From d21f1ad91b4b3075e35a5013ab1a23f52a34e4b7 Mon Sep 17 00:00:00 2001
From: Nicholas Romero <ncrmro@gmail.com>
Date: Wed, 18 Feb 2026 14:34:58 -0600
Subject: [PATCH] fix(nix): Wrap package binary to isolate Python environment

When consumed as a buildInput in another flake's devShell, other
Python-based packages (azure-cli, awscli2, pipx) pollute PYTHONPATH
with python3.13 site-packages. deepwork's python3.11 interpreter then
loads incompatible native extensions (e.g. cryptography built for 3.13),
causing "undefined symbol: PyErr_GetRaisedException" on MCP server start.

Wrap the deepwork binary with makeWrapper --unset PYTHONPATH to isolate
it from the host Python environment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 flake.nix | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/flake.nix b/flake.nix
index a7a2150f..92601a77 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,13 +119,29 @@
         }
       );
 
-      # Package output - virtual environment with default deps only
+      # Package output - wrapped deepwork binary with isolated Python environment
+      # When consumed as a dependency in other flakes, the consuming devShell may
+      # include Python packages for a different version (e.g. python3.13 from
+      # azure-cli, awscli2). These pollute PYTHONPATH and cause symbol errors
+      # when deepwork's python3.11 tries to load python3.13 native extensions.
+      # Wrapping with --unset PYTHONPATH isolates deepwork from the host environment.
       packages = forAllSystems (system:
         let
-          pkg = pythonSets.${system}.mkVirtualEnv "deepwork-env" workspace.deps.default;
+          pkgs = import nixpkgs {
+            inherit system;
+            config.allowUnfree = true;
+          };
+          venv = pythonSets.${system}.mkVirtualEnv "deepwork-env" workspace.deps.default;
+          wrapped = pkgs.runCommand "deepwork-wrapped" {
+            nativeBuildInputs = [ pkgs.makeWrapper ];
+          } ''
+            mkdir -p $out/bin
+            makeWrapper ${venv}/bin/deepwork $out/bin/deepwork \
+              --unset PYTHONPATH
+          '';
         in {
-          default = pkg;
-          deepwork = pkg;  # Alias for backwards compatibility
+          default = wrapped;
+          deepwork = wrapped;  # Alias for backwards compatibility
         }
       );