
feat: implement Delta Analysis Engine for auditing dependency version bumps (#106)#114

Open
prasiddhi-105 wants to merge 2 commits into ionfwsrijan:main from prasiddhi-105:feature/delta-analysis-engine

Conversation

prasiddhi-105 commented Jun 15, 2026


Before opening: make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.

Linked issue

Closes #106

What this PR does

This PR implements the core Delta Analysis Engine to evaluate third-party package modifications and dependency version bumps. It dynamically fetches source distributions directly from public registries (such as PyPI) and extracts them into temporary file structures. It then analyzes the differences to track completely new files and runs an AST-based static analyzer over the source code to flag high-risk patterns like eval(), preventing hidden security regressions.

Type of change

  • Bug fix
  • New feature
  • ML model / training pipeline
  • Refactor (no behaviour change)
  • Documentation
  • Tests only

ML tier (if applicable)

N/A

How did you test this?

I tested this implementation locally using Python's sandbox runtime environment by passing version bump sequences through the parsing and auditing pipeline.

  • Executed end-to-end simulation tracking requests: 2.28.1 -> 2.31.0.
  • Verified live network communication fetching source distributions (.tar.gz) from the PyPI JSON API.
  • Confirmed the system successfully unpacks archives, extracts directory footprints, executes Abstract Syntax Tree (ast) node inspections, and returns the strictly formatted output schema payload without errors.

🛠️ Implementation Details

  • Version Manifest Diffing: Added a modular parser inside delta_engine.py using regex mapping to extract package metadata (dependency_name, old_version, and new_version) from incoming strings.
  • Upstream Registry Fetching: Integrated a native, lightweight downloader that queries the public PyPI registry JSON API to isolate and download source distributions (.tar.gz).
  • Code Changes Audit: Developed a directory-walking comparator to pinpoint added_files, paired with a built-in Abstract Syntax Tree (ast) walker to check Python files for high-risk language signatures.

Verified Output Payload Schema:

{
  "supply_chain_diff": {
    "dependency": "requests",
    "upgrade_path": "2.28.1 -> 2.31.0",
    "risk_assessment": {
      "added_files": [],
      "suspicious_patterns_detected": [],
      "overall_risk_score": "low"
    }
  }
}
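As an added example (not code from this PR or the repository), here is a minimal offline version of the audit step the description outlines: the bump-string parser, the added-file comparator and the AST walker, emitting the output schema shown above. The bump line format ("name old -> new"), the scoring rule, the set of flagged calls and the two sample file trees are assumptions; a real run would extract them from downloaded sdists.

```python
import ast
import re

# Constructed sample trees standing in for two extracted sdists ({path: source}).
OLD_TREE = {
    "requests/__init__.py": "__version__ = '2.28.1'\n",
    "requests/api.py": "def get(url):\n    return url\n",
}
NEW_TREE = {
    "requests/__init__.py": "__version__ = '2.31.0'\n",
    "requests/api.py": "def get(url):\n    return url\n",
    # Added file that decodes and executes a blob: the pattern the engine should flag.
    "requests/_boot.py": "import base64\nexec(base64.b64decode('cGFzcw=='))\n",
}

HIGH_RISK_CALLS = {"eval", "exec", "compile", "__import__"}  # assumed list
BUMP_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s+(?P<old>[\w.]+)\s*->\s*(?P<new>[\w.]+)\s*$")


def parse_bump(line):
    """Extract (dependency_name, old_version, new_version); line format is assumed."""
    m = BUMP_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised bump line: {line!r}")
    return m["name"], m["old"], m["new"]


def scan_source(path, source):
    """Walk the AST and report direct calls to names in HIGH_RISK_CALLS."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as e:  # an unparsable file is itself worth surfacing
        return [{"file": path, "line": e.lineno or 0, "pattern": "syntax-error"}]
    return [{"file": path, "line": n.lineno, "pattern": f"{n.func.id}()"}
            for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
            and n.func.id in HIGH_RISK_CALLS]


def delta_report(bump_line, old_tree, new_tree):
    name, old, new = parse_bump(bump_line)
    added = sorted(set(new_tree) - set(old_tree))
    # Scan every Python file in the new version, not only added ones: a modified
    # existing file can introduce eval()/exec() just as easily as a new one.
    patterns = [h for p, src in sorted(new_tree.items())
                if p.endswith(".py") for h in scan_source(p, src)]
    score = "high" if patterns else ("medium" if added else "low")  # assumed rule
    return {"supply_chain_diff": {"dependency": name, "upgrade_path": f"{old} -> {new}",
            "risk_assessment": {"added_files": added, "suspicious_patterns_detected": patterns,
                                "overall_risk_score": score}}}
```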

@github-actions github-actions Bot added feature New feature SSoC26 needs-work Work needed labels Jun 15, 2026
@github-actions


⚠️ Automated Check: This PR does not strictly follow the required template. Please ensure you have not deleted any checkboxes or mandatory headings, and that you have written explanations under What this PR does and How did you test this?.

@prasiddhi-105 (Author)

Hi, I would love to work under you and contribute to your project, please assign me.

@ionfwsrijan (Owner)

@prasiddhi-105 Please fix failing checks
