a47564934d
A failed cp/mkdir in the deploy-configs step was previously swallowed (the step had no set -e), so a broken config copy could still reach the validate step. The five-key guard catches empty secrets but not a failed copy. -u also catches a typo'd env var name. Raised in review (Sara, Tobias). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>