🚀 EU Parliament Monitor — Future Architecture

🏗️ Architectural Evolution Roadmap with AWS-Native C4 Models
🎯 From Static Site to AWS-Native Serverless Intelligence Platform (2026-2037)

📋 Document Owner: CEO | 📄 Version: 4.1 | 📅 Last Updated: 2026-05-31 (UTC) | 🚀 Release: v1.0.1
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-08-31
🏷️ Classification: Public (Open Source European Parliament Monitoring Platform)

---

📚 Architecture Documentation Map

---

🔐 ISMS Policy Alignment

This future architecture is designed to implement all controls from Hack23 AB's ISMS framework as the EU Parliament Monitor platform evolves from a static generator (v1.0.x) toward an AWS-native serverless intelligence platform (v3.0+). Because AWS is already the hosting substrate (Amazon S3 + Amazon CloudFront), each horizon deepens — rather than replaces — the ISMS control surface, moving from edge-only controls toward IAM least-privilege, AWS KMS envelope encryption, and Amazon Bedrock Guardrails for AI neutrality.

Related ISMS Policies

Policy Domain	Policy	Planned Implementation
🔐 Core Security	Information Security Policy	Overall security governance for the AWS-native platform
🛠️ Development	Secure Development Policy	Security-integrated SSDLC across all three horizons
🤖 AI Governance	AI Policy	AI as proposal generator; Bedrock Guardrails; human accountability
🌐 Network	Network Security Policy	Amazon CloudFront, AWS WAF, AWS Shield DDoS protection
🔒 Cryptography	Cryptography Policy	AWS KMS envelope encryption, TLS 1.3, SLSA provenance signing
🔑 Access Control	Access Control Policy	Amazon Cognito identity, IAM least-privilege, MCP authorization
🏷️ Data Classification	Data Classification Policy	European Parliament open-data classification (public only)
🔍 Vulnerability	Vulnerability Management	AWS Security Hub, Amazon Inspector, CodeQL, OpenSSF Scorecard
🚨 Incident Response	Incident Response Plan	Amazon GuardDuty detection, EventBridge-driven response
💾 Backup & Recovery	Backup Recovery Policy	S3 versioning, DynamoDB PITR, Aurora automated backups
🔄 Business Continuity	Business Continuity Plan	Multi-AZ serverless, CloudFront global edge, DR runbooks
🤝 Third-Party	Third Party Management	AWS shared-responsibility, EP MCP & data-source assessment
🏷️ Classification	Classification Framework	Business impact analysis for platform

Compliance Framework Mapping

Framework	Version	Relevant Controls
ISO 27001	2022	A.5.1, A.5.23, A.8.25, A.8.26, A.8.27, A.8.28
NIST CSF	2.0	GV.OC, GV.RM, ID.AM, PR.AT, PR.DS, DE.CM
CIS Controls	v8.1	Control 1-5, 8, 13, 14, 16

---

📋 Executive Summary

This document outlines the architectural evolution of EU Parliament Monitor from a deterministic static-site generator (v1.0.x — already hosted on Amazon S3 + Amazon CloudFront) toward an AWS-native serverless political intelligence / OSINT-operations platform. The journey is deliberately staged across three horizons rather than a single risky jump from static to real-time:

• 🟢 v2.0 — Enhanced Static Intelligence (2026 H2 → 2027): keep the pure static HTML architecture (S3 + CloudFront, build-time generation, gh-aw agentic workflows + the deterministic src/aggregator/** pipeline). Add richer political-landscape dashboards with a party / political-group focus and advanced OSINT tradecraft. No servers are introduced; the moat is analytical quality, neutrality, and evidence-citation.
• 🔵 v3.0+ — AWS-Native Serverless Platform (2028+): layer dynamic intelligence behind the static edge using AWS Lambda, Step Functions, EventBridge, API Gateway, AWS AppSync, Amazon DynamoDB, Aurora Serverless v2, OpenSearch Serverless, Neptune Serverless, Amazon Bedrock (Knowledge Bases + Agents + Guardrails), and Amazon Cognito. The static HTML remains the public, cacheable, low-cost front door.
• ⚪ 10-Year AI Lookahead (2026 → 2037): a model-agnostic abstraction via Amazon Bedrock, annual evaluation of frontier models and competitors (OpenAI, Google, Meta, EU sovereign AI), and resilience to paradigm shifts (quantum AI, neuromorphic computing) through to AGI / post-AGI — all governed by the Hack23 AI Policy (AI proposes, humans remain accountable, no autonomous deploy).

Vision Statement

Transform EU Parliament Monitor into Europe's most trusted, evidence-grounded political-intelligence platform — beginning with the highest-quality static, neutral, source-graded OSINT analysis (v2.0), then evolving into an AWS-native serverless intelligence-operations platform offering natural-language query over a political knowledge graph, real-time EP event ingestion, and an API ecosystem for journalists and researchers (v3.0+) — without ever sacrificing the cacheable, cheap, accessible static front door that makes the data universally available.

Current State (v1.0.x) → v2.0 → v3.0+ Strategic Transformation

Dimension	Current State (v1.0.x)	v2.0 — Enhanced Static (2026 H2-2027)	v3.0+ — AWS Serverless (2028+)	Impact
Architecture	Pure static HTML on S3 + CloudFront	Pure static HTML, richer client dashboards	Static edge + serverless dynamic layer (Lambda/Step Functions)	🟢 Zero-ops scaling
Hosting	Amazon S3 + Amazon CloudFront	Same (S3 + CloudFront)	S3 + CloudFront front door + API Gateway/AppSync backends	🟢 All-in AWS
Data Access	Build-time batch (gh-aw daily)	Build-time batch + pre-baked dashboard datasets	Event-driven ingestion (EventBridge + Kinesis) + batch	🟢 Near-real-time
Analytics	51-template Markdown analysis catalog	Deeper OSINT tradecraft + party/group dashboards	Bedrock RAG + SageMaker prediction + Neptune graph queries	🟢 Intelligence layer
AI	gh-aw + Claude authoring Markdown	Same authoring model, richer analytic templates	Amazon Bedrock (Claude + Nova), Agents, Guardrails	🟢 Model-agnostic
API	No public API (static files only)	Static JSON data endpoints (baked at build)	Amazon API Gateway (REST + WebSocket) + AWS AppSync (GraphQL)	🟢 Third-party ecosystem
Identity	None (anonymous public read)	None (anonymous public read)	Amazon Cognito (journalists / researchers / API consumers)	🟢 Federated auth
Knowledge	Markdown artifacts + manifest.json	Cross-referenced entity / coalition mapping	Amazon Neptune Serverless knowledge graph	🟢 Linked intelligence
Coverage	European Parliament only	European Parliament, deeper political-group depth	EP + multi-parliament expansion	🟢 Comprehensive view
Visualization	Chart.js 4 + D3 7 (vendored)	Richer interactive client dashboards	Server-driven + Amazon QuickSight BI for power users	🟢 Decision support

The strategic insight: AWS is already the substrate, so the platform does not "migrate to cloud" — it deepens its AWS footprint one horizon at a time, keeping the static edge as a permanent, cheap, resilient foundation.

