docs(ORCH-058): add CHANGELOG entry, .env.example flags, fix README status

Close AC-11 documentation gap left by the prior developer run: the
ORCH-058 feature (staging-image provenance before BUILD-ONCE retag) was
implemented and green but never recorded in the golden-source docs.

- CHANGELOG.md: add the ORCH-058 [Unreleased]/Added entry (layers A+B,
  validated_revision anchor, check_staging_image_fresh, EXPECTED_REVISION
  hook guard, new ORCH_IMAGE_FRESHNESS_* flags, ADR/test refs).
- .env.example (canon): document ORCH_IMAGE_FRESHNESS_ENABLED /
  ORCH_IMAGE_FRESHNESS_REPOS, mirroring the ORCH-036/043/053 precedent.
- docs/architecture/README.md: footer note design -> реализовано, aligning
  it with the already-updated section.

Refs: ORCH-058

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.env.example

@@ -88,3 +88,16 @@ ORCH_RECONCILE_INTERVAL_S=120
 ORCH_RECONCILE_GRACE_DEFAULT_S=600
 ORCH_RECONCILE_GRACE_OVERRIDES_JSON=
 ORCH_RECONCILE_NOTIFY_UNBLOCK=true
+
+# ORCH-058: staging-image provenance before the BUILD-ONCE retag to prod. Closes the
+# "silent stale promote" bug (LESSONS_ORCH-036 §4): retag promoted the staging image
+# to prod without proving it was built from the validated commit. Two layers (A+B),
+# self-hosting only, gated as a WHOLE by a single switch (no "B without A" deadlock):
+#   A (liveness) -> QG sub-check check_staging_image_fresh rebuilds the staging image
+#     from the validated commit on the deploy-staging->deploy edge (after merge-gate).
+#   B (safety)   -> deploy-hook fail-closes (exit 1) before `docker tag` if SOURCE_IMAGE
+#     OCI revision label != EXPECTED_REVISION (the validated SHA).
+#   ENABLED -> single kill-switch for the WHOLE feature; false -> legacy build-once.
+#   REPOS   -> CSV of repos where the feature is REAL; empty -> only self-hosting.
+ORCH_IMAGE_FRESHNESS_ENABLED=true
+ORCH_IMAGE_FRESHNESS_REPOS=