Refactor PyPI logic and cleanup

packages/safe-chain/bin/aikido-pip.js

@@ -3,15 +3,12 @@
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
-import { setCurrentPipInvocation, PIP_INVOCATIONS, PIP_PACKAGE_MANAGER } from "../src/packagemanager/pip/pipSettings.js";
+import { PIP_PACKAGE_MANAGER, PIP_COMMAND } from "../src/packagemanager/pip/pipSettings.js";
 
 // Set eco system
 setEcoSystem(ECOSYSTEM_PY);
 
-// Set current invocation
+initializePackageManager(PIP_PACKAGE_MANAGER, { tool: PIP_COMMAND, args: process.argv.slice(2) });
-setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
-
-initializePackageManager(PIP_PACKAGE_MANAGER);
 
 (async () => {
   // Pass through only user-supplied pip args

packages/safe-chain/bin/aikido-pip3.js

@@ -3,16 +3,12 @@
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
-import { setCurrentPipInvocation, PIP_INVOCATIONS, PIP_PACKAGE_MANAGER } from "../src/packagemanager/pip/pipSettings.js";
+import { PIP_PACKAGE_MANAGER, PIP3_COMMAND } from "../src/packagemanager/pip/pipSettings.js";
 
 // Set eco system
 setEcoSystem(ECOSYSTEM_PY);
 
-// Set current invocation
+initializePackageManager(PIP_PACKAGE_MANAGER, { tool: PIP3_COMMAND, args: process.argv.slice(2) });
-setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
-
-// Create package manager
-initializePackageManager(PIP_PACKAGE_MANAGER);
 
 (async () => {
   // Pass through only user-supplied pip args

packages/safe-chain/bin/aikido-python.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
-import { setCurrentPipInvocation, PIP_INVOCATIONS, PIP_PACKAGE_MANAGER } from "../src/packagemanager/pip/pipSettings.js";
+import { PIP_PACKAGE_MANAGER, PYTHON_COMMAND } from "../src/packagemanager/pip/pipSettings.js";
 import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
 import { main } from "../src/main.js";
 
@@ -11,20 +11,9 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
+initializePackageManager(PIP_PACKAGE_MANAGER, { tool: PYTHON_COMMAND, args: argv });
+
 (async () => {
-  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-    setEcoSystem(ECOSYSTEM_PY);
-    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP);
-    initializePackageManager(PIP_PACKAGE_MANAGER);
-
-    // Strip off the '-m pip' or '-m pip3' from the args
-    argv = argv.slice(2);
-
   var exitCode = await main(argv);
   process.exit(exitCode);
-  } else {
-    // Forward to real python binary for non-pip flows
-    const { spawn } = await import('child_process');
-    spawn('python', argv, { stdio: 'inherit' });
-  }
 })();

packages/safe-chain/bin/aikido-python3.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
-import { setCurrentPipInvocation, PIP_INVOCATIONS, PIP_PACKAGE_MANAGER } from "../src/packagemanager/pip/pipSettings.js";
+import { PIP_PACKAGE_MANAGER, PYTHON3_COMMAND } from "../src/packagemanager/pip/pipSettings.js";
 import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
 import { main } from "../src/main.js";
 
@@ -11,20 +11,9 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
+initializePackageManager(PIP_PACKAGE_MANAGER, { tool: PYTHON3_COMMAND, args: argv });
+
 (async () => {
-  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-    setEcoSystem(ECOSYSTEM_PY);
-    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP);
-    initializePackageManager(PIP_PACKAGE_MANAGER);
-
-    // Strip off the '-m pip' or '-m pip3' from the args
-    argv = argv.slice(2);
-
   var exitCode = await main(argv);
   process.exit(exitCode);
-  } else {
-    // Forward to real python3 binary for non-pip flows
-    const { spawn } = await import('child_process');
-    spawn('python3', argv, { stdio: 'inherit' });
-  }
 })();

packages/safe-chain/bin/safe-chain.js

@@ -13,11 +13,6 @@ import path from "path";
 import { fileURLToPath } from "url";
 import fs from "fs";
 import { knownAikidoTools } from "../src/shell-integration/helpers.js";
-import {
-  PIP_INVOCATIONS,
-  PIP_PACKAGE_MANAGER,
-  setCurrentPipInvocation,
-} from "../src/packagemanager/pip/pipSettings.js";
 
