[codex] Legalize lesser-body managed deploy template defaults

[aron23]

Summary

• replace illegal non-string managed-template defaults with explicit string SSM path parameters and CloudFormation dynamic references
• align the release manifest, deploy helper, and published-release verifier around the same legal parameterization strategy
• fail repo-local verification and CI when a managed template regresses to object-valued Parameters.*.Default entries, and document the contract

Root cause

v0.2.3 published managed templates that encoded some CloudFormation parameter defaults as intrinsics instead of plain strings. aws cloudformation deploy rejects those templates before it can create a change set, so repo-local artifact verification needed to enforce the CloudFormation legality rule directly.

Impact

• the managed lesser-body-managed-*.template.json assets now contain only CloudFormation-legal string defaults
• the release helper passes explicit SSM path overrides that preserve the intended stage-specific lookup behavior
• producer verification now catches both checksum-manifest regressions and non-string managed-template defaults before publish
• the docs now describe the canonical default/parameter contract and the post-publish verification entrypoint

Checks

• GOTOOLCHAIN=auto go test ./...
• GOTOOLCHAIN=auto bash scripts/verify_release_assets.sh v0.0.0-test dist/release-issue106-final
• bash scripts/check_release_asset_checksum_regression.sh v0.0.0-test dist/release-issue106-final
• bash scripts/check_managed_template_default_regression.sh v0.0.0-test dist/release-issue106-final
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/release.yml")'
• bash -n scripts/verify_published_release_assets.sh
• ./deploy-lesser-body-from-release.sh --dry-run --no-execute-changeset --stack-name lesser-dev-lesser-body --asset-bucket example-artifacts-bucket --app customapp --stage dev --base-domain example.com from dist/release-issue106-final

Issue mapping

• Closes [Immutable Deploys][M13.1] Replace illegal non-string managed-template parameter defaults #107
• Closes [Immutable Deploys][M13.2] Rework managed template parameterization for legal SSM lookup defaults #108
• Closes [Immutable Deploys][M13.3] Reject non-string CloudFormation parameter defaults in producer verification #109
• Closes [Immutable Deploys][M13.4] Document the managed-template parameter-default contract #110
• Refs [Immutable Deploys][M13] Make published lesser-body managed templates valid for the real deploy path #106
• Prepares [Immutable Deploys][M13.5] Publish and verify a patched lesser-body release #111; the actual patched GitHub release and AWS-backed post-publish --no-execute-changeset verification still need the post-merge tag/release step.