# Reference Transition Scenario — canonical regression scenario (NOT a test fixture).
# ANONYMIZED ARCHETYPE ONLY — no real company names are stored in the system; illustrative.
# Each RTS pins an Expected Outcome so every commit must reproduce it (identical or better).

id: RTS-001
archetype: "Automotive supplier with a mature ISMS — embedded electronics + software, CE products, OEM supply chain"
note: "Anonymized typical starting situation; illustrative only."

reference_company:
  sector: automotive_supply
  known_certifications: [TISAX, ISO27001]
  product_traits:
    is_machine: false            # component / embedded supplier
    is_component: true
    has_embedded_software: true
    connected_to_internet: true
    has_remote_access: true
    generates_usage_data: null   # UNKNOWN -> a deciding question, not an assertion
    market: [EU]

transition_goal:
  from: [TISAX, ISO27001]
  to:
    - target: CRA
      pattern: TP-ISO27001-CRA-v1     # executed through RS-005 below
    - target: MaschinenVO
      pattern: null
      note: applicability_uncertain   # a pure component is usually NOT a machine -> see expected_outcome.maschinenvo

expected_outcome:
  cra:
    pattern: TP-ISO27001-CRA-v1
    # The mature ISMS reduces effort here (most info-security capabilities probably covered).
    expected_likely_covered_at_least:
      - incident_management
      - supplier_security
      - secure_development_lifecycle
      - asset_and_configuration_management
      - security_logging_and_monitoring
      - access_control_and_authentication
    # ... but the CRA product-cyber delta remains.
    expected_delta_at_least:
      - sbom_creation
      - coordinated_vulnerability_disclosure
      - security_update_support_period
      - secure_signed_update_distribution
      - exploited_vuln_and_incident_reporting
      - product_cyber_risk_assessment
      - ce_conformity_assessment_and_technical_documentation
  maschinenvo:
    expectation: uncertain            # a pure component is usually NOT a machine -> NOT asserted
    deciding_questions: [is_machine, is_safety_component, partly_completed_machinery]
    rationale: >
      The Machinery Regulation applies to machines, safety components and partly completed machinery.
      A pure embedded component is usually out of scope, but a SAFETY component is not — so applicability
      is itself a deciding question. The engine must ask (is_safety_component?), not assert gilt/gilt-nicht.
      Contrast RTS-003, where is_machine: true makes MaschinenVO a settled second target with real convergence.
  data_act:
    expectation: uncertain            # NEVER a fixed gilt/gilt-nicht
    deciding_questions: [generates_usage_data, connected_product, data_act_scope]
    rationale: "A connected component MAY fall under the Data Act; applicability depends on usage-data generation + scope. The engine must SURFACE this uncertainty and ask, not assert."