Add OpenAI Agents JS lockfile example and verified case study

CHANGELOG.md

@@ -5,8 +5,9 @@ All notable changes to CVE Lite CLI will be documented in this file.
 ## [Unreleased]
 
 ### Docs
+- OpenAI Agents SDK (JavaScript) case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/openai-agents-js/`, 1,683 packages, 31 findings at revision `f76fc19`), including all-transitive parent-tracing narrative and CVE Lite CLI vs `pnpm audit` comparison.
 - Visual Studio Code case study added with verified baseline scan of a root npm lockfile snapshot (`examples/vscode/`, 1,374 packages, 9 findings at revision `bc678ca`), including CVE Lite CLI vs `npm audit` comparison.
-- Examples readme, docs sidebar, and README updated to reference the VS Code fixture and case study.
+- Examples readme, docs sidebar, and README updated to reference the OpenAI Agents JS and VS Code fixtures and case studies.
 
 ## [1.18.1] - 2026-05-27
 

README.md

@@ -213,8 +213,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
 - [Astro](https://owasp.org/cve-lite-cli/docs/case-studies/astro) — verified baseline scan of a modern pnpm monorepo (2,228 packages, 34 findings at revision `221bb4b`) with a critical transitive SDK chain and four generated fix command groups
 - [Turborepo](https://owasp.org/cve-lite-cli/docs/case-studies/turborepo) — verified baseline scan of a build-system pnpm monorepo (1,776 packages, 13 findings at revision `c85d410`) with a critical no-fix sandbox beta, all-transitive risk, and zero auto-generated fix commands on this snapshot
 - [Visual Studio Code](https://owasp.org/cve-lite-cli/docs/case-studies/vscode) — verified baseline scan of the VS Code root npm lockfile (1,374 packages, 9 findings at revision `bc678ca`) with two direct Anthropic SDK advisories, a high-severity gulp toolchain chain, and two generated fix command groups
+- [OpenAI Agents SDK (JavaScript)](https://owasp.org/cve-lite-cli/docs/case-studies/openai-agents-js) — verified baseline scan of a pnpm AI-agent monorepo (1,683 packages, 31 findings at revision `f76fc19`) with 0 direct findings, MCP/Daytona parent clusters, and one generated `verdaccio` parent-upgrade command
 
-In-repo lockfile fixtures for Astro, Turborepo, and Visual Studio Code live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
+In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, and OpenAI Agents JS live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
 
