feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization

docs/architecture/SOVEREIGNTY_LANDING_ZONE_SUMMARY.md

@@ -0,0 +1,189 @@
+# Cloud for Sovereignty Landing Zone - Executive Summary
+
+**Date**: 2025-01-27  
+**Management Group**: SOVEREIGN-ORDER-OF-HOSPITALLERS  
+**Status**: Architecture Complete - Ready for Deployment
+
+## Overview
+
+A comprehensive Cloud for Sovereignty landing zone architecture designed using Azure Well-Architected Framework principles, spanning all non-US commercial Azure regions to ensure data sovereignty, compliance, and operational resilience.
+
+## Key Metrics
+
+- **Regions**: 7 non-US commercial Azure regions
+- **Management Groups**: 11 hierarchical groups
+- **Policies**: 5 compliance policies + 1 initiative
+- **Virtual Networks**: 14 (7 hub + 7 spoke)
+- **Subnets**: 42 total
+- **Security**: 7 Azure Firewalls, 14 private endpoints
+- **Estimated Cost**: $10,850-20,000/month (depending on environment)
+
+## Well-Architected Framework Compliance
+
+### ✅ Cost Optimization
+- Right-sized resources per region
+- Reserved instance planning
+- Cost allocation tags
+- Budget alerts and governance
+
+### ✅ Operational Excellence
+- Infrastructure as Code (Terraform)
+- Automated deployments
+- Centralized logging
+- Runbooks and playbooks
+
+### ✅ Performance Efficiency
+- Regional proximity for low latency
+- CDN for global content delivery
+- Auto-scaling capabilities
+- Performance monitoring
+
+### ✅ Reliability
+- Multi-region redundancy
+- Availability Zones
+- Automated failover
+- RTO: 4 hours, RPO: 1 hour
+
+### ✅ Security
+- Zero-trust architecture
+- Defense in depth
+- Data encryption (at rest and in transit)
+- Identity and access management
+- Security monitoring
+
+## Cloud for Sovereignty Features
+
+### Data Residency
+- All data remains within specified regions
+- Resource location policies enforced
+- Storage geo-replication controls
+
+### Data Protection
+- Customer-managed keys (CMK)
+- Azure Key Vault with HSM
+- Private endpoints for all services
+
+### Compliance
+- GDPR compliance
+- eIDAS compliance
+- Regional compliance requirements
+- Audit logging (90 days retention)
+
+### Operational Control
+- Management group hierarchy
+- Policy-based governance
+- Role-based access control (RBAC)
+
+## Regional Deployment
+
+### Supported Regions
+
+1. **West Europe** (Netherlands) - Primary region
+2. **North Europe** (Ireland) - Secondary region
+3. **UK South** (London) - UK workloads
+4. **Switzerland North** (Zurich) - Swiss workloads
+5. **Norway East** (Oslo) - Nordic workloads
+6. **France Central** (Paris) - French workloads
+7. **Germany West Central** (Frankfurt) - German workloads
+
+### Per-Region Components
+
+- Hub Virtual Network (gateway, firewall, management subnets)
+- Spoke Virtual Network (application, database, storage subnets)
+- Azure Firewall (Standard SKU)
+- Key Vault (Premium SKU with private endpoint)
+- Storage Account (with private endpoint)
+- Log Analytics Workspace
+
+## Management Group Hierarchy
+
+```
+SOVEREIGN-ORDER-OF-HOSPITALLERS
+├── Landing Zones
+│   ├── Platform
+│   ├── Sandbox
+│   └── Workloads
+├── Management
+│   ├── Identity
+│   ├── Security
+│   └── Monitoring
+└── Connectivity
+    ├── Hub Networks
+    └── Spoke Networks
+```
+
+## Compliance Policies
+
+1. **Allowed Locations**: Restricts to non-US commercial regions
+2. **Deny US Regions**: Explicitly denies US regions
+3. **Require Data Residency Tag**: Tracks data residency
+4. **Require Encryption at Rest**: Customer-managed keys
+5. **Require Resource Tags**: Governance and cost management
+
+## Deployment Phases
+
+### Phase 1: Foundation (Weeks 1-2)
+- Management group hierarchy
+- Identity and access management
+- Core networking
+- Key Vault setup
+- Log Analytics workspaces
+
+### Phase 2: Regional Deployment (Weeks 3-6)
+- Primary region (West Europe)
+- Secondary region (North Europe)
+- Geo-replication
+- Monitoring setup
+
+### Phase 3: Multi-Region Expansion (Weeks 7-10)
+- Remaining 5 regions
+- Regional failover
+- CDN endpoints
+- Traffic routing
+
+### Phase 4: Workload Migration (Weeks 11-14)
+- Application migration
+- Application networking
+- Application monitoring
+- Performance optimization
+
+### Phase 5: Optimization (Weeks 15-16)
+- Cost optimization
+- Performance tuning
+- Security hardening
+- Documentation
+
+## Quick Start
+
+```bash
+# 1. Load environment
+source infra/scripts/azure-load-env.sh
+
+# 2. Deploy landing zone
+./infra/scripts/deploy-sovereignty-landing-zone.sh
+
+# 3. Verify deployment
+az group list --query "[?contains(name, 'az-')]"
+```
+
+## Documentation
+
+- **Architecture**: `docs/architecture/CLOUD_FOR_SOVEREIGNTY_LANDING_ZONE.md`
+- **Deployment Guide**: `docs/deployment/azure/SOVEREIGNTY_LANDING_ZONE_DEPLOYMENT.md`
+- **Module Docs**: `infra/terraform/modules/regional-landing-zone/README.md`
+
+## Success Criteria
+
+- ✅ All 7 regions deployed
+- ✅ Management group hierarchy established
+- ✅ Compliance policies enforced
+- ✅ Private endpoints configured
+- ✅ Monitoring active
+- ✅ Cost tracking enabled
+- ✅ Security hardened
+
+---
+
+**Last Updated**: 2025-01-27  
+**Next Review**: After Phase 1 deployment
+