Add custom Kingfisher container built from sporked feature branches

- Dockerfile: deterministic build from pinned CONTAINER_APP_VERSION + FEATURES
- Merges named feature branches at specific SHAs for reproducibility
- Switch CronJob to custom image with --clone-url-base and --all-organizations
- Add kingfisher to service-versions.yaml (version tracks upstream main SHA)
- Document spork container builds in new how-to card
- Document spork workflow in CLAUDE.md
- Update kingfisher service docs for custom image

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

containers/kingfisher/default.nix

@@ -1,20 +1,66 @@
 # Nix-built Kingfisher secret scanner
-# Built from sporked deploy branch (upstream + local patches)
+# Built from upstream main + sporked feature branches applied as patches.
-# Runs on ringtail (amd64) via nix-container-builder runner
+# Runs on ringtail (amd64) via nix-container-builder runner.
+#
+# How it works:
+#   1. builtins.fetchGit fetches upstream and feature branches at eval time
+#   2. diff generates patches from upstream→feature in a sandboxed derivation
+#   3. buildRustPackage applies patches to the upstream source and builds
+#
+# To update:
+#   1. Update upstreamRev to the new main SHA
+#   2. Rebase feature branches onto new main (mirror-sync does this daily)
+#   3. Update feature revs to the new rebased SHAs
+#   4. Update Cargo.lock if dependencies changed
+#
+# The upstream rev must be an ancestor of each feature rev.
 { pkgs ? import <nixpkgs> { } }:
 
 let
-  version = "1d37d29";
+  version = "165768b";
+  repoUrl = "https://forge.ops.eblu.me/eblume/kingfisher.git";
 
-  src = pkgs.fetchgit {
+  upstreamRev = "165768b5ca9a85c2e8c64bed19bb197e82b45360";
-    url = "https://forge.ops.eblu.me/eblume/kingfisher.git";
+
-    rev = "a4f2fe0337614fca81f7c386de998e5c3e0fc534";
+  features = [
-    hash = "sha256-jeuFzxjnsL/o9Uu9QMUSA77eXI3jm554+Z4NqYm6Q3w=";
+    {
+      name = "clone-url-base";
+      ref = "feature/upstream/clone-url-base";
+      rev = "4d5ce57a12650ec54c41b909f8623a1d395aa0a9";
+    }
+  ];
+
+  # Fetch upstream source at the pinned rev (eval-time, network access)
+  upstreamSrc = builtins.fetchGit {
+    url = repoUrl;
+    ref = "main";
+    rev = upstreamRev;
   };
 
+  # Fetch each feature branch source and generate a patch against upstream
+  featurePatches = map (f:
+    let
+      featureSrc = builtins.fetchGit {
+        url = repoUrl;
+        ref = f.ref;
+        rev = f.rev;
+      };
+    in
+    pkgs.runCommand "spork-${f.name}.patch" {
+      nativeBuildInputs = [ pkgs.diffutils pkgs.gnused ];
+    } ''
+      diff -ruN --no-dereference ${upstreamSrc} ${featureSrc} \
+        | sed -e 's|${upstreamSrc}/|a/|g' -e 's|${featureSrc}/|b/|g' \
+        > $out || true
+    ''
+  ) features;
+
   kingfisher = pkgs.rustPlatform.buildRustPackage {
-    inherit src version;
     pname = "kingfisher";
+    inherit version;
+    src = upstreamSrc;
+
+    patches = featurePatches;
 
     # Cargo.lock is not committed upstream; we vendor a copy alongside default.nix
     cargoLock.lockFile = ./Cargo.lock;
@@ -27,7 +73,7 @@ let
     nativeBuildInputs = with pkgs; [
       cmake
       pkg-config
-      python3  # vectorscan build.rs needs python for cmake
+      python3
     ];
 
     buildInputs = with pkgs; [

service-versions.yaml

@@ -288,7 +288,7 @@ services:
   - name: kingfisher
     type: argocd
     last-reviewed: 2026-03-29
-    current-version: "1d37d29"
+    current-version: "165768b"
     upstream-source: https://github.com/mongodb/kingfisher/releases
     notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.