docs(knowledge): Reference Transition Scenarios (RTS-001..003) + ISO9001->CRA pattern

Three ANONYMIZED reference transition scenarios (no real company names stored) = canonical
regression scenarios that test the KNOWLEDGE, not just the engine. Each pins an Expected
Outcome (expected_likely_covered + expected_delta); every commit must reproduce it (identical
or better).

- RTS-001 automotive supplier (TISAX+ISO27001) -> CRA: mature ISMS, standard CRA delta.
- RTS-002 classic machine builder (ISO9001) -> CRA: only process discipline -> MUCH larger delta
  (10 missing vs 3 covered). New TP-ISO9001-CRA-v1 pattern (different shape).
- RTS-003 networked machine builder (ISMS) -> CRA: highlights the Data Act.

Data Act is modelled as UNCERTAIN (a hypothesis), never a fixed gilt/gilt-nicht: the generator
checks the engine SURFACES the uncertainty + the deciding question (generates_usage_data) and
never wrongly ASSERTS applicability. All three RTS PASS.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Names deliberately absent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/reference_scenarios/generate.py

@@ -35,7 +35,7 @@ from compliance.capability import (
 )
 from compliance.reasoning.enums import Confidence
 from compliance.transition_reasoning import (
-    TransitionContext, TransitionGoal, TargetType, TargetRequirement, assess_transition,
+    TransitionContext, TransitionGoal, TargetType, TargetRequirement, assess_transition, CoverageStatus,
 )
 import os
 import yaml
@@ -279,6 +279,63 @@ for _pf in _pat_files:
 _t_rows.append(("RS-005.1 Renderer (Fragetext)", "TODO", "verschoben — Engine liefert nur Requests"))
 coverage_table(_t_rows)
 
