✨ feat: Refactor scorecard serve cmd

[Fix3dP0int]

What kind of change does this PR introduce?

feature

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

The current serve uses Go’s built-in http package, which lacks modern features. And It fails to correctly aggregate the total score, and parameters and details cannot be retrieved properly.

What is the new behavior (if this is a feature change)?**

This PR refactors the serve component by migrating the original CLI-based parameter input to a RESTful API interface. Additionally, I replaced the native net/http logic with the chi router, which is lightweight yet expressive and well-suited for modular HTTP services in Go.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Related to #4627

[spencerschrock]

Don't have time to look in-depth, but wanted to make one comment:

The current serve uses Go’s built-in http package, which lacks modern features

What features specifically? Go 1.22 made good strides at least for the routing
https://go.dev/blog/routing-enhancements

[Fix3dP0int]

Sorry. I'm unfamiliar with new features of Go. It seems that chi isn't necessary. I will revert it. Thx.

[spencerschrock]

At a high level this looks like what we want, an http wrapper around the CLI. You said MCP will be built on top of this API, so is it matching what you need for that?

There are a few things that need changed, which I've left individual comments on. The linter also has some thoughts with this file.

[spencerschrock]

In the CLI, policy file is a local file. How do we expect to pass a policy file to a server, with a URI?

[spencerschrock]

what is the goal of having POST? Passing parameters as JSON instead of as query parameters?

[spencerschrock]

log.InfoLevel is a constant with this value.

[spencerschrock]

Right now we have one options.Options, which is passed in serveCmd, and then this one copy is modified for each request. This seems like a race condition.

we should create a new struct for each request. either through options.New, or manually if we want to avoid the env var parsing.

[spencerschrock]

this validation is already covered by the s.opts.Validate call below

[spencerschrock]

do we expect people to pass the serve command repos which are local to the server?

[spencerschrock]

should this be removed? was this for your testing?

[spencerschrock]

we would probably want ShowAnnotations as a query parameter.

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 211 lines in your changes missing coverage. Please review.

Project coverage is 67.71%. Comparing base (353ed60) to head (3060b2a).
Report is 184 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4665      +/-   ##
==========================================
+ Coverage   66.80%   67.71%   +0.91%     
==========================================
  Files         230      249      +19     
  Lines       16602    19044    +2442     
==========================================
+ Hits        11091    12896    +1805     
- Misses       4808     5289     +481     
- Partials      703      859     +156     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.