diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d0a955230..ab2b55634 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,6 +19,7 @@ repos:
types-python-dateutil,
pydantic,
fastapi,
+ pytest,
"openai-agents[litellm]==0.14.6",
]
args: [--install-types, --non-interactive]
@@ -46,7 +47,7 @@ repos:
# Additional Python code quality checks
- repo: https://github.com/asottile/pyupgrade
- rev: v3.20.0
+ rev: v3.21.2
hooks:
- id: pyupgrade
args: [--py312-plus]
diff --git a/docs/advanced/configuration.mdx b/docs/advanced/configuration.mdx
index 9ab7f017d..5d56c9a16 100644
--- a/docs/advanced/configuration.mdx
+++ b/docs/advanced/configuration.mdx
@@ -79,6 +79,10 @@ When remote vars are set, Strix dual-writes telemetry to both local JSONL and th
Runtime backend for the sandbox environment.
+
+ Maximum size (in MB) of a local directory target that Strix will copy into the sandbox file-by-file. Larger targets exit early with a suggestion to use `--mount` instead. Set to `0` to disable the check.
+
+
## Sandbox Configuration
diff --git a/docs/usage/cli.mdx b/docs/usage/cli.mdx
index bb3200969..ab2cc47d5 100644
--- a/docs/usage/cli.mdx
+++ b/docs/usage/cli.mdx
@@ -15,6 +15,20 @@ strix --target [options]
Target to test. Accepts URLs, repositories, local directories, domains, or IP addresses. Can be specified multiple times.
+
+ Bind-mount a local directory into the sandbox (read-only) instead of copying it in file-by-file. Use this for large repositories that are too big to stream into the container. Can be specified multiple times.
+
+ Strix copies local `--target` directories into the sandbox one file at a time, which stalls on very large trees. When a local target exceeds the copy limit (see `STRIX_MAX_LOCAL_COPY_MB`, default 1024 MB) Strix exits early and asks you to re-run with `--mount`.
+
+
+ The mount is read-only to protect your source from accidental modification. This is not a hard security boundary: a root process inside the container can remount it writable, so treat `--mount` as "scan my own code", not as isolation from untrusted code.
+
+
+
+ The size pre-flight only covers local directory targets. Remote repositories (cloned at scan time) are not size-checked.
+
+
+
Custom instructions for the scan. Use for credentials, focus areas, or specific testing approaches.
@@ -63,6 +77,9 @@ strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main
# Multi-target white-box testing
strix -t https://github.com/org/app -t https://staging.example.com
+
+# Large local repository — bind-mount instead of copying it in
+strix --mount ./huge-monorepo
```
## Exit Codes
diff --git a/pyproject.toml b/pyproject.toml
index 35f3c016e..4485d7793 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -55,8 +55,13 @@ dev = [
"bandit>=1.8.3",
"pre-commit>=4.2.0",
"pyinstaller>=6.17.0; python_version >= '3.12' and python_version < '3.15'",
+ "pytest>=8.3",
+ "pytest-asyncio>=0.24",
]
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+
[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"
@@ -104,6 +109,10 @@ module = [
ignore_missing_imports = true
disable_error_code = ["import-untyped"]
+[[tool.mypy.overrides]]
+module = ["tests.*"]
+disallow_untyped_decorators = false
+
# ============================================================================
# Ruff Configuration (Fast Python Linter & Formatter)
# ============================================================================
diff --git a/strix/config/settings.py b/strix/config/settings.py
index 1458e1ff8..91fbdef14 100644
--- a/strix/config/settings.py
+++ b/strix/config/settings.py
@@ -47,6 +47,11 @@ class RuntimeSettings(BaseSettings):
alias="STRIX_IMAGE",
)
backend: str = Field(default="docker", alias="STRIX_RUNTIME_BACKEND")
+ # Hard cap on a local target's size before we refuse to stream it into the
+ # sandbox file-by-file (the SDK copies every file individually, which stalls
+ # on large repos). Above this, the user must bind-mount via ``--mount``.
+ # Set to 0 (or less) to disable the pre-flight check entirely.
