UK Local Authority AI-Assisted Planning Portal

IMMUTABLE STATIC ANALYSIS: UK Local Authority AI-Assisted Planning Portal

This section provides a rigorous, engineering-focused examination of the static properties of the proposed AI-Assisted Planning Portal. Static analysis, in this context, refers to the evaluation of the system’s architecture, codebase, and compliance posture without executing the runtime environment. We assess the system’s inherent immutability—its resistance to change, drift, and unauthorized modification—which is critical for maintaining audit trails, regulatory compliance, and algorithmic accountability in a public-sector digital service.

1. Architectural Immutability & Deployment Topology

The portal is architected on a Declarative, Immutable Infrastructure model, leveraging Infrastructure as Code (IaC) via Terraform and Kubernetes (K8s) manifests. The core principle is that no manual configuration changes are permitted in production. Every change, from a database schema update to a model weight adjustment, must pass through a GitOps pipeline.

Architecture Diagram (High-Level Static View):

graph TD
    subgraph "GitOps Source of Truth (GitHub/GitLab)"
        A[IaC Manifests] --> B[Application Code]
        C[Model Registry (DVC/MLflow)] --> D[Model Binaries & Configs]
    end

    subgraph "CI/CD Pipeline (Immutable Artifacts)"
        E[Static Analysis & Linting] --> F[Build & Containerize]
        F --> G[Vulnerability Scan (Trivy)]
        G --> H[Sign & Attest (Cosign)]
    end

    subgraph "Production Environment (UK Sovereign Cloud)"
        I[Kubernetes Cluster] --> J[Ingress Controller (Envoy)]
        J --> K[Planning API (Go/Rust)]
        K --> L[AI Inference Service (ONNX Runtime)]
        L --> M[PostgreSQL (RDS)]
        K --> N[Audit Log Service (Immutable Ledger)]
    end

    H --> I
    C --> L

Technical Breakdown:

• Immutable Containers: All services (Planning API, AI Inference, Audit Log) are compiled into hardened, minimal-base (Distroless) container images. These images are built once, signed with Sigstore/Cosign, and never mutated post-deployment. A hash mismatch between the deployed image and the registry triggers an automatic rollback.
• Stateless AI Inference: The AI model (e.g., a fine-tuned BERT for document classification) is loaded as a read-only volume mount. The inference service is stateless; all state (user sessions, planning applications) resides in the PostgreSQL cluster. This prevents model drift from being introduced via runtime state manipulation.
• Network Policy Immutability: Kubernetes NetworkPolicies are defined as code. The AI service can only communicate with the Audit Log service and the database. No egress to the public internet is permitted from the inference pod, preventing data exfiltration or model poisoning via external calls.

Pros:

• Deterministic Deployments: Every deployment is a bit-for-bit replica of the tested artifact.
• Auditability: The exact state of the system at any point in time can be reconstructed from the Git history.
• Rollback Speed: Reverting to a previous immutable artifact takes seconds, not hours.

Cons:

• Cold Start Latency: Immutable infrastructure can lead to longer pod startup times if models are large (e.g., >2GB).
• Storage Bloat: Storing every signed image version requires a robust container registry retention policy.
• Operational Rigidity: Emergency hotfixes require a full CI/CD pipeline run, which can be a bottleneck during critical incidents.

2. Code-Level Static Analysis & Invariants

The application codebase (Go for backend, Rust for performance-critical AI preprocessing) undergoes a multi-layered static analysis enforced at the commit hook and CI level.