+# ── Reference Transition Scenarios (RTS) — canonical regression (Soll/Ist + knowledge) ───
+w("## Reference Transition Scenarios (RTS) — kanonische Regression (Soll/Ist)")
+w("")
+w('_Anonymisierte Archetypen (KEINE Firmennamen). Jeder RTS pinnt ein Expected Outcome; jeder Commit muss es reproduzieren (identisch oder besser). Data Act = `uncertain`, nie fix „gilt/gilt-nicht"._')
+w("")
+_rts_dir = os.path.join(os.path.dirname(__file__), "..", "knowledge", "reference_transition_scenarios")
+_pat_d2 = os.path.join(os.path.dirname(__file__), "..", "knowledge", "transition_patterns")
+_pat_by_id = {}
+for _pf in sorted(os.listdir(_pat_d2)):
+    if _pf.startswith("transition_pattern_") and _pf.endswith(".yaml"):
+        with open(os.path.join(_pat_d2, _pf), encoding="utf-8") as _h:
+            _pp = yaml.safe_load(_h)
+        _pat_by_id[_pp["id"]] = _pp
+_rts_rows: List[Row] = []
+for _rf in sorted(f for f in os.listdir(_rts_dir) if f.startswith("RTS-") and f.endswith(".yaml")):
+    with open(os.path.join(_rts_dir, _rf), encoding="utf-8") as _f:
+        RTS = yaml.safe_load(_f)
+    _cra = RTS["expected_outcome"]["cra"]
+    _pat = _pat_by_id[_cra["pattern"]]
+    _src = RTS["reference_company"]["known_certifications"][0]
+    _have = [a["capability"] for a in _pat["likely_covered"]]
+    _map = {_src: CapabilityMappingEntry(capability_ids=_have, confidence=Confidence.MEDIUM)}
+    _profile = build_company_profile(
+        CompanyContext(company_id="rts", certifications=[Certification(certification_id=_src)]), _map)
+    _reqs = [TargetRequirement(capability_id=a["capability"]) for a in _pat["likely_covered"]]
+    _reqs += [TargetRequirement(capability_id=d["capability"], question_intent=d.get("needed_information", "verify_existence"))
+              for d in _pat["delta_requirements"]]
+    _a = assess_transition(TransitionContext(company_id="rts", target=TransitionGoal(target_id="CRA")), _reqs, _profile)
+    _actual_missing = {c.capability_id for c in _a.coverage if c.status == CoverageStatus.MISSING}
+    _exp_delta = set(_cra["expected_delta_at_least"])
+    _exp_cov = set(_cra["expected_likely_covered_at_least"])
+    _delta_ok = _exp_delta <= _actual_missing
+    _cov_ok = _exp_cov <= set(_a.summary.probably_covered)
+    # Data Act: the engine must SURFACE uncertainty, never ASSERT "applies".
+    _tr = RTS["reference_company"]["product_traits"]
+    _P = P(name="rts", product_type=PT.MACHINERY if _tr.get("is_machine") else PT.HARDWARE,
+           markets=_tr.get("market", ["EU"]), economic_operator_role=Role.MANUFACTURER,
+           lifecycle_phase=LP.PLACING_ON_MARKET, is_machine=_tr.get("is_machine"),
+           is_component=_tr.get("is_component"), has_embedded_software=_tr.get("has_embedded_software"),
+           connected_to_internet=_tr.get("connected_to_internet"), has_remote_access=_tr.get("has_remote_access"),
+           generates_usage_data=_tr.get("generates_usage_data"))
+    _rmap = render_regulatory_map(_P)
+    _appl = {v.regulation_id for v in _rmap.applicable_regulations}
+    _unc = {v.regulation_id for v in _rmap.uncertain_regulations}
+    _da = "applicable" if "DataAct" in _appl else ("uncertain" if "DataAct" in _unc else "excluded/absent")
+    _da_ok = "DataAct" not in _appl   # never wrongly asserted as applicable
+    _ok = _delta_ok and _cov_ok and _da_ok
+    w("**%s** — %s" % (RTS["id"], RTS["archetype"]))
+    w("> Start %s → CRA. %s" % ("+".join(RTS["reference_company"]["known_certifications"]), _a.summary.headline))
+    w("- Expected Delta erfüllt: **%s** (%d/%d Soll-Delta in der Ist-Lücke)" % ("ja" if _delta_ok else "NEIN", len(_exp_delta & _actual_missing), len(_exp_delta)))
+    w("- Expected likely_covered erfüllt: **%s**" % ("ja" if _cov_ok else "NEIN"))
+    w("- Data Act: Engine sagt **%s** (Soll: uncertain; nie asserted) → %s" % (_da, "ok" if _da_ok else "FEHLER (asserted!)"))
+    w("")
+    _rts_rows.append(("%s (%s→CRA)" % (RTS["id"], _src), "PASS" if _ok else "PARTIAL",
+                      "%d/%d Delta-Soll · likely_covered %s · DataAct=%s" % (len(_exp_delta & _actual_missing), len(_exp_delta), "ok" if _cov_ok else "NEIN", _da)))
+coverage_table(_rts_rows)
+
 # ── Epics + roll-up ───────────────────────────────────────────────────────
 w("## Gaps → Epics (Backlog — nur erfasst, NICHT implementiert)")
 w("")

backend-compliance/reference_scenarios/reference_scenario_suite_v1.md

@@ -161,14 +161,51 @@ _Genericity-Beweis: derselbe Algorithmus trägt jeden Transition Knowledge Patte
 - vermutlich abgedeckt: incident_management, technical_vulnerability_management, supplier_security, access_control_and_authentication, cryptography, security_logging_and_monitoring, secure_development_lifecycle, asset_and_configuration_management
 - Pattern getragen: **ja** (17 caps → 17 coverage + 17 requests)
 