 /** @type {string} */
 // This checks the current file's dirname in a way that's compatible with:
@@ -46,15 +41,14 @@ const command = process.argv[2];
 
 const tool = knownAikidoTools.find((tool) => tool.tool === command);
 
-if (tool && tool.internalPackageManagerName === PIP_PACKAGE_MANAGER) {
+if (tool) {
-  (async function () {
-    await executePip(tool);
-  })();
-} else if (tool) {
   const args = process.argv.slice(3);
 
   setEcoSystem(tool.ecoSystem);
-  initializePackageManager(tool.internalPackageManagerName);
+  
+  // Provide tool context to PM (pip uses this; others ignore)
+  const toolContext = { tool: tool.tool, args };
+  initializePackageManager(tool.internalPackageManagerName, toolContext);
 
   (async () => {
     var exitCode = await main(args);
@@ -140,51 +134,3 @@ async function getVersion() {
 
   return "0.0.0";
 }
-
-/**
- * @param {import("../src/shell-integration/helpers.js").AikidoTool} tool
- */
-async function executePip(tool) {
-  // Scanners for pip / pip3 / python / python3 use a slightly different approach:
-  //  - They all use the same PIP_PACKAGE_MANAGER internally, but need some setup to be able to do so
-  //     - It needs to set which tool to run (pip / pip3 / python / python3)
-  //     - For python and python3, the -m pip/pip3 args are removed and later added again by the package manager
-  //  - Python / python3 skips safe-chain if not being run with -m pip or -m pip3
-
-  let args = process.argv.slice(3);
-  setEcoSystem(tool.ecoSystem);
-  initializePackageManager(PIP_PACKAGE_MANAGER);
-
-  let shouldSkip = false;
-  if (tool.tool === "pip") {
-    setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
-  } else if (tool.tool === "pip3") {
-    setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
-  } else if (tool.tool === "python") {
-    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
-      setCurrentPipInvocation(
-        args[1] === "pip3" ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP
-      );
-      args = args.slice(2);
-    } else {
-      shouldSkip = true;
-    }
-  } else if (tool.tool === "python3") {
-    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
-      setCurrentPipInvocation(
-        args[1] === "pip3" ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP
-      );
-      args = args.slice(2);
-    } else {
-      shouldSkip = true;
-    }
-  }
-
-  if (shouldSkip) {
-    const { spawn } = await import("child_process");
-    spawn(tool.tool, args, { stdio: "inherit" });
-  } else {
-    var exitCode = await main(args);
-    process.exit(exitCode);
-  }
-}

packages/safe-chain/src/packagemanager/currentPackageManager.js

@@ -35,10 +35,11 @@ const state = {
 
 /**
  * @param {string} packageManagerName
+ * @param {{ tool: string, args: string[] }} [context] - Optional tool context for package managers like pip
  *
  * @return {PackageManager}
  */
-export function initializePackageManager(packageManagerName) {
+export function initializePackageManager(packageManagerName, context) {
   if (packageManagerName === "npm") {
     state.packageManagerName = createNpmPackageManager();
   } else if (packageManagerName === "npx") {
@@ -54,7 +55,7 @@ export function initializePackageManager(packageManagerName) {
   } else if (packageManagerName === "bunx") {
     state.packageManagerName = createBunxPackageManager();
   } else if (packageManagerName === "pip") {
-    state.packageManagerName = createPipPackageManager();
+    state.packageManagerName = createPipPackageManager(context);
   } else if (packageManagerName === "uv") {
     state.packageManagerName = createUvPackageManager();
   } else {

