docs(knowledge): Reference Transition Scenarios (RTS-001..003) + ISO9001->CRA pattern

Three ANONYMIZED reference transition scenarios (no real company names stored) = canonical
regression scenarios that test the KNOWLEDGE, not just the engine. Each pins an Expected
Outcome (expected_likely_covered + expected_delta); every commit must reproduce it (identical
or better).

- RTS-001 automotive supplier (TISAX+ISO27001) -> CRA: mature ISMS, standard CRA delta.
- RTS-002 classic machine builder (ISO9001) -> CRA: only process discipline -> MUCH larger delta
  (10 missing vs 3 covered). New TP-ISO9001-CRA-v1 pattern (different shape).
- RTS-003 networked machine builder (ISMS) -> CRA: highlights the Data Act.

Data Act is modelled as UNCERTAIN (a hypothesis), never a fixed gilt/gilt-nicht: the generator
checks the engine SURFACES the uncertainty + the deciding question (generates_usage_data) and
never wrongly ASSERTS applicability. All three RTS PASS.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Names deliberately absent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/knowledge/reference_transition_scenarios/RTS-003.yaml

@@ -0,0 +1,54 @@
+# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
+id: RTS-003
+archetype: "Machine builder with an ISMS and networked products — connected machines that may generate usage data"
+note: "Anonymized typical starting situation; illustrative only. Highlights the Data-Act uncertainty."
+
+reference_company:
+  sector: mechanical_engineering
+  known_certifications: [ISO27001]   # ISMS ~ ISO 27001
+  product_traits:
+    is_machine: true
+    is_component: false
+    has_embedded_software: true
+    connected_to_internet: true
+    has_remote_access: true
+    generates_usage_data: null       # UNKNOWN -> the Data-Act deciding question
+    market: [EU]
+
+transition_goal:
+  from: [ISO27001]
+  to:
+    - target: CRA
+      pattern: TP-ISO27001-CRA-v1
+    - target: MaschinenVO
+      pattern: null
+      note: pattern_pending
+    - target: DataAct
+      pattern: null
+      note: uncertain_hypothesis     # NOT asserted — see expected_outcome.data_act
+
+expected_outcome:
+  cra:
+    pattern: TP-ISO27001-CRA-v1
+    expected_likely_covered_at_least:
+      - incident_management
+      - technical_vulnerability_management
+      - secure_development_lifecycle
+      - access_control_and_authentication
+      - security_logging_and_monitoring
+    expected_delta_at_least:
+      - sbom_creation
+      - coordinated_vulnerability_disclosure
+      - security_update_support_period
+      - secure_signed_update_distribution
+      - exploited_vuln_and_incident_reporting
+      - product_cyber_risk_assessment
+      - ce_conformity_assessment_and_technical_documentation
+  data_act:
+    expectation: uncertain            # the core correction: a connected machine MAY fall under the Data Act
+    deciding_questions: [generates_usage_data, connected_product, data_act_scope]
+    rationale: >
+      A networked machine is MORE likely to fall under the Data Act than a pure component, but it is NOT
+      a settled fact — it depends on usage-data generation, user access, and scope. The Reference Suite
+      checks that the engine recognises the RIGHT uncertainty and asks the deciding question, NOT that it
+      writes a fixed gilt/gilt-nicht.