Case study · v1.0 · published 2026-04-29
IdeaLift, retroactive TIF on a non-compliance product.
Third internal audit under The Integrity Framework v1.0. The reference for what TIF looks like when applied to a product not designed against it. Most dimensions are honestly N/A — and that is the framework working as designed, not failing.
Source documents are public: IdeaLift's INTEGRITY.md and audits/tif-compliance.md.
What was audited
IdeaLift is a Startvest LLC product. Decision intelligence — capture product decisions from Slack, Teams, and Discord; prevent decay; tell the storyline behind why decisions were made. Tiered SaaS. Monorepo: an apps/web Next.js app plus several packages/ workspaces. AI is used for summarization and RICE-style scoring of captured decisions — outputs are advisory enrichments shown to the team that owns the decision, never customer-facing compliance claims.
Headline result
20 dimensions · Layer 1 vetoes (6) + Layer 2 constraints (7) + Layer 3 guardrails (7)
9
Pass
1
Needs update
1
Out-of-segment
9
N/A
The N/A count is high because IdeaLift is correctly outside TIF's primary scope: compliance / verification / attestation tooling. Layer 2 evidence chain integrity, self-attestation isolation, evidence retention; Layer 3 refund-on-failure clause, public methodology page, customer-side compliance owner, accountability community, public kill criteria — all genuinely don't apply.
The framework working as designed: it does not manufacture gaps in products whose category doesn't carry TIF-relevant risk.
The single open product item is the shared whistleblower-mailbox provisioning, tracked at the Startvest portfolio level (the same item that's open across FieldLedger, ClarityLift, HirePosture, and ADAComplianceDocs).
Two findings drove framework revisions
IdeaLift's code substance was clean. The framework's rules around it were not, and the audit drove two revisions.
CRIT-SV-AI-REVIEW-GATECLI initial verdict
vacuous-pass — globs src/**, app/**, services/**, lib/** matched zero files
Manual verification
IdeaLift is a monorepo. Production AI SDK usage lives at apps/web/src/lib/azure-openai.ts, apps/web/src/lib/distribution-cmo.ts, and apps/web/src/app/api/.../ — all of which the v1.5.0 globs missed. Substantively the constraint IS met: generatedByModel and aiReviewedAt markers exist at apps/web/src/lib/distribution-cmo.ts and the route + UI.
Resolution
Bumped base manifest to v1.6.0. Widened globs across six rules (CRIT-SV-NO-SILENT-PASS, HIGH-SV-METHODOLOGY-VERSIONED, HIGH-SV-EVIDENCE-RETENTION, CRIT-SV-NO-PRE-POPULATED-ATTESTATION, CRIT-SV-AI-REVIEW-GATE, INFO-SV-TRUST-PRINCIPLES-LINK) to include monorepo-conventional paths apps/** and packages/**. Validated backwards-compatible against FieldLedger and ClarityLift: no regressions.
HIGH-SV-INTEGRITY-MD-CLAIMS-VERIFIABLE (extended)CLI initial verdict
Outstanding Risks entry claimed Trust Principles link was missing — but the link IS present at apps/web/src/app/privacy/page.tsx:241
Manual verification
ClarityLift's case was forward drift (claim of presence; absent). IdeaLift's was the opposite: reverse drift (claim of absence; present). The v1.5.0 rule scanned only Recent Changes; Outstanding Risks was out of scope.
Resolution
Bumped base manifest to v1.7.0. Extended HIGH-SV-INTEGRITY-MD-CLAIMS-VERIFIABLE to scan multiple sections with configurable policies. New claim-absence policy for Outstanding Risks: any entry asserting something is missing/not-implemented/not-in-place must reference a file path or marker the rule can verify is genuinely absent — either a runnable sidecar assertion (file-not-contains, file-not-exists) or a structural reference. Also added the file-not-exists assertion kind.
The case-study value
FieldLedger was designed-to-TIF. ClarityLift was partial-TIF. IdeaLift is the third archetype: a non-compliance product audited retroactively. Together the three audits cover the complete adoption shape an external user is likely to face. IdeaLift is the most relevant for adopters considering TIF on their own existing products.
Three observations carry forward to that audience:
- N/A is a legitimate result, when honestly justified. It does not mean the rule was waived. It means the constraint genuinely doesn't apply because the product type doesn't expose the failure mode the rule guards against.
- Vacuous-pass is the new silent-pass.When the framework's globs miss real production code, the rule passes when it shouldn't. Watch for it during audits, especially against monorepos and non-standard layouts.
- Drift detection works in both directions. Forward drift (claiming a feature exists when it doesn't) is the obvious case. Reverse drift (claiming a gap exists when it's closed) sounds harmless but is also wrong — the audit history loses fidelity.
Open items at audit close
Two remediation tickets opened on the IdeaLift repo:
integrity@startvest.ai mailbox provisioning + external counsel SLA
Shared across FieldLedger, ClarityLift, HirePosture, ADAComplianceDocs, and IdeaLift. One mailbox + one engagement closes five tickets.
Rename INFO-SV-AI-DISCLOSURE → INFO-IL-AI-DISCLOSURE
Per CRIT-SV-NO-BASE-ID-OVERRIDE, the SV namespace is reserved for the base manifest. Naming hygiene only.
What this teaches
- Retroactive TIF mostly turns into N/A on a non-compliance product. That's not the framework refusing to engage; it's the framework correctly recognizing scope.
- Calibration gaps surface one product at a time, not all at once. The monorepo case wasn't obvious until a monorepo was audited. The reverse-drift case wasn't obvious until reverse drift was found. The portfolio audit cycle calibrates the framework against the matrix of real product shapes.
- Each calibration is one minor version, never a major. v1.6.0 and v1.7.0 are widening (more globs, more sections, more policies) — never narrowing. Existing products that passed before pass after.
Reproducibility
# from a clone of the integrity-cli repo node bin/integrity.mjs check ../IdeaLogger --format=json \ > ../IdeaLogger/audits/tif-compliance.cli-output.json
Note: the local clone directory is IdeaLogger for historical reasons; the GitHub repo is Startvest-LLC/idealift. The product was renamed.
Changelog
- 2026-04-29 — v1.0. Initial publication. Drove base manifest v1.6.0 (monorepo glob widening) and v1.7.0 (CLAIMS-VERIFIABLE extension to Outstanding Risks).