# sigil: masks, wards, and one polite no-op

2026-06-10
https://tinksoft.com/log/sigil-masks-and-wards/

Sigil more than doubled this week, 770 lines to about 1,900, and most of the new weight is in the parts you touch.

## the new TUI

`tui/tui.go` and `tui/styles.go` got rewritten, and `tui/screens.go` is new. The interface is now a proper four-screen flow: a spinner while the scan runs, editable paths, a scrollable review list with a detail panel, and toasts when something happens. The review screen shells out to [locket](/projects/locket/) for real now.

That last part matters because I also deleted the old TUI flow, which removed findings without ever calling locket. Code that pretends to do the dangerous part is worse than no code at all. It went into the void unmourned.

## masks everywhere

Every finding now passes through `Masked()` before it reaches any surface: CLI output, the TUI, both report formats. A secret scanner that prints secrets in plaintext is just a leak with extra steps.

## the scanner got wiser

- A `.gitignore` parser built on the stdlib (`scan/gitignore.go`), so the scanner respects the same rules git does
- Binary-file sniffing, lockfile skipping, `_test.go` skipping
- A 1MB line buffer for files that have no business being one line, and always are

## two bugs I'm glad are dead

First, the flag parsing bug. `--exit-code` parsed without complaint and then did nothing, which means the pre-commit hook has been a polite no-op since the day I wrote it. Every commit it "checked" sailed through. Fixed in `main.go`, along with proper `--fix`, `--version`, and `--help`.

Second, quote injection in `ManualCommand`. The tool that guards secrets could be handed a quote character and made to run something else. A security tool with an injection bug is a special kind of shame, and it's patched.

Honorable mention: the AWS secret regex used to flag every hash in `go.sum`, which trained me to ignore its warnings entirely. It now requires actual aws context before it speaks. An alarm that always rings is furniture.

## housekeeping

Tests landed for the locket client, both report formats, the gitignore parser, and the TUI. The repo gained a real `.gitignore` and an MIT `LICENSE`. And `sigil.exe`, two stale reports, and a forgotten `test_config.py` are deleted and untracked, because compiled binaries belong in releases, not in git history.

All tests green. Self-scan clean. The ward holds.
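The two rules from the masks and AWS-regex sections, every finding masked before it is shown and the AWS secret shape only reported when the line carries AWS context, as one added example in Go. This is not Sigil's code: the `Finding` type, the loose 40-character shape regex, the per-line context gate and the 4-character mask prefix are all my assumptions, chosen to reproduce the `go.sum` false positive and the fix.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is a constructed stand-in for a scanner hit; Sigil's own types are not reproduced.
type Finding struct {
	Path   string
	Line   int
	Secret string
}

// Shape of an AWS secret access key: a 40-character base64-style run. Unanchored,
// it also matches the h1: hashes in go.sum, which is the noise the post describes.
var awsSecretShape = regexp.MustCompile(`[A-Za-z0-9/+=]{40}`)

// Context gate: the same line must mention AWS (case-insensitive).
var awsContext = regexp.MustCompile(`(?i)aws`)

// FindAWSSecrets reports a finding when the shape matches and, if requireContext
// is set, the line also carries AWS context, so a bare go.sum hash stays silent.
func FindAWSSecrets(path string, lines []string, requireContext bool) []Finding {
	var out []Finding
	for i, line := range lines {
		if requireContext && !awsContext.MatchString(line) {
			continue
		}
		for _, m := range awsSecretShape.FindAllString(line, -1) {
			out = append(out, Finding{Path: path, Line: i + 1, Secret: m})
		}
	}
	return out
}

// Masked keeps a 4-character prefix so an operator can recognise the value and
// stars out the rest; secrets of 8 characters or fewer are hidden entirely.
func (f Finding) Masked() string {
	keep := 4
	if len(f.Secret) <= 2*keep {
		keep = 0
	}
	return f.Secret[:keep] + strings.Repeat("*", len(f.Secret)-keep)
}
```

The gate is per line, so a `go.sum` entry for an AWS SDK module would still mention aws; that case is where the lockfile skipping from the same release does the work.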