You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While fixing #156 (yaml import warning), discovered that SecurityValidator has been silently fail-open since the v3.0 → v4.x refactor.
Root causes
Two independent regressions, both must be fixed for the validator to function:
yaml package not resolvable from ~/.pai/hooks/. PR SecurityValidator hook fires PreToolUse:Read error: missing 'yaml' package in ~/.pai/ #156 silences the import-time crash via lazy dynamic import + try/catch fail-open, but parseYaml permanently resolves to null because Bun resolves dynamic imports relative to the script file. From ~/.pai/hooks/, await import('yaml') rejects regardless of cwd. The hook always returns the empty fail-open config.
patterns.example.yaml no longer ships. The file exists only in older releases (Releases/v2.3/, v2.4/, v2.5/, v3.0/). It was dropped from Releases/v4.0.3+/. Even if yaml were resolvable, loadPatterns() would still fall through to the no-patterns fail-open branch.
Net effect
For every PreToolUse:Bash, PreToolUse:Read, PreToolUse:Edit, PreToolUse:Write call:
The hook executes
loadPatterns() returns the permissive empty config
validateBashCommand() and validatePath() always return { action: 'allow' }
No commands are blocked, no paths are protected, no security events are logged
All blocked-pattern, zero-access-path, and confirm-pattern protections are inactive.
Required changes
(a) Make yaml resolvable from ~/.pai/hooks/ — likely add ~/.pai/package.json declaring yaml as a dep + bun install step in the PAI installer, OR bundle yaml into the hook via bun build.
(b) Restore patterns.example.yaml under Releases/v4.0.3+/.claude/PAISECURITYSYSTEM/ (or wherever codePath('PAI', 'PAISECURITYSYSTEM', 'patterns.example.yaml') resolves to in the v4 layout) and have the installer copy it to the live runtime.
(c) Add a verification ISC: pattern matching actually triggers on a known-blocked test input (e.g. rm -rf / returns exit 2, ~/.ssh Read returns exit 2).
Severity
Medium-to-high. Users on PAI v4.0.3+ may believe SecurityValidator is protecting them when it isn't. No live exploit known, but the documented blocked/zeroAccess/noDelete protections silently do nothing.
Finding
While fixing #156 (yaml import warning), discovered that SecurityValidator has been silently fail-open since the v3.0 → v4.x refactor.
Root causes
Two independent regressions, both must be fixed for the validator to function:
yamlpackage not resolvable from~/.pai/hooks/. PR SecurityValidator hook fires PreToolUse:Read error: missing 'yaml' package in ~/.pai/ #156 silences the import-time crash via lazy dynamic import + try/catch fail-open, butparseYamlpermanently resolves tonullbecause Bun resolves dynamic imports relative to the script file. From~/.pai/hooks/,await import('yaml')rejects regardless of cwd. The hook always returns the empty fail-open config.patterns.example.yamlno longer ships. The file exists only in older releases (Releases/v2.3/,v2.4/,v2.5/,v3.0/). It was dropped fromReleases/v4.0.3+/. Even ifyamlwere resolvable,loadPatterns()would still fall through to the no-patterns fail-open branch.Net effect
For every PreToolUse:Bash, PreToolUse:Read, PreToolUse:Edit, PreToolUse:Write call:
loadPatterns()returns the permissive empty configvalidateBashCommand()andvalidatePath()always return{ action: 'allow' }All blocked-pattern, zero-access-path, and confirm-pattern protections are inactive.
Required changes
yamlresolvable from~/.pai/hooks/— likely add~/.pai/package.jsondeclaringyamlas a dep +bun installstep in the PAI installer, OR bundleyamlinto the hook viabun build.patterns.example.yamlunderReleases/v4.0.3+/.claude/PAISECURITYSYSTEM/(or wherevercodePath('PAI', 'PAISECURITYSYSTEM', 'patterns.example.yaml')resolves to in the v4 layout) and have the installer copy it to the live runtime.rm -rf /returns exit 2,~/.sshRead returns exit 2).Severity
Medium-to-high. Users on PAI v4.0.3+ may believe SecurityValidator is protecting them when it isn't. No live exploit known, but the documented
blocked/zeroAccess/noDeleteprotections silently do nothing.References
Releases/v3.0/.claude/skills/PAI/PAISECURITYSYSTEM/patterns.example.yaml