Chore: weekly repo cleanup

.markdownlint.json

@@ -40,7 +40,8 @@
       "CertifiedProtocolsWrapper",
       "MermaidRenderer",
       "DevOnly",
-      "BadgeLegend"
+      "BadgeLegend",
+      "ExportAllCerts"
     ]
   },
   "MD037": false,

docs/pages/ai-security/ai-browsers.mdx

@@ -25,7 +25,7 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
 AI browsers are interfaces that enable models to interact with external content, such as web pages, APIs, and online
 data sources. While they expand the model's context and capability, they also broaden the attack surface by introducing
 unvalidated, dynamic inputs from the open web. Traditional security assumptions about trusted networks and static
-inputs do not hold. 
+inputs do not hold.
 
 ## Real-Time Inspection and Enforcement
 

docs/pages/ai-security/prompt-injection-defenses.mdx

@@ -26,12 +26,13 @@ As LLMs execute based on statistical patterns rather than explicit checks, malic
 cause the model to ignore safety instructions, reveal sensitive data, or perform unintended actions. Effective
 mitigation requires intercepting and sanitizing inputs at the execution layer rather than relying solely on upstream
 policies or prompt templates. Security controls should classify and constrain inputs before they are interpreted by a
-model. 
+model.
 
 ## On-Chain Data as Untrusted Input
 
 In smart contract tooling, DAO governance assistants, and wallet agents, prompt injection can lead to incorrect
-transaction construction or misleading governance actions. Inputs originating from on-chain data or community proposals should be treated as untrusted by default.
+transaction construction or misleading governance actions. Inputs originating from on-chain data or community
+proposals should be treated as untrusted by default.
 
 ## Consider using
 

docs/pages/certs/index.mdx

@@ -21,4 +21,3 @@ title: "Certs"
 - [SFC: Workspace Security](/certs/sfc-workspace-security)
 - [Certification Guidelines](/certs/certification-guidelines)
 - [Contributing to SEAL Certifications](/certs/contributions)
-- [Certified Protocols](/certs/certified-protocols)

