feat: add AI module for LLM interaction and a heuristic for checking code–docstring consistency

[AmineRaouane]

Summary

This PR introduces an AI client for interacting with large language models (LLMs) and adds a new heuristic analyzer to detect inconsistencies between code and its docstrings.

Description of changes

• Added an AIClient class to enable seamless integration with LLMs .
• Implemented a new heuristic analyzer called MatchingDocstringsAnalyzer that detect inconsistencies between code and its docstrings.
• Integrated the new heuristic into the heuristics.py registry.
• Updated detect_malicious_metadata_check.py to include and run this new heuristic.
• Added unit tests to verify correct detection of missing or mismatched docstrings.

Related issues

None

Checklist

• I have reviewed the contribution guide.
• My PR title and commits follow the Conventional Commits convention.
• My commits include the "Signed-off-by" line.
• I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
• I have updated the relevant documentation, if applicable.
• I have tested my changes and verified they work as expected.

[art1f1c3R]

Can you tell me more about the types of responses models give to this prompt? My main questions are how the model assigns a score from 0 to 100. It is asked to look at several aspects (High-level description summary, benefit, how to install, how to use) and their consistency with each other. What happens if one of those sections is missing? Is that "less consistent"? Do any of the section comparisons get weighted more than the other (e.g. "how to use" vs "high-level description summary" has more weight than "how to use" vs "benefit")? If a description uses clear headings, is it going to be scored higher than one that does not, when both include equivalent information? If a package has a pretty bare-bones description with essentially no information on any of these headings, is it labelled inconsistent?

[AmineRaouane]

Well, I didn’t specify more in the system prompt as you can see, the model will decide the overall score. If needed, I can add examples of best and worst packages in the prompt to guide it better.

Right now, the model isn’t explicitly told to weigh one section over another; it just evaluates the consistency across all provided aspects (high-level description, benefit, how to install, how to use) and gives a score from 0 to 100. If one of those sections is missing, the model will likely consider it “less consistent” overall, which should lower the score.

The returned format looks like this:
{ "score": ... , "reason": ... }

[art1f1c3R]

So it looks like we patch and hardcode the return values for analyzer.client.invoke. Isn't pass/fail mostly determined by that result though?

[AmineRaouane]

Yeah, that’s exactly why I set it up this way I wanted something fixed across all models, so patching and hardcoding the return values for analyzer.client.invoke ensures consistency. The pass/fail is indeed mostly determined by that result, and this approach keeps it stable so the outcome isn’t affected by model variance.

[art1f1c3R]

Same here.

[tromai]

Could you please explain to us what does /no_think means in this context and why it's used in this prompt ?

[AmineRaouane]

/no_think here is used to prevent “thinking” or reasoning steps from the model. This way, it skips generating internal reasoning chains and directly produces the output, which reduces response time .

[art1f1c3R]

Do you have any results from running this on existing PyPI packages, and how the LLM performed?