v1.4.0: tier field in check JSON output (#2)

Adds a top-level "tier" string to the JSON returned by `check
--format=json`. Computed deterministically from severity counts:

- silver: 0 CRITICAL + 0 HIGH
- bronze: 0 CRITICAL + ≥1 HIGH
- fail:   ≥1 CRITICAL

This is the CLI-green Silver path the directory site already uses as
one of its two Silver gates. The other Silver path (public methodology
page with Version + Changelog headings) requires a remote URL fetch and
remains directory-side. The CLI does not opine on that.

Motivation: integrity-md-action and the directory previously computed
their own tier labels from raw counts, drifting independently. One
source of truth means the badge the action publishes and the tier the
directory awards are always the same string.

Exported computeTier(counts) so external tooling can pin the mapping
without scraping JSON.

Base manifest unchanged (still v1.10.0). No rule additions, removals,
or shape changes — purely an additive JSON output field.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tjpinder

README.md

@@ -60,6 +60,16 @@ update both sides.
 - `2` — one or more HIGH findings (only when `--strict`)
 - `3` — usage error
 
+### Tier (JSON output, v1.4.0+)
+
+The JSON payload returned by `check --format=json` includes a top-level `tier` field, derived from the severity counts so tooling doesn't have to reimplement the mapping:
+
+- `"silver"` — no CRITICAL and no HIGH findings (CLI-green path)
+- `"bronze"` — no CRITICAL but one or more HIGH findings
+- `"fail"` — one or more CRITICAL findings
+
+The directory's other Silver path — a public methodology page with `Version` + `Changelog` headings — is intentionally not computed here. It requires a remote URL fetch and lives in the directory site.
+
 ## Badge
 
 Once your product is listed in the directory at a Bronze or Silver tier, you can embed a tier badge in your README so prospective buyers can verify the listing in one click.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startvest/integrity-cli",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "CLI for The Integrity Framework. Run the v1.0 assertion suite against any repo, generate badge markdown, browse and submit listings to the Integrity Framework Directory. Pure ESM, zero runtime dependencies.",
   "type": "module",
   "bin": {

src/cli.mjs

@@ -145,13 +145,16 @@ async function cmdCheck(argv) {
   const results = metaRuleResult ? [metaRuleResult, ...scanResults] : scanResults;
   const counts = countBySeverity(results);
 
+  const tier = computeTier(counts);
+
   if (flags.format === 'json') {
     const payload = {
       framework: 'Startvest Integrity Framework',
       baseVersion: base.version,
       repoRoot,
       sources: { base: !flags.noBase, repoManifests: repoFiles },
       counts,
+      tier,
       results,
     };
     process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
@@ -233,3 +236,15 @@ function countBySeverity(results) {
   }
   return counts;
 }
+
+// Tier derived from severity counts. Matches the green-build path of the
+// directory's tier gates: Silver via CLI-green (no CRITICAL, no HIGH),
+// Bronze when a published integrity.md exists but HIGH findings remain,
+// fail when any CRITICAL is unresolved. The methodology-page Silver path
+// is intentionally not computed here — it requires a remote URL fetch
+// and lives in the directory site, not in this CLI.
+export function computeTier(counts) {
+  if ((counts?.CRITICAL ?? 0) > 0) return 'fail';
+  if ((counts?.HIGH ?? 0) > 0) return 'bronze';
+  return 'silver';
+}