chore(ci): bump ai-toolkit pin to 83ac42b for bullfrog allowlist fix #107

Open
dgilmanuni wants to merge 1 commit into main from chore/bump-docs-check-pin

dgilmanuni commented May 14, 2026

Summary

  • After fix(ci): drop removed plugin_ref input from docs-check caller #106 fixed the schema mismatch that was hiding behind startup_failure, the docs-check job started actually running — and timing out after 15 minutes.
  • Root cause: at the previous pin (96ef665), bullfrogsec/bullfrog ran with egress-policy: block and an allowlist that did not include registry.npmjs.org. The Claude Code action's tool processes appear to hit the npm registry at runtime; every request was blocked, and the action retried until the 15-minute job timeout killed it.
  • ai-toolkit#501 (now on main at 83ac42b) adds registry.npmjs.org, *.npmjs.org, claude.ai, *.claude.ai to the bullfrog allowlist and bumps anthropics/claude-code-action to v1.0.119. This PR bumps the uniswap-ai pin past that fix.

What changed

  • .github/workflows/claude-docs-check.yml: bumped the reusable-workflow pin from 96ef665ba04221de07e94fcc3ea69fe32c7cf306 to 83ac42bf6a63fdaa2fc71c760b02ab85df21068a (one line).

Test plan

  • actionlint .github/workflows/claude-docs-check.yml — clean.
  • Verified the reusable workflow at 83ac42b has registry.npmjs.org in its bullfrog allowlist and uses claude-code-action@v1.0.119 (vs. v1.0.75 at the old pin).
  • After merge: a docs-check run should complete (verdict PASS/FAIL with a real Claude analysis) instead of timing out at 15:00.

Session context

Investigation

Following PR #106, the docs-check job on the same branch went from startup_failure → CANCELLED. The job ran 15:17 and the "Run Claude Docs Check" step was killed at exactly 14:39 elapsed — the timeout_minutes default in the reusable workflow.

Log analysis (gh run view ... --log) showed the step's tail was dominated by repeated [+058329-04-14T...] Blocked DNS request to registry.npmjs.org from unknown process warnings — bullfrog's egress sandbox firing for the full duration. Far-future timestamps are bullfrog's internal sandbox clock, not real time.

git log -S 'registry.npmjs' .github/workflows/_claude-docs-check.yml in Uniswap/ai-toolkit pointed to 3a4dbad (ai-toolkit#501): "fix(workflows): bump claude-code-action and expand egress allowlists". That diff:

+            claude.ai
+            *.claude.ai
             bun.sh
+            registry.npmjs.org
+            *.npmjs.org
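
Review bot: the wildcard entries *.npmjs.org and *.claude.ai in this hunk open egress wider than the evidence quoted above supports, since the log excerpt shows only registry.npmjs.org being blocked. Consider keeping the exact hosts (registry.npmjs.org, claude.ai) and adding a wildcard only once a run shows a blocked request to a specific subdomain, and record next to each allowlist entry which step needs it so later reviewers can prune the list.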

…plus a bump of anthropics/claude-code-action from v1.0.75 → v1.0.115 (then v1.0.119 by the time of 83ac42b). The fix landed on ai-toolkit main between PR #106 being authored and this PR.

Options evaluated and rejected

  • Bump timeout_minutes in the caller. Rejected — the root cause is bullfrog blocking npm DNS, not a slow run. More time just burns more Anthropic spend on the same retry loop.
  • Override the bullfrog allowlist locally in the caller. Not possible: the reusable workflow's bullfrogsec/bullfrog step runs inside the reusable workflow itself; the caller doesn't have a hook to amend its with: block. The fix has to come from ai-toolkit.
  • Pin to an even newer SHA than 83ac42b. 83ac42b is current ai-toolkit main HEAD as of this PR and is the first commit that contains the fix's stable form (v1.0.119 of claude-code-action). Going further chases a moving target.

Related

  • Builds on fix(ci): drop removed plugin_ref input from docs-check caller #106, which removed the plugin_ref input that was causing startup_failure upstream of this issue.
  • The same out-of-date pin (96ef665) is also used by claude-code-review.yml and generate-pr-title-description.yml. Those workflows are currently green, so they're not strictly broken, but they will pick up the same bullfrog allowlist gap the next time a Claude tool call needs npm. Worth bumping in a follow-up if we see similar timeouts elsewhere.

🤖 Generated with Claude Code

AI-Generated Description

Summary

Bumps the ai-toolkit reusable workflow pin in claude-docs-check.yml from 96ef665 to 83ac42b to pick up the bullfrog egress allowlist fix that was causing the docs-check job to time out.

Changes

  • .github/workflows/claude-docs-check.yml: updated reusable workflow SHA from 96ef665ba04221de07e94fcc3ea69fe32c7cf306 to 83ac42bf6a63fdaa2fc71c760b02ab85df21068a

Notes

  • After fix(ci): drop removed plugin_ref input from docs-check caller #106 fixed the startup_failure, the docs-check job started actually running but timed out at 15 minutes because bullfrogsec/bullfrog was blocking DNS requests to registry.npmjs.org
  • The new pin (83ac42b, ai-toolkit#501) adds registry.npmjs.org, *.npmjs.org, claude.ai, *.claude.ai to the bullfrog allowlist and bumps anthropics/claude-code-action to v1.0.119
  • Sibling workflows (claude-code-review.yml, generate-pr-title-description.yml) still use the old pin (96ef665) — worth bumping in a follow-up if similar timeouts appear

Test plan

  • actionlint .github/workflows/claude-docs-check.yml — clean
  • After merge: docs-check run completes with a real Claude analysis instead of timing out

After #106 unblocked the workflow's startup_failure, the docs-check
job started timing out at the 15-minute reusable-workflow default.
Logs showed bullfrog's egress sandbox blocking DNS to
registry.npmjs.org for the entire run, causing the Claude tool to
retry until the timeout reaper killed the job.

ai-toolkit#501 (merged today, on main at 83ac42b) adds
registry.npmjs.org + *.npmjs.org + claude.ai / *.claude.ai to the
bullfrog allowlist and bumps anthropics/claude-code-action to
v1.0.119. Bumping the pin past that fix should let docs-check
actually complete on PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
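
The log triage described in the PR above, as an added example that is not part of the pull request or of bullfrog: it counts "Blocked DNS request" warnings per domain and checks whether a candidate allowlist covers them. The function names, the sample log, and the wildcard semantics (a `*.x` entry matches subdomains of x but not x itself) are assumptions; the allowlists hold only the entries visible in the quoted hunk.

```python
import re
from collections import Counter

# Shape of the warning quoted in the PR; the bracketed sandbox timestamp is skipped.
BLOCKED = re.compile(r"Blocked DNS request to (\S+) from ")

# Only the entries visible in the quoted hunk; the real allowlists may hold more.
OLD_ALLOW = ["bun.sh"]
NEW_ALLOW = ["claude.ai", "*.claude.ai", "bun.sh", "registry.npmjs.org", "*.npmjs.org"]

# Constructed sample log; the last blocked domain is invented for illustration.
SAMPLE_LOG = """\
[+058329-04-14T...] Blocked DNS request to registry.npmjs.org from unknown process
[+058329-04-14T...] Blocked DNS request to registry.npmjs.org from unknown process
[+058329-04-14T...] Blocked DNS request to registry.npmjs.org from unknown process
[+058329-04-14T...] Blocked DNS request to telemetry.example.invalid from unknown process
"""

def allowed(domain, allowlist):
    """Assumed matching: exact host, or '*.x' for any subdomain of x (not x itself)."""
    d = domain.lower().rstrip(".")
    for entry in (e.lower() for e in allowlist):
        if entry.startswith("*."):
            suffix = entry[1:]  # "*.npmjs.org" -> ".npmjs.org"
            if d.endswith(suffix) and d != suffix:
                return True
        elif d == entry:
            return True
    return False

def blocked_domains(log_text):
    """Count blocked DNS lookups per domain in a job log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BLOCKED.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts

def triage(log_text, allowlist):
    """Split blocked domains into those the allowlist covers and those it does not."""
    covered, uncovered = {}, {}
    for domain, hits in blocked_domains(log_text).items():
        (covered if allowed(domain, allowlist) else uncovered)[domain] = hits
    return covered, uncovered

if __name__ == "__main__":
    for name, allowlist in (("old pin", OLD_ALLOW), ("new pin", NEW_ALLOW)):
        covered, uncovered = triage(SAMPLE_LOG, allowlist)
        print(name, "covered:", covered, "still blocked:", uncovered)
```

A domain left in the uncovered set after a pin bump is a prompt to find out which step is making the request before anyone adds it to the allowlist.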

vercel Bot commented May 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
uniswap-ai-docs Ready Ready Preview, Comment May 14, 2026 4:02pm

@github-actions

🤖 Claude Code Review

🔄 Review in progress... Claude is analyzing this pull request. If a review can be seen below, it will be replaced by the results of this one.

⏱️ Reviews typically complete within 5-15 minutes depending on PR size.

Waiting for review to complete...


💡 Want a fresh review? Add a comment containing @request-claude-review to trigger a new review at any time.

@github-actions

📚 Documentation Check ✅

Verdict: Passed

CI infrastructure change only - no plugin modifications, no documentation updates required


Documentation Check: PASS ✅

Changed Files: .github/workflows/claude-docs-check.yml

Change Type: CI infrastructure update (workflow pin bump)

Analysis

No plugin code modified - The critical plugin version bump check does not apply

No documentation updates needed - This is purely a CI maintenance change that doesn't affect user-facing functionality or package code

ℹ️ Optional changelog entry - While not required, you could optionally document this CI fix in CHANGELOG.md

Summary

This PR updates the claude-docs-check workflow to use a newer version of ai-toolkit (fixing a bullfrog allowlist issue). Since no plugin code or user-facing functionality was modified, no documentation updates are required.

Suggestions (1)

💡 Inline suggestions have been posted as review comments. Click "Commit suggestion" to apply each fix directly.

  • ℹ️ CHANGELOG.md: Optional changelog entry for CI maintenance. This is informational only and not required for approval.

🤖 Generated by Claude Documentation Validator | Mode: suggest
