The audit-native agent runtime UK councils can actually procure.

Four skills shipping in v0.1

• DSAR skill — UK GDPR Article 15 requests. Intake, system search, third-party redaction with pre/post hash proof, response letter draft.
• FOI skill — FOIA 2000 requests. Qualification, s.12 £450 cost-limit check, department search plan, compliant response with exemption rationale and appeal rights.
• EIR skill — Environmental Information Regulations 2004. Reg 12 / Reg 13 exception analysis with the mandatory public-interest test, Reg 7 extension awareness, response draft on the EIR-specific timetable.
• AI Act skill — EU AI Act risk classification, full Annex IV technical documentation generator, and Article 27 Fundamental Rights Impact Assessment for public-authority deployers. Rides the 2 August 2026 high-risk obligation deadline.
• Cryptographic audit log — append-only, SHA-256 hash-chained JSONL. Tamper-evident by design. EU AI Act Article 12 ready. Every action across every skill writes to the same chain.
• Human-in-the-loop gate — every draft response blocks on a logged sign-off. Article 14 enforced structurally, not optionally.
• Model router — Claude / GPT / Gemini / Ollama. Zero US-lab dependency if you run Ollama locally.
• Next.js admin UI — pending sign-offs, live audit feed, chain-verified badge.
• Stack-portable skills — civiclaw skills live in the .claude/skills/ format Microsoft now supports natively in VS Code 1.109+ and GitHub Copilot CLI. Same skill, three IDEs, one audit chain.

Tiers

The unfair advantage no other vendor has

Most agentic-AI vendors have to construct synthetic training data to improve their skills. civiclaw doesn't.

Every DSAR, FOI, EIR and EU-AI-Act case the runtime processes ships a labelled trajectory: the regulatory mapping declared by the skill, the agent's reasoning at each stage, the named officer's sign-off or rejection under Article 14, and the outcome. That is a supervised-learning dataset of real council-grade compliance ground truth, generated automatically as a by-product of normal use.

Each civiclaw skill ships a quarterly model card: accuracy on real (de-identified) cases, regression versus the previous prompt revision, distribution of human-override reasons. Pair the audit chain with DSPy/GEPA prompt optimisation and the skills compile into something demonstrably better than what a consultant can hand-write.

No other vendor in this space can make this claim. They don't have the audit primitive — so they can't have the corpus.

Why it wins procurement

• UK-incorporated vendor, UK-hosted infrastructure, ICO-registered
• Cyber Essentials Plus posture from line one of code
• Auditable, tamper-evident log — the regulator's favourite artefact
• Open source, so your DPO can verify what the agent actually does
• Model-agnostic — you're not locked to one US lab's pricing power

Who it's for

• UK local authorities preparing for G-Cloud 15 (awards 17 September 2026)
• Council DPOs looking at DSAR backlogs and wondering if AI can help without creating a new headache
• Combined authorities and NHS Trusts that need on-prem or UK-region only
• Anyone inside gov / public-sector procurement who's been burnt by US SaaS vendors