Yes, the AST structures in the `analyzer` package are intended to be read-only, and I don't expect that to change.
Many people assume that the best way to write code editing applications is to build an AST, modify the AST, then write the AST out as source code. But after many decades of experience writing such tools we have come to realize that it's actually much easier to modify the source code directly and then rebuild the AST from source in order to continue editing. The biggest difficulty you face when modifying the AST is keeping the AST consistent with what the analyzer would have produced. The more complex the language the more true this is, and Dart is fairly complex from an analysis perspective because of flow analysis, type inference, and other such non-local features. And if your modifications produce an AST that's different than what the analyzer would have produced then you're effectively having to support two subtly different AST representations, which increases your implementation and maintenance burdens.
The approach of modifying the source directly and rebuilding the ASTs is what the `analysis_server` uses to power our IDE support. The class `ChangeBuilder`, in the `analyzer_plugin` package, contains support code (used by server) to make it easier to handle some of the more subtle editing situations correctly, such as keeping imports correct when adding references to types or other top-level declarations, and you might find that support useful if you decide to explore using this approach.
We make no guarantees about code in the `src` folder. In particular, we don't guarantee that we won't make breaking changes in that code without bumping the major version number of the package.
While we would prefer that you didn't use the internal implementation details at all, we obviously can't enforce that, so if you do decide to use them the only way you can protect yourself against breakages is to use a version constraint for the `analyzer` package that allows for a single version. That will prevent you and your users (assuming you publish your package) from getting bug fixes, but will also protect against unexpected breakage.