Arc G — risk identity keying (cross-source)

Fixes the pre-existing limitation surfaced by Arc B's code review: risk is computed in portfolio truth (keyed by local-dir display_name) but every render consumer iterates audit data (keyed by GitHub metadata.name). For repos whose dir name ≠ GitHub repo name, risk rendered blank on every surface — including the already-shipped All Repos column.

Fix (mirrors the existing _select_security_entry GHAS join)

• Persist the GitHub slug into truth: add IdentityFields.repo_full_name (additive, from _git_remote_full_name, already captured at scan time but previously dropped).
• Multi-key the risk lookups by slug + display_name in both build_risk_lookup (report_enrichment.py) and load_risk_truth (excel_export_truth_helpers.py), so consumers keying by metadata.name resolve.
• Aggregate safety: the slug alias shares the same entry object; _extract_risk_posture dedups by identity and load_risk_truth increments posture once per project — no double-counting (verified: posture sum == project count).

Measured impact

On a real audit report, repos resolving risk went 86% → 96% — 12 repos recovered (signal-noise, devils-advocate, PhantomFrequencies, seismoscope, …) that were silently blank everywhere. 121/129 truth projects now carry the slug (the 8 without have no GitHub remote).

Verification

• 2222 passed, 2 skipped; ruff clean.
• New tests: slug-keying + display-name-keying both resolve; posture not inflated by aliases.
• Additive schema field (backward-compatible; old snapshots default to "").