Add Lit lockfile example and verified case study

[Ayush7614]

Summary

Add a real-world Lit monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Lit is a widely used web components library with a large npm monorepo spanning lit, lit-html, lit-element, and labs packages. A committed lockfile snapshot and documented case study would:

• Add web components coverage to the case study portfolio (complementing framework and AI SDK examples)
• Show how CVE Lite CLI handles a mature npm package-lock.json monorepo with a broad transitive vulnerability surface
• Document verified baseline findings, fix command groups, and remaining risk without applying remediation
• Provide a side-by-side comparison with npm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.1, lockfile-only, 2026-05-28)

Metric	Value
Upstream revision (candidate)	20afabd3c5bfd49fdcdf1b8518e05c7f99a46db6
Lockfile	package-lock.json
Resolved packages	2,059
Vulnerable packages	99 (159 OSV advisory matches)
Severity	5 critical · 52 high · 33 medium · 9 low

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

• Add examples/lit/ with package.json and package-lock.json pinned to a specific upstream commit
• Add website/docs/case-studies/lit.md with verified scan results (CVE Lite CLI version, npm audit comparison, reproducible commands)
• Bundle Lit logo under website/static/img/ (do not rely on external raw URLs)
• Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

• Documentation and example fixture only
• No changes to scanner source code or existing examples
• All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

• Lockfile snapshot is pinned to a documented upstream revision
• Case study includes scan verification section with reproduce commands
• Comparison note explains CVE Lite vs native audit count differences (if totals differ)
• Baseline findings table matches live scan JSON output
• Logo is bundled locally under website/static/img/

[sonukapoor]

Before starting on this one - worth thinking about what story the findings tell. The most useful case studies have at least one direct dependency finding with a clear fix command, or something unexpected in a high-profile project. 99 findings is a large surface - make sure the write-up leads with the most actionable findings rather than the raw count. Look forward to seeing what you find.

[Ayush7614]

PR for closing issue #499