up the blokcing tasks

docs/legal/crypto-compliance-review.md

@@ -1,6 +1,6 @@
 # Crypto Compliance Review · License & Export Analysis
 
-**Status:** DRAFT
+**Status:** IN REVIEW (legal sign-off pending)
 **Date:** 2025-12-07
 **Owners:** Security Guild, Legal
 **Unblocks:** RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06
@@ -93,9 +93,39 @@ crypto:
 
 ### 2.4 Documentation Requirements
 
-- [ ] Document that CSP is "customer-provided" in installation guide
-- [ ] Add EULA notice that CSP licensing is customer responsibility
-- [ ] Include CSP version compatibility matrix (CSP 4.0/5.0)
+- [x] Document that CSP is "customer-provided" in installation guide
+- [x] Add EULA notice that CSP licensing is customer responsibility
+- [x] Include CSP version compatibility matrix (CSP 4.0/5.0)
+- [x] Provide license acceptance/test procedure for Linux CSP service and Windows runners
+
+### 2.5 License Acceptance & Validation (customer-provided CSP)
+
+**Linux (native CSP, headless)**
+
+1. Place vendor `.tgz`/`.deb` bundles under `<repo>/opt/cryptopro/downloads` (mounted read-only into `/opt/cryptopro/downloads`).
+2. Set `CRYPTOPRO_ACCEPT_EULA=1` only if you hold a valid license and agree to the vendor terms.
+3. Install CSP packages with `ops/cryptopro/install-linux-csp.sh` (offline by default; respects arch filtering).
+4. Build the HTTP wrapper with the same EULA flag:
+   ```bash
+   docker build -t cryptopro-linux-csp \
+     --build-arg CRYPTOPRO_ACCEPT_EULA=1 \
+     -f ops/cryptopro/linux-csp-service/Dockerfile .
+   docker run --rm -p 18080:8080 cryptopro-linux-csp
+   ```
+5. Validate license/keyset with the wrapper endpoints (fail closed if unlicensed):
+   - `GET /health` (binary present)
+   - `GET /license` (mirrors `csptest -keyset -info`; surfaces license/keyset errors)
+   - `POST /keyset/init` (optional: creates empty keyset to silence container warnings)
+
+**Windows (native CSP)**
+
+1. Install licensed CryptoPro CSP on the runner/host.
+2. Accept the EULA during installation; ensure the license is activated per vendor tooling (`csptest -license -view`).
+3. Set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and configure `StellaOps:Crypto:CryptoPro:Keys` with certificate handle/thumbprint.
+4. Run the guarded tests: `./scripts/crypto/run-cryptopro-tests.ps1` (skips when the env flag or CSP is missing). **No Windows HTTP wrapper/Wine path is shipped; only native CSP on Windows, and the Linux CSP service uses customer-provided `.deb` binaries.**
+5. Capture test output + `csptest -keyset -info` in sprint evidence for RU-CRYPTO-VAL-04/06 closure.
+
+**EULA reminder:** StellaOps never distributes CSP binaries or license keys; operators must provide and accept the vendor EULA explicitly via the flags above. If licensing review is deferred, note explicitly in sprint records that licensing remains customer responsibility.
 
 ## 3. Export Control Analysis
 
@@ -228,8 +258,9 @@ Running CryptoPro CSP DLLs under Wine for cross-platform testing:
 
 - [x] Document fork licensing (MIT) ← This document
 - [x] Document CryptoPro distribution model ← This document
-- [ ] Add attribution to NOTICE.md
-- [ ] Update installation guide with CSP requirements
+- [x] Add attribution to NOTICE.md
+- [x] Update installation guide with CSP requirements and license acceptance steps
+- [x] Document CSP license validation flow (Linux wrapper + Windows runner)
 
 ### Short-term