feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO)

Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the
convergence USP is a living regression, not just a one-off section.

- RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo
  expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1).
  Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING +
  4/4 expected multi-target caps converge. PASS.
- RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a
  machine; deciding question is_safety_component) — engine must never assert it applies. Honest,
  parallel to the Data-Act handling.
- RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS
  means the cyber side is entirely delta, so few caps are shared. The honest contrast that the
  convergence USP rewards companies who already run an ISMS.
- generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and
  reused. Data Act stays `uncertain` everywhere, never asserted.

All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0.
Non-runtime (knowledge + reference harness) -> no deploy (ADR-001).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/reference_scenarios/reference_scenario_suite_v1.md

@@ -185,26 +185,30 @@ _Anonymisierte Archetypen (KEINE Firmennamen). Jeder RTS pinnt ein Expected Outc
 - Expected Delta erfüllt: **ja** (7/7 Soll-Delta in der Ist-Lücke)
 - Expected likely_covered erfüllt: **ja**
 - Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+- MaschinenVO: Soll **uncertain** (Komponente, deciding: is_safety_component) → Engine asserted nicht: ok
 
 **RTS-002** — Classic machine builder with only a QMS — precision systems, CE products, no ISMS
 > Start ISO9001 → CRA. 13 zu klären, 0 bereits abgedeckt, 3 vermutlich vorhanden, 10 fehlt, 0 n/a, 0 nicht im Korpus.
 - Expected Delta erfüllt: **ja** (9/9 Soll-Delta in der Ist-Lücke)
 - Expected likely_covered erfüllt: **ja**
 - Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+- MaschinenVO **gilt** (is_machine): Safety-Delta machine_safety_risk_assessment, mechanical_safety_and_guards, operating_instructions_and_safety_information — **geringe Konvergenz ohne ISMS** (RS-004 reg-map-Gate offen)
 
 **RTS-003** — Machine builder with an ISMS and networked products — connected machines that may generate usage data
 > Start ISO27001 → CRA. 17 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 9 fehlt, 0 n/a, 0 nicht im Korpus.
 - Expected Delta erfüllt: **ja** (7/7 Soll-Delta in der Ist-Lücke)
 - Expected likely_covered erfüllt: **ja**
 - Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+- MaschinenVO **gilt** (is_machine): 4/4 Safety-Delta in der Ist-Lücke (Convergence-Pattern) → ok
+- Konvergenz CRA∩MaschinenVO: 4/4 erwartete Multi-Target-Caps → ok (4 von 12 Capabilities decken >= 2 Regelwerke gleichzeitig ab (CRA + MaschinenVO).)
 
 **Architecture Coverage**
 
 | Layer | Status | Hinweis |
 |---|---|---|
-| RTS-001 (TISAX→CRA) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain |
-| RTS-002 (ISO9001→CRA) | **PASS** | 9/9 Delta-Soll · likely_covered ok · DataAct=uncertain |
-| RTS-003 (ISO27001→CRA) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain |
+| RTS-001 (TISAX→CRA+MaschVO) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain · MaschVO=uncertain(ok) |
+| RTS-002 (ISO9001→CRA+MaschVO) | **PASS** | 9/9 Delta-Soll · likely_covered ok · DataAct=uncertain · MaschVO=applies (geringe Konvergenz, kein ISMS) |
+| RTS-003 (ISO27001→CRA+MaschVO) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain · MaschVO=applies 4/4 Safety-Delta · Konvergenz ok |
 
 ## Regulatory Convergence — CRA + MaschinenVO (Cross-Regulation Capability Mapping)