fix(ORCH-058): parametrize staging_check in --build-staging + explicit staging target

Round-3 review follow-up on c53d625 (P1/P2):

- P1: --build-staging now runs staging_check via parametrized
  STAGING_CONTAINER / STAGING_CHECK_PATH / STAGING_CHECK_MODE (default
  orchestrator-staging / bind-mount path / stub) instead of hardcoding
  $TARGET_SERVICE + the script path. docker exec runs INSIDE the staging
  container (ORCH-048 canonical: B6 registry isolation), after health,
  before exit 0. Fail-closed: any non-zero -> exit 1. STAGING only (8501).
- P2a: rebuild_staging_image now passes the STAGING target EXPLICITLY
  (TARGET_SERVICE/TARGET_PORT/COMPOSE_PROFILE/STAGING_CONTAINER) so the
  self-rebuild can never drift onto prod 8500 if hook defaults change (AC-9).
- P2b: TC-09 caller<->hook contract tests assert the ssh command carries
  GIT_SHA + BUILD_CONTEXT + the staging target and never the prod 8500 one;
  no-ssh-host fails closed.
- P3: consolidated the three duplicate README footers into one.
- Docs (golden source): DEPLOY_HOOK.md step 4 + env rows, README footer,
  CHANGELOG, Dockerfile ARG GIT_SHA="" comment, .env.example freshness block.

Validates exactly the artefact later BUILD-ONCE retagged to prod (AC-4,
ADR-001 step 3). 632 tests pass, ruff clean, bash -n OK.

Refs: ORCH-058

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.env.example

@@ -72,6 +72,19 @@ ORCH_DEPLOY_PROD_TARGET_IMAGE=orchestrator-orchestrator
 ORCH_DEPLOY_PROD_COMPOSE_PROFILE=
 ORCH_DEPLOY_PROD_PREV_IMAGE_FILE=.deploy-prev-image-prod
 
+# ORCH-058: staging-image provenance before the BUILD-ONCE prod retag (INV-FRESH).
+# Guarantees the staging image promoted to prod is the EXACT artefact rebuilt from the
+# validated commit — two layers, self-hosting only:
+#   A (liveness): QG sub-check `check_staging_image_fresh` on the deploy-staging->deploy
+#     edge rebuilds orchestrator-orchestrator-staging from the validated commit + recreates
+#     8501; FAIL -> rollback to development. (builds/recreate STAGING only, never prod.)
+#   B (safety):  the Dockerfile stamps `org.opencontainers.image.revision`; the prod hook
+#     fail-closes (exit 1) before `docker tag` if SOURCE_IMAGE's label != EXPECTED_REVISION.
+#   ENABLED -> single kill-switch for A+B as a WHOLE (never "B without A"); false -> legacy.
+#   REPOS   -> CSV of repos where the gate is REAL; empty -> only self-hosting (orchestrator).
+ORCH_IMAGE_FRESHNESS_ENABLED=true
+ORCH_IMAGE_FRESHNESS_REPOS=
+
 # ORCH-053: stuck-task reconciler (sweeper for lost webhooks). A background daemon
 # replays a missed stage transition through the SAME gates/handlers a webhook would,
 # fixing tasks that got stuck on a dropped event (502 on rebuild, no Plane/Gitea
@@ -88,16 +101,3 @@ ORCH_RECONCILE_INTERVAL_S=120
 ORCH_RECONCILE_GRACE_DEFAULT_S=600
 ORCH_RECONCILE_GRACE_OVERRIDES_JSON=
 ORCH_RECONCILE_NOTIFY_UNBLOCK=true
-
-# ORCH-058: staging-image provenance before the BUILD-ONCE retag to prod. Closes the
-# "silent stale promote" bug (LESSONS_ORCH-036 §4): retag promoted the staging image
-# to prod without proving it was built from the validated commit. Two layers (A+B),
-# self-hosting only, gated as a WHOLE by a single switch (no "B without A" deadlock):
-#   A (liveness) -> QG sub-check check_staging_image_fresh rebuilds the staging image
-#     from the validated commit on the deploy-staging->deploy edge (after merge-gate).
-#   B (safety)   -> deploy-hook fail-closes (exit 1) before `docker tag` if SOURCE_IMAGE
-#     OCI revision label != EXPECTED_REVISION (the validated SHA).
-#   ENABLED -> single kill-switch for the WHOLE feature; false -> legacy build-once.
-#   REPOS   -> CSV of repos where the feature is REAL; empty -> only self-hosting.
-ORCH_IMAGE_FRESHNESS_ENABLED=true
-ORCH_IMAGE_FRESHNESS_REPOS=