---

📅 Three-Horizon Implementation Roadmap

gantt
    title EU Parliament Monitor Evolution Roadmap (2026 H2 - 2030)
    dateFormat YYYY-MM

    section v2.0 Enhanced Static
    Party and Group Landscape Dashboards :v2a, 2026-07, 4M
    OSINT Tradecraft Depth (ICD 203)     :v2b, 2026-08, 5M
    Coalition Mathematics and Scorecards :v2c, 2026-10, 4M
    Electoral and Seat Projection Views  :v2d, 2027-01, 4M
    51-Template Catalog Hardening        :v2e, 2027-02, 3M

    section v3.0 AWS Serverless Foundation
    Cognito Identity and API Gateway     :v3a, 2028-01, 4M
    DynamoDB and Aurora Serverless v2    :v3b, 2028-02, 4M
    EventBridge and Step Functions ETL   :v3c, 2028-04, 5M
    AppSync GraphQL API Ecosystem        :v3d, 2028-06, 4M

    section v3.x AWS Intelligence Layer
    Neptune Serverless Knowledge Graph   :v3e, 2028-09, 6M
    Bedrock Knowledge Bases and Agents   :v3f, 2029-01, 6M
    OpenSearch Serverless Vector Search  :v3g, 2029-03, 4M
    SageMaker Predictive Models          :v3h, 2029-06, 5M

    section v3.x Expansion
    Multi-Parliament Ingestion           :v3i, 2029-09, 6M
    QuickSight BI and Public API GA      :v3j, 2030-01, 4M
Copy

---

🏗️ C4 Level 1: Future System Context Diagram

Transformation: From an isolated static site to an integrated AWS-native intelligence ecosystem — while the public still reads cacheable static HTML.

C4Context
    title Future EU Parliament Monitor - System Context (v3.0+)

    Person(citizen, "European Citizen", "Reads neutral political intelligence via fast static pages and interactive dashboards")
    Person(journalist, "Journalist", "Queries the API and knowledge graph for story research, authenticated via Cognito")
    Person(researcher, "Academic Researcher", "Runs bulk analytical queries over voting history and coalition graphs")
    Person(developer, "Developer", "Consumes public REST and GraphQL APIs to build civic-tech applications")

    System_Boundary(epm, "EU Parliament Monitor (AWS)") {
        System(staticEdge, "Static Intelligence Edge", "Amazon S3 + CloudFront. 14-language static HTML, baked dashboards, public data files")
        System(serverlessCore, "Serverless Intelligence Core", "API Gateway, AppSync, Lambda, Step Functions, DynamoDB, Aurora, Neptune, OpenSearch")
        System(aiLayer, "AI Intelligence Layer", "Amazon Bedrock Knowledge Bases, Agents, Guardrails, SageMaker, Comprehend, Translate")
    }

    System_Ext(epmcp, "European Parliament MCP", "european-parliament-mcp-server 1.3.x, 60+ tools, sliding and fixed-window feeds")
    System_Ext(worldbank, "World Bank MCP", "World Development Indicators, optional economic context")
    System_Ext(imf, "IMF REST API", "WEO and FM forecasts via native fetch")
    System_Ext(cognito, "Amazon Cognito", "User pools and federated identity for authenticated consumers")
    System_Ext(bedrock, "Amazon Bedrock", "Foundation models - Anthropic Claude, Amazon Nova - model-agnostic")
    System_Ext(github, "GitHub Actions + gh-aw", "Agentic content authoring and SLSA-provenant CI/CD")

    Rel(citizen, staticEdge, "Reads", "HTTPS")
    Rel(journalist, serverlessCore, "Queries", "REST / GraphQL over HTTPS")
    Rel(researcher, serverlessCore, "Bulk queries", "GraphQL / Athena")
    Rel(developer, serverlessCore, "Integrates", "Public API")

    Rel(serverlessCore, cognito, "Authenticates via", "OIDC")
    Rel(aiLayer, bedrock, "Invokes models via", "Bedrock Runtime")
    Rel(serverlessCore, aiLayer, "Calls", "Internal")
    Rel(staticEdge, serverlessCore, "Hydrates from", "Cached API")

    Rel(serverlessCore, epmcp, "Ingests", "MCP / HTTPS")
    Rel(serverlessCore, worldbank, "Enriches with", "MCP / HTTPS")
    Rel(serverlessCore, imf, "Enriches with", "REST / HTTPS")
    Rel(github, staticEdge, "Publishes static build to", "OIDC deploy")
    Rel(github, serverlessCore, "Deploys IaC to", "OIDC deploy")
Copy

Key context shifts versus the current system:

• The static edge persists as the universal front door. Even in v3.0+, the majority of citizen traffic is served as cached static HTML from CloudFront — cheap, fast, and resilient.
• Authenticated consumers (journalists, researchers, developers) gain access to dynamic APIs gated by Amazon Cognito, enabling a sustainable API ecosystem without exposing the platform to abuse.
• AI moves in-platform via Amazon Bedrock rather than build-time-only authoring, enabling natural-language query and managed RAG over the EP corpus — but always behind Bedrock Guardrails for neutrality and GDPR.

---

🏗️ C4 Level 2: Future Container Diagram

Transformation: A permanent static edge plus a serverless dynamic layer. Every infrastructure element is an AWS-managed, zero-ops service.

