feat(staging): deterministic staging-runner replacing LLM deployer on deploy-staging (ORCH-115)

Replace the LLM `deployer` agent on the `deploy-staging` stage (self-hosting
orchestrator) with a deterministic staging-runner intercepted in launch_job
BEFORE _spawn (the deploy-finalizer / post-deploy-monitor reserved-agent
precedent). The runner executes the SAME staging suite, maps the exit-code to
`staging_status:` via the existing self_deploy.map_exit_code_to_status contract,
writes 15-staging-log.md, and initiates the UNCHANGED check_staging_status gate
exactly as a finished LLM-deployer would.

Invariant (NFR-1): this replaces only the *producer* of the artifact — the
artifact contract, the gate / _parse_staging_status / check_staging_status name,
STAGE_TRANSITIONS, the machine-verdict key `staging_status:` and the DB schema are
byte-for-byte unchanged. Additive, under a kill-switch + repo-scope CSV,
never-raise, fail-safe back to the LLM path.

Two-level outcome (D5, anti ORCH-110): suite executed -> verdict -> advance
(FAILED -> the existing deploy-staging -> development rollback + developer-retry,
same as a FAILED LLM verdict); tool-error (suite did not execute) -> bounded DEFER
-> fail-closed FAILED + alert on exhaustion (infra != code fault; never a silent
advance / false green).

First implemented slice of the LLM determinization roadmap (ORCH-118 A6,
replace-deterministic-now).

- New leaf src/staging_runner.py (never-raise; proc_group tree-kill + timeout)
- launch_job intercept + _run_staging_runner_job (mirror _run_deploy_finalizer_job)
- config: ORCH_STAGING_RUNNER_* keys (enabled/repos/timeout/infra-retry budget)
- GET /queue staging_runner observability block
- docs: llm-call-sites/roadmap/usage-policy (A6 implemented; machine blocks +
  single-transport invariant intact), deployer.md (LLM branch -> fallback),
  CLAUDE.md, CHANGELOG.md, overview (tech-pipeline/tech-agents/tech-quality-security),
  .env.example
- tests/test_orch115_staging_runner.py (TC-01..TC-13); LLM anti-drift green (TC-14)

Refs: ORCH-115

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.env.example

@@ -557,6 +557,27 @@ ORCH_COVERAGE_EPSILON=0.5
 ORCH_COVERAGE_TOOL_FAIL_CLOSED=false
 ORCH_COVERAGE_RUN_TIMEOUT_S=900
 
+# ORCH-115: deterministic staging-runner replacing the LLM `deployer` on the
+# `deploy-staging` stage (self-hosting orchestrator). Intercepted in launch_job
+# BEFORE _spawn (deploy-finalizer / post-deploy-monitor precedent): runs the same
+# staging suite, maps exit-code -> staging_status:, writes 15-staging-log.md and
+# initiates the UNCHANGED check_staging_status gate. Replaces only the producer of
+# the artifact; the gate / STAGE_TRANSITIONS / DB schema are byte-for-byte unchanged.
+# See ADR-001-deterministic-staging-runner.md / adr-0048.
+#   STAGING_RUNNER_ENABLED            -> kill-switch; false -> the prior LLM deployer
+#                                        runs on deploy-staging via _spawn 1:1.
+#   STAGING_RUNNER_REPOS              -> CSV scope; empty -> self-hosting only.
+#   STAGING_RUNNER_TIMEOUT_S          -> wall-clock budget for the docker-exec suite
+#                                        (malformed/non-positive -> default 600 + WARNING).
+#   STAGING_RUNNER_INFRA_MAX_RETRIES  -> tool-error (suite did NOT execute) bounded DEFER
+#                                        budget before a fail-closed FAILED (anti ORCH-110).
+#   STAGING_RUNNER_INFRA_RETRY_DELAY_S-> delay before the re-queued deployer job.
+ORCH_STAGING_RUNNER_ENABLED=true
+ORCH_STAGING_RUNNER_REPOS=
+ORCH_STAGING_RUNNER_TIMEOUT_S=600
+ORCH_STAGING_RUNNER_INFRA_MAX_RETRIES=2
+ORCH_STAGING_RUNNER_INFRA_RETRY_DELAY_S=30
+
 # ORCH-057 (follow-up ORCH-040): legacy root-owned ownership detect + actionable
 # worktree error. After the uid migration (user: "1000:1000") legacy root:root files
 # in /repos broke worktree creation under uid 1000 with a raw "Permission denied".