Founder guide

How to write an INTEGRITY.md (in half a day)

An INTEGRITY.md is a public file at the root of your repo or product website where you self-map your product against the six Layer 1 vetoes of the Integrity Framework. The directory uses it to qualify your product for the Bronze tier. A thoughtful founder takes about half a day. The hard part is not the writing; it is being honest about the trade-offs the framework asks you to name.

Step 1 — Read the framework first

The framework is short and forkable, published under CC BY 4.0 at claritylift.ai/framework/v1. You only strictly need the six Layer 1 vetoes for an INTEGRITY.md, but read all three layers — the deeper architectural and operational sections explain why the vetoes are shaped the way they are.

Skim the directory's own INTEGRITY.md on the way through. It is the gold-standard example: the directory is itself a product evaluated against the framework, and it carries a real disclosed conflict of interest (operator-as-listee) for Veto 2, which is a useful pattern to study before you write yours.

Step 2 — Copy the template

Save this as INTEGRITY.md at the root of your repo, or as a page at /integrity on your product website.

# INTEGRITY.md — <Product Name>

**Product:** <Product Name> (<product-url>)
**Operator:** <Org or solo-founder name>
**Framework version evaluated against:** 1.0
**Self-evaluation tier:** Bronze
**Last updated:** <YYYY-MM-DD>

<One paragraph: what the product does, who it's for, and why a trust signal
matters for buyers in your segment.>

---

## Layer 1 vetoes — self-mapping

### Veto 1 — Artifact versus outcome

**Pass / Disclosed conflict / Fail.** <Two to four sentences. Does the product
sell the underlying outcome, or does it sell a certification artifact that
buyers mistake for the outcome? If the latter, the product fails this veto.>

### Veto 2 — Independence

**Pass / Disclosed conflict / Fail.** <Who reviews the product's work? Is the
reviewer paid by the verified entity? If structural independence isn't
possible, name the conflict directly and describe how it's contained.>

### Veto 3 — Verifiability

**Pass.** <How can a buyer verify the claims the product makes? URL of a
public artifact, a runnable check, a versioned methodology page — name the
specific evidence a buyer can read or run.>

### Veto 4 — AI accountability

**Pass.** <Who owns the decisions the product's AI surfaces? If a human is in
the loop, name the gate. If outputs are presented as authoritative, name the
review process. "We use AI" is not an answer.>

### Veto 5 — Pricing-rigor alignment

**Pass.** <Is there any pricing pressure that would lower review rigor? Free
tier with paid badge? Per-seat pricing that incentivizes inflating headcount?
Name the pressure or its absence directly.>

### Veto 6 — The TechCrunch test

**Pass with named risk.** <What's the most likely critical headline 18 months
out? Write it. Then write the defense. If you can't write a defense without
hand-waving, this veto fails — go fix the underlying issue before listing.>

---

## Version

0.1 — <YYYY-MM-DD> — Initial self-mapping.

## Changelog

### 0.1 — <YYYY-MM-DD>
- Initial INTEGRITY.md created.

Step 3 — Work through the six vetoes

Each veto asks one question. Answer in two to four sentences. Three legitimate verdicts:

• Pass — no conflict, no failure mode triggered.
• Pass with disclosed conflict — the conflict exists, is named directly, and is contained.
• Fail — fix the underlying issue before listing. The directory will not accept a Fail.

Veto 1 — Artifact versus outcome

Does the product sell the underlying outcome, or a certification artifact buyers mistake for the outcome? Selling the badge is the failure mode. Selling the work that produces the badge is the pass. Compliance products that ship a PDF and call it done fail; ones that produce the underlying record and the PDF as a downstream artifact pass.

Veto 2 — Independence

Who reviews the product's work? Is the reviewer paid by the verified entity? If structural independence isn't possible, name the conflict directly and describe how it is contained. The directory itself uses this pattern: Startvest is both operator and listee, the conflict is named in every Startvest listing, and an external evaluator is named as the long-term path. That is acceptable. Hiding it is not.

Veto 3 — Verifiability

How can a buyer verify the product's claims without taking your word for it? Name a public artifact, a runnable check, or a versioned methodology page. "Trust us" is the failure mode. A URL a buyer can read or a CLI they can run is the pass.

Veto 4 — AI accountability

If your product surfaces AI output, who owns the decision? Name the human review gate, the audit log, or the explicit boundary where the AI output stops being authoritative. Products that present AI output as final without a review gate fail. Products with no AI surface can declare this veto N/A with one sentence of reasoning.