C4Container
    title Future EU Parliament Monitor - Container Diagram (v3.0+)

    Person(citizen, "Citizen", "Reads static pages and dashboards")
    Person(consumer, "Authenticated Consumer", "Journalist / researcher / developer")

    System_Boundary(epm, "EU Parliament Monitor on AWS") {

        Container_Boundary(edge, "Static Intelligence Edge") {
            Container(s3, "Static Site Bucket", "Amazon S3", "14-language HTML, baked dashboard JSON, data-download manifests")
            Container(cf, "CDN + Edge Logic", "Amazon CloudFront + CloudFront Functions / Lambda@Edge", "Global cache, security headers, routing")
            Container(waf, "Edge Protection", "AWS WAF + AWS Shield", "OWASP rules, rate limiting, DDoS")
        }

        Container_Boundary(api, "API and Identity Layer") {
            Container(apigw, "REST + WebSocket API", "Amazon API Gateway", "Public REST and real-time WebSocket endpoints")
            Container(appsync, "GraphQL API", "AWS AppSync", "Typed graph queries, subscriptions for live updates")
            Container(cognito, "Identity Provider", "Amazon Cognito", "User pools, federated auth, scoped API keys")
        }

        Container_Boundary(compute, "Serverless Compute and Orchestration") {
            Container(lambda, "Function Fleet", "AWS Lambda (Node.js 26 / TS)", "API resolvers, ingestion, aggregator parity logic")
            Container(sfn, "Workflow Orchestration", "AWS Step Functions", "Analysis pipelines, multi-stage ETL, agentic flows")
            Container(events, "Event Backbone", "Amazon EventBridge + Kinesis + SQS/SNS", "EP event fan-out, decoupled processing")
        }

        Container_Boundary(data, "Data and Knowledge Stores") {
            Container(dynamo, "Hot Store", "Amazon DynamoDB (+ DAX)", "Single-table entities, sessions, low-latency reads")
            Container(aurora, "Relational Store", "Amazon Aurora Serverless v2 (PostgreSQL)", "Voting history, procedures, time-series")
            Container(opensearch, "Search + Vector", "Amazon OpenSearch Serverless", "Full-text + semantic vector search over corpus")
            Container(neptune, "Knowledge Graph", "Amazon Neptune Serverless", "MEPs, groups, committees, dossiers, votes")
            Container(lake, "Data Lake", "Amazon S3 + AWS Glue + Amazon Athena", "Raw + curated open data, ad-hoc analytics")
        }

        Container_Boundary(ai, "AI Intelligence Layer") {
            Container(bedrock, "Foundation Models", "Amazon Bedrock", "Claude / Nova, model-agnostic inference")
            Container(kb, "Managed RAG", "Bedrock Knowledge Bases", "Grounded retrieval over EP corpus + analysis artifacts")
            Container(agents, "Agentic OSINT", "Bedrock Agents", "Tool-using analytic workflows")
            Container(guardrails, "AI Safety", "Bedrock Guardrails", "Neutrality, PII/GDPR, hallucination control")
            Container(sagemaker, "Custom ML", "Amazon SageMaker", "Voting prediction, anomaly detection")
        }
    }

    System_Ext(epmcp, "European Parliament MCP", "60+ tools")
    System_Ext(econ, "World Bank MCP + IMF REST", "Economic context")
    System_Ext(gha, "GitHub Actions + gh-aw", "CI/CD + agentic authoring")

    Rel(citizen, cf, "Reads", "HTTPS")
    Rel(cf, s3, "Serves origin", "HTTPS")
    Rel(cf, waf, "Filtered by", "Inline")
    Rel(consumer, apigw, "Calls REST/WS", "HTTPS")
    Rel(consumer, appsync, "Queries GraphQL", "HTTPS")
    Rel(apigw, cognito, "Authorizes via", "JWT")
    Rel(appsync, cognito, "Authorizes via", "JWT")

    Rel(apigw, lambda, "Invokes", "Sync")
    Rel(appsync, lambda, "Resolves via", "Sync")
    Rel(events, sfn, "Triggers", "Event")
    Rel(sfn, lambda, "Orchestrates", "Task")
    Rel(lambda, dynamo, "Reads/writes", "SDK")
    Rel(lambda, aurora, "Queries", "Data API")
    Rel(lambda, opensearch, "Searches", "HTTPS")
    Rel(lambda, neptune, "Traverses", "Gremlin / SPARQL")
    Rel(lambda, kb, "Retrieves grounded context", "Bedrock")
    Rel(kb, bedrock, "Generates via", "Runtime")
    Rel(agents, guardrails, "Constrained by", "Inline")
    Rel(agents, bedrock, "Invokes", "Runtime")
    Rel(sagemaker, aurora, "Trains on", "Snapshot")

    Rel(events, epmcp, "Ingests", "MCP")
    Rel(lambda, econ, "Enriches with", "MCP / REST")
    Rel(gha, s3, "Publishes build", "OIDC")
    Rel(gha, lambda, "Deploys IaC", "OIDC")
Copy

Container design principles:

1. Static-first, dynamic-behind. The CloudFront/S3 edge is never removed. Dynamic responses are cached aggressively at the edge so that the serverless layer scales to demand spikes (e.g., a plenary vote going viral) without linear cost growth.
2. Zero-ops, pay-per-use. Every store and compute element is serverless (Lambda, Step Functions, DynamoDB on-demand, Aurora Serverless v2, OpenSearch Serverless, Neptune Serverless). There are no Kubernetes clusters and no long-running servers to patch — eliminating an entire class of operational and security toil.
3. Aggregator parity. The deterministic src/aggregator/** rendering logic is ported into Lambda functions, preserving the v1.0.x guarantee that no AI authors HTML directly — AI proposes Markdown/analysis, deterministic code renders output.
4. Defence in depth. AWS WAF + Shield at the edge, Cognito + IAM for authorization, AWS KMS for encryption at rest, and Bedrock Guardrails for AI output safety.

---

🏗️ C4 Level 3: Future Component Diagram

Focus: the Bedrock-backed Intelligence / OSINT Service — the heart of the v3.0+ value proposition — and how it composes managed AWS services to answer a natural-language political-intelligence query while preserving neutrality and evidence-citation.

