From 74bcdaff28e591e39b0162e5f45a9618f25133ed Mon Sep 17 00:00:00 2001
From: Carlos Alexandro Becker
Date: Mon, 18 Aug 2025 17:23:28 -0300
Subject: [PATCH] sec: remove 'go' from safe programs (#820)

It could be used to prompt inject commands e.g. `go test -exec`. Plus, we don't have other languages there, so I think we remove Go as well. Ideally, we could ask haiku if the command is read only or not, and ask for perms based on that, but for now I think this will do. Thanks Will Vandevanter for the report.
Signed-off-by: Carlos Alexandro Becker
---
 internal/llm/tools/safe.go | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/internal/llm/tools/safe.go b/internal/llm/tools/safe.go
index fe693127055d9fe644948814d8ec8ae08704633b..b0e6635393632390cba1e09d1d5df336fb1979cb 100644
--- a/internal/llm/tools/safe.go
+++ b/internal/llm/tools/safe.go
@@ -52,21 +52,6 @@ var safeCommands = []string{
 "git show",
 "git status",
 "git tag",
-
- // Go
- "go build",
- "go clean",
- "go doc",
- "go env",
- "go fmt",
- "go help",
- "go install",
- "go list",
- "go mod",
- "go run",
- "go test",
- "go version",
- "go vet",
 }

 func init() {