# Metadata Cataloging for Raster/Vector

Enterprise geospatial platforms require deterministic metadata registration to support federated discovery, cross-domain routing, and automated compliance enforcement. Within a modern data mesh paradigm, catalog entries function as immutable infrastructure contracts rather than passive documentation. This cluster details the procedural implementation of raster and vector metadata cataloging under strict Domain-Driven Architecture (DDA) constraints. Platform engineers and GIS data stewards must treat catalog registration as a security boundary, ensuring absolute domain isolation, explicit ownership, and event-driven synchronization. The transition from Data Mesh vs Traditional GIS Architecture mandates that metadata becomes the primary control plane for spatial product distribution, lineage tracking, and access routing.

Figure — Metadata is validated at ingestion and registered idempotently, turning the catalog into the discovery and routing control plane.

flowchart LR
  A["New raster or vector asset"]
  M["Extract metadata: extent, CRS, lineage, quality"]
  V{"Schema valid per ISO 19115 and OGC?"}
  REJ["Reject: pipeline failure"]
  CAT["Federated catalog: idempotent register"]
  DISC["Consumers discover and query"]
  A --> M --> V
  V -->|"no"| REJ
  V -->|"yes"| CAT --> DISC

# Phase 1: Enforce Spatial Domain Boundaries & Routing Logic

Architectural isolation begins at the namespace level. Each spatial product domain must be provisioned with a dedicated metadata partition, isolated compute routing, and explicit tenant identifiers. Configure domain-specific routing tables that map spatial extents (WKT/GeoJSON envelopes) to catalog partitions using deterministic hashing. Implement a routing proxy that intercepts catalog queries, evaluates the requested bounding box against registered domain boundaries, and forwards requests only to authorized partitions. Cross-domain metadata leakage is prevented by enforcing strict network policies and schema-level tenant validation at the ingress layer. Reference Spatial Domain Boundary Design when defining the contractual limits that govern how raster tiles and vector features are partitioned across the mesh.

# Idempotent Domain Provisioning

Domain boundaries must be provisioned idempotently to prevent drift during CI/CD pipeline executions. Use transactional DDL with IF NOT EXISTS guards and deterministic hash-based partitioning keys.

-- Idempotent domain schema provisioning
CREATE SCHEMA IF NOT EXISTS domain_agriculture_vegetation;
ALTER SCHEMA domain_agriculture_vegetation OWNER TO platform_admin;

-- Enforce Row-Level Security (RLS) bound to domain_id
ALTER TABLE domain_agriculture_vegetation.spatial_metadata ENABLE ROW LEVEL SECURITY;
CREATE POLICY domain_isolation_policy ON domain_agriculture_vegetation.spatial_metadata
    USING (domain_id = current_setting('app.current_domain_id', true));

# Routing Proxy Configuration

Deploy a metadata routing sidecar (Envoy/Linkerd) configured with spatial extent matching rules. Route queries via X-Domain-Id and X-Spatial-Extent headers. The proxy must evaluate bounding box intersections before forwarding to the catalog partition.

# Envoy HTTP Router Configuration (Excerpt)
- match:
    headers:
      - name: "x-domain-id"
        string_match: { exact: "domain_agriculture_vegetation" }
    prefix: "/catalog/query"
  route:
    cluster: catalog_partition_ag_veg
    timeout: 3s
  typed_per_filter_config:
    envoy.filters.http.rbac:
      policy:
        action: DENY
        rules:
          - not_id: { any: true } # Fallback deny for cross-domain leakage

# Boundary Validation Middleware

Implement middleware that rejects catalog registrations if the declared CRS, bounding box, or topology rules conflict with the registered domain contract. Middleware must execute synchronously during POST /metadata/register and return 409 Conflict with a structured error payload on mismatch.

# Phase 2: Define Product-Centric Metadata Contracts

Raster and vector datasets require divergent schema definitions that must be codified as versioned contracts. Treat each catalog entry as a data product with explicit SLAs, ownership metadata, and consumption constraints. Define mandatory fields: crs_epsg, spatial_resolution, band_configuration, topology_rule_set, temporal_coverage, data_freshness, and product_owner_id. Implement JSON Schema or Protobuf validation gates that execute synchronously during registration and asynchronously during batch reconciliation. Align schema evolution with Product Thinking for GIS Datasets to ensure metadata directly reflects consumption requirements and SLA guarantees.

