docs: add Cline Bun lockfile example and verified case study

[Ayush7614]

Document cline/cline at 9d59de4 (1,518 packages, 5 findings) with Bun workspace lockfile coverage, bun audit comparison, and modeling caveats.

Closes #583

Summary

• Adds lockfile-only snapshot examples/cline/ from cline/cline@9d59de4 (root package.json + bun.lock)
• Documents verified baseline scan in website/docs/case-studies/cline.md — AI coding-agent / IDE tooling coverage on a Bun workspaces monorepo (1,518 packages, 5 findings)
• 0 critical · 1 high · 2 medium · 2 low — lean graph with mixed outcomes: OSV fix hints present, 0 auto-generated fix command groups (Bun workspace path modeling caveats documented)
• Side-by-side comparison with bun audit on the same lockfile (6 vulnerability entries vs 5 deduplicated packages)
• Bundles Cline logo at website/static/img/cline-logo.png

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per updated CONTRIBUTING guidance.

Why this change

Cline (~63k GitHub stars) is a widely adopted autonomous coding agent (SDK, IDE extension, CLI). A committed Bun workspace lockfile snapshot extends CVE Lite coverage into AI agent tooling at meaningful scale — distinct from existing bun-simple / bun-workspace fixtures — and documents how CVE Lite behaves on real-world Bun monorepo graphs vs bun audit.

What changed

• examples/cline/package.json + examples/cline/bun.lock pinned to upstream revision 9d59de4
• website/docs/case-studies/cline.md with verified scan results, bun audit comparison, manual bun add --filter … remediation notes, and baseline findings table
• website/static/img/cline-logo.png (bundled locally from Cline branding assets)

Verified scan output

Parsed 1518 packages from bun-lock (bun.lock)
Found 5 packages (6 CVEs) with known OSV matches
Critical: 0 | High: 1 | Medium: 2 | Low: 2
0 command groups — all 5 findings skipped (Bun workspace path modeling)

Notable findings:

• esbuild@0.27.7 — high (transitive · dev) via Vite webview workspaces (new vs issue preliminary scan at v1.19.2)
• postcss@8.4.31 — medium, file-type@16.5.4 — medium, @ai-sdk/provider-utils@3.0.25 — low, diff@8.0.2 — low

bun audit (same lockfile): 6 vulnerabilities (1 high · 2 moderate · 3 low) — totals align after CVE Lite deduplication (esbuild reports two advisories as one package row).

Validation

• npm run build
• node dist/index.js examples/cline --verbose --all — 5 findings, 0 command groups, 1518 packages parsed
• bun audit run from examples/cline/ — workspace paths documented in case study
• Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-07-53.json)
• Full 5-row baseline findings table included
• Docusaurus site builds (CI)

User-facing impact

Does this change:

• affect scanning behavior
• affect output formatting
• affect JSON output
• affect docs only

Notes

Issue #583 preliminary scan (v1.19.2, 2026-06-08) reported 4 findings / 2 fix groups with direct postcss and diff classification. Verified scan at v1.22.0 reports 5 findings (esbuild advisory additions) and 0 auto fix groups on this lockfile-only Bun workspace snapshot — the case study documents this delta and recommends pairing CVE Lite with bun audit for workspace filter targets.

cc: @sonukapoor

[sonukapoor]

The Bun workspace coverage is exactly what was missing from the portfolio and the bun audit comparison table is well done - clearly explains the deduplication difference.

Two things needed before this merges:

Every case study ends with a ## Want your project reviewed? section - it's the last required section in the template and it's missing here. Please add it after ## Fixture scope. The standard text is in the other case studies (e.g. presenton.md's closing section is a good reference).

The ## Fixture scope section is a good addition and can stay - it just needs to sit before ## Want your project reviewed?, not instead of it.

Branch is behind main - please rebase with git fetch origin && git rebase origin/main && git push --force-with-lease.