
`exec.Command` creates a `*exec.Cmd` that represents an external process. The arguments are passed directly to `execve` - no shell is involved, so shell metacharacters are inert. Run the command with `Output` (captures stdout), `Run` (waits for completion), or `Start` + `Wait` (async).

<ExamplePair>
<ExampleProse>

`Cmd.Output` runs the command, waits for it to finish, and returns stdout as a byte slice. `Cmd.CombinedOutput` captures both stdout and stderr together.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os/exec"
)

func main() {
    out, err := exec.Command("ls", "-la", "/tmp").Output()
    if err != nil {
        fmt.Println("error:", err)
        return
    }
    fmt.Print(string(out))
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`Cmd.Start` launches the process asynchronously. `Cmd.Wait` blocks until it exits and collects the exit code. Use this pattern when you want to do other work while the subprocess runs, or when you need to stream output.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os/exec"
)

func main() {
    cmd := exec.Command("sleep", "1")
    if err := cmd.Start(); err != nil {
        fmt.Println("start error:", err)
        return
    }
    fmt.Println("process started, pid:", cmd.Process.Pid)

    if err := cmd.Wait(); err != nil {
        fmt.Println("wait error:", err)
        return
    }
    fmt.Println("process finished")
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

Pipe stdout and stderr for streaming output. Attach `os.Stdin` to allow the subprocess to receive user input.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os"
    "os/exec"
)

func main() {
    cmd := exec.Command("go", "version")
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    if err := cmd.Run(); err != nil {
        fmt.Println("error:", err)
        return
    }
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
Never interpolate user input into `exec.Command` as a shell string - pass arguments as separate strings (`exec.Command("ls", "-la", userPath)`) which are exec'd directly without a shell interpreter. Shell injection (`exec.Command("sh", "-c", "ls "+userInput)`) is the most common security vulnerability in process-spawning code and allows arbitrary command execution when `userInput` contains shell metacharacters. For the rare case where you genuinely need a shell (pipelines, glob expansion), validate and sanitize input aggressively or use a subprocess allowlist. Always set a timeout via `context.WithTimeout` and pass the context to `exec.CommandContext` - a subprocess that hangs indefinitely holds the goroutine and its resources. Check the error from `cmd.Wait`: it is non-nil for non-zero exit codes, which are often meaningful (grep returns 1 when no match is found). To capture the exit code specifically, use `var exitErr *exec.ExitError; errors.As(err, &exitErr)` and inspect `exitErr.ExitCode()`.
</InProduction>


exec.Command runs a subprocess - use separate string arguments, not shell interpolation, to prevent command injection from user-supplied input.

Spawning Processes


`syscall.Exec` (or `golang.org/x/sys/unix.Exec` on Unix) replaces the running process with a new executable. Unlike `exec.Command`, there is no child process - the current process image is overwritten. On success it never returns.

<ExamplePair>
<ExampleProse>

`exec.LookPath` resolves a binary name to a full path using `$PATH`, which `syscall.Exec` requires. Pass the full argument list as the second argument - by convention `args[0]` is the binary name.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os"
    "os/exec"
    "syscall"
)

func main() {
    binary, err := exec.LookPath("ls")
    if err != nil {
        fmt.Println("could not find ls:", err)
        os.Exit(1)
    }

    args := []string{"ls", "-la", "/tmp"}
    env := os.Environ()

    // This call does not return on success.
    if err := syscall.Exec(binary, args, env); err != nil {
        fmt.Println("exec failed:", err)
        os.Exit(1)
    }
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

A common use case: a launcher or supervisor that re-execs itself after downloading an updated binary. Run any cleanup before calling `Exec` - deferred functions will not run.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os"
    "os/exec"
    "syscall"
)

func reexec(newBinary string) error {
    path, err := exec.LookPath(newBinary)
    if err != nil {
        return fmt.Errorf("look path: %w", err)
    }
    return syscall.Exec(path, os.Args, os.Environ())
}