# Contract Schema Definition (JSON Schema)

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "SpatialProductMetadata",
  "type": "object",
  "required": ["product_id", "domain_id", "crs_epsg", "spatial_resolution", "temporal_coverage", "product_owner_id"],
  "properties": {
    "product_id": { "type": "string", "format": "uuid" },
    "domain_id": { "type": "string", "pattern": "^domain_[a-z0-9_]+$" },
    "crs_epsg": { "type": "integer", "minimum": 1000, "maximum": 9999 },
    "spatial_resolution": { "type": "number", "exclusiveMinimum": 0 },
    "band_configuration": { "type": "array", "items": { "type": "string" } },
    "topology_rule_set": { "type": "string", "enum": ["none", "planar", "network", "3d_solid"] },
    "temporal_coverage": { "type": "object", "properties": { "start": { "format": "date-time" }, "end": { "format": "date-time" } } },
    "data_freshness_sla_minutes": { "type": "integer", "minimum": 0 },
    "product_owner_id": { "type": "string", "format": "email" }
  },
  "additionalProperties": false
}

# Versioning & Lifecycle Alignment

Metadata contracts must evolve alongside Spatial Product Versioning Strategies. Implement a monotonic version counter (schema_version) and enforce backward compatibility checks. When a breaking change occurs, trigger a parallel catalog migration rather than an in-place mutation. Spatial Product Lifecycle Management dictates that deprecated contracts remain queryable for a defined retention window (e.g., 90 days) to prevent downstream pipeline failures.

# Phase 3: Idempotent Workflows & Security Policy Enforcement

Catalog registration must be strictly idempotent. Duplicate submissions, network retries, or out-of-order event deliveries must resolve to a single canonical state. Implement hash-based deduplication using SHA-256(product_id || crs_epsg || bounding_box_hash || schema_version) as the primary conflict resolution key.

# Idempotent Registration Pipeline

def register_metadata(payload: dict) -> dict:
    # 1. Generate deterministic idempotency key
    idempotency_key = hashlib.sha256(
        f"{payload['product_id']}|{payload['crs_epsg']}|{payload['spatial_extent_hash']}".encode()
    ).hexdigest()

    # 2. Check existing state (UPSERT with conflict resolution)
    query = """
        INSERT INTO spatial_metadata (idempotency_key, payload, domain_id, created_at, updated_at)
        VALUES (%s, %s, %s, NOW(), NOW())
        ON CONFLICT (idempotency_key)
        DO UPDATE SET
            payload = EXCLUDED.payload,
            updated_at = NOW()
        RETURNING id, status;
    """
    return db.execute(query, (idempotency_key, json.dumps(payload), payload['domain_id']))

# Security Policy Enforcement (OPA/Rego)

Enforce Cross-Team Governance Workflows by evaluating catalog mutations against Open Policy Agent (OPA) rules. Policies must validate tenant ownership, CRS compliance, and data classification tags before allowing persistence.

package catalog.security

import rego.v1

default allow = false

allow if {
    input.method == "POST"
    input.path == ["catalog", "register"]
    input.user.domain_id == input.body.domain_id
    input.user.role in ["data_steward", "platform_engineer"]
    input.body.crs_epsg in [4326, 3857, 32610, 32611, 32612] # Approved enterprise CRS list
    not "restricted" in input.body.tags
}

# Diagnostic Procedures & Failure Modes

Platform engineers must maintain deterministic diagnostic pathways for catalog failures. The following steps isolate common failure modes in production environments:

1. Routing Proxy Rejection (HTTP 403/404)

   • Verify X-Domain-Id header matches the provisioned schema.
   • Check Envoy access logs for RBAC_DENIED events.
   • Validate spatial extent intersection: SELECT ST_Intersects(ST_MakeEnvelope(...), domain_boundary) FROM domain_registry;
   • Remediation: Update routing table or adjust domain boundary WKT. Restart sidecar with --hot-restart.

2. Schema Validation Failure (HTTP 400)

   • Inspect JSON Schema validation error payload for missing required fields or additionalProperties violations.
   • Cross-reference CRS against enterprise approved list.
   • Remediation: Patch payload to match contract. If contract changed, increment schema_version and trigger parallel migration.

3. RLS Permission Denial (PostgreSQL 42501)

   • Confirm app.current_domain_id session variable is set correctly at connection initialization.
   • Verify policy attachment: SELECT * FROM pg_policies WHERE tablename = 'spatial_metadata';
   • Remediation: Ensure connection pool middleware injects tenant context. Audit application-level connection pooling configuration.

4. Idempotency Key Collision

   • Check spatial_metadata table for existing idempotency_key.
   • Compare updated_at timestamps to detect stale retries.
   • Remediation: If payload matches, return 200 OK with existing record ID. If payload differs, reject with 409 Conflict and require explicit version bump.

# Operational Compliance & Continuous Validation

Catalog integrity requires continuous reconciliation. Schedule asynchronous batch jobs that validate registered metadata against source storage (e.g., object storage manifests, PostGIS geometry extents). Flag drift events and route them to a governance queue for manual or automated remediation. Adhere to Best practices for spatial metadata catalogs to maintain audit trails, enforce retention policies, and guarantee that every raster tile and vector feature remains discoverable, compliant, and securely routed across the enterprise mesh.