TinyAMM: push swap_received and deposit functions upstream

[alexanderkoh]

Description

We added swap_received() and deposit() to TinyAMM to solve the Soroban nested auth problem (contracts calling contracts that call require_auth). These functions accept pre-transferred tokens and don't require caller auth.

Changes made (in /tmp/tinyamm, not committed upstream)

• swap.rs: Added swap_received(sell_token, sell_amount, min_buy, recipient) — same math as swap_exact_in but no require_auth, no transfer(from=trader), just sends output to recipient
• lib.rs: Added deposit(to, amount0, amount1) — same LP math as add_liquidity but no require_auth, no token transfers (tokens already in contract)

Why

TinyAMM's swap_exact_in calls trader.require_auth() then token.transfer(trader, self, amount). When the Campaign Manager is the trader, it can't authorize these nested calls cleanly via authorize_as_current_contract(). The _received variants follow the same pattern as Hoops adapters (shallow-auth: pre-transfer then operate).

Action items

• Push changes to github.com/alexanderkoh/tinyamm
• Add tests for swap_received and deposit
• Consider security: swap_received has no auth — anyone can trigger a swap using tokens already in the contract. This is safe because you'd need to transfer tokens first, but document it.
• Add lp_transfer auth — currently has no require_auth which is a security issue