packages/safe-chain/src/packagemanager/pip/createPackageManager.js

@@ -1,17 +1,21 @@
 import { runPip } from "./runPipCommand.js";
-import { getCurrentPipInvocation } from "./pipSettings.js";
+import { PIP_COMMAND } from "./pipSettings.js";
+
 /**
+ * @param {{ tool: string, args: string[] }} [context] - Optional context with tool name and args
  * @returns {import("../currentPackageManager.js").PackageManager}
  */
-export function createPipPackageManager() {
+export function createPipPackageManager(context) {
+  const tool = context?.tool || PIP_COMMAND;
+
   return {
     /**
      * @param {string[]} args
      */
     runCommand: (args) => {
-      const invocation = getCurrentPipInvocation();
+      // Args from main.js are already stripped of --safe-chain-* flags
-      const fullArgs = [...invocation.args, ...args];
+      // We just pass the tool (e.g. "python3") and the args (e.g. ["-m", "pip", "install", ...])
-      return runPip(invocation.command, fullArgs);
+      return runPip(tool, args);
     },
     // For pip, rely solely on MITM proxy to detect/deny downloads from known registries.
     isSupportedCommand: () => false,

packages/safe-chain/src/packagemanager/pip/pipSettings.js

@@ -1,30 +1,6 @@
 export const PIP_PACKAGE_MANAGER = "pip";
 
-// All supported python/pip invocations for Safe Chain interception
+export const PIP_COMMAND = "pip";
-export const PIP_INVOCATIONS = {
+export const PIP3_COMMAND = "pip3";
-  PIP: { command: "pip", args: [] },
+export const PYTHON_COMMAND = "python";
-  PIP3: { command: "pip3", args: [] },
+export const PYTHON3_COMMAND = "python3";
-  PY_PIP: { command: "python", args: ["-m", "pip"] },
-  PY3_PIP: { command: "python3", args: ["-m", "pip"] },
-  PY_PIP3: { command: "python", args: ["-m", "pip3"] },
-  PY3_PIP3: { command: "python3", args: ["-m", "pip3"] }
-};
-
-/**
- * @type {{ command: string, args: string[] }}
- */
-let currentInvocation = PIP_INVOCATIONS.PY3_PIP; // Default to python3 -m pip
-
-/**
- * @param {{ command: string, args: string[] }} invocation
- */
-export function setCurrentPipInvocation(invocation) {
-  currentInvocation = invocation;
-}
-
-/**
- * @returns {{ command: string, args: string[] }}
- */
-export function getCurrentPipInvocation() {
-  return currentInvocation;
-}

packages/safe-chain/src/packagemanager/pip/runPipCommand.js

@@ -2,12 +2,31 @@ import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import { PIP_COMMAND, PIP3_COMMAND, PYTHON_COMMAND, PYTHON3_COMMAND } from "./pipSettings.js";
 import fs from "node:fs/promises";
 import fsSync from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import ini from "ini";
 
+/**
+ * Checks if this pip invocation should bypass safe-chain and spawn directly.
+ * Returns true if the tool is python/python3 but NOT being run with -m pip/pip3.
+ * @param {string} command - The command executable
+ * @param {string[]} args - The arguments
+ * @returns {boolean}
+ */
+function shouldBypassSafeChain(command, args) {
+  if (command === PYTHON_COMMAND || command === PYTHON3_COMMAND) {
+    // Check if args start with -m pip
+    if (args.length >= 2 && args[0] === "-m" && (args[1] === PIP_COMMAND || args[1] === PIP3_COMMAND)) {
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+
 /**
  * Sets fallback CA bundle environment variables used by Python libraries.
  * These are applied in addition to the PIP_CONFIG_FILE to ensure all Python
@@ -49,11 +68,28 @@ function setFallbackCaBundleEnvironmentVariables(env, combinedCaPath) {
  * Special handling for commands that modify config/cache/state: PIP_CONFIG_FILE is NOT overridden to allow
  * users to read/write persistent config. Only CA environment variables are set for these commands.
  * 
- * @param {string} command - The pip command to execute (e.g., 'pip3')
+ * @param {string} command - The pip command executable (e.g., 'pip3' or 'python3')
  * @param {string[]} args - Command line arguments to pass to pip
  * @returns {Promise<{status: number}>} Exit status of the pip command
  */
 export async function runPip(command, args) {
+  // Check if we should bypass safe-chain (python/python3 without -m pip)
+  if (shouldBypassSafeChain(command, args)) {
+    ui.writeVerbose(`Safe-chain: Bypassing safe-chain for non-pip invocation: ${command} ${args.join(" ")}`);
+    // Spawn the ORIGINAL command with ORIGINAL args
+    const { spawn } = await import("child_process");
+    return new Promise((_resolve) => {
+      const proc = spawn(command, args, { stdio: "inherit" });
+      proc.on("exit", (/** @type {number | null} */ code) => {
+        process.exit(code ?? 0);
+      });
+      proc.on("error", (/** @type {Error} */ err) => {
+        ui.writeError(`Error executing command: ${err.message}`);
+        process.exit(1);
+      });
+    });
+  }
+
   try {
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
 

