BuildZoom ETL — the data's journey, in human language API → Bronze → Silver → Gold · audit notes · 2026-05-19 hover any dotted term for plain-English

4b · The temporal contract — why we need event_date + observation_period

Property ID identifies the parcel — a permanent thing. Owner identifies who lived there, and owners change over time. To answer "who owned this property when the permit started" we need both: a property key AND a time anchor. The schema today exposes property ID but no canonical time anchor — eight date columns, no contract.

This proposal would derive two columns in Gold, used by every downstream consumer the same way. None of this exists today.

With this contract every model joins the same way: gold.property_id == rem.property_id AND rem.period == gold.observation_period. The owner returned is who lived there the month before the permit started — no leakage, no per-consumer divergence.

None of this exists today. The current Silver job is structurally a join — it consolidates the four Bronze tables into a denormalized fact, but its cleaning work is minimal: uppercase CITY and STREET, cast COUNTY_FIPS to int, coalesce missing STATE to "00", keep the latest status. Everything else flows through to Gold unchanged. Result: Gold is still dirty — future dates survive, OCR typos survive, status case-variants survive, sentinel values survive, outlier JOB_VALUE survives.

Each downstream consumer ends up re-doing the same cleaning work locally — inconsistently. This is exactly the kind of repeated work a tier is supposed to eliminate.

What the cleaning layer would do

Two architectural choices

This layer also becomes the natural home for the rename (issue #1), the permit_category enum (issue #2), the date sanitize fix (issue #3), the event_date + observation_period contract (section 4b), the status normalization (issue #5), the outlier flagging (issue #7). Today these are scattered across "Bronze sanitize is too loose," "Silver doesn't normalize," and "every consumer re-derives." A cleaning layer collapses them into one job with one contract.

None of this exists today. The current pipeline's observability is self-contained: DynamoDB tables (buildzoom_etl_logs, buildzoom_qa_metrics) + Slack webhook + CloudWatch. To know "did anything fail this week?" or "what's the trend of completeness scores?" requires logging into DynamoDB and writing queries.

The requirement: every Bronze / Cleaning / Silver / Gold / Platinum QA run should write its result to the central matrix hub on Eritwini (clarify platform name) so observability lives where the rest of the company already looks — not in pipeline-specific logs that only DE can read.

What "matrix hub integration" means concretely

Why this matters (beyond convenience)

• Cross-team visibility. DS and analytics teams shouldn't need DE help to verify upstream health. Today they do.
• Audit trail. Compliance / external review can read the matrix-hub log without ever touching pipeline infrastructure.
• Trend detection. Slack alerts catch acute failures; the matrix hub catches slow drifts (completeness score sliding from 88 → 82 → 76 over six weeks).
• Single source of operational truth. Same pattern as for product KPIs and business metrics — pipeline health should live in the same place.

None of this exists today. The current repo has Bronze, Silver, Gold — no Platinum tier. Today every downstream model materializes its own feature snapshots and labels, divergently. This section describes what would close that gap.

What Platinum should produce

Why a separate tier (and not a richer Gold)

• Gold serves many consumers. Adding model-specific as-of joins or label decisions to Gold would force every consumer to inherit them. Platinum is consumer-specific (per-vertical, per-spec_v).
• Spec lives with the domain. Whether a permit "counts" depends on the model's question (REPLACEMENT-only roofing vs all-permits HVAC). That decision belongs with the data scientist, not the data engineer.
• Reproducibility. A Platinum manifest pins (Gold vintage SHA, spec version, feature_set version, contract violations at build time, row counts per drop rule). Every training run is auditable from a single JSON.

Estimated achievable: 40-60 % wall-clock reduction + 30-50 % cost reduction on the Gold layer alone (the most expensive). Numbers are agent estimates; require real billing data to confirm.

