Agg hooks deployer

[ericneil-sanc]

Aggregator Hook Pool Discovery & Deployment Scripts

Summary

Adds a self-contained TypeScript toolset (aggregator-hooks/) for discovering, deploying, and managing aggregator hook pools across multiple DEX protocols on Uniswap v4.

What's new

Modular protocol architecture — each protocol is a self-contained CreationModule implementing a shared interface (creation-modules/types.ts). Supported protocols:

Module	Protocol
StableSwap	Curve StableSwap
StableSwapNG	Curve StableSwap-NG
FluidDexT1	Fluid Dex T1
FluidDexLite	Fluid Dex Lite
PancakeSwapV3	PancakeSwap V3
Slipstream	Velodrome Slipstream
UniswapV2	Uniswap V2
UniswapV3	Uniswap V3

Historical discovery (historical/) — fetches all pools ever created by each protocol's factory using on-chain event logs, writing results to JSON.

Polling (polling/) — incrementally fetches new pools since the last run, appending to the registry JSON.

Pool creation (src/createPools.ts) — reads the registry JSON and deploys aggregator hooks for each pool via SelfCreateHook.s.sol, with support for:

• Dry-run mode
• Parallel salt mining (--jobs)
• Contract verification (--verify)
• Hardware wallet / external signer support
• Resume from a specific pool index (--start-at)

CLI (src/cli.ts) — shared argument parsing and env var loading for all scripts.

ABIs (abis/) — factory and resolver ABIs for all supported protocols.

Submodule update

• lib/v4-hooks-public updated to main branch (0ec65960) — previously pinned to OZ-fixes-slipstream-pancake.

Tooling

• Prettier configured to match repo style (singleQuote: true, Prettier defaults for everything else).
• npm run format available in aggregator-hooks/.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​ethers@​6.16.0
	npm/​tsx@​4.21.0
	npm/​@​types/​node@​22.19.11
	npm/​typescript@​5.9.3
	npm/​prettier@​3.8.3
	npm/​dotenv@​17.3.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Install-time scripts: npm esbuild during postinstall Install script: postinstall Source: node install.js From: aggregator-hooks/package-lock.json → npm/tsx@4.21.0 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm esbuild in module child_process Module: child_process Location: Package overview From: aggregator-hooks/package-lock.json → npm/tsx@4.21.0 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm dotenv with module fs Module: fs Location: Package overview From: aggregator-hooks/package-lock.json → npm/dotenv@17.3.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/dotenv@17.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm esbuild Location: Package overview From: aggregator-hooks/package-lock.json → npm/tsx@4.21.0 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm esbuild with module fs Module: fs Location: Package overview From: aggregator-hooks/package-lock.json → npm/tsx@4.21.0 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm ethers Location: Package overview From: aggregator-hooks/package-lock.json → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm get-tsconfig with module fs Module: fs Location: Package overview From: aggregator-hooks/package-lock.json → npm/tsx@4.21.0 → npm/get-tsconfig@4.13.6 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-tsconfig@4.13.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm prettier Location: Package overview From: aggregator-hooks/package-lock.json → npm/prettier@3.8.3 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm prettier with module fs/promises Module: fs/promises Location: Package overview From: aggregator-hooks/package-lock.json → npm/prettier@3.8.3 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm prettier with module fs Module: fs Location: Package overview From: aggregator-hooks/package-lock.json → npm/prettier@3.8.3 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[philipjames44]

couple of small notes but overall looks good