func main() {
    // Perform any cleanup before re-exec; defer won't run after Exec.
    fmt.Println("handing off to updated binary")
    if err := reexec("/usr/local/bin/myapp-new"); err != nil {
        fmt.Println("re-exec failed:", err)
        os.Exit(1)
    }
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
`syscall.Exec` is for process-replacing wrappers - supervisors that re-exec on config reload, entrypoints that hand off to a different binary after initial setup, or shims that wrap another program. It does not return on success: any deferred functions, goroutines, and open file descriptors (other than those explicitly inherited) are lost. Do not use it as a substitute for `exec.Command` when you just want to run a subprocess and wait for it. On Linux the process keeps its PID, which is useful for PID-file-based process managers. Always flush logs and close non-inherited resources before calling `Exec` - there is no cleanup window after it succeeds. On non-Unix systems (Windows), `syscall.Exec` is not available; use `exec.Command` + `os.Exit` as an approximation, accepting that the process image is not replaced in place.
</InProduction>


syscall.Exec (or unix.Exec) replaces the current process image entirely - deferred functions never run, so use it only when you intentionally want to hand off to another binary.

Exec'ing Processes


`context.Context` carries a cancellation signal, a deadline, and optional key-value metadata through a call stack. Pass it as the first argument to any function that does I/O or calls an external service - the convention is enforced by linters and expected by the entire stdlib.

<ExamplePair>
<ExampleProse>

`context.WithCancel` returns a derived context and a cancel function. Calling cancel broadcasts the cancellation to every goroutine holding the context. Always call cancel - if you forget, the parent context leaks the child until the parent itself is cancelled.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "context"
    "fmt"
    "time"
)

func doWork(ctx context.Context, id int) {
    for {
        select {
        case <-ctx.Done():
            fmt.Printf("worker %d stopped: %v\n", id, ctx.Err())
            return
        case <-time.After(200 * time.Millisecond):
            fmt.Printf("worker %d tick\n", id)
        }
    }
}

func main() {
    ctx, cancel := context.WithCancel(context.Background())
    defer cancel()

    go doWork(ctx, 1)
    go doWork(ctx, 2)

    time.Sleep(600 * time.Millisecond)
    cancel()
    time.Sleep(100 * time.Millisecond)
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`context.WithTimeout` cancels the context automatically after the duration. `context.WithDeadline` does the same with an absolute time. Both return a cancel function - call it with `defer` to release resources when the operation finishes before the deadline.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "context"
    "fmt"
    "time"
)

func fetchData(ctx context.Context) (string, error) {
    // Simulate a slow operation
    select {
    case <-time.After(2 * time.Second):
        return "data", nil
    case <-ctx.Done():
        return "", ctx.Err()
    }
}

func main() {
    ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
    defer cancel()

    result, err := fetchData(ctx)
    if err != nil {
        fmt.Println("error:", err) // context deadline exceeded
        return
    }
    fmt.Println("result:", result)
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`context.WithValue` attaches request-scoped metadata. Use a private key type to avoid collisions across packages. Retrieve values with `ctx.Value(key)` and assert the type.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "context"
    "fmt"
)

type contextKey string

const traceIDKey contextKey = "traceID"

func handleRequest(ctx context.Context) {
    traceID, ok := ctx.Value(traceIDKey).(string)
    if !ok {
        fmt.Println("no trace ID in context")
        return
    }
    fmt.Println("handling request with trace ID:", traceID)
}

func main() {
    ctx := context.WithValue(context.Background(), traceIDKey, "abc-123")
    handleRequest(ctx)
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
Always accept `context.Context` as the first parameter of functions that do I/O or call external services - the convention is so universal that `go vet` flags violations. Never store a context in a struct field; contexts are request-scoped and must flow through the call stack, not be held across requests. Use `context.WithTimeout` for outbound HTTP calls, database queries, and gRPC calls - the zero-timeout default in `net/http` has caused countless production incidents where a slow downstream service held goroutines open indefinitely. Check `ctx.Done()` in long-running loops so cancellation is propagated promptly rather than only at the next I/O boundary. `context.WithValue` is for request-scoped metadata (trace IDs, auth info, request IDs) only - it is not a mechanism for passing optional function parameters, which belong in function signatures. Use a private unexported key type (a named `type contextKey string`) to avoid key collisions between packages that share a context.
</InProduction>


context.WithCancel / WithTimeout / WithDeadline propagate cancellation and deadlines through the call stack - pass context as the first argument to any function that does I/O.