3 files changed, 62 insertions, 24 deletions

diff --git a/canary-templates/memdmp:estrogen.zone b/canary-templates/memdmp:estrogen.zone
index 0550da8..3478f78 100644
--- a/canary-templates/memdmp:estrogen.zone
+++ b/canary-templates/memdmp:estrogen.zone
@@ -19,7 +19,7 @@
  ┃   correct key, this message certifies that, to the extent of memdmp's knowledge,
  ┃   estrogen.zone and it's operators and administrators have, for...
  ┃   
- ┃   ...git.estrogen.zone, mail.estrogen.zone, ntfy.estrogen.zone:
+ ┃   ...nandcat.estrogen.zone:
  ┃   - obtained 0 law enforcement request(s) for customer/user data, of which,
  ┃   - obtained 0 were legally valid, sent in the correct channels, and resulted
  ┃       in data being turned over
@@ -40,13 +40,16 @@
  ┃   
  ┣━ Kyun ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
  ┃   
- ┃   We have noticed the kyun canary states they have turned over some data.
- ┃   Any of our remote systems may be, in some way, shape or form, compromised.
+ ┃   Data on nandcat, prior to some point before Jan 1st 2026, was stored on Kyun.
+ ┃   Data on yuridick.gay is still stored on Kyun. See below.
+ ┃   
+ ┃   We have noticed the Kyun canary states they have turned over some data.
+ ┃   We have no way to guarantee this does not include old nandcat data.
  ┃   
  ┃   Additionally, their old signing key 120FC25E2A9A3F4784AC6B0EA0B522B4DA201019
  ┃   has expired. It has signed a new key created 10 days after expiration.
  ┃   
- ┃   We are working on mitigating this over time.
+ ┃   All keys on the host, to the extent of our knowledge, have been rotated.
  ┃   
  ┃   see also:
  ┃   git.estrogen.zone/mem-estrogen-zone.git/commit/?id=082a734b95cb8c84e099dc7860d493cea28314b8
@@ -71,17 +74,44 @@
 
  ┏━ External Providers ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
  ┃   
- ┃   Certain services are provided via kyun, which's canary can be found at
+ ┃   Some hosts are run by external organisations and not by us. These
+ ┃   are:
+ ┃   
+ ┃╌╌╌╌ Kyun ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌
+ ┃   
+ ┃   Certain services are provided via Kyun, which's canary can be found at
  ┃   https://files.kyun.host/canary.txt and must be signed by
  ┃   120F C25E 2A9A 3F47 84AC 6B0E A0B5 22B4 DA20 1019.
  ┃   
  ┃   These services are:
- ┃   - estrogen.zone, git.estrogen.zone, mail.estrogen.zone,
- ┃                    mem.estrogen.zone, ntfy.estrogen.zone
- ┃   - yuridick.gay, n.yuridick.gay
+ ┃   - yuridick.gay (incl. subdomains)
  ┃   
  ┃   Without a valid kyun canary, this canary's validity is void.
  ┃   
+ ┃╌╌╌╌ mvps ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌
+ ┃   
+ ┃   Certain services are provided via mvps. They do not have a warrant canary
+ ┃   yet.
+ ┃   
+ ┃   These services are:
+ ┃   - nandcat.estrogen.zone
+ ┃     - estrogen.zone static sites (estrogen.zone, feishin.estrogen.zone, static.estrogen.zone)
+ ┃     - estrogen.zone matrix
+ ┃     - v4.estrogen.zone, v6.estrogen.zone
+ ┃     - mail.estrogen.zone, mta-sts.estrogen.zone, mta-sts.neobot.systems
+ ┃     - ntfy.estrogen.zone
+ ┃     - git.estrogen.zone
+ ┃     - load.femboy.cafe
+ ┃   
+ ┃   For these services, you need to have trust in mvps.
+ ┃   
+ ┃   Some of these services (namely Matrix, and for e2ee mails E-Mail) do
+ ┃   cryptography to guarantee security even in the event of a host compromise.
+ ┃   
+ ┃   For mail.estrogen.zone, at-rest GPG encryption for incoming mails can be
+ ┃   enabled, as to ensure emails are secure if the host was not compromised
+ ┃   at the time of receiving the emails.
+ ┃   
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
 
  ┏━ Canary Deadline ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
@@ -137,7 +167,7 @@
  ┃   If you wish to use this canary, or one derived thereof, for your own
  ┃   services, you must comply with the licencse below (SPDX: BSD-3-Clause):
  ┃   
- ┃   Copyright 2024 memdmp
+ ┃   Copyright 2024-2026 memdmp
  ┃   
  ┃   Redistribution and use in source and binary forms, with or without
  ┃   modification, are permitted provided that the following conditions
diff --git a/src/app.css b/src/app.css
index c522036..1c34312 100644
--- a/src/app.css
+++ b/src/app.css
@@ -65,6 +65,11 @@
 }
 @utility quicklink {
   @apply text-accent-primary transition-all afterunderline-accent-primary hover:afterunderline-hoverstate active:afterunderline-hoverstate focus:afterunderline-hoverstate hover:text-white active:text-white focus:text-white outline-0;
+  /* a11y: primary is not perfectly visible in light theme under AA/AAA, let's fix that by giving it more artificial contrast */
+  [data-blog-theme="light"] &:not(:active):not(:hover):not(:focus) {
+    /* remember we're inverted in light theme */
+    text-shadow: 0px 0px 1.2px #fff8;
+  }
 }
 
