
Add CopilotKit lockfile example and verified case study #582

@Ayush7614

Description


Summary

Add a real-world CopilotKit lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

CopilotKit is a major agentic frontend stack (~33.8k GitHub stars) — React, Angular, Vue, mobile, Slack integrations, and makers of the AG-UI Protocol. The upstream repo is a large pnpm + Nx monorepo. A committed lockfile snapshot and documented case study would:

  • Extend AI agent / generative UI coverage alongside Mastra, OpenAI Agents JS, Vercel AI SDK, and InsForge
  • Show CVE Lite on a large pnpm workspace graph (4,367 resolved packages) with mixed direct and transitive findings
  • Demonstrate pnpm workspace-scoped fix commands (pnpm add --filter …) across many packages
  • Surface realistic triage complexity: breaking direct upgrades (e.g. vitest@3.2.4 → 4.1.0), deep-chain parent upgrades, and partial path coverage notes
  • Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.19.2, lockfile-only, 2026-06-08)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 9111a1f2ace20b787e403451182b733ecd761fcb |
| Lockfile root | pnpm-lock.yaml (pnpm workspace monorepo, Nx) |
| Resolved packages | 4,367 |
| Vulnerable packages | 43 |
| Severity | 1 critical · 15 high · 25 medium · 2 low |
| Direct vs transitive | 14 direct / 29 transitive |
| CVE count (deduplicated) | 80 CVEs across 43 packages |
| Fix command groups (preliminary) | 8 groups covering 26 packages |

Notable findings (preliminary):

  • vitest@3.2.4 — critical (direct); pnpm add --filter … vitest@4.1.0 flagged as breaking (major bump)
  • next@16.1.3, @angular/core@19.2.18, react-router@7.13.2, storybook@10.1.11 — high direct/transitive with multi-package pnpm add --filter commands
  • Deep transitive chain example: immutable via @graphql-codegen/client-preset → … → @ardatan/relay-compiler, with a path-specific parent upgrade and a remaining-paths note
  • Mix of within-range lockfile refresh, parent upgrades, and ⊘ skipped findings across the graph

pnpm audit (same lockfile): 111 vulnerabilities (6 critical · 40 high · 53 moderate · 12 low) — case study should explain deduplication vs CVE Lite’s 43-package view.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/copilotkit/ with root package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/copilotkit.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/ (from CopilotKit branding/assets — do not rely on external raw URLs that 404)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake “after” remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study explains pnpm workspace --filter fix commands and partial monorepo modeling caveats
  • Comparison note explains CVE Lite vs pnpm audit (111 entries vs 43 deduplicated packages)
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/

Claiming this issue — happy to open a PR once maintainers confirm scope. @sonukapoor
