Implement secure mainnet deployment strategy

[crtahlin]

Summary

Current deployment setup uses a plain private key in .env (TESTNET_DEPLOYER_PRIVATE_KEY). This is acceptable for testnets but insufficient for mainnet deployments.

Current state

• .env file with TESTNET_DEPLOYER_PRIVATE_KEY — testnets only
• Same key used across Sepolia, Chiado, Base Sepolia
• Key stored as plaintext in local file (gitignored)

Requirements for mainnet

Evaluate and implement one or more of:

• Hardware wallet (Ledger/Trezor) via @nomicfoundation/hardhat-ledger — key never leaves device
• Multisig (Gnosis Safe) — deployer proposes, multiple signers approve
• Cloud KMS (AWS KMS / GCP KMS) — key material stays in HSM
• Separate env vars — at minimum, distinct MAINNET_DEPLOYER_PRIVATE_KEY to prevent accidental cross-environment use

Acceptance criteria

• Mainnet deployment uses a method where private key is not stored as plaintext
• Clear separation between testnet and mainnet deployment flows
• Documentation updated with mainnet deployment instructions
• Deployment checklist for mainnet launches