Add OpenAI Agents JS lockfile example and verified case study

[Ayush7614]

Summary

Add a real-world OpenAI Agents SDK (JavaScript) monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

The OpenAI Agents SDK is a lightweight TypeScript framework for multi-agent workflows and voice agents. Its pnpm monorepo includes core packages, examples, and integration tests. A committed lockfile snapshot and documented case study would:

• Add OpenAI agent framework coverage to the AI case study portfolio
• Show how CVE Lite CLI handles a high-visibility pnpm monorepo with mostly transitive high-severity findings
• Document verified baseline findings, fix command groups, and remaining risk without applying remediation
• Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.1, lockfile-only, 2026-05-28)

Metric	Value
Upstream revision (candidate)	f76fc19fba03dfbecf34ffd92302543b3b1d4890
Lockfile	pnpm-lock.yaml
Resolved packages	1,683
Vulnerable packages	29 (44 OSV advisory matches)
Severity	13 high · 16 medium
Direct vs transitive	0 direct / 29 transitive

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

• Add examples/openai-agents-js/ (or examples/openai-agents/) with package.json and pnpm-lock.yaml pinned to a specific upstream commit
• Add website/docs/case-studies/openai-agents-js.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
• Bundle OpenAI Agents logo under website/static/img/ (do not rely on external raw URLs)
• Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

• Documentation and example fixture only
• No changes to scanner source code or existing examples
• All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

• Lockfile snapshot is pinned to a documented upstream revision
• Case study includes scan verification section with reproduce commands
• Comparison note explains CVE Lite vs native audit count differences (if totals differ)
• Baseline findings table matches live scan JSON output
• Logo is bundled locally under website/static/img/

[sonukapoor]

One thing to think about here - 0 direct findings means every fix requires tracing a parent upgrade, which limits how actionable the write-up can be for the maintainer. The case study can still show the transitive tracking feature clearly, but keep that framing in mind. For future suggestions, repos with at least one direct finding tend to make stronger case studies.

[Ayush7614]

PR for closing issue #501