docs: add override hygiene auditing documentation

README.md

@@ -197,6 +197,7 @@ No other free tool combines all of the following: lockfile scanning across npm,
 | SARIF / GitHub Code Scanning output | ✅ | ❌ | ✅ | ✅ | ❌ |
 | JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
 | Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ |
+| Override hygiene auditing | ✅ | ❌ | ❌ | ❌ | ❌ |
 
 <sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>
 
@@ -427,7 +428,7 @@ cve-lite overrides /path/to/project --audit-log ./override-audit.ndjson
 
 `--fix` applies fixes as RFC 6902 patches to `package.json`. A chokepoint guard means a fix can only remove, repin, move, or relocate an existing override; it can never invent a new override key. Suggest-only findings (OA004 cross-major, OA005.d/.e, all of OA008) and "proposed" fixes (the OA006 relocate floor) carry no auto-applied patch and are surfaced as recommendations. `--fail-on <severity>` sets the minimum severity that makes the command exit non-zero (default: `critical`).
 
-Full per-rule reference, including the OA005 sub-codes, lives in [`docs/rules/`](docs/rules/README.md). For the programmatic API, see [`docs/api/overrides.md`](docs/api/overrides.md).
+For the full guide with diagrams, per-rule examples, and CI patterns, see the [Override Hygiene Auditing guide](https://owasp.org/cve-lite-cli/docs/override-hygiene). Full per-rule reference including OA005 sub-codes lives in [`docs/rules/`](docs/rules/README.md). For the programmatic API, see [`docs/api/overrides.md`](docs/api/overrides.md).
 