Code Pattern: Immutable Audit Log Entry (Go)

// AuditEntry represents an immutable record of a planning decision.
// Once created, this struct is serialized and written to an append-only ledger.
// No setter methods are exposed after construction.
type AuditEntry struct {
    timestamp   time.Time
    applicationID string
    action      string // e.g., "AI_RECOMMENDATION", "OFFICER_OVERRIDE"
    modelVersion string
    inputHash   [32]byte // SHA-256 of the input document
    outputHash  [32]byte // SHA-256 of the AI output
    signature   []byte   // ECDSA signature from the signing service
}

// NewAuditEntry is the sole constructor, enforcing immutability.
func NewAuditEntry(appID, action, modelVer string, input, output []byte) (*AuditEntry, error) {
    // ... validation logic ...
    entry := &AuditEntry{
        timestamp:   time.Now().UTC(),
        applicationID: appID,
        action:      action,
        modelVersion: modelVer,
        inputHash:   sha256.Sum256(input),
        outputHash:  sha256.Sum256(output),
    }
    // Sign the entry before returning
    sig, err := signEntry(entry)
    if err != nil {
        return nil, err
    }
    entry.signature = sig
    return entry, nil
}

// ToBytes serializes the entry for ledger storage. No mutators exist.
func (e *AuditEntry) ToBytes() []byte {
    // deterministic serialization using protobuf
}

Static Analysis Toolchain:

• go vet & staticcheck: Catch common bugs and stylistic issues.
• gosec: Inspects for security vulnerabilities (e.g., SQL injection, hardcoded credentials).
• revive: Enforces project-specific linting rules (e.g., no global variables, no init() functions).
• cargo-audit (Rust): Scans Rust dependencies for known CVEs.
• Custom Invariant Checker: A bespoke static analyzer ensures that no function in the AI service can call os.Exec, net.Dial, or write to the filesystem outside of the /tmp directory. This is enforced via an Abstract Syntax Tree (AST) walker.

Compliance Framework Alignment:

• NIST SP 800-53 (AC-6, AU-2): The code pattern above directly implements least privilege (no setters) and audit record generation.
• UK Government Digital Service (GDS) Standards: The use of immutable, signed audit logs satisfies the "Make things secure" and "Make things open" standards by providing a verifiable, non-repudiable trail.

3. Compliance & Regulatory Static Verification

The portal must comply with the UK’s Equality Act 2010, GDPR, and the emerging AI Regulation (2026) . Static analysis is used to verify compliance before code reaches production.

Compliance-as-Code (CaC) using OPA (Open Policy Agent):

We embed Rego policies into the CI pipeline to statically verify the portal’s configuration and code against regulatory requirements.

Example Rego Policy: GDPR Right to Erasure (Data Minimization)

package compliance.gdpr

# Rule: The AI inference service must not store raw input data.
# It must only store the hash and the decision.
violation[msg] {
    service := input.resources[_]
    service.kind == "Deployment"
    service.metadata.labels["app"] == "ai-inference"
    # Check for any volume mount that persists beyond the pod lifecycle
    mount := service.spec.template.spec.containers[_].volumeMounts[_]
    mount.mountPath != "/tmp"
    msg := sprintf("AI service '%s' has a persistent volume mount at '%s'. Raw data may be retained, violating GDPR Art. 5(1)(e).", [service.metadata.name, mount.mountPath])
}

Static Verification Points:

1. Model Card Verification: The CI pipeline parses the model-card.yaml file. It checks that the training_data field includes a statement of consent, that bias_metrics are reported, and that the intended_use is limited to "planning application triage" as defined by the Local Authority.
2. Data Flow Diagram (DFD) Analysis: A static DFD is generated from the codebase (using tools like pytd or manual annotations). This DFD is checked against a pre-approved template. Any data flow that crosses a trust boundary (e.g., from the UK Sovereign Cloud to a third-party LLM API) is flagged as a violation.
3. Dependency License Scanning: FOSSA or ort (OSS Review Toolkit) statically analyzes all dependencies (Go modules, Rust crates, Python packages) for license compatibility (e.g., GPL vs. LGPL) and known security vulnerabilities. This is a hard gate in the pipeline.

Pros:

• Shift-Left Compliance: Catches regulatory violations at the commit stage, not after a costly audit.
• Automated Evidence Generation: The output of the static analysis pipeline serves as direct evidence for an ICO (Information Commissioner's Office) audit.
• Reduced Human Error: Eliminates the risk of a developer accidentally misconfiguring a data retention policy.