+ max_local_copy_mb: int = Field(default=1024, alias="STRIX_MAX_LOCAL_COPY_MB")
class TelemetrySettings(BaseSettings):
diff --git a/strix/core/inputs.py b/strix/core/inputs.py
index b86daa4c8..0505ef38c 100644
--- a/strix/core/inputs.py
+++ b/strix/core/inputs.py
@@ -44,7 +44,8 @@ def build_root_task(scan_config: dict[str, Any]) -> str:
)
elif ttype == "local_code":
path = details.get("target_path", "unknown")
- sections["Local Codebases"].append(f"- {path} (available at: {workspace_path})")
+ suffix = ", read-only mount" if details.get("mount") else ""
+ sections["Local Codebases"].append(f"- {path} (available at: {workspace_path}{suffix})")
elif ttype == "web_application":
sections["URLs"].append(f"- {details.get('target_url', '')}")
elif ttype == "ip_address":
diff --git a/strix/core/runner.py b/strix/core/runner.py
index a7371e9f7..9ab120bc5 100644
--- a/strix/core/runner.py
+++ b/strix/core/runner.py
@@ -55,7 +55,7 @@ async def run_strix_scan(
scan_config: dict[str, Any],
scan_id: str | None = None,
image: str,
- local_sources: list[dict[str, str]] | None = None,
+ local_sources: list[dict[str, Any]] | None = None,
coordinator: AgentCoordinator | None = None,
interactive: bool = False,
max_turns: int = DEFAULT_MAX_TURNS,
diff --git a/strix/interface/main.py b/strix/interface/main.py
index b5c56ad40..a928ee30d 100644
--- a/strix/interface/main.py
+++ b/strix/interface/main.py
@@ -33,9 +33,12 @@
from strix.interface.utils import (
assign_workspace_subdirs,
build_final_stats_text,
+ build_mount_targets_info,
check_docker_connection,
clone_repository,
collect_local_sources,
+ dedupe_local_targets,
+ find_oversized_local_targets,
generate_run_name,
image_exists,
infer_target_type,
@@ -317,6 +320,9 @@ def parse_arguments() -> argparse.Namespace:
# Local code analysis
strix --target ./my-project
+ # Large local repository (bind-mounted read-only instead of copied)
+ strix --mount ./huge-monorepo
+
# Domain penetration test
strix --target example.com
@@ -352,6 +358,15 @@ def parse_arguments() -> argparse.Namespace:
"Can be specified multiple times for multi-target scans. "
"Required for fresh runs; loaded from disk when ``--resume`` is set.",
)
+ parser.add_argument(
+ "--mount",
+ type=str,
+ action="append",
+ metavar="PATH",
+ help="Bind-mount a local directory into the sandbox (read-only) instead of "
+ "copying it file-by-file. Use this for large repositories that are too big to "
+ "stream into the container. Can be specified multiple times.",
+ )
parser.add_argument(
"--instruction",
type=str,
@@ -455,9 +470,9 @@ def parse_arguments() -> argparse.Namespace:
args.user_explicit_instruction = args.instruction if args.resume else None
if args.resume:
- if args.target:
+ if args.target or args.mount:
parser.error(
- "Cannot combine --resume with --target. --resume picks up where "
+ "Cannot combine --resume with --target/--mount. --resume picks up where "
"the prior run left off, including the original target list."
)
_load_resume_state(args, parser)
@@ -470,13 +485,13 @@ def parse_arguments() -> argparse.Namespace:
f"or remove --resume to start over with the same targets."
)
else:
- if not args.target:
+ if not args.target and not args.mount:
parser.error(
- "the following arguments are required: -t/--target "
+ "the following arguments are required: -t/--target or --mount "
"(or use --resume to continue a prior scan)"
)
args.targets_info = []
- for target in args.target:
+ for target in args.target or []:
try:
target_type, target_dict = infer_target_type(target)
@@ -491,9 +506,30 @@ def parse_arguments() -> argparse.Namespace:
except ValueError:
parser.error(f"Invalid target '{target}'")
+ try:
+ args.targets_info.extend(build_mount_targets_info(args.mount or []))
+ except ValueError as e:
+ parser.error(str(e))
+
+ args.targets_info = dedupe_local_targets(args.targets_info)
+
assign_workspace_subdirs(args.targets_info)
rewrite_localhost_targets(args.targets_info, HOST_GATEWAY_HOSTNAME)
+ max_local_copy_mb = load_settings().runtime.max_local_copy_mb
+ max_copy_bytes = max_local_copy_mb * 1024 * 1024
+ oversized = find_oversized_local_targets(args.targets_info, max_copy_bytes)
+ if oversized:
+ details = "; ".join(
+ f"{path} ({size / (1024 * 1024):.0f} MB)" for path, size in oversized
+ )
+ parser.error(
+ f"Local target too large to stream into the sandbox: {details}. "
+ f"The limit is {max_local_copy_mb} MB "
+ "(set STRIX_MAX_LOCAL_COPY_MB to change it). Re-run with "
+ "--mount to bind-mount the directory instead of copying it."
