feat(scripts): add testnet deploy script and CI validation

.github/workflows/deploy-validation.yml

@@ -0,0 +1,50 @@
+name: Deploy Script Validation
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - "scripts/deploy_testnet.sh"
+      - "scripts/deploy_mainnet.sh"
+      - ".github/workflows/deploy-validation.yml"
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - "scripts/deploy_testnet.sh"
+      - "scripts/deploy_mainnet.sh"
+      - ".github/workflows/deploy-validation.yml"
+
+jobs:
+  shellcheck:
+    name: ShellCheck syntax
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install shellcheck
+        run: sudo apt-get install -y shellcheck
+      - name: Lint deploy_testnet.sh
+        run: shellcheck -S warning scripts/deploy_testnet.sh
+      - name: Lint deploy_mainnet.sh
+        run: shellcheck -S warning scripts/deploy_mainnet.sh
+
+  dry-run-testnet:
+    name: Dry-run deploy_testnet.sh
+    runs-on: ubuntu-latest
+    needs: shellcheck
+    env:
+      # Stub values — no real network calls in DRY_RUN=1 mode
+      STELLAR_SECRET_KEY: SCZANGBA5RLMPI7AZ3CKWNUK47UFBIZFFNMF4KCLCNB63JPUCLCXBGC
+      DRY_RUN: "1"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate script inputs (dry run)
+        run: bash scripts/deploy_testnet.sh
+
+  dry-run-mainnet:
+    name: Dry-run deploy_mainnet.sh (syntax only)
+    runs-on: ubuntu-latest
+    needs: shellcheck
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bash syntax check
+        run: bash -n scripts/deploy_mainnet.sh

docs/deployment.md

@@ -0,0 +1,67 @@
+# Deployment Scripts
+
+| Script | Target | Notes |
+|--------|--------|-------|
+| `deploy_testnet.sh` | Stellar testnet | Supports `DRY_RUN=1` for CI validation |
+| `deploy_mainnet.sh` | Stellar mainnet | Requires interactive confirmation; irreversible |
+| `deploy.sh` | local / testnet | General-purpose; set `NETWORK=testnet` for testnet |
+
+---
+
+## Required Inputs
+
+All scripts read configuration from environment variables or a `.env` file at the project root.
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `STELLAR_SECRET_KEY` | Yes | — | Stellar secret key (`S...`, 56 chars) |
+| `INITIAL_TOKEN_SUPPLY` | No | `1000000000` | Tokens minted to admin on init |
+| `TOKEN_NAME` | No | `CosmosVote` | Human-readable token name |
+| `TOKEN_SYMBOL` | No | `VOTE` | Ticker symbol |
+| `TOKEN_DECIMALS` | No | `7` | Decimal places (7 is standard for Stellar) |
+| `MIN_PROPOSAL_BALANCE` | No | `0` | Minimum token balance to create a proposal |
+| `PROPOSAL_COOLDOWN` | No | `0` | Seconds between proposals per address |
+| `RESTRICT_ADMIN_VOTE` | No | `false` | Prevent admin from voting on own proposals |
+
+---
+
+## Testnet Deployment
+
+```bash
+cp .env.example .env
+# Edit .env — set STELLAR_SECRET_KEY at minimum
+
+bash scripts/deploy_testnet.sh
+```
+
+### Dry Run (validates inputs without network calls)
+
+```bash
+DRY_RUN=1 bash scripts/deploy_testnet.sh
+```
+
+The dry-run mode checks:
+- All required variables are present
+- Numeric variables contain only digits
+- `RESTRICT_ADMIN_VOTE` is `true` or `false`
+- `STELLAR_SECRET_KEY` matches the Stellar secret key format
+
+---
+
+## Mainnet Deployment
+
+```bash
+bash scripts/deploy_mainnet.sh
+```
+
+You will be prompted to type `deploy mainnet` to confirm. Mainnet transactions are irreversible — review all parameters before running.
+
+---
+
+## CI Validation
+
+The [Deploy Script Validation](.github/workflows/deploy-validation.yml) workflow runs automatically on every PR that modifies a deploy script:
+
+1. **ShellCheck** — static analysis for syntax and common shell bugs (`-S warning`)
+2. **Testnet dry run** — executes `deploy_testnet.sh` with `DRY_RUN=1` and stub credentials
+3. **Mainnet syntax check** — `bash -n deploy_mainnet.sh` (no execution, no network calls)