Staging vs managed production - boundary rules (draft)

Linear: EDEN-1714
Repository artifact: knowledge/clients/eden/governance-martech-delivery-model/eden-staging-vs-managed-boundaries-draft.md
Status: Draft - Brainforge + Eden sign-off required.

Planes

| Plane | Intended use | Examples |
|---|---|---|
| Innovation / staging (eden-marketing-architecture-implementation and designated agent repos) | Fast iteration, experiments, README/beads guardrails, isolated BigQuery scratch datasets | Agent PRs, prototype Dagster, Segment staging configs |
| Managed production (analytics, eden-os-rimo, listed managed infra) | Hardened pipelines, governed dbt, identity-critical paths | dbt merges, Cloudflare prod after review, promotion packets |

Hard rules

  1. No agent direct-to-production outside the promotion contract (packet + approvals).
  2. Experimental BigQuery tables must live in clearly non-production datasets or projects (naming convention TBD) and must not be referenced by managed dbt without promotion.
  3. Cloudflare workers / identity stitching: staging-first deploys; production requires Brainforge review (blast radius).

Examples: must route through managed path

  • Changing a mart consumed by Ads or finance dashboards.
  • IAM expansion for automation principals.
  • Segment tracking plan changes that affect governed events.
  • Any Cloudflare route affecting stitched identity.

Open questions (human)

  • Additional repos joining managed list in Phase 1?
  • Exact naming convention for "scratch" vs "governed" BigQuery datasets.