C4Component
    title Intelligence and OSINT Service - Component Diagram (v3.0+)

    Container_Boundary(svc, "Intelligence / OSINT Service (AWS Lambda + Step Functions)") {

        Component(queryApi, "Query Resolver", "AWS Lambda (TS)", "Validates request, applies Cognito scopes, rate limits")
        Component(intentRouter, "Intent Router", "AWS Lambda", "Classifies query: dashboard, graph traversal, RAG, prediction")
        Component(graphResolver, "Knowledge Graph Resolver", "AWS Lambda", "Builds Gremlin/SPARQL over MEP-group-committee-vote graph")
        Component(ragOrchestrator, "RAG Orchestrator", "Bedrock Knowledge Bases", "Retrieves grounded EP corpus + analysis artifacts")
        Component(agentRunner, "OSINT Agent Runner", "Bedrock Agents", "Tool-using analytic workflow - ACH, source grading")
        Component(predictor, "Prediction Component", "Amazon SageMaker endpoint", "Voting outcome and coalition probability")
        Component(neutralityGate, "Neutrality + GDPR Gate", "Bedrock Guardrails", "Blocks partisan framing, PII, hallucination")
        Component(citationBuilder, "Evidence Citation Builder", "AWS Lambda", "Attaches ICD 203 confidence + Admiralty source grades")
        Component(cacheWriter, "Edge Cache Writer", "AWS Lambda", "Bakes static JSON to S3 for CloudFront reuse")
    }

    ContainerDb(neptune, "Amazon Neptune Serverless", "Knowledge graph")
    ContainerDb(opensearch, "Amazon OpenSearch Serverless", "Full-text + vector")
    ContainerDb(aurora, "Amazon Aurora Serverless v2", "Voting history")
    Container(bedrock, "Amazon Bedrock", "Foundation models")
    Container(s3, "Amazon S3 + CloudFront", "Static edge cache")
    System_Ext(epmcp, "European Parliament MCP", "Source feeds")

    Rel(queryApi, intentRouter, "Routes validated query")
    Rel(intentRouter, graphResolver, "Graph intent")
    Rel(intentRouter, ragOrchestrator, "Knowledge intent")
    Rel(intentRouter, predictor, "Forecast intent")
    Rel(graphResolver, neptune, "Traverses", "Gremlin")
    Rel(ragOrchestrator, opensearch, "Retrieves vectors", "kNN")
    Rel(ragOrchestrator, bedrock, "Generates grounded answer")
    Rel(agentRunner, epmcp, "Collects fresh OSINT", "MCP")
    Rel(agentRunner, bedrock, "Reasons via")
    Rel(predictor, aurora, "Features from")
    Rel(ragOrchestrator, neutralityGate, "Filtered by")
    Rel(agentRunner, neutralityGate, "Filtered by")
    Rel(neutralityGate, citationBuilder, "Passes safe output")
    Rel(citationBuilder, cacheWriter, "Emits cited artifact")
    Rel(cacheWriter, s3, "Bakes static JSON")
Copy

Why this composition matters (the Economist test): a journalist asking "Has the EPP–S&D grand coalition weakened on environmental files since the 2024 election?" triggers the Intent Router, which fans the question to the Knowledge Graph Resolver (Neptune traversal of EPP/S&D MEPs ↔ ENVI dossiers ↔ roll-call votes) and the RAG Orchestrator (grounded retrieval of committed coalition-dynamics analysis artifacts). The OSINT Agent Runner can pull fresh roll-call data via the EP MCP. Crucially, every generated sentence passes the Neutrality + GDPR Gate (Bedrock Guardrails — rejecting partisan framing and any non-public personal data) before the Evidence Citation Builder attaches ICD 203 confidence bands and Admiralty source grades. The final cited artifact is baked to S3 so the next citizen who asks the same question is served a cached static answer at edge cost — the static-first principle applied even to AI output.

---

🏗️ C4 Level 4: Future Deployment Diagram

Transformation: A multi-AZ, multi-Region serverless deployment fronted by a global CloudFront edge, deployed entirely through OIDC-federated GitHub Actions (no long-lived cloud credentials).

C4Deployment
    title Future EU Parliament Monitor - AWS Deployment (v3.0+)

    Deployment_Node(edge, "Global Edge", "Amazon CloudFront PoPs (worldwide)") {
        Deployment_Node(edgeFn, "Edge Compute", "CloudFront Functions / Lambda@Edge") {
            Container(edgeLogic, "Edge Logic", "JS", "Security headers, routing, A/B, geo")
        }
        Container(cdnCache, "CDN Cache", "CloudFront", "Cached static HTML + baked JSON")
    }

    Deployment_Node(primary, "AWS Region - eu-west-1 (Primary)", "Ireland") {
        Deployment_Node(azs, "Multi-AZ Serverless", "3 Availability Zones") {
            Deployment_Node(s3node, "Storage", "Amazon S3") {
                Container(siteBucket, "Site + Data Lake", "S3", "Static site, curated data, backups (versioned)")
            }
            Deployment_Node(computeNode, "Serverless Compute", "Managed") {
                Container(lambdaFleet, "Lambda Fleet", "AWS Lambda", "Resolvers, ingestion, aggregator")
                Container(stepFns, "Step Functions", "AWS Step Functions", "Pipelines + agentic flows")
                Container(eventBus, "EventBridge + Kinesis", "Event backbone", "EP event ingestion")
            }
            Deployment_Node(dataNode, "Managed Data", "Multi-AZ") {
                ContainerDb(ddb, "DynamoDB", "On-demand + DAX", "Hot entities")
                ContainerDb(auroraNode, "Aurora Serverless v2", "PostgreSQL", "Voting history")
                ContainerDb(osNode, "OpenSearch Serverless", "Search + vector", "Corpus index")
                ContainerDb(neptuneNode, "Neptune Serverless", "Graph", "Political knowledge graph")
            }
            Deployment_Node(aiNode, "AI Services", "Managed") {
                Container(bedrockNode, "Amazon Bedrock", "Models + KB + Agents + Guardrails", "Inference")
                Container(sageNode, "Amazon SageMaker", "Endpoints", "Custom ML")
            }
        }
    }

    Deployment_Node(dr, "AWS Region - eu-central-1 (DR)", "Frankfurt") {
        Container(drReplica, "DR Replicas", "S3 CRR, DynamoDB Global Tables, Aurora replica", "Warm standby")
    }

