You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Every Read tool call in a Claude Code session emits this non-blocking warning:
PreToolUse:Read hook error
Failed with non-blocking status code: error:
Cannot find package 'yaml' from '/Users/ianmarr/.pai/hooks/SecurityValidator.hook.ts'
Status is non-blocking, so the Read still succeeds — but the warning fires on every Read across the entire session, polluting output and obscuring real errors.
Root cause
SecurityValidator.hook.ts imports the third-party yaml package:
But there is no package.json or node_modules resolvable from ~/.pai/hooks/ upward:
$ ls /Users/ianmarr/.pai/package.json /Users/ianmarr/.pai/node_modules
ls: /Users/ianmarr/.pai/node_modules: No such file or directory
ls: /Users/ianmarr/.pai/package.json: No such file or directory
$ ls /Users/ianmarr/.pai/hooks/package.json /Users/ianmarr/.pai/hooks/node_modules
ls: /Users/ianmarr/.pai/hooks/node_modules: No such file or directory
ls: /Users/ianmarr/.pai/hooks/package.json: No such file or directory
Bun resolves npm imports starting from the source file's directory and walking up. With no node_modules containing yaml anywhere on that path, the hook crashes during import.
Scope
Likely affects more than just SecurityValidator.hook.ts. The same pattern exists in Releases/v4.0.3+/.claude/hooks/SecurityValidator.hook.ts:66, so this is not runtime-only drift — fresh installs of v4.0.3+ should hit the same issue unless the install path arranges yaml to be resolvable. Worth auditing every hook in ~/.pai/hooks/*.ts for third-party imports (17 hooks present) to scope the full failure surface.
Reproduction
Have PAI v4.0.3+ installed with hooks at ~/.pai/hooks/.
Start any Claude Code session.
Trigger any tool that fires PreToolUse:Read (e.g. read any file).
Observe Cannot find package 'yaml' from '/Users/ianmarr/.pai/hooks/SecurityValidator.hook.ts' warning.
Suggested directions (not committing to one)
(a) Add package.json + bun-install at runtime root. Place a minimal ~/.pai/package.json declaring yaml (and any other hook deps), run bun install during install, and ensure ~/.pai/node_modules is populated. Most direct fix.
(b) Resolve from ~/.claude/. If ~/.claude/ already has node_modules with yaml, configure Bun resolution roots so ~/.pai/hooks/*.ts can import from ~/.claude/node_modules. Avoids duplicating deps.
(c) Bundle deps into the hook.bun build --bundle the hook so all imports are inlined. No runtime resolution needed but loses easy patching.
(d) Eliminate the dep.yaml is only used to parse patterns.yaml (security pattern definitions). Could swap for a JSON file or hand-written parser if the format is small enough. Reduces dependency surface.
Investigation context
Hook mtime: 7 Apr 20:31 — predates current PAI work; not introduced by recent PRs.
Same import { parse as parseYaml } from 'yaml'; line is present in repo at Releases/v4.0.3+/.claude/hooks/SecurityValidator.hook.ts:66 — so the fix needs to land in the shipped artefact, not just the runtime.
Symptom
Every
Readtool call in a Claude Code session emits this non-blocking warning:Status is
non-blocking, so the Read still succeeds — but the warning fires on every Read across the entire session, polluting output and obscuring real errors.Root cause
SecurityValidator.hook.tsimports the third-partyyamlpackage:But there is no
package.jsonornode_modulesresolvable from~/.pai/hooks/upward:Bun resolves npm imports starting from the source file's directory and walking up. With no
node_modulescontainingyamlanywhere on that path, the hook crashes during import.Scope
Likely affects more than just
SecurityValidator.hook.ts. The same pattern exists inReleases/v4.0.3+/.claude/hooks/SecurityValidator.hook.ts:66, so this is not runtime-only drift — fresh installs of v4.0.3+ should hit the same issue unless the install path arrangesyamlto be resolvable. Worth auditing every hook in~/.pai/hooks/*.tsfor third-party imports (17 hooks present) to scope the full failure surface.Reproduction
~/.pai/hooks/.PreToolUse:Read(e.g. read any file).Cannot find package 'yaml' from '/Users/ianmarr/.pai/hooks/SecurityValidator.hook.ts'warning.Suggested directions (not committing to one)
package.json+ bun-install at runtime root. Place a minimal~/.pai/package.jsondeclaringyaml(and any other hook deps), runbun installduring install, and ensure~/.pai/node_modulesis populated. Most direct fix.~/.claude/. If~/.claude/already hasnode_moduleswithyaml, configure Bun resolution roots so~/.pai/hooks/*.tscan import from~/.claude/node_modules. Avoids duplicating deps.bun build --bundlethe hook so all imports are inlined. No runtime resolution needed but loses easy patching.yamlis only used to parsepatterns.yaml(security pattern definitions). Could swap for a JSON file or hand-written parser if the format is small enough. Reduces dependency surface.Investigation context
7 Apr 20:31— predates current PAI work; not introduced by recent PRs.import { parse as parseYaml } from 'yaml';line is present in repo atReleases/v4.0.3+/.claude/hooks/SecurityValidator.hook.ts:66— so the fix needs to land in the shipped artefact, not just the runtime.Readin the session triggered the warning.