Deterministic env bootstrap without shell copy-plus-sed glue

• the repo needs one .env or .env.local bootstrap step before normal setup
• key replacement, stale-key removal, or secret generation should be contract-owned
• the current lane is shell copy, sed, or ad hoc env-file mutation glue

• it turns a repo pattern into something humans, CI, and agents can read the same way
• it makes the next command obvious instead of implied by README drift
• it keeps readiness, setup, and execution explainable in receipts and diagnostics

Use this when env bootstrap is one deterministic host-file mutation and should stay inspectable in the contract.

The example uses one finite action task and one workflow prepare.task edge instead of a shell wrapper.

version: 1project:  name: action-ensure-env-file  description: Focused example for deterministic env bootstrapexecution:  default_context: host  contexts:    host:      backend: nativeenv:  vars:    DATABASE_URL:      required: truetasks:  setup:env:    context: host    action:      kind: ensure_env_file      path: .env.local      template: .env.example      vars:        APP_ENV:          value: local          mode: replace        DATABASE_URL:          from_env: DATABASE_URL          mode: replace        APP_SECRET:          random:            bytes: 24            encoding: hex        LEGACY_FLAG:          mode: removeworkflows:  default: local-env  local-env:    prepare:      task: setup:env

Use ensure_env_file when the lane owns one env file.

Use template_mode: replace when ota should re-derive the whole file from a template before applying declared keys.

If setup needs more than one deterministic setup action, move up to action.kind: ensure_bundle instead of wrapping ensure_env_file in shell glue.