+ )
+
return args
diff --git a/strix/interface/utils.py b/strix/interface/utils.py
index ff53a6cd8..bffc0d47d 100644
--- a/strix/interface/utils.py
+++ b/strix/interface/utils.py
@@ -1,5 +1,6 @@
import ipaddress
import json
+import logging
import os
import re
import secrets
@@ -23,6 +24,9 @@
from strix.config import load_settings
+logger = logging.getLogger(__name__)
+
+
def get_severity_color(severity: str) -> str:
severity_colors = {
"critical": "#dc2626",
@@ -1185,8 +1189,8 @@ def is_whitebox_scan(targets_info: list[dict[str, Any]]) -> bool:
return any(t.get("type") == "local_code" for t in targets_info or [])
-def collect_local_sources(targets_info: list[dict[str, Any]]) -> list[dict[str, str]]:
- local_sources: list[dict[str, str]] = []
+def collect_local_sources(targets_info: list[dict[str, Any]]) -> list[dict[str, Any]]:
+ local_sources: list[dict[str, Any]] = []
for target_info in targets_info:
details = target_info["details"]
@@ -1197,6 +1201,7 @@ def collect_local_sources(targets_info: list[dict[str, Any]]) -> list[dict[str,
{
"source_path": details["target_path"],
"workspace_subdir": workspace_subdir,
+ "mount": bool(details.get("mount", False)),
}
)
@@ -1205,12 +1210,126 @@ def collect_local_sources(targets_info: list[dict[str, Any]]) -> list[dict[str,
{
"source_path": details["cloned_repo_path"],
"workspace_subdir": workspace_subdir,
+ "mount": False,
}
)
return local_sources
+def directory_size_bytes(path: Path) -> int:
+ """Total size in bytes of regular files under ``path`` (symlinks not followed).
+
+ Best-effort: files that disappear or can't be stat'd mid-walk are skipped.
+ Used as a cheap (stat-only) pre-flight to estimate the cost of streaming a
+ local target into the sandbox before we actually try to copy it.
+
+ Directories that can't be listed (e.g. permission denied) are logged and
+ skipped rather than silently dropped — so an under-count is at least
+ visible — but the returned total then excludes their contents.
+ """
+
+ def _on_walk_error(error: OSError) -> None:
+ logger.warning("Could not read %s while measuring size: %s", error.filename, error)
+
+ total = 0
+ for root, _dirs, files in os.walk(path, followlinks=False, onerror=_on_walk_error):
+ for name in files:
+ file_path = os.path.join(root, name) # noqa: PTH118
+ try:
+ if os.path.islink(file_path): # noqa: PTH114
+ continue
+ total += os.path.getsize(file_path) # noqa: PTH202
+ except OSError:
+ continue
+ return total
+
+
+def find_oversized_local_targets(
+ targets_info: list[dict[str, Any]], max_bytes: int
+) -> list[tuple[str, int]]:
+ """Return ``(path, size_bytes)`` for non-mounted local targets over ``max_bytes``.
+
+ Mounted targets are bind-mounted rather than copied, so their size is
+ irrelevant and they are excluded. A ``max_bytes`` of zero or less disables
+ the check entirely (returns no targets).
+ """
+ if max_bytes <= 0:
+ return []
+ oversized: list[tuple[str, int]] = []
+ for target in targets_info:
+ if target.get("type") != "local_code":
+ continue
+ details = target.get("details") or {}
+ if details.get("mount"):
+ continue
+ target_path = details.get("target_path")
+ if not target_path:
+ continue
+ size = directory_size_bytes(Path(target_path))
+ if size > max_bytes:
+ oversized.append((target_path, size))
+ return oversized
+
+
+def build_mount_targets_info(mount_paths: list[str]) -> list[dict[str, Any]]:
+ """Build ``targets_info`` entries for ``--mount`` directories.
+
+ Each path must be an existing local directory; it is bind-mounted into the
+ sandbox (read-only) instead of being copied file-by-file. Raises
+ ``ValueError`` for an empty path, or one that does not exist or is not a
+ directory.
+ """
+ targets_info: list[dict[str, Any]] = []
+ for raw in mount_paths:
+ if not raw or not raw.strip():
+ raise ValueError("--mount path must not be empty.")
+ path = Path(raw).expanduser()
+ try:
+ resolved = path.resolve()
+ is_dir = resolved.is_dir()
+ except (OSError, RuntimeError) as e:
+ raise ValueError(f"Invalid mount path '{raw}': {e!s}") from e
+ if not is_dir:
+ raise ValueError(
+ f"Mount path '{raw}' is not an existing directory. "
+ "--mount requires a path to a local directory."
+ )
+ targets_info.append(
+ {
+ "type": "local_code",
+ "details": {"target_path": str(resolved), "mount": True},
+ "original": str(resolved),
+ }
+ )
+ return targets_info
+
+
+def dedupe_local_targets(targets_info: list[dict[str, Any]]) -> list[dict[str, Any]]:
+ """Collapse local_code targets that resolve to the same path.