docs/pages/config/contributors.json

@@ -23,7 +23,7 @@
       { "name": "Issue-Opener-5", "assigned": "2024-08-22" },
       { "name": "Issue-Opener-10", "assigned": "2024-08-24" },
       { "name": "Issue-Opener-25", "assigned": "2024-09-25" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-10" }
+      { "name": "Active-Last-7d", "lastActive": "2026-03-10" }
     ]
   },
   "fredriksvantes": {
@@ -101,7 +101,8 @@
       { "name": "Contributor-5", "assigned": "2025-01-09" },
       { "name": "Contributor-10", "assigned": "2025-04-10" },
       { "name": "First-Review", "assigned": "2025-08-11" },
-      { "name": "Issue-Opener-5", "assigned": "2025-08-12" }
+      { "name": "Issue-Opener-5", "assigned": "2025-08-12" },
+      { "name": "Dormant-90d+", "lastActive": "2025-12-08" }
     ]
   },
   "tebayoso": {
@@ -171,7 +172,7 @@
       { "name": "Framework-Steward", "assigned": "2025-07-15", "framework": "Security Testing" },
       { "name": "First-Contribution", "assigned": "2025-07-15" },
       { "name": "Contributor-5", "assigned": "2025-07-31" },
-      { "name": "Dormant-90d+", "lastActive": "2026-07-31" }
+      { "name": "Dormant-90d+", "lastActive": "2025-07-31" }
     ]
   },
   "pinalikefruit": {
@@ -204,7 +205,8 @@
     "role": "contributor",
     "description": "Frameworks Contributor",
     "badges": [
-      { "name": "First-Contribution", "assigned": "2025-10-29" }
+      { "name": "First-Contribution", "assigned": "2025-10-29" },
+      { "name": "Dormant-90d+", "lastActive": "2025-12-01" }
     ]
   },
   "dickson": {
@@ -226,7 +228,9 @@
       { "name": "Contributor-10", "assigned": "2025-12-01" },
       { "name": "Contributor-25", "assigned": "2026-02-09" },
       { "name": "First-Review", "assigned": "2025-08-11" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-09" }
+      { "name": "Reviewer-10", "assigned": "2026-02-24" },
+      { "name": "Reviewer-25", "assigned": "2024-03-01" },
+      { "name": "Active-Last-30d", "lastActive": "2026-03-02" }
     ]
   },
   "blackbigswan": {
@@ -349,7 +353,7 @@
     "badges": [
       { "name": "Framework-Steward", "assigned": "2025-12-17", "framework": "SEAL Certs" },
       { "name": "First-Review", "assigned": "2026-01-26" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-09" }
+      { "name": "Active-Last-30d", "lastActive": "2026-02-09" }
     ]
   },
   "geoffrey": {
@@ -440,7 +444,7 @@
       { "name": "Contributor-25", "assigned": "2025-11-15" },
       { "name": "First-Review", "assigned": "2025-08-12" },
       { "name": "Reviewer-10", "assigned": "2025-09-12" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-10" }
+      { "name": "Active-Last-7d", "lastActive": "2026-03-11" }
     ]
   },
   "gunnim": {
@@ -455,8 +459,7 @@
     "role": "contributor",
     "description": "Frameworks Contributor",
     "badges": [
-      { "name": "First-Contribution", "assigned": "2026-01-21" },
-      { "name": "Active-Last-30d", "lastActive": "2026-01-22" }
+      { "name": "First-Contribution", "assigned": "2026-01-21" }
     ]
   },
   "madjin": {
@@ -472,7 +475,7 @@
     "description": "Frameworks Contributor",
     "badges": [
       { "name": "First-Contribution", "assigned": "2025-12-16" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-09" }
+      { "name": "Active-Last-30d", "lastActive": "2026-02-09" }
     ]
   },
   "monperrus": {
@@ -487,8 +490,7 @@
     "role": "contributor",
     "description": "Frameworks Contributor",
     "badges": [
-      { "name": "First-Contribution", "assigned": "2026-01-21" },
-      { "name": "Active-Last-30d", "lastActive": "2026-01-21" }
+      { "name": "First-Contribution", "assigned": "2026-01-21" }
     ]
   },
   "munamwasi": {
@@ -503,7 +505,7 @@
     "role": "contributor",
     "description": "Frameworks Contributor",
     "badges": [
-      { "name": "First-Contribution", "assigned": "2026-02-20" }
+      { "name": "First-Contribution", "assigned": "2026-02-27" }
     ]
   },
   "jubos": {
@@ -516,7 +518,10 @@
     "company": null,
     "job_title": null,
     "role": "contributor",
-    "description": "Frameworks Contributor"
+    "description": "Frameworks Contributor",
+    "badges": [
+      { "name": "First-Contribution", "assigned": "2026-02-27" }
+    ]
   },
   "masterfung": {
     "slug": "masterfung",
@@ -528,7 +533,10 @@
     "company": null,
     "job_title": null,
     "role": "contributor",
-    "description": "Frameworks Contributor"
+    "description": "Frameworks Contributor",
+    "badges": [
+      { "name": "First-Contribution", "assigned": "2026-02-27" }
+    ]
   },
   "quillaudits": {
     "slug": "quillaudits",
@@ -557,7 +565,39 @@
     "badges": [
       { "name": "First-Contribution", "assigned": "2025-12-03" },
       { "name": "Issue-Opener-5", "assigned": "2026-02-05" },
-      { "name": "Active-Last-7d", "lastActive": "2026-02-10" }
+      { "name": "Active-Last-30d", "lastActive": "2026-02-10" }
+    ]
+  },
+  "davidthegardens": {
+    "slug": "davidthegardens",
+    "name": "davidthegardens",
+    "avatar": "https://avatars.githubusercontent.com/davidthegardens",
+    "github": "https://github.com/davidthegardens",
+    "twitter": null,
+    "website": null,
+    "company": null,
+    "job_title": null,
+    "role": "contributor",
+    "description": "Frameworks Contributor",
+    "badges": [
+      { "name": "First-Contribution", "assigned": "2025-04-10" },
+      { "name": "Dormant-90d+", "lastActive": "2025-11-18" }
+    ]
+  },
+  "00xwizard": {
+    "slug": "00xwizard",
+    "name": "00xwizard",
+    "avatar": "https://avatars.githubusercontent.com/00xwizard",
+    "github": "https://github.com/00xwizard",
+    "twitter": null,
+    "website": null,
+    "company": null,
+    "job_title": null,
+    "role": "contributor",
+    "description": "Frameworks Contributor",
+    "badges": [
+      { "name": "First-Contribution", "assigned": "2025-09-18" },
+      { "name": "Dormant-90d+", "lastActive": "2025-09-18" }
     ]
   }
 }

