Add Legal Office seal and complete Azure CDN deployment

- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS

docs/deployment/AZURE_CDN_SETUP.md

@@ -0,0 +1,259 @@
+# Azure CDN Setup for Credential Seals
+
+Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images.
+
+## Quick Start
+
+**One-Command Setup:**
+```bash
+./scripts/deploy/setup-azure-cdn-complete.sh
+```
+
+This automates:
+1. ✅ Quota checking
+2. ✅ Infrastructure creation
+3. ✅ File upload
+4. ✅ Manifest URL updates
+
+## Prerequisites
+
+1. **Azure CLI installed**
+   ```bash
+   # Install Azure CLI
+   curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+   ```
+
+2. **Logged in to Azure**
+   ```bash
+   az login
+   az account set --subscription <subscription-id>
+   ```
+
+3. **Required Permissions**
+   - Contributor or Owner role on subscription
+   - Ability to create resource groups
+   - Ability to create storage accounts
+   - Ability to create CDN profiles
+
+## Step-by-Step Setup
+
+### Step 1: Check Quotas
+
+```bash
+./infra/scripts/azure-check-cdn-quotas.sh
+```
+
+This checks:
+- Storage account quota
+- CDN profile quota
+- Resource group quota
+- CDN endpoint quota
+
+**Output**: `azure-cdn-quota-report.txt`
+
+### Step 2: Set Up Infrastructure
+
+```bash
+./infra/scripts/azure-cdn-setup.sh
+```
+
+This creates:
+- Resource group: `the-order-cdn-rg`
+- Storage account: `theordercdn<timestamp>`
+- Storage container: `images` (public blob access)
+- CDN profile: `theorder-cdn-profile`
+- CDN endpoint: `theorder-cdn-endpoint`
+
+**Output**: `azure-cdn-config.env`
+
+### Step 3: Upload Files
+
+```bash
+./scripts/deploy/upload-seals-to-azure.sh
+```
+
+Uploads all PNG files to Azure Blob Storage.
+
+### Step 4: Update Manifest URLs
+
+```bash
+source azure-cdn-config.env
+CDN_BASE_URL="${CDN_BASE_URL_CDN}" ./scripts/deploy/update-manifest-seal-urls.sh
+```
+
+## Infrastructure Components
+
+### Storage Account
+
+- **Name**: `theordercdn<timestamp>` (globally unique)
+- **SKU**: Standard_LRS
+- **Public Access**: Enabled for blob access
+- **CORS**: Configured for GET, HEAD, OPTIONS
+
+### Storage Container
+
+- **Name**: `images`
+- **Access Type**: Blob (public read access)
+- **Purpose**: Store credential seal PNG files
+
+### CDN Profile
+
+- **Name**: `theorder-cdn-profile`
+- **SKU**: Standard_Microsoft
+- **Purpose**: CDN profile for image delivery
+
+### CDN Endpoint
+
+- **Name**: `theorder-cdn-endpoint`
+- **Origin**: Storage account blob host
+- **Compression**: Enabled (gzip, deflate)
+- **Cache**: 1 day default
+
+## Configuration File
+
+After setup, `azure-cdn-config.env` contains:
+
+```bash
+# Storage Account
+AZURE_STORAGE_ACCOUNT=theordercdn123456
+AZURE_STORAGE_KEY=<key>
+AZURE_STORAGE_CONTAINER=images
+AZURE_RESOURCE_GROUP=the-order-cdn-rg
+AZURE_LOCATION=westeurope
+
+# CDN
+AZURE_CDN_PROFILE=theorder-cdn-profile
+AZURE_CDN_ENDPOINT=theorder-cdn-endpoint
+AZURE_CDN_ENDPOINT_URL=<endpoint-url>
+
+# URLs
+CDN_BASE_URL_BLOB=https://theordercdn123456.blob.core.windows.net/images/
+CDN_BASE_URL_CDN=https://<endpoint>.azureedge.net/images/
+CDN_BASE_URL=${CDN_BASE_URL_CDN:-${CDN_BASE_URL_BLOB}}
+```
+
+## URLs
+
+### Blob Storage URL (Immediate)
+```
+https://<storage-account>.blob.core.windows.net/images/
+```
+
+### CDN URL (After Propagation)
+```
+https://<cdn-endpoint>.azureedge.net/images/
+```
+
+**Note**: CDN endpoint takes 10-15 minutes to fully propagate.
+
+## Quota Requirements
+
+Minimum quotas needed:
+- **Storage Accounts**: 1 available
+- **CDN Profiles**: 1 available
+- **CDN Endpoints**: 1 available per profile
+- **Resource Groups**: 1 available
+
+## Cost Estimation
+
+Approximate monthly costs (West Europe):
+- **Storage Account**: ~$0.02/GB/month
+- **CDN Profile**: ~$0.04/GB egress
+- **Blob Storage**: ~$0.0004/GB/month
+
+For credential images (~17 files, ~200KB each = ~3.4MB total):
+- **Storage**: ~$0.0001/month
+- **CDN**: Depends on traffic (first 5GB free/month)
+
+**Total**: ~$0-5/month depending on traffic
+
+## Terraform Option
+
+Alternatively, use Terraform:
+
+```bash
+cd infra/terraform
+terraform init
+terraform plan -target=azurerm_storage_account.cdn_images
+terraform apply -target=azurerm_storage_account.cdn_images
+```
+
+## Verification
+
+### Check Storage Account
+```bash
+az storage account show \
+  --name <storage-account> \
+  --resource-group the-order-cdn-rg
+```
+
+### Check Container
+```bash
+az storage container show \
+  --name images \
+  --account-name <storage-account> \
+  --account-key <key>
+```
+
+### Check CDN Endpoint
+```bash
+az cdn endpoint show \
+  --name theorder-cdn-endpoint \
+  --profile-name theorder-cdn-profile \
+  --resource-group the-order-cdn-rg
+```
+
+### Test File Access
+```bash
+curl -I https://<storage-account>.blob.core.windows.net/images/digital-bank-seal.png
+```
+
+## Troubleshooting
+
+### Quota Exceeded
+- Request quota increase: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade
+- Or use existing storage account
+
+### Storage Account Name Taken
+- Script auto-generates unique name with timestamp
+- Or specify: `AZURE_STORAGE_ACCOUNT=<custom-name>`
+
+### CDN Endpoint Not Ready
+- Wait 10-15 minutes for propagation
+- Check status in Azure Portal
+- Use blob URL temporarily
+
+### Files Not Accessible
+- Verify container has public blob access
+- Check CORS configuration
+- Verify file upload succeeded
+
+## Security
+
+- **HTTPS**: All URLs use HTTPS
+- **Public Access**: Only blob read access (no write)
+- **CORS**: Configured for cross-origin requests
+- **Storage Key**: Keep secure, use managed identity in production
+
+## Production Recommendations
+
+1. **Use Managed Identity** instead of storage keys
+2. **Enable CDN HTTPS** with custom domain
+3. **Set up monitoring** for CDN usage
+4. **Configure alerts** for quota limits
+5. **Use Azure Key Vault** for secrets
+
+## Next Steps
+
+After setup:
+1. ✅ Verify files are accessible
+2. ✅ Update manifest templates
+3. ✅ Test credential issuance
+4. ✅ Monitor CDN usage
+5. ✅ Set up custom domain (optional)
+
+---
+
+**Last Updated**: [Current Date]  
+**Status**: Ready for deployment
+