test/e2e/pip.e2e.spec.js

@@ -539,4 +539,278 @@ describe("E2E: pip coverage", () => {
       `Should download certifi. Output was:\n${downloadResult.output}`
     );
   });
+
+  // Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain)
+  
+  it(`python3 --version should bypass safe-chain and work normally`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand("python3 --version");
+    
+    // Should output Python version
+    assert.ok(
+      result.output.match(/Python 3\.\d+\.\d+/),
+      `Should output Python version. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain proxy
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 --version should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python --version should bypass safe-chain and work normally`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand("python --version");
+    
+    // Should output Python version
+    assert.ok(
+      result.output.match(/Python \d+\.\d+\.\d+/),
+      `Should output Python version. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python --version should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand("python3 -c \"print('hello world')\"");
+    
+    // Should execute Python code
+    assert.ok(
+      result.output.includes("hello world"),
+      `Should execute Python code. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -c should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python -c should bypass safe-chain and execute code`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand("python -c \"import sys; print(sys.version)\"");
+    
+    // Should execute Python code and print version
+    assert.ok(
+      result.output.match(/\d+\.\d+\.\d+/),
+      `Should execute Python code. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python -c should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 script.py should bypass safe-chain and execute script`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Create a simple Python script
+    await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py");
+    
+    const result = await shell.runCommand("python3 /tmp/test_script.py");
+    
+    // Should execute the script
+    assert.ok(
+      result.output.includes("script executed"),
+      `Should execute Python script. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 script.py should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python script.py should bypass safe-chain and execute script`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Create a simple Python script
+    await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py");
+    
+    const result = await shell.runCommand("python /tmp/test_script2.py");
+    
+    // Should execute the script
+    assert.ok(
+      result.output.includes("python2/3 compatible"),
+      `Should execute Python script. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python script.py should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // json.tool is a built-in Python module for formatting JSON
+    const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool");
+    
+    // Should format JSON
+    assert.ok(
+      result.output.includes('"test"') && result.output.includes('123'),
+      `Should format JSON. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -m json.tool should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Start http.server in background and kill it immediately
+    // We just want to verify it starts without safe-chain interference
+    const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true");
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -m http.server should not go through safe-chain. Output was:\n${result.output}`
+    );
+    
+    // Should either start the server or timeout (both are success for bypass test)
+    assert.ok(
+      result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined,
+      `Should attempt to start server. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 interactive mode should bypass safe-chain`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Run python3 with a command piped to stdin to simulate interactive mode
+    const result = await shell.runCommand("echo 'print(2+2)' | python3");
+    
+    // Should execute the command
+    assert.ok(
+      result.output.includes("4"),
+      `Should execute Python interactively. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 interactive should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 with no arguments should bypass safe-chain`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Python with no args goes to interactive REPL, pipe exit command
+    const result = await shell.runCommand("echo 'exit()' | python3");
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 with no args should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -m venv should bypass safe-chain (venv module)`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    const result = await shell.runCommand("python3 -m venv /tmp/test_venv");
+    
+    // Should create venv without safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -m venv should not go through safe-chain. Output was:\n${result.output}`
+    );
+    
+    // Verify venv was created
+    const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'");
+    assert.ok(
+      checkVenv.output.includes("exists"),
+      `venv should be created. Output was:\n${checkVenv.output}`
+    );
+  });
+
+  it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    // pytest may not be installed, but the bypass should work regardless
+    const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true");
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -m pytest should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -m site should bypass safe-chain (site module)`, async () => {
+    const shell = await container.openShell("zsh");
+    
+    const result = await shell.runCommand("python3 -m site");
+    
+    // Should output site information
+    assert.ok(
+      result.output.includes("sys.path") || result.output.includes("USER_BASE"),
+      `Should output site information. Output was:\n${result.output}`
+    );
+    
+    // Should NOT go through safe-chain
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `python3 -m site should not go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  // Verify that -m pip* still goes through safe-chain (sanity check)
+  
+  it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand(
+      "python3 -m pip install --break-system-packages certifi"
+    );
+    
+    // SHOULD go through safe-chain
+    assert.ok(
+      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      `python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand(
+      "python3 -m pip3 install --break-system-packages certifi"
+    );
+    
+    // SHOULD go through safe-chain
+    assert.ok(
+      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      `python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand(
+      "python -m pip install --break-system-packages certifi"
+    );
+    
+    // SHOULD go through safe-chain
+    assert.ok(
+      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      `python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
+    );
+  });
 });

