feat(ecdsa): add deployment infrastructure for beta staker consolidation

Add complete deployment workflow for Allowlist integration and operator
weight migration with support for Ownable2StepUpgradeable pattern.

Changes:
- Add deployment script for WalletRegistry V2 upgrade with atomic
  initializeV2 execution via upgradeToAndCall pattern
- Fix Allowlist deployment to defer ownership transfer until after
  weight initialization (prevents Ownable2Step pendingOwner issue)
- Update weight initialization script to use actual contract owner
  and complete two-step ownership transfer to governance at end
- Configure Sepolia and Mainnet named accounts for proper deployment
  authority (0x68ad60CC for Sepolia, 0x716089 for Mainnet deployer)
- Add allowlist operator weights data with accumulated stakes from
  consolidated beta staker groups (1.3B total T vs 743M individual)
- Add .env configuration infrastructure with template and gitignore
  rules to protect private keys

Technical notes:
- Script 17 uses upgradeToAndCall to atomically upgrade proxy and
  call initializeV2, preventing front-running window
- Script 16 defers to actual contract owner() instead of assuming
  governance, fixing Ownable2StepUpgradeable compatibility
- Beta staker weights accumulate all T stake from provider groups
  (e.g., P2P: 200M T from 6 operators vs 20M T from staying node)
- Ownership transfer initiates at script end but requires governance
  to call acceptOwnership() to complete (two-step pattern)

Files:
- solidity/ecdsa/deploy/17_upgrade_wallet_registry_v2.ts (new)
- solidity/ecdsa/deploy/15_deploy_allowlist.ts (ownership fix)
- solidity/ecdsa/deploy/16_initialize_allowlist_weights.ts (owner fix)
- solidity/ecdsa/deploy/data/allowlist-weights.json (new)
- solidity/ecdsa/.env.example (new)
- solidity/ecdsa/.gitignore (env protection)
- solidity/ecdsa/hardhat.config.ts (named accounts)

Author: lrsaturnino

solidity/ecdsa/.env.example

@@ -0,0 +1,47 @@
+# =============================================================================
+# Environment Configuration for keep-core/solidity/ecdsa
+# =============================================================================
+# Copy this file to .env and fill in your values.
+# NEVER commit .env files with private keys!
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# RPC Endpoint (required for Sepolia and Mainnet)
+# -----------------------------------------------------------------------------
+# Use Alchemy, Infura, or another provider
+# Example: https://eth-sepolia.g.alchemy.com/v2/YOUR_API_KEY
+# Example: https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
+CHAIN_API_URL=
+
+# -----------------------------------------------------------------------------
+# Sepolia Configuration
+# -----------------------------------------------------------------------------
+# Comma-separated list of private keys (without 0x prefix)
+# The first key should correspond to: 0x68ad60CC5e8f3B7cC53beaB321cf0e6036962dBc
+ACCOUNTS_PRIVATE_KEYS=
+
+# -----------------------------------------------------------------------------
+# Mainnet Configuration
+# -----------------------------------------------------------------------------
+# Single private key for the deployer account (without 0x prefix)
+# Should correspond to: 0x716089154304f22a2F9c8d2f8C45815183BF3532
+CONTRACT_OWNER_ACCOUNT_PRIVATE_KEY=
+
+# -----------------------------------------------------------------------------
+# Contract Verification (optional but recommended)
+# -----------------------------------------------------------------------------
+# Get your API key from https://etherscan.io/myapikey
+ETHERSCAN_API_KEY=
+
+# -----------------------------------------------------------------------------
+# Forking Configuration (optional, for local testing)
+# -----------------------------------------------------------------------------
+# URL for forking mainnet state (requires archive node access)
+# FORKING_URL=https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
+# FORKING_BLOCK=
+
+# -----------------------------------------------------------------------------
+# External Deployments (optional)
+# -----------------------------------------------------------------------------
+# Set to "true" to use external contract deployments
+# USE_EXTERNAL_DEPLOY=false

solidity/ecdsa/.gitignore

@@ -13,3 +13,13 @@ deployments/*
 
 # OpenZeppelin
 .openzeppelin/unknown-*.json
+
+# Environment variables (NEVER commit private keys!)
+.env
+.env.local
+.env.*.local
+.env.sepolia
+.env.mainnet
+
+# Migration results (may contain sensitive info)
+migration-results.json

solidity/ecdsa/deploy/15_deploy_allowlist.ts

@@ -24,17 +24,27 @@ const func: DeployFunction = async (hre: HardhatRuntimeEnvironment) => {
     }
   )
 
-  // Transfer ownership to governance if specified and different from deployer
-  if (governance && governance !== deployer) {
-    await helpers.ownable.transferOwnership("Allowlist", governance, deployer)
-  }
+  // IMPORTANT: Do NOT transfer ownership here!
+  // Allowlist uses Ownable2StepUpgradeable which requires two steps:
+  // 1. transferOwnership(newOwner) - sets pendingOwner
+  // 2. acceptOwnership() - new owner must call to complete transfer
+  //
+  // If we transfer here, script 16 would fail because:
+  // - governance becomes pendingOwner (not owner)
+  // - deployer is still the actual owner
+  // - script 16 would try to use governance signer → onlyOwner fails
+  //
+  // Ownership transfer is handled at the END of script 16 after weights are set.
 
   // Log deployment information
   console.log(`Allowlist deployed at: ${allowlist.address}`)
   console.log(
     `Allowlist proxy admin: ${proxyDeployment.receipt.contractAddress}`
   )
-  console.log(`Allowlist owner: ${await allowlist.owner()}`)
+  console.log(`Allowlist owner: ${await allowlist.owner()} (deployer)`)
+  if (governance && governance !== deployer) {
+    console.log(`Ownership will be transferred to governance (${governance}) after weights initialization`)
+  }
 
   return true
 }