feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization

docs/deployment/azure/cdn-configuration.md

@@ -0,0 +1,251 @@
+# CDN Configuration for Credential Seals
+
+## Current Status
+
+**CDN Provider**: Not yet configured (placeholder URLs in use)  
+**Default URL Pattern**: `https://cdn.theorder.org/images/`  
+**Status**: Ready for CDN configuration
+
+## Available CDN Options
+
+Based on the infrastructure setup, the following CDN options are available:
+
+### 1. Azure Blob Storage + CDN (Recommended for Azure Infrastructure)
+
+**Why**: The infrastructure is primarily Azure-based (Azure Storage, AKS, Key Vault)
+
+**Configuration**:
+```bash
+# Azure Blob Storage with CDN
+CDN_BASE_URL=https://<storage-account>.blob.core.windows.net/images/
+# Or with Azure CDN
+CDN_BASE_URL=https://<cdn-endpoint>.azureedge.net/images/
+```
+
+**Upload Script** (Azure):
+```bash
+# Using Azure CLI
+az storage blob upload \
+  --file "${png_file}" \
+  --container-name images \
+  --name "${png_file}" \
+  --account-name <storage-account> \
+  --auth-mode login
+
+# Set public access
+az storage blob set-permission \
+  --container-name images \
+  --name "${png_file}" \
+  --public-access blob \
+  --account-name <storage-account>
+```
+
+### 2. AWS S3 + CloudFront (If using AWS)
+
+**Why**: The storage package supports S3 (`@aws-sdk/client-s3`)
+
+**Configuration**:
+```bash
+CDN_BASE_URL=https://<bucket>.s3.<region>.amazonaws.com/images/
+# Or with CloudFront
+CDN_BASE_URL=https://<cloudfront-id>.cloudfront.net/images/
+```
+
+**Upload Script** (AWS):
+```bash
+# Using AWS CLI
+aws s3 cp "${png_file}" \
+  "s3://<bucket>/images/${png_file}" \
+  --acl public-read \
+  --content-type image/png
+```
+
+### 3. Cloudflare R2 (Modern Alternative)
+
+**Why**: Cost-effective, S3-compatible API
+
+**Configuration**:
+```bash
+CDN_BASE_URL=https://<account-id>.r2.cloudflarestorage.com/images/
+# Or with Cloudflare CDN
+CDN_BASE_URL=https://<custom-domain>/images/
+```
+
+**Upload Script** (Cloudflare R2):
+```bash
+# Using rclone
+rclone copy "${png_file}" \
+  r2:images/ \
+  --s3-provider Cloudflare \
+  --s3-access-key-id <key> \
+  --s3-secret-access-key <secret>
+```
+
+### 4. GitHub Pages / Static Hosting
+
+**Why**: Simple, free for public repos
+
+**Configuration**:
+```bash
+CDN_BASE_URL=https://theorder.github.io/assets/images/
+```
+
+### 5. Custom Domain CDN
+
+**Why**: Full control, custom branding
+
+**Configuration**:
+```bash
+CDN_BASE_URL=https://cdn.theorder.org/images/
+```
+
+## Recommended Configuration
+
+### For Azure Infrastructure (Current Setup)
+
+**Recommended**: Azure Blob Storage + Azure CDN
+
+1. **Create Storage Account**:
+   ```bash
+   az storage account create \
+     --name theordercdn \
+     --resource-group <rg> \
+     --location westeurope \
+     --sku Standard_LRS \
+     --kind StorageV2
+   ```
+
+2. **Create Container**:
+   ```bash
+   az storage container create \
+     --name images \
+     --account-name theordercdn \
+     --public-access blob
+   ```
+
+3. **Create CDN Profile** (Optional):
+   ```bash
+   az cdn profile create \
+     --name theorder-cdn \
+     --resource-group <rg> \
+     --sku Standard_Microsoft
+   ```
+
+4. **Set CDN Base URL**:
+   ```bash
+   export CDN_BASE_URL=https://theordercdn.blob.core.windows.net/images/
+   # Or with CDN
+   export CDN_BASE_URL=https://<cdn-endpoint>.azureedge.net/images/
+   ```
+
+## Current Configuration
+
+### Default URLs (Placeholder)
+
+All manifest templates currently use:
+```
+https://cdn.theorder.org/images/
+```
+
+### Files Using CDN URLs
+
+- `manifests/entra/default-manifest-template.json`
+- `manifests/entra/financial-manifest-template.json`
+- `manifests/entra/judicial-manifest-template.json`
+- `manifests/entra/diplomatic-manifest-template.json`
+
+### Update Script
+
+To update all manifest templates with your CDN URL:
+```bash
+CDN_BASE_URL=https://your-cdn.com/images \
+  ./scripts/deploy/update-manifest-seal-urls.sh
+```
+
+## Upload Script Template
+
+The upload script template is located at:
+```
+assets/credential-images/png/upload-to-cdn.sh
+```
+
+**Current Status**: Template (needs customization)
+
+**To Customize**:
+1. Edit `assets/credential-images/png/upload-to-cdn.sh`
+2. Add your CDN provider's upload commands
+3. Set credentials/environment variables
+4. Run the script
+
+## Next Steps
+
+1. **Choose CDN Provider**
+   - Azure Blob Storage + CDN (recommended for Azure infrastructure)
+   - AWS S3 + CloudFront (if using AWS)
+   - Cloudflare R2 (cost-effective alternative)
+   - Custom domain CDN
+
+2. **Configure CDN**
+   - Create storage account/container
+   - Set up CDN endpoint (optional)
+   - Configure public access
+   - Set CORS headers (if needed)
+
+3. **Upload Files**
+   - Customize `upload-to-cdn.sh`
+   - Upload all PNG files
+   - Verify HTTPS and public access
+
+4. **Update Configuration**
+   - Set `CDN_BASE_URL` environment variable
+   - Run `update-manifest-seal-urls.sh`
+   - Update manifest templates
+
+5. **Test**
+   - Verify URLs are accessible
+   - Test image loading
+   - Test credential issuance
+
+## Environment Variables
+
+Set these for CDN configuration:
+
+```bash
+# CDN Base URL
+export CDN_BASE_URL=https://your-cdn.com/images
+
+# Azure (if using)
+export AZURE_STORAGE_ACCOUNT=theordercdn
+export AZURE_STORAGE_KEY=<key>
+export AZURE_STORAGE_CONTAINER=images
+
+# AWS (if using)
+export AWS_S3_BUCKET=theorder-images
+export AWS_REGION=eu-west-1
+
+# Cloudflare R2 (if using)
+export R2_ACCOUNT_ID=<id>
+export R2_ACCESS_KEY_ID=<key>
+export R2_SECRET_ACCESS_KEY=<secret>
+```
+
+## Security Considerations
+
+1. **HTTPS Required**: All CDN URLs must use HTTPS
+2. **Public Access**: Images must be publicly accessible
+3. **CORS**: Configure CORS if needed for cross-origin requests
+4. **Content-Type**: Ensure correct `image/png` content type
+5. **Cache Headers**: Set appropriate cache headers
+
+## References
+
+- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/)
+- [Azure CDN](https://docs.microsoft.com/en-us/azure/cdn/)
+- [AWS S3](https://docs.aws.amazon.com/s3/)
+- [Cloudflare R2](https://developers.cloudflare.com/r2/)
+
+---
+
+**Last Updated**: [Current Date]  
+**Status**: Ready for CDN configuration
+