    Deployment_Node(identity, "Identity + Security", "Account-wide") {
        Container(cognitoNode, "Amazon Cognito", "User pools", "Federated auth")
        Container(secNode, "Security Plane", "GuardDuty, Security Hub, CloudTrail, KMS, Secrets Manager", "Detection + crypto + audit")
        Container(obsNode, "Observability", "CloudWatch + X-Ray", "Metrics, traces, logs")
    }

    Deployment_Node(cicd, "CI/CD", "GitHub Actions + gh-aw") {
        Container(pipeline, "OIDC Pipeline", "GitHub Actions", "SLSA 3 build, CodeQL, IaC deploy")
    }

    Rel(cdnCache, siteBucket, "Origin fetch", "HTTPS")
    Rel(pipeline, siteBucket, "Publishes static", "OIDC")
    Rel(pipeline, lambdaFleet, "Deploys IaC", "OIDC")
    Rel(eventBus, lambdaFleet, "Triggers", "Event")
    Rel(siteBucket, drReplica, "Replicates", "S3 CRR")
    Rel(ddb, drReplica, "Replicates", "Global Tables")
    Rel(lambdaFleet, cognitoNode, "Validates JWT", "HTTPS")
    Rel(lambdaFleet, bedrockNode, "Invokes", "Runtime")
    Rel(secNode, lambdaFleet, "Monitors", "Continuous")
    Rel(obsNode, lambdaFleet, "Traces", "X-Ray")
Copy

Deployment guarantees:

• Primary in eu-west-1, warm DR in eu-central-1 using S3 Cross-Region Replication, DynamoDB Global Tables, and Aurora cross-Region replicas — both within EU jurisdiction for data-residency alignment.
• No standing credentials. GitHub Actions deploys via OIDC federation into scoped IAM roles; secrets live in AWS Secrets Manager; all data at rest is encrypted with AWS KMS customer-managed keys.
• Static edge survives backend outage. If the serverless core degrades, CloudFront continues serving the last-baked static intelligence — the platform fails open for reading, closed for writing.

---

🚀 Technology Migration Plan

The plan translates each current component into its v2.0 and v3.0 form. Because the system is already on AWS, v2.0 is largely additive (no new infra) and v3.0 deepens the AWS-native serverless footprint. The mapping below supersedes the prior (obsolete) multi-cloud / polyglot plan; CloudFlare, Kubernetes, MongoDB, Neo4j, Kafka, Apollo, and Firebase references are retired.

v1.0.x → v2.0 (Enhanced Static — no servers introduced)

Current Component (v1.0.x)	v2.0 Evolution	Delivery Model	Outcome
Static HTML on S3 + CloudFront	Same edge; richer pre-rendered pages	Build-time (gh-aw + aggregator)	Faster, still static
Chart.js 4 + D3 7 in-article charts	Party / political-group landscape dashboards, cohesion + coalition heatmaps, alliance network graphs	Client-side, data baked at build	Decision-grade visuals
51-template analysis catalog	Deeper templates: electoral-domain, coalition-mathematics, voter-segmentation	Markdown artifacts	Analytical breadth
OSINT methodology docs	ICD 203 confidence, Admiralty source grading, Kent/WEP bands, ACH operationalized in every artifact	Stage-B analysis	Tradecraft rigor
Political threat methodology	5-framework integrated model (STRIDE explicitly rejected for political analysis)	Markdown artifacts	Methodological clarity
Entity / actor mapping	Richer coalition / actor / dossier cross-referencing	manifest.json + cross-reference-map	Linked context
EP MCP batch pulls	Same MCP pulls, broader tool coverage, pre-baked dashboard datasets	gh-aw scheduled	Quality moat

v2.0 thesis: the differentiator is analytical quality, not real-time infrastructure. Every dashboard dataset is computed at build time and shipped as static JSON — preserving the cheap, cacheable, zero-ops edge while dramatically deepening political-intelligence depth.

v2.0 → v3.0+ (AWS-Native Serverless Intelligence Platform)

Capability	v2.0 (Static)	v3.0+ AWS Service	Migration Notes
Edge delivery	Amazon CloudFront + S3	Amazon CloudFront + S3 + CloudFront Functions / Lambda@Edge	Edge persists; add edge logic
Compute	Build-time only	AWS Lambda + AWS Step Functions	Serverless, zero-ops (replaces Kubernetes framing)
Event bus	None	Amazon EventBridge + Amazon Kinesis + SQS/SNS	Replaces Kafka framing
REST/WebSocket API	Static JSON files	Amazon API Gateway (REST + WebSocket)	Replaces Socket.io framing
GraphQL API	None	AWS AppSync	Replaces Apollo framing
Identity	Anonymous read	Amazon Cognito	Replaces self-managed auth
Document/hot store	manifest.json files	Amazon DynamoDB (+ DAX)	Replaces MongoDB / Redis framing
Relational / time-series	None (Markdown)	Amazon Aurora Serverless v2 (PostgreSQL)	Replaces TimescaleDB / Postgres framing
Search	Client-side filter	Amazon OpenSearch Serverless (full-text + vector)	Replaces Elasticsearch framing
Knowledge graph	Cross-reference Markdown	Amazon Neptune Serverless	Replaces Neo4j framing
Data lake / analytics	Committed artifacts	Amazon S3 + AWS Glue + Amazon Athena + QuickSight	New analytics tier
AI authoring	gh-aw + Claude (build-time)	Amazon Bedrock + Knowledge Bases + Agents + Guardrails	Replaces OpenAI/LangChain framing; model-agnostic
Custom ML	None	Amazon SageMaker + Amazon Comprehend	Replaces "Python/FastAPI ML service" framing
Translation	Build-time 14-language	Amazon Translate (14+ languages)	Managed, on-demand
Notifications	None	Amazon SNS / Amazon Pinpoint	Replaces Firebase framing
Observability	CI logs	Amazon CloudWatch + AWS X-Ray	Replaces Datadog / New Relic framing
Security ops	CodeQL + Scorecard	AWS Security Hub + Amazon GuardDuty + Amazon Inspector + AWS WAF/Shield + AWS KMS	Cloud-native defence in depth

Migration Sequencing & Risk Controls

1. Strangler-fig pattern. New AWS services are introduced behind the static edge; static HTML remains authoritative until each dynamic path is proven.
2. Aggregator parity tests. Lambda-rendered output is byte-diffed against the v1.0.x src/aggregator/** output before cutover — neutrality and determinism are non-negotiable.
3. Cost guardrails. AWS Budgets + Cost Anomaly Detection on every new serverless service; on-demand and serverless capacity to avoid idle spend.
4. Reversibility. Each horizon is independently shippable and reversible; a failed v3.0 component degrades gracefully to v2.0 static behavior.

