Congrats and i admire you're layering on security.
Am the author of seven published Python packages including: wreck, sphinx-external-toc-strict, pytest-logging-strict, logging-strict, and a few others.
long story short, the answer to your question is use the virtualenv (venv) absolute path to the Python binary. With the python absolute path there is no need to activate the venv.
Would appreciate a star on wreck or sphinx-external-toc-strict or pytest-logging-strict
Thank you and thank anyone else who found this answer useful.