fix: use pipx for poetry + venv for project dependencies

SOLUTION: Hybrid approach using pipx + virtual environment

Strategy:
- pipx: Install poetry (manages its own virtual environment)
- venv: Isolate project dependencies and security tools
- This avoids PEP 668 restrictions completely

Changes:
- Install pipx system-wide for poetry management
- Use 'pipx install poetry' (bypasses system pip restrictions)
- Create separate venv for project dependencies
- Use poetry (via pipx) to install project dependencies
- Use venv/bin/pip for security tools (safety, bandit)
- Maintain complete isolation for both environments

Benefits:
- Poetry: Self-contained virtual environment via pipx
- Project: Isolated dependencies in project venv
- Security: Tools in project venv for consistency
- No conflicts: Complete separation of concerns
- PEP 668 compliant: No system Python modifications

Updated workflows:
- audit.yml: pipx poetry + project venv
- fix.yml: pipx poetry + project venv + safety
- security-scanning.yml: pipx poetry + project venv + security tools

Expected results:
- Poetry installed via pipx without system restrictions
- Project dependencies installed via poetry in project venv
- Security tools working in isolated project venv
- Complete compliance with PEP 668 requirements
- All workflows should complete successfully

.gitea/workflows/audit.yml

@@ -46,28 +46,39 @@ jobs:
             if ! command -v python3 >/dev/null 2>&1; then
               echo "Installing Python 3..."
               apt-get update
-              apt-get install -y python3 python3-pip python3-venv python3-full
+              apt-get install -y python3 python3-pip python3-venv python3-full pipx
             fi
             
-            echo "=== VIRTUAL ENVIRONMENT ==="
-            # Create and use virtual environment
+            # Install pipx if not available (for poetry)
+            if ! command -v pipx >/dev/null 2>&1; then
+              echo "Installing pipx..."
+              python3 -m pip install --user pipx
+              python3 -m pipx ensurepath
+            fi
+            
+            echo "=== POETRY INSTALLATION (via pipx) ==="
+            # Use pipx to install poetry (manages its own venv)
+            if ! command -v poetry >/dev/null 2>&1; then
+              echo "Installing poetry with pipx..."
+              pipx install poetry
+            else
+              echo "Poetry already available"
+            fi
+            
+            echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+            # Create venv for project dependencies
             python3 -m venv venv
             source venv/bin/activate
             
-            echo "Virtual environment activated"
+            echo "Project venv activated"
             echo "Python in venv: $(python --version)"
             echo "Pip in venv: $(pip --version)"
             
             echo "=== PYTHON DEPENDENCIES ==="
-            # Use venv pip explicitly to avoid system pip
-            if command -v poetry >/dev/null 2>&1; then
-              echo "Poetry found, installing dependencies..."
-              poetry install
-            else
-              echo "Installing poetry with venv pip..."
-              venv/bin/pip install poetry
-              poetry install
-            fi
+            # Use poetry (installed via pipx) to install project dependencies
+            echo "Installing project dependencies with poetry..."
+            poetry install
+            
             echo "✅ Python dependencies installed!"
           else
             echo "❌ No supported project type found!"

.gitea/workflows/fix.yml

@@ -44,28 +44,39 @@ jobs:
             if ! command -v python3 >/dev/null 2>&1; then
               echo "Installing Python 3..."
               apt-get update
-              apt-get install -y python3 python3-pip python3-venv python3-full
+              apt-get install -y python3 python3-pip python3-venv python3-full pipx
             fi
             
-            echo "=== VIRTUAL ENVIRONMENT ==="
-            # Create and use virtual environment
+            # Install pipx if not available (for poetry)
+            if ! command -v pipx >/dev/null 2>&1; then
+              echo "Installing pipx..."
+              python3 -m pip install --user pipx
+              python3 -m pipx ensurepath
+            fi
+            
+            echo "=== POETRY INSTALLATION (via pipx) ==="
+            # Use pipx to install poetry (manages its own venv)
+            if ! command -v poetry >/dev/null 2>&1; then
+              echo "Installing poetry with pipx..."
+              pipx install poetry
+            else
+              echo "Poetry already available"
+            fi
+            
+            echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+            # Create venv for project dependencies
             python3 -m venv venv
             source venv/bin/activate
             
-            echo "Virtual environment activated"
+            echo "Project venv activated"
             echo "Python in venv: $(python --version)"
             echo "Pip in venv: $(pip --version)"
             
             echo "=== PYTHON DEPENDENCIES ==="
-            # Use venv pip explicitly to avoid system pip
-            if command -v poetry >/dev/null 2>&1; then
-              echo "Poetry found, installing dependencies..."
-              poetry install
-            else
-              echo "Installing poetry with venv pip..."
-              venv/bin/pip install poetry
-              poetry install
-            fi
+            # Use poetry (installed via pipx) to install project dependencies
+            echo "Installing project dependencies with poetry..."
+            poetry install
+            
             echo "✅ Python dependencies installed!"
             echo "=== SECURITY FIXES ==="
             # Check for common Python security issues

.gitea/workflows/security-scanning.yml

@@ -44,28 +44,39 @@ jobs:
             if ! command -v python3 >/dev/null 2>&1; then
               echo "Installing Python 3..."
               apt-get update
-              apt-get install -y python3 python3-pip python3-venv python3-full
+              apt-get install -y python3 python3-pip python3-venv python3-full pipx
             fi
             
-            echo "=== VIRTUAL ENVIRONMENT ==="
-            # Create and use virtual environment
+            # Install pipx if not available (for poetry)
+            if ! command -v pipx >/dev/null 2>&1; then
+              echo "Installing pipx..."
+              python3 -m pip install --user pipx
+              python3 -m pipx ensurepath
+            fi
+            
+            echo "=== POETRY INSTALLATION (via pipx) ==="
+            # Use pipx to install poetry (manages its own venv)
+            if ! command -v poetry >/dev/null 2>&1; then
+              echo "Installing poetry with pipx..."
+              pipx install poetry
+            else
+              echo "Poetry already available"
+            fi
+            
+            echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+            # Create venv for project dependencies
             python3 -m venv venv
             source venv/bin/activate
             
-            echo "Virtual environment activated"
+            echo "Project venv activated"
             echo "Python in venv: $(python --version)"
             echo "Pip in venv: $(pip --version)"
             
             echo "=== PYTHON DEPENDENCIES ==="
-            # Use venv pip explicitly to avoid system pip
-            if command -v poetry >/dev/null 2>&1; then
-              echo "Poetry found, installing dependencies..."
-              poetry install
-            else
-              echo "Installing poetry with venv pip..."
-              venv/bin/pip install poetry
-              poetry install
-            fi
+            # Use poetry (installed via pipx) to install project dependencies
+            echo "Installing project dependencies with poetry..."
+            poetry install
+            
             echo "✅ Running security scan..."
             venv/bin/pip install safety bandit
             echo "=== Safety check (dependencies) ==="