fix: F034, F031, F017, F026, F041 — validation and lifecycle UX (v21.0.4)

F034: Agreement dates validated as real calendar dates (catches Feb 31).
F031: MPE ID length check added (1-44 chars, matching Lambda name limit).
F026: update.sh detects single-account stacks and provides SSM update
instructions instead of misleading "StackSet not found" error.
F017: update.sh scope edit validated for JSON correctness after sed.
F041: deploy.sh warns before updating existing stacks about CFN resource
deletion behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyunsies

configurator.html

@@ -1141,15 +1141,22 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 
     <script>
         // Template version — single source of truth for the SemVer constant.
-        // Must match `TEMPLATE_VERSION = 'v21.0.3'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
-        const TEMPLATE_VERSION = 'v21.0.3';
+        // Must match `TEMPLATE_VERSION = 'v21.0.4'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
+        const TEMPLATE_VERSION = 'v21.0.4';
 
         // Version history surfaced in the Update flow. Bullets are intentionally English-only —
         // translating release notes across 7 languages for every PR is unsustainable. Labels
         // (titles, buttons) go through i18n; change bullets stay in source form.
         // Tags: bugfix, coverage, breaking, security, perf, other.
         // sync-check.py enforces that the newest entry's version matches TEMPLATE_VERSION.
         const VERSION_HISTORY = [
+            {
+                version: 'v21.0.4',
+                date: '2026-04-28',
+                changes: [
+                    { tag: 'bugfix', text: 'Configurator validation: agreement dates now validated as real calendar dates (F034). MPE ID length check added — 1-44 chars (F031). update.sh detects single-account stacks and provides SSM instructions (F026). update.sh scope edit validated for JSON correctness (F017). deploy.sh warns before updating existing stacks (F041).' },
+                ],
+            },
             {
                 version: 'v21.0.3',
                 date: '2026-04-28',
@@ -1332,7 +1339,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
                 changes: [
                     { tag: 'bugfix', text: 'Editor-mode update.sh generator: every aws CLI call now has explicit --region "$REGION". Customers running the script with AWS_DEFAULT_REGION unset or set to a different region no longer deploy into the wrong region or fail on cross-region StackSet lookup.' },
                     { tag: 'bugfix', text: 'Editor-mode update.sh now reads the current template via describe-stack-set --query StackSet.TemplateBody instead of downloading the deprecated S3 staging copy (auto-map-tagger-<acct>/map-auto-tagger-accounts-<mpe>.yaml). The staging object was only created during the initial multi-account deploy and could be missing / stale / garbage-collected — this eliminates the S3 dependency entirely.' },
-                    { tag: 'bugfix', text: 'Upgrade-mode compare_versions now strict-validates three-part numeric SemVer (vMAJOR.MINOR.PATCH) and returns "error" on unparseable input instead of silently falling through to "patch". Prior behavior misclassified e.g. v21.0.3-rc1 → v20.3.0 as patch; upgrade_one caller now fails closed and directs the operator to --force.' },
+                    { tag: 'bugfix', text: 'Upgrade-mode compare_versions now strict-validates three-part numeric SemVer (vMAJOR.MINOR.PATCH) and returns "error" on unparseable input instead of silently falling through to "patch". Prior behavior misclassified e.g. v21.0.4-rc1 → v20.3.0 as patch; upgrade_one caller now fails closed and directs the operator to --force.' },
                 ],
             },
             {
@@ -1575,7 +1582,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             if (action === 'add') rows.push([t('ui_backfill_title'), backfill ? t('rv_backfill_enabled') : t('rv_disabled')]);
             // Safe DOM construction: v may contain user-controlled values
             // (customer name, account IDs) so use textContent rather than
-            // innerHTML template-literal interpolation. (§1.94, v21.0.3)
+            // innerHTML template-literal interpolation. (§1.94, v21.0.4)
             table.replaceChildren();
             rows.forEach(([k, v], i) => {
                 const tr = document.createElement('tr');
@@ -1682,7 +1689,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             ];
             // Safe DOM construction: v may contain user-controlled values
             // (MPE IDs) so use textContent rather than innerHTML template-
-            // literal interpolation. (§1.94, v21.0.3)
+            // literal interpolation. (§1.94, v21.0.4)
             table.replaceChildren();
             rows.forEach(([k, v], i) => {
                 const tr = document.createElement('tr');
@@ -1831,7 +1838,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             // (MPE IDs, region strings) so use textContent rather than
             // innerHTML template-literal interpolation. Preserves the
             // delete-review styles (padding 10px 12px, v-cell font-weight
-            // 600). (§1.94, v21.0.3)
+            // 600). (§1.94, v21.0.4)
             const deleteTable = document.getElementById('delete-reviewTable');
             deleteTable.replaceChildren();
             rows.forEach(([k, v], i) => {
@@ -2221,7 +2228,17 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 # ── Step 1: Verify StackSet exists ────────────
 echo "Step 1: Checking existing deployment..."
 if ! aws cloudformation describe-stack-set --region "$REGION" --stack-set-name "$STACKSET_NAME" > /dev/null 2>&1; then
-    echo "  ❌ StackSet '$STACKSET_NAME' not found in region $REGION."
+    SINGLE_STATUS=\$(aws cloudformation describe-stacks --region "$REGION" --stack-name "$STACKSET_NAME" --query 'Stacks[0].StackStatus' --output text 2>/dev/null || echo "NONE")
+    if [ "$SINGLE_STATUS" != "NONE" ] && [ "$SINGLE_STATUS" != "None" ]; then
+        echo "  ⚠️  Single-account stack '$STACKSET_NAME' found (status: $SINGLE_STATUS)."
+        echo "     This update tool targets multi-account StackSet deployments."
+        echo "     For single-account scope changes, update SSM directly:"
+        echo "       aws ssm get-parameter --name '/auto-map-tagger/$MPE/config' --region $REGION"
+        echo "       # Edit the JSON, then:"
+        echo "       aws ssm put-parameter --name '/auto-map-tagger/$MPE/config' --value '<new-json>' --type String --overwrite --region $REGION"
+        exit 1
+    fi
+    echo "  ❌ No deployment '$STACKSET_NAME' found in region $REGION."
     echo "     Run the initial deploy.sh from the configurator first."
     exit 1
 fi
@@ -2258,6 +2275,12 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 rm -f "$TEMPLATE.bak"
 
