feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO)

Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the
convergence USP is a living regression, not just a one-off section.

- RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo
  expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1).
  Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING +
  4/4 expected multi-target caps converge. PASS.
- RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a
  machine; deciding question is_safety_component) — engine must never assert it applies. Honest,
  parallel to the Data-Act handling.
- RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS
  means the cyber side is entirely delta, so few caps are shared. The honest contrast that the
  convergence USP rewards companies who already run an ISMS.
- generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and
  reused. Data Act stays `uncertain` everywhere, never asserted.

All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0.
Non-runtime (knowledge + reference harness) -> no deploy (ADR-001).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/knowledge/reference_transition_scenarios/RTS-003.yaml

@@ -21,8 +21,8 @@ transition_goal:
     - target: CRA
       pattern: TP-ISO27001-CRA-v1
     - target: MaschinenVO
-      pattern: null
-      note: pattern_pending
+      convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1   # multi-target pattern now exists
+      note: covered_by_convergence_pattern
     - target: DataAct
       pattern: null
       note: uncertain_hypothesis     # NOT asserted — see expected_outcome.data_act
@@ -44,6 +44,26 @@ expected_outcome:
       - exploited_vuln_and_incident_reporting
       - product_cyber_risk_assessment
       - ce_conformity_assessment_and_technical_documentation
+  maschinenvo:
+    # The machine is in scope of the Machinery Regulation (is_machine: true) -> a real second target.
+    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
+    expected_delta_at_least:
+      - machine_safety_risk_assessment                       # mechanical safety, ISO 12100
+      - mechanical_safety_and_guards
+      - operating_instructions_and_safety_information
+      - protection_against_corruption_of_safety_functions    # Annex III 1.1.9 = the cyber-safety bridge
+  convergence:
+    # The USP: capabilities that satisfy CRA AND MaschinenVO at once (covers_targets [CRA, MaschinenVO]).
+    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
+    targets: [CRA, MaschinenVO]
+    expected_multi_target_at_least:
+      - product_cyber_risk_assessment
+      - protection_against_corruption_of_safety_functions
+      - secure_signed_update_distribution
+      - ce_conformity_assessment_and_technical_documentation
+    rationale: >
+      ONE capability covers requirements in BOTH regulations — the convergence finding. The engine must
+      surface these as shared, so the customer sees "N of M new measures satisfy CRA and MaschinenVO at once".
   data_act:
     expectation: uncertain            # the core correction: a connected machine MAY fall under the Data Act
     deciding_questions: [generates_usage_data, connected_product, data_act_scope]