+
+ When a directory is supplied both as a copied ``--target`` and via
+ ``--mount`` (or as duplicate values of either), keep one entry and prefer
+ the bind-mounted one — so the same tree is never both streamed in and
+ mounted. Order is preserved; non-local targets pass through untouched.
+ """
+ result: list[dict[str, Any]] = []
+ index_by_path: dict[str, int] = {}
+ for target in targets_info:
+ details = target.get("details") or {}
+ path = details.get("target_path")
+ if target.get("type") != "local_code" or not path:
+ result.append(target)
+ continue
+ existing = index_by_path.get(path)
+ if existing is None:
+ index_by_path[path] = len(result)
+ result.append(target)
+ elif details.get("mount") and not (result[existing].get("details") or {}).get("mount"):
+ result[existing] = target # bind mount supersedes the copied entry
+ return result
+
+
def _is_localhost_host(host: str) -> bool:
host_lower = host.lower().strip("[]")
diff --git a/strix/report/writer.py b/strix/report/writer.py
index 8118fe9f6..a7c2146df 100644
--- a/strix/report/writer.py
+++ b/strix/report/writer.py
@@ -27,7 +27,7 @@ def read_run_record(run_dir: Path) -> dict[str, Any]:
except (OSError, json.JSONDecodeError) as exc:
raise RuntimeError(f"run.json at {path} is unreadable: {exc}") from exc
if not isinstance(data, dict):
- raise RuntimeError(f"run.json at {path} is not an object")
+ raise TypeError(f"run.json at {path} is not an object")
return data
diff --git a/strix/runtime/backends.py b/strix/runtime/backends.py
index 9f241a3ae..d7eba3357 100644
--- a/strix/runtime/backends.py
+++ b/strix/runtime/backends.py
@@ -22,6 +22,7 @@ async def _docker_backend(
image: str,
manifest: Manifest,
exposed_ports: tuple[int, ...],
+ bind_mounts: list[dict[str, Any]] | None = None,
) -> tuple[Any, Any]:
"""Bring up a session backed by the local Docker daemon.
@@ -31,11 +32,15 @@ async def _docker_backend(
backend don't need the docker-py library installed.
``session.start()`` is what materializes the manifest entries
- (LocalDir copies, mount setup, etc.) into the running container —
- the SDK's ``client.create()`` only builds the inner session object
- without applying the manifest. ``async with session:`` would call it
- too, but Strix manages session lifetime explicitly via
+ (LocalDir copies and manifest-declared volume/FUSE mounts) into the
+ running container — the SDK's ``client.create()`` only builds the inner
+ session object without applying the manifest. ``async with session:``
+ would call it too, but Strix manages session lifetime explicitly via
``client.delete()`` so we trigger ``start()`` ourselves.
+
+ ``bind_mounts`` are host directories (e.g. large repos passed via
+ ``--mount``) bind-mounted read-only; unlike manifest entries they are
+ applied by Docker at container-create time, not by ``start()``.
"""
import docker
from agents.sandbox.sandboxes.docker import DockerSandboxClientOptions
@@ -43,6 +48,7 @@ async def _docker_backend(
from strix.runtime.docker_client import StrixDockerSandboxClient
client = StrixDockerSandboxClient(docker.from_env())
+ client.strix_bind_mounts = bind_mounts or []
options = DockerSandboxClientOptions(image=image, exposed_ports=exposed_ports)
session = await client.create(options=options, manifest=manifest)
await session.start()
diff --git a/strix/runtime/docker_client.py b/strix/runtime/docker_client.py
index 2a753834d..497ae2f21 100644
--- a/strix/runtime/docker_client.py
+++ b/strix/runtime/docker_client.py
@@ -38,6 +38,7 @@
from agents.sandbox.session.sandbox_session import SandboxSession
from docker import errors as docker_errors # type: ignore[import-untyped, unused-ignore]
from docker.models.containers import Container # type: ignore[import-untyped, unused-ignore]
+from docker.types import Mount as DockerSDKMount # type: ignore[import-untyped, unused-ignore]
from docker.utils import parse_repository_tag # type: ignore[import-untyped, unused-ignore]
@@ -45,6 +46,10 @@
class StrixDockerSandboxClient(DockerSandboxClient):
+ # Host directories to bind-mount into the container, set by the docker
+ # backend before ``create()``. Each item is ``{source, target, read_only}``.
+ strix_bind_mounts: list[dict[str, Any]] = [] # overridden per-instance in backends.py
+
async def _create_container(
self,
image: str,
@@ -111,6 +116,21 @@ async def _create_container(
extra_hosts = create_kwargs.setdefault("extra_hosts", {})
extra_hosts["host.docker.internal"] = "host-gateway"
+ # Strix injection: host bind mounts (e.g. large repos passed via --mount)
+ # that bypass the SDK's file-by-file LocalDir copy.
