On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior.

In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper resolution.

Wrapper resolution now prefers explicit PATH/PATHEXT entrypoint resolution and unwrapped Node/EXE execution, with strict fail-closed handling enabled by default for unresolvable wrapper cases.