Add Legal Office seal and complete Azure CDN deployment

- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS

docs/training/ENTRA_VERIFIEDID_TRAINING.md

@@ -0,0 +1,241 @@
+# Entra VerifiedID Integration - Team Training Guide
+
+## Training Overview
+
+This guide provides training materials for the operations and development teams on the Entra VerifiedID integration.
+
+## Training Objectives
+
+By the end of this training, team members should be able to:
+1. Understand Entra VerifiedID integration architecture
+2. Deploy and configure the integration
+3. Monitor and troubleshoot issues
+4. Perform common operations
+5. Handle emergencies
+
+## Training Modules
+
+### Module 1: Architecture Overview (30 minutes)
+
+#### What is Entra VerifiedID?
+- Microsoft's managed service for verifiable credentials
+- Issues W3C-compliant verifiable credentials
+- Provides QR codes for mobile wallet integration
+- Handles credential lifecycle management
+
+#### Integration Architecture
+```
+Client → Identity Service → Entra VerifiedID API
+                ↓
+         Database (tracking)
+                ↓
+         Event Bus (notifications)
+                ↓
+         Monitoring (metrics)
+```
+
+#### Key Components
+- **EntraVerifiedIDClient**: Base client for API communication
+- **EnhancedEntraVerifiedIDClient**: Enhanced with retry and multi-manifest
+- **Webhook Handler**: Processes status updates
+- **Metrics**: Prometheus metrics for monitoring
+
+### Module 2: Deployment (45 minutes)
+
+#### Prerequisites
+- Azure subscription access
+- Kubernetes cluster access
+- Key Vault access
+
+#### Deployment Steps
+1. **Azure Configuration**
+   ```bash
+   ./scripts/deploy/setup-entra-automated.sh
+   ```
+
+2. **Environment Setup**
+   ```bash
+   ./scripts/deploy/configure-env-dev.sh
+   ```
+
+3. **Staging Deployment**
+   ```bash
+   ./scripts/deploy/deploy-staging.sh
+   ```
+
+4. **Production Deployment**
+   ```bash
+   ./scripts/deploy/deploy-production.sh
+   ```
+
+#### Hands-On Exercise
+- Deploy to staging environment
+- Verify deployment
+- Test credential issuance
+
+### Module 3: Operations (45 minutes)
+
+#### Daily Operations
+- Health checks
+- Monitoring dashboards
+- Log review
+
+#### Common Operations
+- Issue credential manually
+- Check credential status
+- Verify credential
+- View metrics
+
+#### Hands-On Exercise
+- Issue a test credential
+- Monitor metrics
+- Check logs
+
+### Module 4: Monitoring & Troubleshooting (60 minutes)
+
+#### Key Metrics
+- Issuance success rate
+- API latency
+- Error rates
+- Webhook processing
+
+#### Common Issues
+1. **Credential Issuance Failing**
+   - Check Entra credentials
+   - Verify API permissions
+   - Check network connectivity
+
+2. **Webhooks Not Received**
+   - Verify webhook URL configuration
+   - Check firewall rules
+   - Review webhook logs
+
+3. **High Latency**
+   - Check network connectivity
+   - Review retry configuration
+   - Check Entra API status
+
+#### Troubleshooting Workflow
+1. Check service health
+2. Review logs
+3. Check metrics
+4. Verify configuration
+5. Test connectivity
+
+#### Hands-On Exercise
+- Simulate common issues
+- Practice troubleshooting
+- Use diagnostic commands
+
+### Module 5: Emergency Procedures (30 minutes)
+
+#### When to Disable Integration
+- Critical security issue
+- Entra API outage
+- Data corruption
+
+#### Disable Procedure
+```bash
+# Scale down service
+kubectl scale deployment identity-service -n the-order-prod --replicas=0
+
+# Or disable routes
+kubectl set env deployment/identity-service ENTRA_TENANT_ID="" -n the-order-prod
+```
+
+#### Rollback Procedure
+```bash
+kubectl rollout undo deployment/identity-service -n the-order-prod
+```
+
+#### Hands-On Exercise
+- Practice disable procedure
+- Practice rollback
+- Verify service recovery
+
+## Training Materials
+
+### Documentation
+- [Deployment Checklist](../deployment/ENTRA_VERIFIEDID_DEPLOYMENT_CHECKLIST.md)
+- [Operational Runbook](../operations/ENTRA_VERIFIEDID_RUNBOOK.md)
+- [Integration Guide](../integrations/MICROSOFT_ENTRA_VERIFIEDID.md)
+
+### Scripts
+- `scripts/deploy/setup-entra-automated.sh`
+- `scripts/deploy/deploy-staging.sh`
+- `scripts/test/test-all-entra-features.sh`
+- `scripts/validation/validate-entra-config.sh`
+
+### Test Environment
+- Staging environment for hands-on practice
+- Test credentials for safe experimentation
+
+## Assessment
+
+### Knowledge Check
+1. What are the required environment variables?
+2. How do you check if Entra integration is working?
+3. What metrics indicate a problem?
+4. How do you disable the integration in an emergency?
+
+### Practical Assessment
+1. Deploy to staging
+2. Issue a test credential
+3. Troubleshoot a simulated issue
+4. Perform a rollback
+
+## Resources
+
+### Internal
+- Runbook: `docs/operations/ENTRA_VERIFIEDID_RUNBOOK.md`
+- Troubleshooting: See runbook troubleshooting section
+- On-call procedures: [Contact Information]
+
+### External
+- [Microsoft Entra VerifiedID Docs](https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/)
+- [Azure Portal](https://portal.azure.com)
+- [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade)
+
+## Training Schedule
+
+### Recommended Training Plan
+- **Week 1**: Architecture and Deployment (2 hours)
+- **Week 2**: Operations and Monitoring (2 hours)
+- **Week 3**: Troubleshooting and Emergencies (2 hours)
+- **Week 4**: Assessment and Certification (1 hour)
+
+### Follow-Up
+- Monthly review sessions
+- Quarterly updates on new features
+- Annual recertification
+
+## Questions & Answers
+
+### Common Questions
+
+**Q: What happens if Entra API is down?**
+A: The integration will retry automatically. If all retries fail, errors are logged and metrics are updated. Consider disabling integration if outage is prolonged.
+
+**Q: How do we rotate client secrets?**
+A: Create new secret in Azure Portal, update in Key Vault, restart service. See runbook for detailed steps.
+
+**Q: Can we use multiple credential types?**
+A: Yes! Configure `ENTRA_MANIFESTS` environment variable with JSON mapping. Use `manifestName` parameter in API calls.
+
+**Q: How do we monitor success rates?**
+A: Use Grafana dashboard or Prometheus queries. Alert on success rate < 95%.
+
+## Certification
+
+To be certified on Entra VerifiedID operations, team members must:
+1. Complete all training modules
+2. Pass knowledge check (80% or higher)
+3. Successfully complete practical assessment
+4. Demonstrate ability to troubleshoot common issues
+
+---
+
+**Training Version**: 1.0
+**Last Updated**: [Current Date]
+**Next Review**: [Date + 3 months]
+