docs: add CopilotKit lockfile example and verified case study#657

Open
Ayush7614 wants to merge 1 commit into
OWASP:mainfrom
Ayush7614:ayushcopilot

Conversation

@Ayush7614 Ayush7614 commented Jun 14, 2026

Contributor

Document CopilotKit/CopilotKit at 9111a1f (4,367 packages, 48 findings) with pnpm workspace fix commands, pnpm audit comparison, and baseline table.

Closes #582

Summary

  • Adds lockfile-only snapshot examples/copilotkit/ from CopilotKit/CopilotKit@9111a1f (root package.json + pnpm-lock.yaml)
  • Documents verified baseline scan in website/docs/case-studies/copilotkit.md: agentic frontend / AG-UI Protocol coverage on a large pnpm + Nx monorepo (4,367 packages, 48 findings)
  • 2 critical · 18 high · 26 medium · 2 low — mixed direct/transitive split with 4 fix command groups covering 7/48 findings on first pass
  • Side-by-side comparison with pnpm audit on the same lockfile (117 vulnerability entries vs 48 deduplicated packages)
  • Bundles CopilotKit logo at website/static/img/copilotkit-logo.svg

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per updated CONTRIBUTING guidance.

Why this change

CopilotKit (~34k GitHub stars) is a major agentic frontend stack (React, Angular, Vue, mobile, Slack) and maker of the AG-UI Protocol. A committed pnpm workspace lockfile snapshot extends CVE Lite's AI agent / generative UI coverage at meaningful scale — with realistic triage complexity: breaking direct upgrades, deep transitive chains, and partial monorepo modeling caveats.

What changed

  • examples/copilotkit/package.json + examples/copilotkit/pnpm-lock.yaml pinned to upstream revision 9111a1f
  • website/docs/case-studies/copilotkit.md with verified scan results, pnpm audit comparison, pnpm --filter fix commands, and full 48-row baseline findings table
  • website/static/img/copilotkit-logo.svg (bundled locally from CopilotKit branding assets)

Verified scan output

Parsed 4367 packages from pnpm-lock (pnpm-lock.yaml)
Found 48 packages (84 CVEs) with known OSV matches
Critical: 2 | High: 18 | Medium: 26 | Low: 2
4 command groups ready across 7 packages (1 critical, 2 high, 1 medium)
Running all commands above should fix 7 of 48 findings.

Key generated commands:

pnpm add --filter ./examples/v2/react/demo --filter ./packages/core --filter ./packages/react-core ... vitest@4.1.0
pnpm add --filter ./examples/v2/angular/storybook --filter ./examples/v2/react/storybook --filter ./examples/v2/vue/storybook storybook@10.2.10
pnpm update --recursive --no-save axios && pnpm update --recursive --no-save picomatch && pnpm update --no-save tmp
pnpm update --recursive --no-save brace-expansion && pnpm update --recursive --no-save follow-redirects

Notable findings:

  • vitest@3.2.4 — critical (direct · dev) — breaking major bump to 4.1.0 across 20 workspace packages
  • storybook@10.1.11 — high (direct) — filtered upgrade to 10.2.10
  • shell-quote@1.8.3 — critical (transitive) — ⊘ no auto fix command
  • immutable@5.1.4, next@16.x, @angular/core@19.2.18, react-router@7.13.2 — high transitive clusters

pnpm audit (same lockfile): 117 vulnerabilities (7 critical · 43 high · 54 moderate · 13 low)

Validation

  • npm run build
  • node dist/index.js examples/copilotkit --verbose --all — 48 findings, 4 command groups, 7/48 coverage
  • pnpm audit run from examples/copilotkit/ — counts documented in case study
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-19-20.json)
  • Full 48-row baseline findings table included
  • Docusaurus site builds (CI)

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Issue #582 preliminary scan (v1.19.2, 2026-06-08) reported 43 findings / 14 direct / 8 fix groups. Verified scan at v1.22.0 reports 48 findings / 2 direct / 4 fix groups due to OSV advisory updates (e.g. additional esbuild rows) and current direct/transitive classification on this lockfile snapshot — all numbers in the case study match live scan JSON.

cc: @sonukapoor

Document CopilotKit/CopilotKit at 9111a1f (4,367 packages, 48 findings)
with pnpm workspace fix commands, pnpm audit comparison, and baseline table.

Closes OWASP#582

@sonukapoor sonukapoor left a comment

Collaborator

Strong fixture and solid baseline data - the 48-row findings table is complete and the pnpm audit comparison is well done. Same two issues as #660:

Before vs After table needs remediation rows. You already have the four command groups in the PR description - run them against examples/copilotkit/ one at a time, rescan after each, and record the results as rows.

Missing final section - add ## Want your project reviewed? at the end (copy from any existing study).

## Scan verification - fold this into ## Scan command as prose or a sub-section rather than a separate ## heading. The content is useful, it just breaks the required section order.

@sonukapoor sonukapoor left a comment

Collaborator

Good coverage of the pnpm + Nx workspace scan. A few structural issues to fix:

The ## Scan verification section breaks the required section order - that content belongs inside ## Scan command rather than as its own top-level section. Please fold the reproduce commands and scan metadata into that section.

## Remaining risk needs a trailing qualifier - every other case study uses ## Remaining risk after [what was done]. Since no remediation was applied here, something like ## Remaining risk after baseline scan works.

The ## Want your project reviewed? closing section is missing - please add it as the final section.

The Before vs After table has only the baseline row. The spec requires measured after-pass rows - please run the fix command groups one at a time, rescan after each, and record the counts as new rows.

Branch is behind main - please rebase with git fetch origin && git rebase origin/main && git push --force-with-lease.
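One way to produce the measured after-pass rows that both review comments ask for, as an added example that is not part of the PR or of CVE Lite: it assumes the scanner invocation from the Validation section and the summary-line format quoted in the PR description, reads the generated pnpm command groups from an assumed fix-groups.txt (one command per line, copied from the PR), and uses an assumed column layout for the table.

```shell
#!/bin/sh
# Added example, not code from the PR or from CVE Lite. Applies one fix
# command group at a time inside examples/copilotkit/, rescans after each,
# and prints the counts as markdown table rows for the Before vs After table.
# Assumptions: scanner is invoked as in the PR's Validation section and prints
# the "Found N packages" and "Critical: .. | High: .." lines shown in the PR;
# the column layout below is assumed, not the case-study spec.

# Turn one scan's text output into a row:
# | label | findings | critical | high | medium | low |
table_row() {
  label=$1
  out=$2
  total=$(printf '%s\n' "$out" | sed -n 's/^Found \([0-9][0-9]*\) packages.*/\1/p')
  sev=$(printf '%s\n' "$out" | sed -n 's/^Critical: \([0-9]*\) | High: \([0-9]*\) | Medium: \([0-9]*\) | Low: \([0-9]*\).*/\1 \2 \3 \4/p')
  # word-splitting of $sev into $1..$4 is intended; missing fields print "?"
  set -- $sev
  printf '| %s | %s | %s | %s | %s | %s |\n' \
    "$label" "${total:-?}" "${1:-?}" "${2:-?}" "${3:-?}" "${4:-?}"
}

# Rescan the snapshot with the CLI invocation from the Validation section.
rescan() {
  node dist/index.js examples/copilotkit --verbose --all
}

# Run one command group inside the example directory, then rescan.
apply_and_rescan() {
  label=$1
  cmd=$2
  ( cd examples/copilotkit && sh -c "$cmd" ) >/dev/null
  table_row "$label" "$(rescan)"
}

# Baseline row first, then one row per command group read from the file
# given as $1 (assumed: one generated pnpm command per line).
record_passes() {
  groups=$1
  n=0
  printf '| pass | findings | critical | high | medium | low |\n'
  printf '|------|----------|----------|------|--------|-----|\n'
  table_row "baseline" "$(rescan)"
  while IFS= read -r cmd; do
    n=$((n + 1))
    apply_and_rescan "after group $n" "$cmd"
  done < "$groups"
}

# Usage from the repo root: sh record_passes.sh --run fix-groups.txt
if [ "${1:-}" = "--run" ]; then record_passes "${2:-fix-groups.txt}"; fi
```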