 These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
 

examples/openai-agents-js/package.json

@@ -0,0 +1,102 @@
+{
+  "private": true,
+  "name": "openai-agents-js",
+  "version": "0.0.1",
+  "scripts": {
+    "clean": "node scripts/clean-package-dists.mjs && tsc-multi --clean",
+    "prebuild": "pnpm -F @openai/* -r prebuild",
+    "build": "pnpm clean && tsc-multi",
+    "build:ci": "pnpm run prebuild && pnpm clean && tsc-multi --maxWorkers 1 && pnpm run postbuild",
+    "postbuild": "pnpm -r -F @openai/* bundle",
+    "packages:dev": "tsc-multi --watch",
+    "docs:dev": "pnpm -F docs dev",
+    "docs:translate": "pnpm -F docs translate",
+    "docs:build": "pnpm -F docs build",
+    "docs:scripts:check": "pnpm exec tsc --pretty false --project docs/tsconfig.scripts.json",
+    "test": "CI=1 NODE_ENV=test vitest",
+    "test:coverage": "NODE_ENV=test vitest run --coverage",
+    "test:examples": "pnpm -r build-check",
+    "test:integration": "NODE_ENV=test vitest run --config=vitest.integration.config.ts",
+    "test:watch": "NODE_ENV=test vitest --watch",
+    "dev": "tsx scripts/dev.mts",
+    "format": "prettier --write \"packages/**/*.ts\" \"examples/**/*.ts\" \"integration-tests/**/*.ts\"",
+    "format:changed": "node scripts/prettier-changed.mjs",
+    "lint": "eslint",
+    "lint:fix": "eslint --fix",
+    "examples:basic": "pnpm -F basic start",
+    "examples:agents-as-tools": "pnpm -F agent-patterns start:agents-as-tools",
+    "examples:agents-as-tools-conditional": "pnpm -F agent-patterns start:agents-as-tools-conditional",
+    "examples:agents-as-tools-structured": "pnpm -F agent-patterns start:agents-as-tools-structured",
+    "examples:deterministic": "pnpm -F agent-patterns start:deterministic",
+    "examples:parallelization": "pnpm -F agent-patterns start:parallelization",
+    "examples:human-in-the-loop": "pnpm -F agent-patterns start:human-in-the-loop",
+    "examples:input-guardrails": "pnpm -F agent-patterns start:input-guardrails",
+    "examples:output-guardrails": "pnpm -F agent-patterns start:output-guardrails",
+    "examples:streamed": "pnpm -F agent-patterns start:streamed",
+    "examples:streamed:human-in-the-loop": "pnpm -F agent-patterns start:human-in-the-loop-stream",
+    "examples:routing": "pnpm -F agent-patterns start:routing",
+    "examples:customer-service": "pnpm -F customer-service start",
+    "examples:realtime-demo": "pnpm -F realtime-demo dev",
+    "examples:realtime-next": "pnpm -F realtime-next dev",
+    "examples:research-bot": "pnpm -F research-bot start",
+    "examples:financial-research-agent": "pnpm -F financial-research-agent start",
+    "examples:tools-computer-use": "pnpm -F tools start:computer-use",
+    "examples:tools-codex": "pnpm -F tools start:codex",
+    "examples:tools-codex-same-thread": "pnpm -F tools start:codex-same-thread",
+    "examples:tools-file-search": "pnpm -F tools start:file-search",
+    "examples:tools-tool-search": "pnpm -F tools start:tool-search",
+    "examples:tools-web-search": "pnpm -F tools start:web-search",
+    "examples:tools-shell": "pnpm -F tools start:shell",
+    "examples:tools-container-shell": "pnpm -F tools start:container-shell",
+    "examples:tools-container-shell-inline": "pnpm -F tools start:container-shell-inline",
+    "examples:tools-apply-patch": "pnpm -F tools start:apply-patch",
+    "examples:sandbox-basic": "pnpm -F sandbox start:basic",
+    "examples:sandbox-handoffs": "pnpm -F sandbox start:handoffs",
+    "examples:sandbox-memory": "pnpm -F sandbox start:memory",
+    "examples:sandbox-memory-multi-agent-multiturn": "pnpm -F sandbox start:memory-multi-agent-multiturn",
+    "examples:sandbox-agent-capabilities": "pnpm -F sandbox start:sandbox-agent-capabilities",
+    "examples:sandbox-agent-with-tools": "pnpm -F sandbox start:sandbox-agent-with-tools",
+    "examples:sandbox-agents-as-tools": "pnpm -F sandbox start:sandbox-agents-as-tools",
+    "examples:sandbox-coding-task": "pnpm -F sandbox start:coding-task",
+    "examples:sandbox-resume": "pnpm -F sandbox start:resume",
+    "examples:sandbox-unix-local-pty": "pnpm -F sandbox start:unix-local-pty",
+    "examples:sandbox-unix-local-runner": "pnpm -F sandbox start:unix-local-runner",
+    "examples:start-all": "node scripts/run-example-starts.mjs",
+    "examples:tool-filter": "tsx examples/mcp/tool-filter-example.ts",
+    "changeset:validate-prompt": "node .agents/skills/changeset-validation/scripts/changeset-prompt.mjs",
+    "changeset:validate-lite": "node scripts/changeset-validation-lite.mjs",
+    "changeset:validate-result": "node .agents/skills/changeset-validation/scripts/changeset-validation-result.mjs",
+    "changeset:assign-milestone": "node .agents/skills/changeset-validation/scripts/changeset-assign-milestone.mjs",
+    "ci:publish": "pnpm publish -r --no-git-checks --access public",
+    "bump-version": "changeset version && pnpm -F @openai/* prebuild",
+    "prepare": "husky",
+    "clear:deps": "rm -rf node_modules && pnpm -r exec rm -rf node_modules",
+    "local-npm:reset": "rm -rf .cache/verdaccio/storage",
+    "local-npm:start": "verdaccio --config verdaccio-config.yml",
+    "local-npm:publish": "pnpm -r publish --registry http://localhost:4873 --force --no-git-checks"
+  },
+  "devDependencies": {
+    "@changesets/cli": "^2.31.0",
+    "@eslint/js": "^9.39.4",
+    "@types/node": "22.19.13",
+    "@typescript-eslint/eslint-plugin": "^8.59.4",
+    "@typescript-eslint/parser": "^8.59.4",
+    "@vitest/coverage-v8": "^3.2.4",
+    "concurrently": "^9.2.1",
+    "eslint": "^9.39.4",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-unused-imports": "^4.4.1",
+    "execa": "^9.6.1",
+    "husky": "^9.1.7",
+    "playwright": "^1.60.0",
+    "prettier": "^3.8.3",
+    "rimraf": "^6.1.3",
+    "tsc-multi": "^1.1.0",
+    "tsx": "^4.22.3",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.59.4",
+    "verdaccio": "^6.7.1",
+    "vitest": "^3.2.4"
+  },
+  "packageManager": "pnpm@11.0.9+sha512.34ce82e6780233cf9cad8685029a8f81d2e06196c5a9bad98879f7424940c6817c4e4524fb7d38b8553ceed48b9758b8ebaf1abd3600c232c4c8cf7366086f38"
+}