OrcaRouter’s compliance plane is built so you can understand your posture before you pay for it. Reading the framework catalog and your readiness rollup is free on every tier — including the free plan — so you can size a SOC 2 or HIPAA effort against your real workspace before spending a dollar. The actions that change behavior or produce a shareable artifact — installing a pack, taking it live, and exporting evidence beyond the demo report — require a paid plan. This page is the precise customer-facing map of that boundary: which compliance actions are free, which require a paid plan, and which role each one needs.

1. The compliance plan limits, at a glance

Every gate below is enforced server-side. The console hides paid actions behind an upgrade prompt, but the API does the same check — a direct call to a gated route on a free plan comes back unsuccessful with an “Upgrade to…” message, so there is no way to route around the paywall.

Free — read your posture

Browse the framework catalog, list installed packs, and read your readiness rollup and declared residency region. Any workspace member can do this on any plan, at no cost.

Paid — change your posture

Installing a pack, setting up a control, taking a pack live, and exporting CSV/JSON or a second report require a paid plan and the workspace Admin role.
Two gates stack on the write actions: a role gate (workspace Admin) and a plan gate (paid). The catalog and readiness reads need neither — they are open to every member on every tier.

2. What’s free on every tier

The reads that let you understand where you stand cost nothing. These are session-authenticated console views (your login, not a relay key), readable by any workspace member:
  • Framework catalog: open Compliance in the console and review every available framework and its controls. No plan, no Admin role — any member can read it.
  • Readiness rollup: the readiness view shows per-control coverage for your workspace against a trailing window of real traffic. It’s the number you use to decide whether a framework is worth installing — and it’s free.
  • Installed packs and residency: any member can list the packs already installed in the workspace and read the workspace’s declared data-residency region. Reading is free; changing residency is Admin-only.
The free catalog and readiness reads are enough to scope a real compliance effort — see frameworks for the full list of what’s in the catalog before you commit to a plan.

3. What a paid plan unlocks

These are the actions that materialize policy, change enforcement behavior, or produce a distributable artifact. Each requires a paid plan and the Admin role, checked on the server:
Action              Gate            What it does
Install a pack      Paid + Admin    Materializes the framework’s guardrail and firewall rules into your workspace
Set up a control    Paid + Admin    Auto-configures a single gateway control on an installed pack
Go live             Paid + Admin    Flips installed rules from observe to live enforcement (guardrail block / mask, firewall deny)
Export CSV / JSON   Paid + Admin    Generates a non-PDF signed report format
2nd+ report         Paid + Admin    The first PDF report is free; every report after it is paid
Installing a pack is itself a paid action. A pack materializes editable guardrail and firewall policies into your workspace — that’s the value the paywall protects, so the install route is plan-gated on the server, not just go-live. Read the catalog and readiness for free; installing is where the paid plan begins.

4. The one free report

Compliance reports are the sellable artifact, so the model is built to let you see one before you buy: a free-plan workspace can generate exactly one PDF report to demo the artifact end-to-end. After that, every additional report — and any CSV or JSON export at all — requires a paid plan.
Generate a single PDF signed report for free. It is fully real: Ed25519-signed and publicly verifiable like any paid report. A report that fails to render does not burn the allowance — only a usable report counts against the cap of one.
Verification is always free and accountless. Once any report exists — free or paid — anyone you share it with can confirm its signature without an OrcaRouter login. The generation is the gated step; trust in the artifact is open to the world.

5. One concrete example

Here is the full free-to-paid arc for a single framework, driven entirely from the console:
Step 1: Browse and read readiness (free, any member)

Open Compliance, pick a framework, and read its readiness rollup against your trailing traffic. No plan, no Admin role. These map to the member-readable reads:
# Read-only, session-authenticated (UserAuth) — driven from the console.
GET /api/compliance/catalog
GET /api/compliance/readiness
Step 2: Install the pack (paid plan, Admin)

From the framework card, choose Install. On a paid plan with the Admin role, the pack materializes its guardrail and firewall rules in observe posture. On a free plan this comes back unsuccessful with an upgrade prompt — the server enforces the same gate the UI shows.
# Paid + Admin, server-gated. Driven from the console.
POST /api/compliance/packs/{key}/install
Step 3: Watch in observe, then go live (paid plan, Admin)

With the pack installed, watch what it would block against real traffic, then flip it to enforce when the numbers look right. See observe vs enforce for how to read the gap.
POST /api/compliance/packs/{key}/golive
Every route shown here authenticates with your console session (UserAuth) — not an sk-orca-… relay key. Relay keys are only for /v1/* model calls. You drive all compliance configuration from the console; the routes are shown only to make the free / paid boundary explicit.

6. How the gate fails

Two design choices keep the boundary tight and predictable:
  • The plan check fails closed. If a workspace’s plan can’t be resolved, it’s treated as the free tier — gating fails toward locked, never toward accidentally unlocking a paid action.
  • The block is a clean, unsuccessful response. A gated action on a free plan comes back with success: false and an upgrade message, not a partial or silent success. Nothing is half-applied: an install that’s blocked materializes no rules.
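The stacked gates and both failure-mode choices above, worked through in Python as an added example. This is not OrcaRouter’s implementation: the route names and the free / paid rules come from this page, while the Workspace data model, the function names, the assumption that the Admin role also applies to report generation, and the exact “Upgrade to …” wording are assumptions made here.

```python
"""Model of the compliance gates on this page: stacked role + plan checks,
a fail-closed plan lookup, clean denials, atomic installs and the one free
PDF report. Added example, not OrcaRouter's implementation (see lead-in)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Reads: open to any workspace member on any plan (no role gate, no plan gate).
FREE_ACTIONS = {"catalog", "readiness", "list_packs", "residency"}
# Writes that need a paid plan and the Admin role. Report generation is
# handled separately because of the one-free-PDF allowance.
PAID_ADMIN_ACTIONS = {"install", "control", "golive"}


@dataclass
class Workspace:  # assumed data model, constructed for this example
    plan: Optional[str]                        # "free", "paid", or None if unresolvable
    packs: dict = field(default_factory=dict)  # pack key -> {"rules": [...], "posture": ...}
    usable_reports: int = 0                    # only reports that actually rendered count


def resolve_plan(ws: Workspace) -> str:
    """Fail closed: anything that is not a resolved paid plan is the free tier."""
    return "paid" if ws.plan == "paid" else "free"


def upgrade_denied(action: str) -> dict:
    """Clean, unsuccessful envelope: success: false plus an upgrade prompt."""
    return {"success": False, "error": f"Upgrade to a paid plan to {action}"}


def gate(ws: Workspace, role: str, action: str, fmt: str = "pdf") -> dict:
    """Return the response envelope the server would send before doing any work."""
    if action in FREE_ACTIONS:
        return {"success": True}
    if role != "admin":  # role gate; assumed here to cover report generation too
        return {"success": False, "error": "Workspace Admin role required"}
    if action == "report":
        if fmt == "pdf" and ws.usable_reports == 0:
            return {"success": True}  # the one free PDF
        if resolve_plan(ws) != "paid":  # CSV/JSON and every later report are paid
            return upgrade_denied("generate another report or export CSV/JSON")
        return {"success": True}
    if action not in PAID_ADMIN_ACTIONS:  # unknown writes are denied, never allowed
        return {"success": False, "error": f"unknown action {action}"}
    if resolve_plan(ws) != "paid":
        return upgrade_denied(action)
    return {"success": True}


def install_pack(ws: Workspace, role: str, key: str, rules: list) -> dict:
    """POST /api/compliance/packs/{key}/install: materialize rules in observe posture.
    The gate runs first, so a blocked install materializes nothing."""
    resp = gate(ws, role, "install")
    if resp["success"]:
        ws.packs[key] = {"rules": list(rules), "posture": "observe"}
    return resp


def go_live(ws: Workspace, role: str, key: str) -> dict:
    """POST /api/compliance/packs/{key}/golive: flip observe -> live."""
    resp = gate(ws, role, "golive")
    if not resp["success"]:
        return resp
    if key not in ws.packs:
        return {"success": False, "error": "pack not installed"}
    ws.packs[key]["posture"] = "live"
    return resp


def generate_report(ws: Workspace, role: str, fmt: str,
                    render: Callable[[], bytes]) -> dict:
    """Generate a signed report. A render that fails does not burn the free allowance."""
    resp = gate(ws, role, "report", fmt)
    if not resp["success"]:
        return resp
    try:
        artifact = render()
    except Exception as exc:  # nothing usable was produced, so nothing is counted
        return {"success": False, "error": f"render failed: {exc}"}
    ws.usable_reports += 1
    return {"success": True, "artifact": artifact}


def free_to_paid_arc() -> list:
    """The free-to-paid arc from section 5, on a constructed free-plan workspace."""
    ws = Workspace(plan="free")
    log = [("readiness as member", gate(ws, "member", "readiness")["success"])]
    log.append(("install on free plan", install_pack(ws, "admin", "soc2", ["r1"])["success"]))
    log.append(("rules materialized", "soc2" in ws.packs))
    ws.plan = "paid"  # after the upgrade
    log.append(("install on paid plan", install_pack(ws, "admin", "soc2", ["r1"])["success"]))
    log.append(("go live", go_live(ws, "admin", "soc2")["success"]))
    return log


if __name__ == "__main__":
    for step, ok in free_to_paid_arc():
        print(f"{step}: {'ok' if ok else 'denied'}")
```

Two design points carry the page’s guarantees: `resolve_plan` maps an unresolvable plan to the free tier rather than raising or defaulting open, and every write calls `gate` before touching state, which is what makes a denied install leave `ws.packs` untouched.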
If you’re deciding whether compliance is worth a plan upgrade, do all your evaluation in the free tier first: read the catalog, read readiness, and generate the one free PDF report. That’s the full artifact and the full posture picture — paid is for acting on it.

7. Where to go next

  • Observe vs enforce: the posture boundary in detail — watch what a pack would do before it blocks anything.
  • Install a pack: materialize a framework’s guardrail and firewall rules — the first paid step.
  • Signed report: the Ed25519-signed evidence artifact — one free, unlimited on a paid plan.
  • Shared responsibility: what the gateway enforces versus what stays your decision.
Read your posture for free; pay to act on it. The catalog and readiness are open on every tier so the upgrade decision is informed — and the gate that follows is enforced on the server, not just in the UI.