feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO)

Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the convergence USP is a living regression, not just a one-off section. - RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1). Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING + 4/4 expected multi-target caps converge. PASS. - RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a machine; deciding question is_safety_component) — engine must never assert it applies. Honest, parallel to the Data-Act handling. - RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS means the cyber side is entirely delta, so few caps are shared. The honest contrast that the convergence USP rewards companies who already run an ISMS. - generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and reused. Data Act stays `uncertain` everywhere, never asserted. All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0. Non-runtime (knowledge + reference harness) -> no deploy (ADR-001). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-27 09:26:01 +02:00
parent 5fde7690a5
commit a0f72fc39b
5 changed files with 102 additions and 15 deletions
@@ -25,7 +25,7 @@ transition_goal:
      pattern: TP-ISO27001-CRA-v1     # executed through RS-005 below
    - target: MaschinenVO
      pattern: null
-      note: pattern_pending           # no MaschinenVO pattern yet
+      note: applicability_uncertain   # a pure component is usually NOT a machine -> see expected_outcome.maschinenvo

 expected_outcome:
  cra:
@@ -47,6 +47,14 @@ expected_outcome:
      - exploited_vuln_and_incident_reporting
      - product_cyber_risk_assessment
      - ce_conformity_assessment_and_technical_documentation
+  maschinenvo:
+    expectation: uncertain            # a pure component is usually NOT a machine -> NOT asserted
+    deciding_questions: [is_machine, is_safety_component, partly_completed_machinery]
+    rationale: >
+      The Machinery Regulation applies to machines, safety components and partly completed machinery.
+      A pure embedded component is usually out of scope, but a SAFETY component is not — so applicability
+      is itself a deciding question. The engine must ask (is_safety_component?), not assert gilt/gilt-nicht.
+      Contrast RTS-003, where is_machine: true makes MaschinenVO a settled second target with real convergence.
  data_act:
    expectation: uncertain            # NEVER a fixed gilt/gilt-nicht
    deciding_questions: [generates_usage_data, connected_product, data_act_scope]
@@ -22,7 +22,7 @@ transition_goal:
      pattern: TP-ISO9001-CRA-v1
    - target: MaschinenVO
      pattern: null
-      note: pattern_pending
+      note: applies_machine_safety    # is_machine: true -> settled second target (machine safety side)

 expected_outcome:
  cra:
@@ -44,6 +44,16 @@ expected_outcome:
      - exploited_vuln_and_incident_reporting
      - ce_conformity_assessment_and_technical_documentation
    expected_delta_much_larger_than: RTS-001   # regression: ISO9001 leaves more open than ISO27001
+  maschinenvo:
+    expectation: applies              # is_machine: true -> settled (not uncertain like RTS-001's component)
+    expected_delta_at_least:
+      - machine_safety_risk_assessment
+      - mechanical_safety_and_guards
+      - operating_instructions_and_safety_information
+    low_convergence_note: >
+      Unlike RTS-003, a QMS-only builder gets almost NO CRA<->MaschinenVO convergence: with no ISMS the
+      cyber side is entirely in the delta, so few capabilities are shared between the two regulations.
+      The convergence USP rewards companies that ALREADY have an ISMS — that is the honest contrast.
  data_act:
    expectation: uncertain
    deciding_questions: [connected_product, generates_usage_data, data_act_scope]
@@ -21,8 +21,8 @@ transition_goal:
    - target: CRA
      pattern: TP-ISO27001-CRA-v1
    - target: MaschinenVO
-      pattern: null
-      note: pattern_pending
+      convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1   # multi-target pattern now exists
+      note: covered_by_convergence_pattern
    - target: DataAct
      pattern: null
      note: uncertain_hypothesis     # NOT asserted — see expected_outcome.data_act
@@ -44,6 +44,26 @@ expected_outcome:
      - exploited_vuln_and_incident_reporting
      - product_cyber_risk_assessment
      - ce_conformity_assessment_and_technical_documentation
+  maschinenvo:
+    # The machine is in scope of the Machinery Regulation (is_machine: true) -> a real second target.
+    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
+    expected_delta_at_least:
+      - machine_safety_risk_assessment                       # mechanical safety, ISO 12100
+      - mechanical_safety_and_guards
+      - operating_instructions_and_safety_information
+      - protection_against_corruption_of_safety_functions    # Annex III 1.1.9 = the cyber-safety bridge
+  convergence:
+    # The USP: capabilities that satisfy CRA AND MaschinenVO at once (covers_targets [CRA, MaschinenVO]).
+    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
+    targets: [CRA, MaschinenVO]
+    expected_multi_target_at_least:
+      - product_cyber_risk_assessment
+      - protection_against_corruption_of_safety_functions
+      - secure_signed_update_distribution
+      - ce_conformity_assessment_and_technical_documentation
+    rationale: >
+      ONE capability covers requirements in BOTH regulations — the convergence finding. The engine must
+      surface these as shared, so the customer sees "N of M new measures satisfy CRA and MaschinenVO at once".
  data_act:
    expectation: uncertain            # the core correction: a connected machine MAY fall under the Data Act
    deciding_questions: [generates_usage_data, connected_product, data_act_scope]