Cons:

• Policy Maintenance Overhead: Rego policies must be updated as regulations evolve (e.g., the 2026 AI Act amendments).
• False Positives: Overly strict policies can block legitimate development velocity.
• Complexity: Requires specialized knowledge of both compliance and policy-as-code tooling.

4. Immutable Model Registry & Versioning

The AI model itself is treated as an immutable artifact. We use DVC (Data Version Control) combined with an MLflow Model Registry stored on an S3-compatible object store within the UK Sovereign Cloud.

Static Model Verification Pipeline:

graph LR
    A[New Model Candidate] --> B{Static Analysis Gate}
    B --> C[Check Model Format (ONNX)]
    B --> D[Verify Model Signature]
    B --> E[Run Static Bias Scan (e.g., AI Fairness 360)]
    B --> F[Check Model Card Completeness]
    C --> G[Register in MLflow as 'Staging']
    D --> G
    E --> G
    F --> G
    G --> H[Human-in-the-Loop Approval]
    H --> I[Promote to 'Production' (Immutable Tag)]

Key Immutability Properties:

• Content-Addressable Storage: The model binary is stored using its SHA-256 hash as the key. Any modification to the model file results in a new hash and a new version. The production tag in MLflow is a pointer to an immutable hash; it cannot be overwritten, only moved to a new hash.
• Signed Model Weights: The model is signed using the Local Authority’s Hardware Security Module (HSM) key. The inference service verifies this signature at startup. If the signature is invalid or missing, the service refuses to load the model.
• Static Bias Scan: Before a model is promoted to production, a static analysis tool (e.g., IBM AI Fairness 360) runs on the model’s training data and architecture. It checks for disparate impact across protected characteristics (age, disability, race) as defined by the Equality Act. The results are stored as a metadata artifact alongside the model.

Pros:

• Reproducibility: Every inference can be traced back to an exact, immutable model version.
• Audit Trail: The full lineage of the model (training data, hyperparameters, evaluation metrics) is captured and immutable.
• Security: Prevents supply chain attacks where a malicious actor swaps a model file.

Cons:

• Storage Costs: Storing every version of a large model (e.g., a 7B parameter LLM) is expensive.
• Version Explosion: Frequent retraining can lead to a large number of versions, complicating management.
• Static Bias Scans are Limited: They can only detect bias in the training data and model architecture, not emergent bias from user interaction in production.

---

FAQ: Immutable Static Analysis

Q1: How does immutable infrastructure handle emergency security patches (e.g., a zero-day in the Go runtime)? A: The process is automated. A new base image (e.g., golang:1.22.5) is built and signed. The CI pipeline automatically triggers a rebuild of all dependent services. The GitOps controller (e.g., ArgoCD) detects the new image hash and performs a rolling update. The entire process, from patch release to deployment, can be completed in under 30 minutes, with full auditability.

Q2: Can the static analysis pipeline be bypassed for urgent planning decisions? A: No. The pipeline is a hard gate. There is no "emergency bypass" switch. This is by design to maintain the integrity of the audit trail. If a critical bug is found, the only path is to create a hotfix branch, which still must pass all static analysis checks (linting, security, compliance). The pipeline is optimized for speed (under 5 minutes for a typical change) to minimize disruption.

Q3: How do you handle the static analysis of third-party AI models (e.g., a pre-trained NLP model from Hugging Face)? A: All third-party models are first converted to ONNX format. They are then run through a static analysis suite that includes: (1) a model architecture scanner to detect known vulnerabilities (e.g., pickle deserialization risks), (2) a dependency scan for the model’s runtime, and (3) a data flow analysis to ensure the model does not contain hidden network calls. Models that fail these checks are rejected.

Q4: What happens if the static compliance policy (Rego) itself has a bug? A: The Rego policies are stored in a separate Git repository and are subject to the same immutable infrastructure principles