diff --git a/playbooks/linux_patch.yml b/playbooks/linux_patch.yml
index 8e55a7c..ce13c64 100644
--- a/playbooks/linux_patch.yml
+++ b/playbooks/linux_patch.yml
@@ -1,4 +1,10 @@
 ---
+- name: Bootstrap — ensure Python is available
+  hosts: linux_hosts
+  gather_facts: false
+  tasks:
+    - ansible.builtin.import_tasks: ../roles/preflight/tasks/bootstrap.yml
+
 - name: Linux patching
   hosts: linux_hosts
   gather_facts: true
diff --git a/playbooks/site_preflight.yml b/playbooks/site_preflight.yml
index e216cff..d577197 100644
--- a/playbooks/site_preflight.yml
+++ b/playbooks/site_preflight.yml
@@ -1,4 +1,10 @@
 ---
+- name: Bootstrap — ensure Python is available
+  hosts: all
+  gather_facts: false
+  tasks:
+    - ansible.builtin.import_tasks: ../roles/preflight/tasks/bootstrap.yml
+
 - name: Pre-flight safety checks
   hosts: all
   gather_facts: true
diff --git a/roles/preflight/tasks/bootstrap.yml b/roles/preflight/tasks/bootstrap.yml
new file mode 100644
index 0000000..d9a389a
--- /dev/null
+++ b/roles/preflight/tasks/bootstrap.yml
@@ -0,0 +1,18 @@
+---
+# Runs before gather_facts using raw commands — no Python required
+- name: Check if python3 is installed
+  ansible.builtin.raw: which python3 || echo "missing"
+  register: python_check
+  changed_when: false
+
+- name: Install python3 on Alpine (raw — no Python needed)
+  ansible.builtin.raw: apk add --no-cache python3
+  when: "'missing' in python_check.stdout"
+  changed_when: true
+
+- name: Install python3 on Debian/Ubuntu (raw — no Python needed)
+  ansible.builtin.raw: apt-get install -y python3
+  when:
+    - "'missing' in python_check.stdout"
+    - ansible_os_family is not defined or ansible_os_family == 'Debian'
+  changed_when: true