Yes, renv will attempt to bootstrap itself when an R session is launched for that project.
This is indeed the case.
In my humble opinion, this would be too heavy-handed. We do not want to automatically install all of the packages recorded within renv.lock without some explicit user gesture. Users can invoke renv::restore() to restore their project library based on what's defined in the lockfile.
Package sources are stored within the lockfile. That is, given the renv.lock lockfile, renv will be able to download and install packages from their declared sources.
You could, but I wouldn't recommend this unless you were sure you and your collaborators were working in identical environments. (This would likely work on Windows, but would likely break on different versions of macOS / Linux.)
Sorry, it's likely your colleague attempted to clone and use your project when I had failed to tag the most recent commit of renv on GitHub. It should be fixed now.
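Because the lockfile declares where each package is fetched from, it can be reviewed before anyone runs renv::restore(). The following is an added example, not part of the original reply and not renv's own code: it assumes the JSON lockfile layout written by current renv releases (the reply does not show the format), and the sample lockfile, the allowlist and the function names are constructed for illustration.

```python
import json

# Constructed sample in the JSON layout current renv releases write
# (assumption: the reply above does not show the lockfile format).
SAMPLE_LOCKFILE = """
{
  "R": {"Version": "4.3.1",
        "Repositories": [{"Name": "CRAN", "URL": "https://cloud.r-project.org"}]},
  "Packages": {
    "jsonlite": {"Package": "jsonlite", "Version": "1.8.7",
                 "Source": "Repository", "Repository": "CRAN"},
    "examplepkg": {"Package": "examplepkg", "Version": "0.1.0",
                   "Source": "GitHub", "RemoteUsername": "example-user",
                   "RemoteRepo": "examplepkg", "RemoteSha": "0000000"},
    "internalpkg": {"Package": "internalpkg", "Version": "2.0.0",
                    "Source": "Repository", "Repository": "INTERNAL"}
  }
}
"""

def audit_sources(lockfile_text, allowed_repos=("CRAN",)):
    """Return (package, version, origin, ok) rows for each declared source."""
    lock = json.loads(lockfile_text)
    declared = {r["Name"]: r["URL"]
                for r in lock.get("R", {}).get("Repositories", [])}
    rows = []
    for name, rec in sorted(lock.get("Packages", {}).items()):
        source = rec.get("Source", "unknown")
        if source == "Repository":
            repo = rec.get("Repository", "")
            # Accept only allowlisted repositories whose URL the lockfile declares.
            ok = repo in allowed_repos and repo in declared
            origin = f"{repo} ({declared.get(repo, 'no URL declared')})"
        else:
            # Remote sources (e.g. GitHub) bypass the repository list: always review.
            origin = (f"{source}:{rec.get('RemoteUsername', '?')}/"
                      f"{rec.get('RemoteRepo', '?')}@{rec.get('RemoteSha', '?')}")
            ok = False
        rows.append((name, rec.get("Version", "?"), origin, ok))
    return rows

def needs_review(lockfile_text, allowed_repos=("CRAN",)):
    """Names of packages whose declared source is outside the allowlist."""
    return [n for n, _, _, ok in audit_sources(lockfile_text, allowed_repos) if not ok]

if __name__ == "__main__":
    for name, version, origin, ok in audit_sources(SAMPLE_LOCKFILE):
        print(f"{'ok    ' if ok else 'REVIEW'} {name} {version} <- {origin}")
```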