docs(knowledge): TKP 4-level lifecycle + 3 enrichments + ISMS->TISAX (genericity proof)

Transition KNOWLEDGE Patterns (renamed term -- curated knowledge, not an algorithm):
- 4 maturity levels: draft -> reviewed -> validated (domain expert) -> proven (field). "approved"
  dropped; target is validated. TP-ISO27001-CRA set to reviewed (L2).
- 3 enrichments per pattern: confidence_source: relationship (curated, not an LLM estimate ->
  computed-not-stored); why_asked (customer-facing: why the source does not suffice here); dropped_if
  (what makes the question unnecessary). Applied to TP-ISO27001-CRA.
- New TP-ISMS-TISAX (draft): different character -- info-security module mostly covered; delta is
  automotive-specific (prototype protection, TISAX labels, VDA ISA self-assessment, ENX assessment,
  Art. 28 data protection). Proves the architecture is GENERIC, not CRA-tailored.
- Reference scenario 4 generalized to loop over ALL patterns through RS-005: both carried (CRA
  17->17, TISAX 13->13) -> a living genericity + regression test for every future pattern.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Next: ISO9001->IATF16949.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/reference_scenarios/reference_scenario_suite_v1.md

@@ -145,38 +145,28 @@ _ILLUSTRATIVES Mapping: ISO27001 -> incident_response, supplier_management, asse
 | Master Capability Registry | **PASS** | computed confidence, policy-versioniert |
 | cap ↔ MCAP Linking | **TODO** | zwei Vokabulare unverbunden → RS-003 |
 
-## Szenario 4 — Transition ISO27001 → CRA (RS-005 + Pattern TP-ISO27001-CRA-v1)
+## Szenario 4 — Transition (RS-005 fährt JEDEN Knowledge Pattern)
 
-_Frage: „Ich bin ISO27001-zertifiziert — was fehlt mir für den CRA?"_
+_Genericity-Beweis: derselbe Algorithmus trägt jeden Transition Knowledge Pattern, nicht nur den CRA._
 
-**Input:** ISO27001-zertifiziert (Pattern TP-ISO27001-CRA-v1) → 8 ISMS-Capabilities inferred; Ziel CRA.
+**ISO/IEC 27001 → TISAX** _(TP-ISMS-TISAX-v1, status=draft)_
+> 13 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 5 fehlt, 0 n/a, 0 nicht im Korpus.
+- Delta zuerst (HIGH): data_protection_processing_on_behalf, prototype_protection, tisax_assessment_via_enx, tisax_label_scope_selection, vda_isa_self_assessment
+- vermutlich abgedeckt: information_security_management, access_control_and_authentication, asset_and_configuration_management, incident_management, supplier_security, cryptography, physical_security, security_awareness_training
+- Pattern getragen: **ja** (13 caps → 13 coverage + 13 requests)
 
-**Expected Transition Assessment (RS-005 v0 gegen den Pattern):**
-> Ziel CRA · 17 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 9 fehlt, 0 n/a, 0 nicht im Korpus.
-
-**Delta zuerst (HIGH — fehlt einem ISO-27001-only-Hersteller):**
-- `ce_conformity_assessment_and_technical_documentation` — intent=request_evidence, Nachweis=['technical_documentation', 'declaration_of_conformity']
-- `coordinated_vulnerability_disclosure` — intent=verify_existence, Nachweis=['cvd_policy']
-- `exploited_vuln_and_incident_reporting` — intent=verify_existence, Nachweis=['reporting_procedure']
-- `product_cyber_risk_assessment` — intent=verify_existence, Nachweis=['product_risk_assessment']
-- `public_security_advisories` — intent=verify_existence, Nachweis=['advisory_process']
-- `sbom_creation` — intent=determine_sbom_maturity, Nachweis=['sbom']
-- `secure_by_default_no_default_credentials` — intent=verify_existence, Nachweis=['config_export', 'test_report']
-- `secure_signed_update_distribution` — intent=verify_existence, Nachweis=['config_export', 'test_report']
-- `security_update_support_period` — intent=determine_duration, Nachweis=['support_policy', 'product_lifecycle_policy']
-
-**Aus ISO27001 vermutlich abgedeckt (Produkt-Nachweis bestätigen):** incident_management, technical_vulnerability_management, supplier_security, access_control_and_authentication, cryptography, security_logging_and_monitoring, secure_development_lifecycle, asset_and_configuration_management
-
-**Architektur-Test — trägt RS-005 den Pattern vollständig?** 17 Pattern-Capabilities → 17 Coverage + 17 Question-Requests → **ja, vollständig getragen**.
+**ISO/IEC 27001 → Cyber Resilience Act** _(TP-ISO27001-CRA-v1, status=reviewed)_
+> 17 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 9 fehlt, 0 n/a, 0 nicht im Korpus.
+- Delta zuerst (HIGH): ce_conformity_assessment_and_technical_documentation, coordinated_vulnerability_disclosure, exploited_vuln_and_incident_reporting, product_cyber_risk_assessment, public_security_advisories, sbom_creation, secure_by_default_no_default_credentials, secure_signed_update_distribution, security_update_support_period
+- vermutlich abgedeckt: incident_management, technical_vulnerability_management, supplier_security, access_control_and_authentication, cryptography, security_logging_and_monitoring, secure_development_lifecycle, asset_and_configuration_management
+- Pattern getragen: **ja** (17 caps → 17 coverage + 17 requests)
 
 **Architecture Coverage**
 
 | Layer | Status | Hinweis |
 |---|---|---|
-| Pattern-Load (YAML) | **PASS** | TP-ISO27001-CRA-v1 (draft, gold-standard) |
-| Company 2A (habe) | **PASS** | ISO27001 → 8 inferred caps |
-| RS-005 Planning Engine | **PASS** | Pattern → TransitionQuestionRequests |
-| Transition ISO27001→CRA | **PASS** | 9 Delta-Fragen (HIGH) + 8 zu bestätigen |
+| Transition ISOIEC27001→TISAX | **PASS** | draft · 5 HIGH-Delta + 8 zu bestätigen |
+| Transition ISOIEC27001→Cyber Resilience Act | **PASS** | reviewed · 9 HIGH-Delta + 8 zu bestätigen |
 | RS-005.1 Renderer (Fragetext) | **TODO** | verschoben — Engine liefert nur Requests |
 
 ## Gaps → Epics (Backlog — nur erfasst, NICHT implementiert)
@@ -190,6 +180,6 @@ _Frage: „Ich bin ISO27001-zertifiziert — was fehlt mir für den CRA?"_
 
 ## Suite-Status (Roll-up)
 
-- Coverage-Zellen gesamt: **25**
-- PASS: **17** · PARTIAL: 3 · UNSUPPORTED: 1 · TODO: 3 · N/A: 1 · NEEDS_FACTS: 0
+- Coverage-Zellen gesamt: **23**
+- PASS: **15** · PARTIAL: 3 · UNSUPPORTED: 1 · TODO: 3 · N/A: 1 · NEEDS_FACTS: 0
 - Fortschritt = PASS-Anteil steigt, wenn Epics RS-001…004 landen (objektiver Maßstab, kein LOC).