docs: add Twenty lockfile example and verified case study (#505)

README.md

@@ -226,8 +226,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
 - [n8n](https://owasp.org/cve-lite-cli/docs/case-studies/n8n) — verified baseline scan of a workflow automation pnpm monorepo (3,746 packages, 32 findings at revision `e2e0394`) with one direct `turbo` fix, four command groups, and email/editor transitive clusters
 - [CamoFox Browser](https://owasp.org/cve-lite-cli/docs/case-studies/camofox-browser) — verified baseline scan of an AI agent browser automation npm graph (435 packages, 2 findings at revision `ce3a3b0`) with dual `qs` fix strategies — within-range `npm update qs` and parent `npm install express@4.22.2`
 - [Storybook](https://owasp.org/cve-lite-cli/docs/case-studies/storybook) — verified baseline scan of a Yarn Berry monorepo (3,008 packages, 92 findings at revision `cc19ae1`) spanning cross-framework sandbox templates, five critical transitive chains, and one direct vite fix command
+- [Twenty](https://owasp.org/cve-lite-cli/docs/case-studies/twenty) — verified baseline scan of an open-source CRM Yarn Berry monorepo (5,451 packages, 105 findings at revision `fc90b4b`) with 0 direct findings, six critical test-stack chains, and four Nx parent-upgrade command groups
 
-In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n, CamoFox Browser, and Storybook live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
+In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n, CamoFox Browser, Storybook, and Twenty live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
 
 These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
 

examples/readme.md

@@ -30,7 +30,6 @@ Small curated projects committed to the repository. Clone the repo and scan imme
 | `wrong-parent` | npm | 3-level transitive chain where the immediate parent's range already covers the fix — expects `npm update js-cookie`, not a parent bump. |
 | `no-findings` | npm | Clean project with no known vulnerabilities — demonstrates success output. |
 | `dev-only-finding` | npm | Vulnerable package that only appears in devDependencies — classified as a direct finding in full scans and excluded by `--prod-only`. |
-| `multiple-versions-same-pkg` | npm | Same package at two installed versions (`lodash@3.10.1` via karma, `lodash@4.17.20` direct) — each version must appear as a separate finding. |
 | `any fixture` + `.cve-lite/baseline.json` | any | Run `cve-lite . --ratchet` on any fixture to establish a baseline. Rescan without the flag to see only new findings. `.cve-lite/` directories should NOT be committed from example fixtures. |
 | `mal-private-registry` | npm | `node-ipc@9.2.3` with `resolved` pointing to a private registry — demonstrates `Unverifiable (private source)` output for MAL- advisories where the artifact origin cannot be confirmed. |
 | `pnpm-mal-private-registry` | pnpm v9 | `node-ipc@9.2.3` resolved from a private registry — demonstrates `Unverifiable (private source)` detection for pnpm v9 lockfiles. |
@@ -136,6 +135,14 @@ Lockfile-only snapshot from [storybookjs/storybook](https://github.com/storybook
 |---|---|---|---|
 | `storybook` | Yarn Berry | https://github.com/storybookjs/storybook | Cross-framework UI tooling monorepo — 3,008 packages, 92 findings. |
 
+## In-repo snapshot: Twenty
+
+Lockfile-only snapshot from [twentyhq/twenty](https://github.com/twentyhq/twenty) at revision `fc90b4ba8bb0a5d7c12c846fe9b2305527a0f7a8`. Commits `package.json` and `yarn.lock` only — no application source. [Case study](../website/docs/case-studies/twenty.md).
+
+| Folder | Package Manager | Source | Purpose |
+|---|---|---|---|
+| `twenty` | Yarn Berry | https://github.com/twentyhq/twenty | Open-source CRM Nx monorepo — 5,451 packages, 105 findings (0 direct). |
+
 ## Local-only examples
 
 Full project clones used for real-world testing. Not committed to this repo — clone each separately into `examples/` for local use.
@@ -176,7 +183,6 @@ node dist/index.js examples/wrong-parent --verbose
 node dist/index.js examples/no-findings
 node dist/index.js examples/dev-only-finding --verbose
 node dist/index.js examples/dev-only-finding --verbose --prod-only
-node dist/index.js examples/multiple-versions-same-pkg --verbose
 node dist/index.js examples/lima-site --verbose
 
