feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization

docs/deployment/azure/cdn-setup.md

@@ -0,0 +1,209 @@
+# Azure CDN Setup for Credential Seals
+
+**Last Updated**: 2025-01-27  
+**Status**: Complete and Operational
+
+## Overview
+
+Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images. This setup provides high-performance, globally distributed hosting for credential images used in Entra VerifiedID credentials.
+
+## Quick Start
+
+**One-Command Setup:**
+```bash
+./scripts/deploy/setup-azure-cdn-complete.sh
+```
+
+This automates:
+1. ✅ Azure quota checking
+2. ✅ Infrastructure creation (Storage Account, Container, CDN Profile, Endpoint)
+3. ✅ File upload (all seal PNG files)
+4. ✅ Manifest URL updates
+
+## Prerequisites
+
+1. **Azure CLI installed**
+   ```bash
+   # Install Azure CLI
+   curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+   ```
+
+2. **Logged in to Azure**
+   ```bash
+   az login
+   az account set --subscription <subscription-id>
+   ```
+
+3. **Required Permissions**
+   - Contributor or Owner role on subscription
+   - Storage Account Contributor
+   - CDN Contributor
+
+## Architecture
+
+```
+Azure Subscription
+├── Resource Group: theorder-rg-dev
+├── Storage Account: theordercdn12439 (or similar)
+│   └── Container: images (public blob access)
+├── CDN Profile: theorder-cdn-dev-profile
+│   └── CDN Endpoint: theorder-cdn-dev-endpoint
+│       └── Origin: Storage Account blob endpoint
+```
+
+## Manual Setup Steps
+
+### Step 1: Check Azure Quotas
+
+```bash
+./infra/scripts/azure-check-cdn-quotas.sh
+```
+
+This checks:
+- Storage accounts quota
+- CDN profiles quota
+- CDN endpoints quota
+- Resource group limits
+
+### Step 2: Create Infrastructure
+
+```bash
+./infra/scripts/azure-cdn-setup.sh
+```
+
+This creates:
+- Storage account with public blob access
+- Storage container named "images"
+- CDN profile (Standard_Microsoft SKU)
+- CDN endpoint pointing to storage account
+
+### Step 3: Upload Seal Images
+
+```bash
+./scripts/deploy/upload-seals-to-azure.sh
+```
+
+Uploads all PNG seal files to the storage container.
+
+### Step 4: Update Manifest URLs
+
+```bash
+./scripts/deploy/update-manifest-seal-urls.sh
+```
+
+Updates all manifest templates with CDN URLs.
+
+## Configuration
+
+### Storage Account Settings
+
+- **Account Tier**: Standard
+- **Replication**: LRS (dev/stage), GRS (production)
+- **Public Access**: Enabled (for CDN)
+- **TLS Version**: TLS 1.2 minimum
+
+### CDN Settings
+
+- **SKU**: Standard_Microsoft
+- **HTTPS**: Enabled
+- **Compression**: Enabled
+- **Caching**: Optimized for static content
+
+### CORS Configuration
+
+```bash
+az storage cors add \
+  --services b \
+  --methods GET HEAD \
+  --origins "*" \
+  --allowed-headers "*" \
+  --exposed-headers "*" \
+  --max-age 3600
+```
+
+## URLs
+
+### Direct Blob Storage URL
+```
+https://<storage-account>.blob.core.windows.net/images/<seal-file>.png
+```
+
+### CDN URL (Recommended)
+```
+https://<cdn-endpoint>.azureedge.net/images/<seal-file>.png
+```
+
+### Current Configuration
+- **Storage Account**: `theordercdn12439`
+- **CDN Endpoint**: `theordercdn12439.azureedge.net`
+- **Base URL**: `https://theordercdn12439.blob.core.windows.net/images/`
+
+## Seal Files
+
+### Available Seals
+1. `digital-bank-seal.png` - Digital Bank of International Settlements
+2. `iccc-seal.png` - International Criminal Court of Commerce
+3. `iccc-provost-marshals-seal.png` - ICCC Provost Marshals
+4. `diplomatic-security-seal.png` - Diplomatic Security Service
+5. `legal-office-seal.png` - Legal Office of the Master
+
+### File Sizes
+- 200x200px: For credential logos (default)
+- 400x400px: High-resolution displays
+- 800x800px: Print/embossing
+
+## Troubleshooting
+
+### CDN Not Propagating
+- CDN propagation can take 10-60 minutes
+- Use direct blob URL as fallback
+- Check CDN endpoint status: `az cdn endpoint show`
+
+### Access Denied
+- Verify container access type is "blob" (public)
+- Check storage account public access is enabled
+- Verify CORS configuration
+
+### Quota Exceeded
+- Review quota report: `azure-cdn-quota-report.txt`
+- Request quota increase via Azure portal
+- Consider using existing storage account
+
+## Maintenance
+
+### Update Seal Images
+1. Convert new SVG to PNG: `./scripts/tools/convert-svg-to-png.sh`
+2. Upload to Azure: `./scripts/deploy/upload-seals-to-azure.sh`
+3. Update manifests: `./scripts/deploy/update-manifest-seal-urls.sh`
+
+### Monitor Usage
+```bash
+az storage account show-usage \
+  --name <storage-account> \
+  --resource-group <resource-group>
+```
+
+### Cost Optimization
+- Use LRS for dev/stage (lower cost)
+- Enable CDN compression
+- Set appropriate cache headers
+- Monitor and optimize file sizes
+
+## Security
+
+- ✅ HTTPS only (CDN enforces)
+- ✅ CORS configured
+- ✅ Public read-only access
+- ✅ No write access from public
+- ✅ Storage account firewall (optional)
+
+## Related Documentation
+
+- [Entra VerifiedID Setup](./entra-verifiedid.md)
+- [Deployment Overview](../overview.md)
+- [Seal Design Guide](../../design/ORDER_SEALS_DESIGN_GUIDE.md)
+
+---
+
+**Note**: This guide consolidates information from multiple Azure CDN setup files. Historical setup documents have been archived in `docs/archive/deployment/azure-cdn/`.
+