[Change] Explainable Risk Rollups (single score, traceable) — Δ6

[djm81]

Why

Every ceremony (standup, refinement, sprint summary, PI planning, release readiness) needs a consistent risk model with explainable inputs. Today risk is mentioned piecemeal in extensions but not modeled or wired. A single risk rollup mechanism—dependency criticality, policy failures, complexity flags, capacity overage, aging/WIP violations—makes all commands "exceptions-first" by default and gives teams one place to see "what might blow up."

What Changes

• Introduce a Risk model with inputs: dependency criticality, policy failures (DoR/DoD/flow), complexity flags, capacity overage, aging/WIP violations.
• Produce a single rollup score (low/medium/high) with traceable contributions: JSON output with input contributions, reasons, and evidence pointers.
• Integrate risk rollup into standup, refinement, sprint-summary, and (when available) PI summary so each command can surface risk section.
• Policy Engine (feat(openspec): code review bug-finding and sidecar venv fix #176) and dependency analysis ([Change] Spec-Kit Change Proposal Bridge & Backlog Extension Sync #116) feed risk inputs; sprint-planning ([Change] Traceability Runtime Queries And Orphan Detection Follow-Up #170) and complexity/splitting ([Change] Full-Chain Validation Runtime Engine Follow-Up #171) contribute capacity and complexity signals.
• Documentation (agile-scrum-workflows) for risk model and rollup usage.

Acceptance Criteria

• Risk model aggregates configurable inputs (dependency criticality, policy failures, complexity, capacity, aging/WIP).
• Rollup score (low/medium/high) with JSON output including contributions (source, reason, evidence pointer).
• Risk section integrable into backlog daily, refine, sprint-summary when data available.
• Docs updated (agile-scrum-workflows).

---

OpenSpec Change Proposal: risk-rollups