Harden deployment env flows and surface external blockers

scripts/deployment/preflight-chain138-deploy.sh

@@ -35,16 +35,19 @@ else
 fi
 
 # 3) Load env for RPC and nonce checks (no secrets printed)
-[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
-set -a
-source "$SMOM/.env"
-set +a
+if [[ -f "$SMOM/scripts/lib/deployment/dotenv.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "$SMOM/scripts/lib/deployment/dotenv.sh"
+  load_deployment_env --repo-root "$PROJECT_ROOT"
+else
+  [[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+  set -a
+  source "$SMOM/.env"
+  set +a
+fi
 
 RPC="${RPC_URL_138:-http://192.168.11.211:8545}"
-if [[ -z "${PRIVATE_KEY:-}" ]]; then
-  echo "FAIL: PRIVATE_KEY not set in $SMOM/.env." >&2
-  exit 1
-fi
+require_private_key_env "Set PRIVATE_KEY in $SMOM/.env, repo .env, or ~/.secure-secrets/private-keys.env." || exit 1
 
 # 4) RPC: must be Core (chainId 138 = 0x8a)
 echo ""
@@ -62,7 +65,7 @@ fi
 echo "OK   RPC (Core): $RPC (chainId 138)."
 
 # 5) Nonce: warn if pending > latest (stuck txs)
-DEPLOYER=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null) || { echo "FAIL: cast wallet address failed. Check PRIVATE_KEY in .env." >&2; exit 1; }
+DEPLOYER="$(derive_deployer_address)" || { echo "FAIL: Could not derive deployer address from PRIVATE_KEY." >&2; exit 1; }
 NONCE_PENDING=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block pending 2>/dev/null) || true
 NONCE_LATEST=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block latest 2>/dev/null) || true
 # Normalize to decimal (cast may return hex 0xN or decimal N)