Add custom Kingfisher container built from sporked deploy branch

- Dockerfile: multi-stage Rust build with Boost/vectorscan, debian-slim runtime
- Switch kustomization from upstream ghcr.io image to registry.ops.eblu.me
- Add kingfisher to service-versions.yaml (version tracks upstream main SHA)
- Document spork workflow in CLAUDE.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -121,6 +121,18 @@ from upstream.
 
 Ask user to mirror on forge first, then clone to `~/code/3rd/<project>/`.
 
+### Sporked Projects
+
+Some mirrored projects are "sporked" — a floating-branch soft-fork strategy
+where local patches are continuously rebased on top of upstream. See
+[[spork-strategy]] and [[create-a-spork]] for the full methodology.
+
+Sporked projects live in `~/code/3rd/<project>/` with three remotes:
+`origin` (eblume/ fork on forge), `mirror` (mirrors/ on forge), `upstream`
+(canonical). The `blumeops` branch is the default; `deploy` merges everything.
+
+Create a new spork: `mise run spork-create <mirror-name>`
+
 ## Task Discovery
 
 ```fish

argocd/manifests/kingfisher/cronjob.yaml

@@ -17,7 +17,7 @@ spec:
               type: RuntimeDefault
           containers:
             - name: kingfisher
-              image: ghcr.io/mongodb/kingfisher:kustomized
+              image: registry.ops.eblu.me/blumeops/kingfisher:kustomized
               command: ["/bin/sh", "-c"]
               args:
                 - |

argocd/manifests/kingfisher/kustomization.yaml

@@ -11,5 +11,5 @@ resources:
   - cronjob.yaml
 
 images:
-  - name: ghcr.io/mongodb/kingfisher
-    newTag: "1.91.0"
+  - name: registry.ops.eblu.me/blumeops/kingfisher
+    newTag: kustomized

containers/kingfisher/Dockerfile

@@ -0,0 +1,42 @@
+# Kingfisher — built from sporked deploy branch
+# Multi-stage: Rust build with vectorscan/Boost, then minimal Alpine runtime
+ARG CONTAINER_APP_VERSION=latest
+
+# --- Build stage ---
+FROM rust:1.92-bookworm AS build
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        cmake pkg-config libboost-dev git ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+ARG CONTAINER_APP_VERSION
+RUN git clone --branch deploy \
+        https://forge.ops.eblu.me/eblume/kingfisher.git . \
+    && git checkout "${CONTAINER_APP_VERSION}"
+
+RUN cargo build --release \
+    && install -m 0755 target/release/kingfisher /usr/local/bin/kingfisher
+
+# Quick smoke-test
+RUN kingfisher --version
+
+# --- Runtime stage ---
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        git ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=build /usr/local/bin/kingfisher /usr/local/bin/kingfisher
+
+RUN groupadd -r app && useradd -r -g app -d /app app \
+    && mkdir -p /app && chown app:app /app
+
+USER app
+WORKDIR /app
+
+RUN kingfisher --version
+
+ENTRYPOINT ["kingfisher"]

docs/changelog.d/feature-kingfisher-container.feature.md

@@ -0,0 +1 @@
+Build custom Kingfisher container from sporked deploy branch, replacing upstream image with locally-built version including --clone-url-base patch.

service-versions.yaml

@@ -285,6 +285,13 @@ services:
     upstream-source: https://github.com/prowler-cloud/prowler/releases
     notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri
 
+  - name: kingfisher
+    type: argocd
+    last-reviewed: 2026-03-29
+    current-version: "1d37d29"
+    upstream-source: https://github.com/mongodb/kingfisher/releases
+    notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.
+
   - name: forgejo
     type: ansible
     last-reviewed: 2026-03-28