+**ISO 9001 → Cyber Resilience Act** _(TP-ISO9001-CRA-v1, status=draft)_
+> 13 zu klären, 0 bereits abgedeckt, 3 vermutlich vorhanden, 10 fehlt, 0 n/a, 0 nicht im Korpus.
+- Delta zuerst (HIGH): access_control_and_authentication, ce_conformity_assessment_and_technical_documentation, coordinated_vulnerability_disclosure, exploited_vuln_and_incident_reporting, product_cyber_risk_assessment, sbom_creation, secure_development_lifecycle, secure_signed_update_distribution, security_update_support_period, technical_vulnerability_management
+- vermutlich abgedeckt: document_and_change_control, supplier_evaluation, release_and_approval_process
+- Pattern getragen: **ja** (13 caps → 13 coverage + 13 requests)
+
 **Architecture Coverage**
 
 | Layer | Status | Hinweis |
 |---|---|---|
 | Transition ISOIEC27001→TISAX | **PASS** | draft · 5 HIGH-Delta + 8 zu bestätigen |
 | Transition ISOIEC27001→Cyber Resilience Act | **PASS** | reviewed · 9 HIGH-Delta + 8 zu bestätigen |
+| Transition ISO9001→Cyber Resilience Act | **PASS** | draft · 10 HIGH-Delta + 3 zu bestätigen |
 | RS-005.1 Renderer (Fragetext) | **TODO** | verschoben — Engine liefert nur Requests |
 
+## Reference Transition Scenarios (RTS) — kanonische Regression (Soll/Ist)
+
+_Anonymisierte Archetypen (KEINE Firmennamen). Jeder RTS pinnt ein Expected Outcome; jeder Commit muss es reproduzieren (identisch oder besser). Data Act = `uncertain`, nie fix „gilt/gilt-nicht"._
+
+**RTS-001** — Automotive supplier with a mature ISMS — embedded electronics + software, CE products, OEM supply chain
+> Start TISAX+ISO27001 → CRA. 17 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 9 fehlt, 0 n/a, 0 nicht im Korpus.
+- Expected Delta erfüllt: **ja** (7/7 Soll-Delta in der Ist-Lücke)
+- Expected likely_covered erfüllt: **ja**
+- Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+
+**RTS-002** — Classic machine builder with only a QMS — precision systems, CE products, no ISMS
+> Start ISO9001 → CRA. 13 zu klären, 0 bereits abgedeckt, 3 vermutlich vorhanden, 10 fehlt, 0 n/a, 0 nicht im Korpus.
+- Expected Delta erfüllt: **ja** (9/9 Soll-Delta in der Ist-Lücke)
+- Expected likely_covered erfüllt: **ja**
+- Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+
+**RTS-003** — Machine builder with an ISMS and networked products — connected machines that may generate usage data
+> Start ISO27001 → CRA. 17 zu klären, 0 bereits abgedeckt, 8 vermutlich vorhanden, 9 fehlt, 0 n/a, 0 nicht im Korpus.
+- Expected Delta erfüllt: **ja** (7/7 Soll-Delta in der Ist-Lücke)
+- Expected likely_covered erfüllt: **ja**
+- Data Act: Engine sagt **uncertain** (Soll: uncertain; nie asserted) → ok
+
+**Architecture Coverage**
+
+| Layer | Status | Hinweis |
+|---|---|---|
+| RTS-001 (TISAX→CRA) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain |
+| RTS-002 (ISO9001→CRA) | **PASS** | 9/9 Delta-Soll · likely_covered ok · DataAct=uncertain |
+| RTS-003 (ISO27001→CRA) | **PASS** | 7/7 Delta-Soll · likely_covered ok · DataAct=uncertain |
+
 ## Gaps → Epics (Backlog — nur erfasst, NICHT implementiert)
 
 | Epic | Titel | schliesst Coverage-Luecke |
@@ -180,6 +217,6 @@ _Genericity-Beweis: derselbe Algorithmus trägt jeden Transition Knowledge Patte
 
 ## Suite-Status (Roll-up)
 
-- Coverage-Zellen gesamt: **23**
-- PASS: **15** · PARTIAL: 3 · UNSUPPORTED: 1 · TODO: 3 · N/A: 1 · NEEDS_FACTS: 0
+- Coverage-Zellen gesamt: **27**
+- PASS: **19** · PARTIAL: 3 · UNSUPPORTED: 1 · TODO: 3 · N/A: 1 · NEEDS_FACTS: 0
 - Fortschritt = PASS-Anteil steigt, wenn Epics RS-001…004 landen (objektiver Maßstab, kein LOC).