+ bind_mounts = getattr(self, "strix_bind_mounts", ())
+ if bind_mounts:
+ mounts = create_kwargs.setdefault("mounts", [])
+ for spec in bind_mounts:
+ mounts.append(
+ DockerSDKMount(
+ target=spec["target"],
+ source=spec["source"],
+ type="bind",
+ read_only=spec.get("read_only", True),
+ )
+ )
+
logger.debug(
"Creating sandbox container: image=%s caps=%s exposed_ports=%s",
image,
diff --git a/strix/runtime/session_manager.py b/strix/runtime/session_manager.py
index 6f3e27338..a19495cc5 100644
--- a/strix/runtime/session_manager.py
+++ b/strix/runtime/session_manager.py
@@ -23,30 +23,59 @@
_SESSION_CACHE: dict[str, dict[str, Any]] = {}
+# Manifest root inside the container; entry keys hang off this path.
+_WORKSPACE_ROOT = "/workspace"
+
+
+def build_session_entries(
+ local_sources: list[dict[str, Any]],
+) -> tuple[dict[str | Path, BaseEntry], list[dict[str, Any]]]:
+ """Split local sources into copied manifest entries and host bind mounts.
+
+ Sources flagged ``mount`` are bind-mounted read-only at
+ ``/workspace/`` (not added to the manifest, so the SDK
+ does not stream them in file-by-file). Every other source becomes a
+ ``LocalDir`` entry copied into the container as before.
+ """
+ entries: dict[str | Path, BaseEntry] = {}
+ bind_mounts: list[dict[str, Any]] = []
+ for src in local_sources:
+ ws_subdir = src.get("workspace_subdir") or ""
+ host_path = src.get("source_path") or ""
+ if not ws_subdir or not host_path:
+ continue
+ resolved = Path(host_path).expanduser().resolve()
+ if src.get("mount"):
+ bind_mounts.append(
+ {
+ "source": str(resolved),
+ "target": f"{_WORKSPACE_ROOT}/{ws_subdir}",
+ "read_only": True,
+ }
+ )
+ else:
+ entries[ws_subdir] = LocalDir(src=resolved)
+ return entries, bind_mounts
+
async def create_or_reuse(
scan_id: str,
*,
image: str,
- local_sources: list[dict[str, str]],
+ local_sources: list[dict[str, Any]],
) -> dict[str, Any]:
"""Return the existing session bundle for ``scan_id`` or create a new one.
- Each ``local_sources`` entry mounts its host ``source_path`` at
- ``/workspace/`` inside the container.
+ Each ``local_sources`` entry exposes its host ``source_path`` at
+ ``/workspace/`` inside the container — copied in, or
+ bind-mounted read-only when the entry is flagged ``mount``.
"""
cached = _SESSION_CACHE.get(scan_id)
if cached is not None:
logger.info("Reusing existing sandbox session for scan %s", scan_id)
return cached
- entries: dict[str | Path, BaseEntry] = {}
- for src in local_sources:
- ws_subdir = src.get("workspace_subdir") or ""
- host_path = src.get("source_path") or ""
- if not ws_subdir or not host_path:
- continue
- entries[ws_subdir] = LocalDir(src=Path(host_path).expanduser().resolve())
+ entries, bind_mounts = build_session_entries(local_sources)
# Caido runs as an in-container sidecar; HTTP(S) traffic from any
# process started via ``session.exec`` (the SDK's Shell tool, etc.)
@@ -81,6 +110,7 @@ async def create_or_reuse(
image=image,
manifest=manifest,
exposed_ports=(_CONTAINER_CAIDO_PORT,),
+ bind_mounts=bind_mounts,
)
caido_endpoint = await session.resolve_exposed_port(_CONTAINER_CAIDO_PORT)
diff --git a/tests/__init__.py b/tests/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/test_local_sources.py b/tests/test_local_sources.py
new file mode 100644
index 000000000..bd3448de8
--- /dev/null
+++ b/tests/test_local_sources.py
@@ -0,0 +1,188 @@
+"""Tests for local-source sizing and ``--mount`` target helpers in interface.utils."""
