Add optional Hunter invariant workflow (value-conservation regression guardrail) #93

Open
hunterinvariants wants to merge 5 commits into Uniswap:main from hunterinvariants:add-hunter-invariants


@hunterinvariants hunterinvariants commented May 28, 2026

Optional, self-contained GitHub Action that gates PRs on a value-conservation invariant suite for the hook. Delete the workflow file to remove it; nothing else changes.

It generates a Foundry invariant harness, fuzzes the hook against seven value-conservation properties (no free swap round-trip, LP can always withdraw, callbacks reject non-PoolManager, no draining the shared PoolManager, sane fee bound, no free LP round-trip, no phantom liquidity), and fails the PR only on a real break. Too-thin coverage reports INCONCLUSIVE, not PASS; a build or config problem reports ERROR, never a fabricated violation.

Safe on untrusted PRs: ffi forced off, only the generated suite runs (your tests are untouched), no network, no telemetry, deterministic (no LLM). The action is commit-pinned.

Fuzzing, not a proof or an audit. Fully opt-in.

Comment thread .github/workflows/hunter-invariants.yml Outdated
- uses: actions/checkout@v4
with:
submodules: recursive
- uses: Saintk7/hunter-invariants/actions/v4-invariants@v1
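Review bot: the `uses:` line pulls the action from `Saintk7/hunter-invariants`, which is not the account that opened this PR (`hunterinvariants`), and it references the action by the tag `@v1`. Confirm which repository is the canonical source, then replace the tag with that repository's full 40-character commit SHA and keep the version as a trailing comment.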

@semgrep-code-uniswap semgrep-code-uniswap Bot May 28, 2026

An action sourced from a third-party repository on GitHub is not pinned to a full-length commit SHA. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. GitHub, Foundry, and Uniswap made GitHub Actions are exempt.

🎈 Fixed in commit e55ac1e 🎈

@hunterinvariants
Author

Updated per the Semgrep suggestion: the action is now pinned to the v3 release commit SHA (11d54eb6cc298810e08336fb84da0f6dc1b40352) instead of a mutable tag. Also bumped to v3 — the state-integrity invariant is now default-on (7 properties). Still fully optional; delete the workflow file to remove.

Comment thread .github/workflows/hunter-invariants.yml Outdated
with:
submodules: recursive # pull in v4-core / forge-std so `forge test` resolves

- uses: hunterinvariants/hunter-invariants/actions/v4-invariants@v3
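Review bot: the `uses:` line still ends in `@v3`, a tag, although the preceding comment says the action is pinned to commit `11d54eb6cc298810e08336fb84da0f6dc1b40352`. Put the full SHA after the `@` and keep `v3` as a trailing comment so the release stays readable in review.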

@semgrep-code-uniswap semgrep-code-uniswap Bot Jun 1, 2026

An action sourced from a third-party repository on GitHub is not pinned to a full-length commit SHA. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. GitHub, Foundry, and Uniswap made GitHub Actions are exempt.

🧹 Fixed in commit 38127f5 🧹

@hunterinvariants
Author

Hi - small update on this PR; no action needed unless it's useful.

This adds one optional CI workflow that runs Hunter's value-conservation invariant suite on this repo's hook(s) on each PR: no free swap round-trip, the hook can't drain the PoolManager, LPs can always withdraw, sane fee bounds, callbacks reject non-PoolManager callers. It's a safety floor, explicitly not a full audit.

You can see the result for this repo without approving CI - it's on the public board: https://hunterinvariants.github.io/hunter-invariants/leaderboard.html (this repo's hook shows a green PASS, exercised across thousands of fuzzed value-bearing ops). The Action was also run end-to-end on a fork to verify the full CI path.

Since it's a third-party action, the safety basics: it makes no network calls, forces ffi off (so a hook can't shell-exec on your runner), runs only its own generated suite (your own tests are excluded from the build), is time-bounded, and is now pinned to an immutable commit SHA rather than a moving tag.
Fully optional - delete the workflow file to remove it.

No pressure at all - happy to adjust anything or close it. Just wanted to make it easy to evaluate.
