fix(#3532): standardize metric IDs from snake_case to lowerCamelCase #3534

Open
fullsend-ai-coder[bot] wants to merge 1 commit into main from agent/3532-snake-case-to-camel-case

@fullsend-ai-coder

Rename all Scorecard metric and provider IDs from snake_case to lowerCamelCase to align with the app-config.yaml naming convention and the planned Scorecard design.

Key changes:

  • Provider ID definitions (e.g. github.open_prs -> github.openPrs)
  • SonarQube metric config keys and type members
  • OpenSSF dynamic ID generation (hyphen-to-camelCase conversion)
  • Translation keys in ref.ts and all 5 locale files
  • Config schema (config.d.ts) and YAML config keys
  • All test fixtures, e2e tests, and documentation
  • MetricProvidersRegistry error message format

SonarQube API metric keys (e.g. security_rating, code_smells) are preserved as-is since they are external API field names.

This is a breaking change for existing configurations that reference metric IDs by name.


Closes #3532

Post-script verification

  • Branch is not main/master (agent/3532-snake-case-to-camel-case)
  • Secret scan passed (gitleaks — ed84b21fc3f37da0e0d2ffb05b78432d11ec7ce6..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

Rename all Scorecard metric and provider IDs from snake_case
to lowerCamelCase to align with the app-config.yaml naming
convention and the planned Scorecard design.

Key changes:
- Provider ID definitions (e.g. github.open_prs -> github.openPrs)
- SonarQube metric config keys and type members
- OpenSSF dynamic ID generation (hyphen-to-camelCase conversion)
- Translation keys in ref.ts and all 5 locale files
- Config schema (config.d.ts) and YAML config keys
- All test fixtures, e2e tests, and documentation
- MetricProvidersRegistry error message format

SonarQube API metric keys (e.g. security_rating, code_smells)
are preserved as-is since they are external API field names.

This is a breaking change for existing configurations that
reference metric IDs by name.

Closes #3532
@rhdh-gh-app

rhdh-gh-app Bot commented Jun 22, 2026

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| app-legacy | workspaces/scorecard/packages/app-legacy | none | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot | workspaces/scorecard/plugins/scorecard-backend-module-dependabot | major | v0.2.13 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-github | workspaces/scorecard/plugins/scorecard-backend-module-github | major | v2.7.9 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-jira | workspaces/scorecard/plugins/scorecard-backend-module-jira | major | v2.7.9 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-openssf | workspaces/scorecard/plugins/scorecard-backend-module-openssf | major | v0.2.13 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube | workspaces/scorecard/plugins/scorecard-backend-module-sonarqube | major | v0.1.8 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | major | v2.7.9 |
| @red-hat-developer-hub/backstage-plugin-scorecard | workspaces/scorecard/plugins/scorecard | major | v2.7.9 |

@codecov

codecov Bot commented Jun 22, 2026

Codecov Report

❌ Patch coverage is 85.71429% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 53.63%. Comparing base (ed84b21) to head (a97e9fd).
⚠️ Report is 10 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3534   +/-   ##
=======================================
  Coverage   53.63%   53.63%           
=======================================
  Files        2260     2260           
  Lines       85976    85978    +2     
  Branches    24193    24201    +8     
=======================================
+ Hits        46116    46118    +2     
  Misses      38302    38302           
  Partials     1558     1558           
| Flag | Coverage Δ | *Carryforward flag |
|---|---|---|
| adoption-insights | 83.70% <ø> (ø) | Carriedforward from ed84b21 |
| ai-integrations | 67.95% <ø> (ø) | Carriedforward from ed84b21 |
| app-defaults | 69.79% <ø> (ø) | Carriedforward from ed84b21 |
| augment | 46.39% <ø> (ø) | Carriedforward from ed84b21 |
| boost | 74.64% <ø> (ø) | Carriedforward from ed84b21 |
| bulk-import | 72.46% <ø> (ø) | Carriedforward from ed84b21 |
| cost-management | 14.10% <ø> (ø) | Carriedforward from ed84b21 |
| dcm | 61.79% <ø> (ø) | Carriedforward from ed84b21 |
| extensions | 61.53% <ø> (ø) | Carriedforward from ed84b21 |
| global-floating-action-button | 71.18% <ø> (ø) | Carriedforward from ed84b21 |
| global-header | 59.71% <ø> (ø) | Carriedforward from ed84b21 |
| homepage | 49.84% <ø> (ø) | Carriedforward from ed84b21 |
| install-dynamic-plugins | 56.23% <ø> (ø) | Carriedforward from ed84b21 |
| konflux | 91.49% <ø> (ø) | Carriedforward from ed84b21 |
| lightspeed | 68.57% <ø> (ø) | Carriedforward from ed84b21 |
| mcp-integrations | 85.46% <ø> (ø) | Carriedforward from ed84b21 |
| orchestrator | 37.79% <ø> (ø) | Carriedforward from ed84b21 |
| quickstart | 63.76% <ø> (ø) | Carriedforward from ed84b21 |
| sandbox | 79.56% <ø> (ø) | Carriedforward from ed84b21 |
| scorecard | 83.97% <85.71%> (+<0.01%) ⬆️ | |
| theme | 61.26% <ø> (ø) | Carriedforward from ed84b21 |
| translations | 7.25% <ø> (ø) | Carriedforward from ed84b21 |
| x2a | 78.68% <ø> (ø) | Carriedforward from ed84b21 |

*This pull request uses carry forward flags.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update ed84b21...a97e9fd.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 5:09 PM UTC · Completed 5:22 PM UTC
Commit: ed84b21 · View workflow run →

@fullsend-ai-review

Review

Findings

High

  • [logic-error] workspaces/scorecard/plugins/scorecard-backend-module-openssf/src/metricProviders/OpenSSFMetricProvider.ts:59 — The camelCase conversion regex .replace(/-([a-zA-Z])/g, (_, c) => c.toUpperCase()).replace(/^[A-Z]/, c => c.toLowerCase()) only lowercases a single leading uppercase character, not a run of them. For metric names starting with uppercase acronyms, this produces incorrect IDs: CII-Best-Practices -> cIIBestPractices (documented: ciiBestPractices), CI-Tests -> cITests (documented: ciTests), SAST -> sAST (documented: sast). Three of eighteen OpenSSF metrics will have provider IDs that do not match the README or any downstream configuration referencing the documented names.
    Remediation: Apply .toLowerCase() first, then camelCase the hyphens: name.toLowerCase().replace(/-([a-z])/g, (_, c) => c.toUpperCase()). This yields ciiBestPractices, ciTests, and sast as documented.

  • [test-integrity] workspaces/scorecard/plugins/scorecard-backend-module-openssf/src/metricProviders/OpenSSFMetricProvider.test.ts:231 — The test computes expectedProviderIds using the same broken regex as the production code. Because the expected values are derived from the same buggy logic, the test passes but cannot detect that the generated IDs diverge from the documented/intended values for CII-Best-Practices, CI-Tests, and SAST.
    Remediation: Fix the regex in both production and test code, or hardcode the expected provider IDs in the test so it serves as an independent correctness check.

Info

  • [sub-agent-failure] N/A — The intent-coherence, style-conventions, and docs-currency sub-agents did not return findings due to model unavailability (claude-sonnet-4-5@20250929 not available on vertex deployment). The correctness dimension (opus) was fully evaluated.

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

const normalizedName = this.getMetricName()
.toLowerCase()
.replace(/-/g, '_');
.replace(/-([a-zA-Z])/g, (_, c) => c.toUpperCase())
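
Review bot: The pattern /-([a-zA-Z])/g in the normalizedName chain only consumes a hyphen that is followed by a letter, so a hyphen followed by a digit or by another hyphen would stay in the generated ID. Because these IDs are referenced as configuration keys, consider removing any hyphen that remains after the camelCase step, or rejecting a metric name that still contains one, so an unexpected name cannot produce an ID that is not lowerCamelCase.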

[high] logic-error

The camelCase conversion regex only lowercases a single leading uppercase character, not a run of them. For metric names starting with uppercase acronyms, this produces incorrect IDs: CII-Best-Practices -> cIIBestPractices (documented: ciiBestPractices), CI-Tests -> cITests (documented: ciTests), SAST -> sAST (documented: sast). Three of eighteen OpenSSF metrics will have provider IDs that do not match the README or downstream configuration.

Suggested fix: Apply .toLowerCase() first, then camelCase the hyphens: name.toLowerCase().replace(/-([a-z])/g, (_, c) => c.toUpperCase()). This yields ciiBestPractices, ciTests, and sast as documented.

const providerIds = providers.map(provider => provider.getProviderId());
const expectedProviderIds = OPENSSF_METRICS.map(metric => {
const normalizedName = metric.name.toLowerCase().replace(/-/g, '_');
const normalizedName = metric.name
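
Review bot: Nothing in the lines shown for the expectedProviderIds block checks that the values in providerIds are distinct, and a change of normalization is the point at which two metric names could start mapping to the same ID. If the rest of the test does not already cover it, assert that new Set(providerIds).size equals providerIds.length alongside the expected-ID comparison.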

[high] test-integrity

The test computes expectedProviderIds using the same broken regex as production code. Because the expected values are derived from the same buggy logic, the test passes but cannot detect that generated IDs diverge from documented/intended values for CII-Best-Practices, CI-Tests, and SAST.

Suggested fix: Fix the regex in both production and test code, or hardcode expected provider IDs in the test so it serves as an independent correctness check.
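
The two conversions discussed in the review findings, run against the three metric names the review cites, as an added example that is not code from the PR or the plugin. The function names and the strict lowerCamelCase pattern are assumptions made for illustration.

```typescript
// Added illustration: function names are hypothetical, not the plugin's API.

// Conversion quoted in the review finding (what the PR generates).
function camelAsInPr(name: string): string {
  return name
    .replace(/-([a-zA-Z])/g, (_m: string, c: string) => c.toUpperCase())
    .replace(/^[A-Z]/, (c: string) => c.toLowerCase());
}

// Conversion from the review's remediation: lowercase first, then camelCase.
function camelAsSuggested(name: string): string {
  return name
    .toLowerCase()
    .replace(/-([a-z])/g, (_m: string, c: string) => c.toUpperCase());
}

// Expected IDs written out by hand (the documented values quoted in the
// review), so the check does not reuse the conversion it is testing.
const DOCUMENTED: { name: string; id: string }[] = [
  { name: 'CII-Best-Practices', id: 'ciiBestPractices' },
  { name: 'CI-Tests', id: 'ciTests' },
  { name: 'SAST', id: 'sast' },
];

// Entries whose generated ID differs from the documented one.
function mismatches(convert: (n: string) => string): string[] {
  const out: string[] = [];
  for (const { name, id } of DOCUMENTED) {
    const got = convert(name);
    if (got !== id) out.push(`${name}: got ${got}, documented ${id}`);
  }
  return out;
}

// Shape guard for dynamically generated IDs. Assumption: "lowerCamelCase"
// is taken strictly, so acronym runs (sAST) and leftover hyphens are rejected.
function isStrictLowerCamel(id: string): boolean {
  return /^[a-z][a-z0-9]*([A-Z][a-z0-9]+)*$/.test(id);
}

console.log(mismatches(camelAsInPr));
console.log(mismatches(camelAsSuggested));
```

The shape guard catches the acronym case without a hand-written list, which makes it usable on IDs generated from names that are not known in advance.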

Development

Successfully merging this pull request may close these issues.

Unify Scorecard metric and provider IDs - Snake Case to Lower Camel Case