 ## AI assistant integration (`install-skill`)
 

examples/cal-com/package.json

@@ -0,0 +1,233 @@
+{
+  "name": "calcom-monorepo",
+  "version": "0.0.0",
+  "private": true,
+  "workspaces": [
+    "apps/*",
+    "apps/api/*",
+    "packages/*",
+    "packages/embeds/*",
+    "packages/features/*",
+    "packages/app-store",
+    "packages/app-store/*",
+    "packages/platform/*",
+    "packages/platform/examples/base",
+    "example-apps/*"
+  ],
+  "scripts": {
+    "app-store-cli": "yarn workspace @calcom/app-store-cli",
+    "app-store:build": "yarn turbo build --filter=@calcom/app-store-cli",
+    "app-store:watch": "yarn app-store-cli watch",
+    "app-store": "yarn app-store-cli cli",
+    "create-app": "yarn app-store create",
+    "edit-app": "yarn app-store edit",
+    "withEmbedPublishEnv": "NEXT_PUBLIC_EMBED_LIB_URL='https://app.cal.com/embed/embed.js' NEXT_PUBLIC_WEBAPP_URL='https://app.cal.com' yarn",
+    "publish-embed": "yarn withEmbedPublishEnv workspace @calcom/embed-core build && yarn withEmbedPublishEnv workspace @calcom/embed-snippet build && yarn workspaces foreach --from=\"@calcom/embed*\" npm publish --access=public",
+    "delete-app": "yarn app-store delete",
+    "create-app-template": "yarn app-store create-template",
+    "edit-app-template": "yarn app-store edit-template",
+    "delete-app-template": "yarn app-store delete-template",
+    "build": "turbo run build --filter=@calcom/web...",
+    "build:ai": "turbo run build --filter=\"@calcom/ai\"",
+    "clean": "find . -name node_modules -o -name .next -o -name .turbo -o -name dist -type d -prune | xargs rm -rf",
+    "db-deploy": "turbo run db-deploy",
+    "db-seed": "turbo run db-seed",
+    "db-studio": "yarn prisma studio",
+    "deploy": "turbo run deploy",
+    "dev:all": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/website\" --filter=\"@calcom/console\"",
+    "dev:ai": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/api-proxy\" --filter=\"@calcom/ai\"",
+    "dev:api": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/api-proxy\"",
+    "dev:api:console": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/api-proxy\" --filter=\"@calcom/console\"",
+    "dev:console": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/console\"",
+    "dev:swagger": "turbo run dev --filter=\"@calcom/api-proxy\" --filter=\"@calcom/swagger\"",
+    "dev:website": "turbo run dev --filter=\"@calcom/web\" --filter=\"@calcom/website\"",
+    "dev:trigger": "turbo run dev:trigger --filter=\"@calcom/features\"",
+    "deploy:trigger:prod": "turbo run deploy:trigger:prod --filter=\"@calcom/features\"",
+    "deploy:trigger:staging": "turbo run deploy:trigger:staging --filter=\"@calcom/features\"",
+    "dev": "turbo run dev --filter=\"@calcom/web\"",
+    "dx": "turbo run dx",
+    "i-dev": "infisical run -- turbo run dev --filter=\"@calcom/web\"",
+    "i-dx": "infisical run -- turbo run dx",
+    "i-gen-web-example-env": "infisical secrets generate-example-env --tags=web > .env.example",
+    "i-gen-app-store-example-env": "infisical secrets generate-example-env --tags=appstore > .env.appStore.example",
+    "embed-tests-quick": "turbo run embed-tests-quick",
+    "embed-tests": "turbo run embed-tests",
+    "env-check:app-store": "dotenv-checker --schema .env.appStore.example --env .env.appStore",
+    "env-check:common": "dotenv-checker --schema .env.example --env .env",
+    "format": "biome format --write .",
+    "heroku-postbuild": "turbo run @calcom/web#build",
+    "lint:fix": "turbo lint:fix",
+    "lint:report": "turbo lint:report",
+    "lint": "turbo lint",
+    "postinstall": "husky install && turbo run post-install",
+    "pre-commit": "lint-staged",
+    "predev": "echo 'Checking env files'",
+    "prisma": "yarn workspace @calcom/prisma prisma",
+    "start": "turbo run start --filter=\"@calcom/web\"",
+    "tdd": "vitest watch",
+    "e2e": "NEXT_PUBLIC_IS_E2E=1 yarn playwright test --project=@calcom/web",
+    "e2e:app-store": "NEXT_PUBLIC_IS_E2E=1 QUICK=true yarn playwright test --project=@calcom/app-store",
+    "e2e:embed": "NEXT_PUBLIC_IS_E2E=1 yarn playwright test --project=@calcom/embed-core",
+    "e2e:embed-react": "QUICK=true yarn playwright test --project=@calcom/embed-react",
+    "test-e2e": "yarn db-seed && yarn e2e",
+    "test-e2e:app-store": "yarn db-seed && yarn e2e:app-store",
+    "test-e2e:embed": "yarn db-seed && yarn e2e:embed",
+    "test-e2e:embed-react": "yarn db-seed && yarn e2e:embed-react",
+    "test-playwright": "yarn playwright test --config=playwright.config.ts",
+    "test": "TZ=UTC vitest run",
+    "test:ui": "TZ=UTC vitest --ui",
+    "type-check": "turbo run type-check",
+    "type-check:ci": "turbo run type-check:ci --log-prefix=none",
+    "web": "yarn workspace @calcom/web",
+    "changesets-add": "yarn changeset add",
+    "changesets-version": "yarn changeset version",