docs/pages/contribute/index.mdx

@@ -14,4 +14,3 @@ title: "Contribute"
 - [Contributing Guide](/contribute/contributing)
 - [Spotlight Zone](/contribute/spotlight-zone)
 - [Becoming a Framework Steward](/contribute/stewards)
-- [Champions](/contribute/champions)

docs/pages/devsecops/isolation/capability-based-isolation.mdx

@@ -22,15 +22,20 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
 <TagList tags={frontmatter.tags} />
 <AttributionList contributors={frontmatter.contributors} />
 
-> 🔑 **Key Takeaway**: Capability-based isolation replaces broad ambient permissions with short-lived, task-scoped grants tied to context, so compromised workflows cannot exceed narrowly defined actions.
+> 🔑 **Key Takeaway**: Capability-based isolation replaces broad ambient permissions with
+> short-lived, task-scoped grants tied to context, so compromised workflows cannot exceed
+> narrowly defined actions.
 
-Capability-based isolation limits what automation can do by granting **specific actions under explicit conditions**, instead of broad ambient privileges.
+Capability-based isolation limits what automation can do by granting
+**specific actions under explicit conditions**, instead of broad ambient
+privileges.
 
 In practice: do not give a job “admin” rights when it only needs “read dependency metadata” or “upload artifact to one path”.
 
 ## Why this matters in DevSecOps
 
-Many incidents are privilege-shape failures, not code execution failures: compromised workflows succeed because credentials are too broad.
+Many incidents are privilege-shape failures, not code execution failures: compromised workflows
+succeed because credentials are too broad.
 
 Capability scoping reduces blast radius by ensuring that even successful compromise has constrained impact.
 
@@ -96,12 +101,12 @@ Capability revocation should be immediate and automated for suspicious activity.
 
 ## References
 
-- NIST SP 800-53 Rev. 5 (least privilege and access control): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
-- NIST SSDF (SP 800-218): https://csrc.nist.gov/pubs/sp/800/218/final
-- NIST glossary, *Least Privilege*: https://csrc.nist.gov/glossary/term/least_privilege
-- Kubernetes, *Role Based Access Control*: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
-- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/
-- SLSA specification: https://slsa.dev/spec/v1.0/
+- [NIST SP 800-53 Rev. 5 (least privilege and access control)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)
+- [NIST SSDF (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final)
+- [NIST glossary, *Least Privilege*](https://csrc.nist.gov/glossary/term/least_privilege)
+- [Kubernetes, *Role Based Access Control*](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+- [SLSA specification](https://slsa.dev/spec/v1.0/)
 
 ---
 

docs/pages/devsecops/isolation/execution-sandboxing-practical-guide.mdx

@@ -24,7 +24,10 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
 <TagList tags={frontmatter.tags} />
 <AttributionList contributors={frontmatter.contributors} />
 
-> 🔑 **Key Takeaway**: Start by defining trust zones, then apply matching controls that keep untrusted validation isolated from release paths while enforcing ephemeral runners, short-lived credentials, and deny-by-default egress.
+> 🔑 **Key Takeaway**: Start by defining trust zones, then apply matching
+> controls that keep untrusted validation isolated from release paths
+> while enforcing ephemeral runners, short-lived credentials,
+> and deny-by-default egress.
 
 This guide translates sandboxing principles into concrete controls for real CI/CD environments.
 
@@ -95,7 +98,9 @@ Only grant elevated scopes per job when required.
 
