diff --git a/containers/kingfisher/default.nix b/containers/kingfisher/default.nix
index d707c84..2d89984 100644
--- a/containers/kingfisher/default.nix
+++ b/containers/kingfisher/default.nix
@@ -1,66 +1,20 @@
 # Nix-built Kingfisher secret scanner
-# Built from upstream main + sporked feature branches applied as patches.
-# Runs on ringtail (amd64) via nix-container-builder runner.
-#
-# How it works:
-# 1. builtins.fetchGit fetches upstream and feature branches at eval time
-# 2. diff generates patches from upstream→feature in a sandboxed derivation
-# 3. buildRustPackage applies patches to the upstream source and builds
-#
-# To update:
-# 1. Update upstreamRev to the new main SHA
-# 2. Rebase feature branches onto new main (mirror-sync does this daily)
-# 3. Update feature revs to the new rebased SHAs
-# 4. Update Cargo.lock if dependencies changed
-#
-# The upstream rev must be an ancestor of each feature rev.
+# Built from sporked deploy branch (upstream + local patches)
+# Runs on ringtail (amd64) via nix-container-builder runner
 { pkgs ? import { } }:
 let
- version = "165768b";
- repoUrl = "https://forge.ops.eblu.me/eblume/kingfisher.git";
+ version = "1d37d29";
- upstreamRev = "165768b5ca9a85c2e8c64bed19bb197e82b45360";
-
- features = [
- {
- name = "clone-url-base";
- ref = "feature/upstream/clone-url-base";
- rev = "4d5ce57a12650ec54c41b909f8623a1d395aa0a9";
- }
- ];
-
- # Fetch upstream source at the pinned rev (eval-time, network access)
- upstreamSrc = builtins.fetchGit {
- url = repoUrl;
- ref = "main";
- rev = upstreamRev;
+ src = pkgs.fetchgit {
+ url = "https://forge.ops.eblu.me/eblume/kingfisher.git";
+ rev = "a4f2fe0337614fca81f7c386de998e5c3e0fc534";
+ hash = "sha256-jeuFzxjnsL/o9Uu9QMUSA77eXI3jm554+Z4NqYm6Q3w=";
 };
- # Fetch each feature branch source and generate a patch against upstream
- featurePatches = map (f:
- let
- featureSrc = builtins.fetchGit {
- url = repoUrl;
- ref = f.ref;
- rev = f.rev;
- };
- in
- pkgs.runCommand "spork-${f.name}.patch" {
- nativeBuildInputs = [ pkgs.diffutils pkgs.gnused ];
- } ''
- diff -ruN --no-dereference ${upstreamSrc} ${featureSrc} \
- | sed -e 's|${upstreamSrc}/|a/|g' -e 's|${featureSrc}/|b/|g' \
- > $out || true
- ''
- ) features;
-
 kingfisher = pkgs.rustPlatform.buildRustPackage {
+ inherit src version;
 pname = "kingfisher";
- inherit version;
- src = upstreamSrc;
-
- patches = featurePatches;
 # Cargo.lock is not committed upstream; we vendor a copy alongside default.nix
 cargoLock.lockFile = ./Cargo.lock;
@@ -73,7 +27,7 @@ let
 nativeBuildInputs = with pkgs; [
 cmake
 pkg-config
- python3
+ python3 # vectorscan build.rs needs python for cmake
 ];
 buildInputs = with pkgs; [
diff --git a/service-versions.yaml b/service-versions.yaml
index 6e67b24..57586f1 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -288,7 +288,7 @@ services:
 - name: kingfisher
 type: argocd
 last-reviewed: 2026-03-29
- current-version: "165768b"
+ current-version: "1d37d29"
 upstream-source: https://github.com/mongodb/kingfisher/releases
 notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.
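Review bot: The `version = "1d37d29"` label no longer names the commit that is actually built — `src` pins `rev = "a4f2fe0337614fca81f7c386de998e5c3e0fc534"` — and nothing in this file says what 1d37d29 is (service-versions.yaml calls it the upstream main SHA, which the deploy branch presumably sits on). I'd state the relationship next to the pin, e.g. `# version: upstream main SHA the deploy branch is rebased on; rev: the deploy-branch commit that is built`, so the two can be checked against each other on every bump. The old header's update procedure went away with the patch machinery; the new header should still say that a bump means updating `rev`, recomputing `hash` (a stale hash now fails the fetch rather than silently building old source, which is the right failure mode), and refreshing the vendored Cargo.lock that `cargoLock.lockFile` will otherwise reject. If the deploy branch is rebased daily the way the feature branches were, the pinned commit can become unreachable on the forge and `fetchgit` will no longer find it; consider fetching from a tag or a non-rebased branch so the SHA stays fetchable.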