1. shared/utils.py is a 2 853-line megamodule

It contains Config, schemas, S3 helpers, DynamoDB helpers, checkpoint logic, Hudi write helpers, transformations, Slack helpers, and three near-duplicate QA classes (BuildingPermitsQA, SilverMasterQA, GoldMasterQA — ~85 % identical, including a bug fix made in Silver/Gold but missing from Bronze around _hoodie_* column filtering). Every change has high blast radius and every test requires booting Spark + faking AWS. Split into shared/{spark,config,s3,dynamodb,hudi,qa,notifications}.py with a thin BronzePipeline / SilverPipeline / GoldPipeline base class to absorb the partition-loop boilerplate (currently copy-pasted 4×) and the Spark-session builder (currently copy-pasted 7×).

2. The execution model assumes serial Step Functions and no human re-runs

Nothing in code enforces "one writer per table". Protection is by convention — README says "ONLY when no ETL jobs are running"; CLAUDE.md says "don't edit mid-run". A senior shop would put a DynamoDB-backed lock around each (table_name, partition) and around the clustering job, with TTL and ownership records, and would make every put_item use ConditionExpression. Until that exists, the _V1 / _V2 versioning scheme is the only rollback you have — and snapshot deletion in Gold (issue 11a #8 above) erases it.

3. Idempotency is partial and silently asymmetric across layers

Bronze uses upsert with a non-deterministic timestamp precombine — safe but expensive on re-run. Silver runs full-refresh upsert — safe but rewrites the entire universe per run. Gold uses bulk_insert — fast but not idempotent if a single partition re-runs (no built-in dedup). Three layers behave differently under the same Step Functions retry policy. Standardize on one strategy per layer with documented retry semantics and surface "this partition has been written N times this snapshot" in DynamoDB so monitoring catches partial-success retries.

4. No CI / lint config — the pipeline ships to prod with no static analysis gate

No ruff, no mypy, no black, no requirements.txt visible. Dead imports, misspelled Hudi options, missing type hints, and dead args accumulate without anyone noticing. This is the cheapest single fix on the entire list — a 1-hour add-CI PR catches future regressions of every category in 11a / 11c.

The medallion pattern is conceptually appropriate for this domain — permit data does benefit from a raw mirror, a denormalized fact, and an enriched serving layer. But the implementation has not internalized what each tier owes the next. Bronze does Silver work; Silver does Gold work and also re-does Bronze work it shouldn't trust; Gold does platform work (Athena DDL) and business decisions (match-method priority) that should be a thin policy layer above pure data. The contracts between layers are implicit — no manifest, no version pin, no schema enum — and the moment a downstream consumer wants to ask "is the data I'm reading consistent?" they cannot.

The structural ceiling is single-vendor, single-domain, single-region naming. The codebase is shaped like a one-shot data engineering project for BuildZoom-Roofing, not like a platform. Adding a second vendor doubles the surface area. Adding a second enrichment provider requires schema changes everywhere FA_PROPERTYID appears. Adding a second region requires editing string literals in 5+ files. The Roofing_* prefix, the hard-coded us-east-1, and the _V1 suffix together signal that the team is not yet thinking in terms of a long-lived platform.

A re-design starting today would: (1) name Bronze + Silver after vendor + entity (buildzoom.permits_raw, buildzoom.permits_facts), reserve domain language ("Roofing", "Solar") for Gold serving views; (2) make the precombine key a deterministic source_file_etag + row_number, never current_timestamp(), so re-runs are bit-identical; (3) split entity-resolution out of Gold into a "match candidates" intermediate with match_method + match_score columns, and let Gold be a thin policy view; (4) replace the VERSION_SUFFIX = "_V1" pattern with a snapshot/manifest table that records {bronze_commit, silver_commit, fa_period, std_addr_commit} per run, with retention policy and rollback; (5) move shared/utils.py into 3–4 cohesive modules and treat each layer's input/output schema as a versioned contract, not a Python switch statement; (6) make Step Functions parameterized over {vendor, domain} so a second vertical is a config change, not a fork.

The medallion isn't wrong. The implementation has just not invested in the contracts between tiers — and contracts, not technology, are what makes a lakehouse maintainable as it grows.