Add Legal Office seal and complete Azure CDN deployment

- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS

scripts/validation/validate-entra-config.sh

@@ -0,0 +1,172 @@
+#!/bin/bash
+# Validate Entra VerifiedID Configuration
+# Checks all configuration files and environment setup
+
+set -euo pipefail
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+BLUE='\033[0;34m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[PASS]${NC} $1"; }
+log_error() { echo -e "${RED}[FAIL]${NC} $1"; }
+log_warning() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+
+cd "$(dirname "$0")/../.."
+
+ERRORS=0
+WARNINGS=0
+
+log_info "Validating Entra VerifiedID Configuration..."
+
+# Check environment variables
+log_info "Checking environment variables..."
+if [ -f ".env" ]; then
+    source .env 2>/dev/null || true
+fi
+
+check_var() {
+    local var=$1
+    local required=${2:-false}
+    
+    if [ -z "${!var:-}" ]; then
+        if [ "${required}" = "true" ]; then
+            log_error "${var} is not set (required)"
+            ((ERRORS++))
+        else
+            log_warning "${var} is not set (optional)"
+            ((WARNINGS++))
+        fi
+    else
+        log_success "${var} is set"
+    fi
+}
+
+check_var "ENTRA_TENANT_ID" true
+check_var "ENTRA_CLIENT_ID" true
+check_var "ENTRA_CLIENT_SECRET" true
+check_var "ENTRA_CREDENTIAL_MANIFEST_ID" true
+check_var "ENTRA_MANIFESTS" false
+check_var "ENTRA_RATE_LIMIT_ISSUANCE" false
+check_var "ENTRA_RATE_LIMIT_VERIFICATION" false
+
+# Validate manifest JSON if set
+if [ -n "${ENTRA_MANIFESTS:-}" ]; then
+    log_info "Validating ENTRA_MANIFESTS JSON..."
+    if echo "${ENTRA_MANIFESTS}" | jq empty 2>/dev/null; then
+        log_success "ENTRA_MANIFESTS is valid JSON"
+    else
+        log_error "ENTRA_MANIFESTS is not valid JSON"
+        ((ERRORS++))
+    fi
+fi
+
+# Check required files
+log_info "Checking required files..."
+REQUIRED_FILES=(
+    "packages/auth/src/entra-verifiedid.ts"
+    "packages/auth/src/entra-verifiedid-enhanced.ts"
+    "services/identity/src/entra-integration.ts"
+    "services/identity/src/entra-webhooks.ts"
+    "packages/monitoring/src/entra-metrics.ts"
+)
+
+for file in "${REQUIRED_FILES[@]}"; do
+    if [ -f "${file}" ]; then
+        log_success "Found: ${file}"
+    else
+        log_error "Missing: ${file}"
+        ((ERRORS++))
+    fi
+done
+
+# Check scripts
+log_info "Checking automation scripts..."
+SCRIPTS=(
+    "scripts/deploy/setup-entra-automated.sh"
+    "scripts/deploy/create-entra-app.sh"
+    "scripts/deploy/configure-env-dev.sh"
+    "scripts/test/test-entra-integration.sh"
+)
+
+for script in "${SCRIPTS[@]}"; do
+    if [ -f "${script}" ] && [ -x "${script}" ]; then
+        log_success "Found and executable: ${script}"
+    elif [ -f "${script}" ]; then
+        log_warning "Found but not executable: ${script}"
+        ((WARNINGS++))
+    else
+        log_error "Missing: ${script}"
+        ((ERRORS++))
+    fi
+done
+
+# Check Kubernetes manifests
+log_info "Checking Kubernetes manifests..."
+K8S_FILES=(
+    "infra/k8s/identity-service-entra-secrets.yaml"
+    "infra/k8s/identity-service-deployment-entra.yaml"
+)
+
+for file in "${K8S_FILES[@]}"; do
+    if [ -f "${file}" ]; then
+        log_success "Found: ${file}"
+    else
+        log_warning "Missing: ${file}"
+        ((WARNINGS++))
+    fi
+done
+
+# Check monitoring configs
+log_info "Checking monitoring configurations..."
+MONITORING_FILES=(
+    "infra/monitoring/prometheus-entra-config.yml"
+    "infra/monitoring/grafana-entra-dashboard.json"
+)
+
+for file in "${MONITORING_FILES[@]}"; do
+    if [ -f "${file}" ]; then
+        log_success "Found: ${file}"
+    else
+        log_warning "Missing: ${file}"
+        ((WARNINGS++))
+    fi
+done
+
+# Test API connectivity (if service is running)
+log_info "Testing API connectivity..."
+if curl -sf http://localhost:4002/health > /dev/null 2>&1; then
+    log_success "Identity service is running"
+    
+    # Test Entra endpoints
+    if curl -sf http://localhost:4002/vc/issue/entra > /dev/null 2>&1; then
+        log_success "Entra issuance endpoint accessible"
+    else
+        log_warning "Entra issuance endpoint not accessible (may require auth)"
+    fi
+else
+    log_warning "Identity service not running locally"
+fi
+
+# Summary
+echo ""
+log_info "Validation Summary:"
+if [ ${ERRORS} -eq 0 ]; then
+    log_success "No errors found!"
+else
+    log_error "${ERRORS} error(s) found"
+fi
+
+if [ ${WARNINGS} -gt 0 ]; then
+    log_warning "${WARNINGS} warning(s) found"
+fi
+
+if [ ${ERRORS} -eq 0 ]; then
+    exit 0
+else
+    exit 1
+fi
+