fix: address review feedback for #769

- Apply PRIVATE_KEY env-var fallback to UpgradeOptimizer.sol (missed in first pass)
- Add comment on zero-sentinel silent-fallback behaviour in all four scripts
- Remove spurious view modifier from BaseDeploy.run() (violated by vm.readFile)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

onchain/script/UpgradeOptimizer.sol

@@ -12,6 +12,10 @@ import "forge-std/Script.sol";
  *   OPTIMIZER_PROXY=0x... forge script script/UpgradeOptimizer.sol \
  *     --rpc-url <RPC_URL> --broadcast
  *
+ *   Key injection (checked in order):
+ *     1. PRIVATE_KEY env var (hex private key — for CI/CD)
+ *     2. .secret file (BIP-39 seed phrase — for local use)
+ *
  *   The caller must be the proxy admin (the address that called initialize()).
  */
 contract UpgradeOptimizer is Script {
@@ -19,8 +23,12 @@ contract UpgradeOptimizer is Script {
         address proxyAddress = vm.envAddress("OPTIMIZER_PROXY");
         require(proxyAddress != address(0), "OPTIMIZER_PROXY env var required");
 
-        string memory seedPhrase = vm.readFile(".secret");
-        uint256 privateKey = vm.deriveKey(seedPhrase, 0);
+        // PRIVATE_KEY=0 / empty silently falls back to .secret (0 is an invalid secp256k1 key).
+        uint256 privateKey = vm.envOr("PRIVATE_KEY", uint256(0));
+        if (privateKey == 0) {
+            string memory seedPhrase = vm.readFile(".secret");
+            privateKey = vm.deriveKey(seedPhrase, 0);
+        }
         vm.startBroadcast(privateKey);
         address sender = vm.addr(privateKey);