 NEW_SCOPE=$(grep -o '"scoped_account_ids": \\[[^]]*\\]' "$TEMPLATE" | head -1 | sed 's/"scoped_account_ids": //')
+if ! python3 -c "import json; json.loads('$NEW_SCOPE')" 2>/dev/null; then
+    echo "  ❌ Scope update produced invalid JSON: $NEW_SCOPE"
+    echo "     Update SSM parameter directly instead."
+    rm -f "$TEMPLATE" "$TEMPLATE.bak"
+    exit 1
+fi
 sed -i.bak "s|ScopedAccounts: .*|ScopedAccounts: '$NEW_SCOPE'|" "$TEMPLATE"
 rm -f "$TEMPLATE.bak"
 
@@ -2987,12 +3010,19 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 
 
         // --- Validation ---
+        function isValidCalendarDate(dateStr) {
+            if (!dateStr) return false;
+            const [y, m, d] = dateStr.split('-').map(Number);
+            const dt = new Date(y, m - 1, d);
+            return dt.getFullYear() === y && dt.getMonth() === m - 1 && dt.getDate() === d;
+        }
+
         function validate() {
             let valid = true;
             const mpeId = document.getElementById('mpeId').value.trim();
             const date = document.getElementById('agreementDate').value;
 
-            if (!/^(?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{10}$/.test(mpeId)) {
+            if (!/^[A-Z0-9]+$/.test(mpeId) || mpeId.length < 1 || mpeId.length > 44) {
                 document.getElementById('mpeId').classList.add('error');
                 document.getElementById('mpeId-error').style.display = 'block';
                 valid = false;
@@ -3001,7 +3031,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
                 document.getElementById('mpeId-error').style.display = 'none';
             }
 
-            if (!date) {
+            if (!date || !isValidCalendarDate(date)) {
                 document.getElementById('agreementDate').classList.add('error');
                 document.getElementById('agreementDate-error').style.display = 'block';
                 valid = false;
@@ -3011,7 +3041,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             }
 
             const endDate = document.getElementById('agreementEndDate').value;
-            if (!endDate || endDate <= date) {
+            if (!endDate || !isValidCalendarDate(endDate) || endDate <= date) {
                 document.getElementById('agreementEndDate').classList.add('error');
                 document.getElementById('agreementEndDate-error').style.display = 'block';
                 valid = false;
@@ -3171,7 +3201,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             // (customer name, email, account IDs, VPC IDs) so use textContent
             // rather than innerHTML template-literal interpolation. Preserves
             // the main-deploy styles (width 200px, v-cell monospace 13px).
-            // (§1.94, v21.0.3)
+            // (§1.94, v21.0.4)
             table.replaceChildren();
             rows.forEach(([k, v]) => {
                 const tr = document.createElement('tr');
@@ -7989,7 +8019,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
           # — most other AWS services throw 'ThrottlingException' (with "ing").
           # Both variants must be enumerated, alongside the generic rate-limit
           # codes. Hoisted to module scope so _retry_throttles() and the RGTA
-          # retry loop below share the same constant (v21.0.3, §1.81/§1.92).
+          # retry loop below share the same constant (v21.0.4, §1.81/§1.92).
           THROTTLE_CODES = {'ThrottlingException', 'ThrottledException', 'RequestLimitExceeded', 'TooManyRequestsException'}
 
