docs: add compliance-reporting product page, link docs to netchecks site

Add a product/landing page for netchecks-compliance at
/docs/compliance-reporting with pricing, frameworks, and quick start.
Link from annotations and architecture docs to docs site pages
instead of private GitHub repo.

Author: hardbyte

docs/src/components/Layout.jsx

@@ -29,6 +29,7 @@ const navigation = [
             {title: 'Custom Validation Rules', href: '/docs/custom-validation-rules'},
             {title: 'External Data', href: '/docs/external-data'},
             {title: 'Alerting', href: '/docs/alerting'},
+            {title: 'Compliance Reporting', href: '/docs/compliance-reporting'},
             {title: 'Compliance Annotations', href: '/docs/compliance-annotations'},
         ],
     },

docs/src/pages/docs/architecture-guide.md

@@ -27,7 +27,7 @@ provide a convenient way to expose metrics, view the results, and generate notif
 ## Compliance Reporting
 
 For organizations that need to map active network test results to compliance framework controls,
-the **netchecks-compliance** add-on reads
+the [netchecks-compliance](/docs/compliance-reporting) add-on reads
 `PolicyReport` results and `NetworkAssertion` annotations to generate audit-ready compliance
 reports (PDF/HTML/JSON) for frameworks including PCI-DSS v4.0, SOC 2, and CIS Kubernetes Benchmark.
 

docs/src/pages/docs/compliance-annotations.md

@@ -7,7 +7,7 @@ description: Annotate NetworkAssertions with compliance framework control IDs fo
 
 Netchecks supports compliance annotations on `NetworkAssertion` resources. These annotations map
 your active network tests to specific compliance framework controls, enabling automated generation
-of audit-ready compliance reports via the **netchecks-compliance** add-on.
+of audit-ready compliance reports via [netchecks-compliance](/docs/compliance-reporting).
 
 ## Supported Annotations
 
@@ -76,7 +76,7 @@ Multiple NetworkAssertions can map to the same control — all results are aggre
 
 ## Generating Reports
 
-Install the **netchecks-compliance** CLI:
+Install the [netchecks-compliance](/docs/compliance-reporting) CLI:
 
 ```bash
 pip install netchecks-compliance

docs/src/pages/docs/compliance-reporting.md

@@ -0,0 +1,90 @@
+---
+title: Compliance Reporting
+description: Generate audit-ready compliance reports from netchecks test results.
+---
+
+# Compliance Reporting
+
+**netchecks-compliance** is a paid add-on that takes netchecks `PolicyReport` results and produces
+compliance reports mapped to specific framework controls. The output is evidence an auditor can
+directly reference in a SOC 2 Type 2 report or PCI-DSS ROC.
+
+## The Problem
+
+Organizations running Kubernetes need to prove their network security controls actually work — not
+just that policies exist. Every KSPM tool checks whether `NetworkPolicy` objects exist and are
+correctly configured. None of them verify that traffic is actually blocked in practice.
+
+Netchecks fills the testing gap — it actively sends traffic and validates results. **netchecks-compliance**
+bridges those test results to auditor-ready compliance evidence.
+
+## Supported Frameworks
+
+| Framework | Key Controls | Tier |
+|---|---|---|
+| **CIS Kubernetes Benchmark** | 5.3.1, 5.3.2 | Community (Free) |
+| **PCI-DSS v4.0** | 1.2.1, 1.3.2, 11.3.4, 11.3.4.1 | Pro |
+| **SOC 2 Type II** | CC6.6, CC6.7, CC7.1 | Pro |
+
+## Output Formats
+
+| Format | Use Case |
+|---|---|
+| **PDF** | Hand to auditor. Print-ready. Primary deliverable. |
+| **HTML** | Self-contained single-file. View in browser. Share internally. |
+| **JSON** | GRC platform integration (Vanta, Drata, Secureframe). |
+
+## How It Works
+
+1. **Annotate** your `NetworkAssertion` resources with [compliance annotations](/docs/compliance-annotations)
+   to map tests to compliance framework controls.
+2. The netchecks operator runs the tests as usual, producing `PolicyReport` resources.
+3. **netchecks-compliance** reads both the `NetworkAssertion` annotations and `PolicyReport` results,
+   maps them to framework controls, and generates a compliance report.
+
+Reports include:
+- **Executive summary** — overall compliance posture (X/Y controls passing), critical findings
+- **Per-control detail** — control ID, description, status (PASS/FAIL/NOT_ASSESSED), evidence count,
+  last tested timestamp, mapped NetworkAssertions, finding details
+- **Attestation footer** — tool version, SHA-256 integrity hash, automation statement
+
+## Quick Start
+
+```bash
+pip install netchecks-compliance
+
+# Free CIS report (no license required)
+netchecks-compliance report \
+  --framework cis-k8s \
+  --format pdf \
+  --output cis-report.pdf
+
+# PCI-DSS report (requires Pro license)
+netchecks-compliance report \
+  --framework pci-dss-v4 \
+  --namespace payments \
+  --format pdf \
+  --output pci-report.pdf \
+  --license license.jwt \
+  --organization "Acme Corp" \
+  --environment "Production"
+
+# List available frameworks and controls
+netchecks-compliance frameworks
+```
+
+## Pricing
+
+| Tier | What's Included |
+|---|---|
+| **Community (Free)** | CIS Kubernetes Benchmark reports. JSON output. CLI generation. |
+| **Pro ($500/cluster/month)** | All frameworks. PDF + HTML + JSON. Up to 5 clusters. |
+| **Enterprise (custom)** | Unlimited clusters. Custom frameworks. OSCAL output. |
+
+Contact [brian@hardbyte.nz](mailto:brian@hardbyte.nz) for Pro and Enterprise licenses.
+
+## Next Steps
+
+- [Compliance Annotations](/docs/compliance-annotations) — how to annotate your NetworkAssertions
+- [Example manifests](https://github.com/hardbyte/netchecks/tree/main/operator/examples/compliance) — PCI-DSS, SOC 2, and CIS example NetworkAssertions
+- [Architecture Guide](/docs/architecture-guide) — how netchecks works end-to-end