Install: `claude install-skill allsmog/kuzushi-security-plugin`
# Logic Hunt
Find the bugs taint and SAST structurally cannot: **logic flaws**. There's no injection
token to grep for — the code is syntactically fine and does the wrong *thing*. This track
hunts broken atomicity, skippable state transitions, authorization-by-omission, replay, and
business-rule abuse (negative amounts, rounding theft, quantity underflow) by taking a
property the system should uphold and adversarially trying to break it.
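
The kind of check described above, as an added example that is not the plugin's own code: a constructed in-memory ledger and a hypothetical `checkProperty` harness test the property "a transfer never increases the sender's balance, never decreases the receiver's, and conserves the total" against a negative amount. The `violation` / `holds` strings mirror the verdict names this page uses in its steps; the result shape is an assumption.

```javascript
// Added example (constructed ledger and names; not the plugin's code).
// Naive transfer: check-then-act on balance only, so a negative amount passes.
function transferNaive(ledger, from, to, amount) {
  if (ledger[from] < amount) throw new Error('insufficient funds');
  ledger[from] -= amount;
  ledger[to] += amount;
}

// Hardened transfer: the enforcement is "amount is a positive integer".
function transferChecked(ledger, from, to, amount) {
  if (!Number.isSafeInteger(amount) || amount <= 0) throw new Error('invalid amount');
  if (ledger[from] < amount) throw new Error('insufficient funds');
  ledger[from] -= amount;
  ledger[to] += amount;
}

// Hypothetical harness: replays an ordered operation sequence on a fresh
// ledger and checks the property after every accepted step.
function checkProperty(transfer, steps) {
  const ledger = { alice: 100, bob: 100 };
  const total = () => Object.values(ledger).reduce((a, b) => a + b, 0);
  const evidence = [];
  for (const [from, to, amount] of steps) {
    const before = { sender: ledger[from], receiver: ledger[to], total: total() };
    try {
      transfer(ledger, from, to, amount);
    } catch (err) {
      evidence.push(`${from}->${to} ${amount}: rejected (${err.message})`);
      continue;
    }
    evidence.push(`${from}->${to} ${amount}: accepted, ${from}=${ledger[from]} ${to}=${ledger[to]}`);
    const broken = ledger[from] > before.sender ||
                   ledger[to] < before.receiver ||
                   total() !== before.total;
    if (broken) return { verdict: 'violation', evidence };
  }
  return { verdict: 'holds', evidence };
}

// Constructed break scenario: one normal transfer, then a negative amount.
// No balance goes below zero and the total is conserved, so a weaker
// "no negative balance" property would not flag the second step.
const breakScenario = [['alice', 'bob', 30], ['alice', 'bob', -50]];
console.log(checkProperty(transferNaive, breakScenario));
console.log(checkProperty(transferChecked, breakScenario));
```
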
1. Run `node "${CLAUDE_PLUGIN_ROOT}/scripts/cmd/logic-hunt-prepare.mjs" --target "<repo root>"`.
It seeds candidates from the **system invariants** `/deep-context` extracted (the strongest
seed) plus ripgrep probes for logic-bug-prone shapes (money, state assignment, transactions,
ownership checks, check-then-act, idempotency). If it warns there are no deep-context
invariants, run `/deep-context` first for materially better coverage.
2. For each candidate the logic-hunter agent states the intended property, finds the operations
that touch it, and **attempts a concrete violation** — then assigns `violation` / `holds` /
`not-an-invariant` / `needs-more-evidence`.
3. Write the draft to `draftPath` and run the `assembleCommand`. The host validates the closed
verdict set (a `holds` must name the enforcement; a `violation` must carry the ordered break
scenario + evidence) and promotes `violation` verdicts into `findings.json` (status `open`).
4. Report the violations: the property, the operation sequence that breaks it, an