---

⚠️ Risk Assessment & Mitigation

Risk	Horizon	Likelihood	Impact	Mitigation
Scope creep dilutes v2.0 quality moat	v2.0	Medium	High	Freeze infra; invest only in analytical depth + dashboards
AWS serverless cost overrun under viral load	v3.0	Medium	High	Edge caching of dynamic responses, AWS Budgets, on-demand scaling
AI hallucination / partisan drift	v3.0	Medium	Critical	Bedrock Guardrails, human accountability per AI Policy, citation gate
GDPR breach via personal data leakage	All	Low	Critical	Public MEP roles only; Guardrails PII filter; Macie scanning
Vendor lock-in to AWS	v3.0+	Medium	Medium	Model-agnostic Bedrock; standard interfaces (SQL, Gremlin, OpenAPI)
Determinism lost when AI enters runtime	v3.0	Medium	High	Aggregator-parity diffing; AI proposes, deterministic code renders
EP MCP / source feed instability	All	Medium	Medium	Cached corpus, sliding-window retries, source-grade transparency
Frontier model disruption / competitor leap	10-yr	High	Medium	Annual model evaluation; Bedrock abstraction; rapid swap
Quantum threat to cryptography	10-yr	Low	High	Plan AWS KMS post-quantum migration; crypto-agility
Multi-Region DR failover gap	v3.0+	Low	High	Global Tables, S3 CRR, periodic DR game-days

---

📈 Success Metrics & KPIs

Metric	Current (v1.0.x)	v2.0 Target	v3.0+ Target	Measurement
Analytical artifacts per run	51-template catalog	+12 extended templates	Continuous AI-assisted	manifest.json
Evidence-citation coverage	High (manual)	≥ 95% paragraphs cited	≥ 98% (Guardrails-enforced)	Stage-C QA
Page load (p75)	< 1.5s static	< 1.2s static	< 1.2s static edge	CloudWatch RUM
Languages supported	14	14	14+ (Amazon Translate)	Build output
API consumers	0	0 (static JSON)	100+ authenticated	Cognito + API Gateway
Knowledge-graph entities	N/A	Cross-ref Markdown	1M+ nodes/edges	Neptune metrics
Time-to-insight (NL query)	N/A	N/A	< 5s cached / < 30s cold	X-Ray traces
AI neutrality pass rate	N/A (build-time)	N/A	≥ 99% Guardrails pass	Bedrock Guardrails
Availability	99.9% (edge)	99.9%	99.95% (multi-AZ)	CloudWatch
Cost per 1k requests	Edge-only (low)	Edge-only (low)	Cached-dynamic (bounded)	AWS Cost Explorer

---

🔒 ISMS Compliance

The AWS-native evolution strengthens, rather than dilutes, ISMS posture:

• Confidentiality. All data is public EU open data; AWS KMS encrypts at rest; Cognito + IAM least-privilege gate dynamic APIs; Bedrock Guardrails and Amazon Macie prevent PII leakage (GDPR — public MEP roles only).
• Integrity. SLSA 3 provenance on builds, deterministic aggregator rendering (AI never authors HTML), AWS CloudTrail immutable audit, content signing.
• Availability. Multi-AZ serverless, CloudFront global edge, multi-Region DR (S3 CRR + DynamoDB Global Tables), graceful degradation to static.
• Accountability (AI Policy). AI is a proposal generator; humans approve; there is no autonomous deployment. Every AI artifact is traceable to a reviewable Markdown source and a graded source chain.
• Detection & Response. Amazon GuardDuty, AWS Security Hub, Amazon Inspector, and EventBridge-driven automated runbooks per the Incident Response Plan.

ISMS Objective	Control Mechanism (AWS-native)	Framework Reference
Least-privilege access	IAM roles, Cognito scopes, OIDC deploy	ISO 27001 A.5.15; NIST PR.AA
Encryption everywhere	AWS KMS (rest), TLS 1.3 (transit)	ISO 27001 A.8.24; NIST PR.DS
AI safety & neutrality	Bedrock Guardrails, human sign-off	AI Policy; ISO 27001 A.5.1
Continuous monitoring	CloudWatch, X-Ray, GuardDuty, Security Hub	NIST DE.CM; CIS 8
Supply-chain integrity	SLSA 3, CodeQL, OpenSSF Scorecard, Inspector	ISO 27001 A.8.28; NIST PR.PS
Resilience & recovery	Multi-AZ/Region, S3 CRR, PITR, DR game-days	ISO 27001 A.5.30; NIST RC.RP

---

🕵️ Intelligence Capability Architecture (2026 → 2037)

The architecture above describes the platform. This section describes the intelligence capability the platform exists to deliver — mapped onto the same AWS-native serverless substrate so the vision stays buildable. The organising principle is the classic OSINT intelligence cycle — direction → collection → processing → analysis → production → dissemination → feedback — specialised for European parliamentary politics and compressed by AI at every stage. The durable moat is analytic quality, neutrality, and provenance, never raw infrastructure. The full conceptual catalogue lives in FUTURE_MINDMAP.md; this section is its architectural realisation.

Guardrail invariant (AI Policy): every capability below is AI-proposes, human-approves. There is no autonomous publication of an intelligence assessment, no profiling beyond public parliamentary roles, and no data outside the PUBLIC open-data boundary.