 ### Important workflow safety note
 
-Avoid using `pull_request_target` to run untrusted code with privileged context unless you fully understand and constrain checkout, permissions, and secret access behavior.
+Avoid using `pull_request_target` to run untrusted code with privileged context
+unless you fully understand and constrain checkout, permissions,
+and secret access behavior.
 
 ## 3) Secrets and identity controls
 
@@ -114,7 +119,8 @@ Avoid using `pull_request_target` to run untrusted code with privileged context
 
 ### Segregate high-impact secrets
 
-Signing keys, registry publish credentials, and production deploy tokens should be available only in protected environments with approval gates.
+Signing keys, registry publish credentials, and production deploy tokens
+should be available only in protected environments with approval gates.
 
 ## 4) Network egress control
 
@@ -220,16 +226,16 @@ Have a playbook for:
 
 ## References
 
-- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final
-- NIST SP 800-204A, *Building Secure Microservices-based Applications Using Service-Mesh Architecture*: https://csrc.nist.gov/pubs/sp/800/204/a/final
-- NIST SSDF (SP 800-218): https://csrc.nist.gov/pubs/sp/800/218/final
+- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final)
+- [NIST SP 800-204A, *Building Secure Microservices-based Applications Using Service-Mesh Architecture*](https://csrc.nist.gov/pubs/sp/800/204/a/final)
+- [NIST SSDF (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final)
 
-- GitHub Actions security hardening: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
-- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/
-- Kubernetes, *Network Policies*: https://kubernetes.io/docs/concepts/services-networking/network-policies/
-- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/
-- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html
-- SLSA specification: https://slsa.dev/spec/v1.0/
+- [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions)
+- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/)
+- [Kubernetes, *Network Policies*](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html)
+- [SLSA specification](https://slsa.dev/spec/v1.0/)
 
 ---
 

docs/pages/devsecops/isolation/execution-sandboxing.mdx

@@ -23,9 +23,14 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
 <TagList tags={frontmatter.tags} />
 <AttributionList contributors={frontmatter.contributors} />
 
-> 🔑 **Key Takeaway**: Execution sandboxing reduces blast radius by running automation in ephemeral least-privilege environments and enforcing isolation across process, filesystem, identity, and network, with stronger boundaries for higher-risk workflows.
+> 🔑 **Key Takeaway**: Execution sandboxing reduces blast radius by running
+> automation in ephemeral least-privilege environments and enforcing isolation
+> across process, filesystem, identity, and network, with stronger boundaries
+> for higher-risk workflows.
 
-Execution sandboxing means running workloads inside controlled boundaries so that compromise of a job, script, or tool does **not** become compromise of your platform.
+Execution sandboxing means running workloads inside controlled boundaries
+so that compromise of a job, script, or tool does **not** become compromise
+of your platform.
 
 In DevSecOps, this applies to:
 
@@ -82,7 +87,9 @@ Treat these as separate enforcement planes:
 
 ### 2) Use ephemeral runners
 
-Each job should run on fresh infrastructure and be destroyed after completion. Avoid shared mutable state and persistent credentials between jobs.
+Each job should run on fresh infrastructure and be destroyed after
+completion. Avoid shared mutable state and persistent credentials
+between jobs.
 
 ### 3) Restrict privileged paths
 
@@ -98,15 +105,15 @@ Build, sign, publish, and deploy should be distinct stages with explicit policy
 
 ## References
 
-- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final
-- NIST SP 800-53 Rev. 5, *Security and Privacy Controls*: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
+- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final)
+- [NIST SP 800-53 Rev. 5, *Security and Privacy Controls*](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)
 
-- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/
-- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/
-- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html
-- gVisor documentation: https://gvisor.dev/docs/
-- Kata Containers documentation: https://github.com/kata-containers/documentation
-- Firecracker documentation: https://github.com/firecracker-microvm/firecracker/tree/main/docs
+- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/)
+- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html)
+- [gVisor documentation](https://gvisor.dev/docs/)
+- [Kata Containers documentation](https://github.com/kata-containers/documentation)
+- [Firecracker documentation](https://github.com/firecracker-microvm/firecracker/tree/main/docs)
 
 ---