feat: Medical stress test (safety+security coupled) + Missing Convergence report (Phase Ω #3)

Medical before Payment: the harder scientific test (safety AND security coupled, full lifecycle,
deep risk/evidence demands). ISO 13485 runs through the SAME engine as ISO 27001 -> CRA, only new
data, 0 runtime. The key result: IEC 81001-5-1 (health-software security) pulls in the SAME security
MCAPs as the CRA, so Medical REUSES cyber capabilities (the safety/security coupling appears as
capability reuse) while adding 7 genuinely new medical caps (clinical evaluation, software safety
classification, ISO 14971 risk file, benefit-risk). rejected_assumptions intact.

Effect on the convergence core: secure_signed_update_distribution 18 -> 24 and
technical_vulnerability_management 17 -> 23, now spanning 3 domains (cyber + industrial + medical) —
the core visibly GROWS, exactly the convergence signal.

New 5th report: MISSING CONVERGENCE — deterministic (no ML) token-cluster detector for potential
structural duplications: a name token shared by >=3 MCAPs across >=2 distinct sources is flagged for
EXPERT REVIEW (never auto-merged). Surfaces e.g. the `risk` cluster (6 risk MCAPs across 6 sources)
and `security`/`software`; single-source decompositions are filtered out. Complements Suspicious by
looking at cross-source duplication, not single MCAPs.

Also records the durable modelling rule extracted from the frequency fix: evidence is attributed to
its ORIGIN; its value against a target is computed later (relevance(evidence,target)). Ledger now 8
sources, Architecture Stability 8/8 = 100%. Non-runtime -> no deploy. 29 tests pass, check-loc 0.

backend-compliance/tests/test_mcap_convergence_analysis.py

@@ -38,23 +38,36 @@ def test_runs_end_to_end():
 def test_core_is_cross_cutting_not_frequency():
     out = _run()
     core = _section(out, "## 1. Core MCAPs")
-    # the most cross-cutting capability tops the Core report
-    assert "`secure_signed_update_distribution` | **18** |" in core
+    # the most cross-cutting capability tops the Core report; with Medical it now spans 3 domains
+    assert "`secure_signed_update_distribution` | **24** |" in core
     assert "technical_vulnerability_management" in core
     # a high-frequency BUT single-domain management cap must NOT be in Core (frequency != impact)
     assert "conduct_internal_environmental_audits" not in core
 
 
-def test_all_four_reports_present():
+def test_all_five_reports_present():
     out = _run()
-    for header in ["## 1. Core MCAPs", "## 2. Emerging MCAPs", "## 3. Isolated MCAPs", "## 4. Suspicious MCAPs"]:
+    for header in ["## 1. Core MCAPs", "## 2. Emerging MCAPs", "## 3. Isolated MCAPs",
+                   "## 4. Suspicious MCAPs", "## 5. Missing Convergence"]:
         assert header in out
 
 
+def test_missing_convergence_flags_cross_source_duplication():
+    out = _run()
+    mc = _section(out, "## 5. Missing Convergence")
+    # the 'risk' token clusters several distinct risk MCAPs across many sources -> a review candidate
+    assert "Token `risk`" in mc
+    assert "maintain_risk_management_file_iso14971" in mc and "product_cyber_risk_assessment" in mc
+    assert "KEIN Auto-Merge" in out
+    # single-source decompositions (all-environmental) must be filtered out (>=2 sources required)
+    assert "Token `environmental`" not in mc
+
+
 def test_isolated_and_suspicious_are_review_tools():
     out = _run()
     iso = _section(out, "## 3. Isolated MCAPs")
-    assert "issue_battery_passport" in iso or "measure_air_emissions" in iso
+    assert "Review: spezialisiert ODER Konvergenz übersehen" in iso
+    assert "conduct_clinical_evaluation" in iso or "cybersecurity_management_system" in iso
     susp = _section(out, "## 4. Suspicious MCAPs")
     assert "zu grob" in susp and "zu fein" in susp