refactor(satellite): simplify Python entry point resolution logic

Author: Lasim

services/satellite/src/process/github-deployment.ts

@@ -902,24 +902,34 @@ export class GitHubDeploymentHandler {
       if (command === 'python3') {
         // Running with system python3 interpreter - make script path relative
         const relativeEntryPoint = path.relative(deploymentDir, entryPoint);
+
+        // Activate venv by setting VIRTUAL_ENV environment variable
+        // This allows system python3 to find packages in .venv/lib/python3.x/site-packages
+        //
+        // Note: In production (nsjail), deployment dir is mounted as /app
+        // So we set VIRTUAL_ENV=/app/.venv which is accessible inside nsjail
+        // In development, we use the actual deployment directory path
+        const isProduction = process.env.NODE_ENV === 'production';
+        const venvPath = isProduction ? '/app/.venv' : path.join(deploymentDir, '.venv');
+        const venvBinPath = isProduction ? '/app/.venv/bin' : path.join(deploymentDir, '.venv/bin');
+
+        const activatedEnv = {
+          ...config.env,
+          VIRTUAL_ENV: venvPath,
+          // Prepend .venv/bin to PATH so python3 uses venv packages
+          PATH: `${venvBinPath}:${process.env.PATH || '/usr/bin:/bin'}`
+        };
+
         updatedConfig = {
           ...config,
           command: 'python3',
           args: [relativeEntryPoint],
-          temp_dir: deploymentDir
-        };
-      } else if (command.includes('.venv/bin/python')) {
-        // Running with venv Python - use relative paths for both command and script
-        const relativeCommand = path.relative(deploymentDir, command);
-        const relativeEntryPoint = path.relative(deploymentDir, entryPoint);
-        updatedConfig = {
-          ...config,
-          command: relativeCommand,  // .venv/bin/python
-          args: [relativeEntryPoint],  // server.py
-          temp_dir: deploymentDir
+          temp_dir: deploymentDir,
+          env: activatedEnv
         };
       } else {
         // Running directly (entry point is executable script from venv bin)
+        // Used for Pattern 1 (Installable Package) where [project.scripts] creates executables
         const relativeCommand = path.relative(deploymentDir, entryPoint);
         updatedConfig = {
           ...config,

services/satellite/src/utils/python-helpers.ts

@@ -185,30 +185,24 @@ export async function resolvePythonEntryPoint(
   // Fallback: look for __main__.py
   const mainPath = path.join(tempDir, '__main__.py');
   if (await fileExists(mainPath)) {
-    // Use venv Python if available
-    const venvPython = path.join(tempDir, '.venv', 'bin', 'python');
-    const command = await fileExists(venvPython) ? venvPython : 'python3';
-    return { command, entryPoint: mainPath };
+    // Use system python3 (security validated, venv packages available via working directory)
+    return { command: 'python3', entryPoint: mainPath };
   }
 
   // Try src/__main__.py (common pattern)
   const srcMainPath = path.join(tempDir, 'src', '__main__.py');
   if (await fileExists(srcMainPath)) {
-    // Use venv Python if available
-    const venvPython = path.join(tempDir, '.venv', 'bin', 'python');
-    const command = await fileExists(venvPython) ? venvPython : 'python3';
-    return { command, entryPoint: srcMainPath };
+    // Use system python3 (security validated, venv packages available via working directory)
+    return { command: 'python3', entryPoint: srcMainPath };
   }
 
   // Try common script names (server.py, main.py, app.py, run.py)
   const commonScriptNames = ['server.py', 'main.py', 'app.py', 'run.py'];
   for (const scriptName of commonScriptNames) {
     const scriptPath = path.join(tempDir, scriptName);
     if (await fileExists(scriptPath)) {
-      // Use venv Python if available
-      const venvPython = path.join(tempDir, '.venv', 'bin', 'python');
-      const command = await fileExists(venvPython) ? venvPython : 'python3';
-      return { command, entryPoint: scriptPath };
+      // Use system python3 (security validated, venv packages available via working directory)
+      return { command: 'python3', entryPoint: scriptPath };
     }
   }