test/e2e/safe-chain-cli-python.e2e.spec.js

@@ -0,0 +1,104 @@
+import { describe, it, before, beforeEach, afterEach } from "node:test";
+import { DockerTestContainer } from "./DockerTestContainer.js";
+import assert from "node:assert";
+
+describe("E2E: safe-chain CLI python/pip support", () => {
+  let container;
+
+  before(async () => {
+    DockerTestContainer.buildImage();
+  });
+
+  beforeEach(async () => {
+    container = new DockerTestContainer();
+    await container.start();
+    // Note: We do NOT run 'safe-chain setup' here.
+    // We want to test the 'safe-chain' CLI command directly.
+  });
+
+  afterEach(async () => {
+    if (container) {
+      await container.stop();
+      container = null;
+    }
+  });
+
+  it("safe-chain pip3 install routes through proxy", async () => {
+    const shell = await container.openShell("zsh");
+    // Invoke safe-chain directly with pip3 command
+    const result = await shell.runCommand(
+      "safe-chain pip3 install --break-system-packages requests"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Successfully installed") ||
+        result.output.includes("Requirement already satisfied"),
+      `Installation failed. Output was:\n${result.output}`
+    );
+  });
+
+  it("safe-chain python3 -m pip install routes through proxy", async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand(
+      "safe-chain python3 -m pip install --break-system-packages requests"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+
+  it("safe-chain python3 script.py bypasses proxy", async () => {
+    const shell = await container.openShell("zsh");
+    
+    // Create a simple script
+    await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py");
+
+    const result = await shell.runCommand("safe-chain python3 /tmp/test.py");
+
+    // Should execute the script
+    assert.ok(
+      result.output.includes("direct execution"),
+      `Script execution failed. Output was:\n${result.output}`
+    );
+
+    // Should NOT show safe-chain logs
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `Should have bypassed safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it("safe-chain python3 --version bypasses proxy", async () => {
+    const shell = await container.openShell("zsh");
+    const result = await shell.runCommand("safe-chain python3 --version");
+
+    assert.ok(
+      result.output.match(/Python 3\.\d+\.\d+/),
+      `Should show python version. Output was:\n${result.output}`
+    );
+    assert.ok(
+      !result.output.includes("Safe-chain"),
+      `Should have bypassed safe-chain. Output was:\n${result.output}`
+    );
+  });
+
+  it("safe-chain blocks malicious package via pip3", async () => {
+    const shell = await container.openShell("zsh");
+    await shell.runCommand("pip3 cache purge");
+
+    const result = await shell.runCommand(
+      "safe-chain pip3 install --break-system-packages safe-chain-pi-test"
+    );
+
+    assert.ok(
+      result.output.includes("blocked 1 malicious package downloads"),
+      `Should have blocked malware. Output was:\n${result.output}`
+    );
+  });
+});