 # In-repo snapshot: Astro
@@ -215,6 +221,9 @@ node dist/index.js examples/camofox-browser --verbose --all
 # In-repo snapshot: Storybook
 node dist/index.js examples/storybook --verbose --all
 
+# In-repo snapshot: Twenty
+node dist/index.js examples/twenty --verbose --all
+
 # Local-only (clone first)
 node dist/index.js examples/analog --verbose
 node dist/index.js examples/nest --verbose

examples/twenty/package.json

@@ -0,0 +1,76 @@
+{
+  "private": true,
+  "devDependencies": {
+    "@nx/jest": "22.5.4",
+    "@nx/js": "22.5.4",
+    "@nx/react": "22.5.4",
+    "@nx/storybook": "22.5.4",
+    "@nx/vite": "22.5.4",
+    "@nx/web": "22.5.4",
+    "@types/react": "^18.2.39",
+    "@types/react-dom": "^18.2.15",
+    "@yarnpkg/types": "^4.0.0",
+    "concurrently": "^8.2.2",
+    "http-server": "^14.1.1",
+    "nx": "22.5.4",
+    "oxfmt": "0.50.0",
+    "tsx": "^4.17.0",
+    "verdaccio": "^6.3.1"
+  },
+  "engines": {
+    "node": "^24.5.0",
+    "npm": "please-use-yarn",
+    "yarn": ">=4.0.2"
+  },
+  "license": "AGPL-3.0",
+  "name": "twenty",
+  "packageManager": "yarn@4.13.0",
+  "resolutions": {
+    "graphql": "16.8.1",
+    "type-fest": "4.10.1",
+    "typescript": "5.9.3",
+    "nodemailer": "8.0.4",
+    "graphql-redis-subscriptions/ioredis": "^5.6.0",
+    "@lingui/core": "5.1.2",
+    "@types/qs": "6.9.16",
+    "@wyw-in-js/transform@npm:0.6.0": "patch:@wyw-in-js/transform@npm%3A0.7.0#~/.yarn/patches/@wyw-in-js-transform-npm-0.7.0-ba641dc99f.patch",
+    "@wyw-in-js/transform@npm:0.7.0": "patch:@wyw-in-js/transform@npm%3A0.7.0#~/.yarn/patches/@wyw-in-js-transform-npm-0.7.0-ba641dc99f.patch",
+    "@opentelemetry/api": "1.9.1",
+    "chokidar": "^3.6.0"
+  },
+  "version": "0.2.1",
+  "nx": {},
+  "scripts": {
+    "docs:generate": "tsx packages/twenty-docs/scripts/generate-docs-json.ts",
+    "docs:generate-navigation-template": "tsx packages/twenty-docs/scripts/generate-navigation-template.ts",
+    "docs:generate-paths": "tsx packages/twenty-docs/scripts/generate-documentation-paths.ts",
+    "start": "npx concurrently --kill-others 'npx nx run-many -t start -p twenty-server twenty-front' 'npx wait-on tcp:3000 && npx nx run twenty-server:worker'"
+  },
+  "workspaces": {
+    "packages": [
+      "packages/twenty-front",
+      "packages/twenty-server",
+      "packages/twenty-emails",
+      "packages/twenty-ui",
+      "packages/twenty-utils",
+      "packages/twenty-zapier",
+      "packages/twenty-website",
+      "packages/twenty-docs",
+      "packages/twenty-e2e-testing",
+      "packages/twenty-shared",
+      "packages/twenty-sdk",
+      "packages/twenty-front-component-renderer",
+      "packages/twenty-client-sdk",
+      "packages/twenty-cli",
+      "packages/create-twenty-app",
+      "packages/twenty-oxlint-rules",
+      "packages/twenty-companion",
+      "packages/twenty-claude-skills"
+    ]
+  },
+  "prettier": {
+    "singleQuote": true,
+    "trailingComma": "all",
+    "endOfLine": "lf"
+  }
+}