Intelligence-Cycle Reference Pipeline (v3.0+)

flowchart LR
    subgraph DIR["Direction"]
        pir["PIR and Collection Plan (DynamoDB)"]
        iw["Indications and Warning Watchlist"]
    end
    subgraph COL["Collection"]
        epmcp["EP MCP Harvester (Lambda)"]
        doceo["DOCEO Roll-Call Capture"]
        ext["Council OECD Eurostat UN Pull"]
        asr["Debate ASR (Transcribe)"]
    end
    subgraph PROC["Processing"]
        entity["Entity Resolution (Comprehend)"]
        kgraph["Knowledge Graph (Neptune)"]
        embed["Embeddings + Vector Index (OpenSearch)"]
    end
    subgraph ANA["Analysis"]
        ach["Multi-Agent ACH (Bedrock Agents)"]
        forecast["Forecast Models (SageMaker)"]
        fimi["Counter-FIMI Detection"]
        redteam["Red-Team / Devils Advocate Agent"]
    end
    subgraph PROD["Production"]
        grade["Source Grading + WEP Calibration"]
        c2pa["Content Authenticity Signing (C2PA)"]
        brief["BLUF Briefs + Dashboards"]
    end
    subgraph DISS["Dissemination and Feedback"]
        edge["Static Edge + API + Alerts"]
        human["Human Accountability Gate"]
    end
    pir --> epmcp
    iw --> doceo
    epmcp --> entity
    doceo --> entity
    ext --> entity
    asr --> entity
    entity --> kgraph
    entity --> embed
    kgraph --> ach
    embed --> ach
    ach --> forecast
    ach --> fimi
    ach --> redteam
    forecast --> grade
    fimi --> grade
    redteam --> grade
    grade --> c2pa
    c2pa --> brief
    brief --> human
    human --> edge
    edge -.feedback.-> pir
Copy

Capability → AWS Service → Horizon → Operative Benefit

Each capability is anchored to an existing house methodology and a governing control, so "visionary" never means "ungoverned".

Intelligence Capability	Primary AWS Service(s)	Feasibility / Horizon	Operative Benefit (Why)
Collection management + PIR	DynamoDB plan store, EventBridge tasking, Lambda collectors	🟢 v2.0 pilot → 🔵 v3.0	Collect against requirements, not opportunistically; auditable coverage and gap tracking
Indications and Warning (I&W)	Kinesis + Lambda detectors, DynamoDB watchlist, SNS alerts	🔵 v3.0 (2028)	Be early and calibrated on coalition collapse, whip rebellions, rushed trilogues
Political knowledge graph + link analysis	Amazon Neptune Serverless	🔵 v3.0	Multi-hop influence tracing across MEP↔group↔committee↔dossier↔lobby
Roll-call + behavioural analytics	Aurora Serverless v2, SageMaker	🟢 v2.0 → 🔵 v3.0	All-MEP scorecards, defection detection, cohesion indices
Predictive coalition / passage models	SageMaker, Bedrock	🔵 v3.0 (2028–30)	WEP-banded outcome forecasting with competing hypotheses
Counter-FIMI / DISARM framing	Comprehend, Bedrock Agents, OpenSearch	⚪ v3.2 (2031+)	Detect coordinated narrative manipulation around EP activity — defensive only
Integrity / conflict-of-interest analytics	Aurora, Neptune, Bedrock	🔵 v3.1 (2029)	Surface lobby-to-vote and revolving-door patterns from PUBLIC declarations
Verbatim speech intelligence	Amazon Transcribe, Comprehend, Translate	🔵 v3.1 (2029)	Convert 24-language debate oratory into stance / framing-drift signals
Multi-agent ACH + red-teaming	Bedrock Agents + Guardrails, Step Functions	🔵 v3.0	Structured competitive analysis catches overconfidence before publication
Content authenticity (C2PA)	KMS signing, S3, CloudFront	⚪ v3.2 (2031+)	Readers can verify what the platform actually said; anti-poisoning
Model-neutrality assurance	Bedrock model eval, SageMaker Clarify	⚪ continuous	Audit political lean; benchmark sovereign / EU models; keep AI from meaning biased
Natural-language intelligence query	AppSync, Bedrock KB, OpenSearch	🔵 v3.0	Analysts ask the corpus in natural language with cited evidence

Architectural Principles for the Intelligence Layer

1. Provenance is a first-class asset. Every claim carries an evidence chain from primary EP source to published sentence; Neptune stores the graph, S3 + CloudTrail store the immutable manifest, and v3.2 signs outputs with C2PA content credentials.
2. The static edge stays the public front door. Even the deepest dynamic intelligence is baked or cached to static HTML/JSON for citizens; dynamic query and alerting are layered behind Cognito for journalists and researchers.
3. Determinism for trust, AI for scale. The deterministic aggregator renders neutral output; AI proposes hypotheses, gradings, and forecasts that a human adjudicates. No model is a single authority — red-team and devil's-advocate agents are wired into the Step Functions analysis graph.
4. Graceful degradation to descriptive truth. If predictive or counter-FIMI layers are unavailable, the platform degrades to sourced, descriptive reporting — never to unsourced speculation.

---

🔮 Visionary Architecture Roadmap 2027-2037

Over the decade, the architecture is engineered to absorb annual AI model upgrades and competitive shifts without re-platforming, because Amazon Bedrock provides a model-agnostic abstraction: Anthropic Claude, Amazon Nova, and future foundation models (including EU sovereign AI offerings) are swappable behind a stable inference interface, with Bedrock Guardrails enforcing neutrality regardless of the underlying model.

AI Model Evolution — DevSecOps & Development Perspective

Year	AI Model	DevSecOps Capability Evolution
2026	Opus 4.6–4.9	🟢 AI-assisted code review, automated test generation, agentic CI/CD workflows
2027	Opus 5.x	🔵 Predictive vulnerability detection, intelligent dependency management
2028	Opus 6.x	🟣 Multi-modal security analysis (code + architecture + runtime), automated threat modeling
2029	Opus 7.x	🟠 Autonomous security pipeline orchestration, self-healing build systems
2030	Opus 8.x	🔴 Near-expert automated security review, AI-driven architecture validation
2031–2033	Opus 9–10.x / Pre-AGI	⚪ Autonomous secure development lifecycle management
2034–2037	AGI / Post-AGI	⭐ Transformative software engineering with built-in security assurance

Assumptions: major AI model upgrades arrive annually; competitors (OpenAI, Google, Meta, EU sovereign AI) are evaluated at each release; the architecture is designed to accommodate potential paradigm shifts (quantum AI, neuromorphic computing). The full cross-perspective analysis lives in the Hack23 Information Security Strategy § AI Model Evolution Strategy; governance follows the AI Policy — AI proposes, humans remain accountable, and there is no autonomous deployment.

