fix: address promote-attacks review feedback (#974)

- cleanup_worktree: add `git branch -D $BRANCH` to prevent stale local
  branch refs accumulating on push failure (bug fix)
- .netrc parser: replace fragile line-count awk with field-iteration
  approach that handles both multi-line and single-line .netrc formats
- ETH formatting: pass values as argv to python3 instead of interpolating
  into the code string, removing the injection surface
- mktemp -u: generate path without pre-creating directory; git worktree
  add creates it, avoiding the "already exists" error on some git versions
- mkdir -p guard before cp to attacks destination directory
- sed portability: `s/-\+/-/g` → `s/--*/-/g` (POSIX-compliant)
- red-team.sh: capture PIPESTATUS[0] from promote-attacks pipe and emit
  a distinct warning log line when promotion fails

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/harb-evaluator/promote-attacks.sh

@@ -75,7 +75,7 @@ log "  extracted : $ETH_EXTRACTED wei"
 # ── Resolve Codeberg API token ───────────────────────────────────────────────
 API_TOKEN="${CODEBERG_TOKEN:-}"
 if [[ -z "$API_TOKEN" ]] && [[ -f "${HOME:-/home/debian}/.netrc" ]]; then
-  API_TOKEN=$(awk '/codeberg.org/{getline;getline;print $2}' \
+  API_TOKEN=$(awk '{for(i=1;i<=NF;i++){if($i=="machine")m=$(i+1); if($i=="password"&&m=="codeberg.org"){print $(i+1);exit}}}' \
     "${HOME:-/home/debian}/.netrc" 2>/dev/null || true)
 fi
 if [[ -z "$API_TOKEN" ]]; then
@@ -197,7 +197,7 @@ log "Novel attack type: $ATTACK_TYPE"
 CANDIDATE_SLUG=$(printf '%s' "$CANDIDATE" \
   | tr '[:upper:]' '[:lower:]' \
   | sed 's/[^a-z0-9-]/-/g' \
-  | sed 's/-\+/-/g;s/^-//;s/-$//' \
+  | sed 's/--*/-/g;s/^-//;s/-$//' \
   | cut -c1-30)
 
 BASE_NAME="${ATTACK_TYPE}-${CANDIDATE_SLUG}"
@@ -215,21 +215,24 @@ DEST_RELPATH="onchain/script/backtesting/attacks/${BASE_NAME}.jsonl"
 log "Destination: $DEST_RELPATH"
 
 # ── Format ETH values for human-readable output ──────────────────────────────
-ETH_X=$(python3 -c "print(f'{int(\"$ETH_EXTRACTED\") / 1e18:.4f}')" 2>/dev/null \
+ETH_X=$(python3 -c 'import sys; print(f"{int(sys.argv[1]) / 1e18:.4f}")' \
-  || echo "$ETH_EXTRACTED wei")
+  "$ETH_EXTRACTED" 2>/dev/null || echo "$ETH_EXTRACTED wei")
-ETH_B=$(python3 -c "print(f'{int(\"$ETH_BEFORE\") / 1e18:.4f}')" 2>/dev/null \
+ETH_B=$(python3 -c 'import sys; print(f"{int(sys.argv[1]) / 1e18:.4f}")' \
-  || echo "$ETH_BEFORE wei")
+  "$ETH_BEFORE" 2>/dev/null || echo "$ETH_BEFORE wei")
 
 # ── Git: create branch + commit in a temporary worktree ──────────────────────
 DATE_TAG=$(date -u +%Y%m%d-%H%M%S)
 BRANCH="red-team/${ATTACK_TYPE}-${CANDIDATE_SLUG}-${DATE_TAG}"
-TMPWT=$(mktemp -d)
+# Use mktemp -u: generate a unique path without creating it, so git worktree add
+# can create the directory itself (pre-existing directories cause git to error).
+TMPWT=$(mktemp -u)
 
 cleanup_worktree() {
   local rc=$?
   cd "$REPO_ROOT" 2>/dev/null || true
   git worktree remove --force "$TMPWT" 2>/dev/null || true
   git worktree prune --quiet 2>/dev/null || true
+  git -C "$REPO_ROOT" branch -D "$BRANCH" 2>/dev/null || true
   rm -rf "$TMPWT" 2>/dev/null || true
   exit $rc
 }
@@ -243,6 +246,7 @@ log "Creating worktree branch: $BRANCH ..."
 git -C "$REPO_ROOT" worktree add -b "$BRANCH" "$TMPWT" "origin/master" --quiet
 
 # Copy attack file into the isolated worktree
+mkdir -p "$(dirname "$TMPWT/$DEST_RELPATH")"
 cp "$ATTACKS_FILE" "$TMPWT/$DEST_RELPATH"
 
 cd "$TMPWT"

scripts/harb-evaluator/red-team.sh

@@ -778,7 +778,11 @@ SUMMARY_EOF
       --profile "$OPTIMIZER_PROFILE" \
       --eth-extracted "$DELTA" \
       --eth-before "$LM_ETH_BEFORE" 2>&1 | while IFS= read -r line; do log "  $line"; done
+    PROMOTE_EXIT="${PIPESTATUS[0]}"
     set -e
+    if [[ "$PROMOTE_EXIT" -ne 0 ]]; then
+      log "  WARNING: promote-attacks.sh exited with code $PROMOTE_EXIT — PR was not created"
+    fi
   fi
 
   exit 1