 @utility internal-header-active {
@@ -227,6 +232,8 @@
 }
 [data-blog-theme=light] {
   @apply invert hue-rotate-180;
+  /* minor change to barely get into AA for headlines */
+  --color-accent-primary: #f46061;
 }
 [data-blog-theme] {
   transition-property: filter;
diff --git a/static/canaries/memdmp:estrogen.zone b/static/canaries/memdmp:estrogen.zone
index 0866acc..a704626 100644
--- a/static/canaries/memdmp:estrogen.zone
+++ b/static/canaries/memdmp:estrogen.zone
@@ -4,15 +4,15 @@ Hash: SHA512
  ┏━ Date & Time Information ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
  ┃   
  ┃   Canary was created at:
- ┃   2026-01-14 00:48:24 (UTC)
+ ┃   2026-02-05 13:36:04 (UTC)
  ┃   
  ┣━ Proof of Date & Time ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
  ┃   
  ┃   Latest Monero block hash:
- ┃   f4eaf2305351edb9ea8c545aa4bfc6d690041e0f3e8152eed77e4063c6348a0d
+ ┃   185e8d296e59688a799b690c53ddb5dbf4b93e9510083aa7906fbdb49acd424b
  ┃   
  ┃   Latest Linux kernel.org `master` commit:
- ┃   b54345928fa1dbde534e32ecaa138678fd5d2135
+ ┃   f14faaf3a1fb3b9e4cf2e56269711fb85fba9458
  ┃   
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
 
@@ -22,7 +22,7 @@ Hash: SHA512
  ┃   correct key, this message certifies that, to the extent of memdmp's knowledge,
  ┃   estrogen.zone and it's operators and administrators have, for...
  ┃   
- ┃   ...git.estrogen.zone, mail.estrogen.zone, ntfy.estrogen.zone:
+ ┃   ...nandcat.estrogen.zone:
  ┃   - obtained 0 law enforcement request(s) for customer/user data, of which,
  ┃   - obtained 0 were legally valid, sent in the correct channels, and resulted
  ┃       in data being turned over
@@ -43,13 +43,16 @@ Hash: SHA512
  ┃   
  ┣━ Kyun ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
  ┃   
- ┃   We have noticed the kyun canary states they have turned over some data.
- ┃   Any of our remote systems may be, in some way, shape or form, compromised.
+ ┃   Data on nandcat, prior to some point before Jan 1st 2026, was stored on Kyun.
+ ┃   Data on yuridick.gay is still stored on Kyun. See below.
+ ┃   
+ ┃   We have noticed the Kyun canary states they have turned over some data.
+ ┃   We have no way to guarantee this does not include old nandcat data.
  ┃   
  ┃   Additionally, their old signing key 120FC25E2A9A3F4784AC6B0EA0B522B4DA201019
  ┃   has expired. It has signed a new key created 10 days after expiration.
  ┃   
- ┃   We are working on mitigating this over time.
+ ┃   All keys on the host, to the extent of our knowledge, have been rotated.
  ┃   
  ┃   see also:
  ┃   git.estrogen.zone/mem-estrogen-zone.git/commit/?id=082a734b95cb8c84e099dc7860d493cea28314b8
@@ -79,8 +82,6 @@ Hash: SHA512
  ┃   120F C25E 2A9A 3F47 84AC 6B0E A0B5 22B4 DA20 1019.
  ┃   
  ┃   These services are:
- ┃   - estrogen.zone, git.estrogen.zone, mail.estrogen.zone,
- ┃                    mem.estrogen.zone, ntfy.estrogen.zone
  ┃   - yuridick.gay, n.yuridick.gay
  ┃   
  ┃   Without a valid kyun canary, this canary's validity is void.
@@ -94,9 +95,9 @@ Hash: SHA512
  ┃   where the time of publishing is defined as the lowest one of:
  ┃   - The date & time at the top of the canary
  ┃   - The creation time of the monero hash at the top of this canary
- ┃       (https://localmonero.co/blocks/block/f4eaf2305351edb9ea8c545aa4bfc6d690041e0f3e8152eed77e4063c6348a0d)
+ ┃       (https://localmonero.co/blocks/block/185e8d296e59688a799b690c53ddb5dbf4b93e9510083aa7906fbdb49acd424b)
  ┃   - The creation time of the linux kernel commit at the top of this canary
- ┃       (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b54345928fa1dbde534e32ecaa138678fd5d2135)
+ ┃       (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f14faaf3a1fb3b9e4cf2e56269711fb85fba9458)
  ┃   
  ┃   If the date & time are wildly out of line, or are outside of the key
  ┃   signing this file's validity range, this canary is to be discarded.
@@ -172,8 +173,8 @@ Hash: SHA512
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅┅┅┅┅┅┅┄┄┄┄┄
 -----BEGIN PGP SIGNATURE-----
 
-iHUEARYKAB0WIQS1RnePBrvMjsFn2zzZGXBkh7i23gUCaWbn3gAKCRDZGXBkh7i2
-3oGJAQDc2VXZ30RyyfrJlbEPPgMSE2q1fWuHttJr6hzf4Ws1PQEA88MSoq6kXRnu
-OUuD2ChP0V0MCeAdLX2wZST+LJ2wYgE=
-=hZMP
+iHUEARYKAB0WIQS1RnePBrvMjsFn2zzZGXBkh7i23gUCaYSdFgAKCRDZGXBkh7i2
+3nezAQDYCjfn2kfQOc49T35yBZoLLUkYDkv5UBdLVsALYMI0kwEA6zzBSpvvRwDf
+SGB2K/GMFaql3aKsR/tk2xtypb+CswQ=
+=Jnm5
 -----END PGP SIGNATURE-----