11. Open Questions (next brainstorming targets)
Numbering is stable (used as a reference identity elsewhere). Resolved items are kept struck-through; their resolution lives in the cited document and the linked ADR.
- ~~Build vs. adapt the sync backbone.~~ RESOLVED (ADR-0001, sync §6.1): build a thin custom Rust service on logical decoding; borrow pgactive/SymmetricDS patterns, do not depend on them.
- ~~Storage model.~~ RESOLVED (ADR-0001, data-model §3.5): hybrid event envelope — typed envelope columns where invariants/identity/sync/matching bind; Cairn-native JSONB clinical bodies; FHIR is a façade only.
- ~~Dynamic sync scopes.~~ RESOLVED (ADR-0004, sync §6.4): scope is an administrative prefetch hint, not an authority; a transfer triggers acquisition, not reassignment; access follows legitimate-need + audit; the surviving requirement is honest assembly-state disclosure. The case also surfaced the bitemporal time model and the acknowledged-uncertainty principle — ADR-0003, data-model §3.6/§3.7.
- Schema migrations across a fleet of offline nodes: version-skew tolerance window; forward-compatible event formats.
- ~~Tombstones & retention.~~ RESOLVED (ADR-0005, data-model §3.8, security §7.1): erasure is redistribution of key-custody, not deletion of data — crypto-shredding (destroy the DEK, never mutate the append-only log) on an encryption-capable body slot, exposed as a policy-neutral severity ladder (hide → sequester → deniable sealed-escrow deletion → audited crypto-shred → best-effort oblivion). Deletion is best-effort and declared, never guaranteed; the honest ceiling is "to our knowledge, we have erased all copies in our existence." Absorbs the ADR-0004 surplus-copy-GC follow-on (per-node key custody erases one node's copy while the rightful holder keeps theirs).
- Attachment strategy: inline vs. content-addressed blob store with lazy sync.
- Locale-pluggable matcher comparators: define the extension point (comparator API, weight configuration, evaluation harness per deployment).
- ~~Visibility-scope semantics on links.~~ RESOLVED (ADR-0006, identity §5.9, sync §6.4, security §7, data-model §3.5): replication is never the confidentiality boundary — a safety-relevant sensitive episode replicates unconditionally (yes, it reaches the node); confidentiality lives only in key-custody + visibility + envelope-abstraction. A sealed body emits a de-identified, severity-graded safety projection (mechanical from coded fields) so decision-support warns without disclosing; coarseness is set by a graded, multi-source, append-only sensitivity stream (blacklist + grading system + human editability — Cairn ships the mechanism, policy combines them). Break-glass is audited key-use, partition-honest. Also answers the ADR-0005 rung-1 follow-on (what safety metadata remains while a body is sealed).
- Armed write-context interaction model: concrete possession-semantics design (§5.8) that passes the paper-parity benchmark at ED pace — "picking up a chart" must cost ≤ its paper equivalent (~seconds, zero cognitive overhead) without degrading into reflexive click-through.
- Notification economy: contamination-cascade and history-arrival alerts (§5.4, §5.5) are safety-critical but additive; define a priority taxonomy so they don't drown in routine noise.
- ~~In-database vs. application-layer merge boundary.~~ RESOLVED (ADR-0001, language-substrate §9.4): structural invariants + identity event algebra + all projections in Postgres (trigger-maintained incremental tables); thin Rust daemon ships/applies but carries no merge logic; matcher stays Python-advisory; per-projection Rust escape hatch on measured Pi-performance need.
- Authentication vs. paper-parity tension: shared-workstation login is the largest parity violation in deployed EHRs (§1.2 vs. §7); adjudicate explicitly — fast/proximity sessions enabled by local-first state vs. security posture.
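
The ADR-0005 mechanism above (crypto-shred on a sealed body slot) together with the ADR-0006 replication rule, as an added example that is not Cairn's code: an append-only row carries ciphertext only, each node keeps its own DEK custody, replication ships rows without keys, and erasure destroys the DEK rather than the row, so a reader gets an honest "sealed" state instead of a mutated log. It uses Go's standard-library AES-GCM; the Event and Custody types, the keyID scheme and the Seal/Open/Grant/Shred names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Event is one append-only log row (hypothetical, not Cairn's schema); the body slot holds ciphertext only.
type Event struct {
	ID, KeyID   string // envelope id; name of the DEK that seals the body (the DEK itself is never in the row)
	Nonce, Body []byte // AES-GCM nonce and ciphertext
}

// Custody is one node's DEK store (keyID -> 32-byte AES-256 key); every node holds its own.
type Custody map[string][]byte
var ErrSealed = errors.New("body sealed: DEK not in this node's custody")

func gcmFor(dek []byte) cipher.AEAD { // callers guarantee a 32-byte DEK, so this cannot fail
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts a body under a fresh DEK, keeps the DEK in custody, returns the row to append.
func (c Custody) Seal(id string, body []byte) (Event, error) {
	buf := make([]byte, 32+12) // fresh DEK followed by a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return Event{}, err
	}
	dek, nonce, keyID := buf[:32:32], buf[32:], "dek-"+id
	c[keyID] = dek
	ct := gcmFor(dek).Seal(nil, nonce, body, []byte(id)) // envelope id bound as AAD
	return Event{id, keyID, nonce, ct}, nil
}

// Open returns the plaintext if this custody holds the DEK, else an honest "sealed" state.
func (c Custody) Open(e Event) ([]byte, error) {
	dek := c[e.KeyID]
	if len(dek) != 32 { // never held here, or already shredded: report the sealed state
		return nil, ErrSealed
	}
	return gcmFor(dek).Open(nil, e.Nonce, e.Body, []byte(e.ID))
}

// Grant copies a DEK to a peer with legitimate need (an audited key-use in practice).
func (c Custody) Grant(keyID string, to Custody) { to[keyID] = append([]byte(nil), c[keyID]...) }
// Shred destroys this node's copy of the DEK; the log row itself is never touched.
func (c Custody) Shred(keyID string) { delete(c, keyID) }
```

A production store would also zero the key bytes on Shred and record the Grant and Shred as audit events; both are outside this sketch.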