feat: Medical stress test (safety+security coupled) + Missing Convergence report (Phase Ω #3)

Medical before Payment: the harder scientific test (safety AND security coupled, full lifecycle,
deep risk/evidence demands). ISO 13485 runs through the SAME engine as ISO 27001 -> CRA, only new
data, 0 runtime. The key result: IEC 81001-5-1 (health-software security) pulls in the SAME security
MCAPs as the CRA, so Medical REUSES cyber capabilities (the safety/security coupling appears as
capability reuse) while adding 7 genuinely new medical caps (clinical evaluation, software safety
classification, ISO 14971 risk file, benefit-risk). rejected_assumptions intact.

Effect on the convergence core: secure_signed_update_distribution 18 -> 24 and
technical_vulnerability_management 17 -> 23, now spanning 3 domains (cyber + industrial + medical) —
the core visibly GROWS, exactly the convergence signal.

New 5th report: MISSING CONVERGENCE — deterministic (no ML) token-cluster detector for potential
structural duplications: a name token shared by >=3 MCAPs across >=2 distinct sources is flagged for
EXPERT REVIEW (never auto-merged). Surfaces e.g. the `risk` cluster (6 risk MCAPs across 6 sources)
and `security`/`software`; single-source decompositions are filtered out. Complements Suspicious by
looking at cross-source duplication, not single MCAPs.

Also records the durable modelling rule extracted from the frequency fix: evidence is attributed to
its ORIGIN; its value against a target is computed later (relevance(evidence,target)). Ledger now 8
sources, Architecture Stability 8/8 = 100%. Non-runtime -> no deploy. 29 tests pass, check-loc 0.

backend-compliance/tests/test_mcap_convergence_analysis.py

@@ -38,23 +38,36 @@ def test_runs_end_to_end():
 def test_core_is_cross_cutting_not_frequency():
     out = _run()
     core = _section(out, "## 1. Core MCAPs")
-    # the most cross-cutting capability tops the Core report
-    assert "`secure_signed_update_distribution` | **18** |" in core
+    # the most cross-cutting capability tops the Core report; with Medical it now spans 3 domains
+    assert "`secure_signed_update_distribution` | **24** |" in core
     assert "technical_vulnerability_management" in core
     # a high-frequency BUT single-domain management cap must NOT be in Core (frequency != impact)
     assert "conduct_internal_environmental_audits" not in core
 
 
-def test_all_four_reports_present():
+def test_all_five_reports_present():
     out = _run()
-    for header in ["## 1. Core MCAPs", "## 2. Emerging MCAPs", "## 3. Isolated MCAPs", "## 4. Suspicious MCAPs"]:
+    for header in ["## 1. Core MCAPs", "## 2. Emerging MCAPs", "## 3. Isolated MCAPs",
+                   "## 4. Suspicious MCAPs", "## 5. Missing Convergence"]:
         assert header in out
 
 
+def test_missing_convergence_flags_cross_source_duplication():
+    out = _run()
+    mc = _section(out, "## 5. Missing Convergence")
+    # the 'risk' token clusters several distinct risk MCAPs across many sources -> a review candidate
+    assert "Token `risk`" in mc
+    assert "maintain_risk_management_file_iso14971" in mc and "product_cyber_risk_assessment" in mc
+    assert "KEIN Auto-Merge" in out
+    # single-source decompositions (all-environmental) must be filtered out (>=2 sources required)
+    assert "Token `environmental`" not in mc
+
+
 def test_isolated_and_suspicious_are_review_tools():
     out = _run()
     iso = _section(out, "## 3. Isolated MCAPs")
-    assert "issue_battery_passport" in iso or "measure_air_emissions" in iso
+    assert "Review: spezialisiert ODER Konvergenz übersehen" in iso
+    assert "conduct_clinical_evaluation" in iso or "cybersecurity_management_system" in iso
     susp = _section(out, "## 4. Suspicious MCAPs")
     assert "zu grob" in susp and "zu fein" in susp
 

backend-compliance/tests/test_medical_stress_test.py

@@ -0,0 +1,58 @@
+"""Medical stress test — safety + security coupled (Phase Ω #3).
+
+Pins the harder joint test: ISO 13485 runs through the SAME engine (0 runtime, data only), and IEC
+81001-5-1 (health-software security) pulls in the SAME security MCAPs as the CRA — so Medical REUSES
+cyber capabilities (the safety/security coupling shows up as capability reuse) while adding genuinely
+new medical-specific caps (clinical evaluation, software safety classification, ISO 14971 risk file).
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+
+
+def _run():
+    root = os.path.join(os.path.dirname(__file__), "..")
+    r = subprocess.run(
+        [sys.executable, "reference_scenarios/medical_stress_test.py"],
+        cwd=root, env={**os.environ, "PYTHONPATH": "."}, capture_output=True, text=True,
+    )
+    assert r.returncode == 0, r.stderr
+    return r.stdout
+
+
+def test_runs_end_to_end_zero_runtime():
+    out = _run()
+    assert "Medical Stress Test" in out
+    assert "0 neue Runtime-Klassen" in out
+
+
+def test_safety_security_coupling_reuses_cyber_caps():
+    out = _run()
+    assert "Wiederverwendete Cyber-Capabilities (4)" in out
+    for cap in ["secure_signed_update_distribution", "technical_vulnerability_management",
+                "access_control_and_authentication", "sbom_creation"]:
+        assert cap in out
+    assert "IEC 81001-5-1" in out
+
+
+def test_genuinely_new_medical_capabilities():
+    out = _run()
+    assert "Neu (7)" in out
+    for cap in ["conduct_clinical_evaluation", "classify_software_safety_iec62304",
+                "maintain_risk_management_file_iso14971", "perform_benefit_risk_analysis"]:
+        assert cap in out
+
+
+def test_rejected_assumptions_present():
+    out = _run()
+    assert "ISO 13485 does NOT produce clinical evidence" in out
+    assert "the same security caps as the CRA" in out
+
+
+def test_no_real_company_names():
+    out = _run().lower()
+    for name in ["eto", "owis", "winterhalter", "medtronic", "siemens"]:
+        assert name not in out