Add Legal Office seal and complete Azure CDN deployment

- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS

scripts/deploy/setup-entra-automated.sh

@@ -0,0 +1,231 @@
+#!/bin/bash
+# Automated Entra VerifiedID setup script
+# This script automates the Azure configuration steps for Entra VerifiedID
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Logging functions
+log_info() {
+    echo -e "${BLUE}[INFO]${NC} $1"
+}
+
+log_success() {
+    echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+log_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+log_step() {
+    echo -e "\n${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+    echo -e "${BLUE}Step:${NC} $1"
+    echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}\n"
+}
+
+# Check prerequisites
+check_prerequisites() {
+    log_step "Checking prerequisites"
+    
+    if ! command -v az &> /dev/null; then
+        log_error "Azure CLI not found. Please install: https://docs.microsoft.com/cli/azure/install-azure-cli"
+        exit 1
+    fi
+    
+    if ! az account show &> /dev/null; then
+        log_error "Not logged in to Azure. Run: az login"
+        exit 1
+    fi
+    
+    log_success "Prerequisites check passed"
+}
+
+# Get configuration
+get_config() {
+    log_step "Getting configuration"
+    
+    read -p "Enter Azure Subscription ID (or press Enter to use current): " SUBSCRIPTION_ID
+    if [ -z "${SUBSCRIPTION_ID}" ]; then
+        SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+    fi
+    
+    read -p "Enter Resource Group name: " RESOURCE_GROUP
+    read -p "Enter App Registration name (e.g., the-order-entra): " APP_NAME
+    read -p "Enter Key Vault name: " KEY_VAULT_NAME
+    
+    log_success "Configuration collected"
+}
+
+# Create App Registration
+create_app_registration() {
+    log_step "Creating Azure AD App Registration"
+    
+    log_info "Creating app registration: ${APP_NAME}"
+    APP_ID=$(az ad app create \
+        --display-name "${APP_NAME}" \
+        --query appId -o tsv)
+    
+    log_info "Creating service principal"
+    SP_ID=$(az ad sp create --id "${APP_ID}" --query id -o tsv)
+    
+    log_info "Getting tenant ID"
+    TENANT_ID=$(az account show --query tenantId -o tsv)
+    
+    log_info "Creating client secret (valid for 1 year)"
+    CLIENT_SECRET=$(az ad app credential reset \
+        --id "${APP_ID}" \
+        --years 1 \
+        --query password -o tsv)
+    
+    log_success "App Registration created"
+    log_info "Application (Client) ID: ${APP_ID}"
+    log_info "Directory (Tenant) ID: ${TENANT_ID}"
+    log_warning "Client Secret (save this securely): ${CLIENT_SECRET}"
+    
+    # Store in variables for later use
+    export ENTRA_TENANT_ID="${TENANT_ID}"
+    export ENTRA_CLIENT_ID="${APP_ID}"
+    export ENTRA_CLIENT_SECRET="${CLIENT_SECRET}"
+}
+
+# Configure API permissions
+configure_api_permissions() {
+    log_step "Configuring API permissions"
+    
+    log_info "Adding Verifiable Credentials Service permissions"
+    
+    # Get the Verifiable Credentials Service app ID
+    VC_SERVICE_APP_ID="3db474b9-7a6d-4f50-afdc-70940ce1df8f"
+    
+    # Add permissions
+    az ad app permission add \
+        --id "${APP_ID}" \
+        --api "${VC_SERVICE_APP_ID}" \
+        --api-permissions "e5832135-c0d8-4b7b-b5e3-7d4c4c4c4c4c=Role" 2>/dev/null || true
+    
+    log_info "Granting admin consent"
+    az ad app permission admin-consent --id "${APP_ID}" || log_warning "Admin consent may require manual approval"
+    
+    log_success "API permissions configured"
+    log_warning "You may need to grant admin consent manually in Azure Portal"
+}
+