+
+from __future__ import annotations
+
+import logging
+import os
+import sys
+from typing import TYPE_CHECKING, Any
+
+import pytest
+
+
+if TYPE_CHECKING:
+ from pathlib import Path
+
+from strix.interface.utils import (
+ build_mount_targets_info,
+ collect_local_sources,
+ dedupe_local_targets,
+ directory_size_bytes,
+ find_oversized_local_targets,
+)
+
+
+def _write_file(path: Path, size: int) -> None:
+ path.write_bytes(b"x" * size)
+
+
+def _local_target(target_path: str, *, mount: bool = False) -> dict[str, Any]:
+ details: dict[str, Any] = {"target_path": target_path, "workspace_subdir": "repo"}
+ if mount:
+ details["mount"] = True
+ return {"type": "local_code", "details": details, "original": target_path}
+
+
+def test_directory_size_empty_dir_is_zero(tmp_path: Path) -> None:
+ assert directory_size_bytes(tmp_path) == 0
+
+
+def test_directory_size_sums_flat_and_nested_files(tmp_path: Path) -> None:
+ _write_file(tmp_path / "a.txt", 100)
+ nested = tmp_path / "sub" / "deep"
+ nested.mkdir(parents=True)
+ _write_file(nested / "b.txt", 250)
+ assert directory_size_bytes(tmp_path) == 350
+
+
+def test_directory_size_skips_symlinks(tmp_path: Path) -> None:
+ _write_file(tmp_path / "real.txt", 100)
+ (tmp_path / "link.txt").symlink_to(tmp_path / "real.txt")
+ # The symlink target is counted once via the real file, not doubled.
+ assert directory_size_bytes(tmp_path) == 100
+
+
+@pytest.mark.skipif(sys.platform == "win32", reason="relies on POSIX permissions")
+def test_directory_size_logs_and_skips_unreadable_subdir(
+ tmp_path: Path, caplog: pytest.LogCaptureFixture
+) -> None:
+ if hasattr(os, "geteuid") and os.geteuid() == 0:
+ pytest.skip("root bypasses directory permissions")
+ _write_file(tmp_path / "top.txt", 100)
+ locked = tmp_path / "locked"
+ locked.mkdir()
+ _write_file(locked / "secret.bin", 9999)
+ locked.chmod(0o000)
+ try:
+ with caplog.at_level(logging.WARNING):
+ size = directory_size_bytes(tmp_path)
+ finally:
+ locked.chmod(0o755)
+ # The unreadable subtree is excluded (not silently treated as readable) and
+ # the omission is logged rather than vanishing without a trace.
+ assert size == 100
+ assert any("Could not read" in record.message for record in caplog.records)
+
+
+def test_find_oversized_returns_nothing_under_limit(tmp_path: Path) -> None:
+ _write_file(tmp_path / "a.txt", 100)
+ targets = [_local_target(str(tmp_path))]
+ assert find_oversized_local_targets(targets, max_bytes=1000) == []
+
+
+def test_find_oversized_returns_target_over_limit(tmp_path: Path) -> None:
+ _write_file(tmp_path / "big.bin", 500)
+ targets = [_local_target(str(tmp_path))]
+ result = find_oversized_local_targets(targets, max_bytes=100)
+ assert result == [(str(tmp_path), 500)]
+
+
+def test_find_oversized_ignores_mounted_targets(tmp_path: Path) -> None:
+ _write_file(tmp_path / "big.bin", 500)
+ targets = [_local_target(str(tmp_path), mount=True)]
+ assert find_oversized_local_targets(targets, max_bytes=100) == []
+
+
+def test_find_oversized_ignores_non_local_targets() -> None:
+ targets = [{"type": "web_application", "details": {"target_url": "https://x"}}]
+ assert find_oversized_local_targets(targets, max_bytes=1) == []
+
+
+@pytest.mark.parametrize("disabled", [0, -1])
+def test_find_oversized_disabled_for_non_positive_limit(tmp_path: Path, disabled: int) -> None:
+ _write_file(tmp_path / "big.bin", 500)
+ targets = [_local_target(str(tmp_path))]
+ assert find_oversized_local_targets(targets, max_bytes=disabled) == []
+
+
+def test_collect_local_sources_propagates_mount_flag() -> None:
+ copied = _local_target("/copied")
+ copied["details"]["workspace_subdir"] = "copied"
+ mounted = _local_target("/mounted", mount=True)
+ mounted["details"]["workspace_subdir"] = "mounted"
+
+ sources = collect_local_sources([copied, mounted])
+
+ by_path = {s["source_path"]: s for s in sources}
+ assert by_path["/copied"]["mount"] is False
+ assert by_path["/mounted"]["mount"] is True
+
+
+def test_collect_local_sources_repository_is_never_mounted() -> None:
+ repo = {
+ "type": "repository",
+ "details": {"cloned_repo_path": "/clone", "workspace_subdir": "clone"},
+ }
+ sources = collect_local_sources([repo])
+ assert sources == [{"source_path": "/clone", "workspace_subdir": "clone", "mount": False}]
+
+
+def test_build_mount_targets_info_for_valid_dir(tmp_path: Path) -> None:
+ result = build_mount_targets_info([str(tmp_path)])
+ assert len(result) == 1
+ entry = result[0]
+ assert entry["type"] == "local_code"
+ assert entry["details"]["mount"] is True
+ assert entry["details"]["target_path"] == str(tmp_path.resolve())
+
+
+def test_build_mount_targets_info_rejects_missing_path(tmp_path: Path) -> None:
+ missing = tmp_path / "does-not-exist"
+ with pytest.raises(ValueError, match="not an existing directory"):
+ build_mount_targets_info([str(missing)])
+
+
+def test_build_mount_targets_info_rejects_file(tmp_path: Path) -> None:
+ file_path = tmp_path / "a-file.txt"
+ _write_file(file_path, 10)
+ with pytest.raises(ValueError, match="not an existing directory"):
+ build_mount_targets_info([str(file_path)])
+
+
+@pytest.mark.parametrize("empty", ["", " "])
+def test_build_mount_targets_info_rejects_empty_path(empty: str) -> None:
+ # An empty path would otherwise resolve to the current working directory
+ # and silently bind-mount it into the sandbox.