Model-Agnostic Abstraction via Amazon Bedrock

flowchart LR
    subgraph App["Intelligence / OSINT Service"]
        router["Inference Router (Lambda)"]
        gr["Bedrock Guardrails"]
    end
    subgraph Bedrock["Amazon Bedrock (Stable Interface)"]
        claude["Anthropic Claude"]
        nova["Amazon Nova"]
        sov["EU Sovereign / Future Models"]
        kb["Knowledge Bases (RAG)"]
        ag["Agents (Tool Use)"]
    end
    router --> gr
    gr --> claude
    gr --> nova
    gr --> sov
    router --> kb
    router --> ag
    kb --> claude
    ag --> claude
    claude -.swap.-> nova
    nova -.swap.-> sov
Copy

The router selects the best model per task (cost, latency, capability) and can hot-swap providers with no application change — the platform's hedge against both vendor lock-in and the rapid obsolescence of any single frontier model.

Paradigm-Shift & AGI Considerations

• 2027–2029 — Multi-model orchestration & predictive intelligence. Bedrock routes across competing models; SageMaker forecasts voting/coalition outcomes; Neptune + OpenSearch power natural-language graph query at scale.
• 2030–2033 — Autonomous analytic agents (human-supervised). Bedrock Agents run multi-step OSINT tradecraft (ACH, source grading) with mandatory human sign-off; self-healing serverless pipelines reduce operational toil toward zero. No autonomous publication — the human-accountability gate holds.
• 2034–2037 — AGI / post-AGI integration. Should general intelligence emerge, it is integrated as a bounded decision-support capability behind Guardrails and the AI Policy, never as an unaccountable actor. Crypto-agility (AWS KMS) prepares for post-quantum migration; the architecture assumes the substrate changes (quantum/neuromorphic) but the governance does not.

AWS + AI Evolution Timeline

timeline
    title AWS-Native + AI Evolution (2026-2037)
    2026 : v1.0.x static on S3 + CloudFront : gh-aw + Claude authoring
    2027 : v2.0 enhanced static dashboards : Deep OSINT tradecraft (ICD 203)
    2028 : v3.0 serverless foundation : Cognito + API Gateway + DynamoDB + Aurora
    2029 : v3.x intelligence layer : Neptune + Bedrock KB/Agents + OpenSearch + SageMaker
    2030 : Multi-parliament + public API GA : QuickSight BI, near-expert AI review
    2031 : Autonomous pipelines (supervised) : Pre-AGI secure SDLC management
    2034 : AGI-era decision support : Bounded, Guardrail-governed, human-accountable
    2037 : Post-AGI transformative engineering : Quantum-safe, neutrality preserved
Copy

Technology Evolution Path

mindmap
  root((AWS-Native Architecture 2027-2037))
    AI Layer Evolution
      2027 Multi-Model Orchestration
        Bedrock model routing and fallback
        Opus 5.x plus competitor evaluation
      2029 Autonomous Agents Supervised
        Bedrock Agents tool use
        Human sign-off mandatory
      2032 Cognitive Platform
        Reasoning and causal inference
        Guardrail-enforced neutrality
      2035 AGI Decision Support
        Bounded general intelligence
        Accountable not autonomous
    Infrastructure Evolution
      2027 Serverless Static Plus
        S3 plus CloudFront edge
        Lambda and Step Functions behind
      2029 Event-Driven Serverless
        EventBridge and Kinesis ingestion
        Zero-ops managed services
      2032 Self-Scaling Serverless
        On-demand DynamoDB and Aurora v2
        Cost-bounded autoscaling
      2035 Quantum-Ready
        AWS KMS post-quantum crypto
        Crypto-agile design
    Data Evolution
      2027 Knowledge Graph
        Neptune Serverless MEP graph
        Cross-parliament linking ready
      2029 Vector and Semantic Search
        OpenSearch Serverless kNN
        Bedrock Knowledge Bases RAG
      2032 Real-Time Intelligence
        Streaming analytics via Kinesis
        Predictive SageMaker pipelines
      2035 Universal Democratic Data
        Multi-parliament corpus
        Amazon Translate live layer
Copy

Competitive & Disruption Considerations

Scenario	Probability	Architectural Response
New dominant LLM provider emerges	High	Hot-swap via Bedrock model-agnostic router
Open-source LLMs match commercial	High	Bedrock + custom SageMaker hybrid inference
EU sovereign AI becomes mandated	Medium	Pluggable behind Bedrock abstraction; data stays in EU Regions
AGI achieved before 2035	Medium	Bounded decision-support behind Guardrails + AI Policy
EU mandates parliament transparency APIs	Medium	Become reference implementation via AppSync/API Gateway
Competing transparency platforms emerge	Medium	Differentiate on neutrality, source-grading, evidence quality
Quantum computing breaks current crypto	Low-Medium	AWS KMS post-quantum migration; crypto-agility
AWS pricing / strategy shift	Low-Medium	Standard interfaces (SQL, Gremlin, OpenAPI) preserve portability

---

📚 References & Dependencies

Current State Documentation

• Current Architecture
• Current Data Model
• Current Flowchart
• Security Architecture
• Threat Model

Future State Documentation

• Future Data Model
• Future Flowchart
• Future State Diagram
• Future Mindmap
• Future SWOT Analysis
• Future Security Architecture
• Future Threat Model
• Future Workflows

External References

• European Parliament Open Data Portal & European Parliament MCP Server (european-parliament-mcp-server)
• World Bank MCP (World Development Indicators) & IMF REST API (WEO/FM)
• Amazon Bedrock — foundation models, Knowledge Bases, Agents, Guardrails
• AWS Serverless — Lambda, Step Functions, API Gateway, AppSync, EventBridge
• Amazon Neptune Serverless, Amazon OpenSearch Serverless, Amazon DynamoDB, Amazon Aurora Serverless v2
• Amazon Cognito, AWS WAF, AWS KMS
• Hack23 AI Policy
• Model Context Protocol (MCP) Specification
• ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1

---

✅ Approval

Role	Name	Signature	Date
CTO	[Name]	___	2026-05-31
CEO	[Name]	___	2026-05-31
CISO	[Name]	___	__

---

Document Status: ✅ APPROVED FOR PLANNING
Next Review: 2026-08-31 (Quarterly)
Classification: Public

---

This document represents the strategic technical vision for EU Parliament Monitor's evolution from a deterministic static-site generator into an AWS-native serverless political-intelligence platform. Implementation requires executive approval, budget allocation, and phased resource commitment across the three horizons (v2.0 enhanced static, v3.0+ AWS serverless, and the 10-year AI lookahead). All analysis uses public open data only and is politically neutral by design.