For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv[0] tokens (for example tr). If PATH resolution changed after approval, execution could run a different binary.

A previously approved action could execute a different executable than the operator approved.

Node system.run approvals now require immutable systemRunPlan data, and path-token commands are pinned to canonical executable identity (realpath) across approval and execution.