+ with pytest.raises(ValueError, match="must not be empty"):
+ build_mount_targets_info([empty])
+
+
+def test_dedupe_keeps_distinct_targets_in_order() -> None:
+ targets = [
+ _local_target("/a"),
+ {"type": "web_application", "details": {"target_url": "https://x"}},
+ _local_target("/b", mount=True),
+ ]
+ assert dedupe_local_targets(targets) == targets
+
+
+def test_dedupe_mount_supersedes_copied_same_path() -> None:
+ copied = _local_target("/repo")
+ mounted = _local_target("/repo", mount=True)
+
+ # Copied first, then mounted: the single surviving entry is the mount.
+ result = dedupe_local_targets([copied, mounted])
+ assert len(result) == 1
+ assert result[0]["details"]["mount"] is True
+
+ # Order-independent: mounted first, copied second also yields the mount.
+ result_rev = dedupe_local_targets([mounted, copied])
+ assert len(result_rev) == 1
+ assert result_rev[0]["details"]["mount"] is True
+
+
+def test_dedupe_collapses_duplicate_mounts() -> None:
+ result = dedupe_local_targets(
+ [_local_target("/repo", mount=True), _local_target("/repo", mount=True)]
+ )
+ assert len(result) == 1
diff --git a/tests/test_session_entries.py b/tests/test_session_entries.py
new file mode 100644
index 000000000..8288c1d08
--- /dev/null
+++ b/tests/test_session_entries.py
@@ -0,0 +1,67 @@
+"""Tests for build_session_entries: splitting copied vs bind-mounted sources."""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any
+
+from agents.sandbox.entries import LocalDir
+
+from strix.runtime.session_manager import build_session_entries
+
+
+if TYPE_CHECKING:
+ from pathlib import Path
+
+
+def _source(subdir: str, path: str, *, mount: bool = False) -> dict[str, Any]:
+ return {"source_path": path, "workspace_subdir": subdir, "mount": mount}
+
+
+def test_copied_source_becomes_localdir_entry(tmp_path: Path) -> None:
+ entries, bind_mounts = build_session_entries([_source("repo", str(tmp_path))])
+
+ assert bind_mounts == []
+ assert isinstance(entries["repo"], LocalDir)
+ assert entries["repo"].src == tmp_path.resolve()
+
+
+def test_mounted_source_becomes_bind_mount(tmp_path: Path) -> None:
+ entries, bind_mounts = build_session_entries([_source("repo", str(tmp_path), mount=True)])
+
+ assert entries == {}
+ assert bind_mounts == [
+ {
+ "source": str(tmp_path.resolve()),
+ "target": "/workspace/repo",
+ "read_only": True,
+ }
+ ]
+
+
+def test_mixed_sources_split_correctly(tmp_path: Path) -> None:
+ copied = tmp_path / "copied"
+ mounted = tmp_path / "mounted"
+ copied.mkdir()
+ mounted.mkdir()
+
+ entries, bind_mounts = build_session_entries(
+ [
+ _source("copied", str(copied)),
+ _source("mounted", str(mounted), mount=True),
+ ]
+ )
+
+ assert list(entries) == ["copied"]
+ assert isinstance(entries["copied"], LocalDir)
+ assert [m["target"] for m in bind_mounts] == ["/workspace/mounted"]
+
+
+def test_incomplete_sources_are_skipped() -> None:
+ entries, bind_mounts = build_session_entries(
+ [
+ {"source_path": "", "workspace_subdir": "x"},
+ {"source_path": "/p", "workspace_subdir": ""},
+ ]
+ )
+ assert entries == {}
+ assert bind_mounts == []
diff --git a/uv.lock b/uv.lock
index 29df8e941..cc7cb0a17 100644
--- a/uv.lock
+++ b/uv.lock
@@ -775,6 +775,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/a0/d9/a1e041c5e7caa9a05c925f4bdbdfb7f006d1f74996af53467bc394c97be7/importlib_metadata-8.5.0-py3-none-any.whl", hash = "sha256:45e54197d28b7a7f1559e60b95e7c567032b602131fbd588f1497f47880aa68b", size = 26514, upload-time = "2024-09-11T14:56:07.019Z" },
