Add Cline lockfile example and verified case study #583

@Ayush7614

Description

Summary

Add a real-world Cline lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Cline is a widely adopted autonomous coding agent (~62.9k GitHub stars) — available as an SDK, IDE extension, and CLI assistant. The upstream repo is a Bun workspace monorepo with a root bun.lock. A committed lockfile snapshot and documented case study would:

  • Extend AI coding-agent / IDE tooling coverage alongside CopilotKit, Mastra, OpenAI Agents JS, and CamoFox
  • Show CVE Lite on a Bun lockfile at meaningful scale (1,518 resolved packages) — distinct from existing bun-simple / bun-workspace fixtures
  • Demonstrate Bun workspace-scoped fix commands (bun add --filter …) for direct deps across nested workspace paths
  • Surface mixed outcomes: actionable direct fixes, transitive ⊘ skipped findings (file-type, @ai-sdk/provider-utils), and lean overall risk (4 findings)
  • Provide a side-by-side comparison with bun audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.19.2, lockfile-only, 2026-06-08)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 9d59de4a4cfdcadc23a79bd03e8b531207cf2640 |
| Lockfile | root bun.lock (Bun workspaces monorepo) |
| Resolved packages | 1,518 |
| Vulnerable packages | 4 |
| Severity | 0 critical · 0 high · 2 medium · 2 low |
| Direct vs transitive | 2 direct / 2 transitive |
| CVE count (deduplicated) | 4 CVEs across 4 packages |
| Fix command groups (preliminary) | 2 groups covering 2 packages (2 of 4 findings) |

Notable findings (preliminary):

  • postcss@8.4.31 — medium (direct) — bun add --filter apps/cline-hub/src/webview --filter apps/examples/desktop-app --filter apps/examples/vscode/src/webview postcss@8.5.10
  • diff@8.0.2 — low (direct) — bun add diff@8.0.3
  • file-type@16.5.4 — medium (transitive) — OSV fix hint present but no auto-generated fix command (⊘)
  • @ai-sdk/provider-utils@3.0.25 — low (transitive) — ⊘ skipped (major-bump fix hint 4.0.0)
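Added illustration (not code from this issue or from the CVE Lite project): a small Python sketch of how the direct-vs-transitive split and the workspace-scoped `bun add --filter …` commands listed above can be derived from a bun.lock. The lockfile below is a constructed, much smaller sample, and its layout (JSONC with trailing commas, "workspaces" keyed by path, "packages" keyed by name with the resolved "name@version" as the first array element) is my assumption about the bun.lock format; the fixed versions are the ones the findings above cite.

```python
import json
import re

# Constructed, simplified bun.lock sample. The layout (JSONC with trailing commas,
# "workspaces" keyed by path, "packages" keyed by name with the resolved
# "name@version" as the first array element) is an assumption about the format.
SAMPLE_BUN_LOCK = r'''
{
  "lockfileVersion": 1,
  "workspaces": {
    "": { "name": "root", "dependencies": { "diff": "^8.0.2", }, },
    "apps/desktop": { "name": "desktop", "dependencies": { "postcss": "^8.4.31", }, },
    "apps/webview": { "name": "webview", "devDependencies": { "postcss": "^8.4.31", }, },
  },
  "packages": {
    "diff": ["diff@8.0.2", "", {}, "sha512-placeholder"],
    "postcss": ["postcss@8.4.31", "", { "dependencies": { "nanoid": "^3.3.6", }, }, "sha512-placeholder"],
    "nanoid": ["nanoid@3.3.6", "", {}, "sha512-placeholder"],
    "@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.25", "", {}, "sha512-placeholder"],
  },
}
'''

def load_bun_lock(text):
    """Strip JSONC trailing commas so the standard json module accepts the file."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def resolved_versions(lock):
    """Map package name -> resolved version; rsplit keeps scoped names intact."""
    return {name: entry[0].rsplit("@", 1)[1] for name, entry in lock["packages"].items()}

def direct_declarers(lock, pkg):
    """Workspace paths that list pkg in any dependency field ('' is the root)."""
    fields = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
    return sorted(ws for ws, meta in lock["workspaces"].items()
                  if any(pkg in meta.get(f, {}) for f in fields))

def fix_command(lock, pkg, fixed_version):
    """bun add command with one --filter per declaring workspace; None if transitive."""
    declarers = direct_declarers(lock, pkg)
    if not declarers:
        return None  # transitive finding: no workspace to scope a fix to, report as skipped
    filters = [f"--filter {ws}" for ws in declarers if ws]  # root workspace needs no --filter
    return " ".join(["bun add", *filters, f"{pkg}@{fixed_version}"])

if __name__ == "__main__":
    lock = load_bun_lock(SAMPLE_BUN_LOCK)
    print(len(lock["packages"]), "resolved packages")
    for pkg, fixed in (("postcss", "8.5.10"), ("diff", "8.0.3"), ("nanoid", "3.3.7")):
        print(pkg, "->", fix_command(lock, pkg, fixed) or "⊘ skipped (transitive)")
```

On the real 1,518-package lockfile the same walk would have to be run against the scanner's own finding list; the sample only reproduces the direct/transitive shape of the four findings above.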

bun audit (same lockfile): 4 vulnerabilities (2 moderate · 2 low) — totals align closely with CVE Lite’s deduplicated view.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/cline/ with root package.json and bun.lock pinned to a specific upstream commit
  • Add website/docs/case-studies/cline.md with verified scan results (CVE Lite CLI version, bun audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/ (from Cline branding/assets — do not rely on external raw URLs that 404)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake “after” remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study explains Bun workspace --filter fix commands and partial monorepo modeling caveats
  • Comparison note explains CVE Lite vs bun audit alignment (4 vs 4)
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/

Claiming this issue — happy to open a PR once maintainers confirm scope. @sonukapoor
