Governance and Policy Enforcement

Nishi vs the Field

Governance and Policy Enforcement — mechanically measured, liar-killed, sovereign.

Nishi vs OPA and Kyverno and Checkov and Conftest

How this is scored. Every Nishi cell is measured: the generator reads the real organ source on disk and requires the implementing symbol to exist (no self-grading). Competitor cells record documented capability presence. Best=leads this axis, Yes=present, Part=partial, No=absent. This is capability presence, not depth or scale: the majors lead on index size and neural ranking. Nishi's genuine exceeds are the sovereignty / neutrality / determinism axes.
CapabilityNishiOPAKyvernoCheckovConftestNotes
Multi-axis ratchet floors (cleaned debt cannot return)YesNoNoNoNoDebt, collisions, scratch each ratchet DOWN and LOCK in seg_store; any rise is RED; no policy engine carries a one-way floor primitive
Governed pulse firing (warden-owned, never ad-hoc)YesNoPartNoNoRatchet and training gates run ONLY through the conductor registry; Kyverno background scans are the partial peer
Separation-of-duties validation (exactly one Accountable)YesNoNoNoNoThe RACI validator REFUSES a matrix without exactly-1-A and at-least-1-R per activity -- org-structure policy the config-policy field does not touch
Capability tokens, attenuate-only, fail-closed verifyYesPartNoNoNoLeast-authority PROVEN live 2026-07-08: the read cap is DENIED nx_mgmt (reason 4); delegation can only SUBSET; OPA authz policies are the partial peer
Append-only consent ledger for delegationsYesNoNoNoNoEvery scoped cap issue recorded to cap_consent.log, readable via API -- explicit, auditable, revocable
Spend-wall gating on money-touching actionsYesNoNoNoNoDry-run first, STOP, explicit confirm-spend, once-only guard (gates 6/6 + 8/8, live-proven to the money 2026-07-09); the field gates configs, not purchases
Fail-closed key minting (refuses forgeable placeholder)YesNoNoNoNoThe minter EXITS rather than mint against a baked placeholder secret; wrong-key tokens deny -32001
Policy language (Rego-class, general-purpose)NoBestPartPartYesOPA Rego is the bar; our policies are ORGANS (compiled, gated) not declarative rules -- powerful but not authorable as data yet
Admission control (gate changes before they land)NoYesBestNoNoKyverno admission webhooks are the bar; our deploy path health-gates AFTER staging, not at admission
IaC misconfiguration scanningNoYesYesBestPartCheckov is the bar; our conf files are swept by the janitor as debt, not scanned for misconfiguration
Policy testing frameworkNoYesPartPartBestConftest exists to TEST configs against policy; our gates test organs, not policies
Auto-remediation / mutation of violationsNoNoBestPartNoKyverno mutate rules are the bar; our ratchets REFUSE but never fix
Compliance reporting / attestationNoPartPartBestNoCheckov compliance frameworks are the bar; our consent log and ratchet logs are raw material without reports
Externalized decision API (central authz query)NoBestNoNoPartOPA decision API is its core; our authorization is per-daemon in-process
Supply-chain artifact policy (signature verify)NoPartBestPartNoKyverno verifyImages is the bar; ties to the janitor census SBOM gap (mom 1864)
Config drift detection vs declared stateNoNoPartPartNoOur ratchets catch METRIC drift (debt, collisions); declared-config drift has no organ
Governance embedded IN the substrate (guards are compiled organs of the governed system)BestPartPartPartPartZero policy-engine dependency: every gate, ratchet, allowlist and wall is a NishiLang organ in the same toolchain it governs; the field bolts a separate engine beside the system
Structural money-safety (dry-run, stop, confirm-spend, once-only)BestNoNoNoNoA purchase pipeline that CANNOT double-spend or surprise-spend by construction, proven live to the money (INSUFFICIENT_FUNDS 0-charge dry-run); no policy engine in the field gates real spend
coverage 500/1000EXCEEDS 2PRESENT 7ABSENT 9
Honest verdict. The Nishi warden governs by CONSTRUCTION rather than by rule file: ratchet floors make cleaned debt structurally unable to return, capability tokens are attenuate-only with fail-closed verification (least-authority proven live -- a read cap is DENIED admin reason 4), the RACI validator enforces exactly-one-Accountable separation of duties, money-touching actions sit behind a dry-run-first spend wall, and every one of these guards is a compiled organ in the same substrate it governs. What it lacks is the field's generality: no policy LANGUAGE (our policies are organs, not Rego), no admission control, no IaC scanning, no policy testing framework, no auto-remediation, no compliance reporting, no externalized decision API. The climb: a data-driven policy spec the conductor can evaluate (policies as data per doctrine), violation reports on the compare plane, then admission-style gates on the deploy path.

Generated by nx_swcompare_matrix (sovereign NishiLang organ) from knowledge/compare/warden.matrix — every Nishi cell verified against real organ source on disk. Zero JS, zero trackers.