]
+[[package]]
+name = "iniconfig"
+version = "2.3.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/72/34/14ca021ce8e5dfedc35312d08ba8bf51fdd999c576889fc2c24cb97f4f10/iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730", size = 20503, upload-time = "2025-10-18T21:55:43.219Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" },
+]
+
[[package]]
name = "jinja2"
version = "3.1.6"
@@ -1347,6 +1356,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/platformdirs-4.9.4-py3-none-any.whl", hash = "sha256:68a9a4619a666ea6439f2ff250c12a853cd1cbd5158d258bd824a7df6be2f868", size = 21216, upload-time = "2026-03-05T18:34:12.172Z" },
]
+[[package]]
+name = "pluggy"
+version = "1.6.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412, upload-time = "2025-05-15T12:30:07.975Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538, upload-time = "2025-05-15T12:30:06.134Z" },
+]
+
[[package]]
name = "pre-commit"
version = "4.5.1"
@@ -1633,6 +1651,35 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/0c/82/a2c93e32800940d9573fb28c346772a14778b84ba7524e691b324620ab89/pyright-1.1.408-py3-none-any.whl", hash = "sha256:090b32865f4fdb1e0e6cd82bf5618480d48eecd2eb2e70f960982a3d9a4c17c1", size = 6399144, upload-time = "2026-01-08T08:07:37.082Z" },
]
+[[package]]
+name = "pytest"
+version = "9.1.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+ { name = "colorama", marker = "sys_platform == 'win32'" },
+ { name = "iniconfig" },
+ { name = "packaging" },
+ { name = "pluggy" },
+ { name = "pygments" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/84/0e/b5858858d74958632c49b72cb25a3976ff9f632397626715be71c89d3971/pytest-9.1.0.tar.gz", hash = "sha256:41dd9148c08072446394cefd3d79701701335a9f4cae69ba92e39f6c7f5c061c", size = 1634181, upload-time = "2026-06-13T18:52:45.983Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/8b/5a/ba30a81239b909821b3153e303e7def45178bf353da4f72380e6c5e8793b/pytest-9.1.0-py3-none-any.whl", hash = "sha256:8ebb0e7888bdf2bdfc602ec51f8f62d50200af37356c74e503c79a94f5c81f32", size = 386453, upload-time = "2026-06-13T18:52:44.045Z" },
+]
+
+[[package]]
+name = "pytest-asyncio"
+version = "1.4.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+ { name = "pytest" },
+ { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/43/7c/d36d04db312ecf4298932ef77e6e4a9e8ad017906e24e34f0b0c361a2473/pytest_asyncio-1.4.0.tar.gz", hash = "sha256:c6c0d2259945122819f171a32ecea2c349ead889ee28176caaf492143424be42", size = 58514, upload-time = "2026-05-26T09:56:04.083Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/03/e2/08a497ef684b88559c9cc5f4ad53a37e7b99e727094a86d6ea32536d5d3c/pytest_asyncio-1.4.0-py3-none-any.whl", hash = "sha256:933ca923a23075a87fb7070c0ec272a6848489824d887c85c812670932835aa1", size = 16930, upload-time = "2026-05-26T09:56:02.576Z" },
+]
+
[[package]]
name = "python-discovery"
version = "1.2.0"
@@ -2056,6 +2103,8 @@ dev = [
{ name = "pre-commit" },
{ name = "pyinstaller", marker = "python_full_version < '3.15'" },
{ name = "pyright" },
+ { name = "pytest" },
+ { name = "pytest-asyncio" },
{ name = "ruff" },
]
@@ -2079,6 +2128,8 @@ dev = [
{ name = "pre-commit", specifier = ">=4.2.0" },
{ name = "pyinstaller", marker = "python_full_version >= '3.12' and python_full_version < '3.15'", specifier = ">=6.17.0" },
{ name = "pyright", specifier = ">=1.1.401" },
+ { name = "pytest", specifier = ">=8.3" },
+ { name = "pytest-asyncio", specifier = ">=0.24" },
{ name = "ruff", specifier = ">=0.11.13" },
]