+    "changesets-release": "NODE_OPTIONS='--max_old_space_size=12288' turbo run build-npm --filter=@calcom/atoms && yarn changeset publish",
+    "lint-staged": "lint-staged"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "2.3.10",
+    "@changesets/changelog-github": "0.5.1",
+    "@changesets/cli": "2.29.4",
+    "@faker-js/faker": "9.2.0",
+    "@jetstreamapp/soql-parser-js": "6.1.0",
+    "@playwright/test": "1.57.0",
+    "@prisma/internals": "6.16.2",
+    "@snaplet/copycat": "4.1.0",
+    "@testing-library/jest-dom": "5.17.0",
+    "@testing-library/react": "16.0.1",
+    "@vitest/coverage-v8": "4.1.8",
+    "@vitest/ui": "4.1.8",
+    "c8": "7.13.0",
+    "checkly": "latest",
+    "dotenv-checker": "1.1.5",
+    "husky": "9.1.7",
+    "i18n-unused": "0.13.0",
+    "jest-diff": "29.7.0",
+    "jest-summarizing-reporter": "1.1.4",
+    "lint-staged": "12.5.0",
+    "mailhog": "4.16.0",
+    "next-router-mock": "0.9.12",
+    "node-gyp": "10.2.0",
+    "node-ical": "0.16.1",
+    "prismock": "1.35.3",
+    "resize-observer-polyfill": "1.5.1",
+    "tsc-absolute": "1.0.0",
+    "turbo": "2.7.1",
+    "typescript": "5.9.3",
+    "vitest": "4.1.8",
+    "vitest-fetch-mock": "0.4.5",
+    "vitest-mock-extended": "3.1.0"
+  },
+  "resolutions": {
+    "webpack": "5.104.1",
+    "systeminformation": "5.31.0",
+    "path-to-regexp@^8.0.0": "8.4.0",
+    "path-to-regexp@0.1.12": "0.1.13",
+    "@isaacs/brace-expansion": "5.0.1",
+    "types-ramda": "0.29.4",
+    "@apidevtools/json-schema-ref-parser": "9.0.9",
+    "@types/react": "18.0.26",
+    "@types/react-dom": "^18.0.9",
+    "@types/node": "^20.17.23",
+    "next-i18next@^13.2.2": "patch:next-i18next@npm%3A13.3.0#./.yarn/patches/next-i18next-npm-13.3.0-bf25b0943c.patch",
+    "libphonenumber-js": "patch:libphonenumber-js@1.12.38#./.yarn/patches/libphonenumber-js+1.12.38.patch",
+    "dayjs@1.11.2": "patch:dayjs@npm%3A1.11.4#./.yarn/patches/dayjs-npm-1.11.4-97921cd375.patch",
+    "dayjs@^1": "patch:dayjs@npm%3A1.11.4#./.yarn/patches/dayjs-npm-1.11.4-97921cd375.patch",
+    "dayjs@^1.8.29": "patch:dayjs@npm%3A1.11.4#./.yarn/patches/dayjs-npm-1.11.4-97921cd375.patch",
+    "import-in-the-middle": "1.13.1",
+    "react@19.2.0": "19.2.4",
+    "react@19.2.1": "19.2.4",
+    "react@19.2.2": "19.2.4",
+    "tar-fs": "2.1.4",
+    "rollup": "4.59.0",
+    "jpeg-js": "0.4.4",
+    "validator": "13.15.22",
+    "form-data": "4.0.4",
+    "axios": "1.15.0",
+    "follow-redirects": "1.16.0",
+    "protobufjs": "7.5.5",
+    "shell-quote": "1.8.4",
+    "jws": "4.0.1",
+    "jsonwebtoken": "9.0.0",
+    "sha.js": "2.4.12",
+    "qs": "6.14.2",
+    "typeorm": "0.3.27",
+    "node-forge": "1.4.0",
+    "picomatch@3.0.1": "3.0.2",
+    "picomatch@^2.0.4": "2.3.2",
+    "picomatch@^2.2.1": "2.3.2",
+    "picomatch@^2.2.3": "2.3.2",
+    "picomatch@^2.3.1": "2.3.2",
+    "picomatch@^4.0.2": "4.0.4",
+    "picomatch@^4.0.3": "4.0.4",
+    "@modelcontextprotocol/sdk": "1.26.0",
+    "hono": "4.12.12",
+    "express-rate-limit": "8.2.2",
+    "svgo": "4.0.1",
+    "js-yaml": "4.1.1",
+    "mdast-util-to-hast": "13.2.1",
+    "prismjs": "1.30.0",
+    "react-devtools-core": "4.28.4",
+    "formidable": "2.1.3",
+    "serialize-javascript": "7.0.5",
+    "@adobe/css-tools": "4.3.2",
+    "jsondiffpatch": "0.7.2",
+    "min-document": "2.19.1",
+    "tar": "7.5.11",
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
+    "@lingo.dev/_compiler/fast-xml-parser": "5.5.9",
+    "fast-xml-parser": "5.5.9",
+    "bn.js": "4.12.3",
+    "minimatch@10.0.3": "10.2.4",
+    "multer": "2.1.1",
+    "flatted": "3.4.2",
+    "socket.io-parser": "4.2.6",
+    "vite": "6.4.2",
+    "defu": "6.1.5",
+    "immutable": "3.8.3",
+    "@hono/node-server": "1.19.13",
+    "@xmldom/xmldom@0.9.8": "0.9.9",
+    "@xmldom/xmldom@^0.8.1": "0.8.12",
+    "@xmldom/xmldom@^0.8.5": "0.8.12",
+    "@xmldom/xmldom@^0.8.8": "0.8.12",
+    "@xmldom/xmldom@^0.8.10": "0.8.12",
+    "yaml@2.8.1": "2.8.3",
+    "yaml@^2.0.0": "2.8.3",
+    "yaml@^2.1.1": "2.8.3",
+    "yaml@^2.3.1": "2.8.3",
+    "yaml@^2.3.4": "2.8.3",
+    "yaml@^2.4.2": "2.8.3",
+    "yaml@2.0.0-1": "2.8.3",
+    "ajv@8.12.0": "8.18.0",
+    "ajv@~8.12.0": "8.18.0",
+    "ajv@~8.13.0": "8.18.0",
+    "ajv@^8.0.0": "8.18.0",
+    "ajv@^8.6.3": "8.18.0",
+    "ajv@^8.17.1": "8.18.0",
+    "ajv@^6.12.5": "6.14.0",
+    "brace-expansion@^5.0.2": "5.0.5",
+    "brace-expansion@^2.0.1": "2.0.3",
+    "brace-expansion@^2.0.2": "2.0.3"
+  },
+  "packageExtensions": {
+    "ink@3.2.0": {
+      "dependencies": {
+        "ws": "7.5.10"
+      }
+    }
+  },
+  "engines": {
+    "npm": ">=7.0.0",
+    "yarn": ">=4.12.0"
+  },
+  "prisma": {
+    "schema": "packages/prisma/schema.prisma",
+    "seed": "ts-node --transpile-only ./packages/prisma/seed.ts"
+  },
+  "packageManager": "yarn@4.12.0",
+  "syncpack": {
+    "filter": "^(?!@calcom).*",
+    "semverRange": ""
+  }
+}