feat: certify lesser-body templates through the consumer path

[aron23]

What changed

• preflight published lesser-body managed templates for deterministic CloudFormation contract violations before the body runner starts
• certify published lesser-body releases through the real consumer path by running the managed helper with --no-execute-changeset and recording the template-certification artifact in managed evidence
• preserve uploaded lesser-body helper and CloudFormation failure detail in operator-visible update state instead of collapsing everything to a generic runner failure
• align the lesser-body release contract, managed release readiness/certification docs, portal contract, and recovery docs with the new template-certification and failure-detail behavior

Why

lesser-host admitted lesser-body v0.2.3 and only learned the published template was invalid after the body runner had already started. That left operators with a late rollout failure instead of an earlier contract rejection, and it hid the actionable CloudFormation error behind a generic runner message.

This PR closes that gap by rejecting invalid templates earlier, certifying published templates through the exact consumer path we depend on, and keeping the underlying template/helper failure visible when a rollout still fails.

Impact

• bad lesser-body releases are blocked earlier
• readiness cannot advance without real lesser-body template-certification evidence
• operator-visible update state keeps the actionable root cause for body template/helper failures

Validation

• GOTOOLCHAIN=auto go test ./internal/provisionworker ./scripts/managed-release-certification ./scripts/managed-release-readiness -count=1
• cd cdk && npm ci --include=dev && npm run build && node --test dist/test/provision-runner-buildspec.test.js
• GOTOOLCHAIN=auto bash gov-infra/verifiers/gov-verify-rubric.sh

Closes #129
Closes #130
Closes #131
Closes #132
Closes #133
Closes #134