feat(risk): render risk posture across all surfaces (Arc B parity)

[saagpatel]

Arc B — risk render parity

Surfaces the already-computed risk posture across the render surfaces that were missing it, so all surfaces tell the same risk story.

What changed

• build_risk_lookup(output_dir) — new canonical per-repo risk reader (report_enrichment.py); _extract_risk_posture now derives from it (one fewer truth-JSON parse).
• Markdown reporter — new ### Risk Posture aggregate section + per-repo **Risk Tier:** line (was the only surface with zero risk).
• HTML dashboard — per-repo Risk column in the All Repos table; replaced a duplicate inline truth parse with build_risk_lookup.
• Excel Repo Detail — risk tier as hidden column 79 + a "Risk Posture" card section.
• Excel Dashboard — "Elevated Risk" KPI.

Verification

• 2219 passed, 2 skipped; ruff clean (src + tests).
• make workbook-gate automated checks pass (manual desktop-Excel signoff pending as usual).
• TDD per surface.

Reviewer disclosures

1. reporter.py diff is large but mostly ruff format normalization. The file had drifted from the project formatter; the PostToolUse ruff format hook normalized it (quote style + line wrapping). The actual risk logic is ~30 lines; the rest is semantics-preserving formatting.
2. Pre-existing keying limitation (NOT introduced here, follow-up filed mentally). risk_lookup keys by portfolio-truth display_name (local dir name) while consumers look up by audit metadata.name (GitHub repo name). For repos where these differ (~24% in a sample; includes spaced names like "Devil's Advocate", "Signal & Noise"), risk renders blank. This is the same convention the already-shipped All Repos risk column uses, so it is pre-existing and shared — this PR makes the other four surfaces consistent with All Repos, not worse. The real fix is cross-source identity reconciliation (display_name ↔ GitHub name), a separate arc that also touches the shipped path.