Veto 5 — Pricing-rigor alignment

Does your pricing model create financial pressure to lower review rigor? Free-tier-with-paid-badge fails. Per-seat pricing that incentivizes inflating headcount fails. Free-or-flat-rate-or-usage-based passes. Name the pressure honestly; if it exists, name the structural protection that contains it.

Veto 6 — The TechCrunch test

What is the most likely critical headline against your product 18 months out? Write the headline. Then write the defense. If you can't write a defense that holds up without hand-waving, the veto fails — go fix the underlying issue before you list. This is the veto most founders find hardest. It is also the one that catches the real failure modes.

Step 4 — Publish to a public URL

Commit to your public repo, or publish at a stable URL on your product site. The directory verifies the credential by reading the URL — what matters is that it is public and that the URL stays valid.

If you go the website route, give it a sensible permanent slug: /integrity is the convention. The directory will use that URL on your listing.

Step 5 — Submit to the directory

Open the form at /submit/form and paste the URL. Review SLA is 14 calendar days from submission. You will get one of three responses: approved with a publish date, changes requested with specific gaps, or rejected with the reason.

Prefer email or GitHub PR? Both paths still work — see the submit page for both.

What gets rejected on review

• Cosmetic fills.A section that names the veto but doesn't answer the question. Reviewers look for the substantive claim, not the heading.
• Hand-waved Veto 6. A defense that requires the reader to assume good faith on a non-trivial claim is not a defense. Re-write the headline harder; write the defense against the harder version.
• Hidden conflicts.Veto 2 fails if the conflict exists but is not named. The directory's own INTEGRITY.md names the operator-as-listee conflict in the second sentence of Veto 2; that is the bar.
• AI-generated content presented as authoritative.AI as a drafting aid is fine. AI-generated INTEGRITY.md text the founder hasn't internalized fails Veto 4 by definition.
• Self-attested Silver claims with no public credential URL. Silver is verified, not declared. If you're claiming Silver, the integrity-cli output URL or the methodology page URL must be public and reachable.

A worked example

The cleanest worked example is the directory's own INTEGRITY.md — it deliberately includes a real disclosed conflict (operator-as-listee under Veto 2) so founders can see the "Pass with disclosed conflict" pattern applied honestly. Read it at github.com/Startvest-LLC/theintegrityframework/blob/master/INTEGRITY.md. The four Startvest product INTEGRITY.md files (linked from each listing) are also useful — they show four different products at different tiers handling the same vetoes differently.

Frequently asked questions

How long does writing an INTEGRITY.md actually take?

Half a day for a thoughtful founder. Most of the time goes into Veto 6 (the TechCrunch test) — writing the most likely critical headline against your product is the part that catches founders off guard. The other five vetoes are mechanical once you have an honest answer to each.

Where should I host my INTEGRITY.md?

Either at the root of your public repo (github.com/your-org/your-repo/blob/main/INTEGRITY.md) or at a stable URL on your product website (e.g., yourproduct.com/integrity). Both are accepted. The directory verifies by reading the URL — what matters is that it is publicly accessible and stays accessible.

What does "Pass with disclosed conflict" mean?

Some vetoes have legitimate edge cases. The directory operator itself is also a listee — that is a real conflict of interest. Naming the conflict directly and describing how it is contained is acceptable. Hiding it is not. "Pass" means no conflict; "Pass with disclosed conflict" means the conflict exists and is named and contained; "Fail" means the conflict cannot be honestly contained.

Do I need to write the INTEGRITY.md myself, or can AI write it?

You write it. AI-generated INTEGRITY.md content presented as authoritative fails Veto 4 by definition. AI as a drafting aid is fine, but the final text must be yours and you must stand behind every claim in it. The directory rejects cosmetic mappings on review.

What if one of the six vetoes does not apply to my product?

Address it anyway. If a veto genuinely does not apply (e.g., your product has no AI component and Veto 4 is N/A), say so explicitly and explain why. "N/A — this product has no AI surface; the Layer 4 review gate is not applicable." A blank section gets rejected; an honest N/A with reasoning gets accepted.

Can I claim Silver in my INTEGRITY.md, or does that come later?

Claim the tier you actually qualify for. Bronze requires only the INTEGRITY.md. Silver requires the INTEGRITY.md plus one of: integrity-cli green against your public repo, or a public methodology page with a versioned changelog. If your product has the Silver credential, claim it; the directory will verify before publishing the badge.