           def _retry_throttles(fn):
@@ -8000,7 +8030,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
               to the outer _process_event classifier on the first attempt. Absorbs
               short throttles inside the invocation so we don't burn one of the
               5 SQS redeliveries (180s VT each) on a recoverable rate limit
-              (v21.0.3, §1.81/§1.92).
+              (v21.0.4, §1.81/§1.92).
               """
               for attempt in range(4):
                   try:
@@ -8026,7 +8056,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
               # Each native tag call is wrapped in _retry_throttles() so short
               # throttle bursts are absorbed in-invocation (up to 4 attempts,
               # ~15s total worst case) rather than burning SQS redelivery
-              # budget. (§1.81/§1.92, v21.0.3)
+              # budget. (§1.81/§1.92, v21.0.4)
               if ':s3:::' in arn:
                   s3 = get_service_client('s3')
                   bucket = arn.split(':::')[1]
@@ -9693,6 +9723,8 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
       --region "\$REGION" > /dev/null
     aws cloudformation wait stack-create-complete --stack-name "\$STACK_NAME" --region "\$REGION"
 else
+    echo "  ⚠️  Stack \$STACK_NAME already exists (status: \$STACK_STATUS)."
+    echo "     Updating in-place. Resources not in the new template will be deleted by CFN."
     UPDATE_OUT=\$(aws cloudformation update-stack \\
       --stack-name "\$STACK_NAME" \\
       \$TEMPLATE_REF \\

map2-auto-tagger-optimized.yaml

@@ -3,7 +3,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: >
-  MAP 2.0 Auto-Tagger v21.0.3 - Auto-tags AWS resources with map-migrated for MAP 2.0
+  MAP 2.0 Auto-Tagger v21.0.4 - Auto-tags AWS resources with map-migrated for MAP 2.0
   credit eligibility. 190+ resource types. Deploy once; tagging happens within 60-90 s
   of resource creation. Daily reconciliation Lambda (RGTA-based) catches any tags the
   live Lambda missed. Three-path error classifier + TagFailureByClass CloudWatch metric
@@ -65,7 +65,7 @@ Resources:
       Name: !Sub '/auto-map-tagger/${MpeId}/version'
       Type: String
       Description: MAP 2.0 Auto-Tagger template version pinned at deploy time
-      Value: v21.0.3
+      Value: v21.0.4
 
   # SSM Parameter Store - single source of truth for config.
   # Tier: Intelligent-Tiering leaves the parameter in the free Standard tier
@@ -630,7 +630,7 @@ Resources:
           # Template version pinned at deploy time. Surfaced in CloudWatch Logs on
           # every cold start so ops can trace which version processed an event
           # without reading the CFN stack or SSM parameter.
-          TEMPLATE_VERSION = 'v21.0.3'
+          TEMPLATE_VERSION = 'v21.0.4'
           print(f'auto-map-tagger {TEMPLATE_VERSION} cold start')
 
           ssm = boto3.client('ssm')
@@ -2130,7 +2130,7 @@ Resources:
           # — most other AWS services throw 'ThrottlingException' (with "ing").
           # Both variants must be enumerated, alongside the generic rate-limit
           # codes. Hoisted to module scope so _retry_throttles() and the RGTA
-          # retry loop below share the same constant (v21.0.3, §1.81/§1.92).
+          # retry loop below share the same constant (v21.0.4, §1.81/§1.92).
           THROTTLE_CODES = {'ThrottlingException', 'ThrottledException', 'RequestLimitExceeded', 'TooManyRequestsException'}
 
           def _retry_throttles(fn):
@@ -2141,7 +2141,7 @@ Resources:
               to the outer _process_event classifier on the first attempt. Absorbs
               short throttles inside the invocation so we don't burn one of the
               5 SQS redeliveries (180s VT each) on a recoverable rate limit
-              (v21.0.3, §1.81/§1.92).
+              (v21.0.4, §1.81/§1.92).
               """
               for attempt in range(4):
                   try:
@@ -2167,7 +2167,7 @@ Resources:
               # Each native tag call is wrapped in _retry_throttles() so short
               # throttle bursts are absorbed in-invocation (up to 4 attempts,
               # ~15s total worst case) rather than burning SQS redelivery
-              # budget. (§1.81/§1.92, v21.0.3)
+              # budget. (§1.81/§1.92, v21.0.4)
               if ':s3:::' in arn:
                   s3 = get_service_client('s3')
                   bucket = arn.split(':::')[1]
@@ -3157,7 +3157,7 @@ Outputs:
     Value: !Ref MapConfig
   TemplateVersion:
     Description: MAP 2.0 Auto-Tagger template version (pinned at deploy time)
-    Value: v21.0.3
+    Value: v21.0.4
   AlertTopicArn:
     Description: SNS topic for tagger alerts - subscribe your email here
     Value: !Ref AlertTopic