diff --git a/onchain/script/BaseDeploy.sol b/onchain/script/BaseDeploy.sol
index 8748f22..9779dfb 100644
--- a/onchain/script/BaseDeploy.sol
+++ b/onchain/script/BaseDeploy.sol
@@ -3,8 +3,9 @@ pragma solidity ^0.8.19;
 import "forge-std/Script.sol";
 
 contract BaseDeploy is Script {
-    function run() public view {
+    function run() public {
         // Base data
+        // PRIVATE_KEY=0 / empty silently falls back to .secret (0 is an invalid secp256k1 key).
         uint256 privateKey = vm.envOr("PRIVATE_KEY", uint256(0));
         if (privateKey == 0) {
             string memory seedPhrase = vm.readFile(".secret");
diff --git a/onchain/script/BootstrapVWAPPhase2.s.sol b/onchain/script/BootstrapVWAPPhase2.s.sol
index d33953f..566cdd2 100644
--- a/onchain/script/BootstrapVWAPPhase2.s.sol
+++ b/onchain/script/BootstrapVWAPPhase2.s.sol
@@ -36,6 +36,7 @@ contract BootstrapVWAPPhase2 is Script {
         address lmAddress = vm.envAddress("LM_ADDRESS");
         LiquidityManager lm = LiquidityManager(payable(lmAddress));
 
+        // PRIVATE_KEY=0 / empty silently falls back to .secret (0 is an invalid secp256k1 key).
         uint256 privateKey = vm.envOr("PRIVATE_KEY", uint256(0));
         if (privateKey == 0) {
             string memory seedPhrase = vm.readFile(".secret");
diff --git a/onchain/script/DeployBase.sol b/onchain/script/DeployBase.sol
index dc76f5f..3078d45 100644
--- a/onchain/script/DeployBase.sol
+++ b/onchain/script/DeployBase.sol
@@ -37,6 +37,7 @@ contract DeployBase is Script {
     IUniswapV3Pool public pool;
 
     function run() public {
+        // PRIVATE_KEY=0 / empty silently falls back to .secret (0 is an invalid secp256k1 key).
         uint256 privateKey = vm.envOr("PRIVATE_KEY", uint256(0));
         if (privateKey == 0) {
             string memory seedPhrase = vm.readFile(".secret");
diff --git a/onchain/script/UpgradeOptimizer.sol b/onchain/script/UpgradeOptimizer.sol
index fc09284..39fe192 100644
--- a/onchain/script/UpgradeOptimizer.sol
+++ b/onchain/script/UpgradeOptimizer.sol
@@ -12,6 +12,10 @@ import "forge-std/Script.sol";
  *   OPTIMIZER_PROXY=0x... forge script script/UpgradeOptimizer.sol \
  *     --rpc-url <RPC_URL> --broadcast
  *
+ *   Key injection (checked in order):
+ *     1. PRIVATE_KEY env var (hex private key — for CI/CD)
+ *     2. .secret file (BIP-39 seed phrase — for local use)
+ *
  *   The caller must be the proxy admin (the address that called initialize()).
  */
 contract UpgradeOptimizer is Script {
@@ -19,8 +23,12 @@ contract UpgradeOptimizer is Script {
         address proxyAddress = vm.envAddress("OPTIMIZER_PROXY");
         require(proxyAddress != address(0), "OPTIMIZER_PROXY env var required");
 
-        string memory seedPhrase = vm.readFile(".secret");
-        uint256 privateKey = vm.deriveKey(seedPhrase, 0);
+        // PRIVATE_KEY=0 / empty silently falls back to .secret (0 is an invalid secp256k1 key).
+        uint256 privateKey = vm.envOr("PRIVATE_KEY", uint256(0));
+        if (privateKey == 0) {
+            string memory seedPhrase = vm.readFile(".secret");
+            privateKey = vm.deriveKey(seedPhrase, 0);
+        }
         vm.startBroadcast(privateKey);
         address sender = vm.addr(privateKey);