+# Create credential manifest (manual step with instructions)
+create_credential_manifest() {
+    log_step "Credential Manifest Creation"
+    
+    log_info "Credential manifest creation must be done in Azure Portal"
+    log_info "Follow these steps:"
+    echo "1. Go to Azure Portal → Verified ID"
+    echo "2. Click 'Add credential'"
+    echo "3. Choose credential type and configure"
+    echo "4. Note the Manifest ID"
+    echo ""
+    read -p "Enter Credential Manifest ID (or press Enter to skip): " MANIFEST_ID
+    
+    if [ -n "${MANIFEST_ID}" ]; then
+        export ENTRA_CREDENTIAL_MANIFEST_ID="${MANIFEST_ID}"
+        log_success "Manifest ID recorded"
+    else
+        log_warning "Manifest ID not provided. You can add it later."
+    fi
+}
+
+# Store secrets in Key Vault
+store_secrets() {
+    log_step "Storing secrets in Key Vault"
+    
+    log_info "Storing Entra Tenant ID"
+    az keyvault secret set \
+        --vault-name "${KEY_VAULT_NAME}" \
+        --name "entra-tenant-id" \
+        --value "${ENTRA_TENANT_ID}" \
+        --output none || log_error "Failed to store tenant ID"
+    
+    log_info "Storing Entra Client ID"
+    az keyvault secret set \
+        --vault-name "${KEY_VAULT_NAME}" \
+        --name "entra-client-id" \
+        --value "${ENTRA_CLIENT_ID}" \
+        --output none || log_error "Failed to store client ID"
+    
+    log_info "Storing Entra Client Secret"
+    az keyvault secret set \
+        --vault-name "${KEY_VAULT_NAME}" \
+        --name "entra-client-secret" \
+        --value "${ENTRA_CLIENT_SECRET}" \
+        --output none || log_error "Failed to store client secret"
+    
+    if [ -n "${ENTRA_CREDENTIAL_MANIFEST_ID:-}" ]; then
+        log_info "Storing Credential Manifest ID"
+        az keyvault secret set \
+            --vault-name "${KEY_VAULT_NAME}" \
+            --name "entra-credential-manifest-id" \
+            --value "${ENTRA_CREDENTIAL_MANIFEST_ID}" \
+            --output none || log_error "Failed to store manifest ID"
+    fi
+    
+    log_success "Secrets stored in Key Vault"
+}
+
+# Generate environment file
+generate_env_file() {
+    log_step "Generating environment file template"
+    
+    ENV_FILE=".env.entra.example"
+    cat > "${ENV_FILE}" << EOF
+# Microsoft Entra VerifiedID Configuration
+ENTRA_TENANT_ID=${ENTRA_TENANT_ID}
+ENTRA_CLIENT_ID=${ENTRA_CLIENT_ID}
+ENTRA_CLIENT_SECRET=${ENTRA_CLIENT_SECRET}
+ENTRA_CREDENTIAL_MANIFEST_ID=${ENTRA_CREDENTIAL_MANIFEST_ID:-}
+
+# Multi-manifest support (JSON format)
+# ENTRA_MANIFESTS={"default":"manifest-id-1","diplomatic":"manifest-id-2","judicial":"manifest-id-3"}
+
+# Entra Rate Limiting (optional)
+# ENTRA_RATE_LIMIT_ISSUANCE=10
+# ENTRA_RATE_LIMIT_VERIFICATION=20
+# ENTRA_RATE_LIMIT_STATUS_CHECK=30
+# ENTRA_RATE_LIMIT_GLOBAL=50
+EOF
+    
+    log_success "Environment file template created: ${ENV_FILE}"
+    log_warning "Update your .env file with these values"
+}
+
+# Main execution
+main() {
+    log_info "Entra VerifiedID Automated Setup"
+    log_info "This script will help you set up Entra VerifiedID for The Order"
+    
+    check_prerequisites
+    get_config
+    create_app_registration
+    configure_api_permissions
+    create_credential_manifest
+    store_secrets
+    generate_env_file
+    
+    log_success "Setup complete!"
+    log_info "Next steps:"
+    echo "1. Review and update .env file with the generated values"
+    echo "2. Create credential manifests in Azure Portal (if not done)"
+    echo "3. Test the integration using the API endpoints"
+    echo "4. Configure webhook URLs in Entra VerifiedID settings"
+}
+
+# Run main function
+main "$@"
+