fix(env): safe dotenv sourcing under set -u; report API prefix fallback

- load-project-env: _lpr_dotenv_source / _lpr_source_relaxed so smom-dbis-138/.env
  lines like ${ARBITRUM_MAINNET_RPC} do not abort scripts using set -u
- check-public-report-api: detect /token-aggregation vs apex /api/v1 for networks
- run-completable-tasks: enforce public report API (remove SKIP_EXIT bypass)
- Document verifier behavior in TOKEN_AGGREGATION_REPORT_API_RUNBOOK and verify README

Made-with: Cursor

scripts/lib/load-project-env.sh

@@ -13,24 +13,57 @@ export PROJECT_ROOT
 # err_exit: print message and exit (use when load-project-env is sourced)
 err_exit() { echo "ERROR: $1" >&2; exit 1; }
 
+# Dotenv / shell env snippets may use ${OTHER_VAR} without :- defaults; callers may use set -u.
+_lpr_source_relaxed() {
+  local f="$1"
+  [[ -f "$f" ]] || return 0
+  local _had_u=0
+  [[ -o nounset ]] && _had_u=1
+  set +u
+  # shellcheck disable=SC1090
+  source "$f" 2>/dev/null || true
+  if [[ "$_had_u" -eq 1 ]]; then
+    set -u
+  else
+    set +u
+  fi
+}
+
+_lpr_dotenv_source() {
+  local f="$1"
+  [[ -f "$f" ]] || return 0
+  local _had_u=0
+  [[ -o nounset ]] && _had_u=1
+  set +u
+  set -a
+  # shellcheck disable=SC1090
+  source "$f" 2>/dev/null || true
+  set +a
+  if [[ "$_had_u" -eq 1 ]]; then
+    set -u
+  else
+    set +u
+  fi
+}
+
 # Path validation
 [[ -d "$PROJECT_ROOT" ]] || err_exit "PROJECT_ROOT not a directory: $PROJECT_ROOT"
 [[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] || echo "WARN: config/ip-addresses.conf not found; using defaults" >&2
 
 # 1. Root .env (Cloudflare, Proxmox, etc.)
-[[ -f "${PROJECT_ROOT}/.env" ]] && set -a && source "${PROJECT_ROOT}/.env" 2>/dev/null && set +a
+_lpr_dotenv_source "${PROJECT_ROOT}/.env"
 
 # 2. IP/config from centralized config
-[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && _lpr_source_relaxed "${PROJECT_ROOT}/config/ip-addresses.conf" || true
 
 # 3. smom-dbis-138 .env (PRIVATE_KEY, bridge addrs, RPC) — PRIVATE_KEY is read from this dotenv when not set
-[[ -f "${PROJECT_ROOT}/smom-dbis-138/.env" ]] && set -a && source "${PROJECT_ROOT}/smom-dbis-138/.env" 2>/dev/null && set +a
+_lpr_dotenv_source "${PROJECT_ROOT}/smom-dbis-138/.env"
 
 # 3b. Secure secrets (PRIVATE_KEY) — when not set, try ~/.secure-secrets/private-keys.env
-[[ -z "${PRIVATE_KEY:-}" ]] && [[ -f "${HOME}/.secure-secrets/private-keys.env" ]] && set -a && source "${HOME}/.secure-secrets/private-keys.env" 2>/dev/null && set +a
+[[ -z "${PRIVATE_KEY:-}" ]] && [[ -f "${HOME}/.secure-secrets/private-keys.env" ]] && _lpr_dotenv_source "${HOME}/.secure-secrets/private-keys.env"
 
 # 4. dbis_core config if present
-[[ -f "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" ]] && source "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" 2>/dev/null || true
+[[ -f "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" ]] && _lpr_source_relaxed "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" || true
 
 # 4b. Strip trailing CR/LF from RPC URL vars (editor mistakes; breaks cast/curl)
 for _lpr_k in RPC_URL_138 RPC_URL CHAIN138_RPC CHAIN138_RPC_URL ETHEREUM_MAINNET_RPC \