🛡 SOVEREIGN OPA HELIX
MEROSTONE POLICY ENGINE · KCF EA-1..82 · MECord CRDs · PEMOS/EOSE FLEET · DAY 93
"MEROSTONE instead of Rego. Every admission decision γ₁-anchored. Every policy non-repudiable."
γ₁ = 14.134725141734693 · SOSTLE L0–L7 · FC1 AIRLOCK · 82 KCF CONTROLS · 11 MECRDS KINDS
OPA (REGO) vs SOVEREIGN OPA (MEROSTONE) · FULL COMPARISON

Open Policy Agent uses Rego (a Datalog-like language) for k8s admission control. PEMOS replaces every layer with sovereign equivalents: MEROSTONE instead of Rego, PEMLAAM fermentation instead of bundles, LOCO scoring instead of a Rego interpreter, MECord CRDs instead of Gatekeeper templates. The anchor is γ₁ = 14.134725141734693 — every decision is timestamped and non-repudiable.

DIMENSION | OPA (REGO) | SOVEREIGN OPA (MEROSTONE)
Policy Language | Rego (Datalog-like) | MEROSTONE L1/L2/L3
Policy Storage | Bundles / OCI | PEMLAAM FC1→FC2→FC3
Evaluation Engine | Rego interpreter | LOCO scoring + bonixer
Admission Control | Gatekeeper webhook | KCF EA-1..73 + MECord CRDs
Policy Testing | conftest | bonixer (0 passes = correct)
Distributed Eval | OPA decision log | PEMCLAU GraphRAG (2-hop)
Anchor | None (arbitrary) | γ₁ = 14.134725141734693
Sovereignty | None | SOSTLE L0–L7, FC1 airlock at L4/L5
Lineage | None | DCJ + LABR + TRB (non-repudiable)
k8s Integration | Gatekeeper CRDs | MECRDS (11 CRD kinds)
Scope | k8s admission | k8s + k3s + docker + AKS + GKE + EKS
WHY MEROSTONE WINS ON SOVEREIGNTY
γ₁ FLOOR
Every policy evaluation, every admission decision, every block event is timestamped with γ₁ = 14.134725141734693. Rego has no such anchor. An adversary cannot replay a past admission without the γ₁ serial mismatch being detectable.
SOSTLE LAYERS
OPA operates at one layer. MEROSTONE enforces at every SOSTLE wall L0–L7. Crossing L4→L5 requires FC1 airlock. Crossing L5→L6 requires CLO approval. No policy bundle can bypass these walls.
NON-REPUDIABILITY
OPA decision logs are advisory. MEROSTONE results are filed to DCJ, LABR, and TRB. Any DENY event is a court record. Any ADMIT with WATCH conditions is bonixer-tracked. Nothing disappears.
82 KCF CONTROLS
OPA has no concept of controls — it just runs Rego. MEROSTONE enforces 82 KCF controls at evaluation time. EA-68 (admission gate), EA-69 (constraint registry), EA-70 (control plane sovereignty) are baked in — not optional plugins.
MEROSTONE POLICY ENGINE · 3 LAYERS · L1 SYNTACTIC → L2 SEMANTIC → L3 PRAGMATIC
L1 — SYNTACTIC
Input validation gate · γ₁ schema check
Every incoming resource request is first parsed against the γ₁ schema. Required fields: kind, namespace, image (for workloads). Missing fields immediately trigger L1 REJECT — no semantic evaluation attempted. γ₁ = 14.134725141734693 is stamped on the input receipt.
L2 — SEMANTIC
LOCO scoring + KCF evaluation → PASS / WATCH / FAIL
Each applicable KCF control is evaluated against the resource. EA-4 (γ₁-anchored timestamps), EA-8..15 (SOSTLE walls), EA-49 (AKS sovereign baseline), EA-68 (admission gate), EB-8 (vulnerability scan attestation), EC-9..13 (tenant/cloud gates) all fire here. LOCO scores each control: PASS / WATCH / FAIL. Any FAIL propagates to L3 as DENY.
L3 — PRAGMATIC
Fleet action · PASS → ADMIT (proceed) · WATCH → HOLD (bonixer) · FAIL → DENY (block + FC1)
L3 takes the L2 verdict and executes fleet action. ADMIT (every applicable control scored PASS): resource proceeds, γ₁ serial issued. HOLD (at least one WATCH, no FAIL): admission paused, bonixer examination required (EA-22: 0 passes = correct). DENY (any FAIL): resource blocked, FC1 event fired, DCJ entry created. No silent failures. All DENY events are court records.
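The L1→L2→L3 pipeline above, as an added example that is not MEROSTONE or PEMOS code: a three-layer evaluator in which L1 rejects on missing required fields before any semantic work, L2 scores only the controls applicable to the resource kind, and L3 maps the scores to ADMIT / HOLD / DENY and files every verdict to an append-only ledger with a serial and the γ₁ anchor value. The control ids X-IMG and X-PRIV, their bodies (digest-pinned image, no privileged flag), the Ledger class and the sample resources are assumptions made for illustration; they are not definitions from the KCF registry.

```python
"""Three-layer admission evaluator: L1 syntactic -> L2 semantic -> L3 pragmatic.

Added example, not MEROSTONE/PEMOS code. Control ids, control bodies, the
Ledger stand-in and the sample resources are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

GAMMA_1 = 14.134725141734693              # anchor value quoted by the page
REQUIRED_FIELDS = ("kind", "namespace")   # plus "image" for workload kinds
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job"}

PASS, WATCH, FAIL = "PASS", "WATCH", "FAIL"                    # L2 scores
REJECT, ADMIT, HOLD, DENY = "REJECT", "ADMIT", "HOLD", "DENY"  # L1/L3 decisions


@dataclass
class Verdict:
    decision: str
    layer: str                          # layer that produced the decision
    gamma1: float = GAMMA_1             # stamped on every verdict
    serial: Optional[int] = None        # assigned by the ledger when filed
    controls: dict = field(default_factory=dict)  # control id -> score
    reasons: list = field(default_factory=list)


@dataclass(frozen=True)
class Control:
    cid: str
    applies: Callable[[dict], bool]     # "applicable control" predicate
    score: Callable[[dict], str]        # returns PASS / WATCH / FAIL


def is_workload(r: dict) -> bool:
    return r.get("kind") in WORKLOAD_KINDS


# Hypothetical control bodies (assumptions, not KCF registry definitions).
def score_image_pinned(r: dict) -> str:
    """Digest-pinned image PASSes, tag-pinned WATCHes, untagged/:latest FAILs."""
    image = r.get("image", "")
    if "@sha256:" in image:
        return PASS
    last = image.rsplit("/", 1)[-1]     # ignore a registry:port prefix
    if ":" in last and not last.endswith(":latest"):
        return WATCH
    return FAIL


def score_not_privileged(r: dict) -> str:
    return FAIL if r.get("privileged", False) else PASS


CONTROLS = [
    Control("X-IMG", is_workload, score_image_pinned),
    Control("X-PRIV", is_workload, score_not_privileged),
]


def l1_syntactic(r: dict) -> list:
    """L1: required-field gate. Returns the missing field names (empty = pass)."""
    missing = [f for f in REQUIRED_FIELDS if f not in r]
    if is_workload(r) and "image" not in r:
        missing.append("image")
    return missing


def l2_semantic(r: dict) -> dict:
    """L2: score every applicable control; inapplicable controls are skipped."""
    return {c.cid: c.score(r) for c in CONTROLS if c.applies(r)}


def l3_decision(scores: dict) -> str:
    """L3: any FAIL -> DENY, else any WATCH -> HOLD, else ADMIT."""
    values = set(scores.values())
    if FAIL in values:
        return DENY
    if WATCH in values:
        return HOLD
    return ADMIT


class Ledger:
    """Append-only record standing in for the DCJ/LABR/TRB filing the page
    describes. Every verdict, L1 rejects included, is filed and serialised."""

    def __init__(self) -> None:
        self.entries: list = []

    def file(self, v: Verdict) -> Verdict:
        v.serial = len(self.entries) + 1
        self.entries.append(v)
        return v


def evaluate(r: dict, ledger: Ledger) -> Verdict:
    """Run L1 -> L2 -> L3 on one resource and file the result."""
    missing = l1_syntactic(r)
    if missing:  # L1 REJECT: no semantic evaluation attempted
        reasons = [f"missing field: {m}" for m in missing]
        return ledger.file(Verdict(REJECT, "L1", reasons=reasons))
    scores = l2_semantic(r)
    reasons = [f"{cid}={s}" for cid, s in scores.items() if s != PASS]
    return ledger.file(Verdict(l3_decision(scores), "L3", controls=scores, reasons=reasons))


if __name__ == "__main__":
    ledger = Ledger()
    for res in (  # constructed sample requests
        {"kind": "Pod", "namespace": "app", "image": "registry.example/app@sha256:" + "0" * 64},
        {"kind": "Pod", "namespace": "app", "image": "registry.example/app:1.4.2"},
        {"kind": "Pod", "namespace": "app", "image": "registry.example/app:latest", "privileged": True},
        {"kind": "Pod", "namespace": "app"},
        {"kind": "ConfigMap", "namespace": "app"},
    ):
        v = evaluate(res, ledger)
        print(v.serial, v.layer, v.decision, v.reasons)
```

The five sample requests exercise each exit: digest-pinned Pod → ADMIT, tag-pinned Pod → HOLD, `:latest` plus privileged → DENY with both control reasons recorded, Pod without an image → L1 REJECT before L2 runs, and a ConfigMap → ADMIT because no workload control applies to it. A production gate would key the controls on the full Kubernetes object (containers[], securityContext) rather than the flat fields used here.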
INTERACTIVE MEROSTONE DEMO · CLIENT-SIDE SIMULATION
[Interactive widget on the original page: a resource JSON input; EVALUATE runs MEROSTONE L1→L2→L3 and displays the L2 KCF evaluation results. The widget and its output are not captured in this text.]
KCF COMPLETE REGISTRY · 82 CONTROLS · EA-1..73 + EB-1..12 + EC-1..13 + EX-1..6
ACTIVE = 63 original EA + 6 EX SRE bench controls. PENDING RATIFICATION = 19 new controls from repo analysis (Day 93).
ID | NAME | SOSTLE LAYER | SOURCE | STATUS
FLEET SCOPE · WHERE SOVEREIGN OPA APPLIES
Concentric-ring diagram, outermost to innermost:
GKE/EKS + EXTERNAL | EX-1..6 gate · EC-9..13
AKS pemos-system | pemos-io · kantai | EA-49, EA-50
k3s LHVCP · k3d kind-local | EA-55, 68, 69
LOCAL SILOS | msi01 / yone / msclo · forge / lilo | EA-8..15
γ₁ FLOOR (inner core)
γ₁ FLOOR (INNER CORE)
Anchor: γ₁ = 14.134725141734693
Controls: EA-4 (γ₁-anchored timestamps)
Scope: All evaluation, no exception
LOCAL SILOS (RING 2)
Nodes: msi01 · yone · msclo · forge · lilo
Controls: EA-8 (L0 Wall) through EA-15 (L7 Crown)
Enforcement: SOSTLE walls L0–L7
k3s / k3d (RING 3)
Clusters: LHVCP k3s · k3d kind-local
Controls: EA-55 (LHVCP health) · EA-68 (admission) · EA-69 (registry)