@marimo-team/islands 0.23.3-dev4 → 0.23.3-dev41

package/src/plugins/core/__test__/trusted-url.test.ts

@@ -1,10 +1,66 @@
 /* Copyright 2026 Marimo. All rights reserved. */
 import { afterEach, beforeEach, describe, expect, it } from "vitest";
 import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
 import { store } from "@/core/state/jotai";
 import { isTrustedVirtualFileUrl } from "../trusted-url";
 
+type ExportContextWindow = Window & {
+  __MARIMO_EXPORT_CONTEXT__?: {
+    trusted: true;
+    notebookCode?: string;
+  };
+  __MARIMO_STATIC__?: unknown;
+};
+
+function snapshotTrustState() {
+  return {
+    hasRunAnyCell: store.get(hasRunAnyCellAtom),
+    userConfig: store.get(userConfigAtom),
+    initialMode: store.get(initialModeAtom),
+  };
+}
+
+function restoreTrustState(snapshot: ReturnType<typeof snapshotTrustState>) {
+  store.set(hasRunAnyCellAtom, snapshot.hasRunAnyCell);
+  store.set(userConfigAtom, snapshot.userConfig);
+  store.set(initialModeAtom, snapshot.initialMode);
+}
+
+function setAutoInstantiate(value: boolean) {
+  const cleared = parseUserConfig({});
+  store.set(userConfigAtom, {
+    ...cleared,
+    runtime: { ...cleared.runtime, auto_instantiate: value },
+  });
+}
+
+function clearTrustSignals() {
+  store.set(hasRunAnyCellAtom, false);
+  setAutoInstantiate(false);
+  store.set(initialModeAtom, "edit");
+}
+
 describe("isTrustedVirtualFileUrl", () => {
+  let windowWithExportContext: ExportContextWindow;
+  let trustStateSnapshot: ReturnType<typeof snapshotTrustState>;
+
+  beforeEach(() => {
+    windowWithExportContext = window as ExportContextWindow;
+    trustStateSnapshot = snapshotTrustState();
+    clearTrustSignals();
+    delete windowWithExportContext.__MARIMO_EXPORT_CONTEXT__;
+    delete windowWithExportContext.__MARIMO_STATIC__;
+  });
+
+  afterEach(() => {
+    restoreTrustState(trustStateSnapshot);
+    delete windowWithExportContext.__MARIMO_EXPORT_CONTEXT__;
+    delete windowWithExportContext.__MARIMO_STATIC__;
+  });
+
   it.each([
     "./@file/123-mpl.js",
     "./@file/456-mpl.css",
@@ -48,40 +104,96 @@ describe("isTrustedVirtualFileUrl", () => {
     expect(isTrustedVirtualFileUrl({})).toBe(false);
   });
 
-  describe("data URL exemption", () => {
-    let previousHasRunAnyCell: boolean;
+  /**
+   * Data URLs are the WASM / Pyodide fallback shape (see
+   * `virtual_file.py`: when `virtual_files_supported=False`, files are
+   * emitted directly as base64 data URLs). The tests below cover each
+   * supported and unsupported trust signal.
+   */
+  describe("data URL acceptance", () => {
+    const SAFE_DATA_URLS = [
+      "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+      "data:application/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+      "data:text/css;base64,Ym9keXt9",
+    ];
 
-    beforeEach(() => {
-      previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
-      store.set(hasRunAnyCellAtom, true);
+    it.each(SAFE_DATA_URLS)(
+      "accepts %s once the user has run a cell",
+      (url) => {
+        store.set(hasRunAnyCellAtom, true);
+        expect(isTrustedVirtualFileUrl(url)).toBe(true);
+      },
+    );
+
+    it("accepts safe data URL when trusted export context is present", () => {
+      windowWithExportContext.__MARIMO_EXPORT_CONTEXT__ = {
+        trusted: true,
+        notebookCode: "import marimo\napp = marimo.App()",
+      };
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(true);
+    });
+
+    it("rejects safe data URL when only read mode is present", () => {
+      store.set(initialModeAtom, "read");
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
-    afterEach(() => {
-      store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
+    it("rejects safe data URL when only auto_instantiate is enabled", () => {
+      setAutoInstantiate(true);
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
-    it.each([
-      "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
-      "data:application/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
-      "data:text/css;base64,Ym9keXt9",
-    ])("accepts safe data URL %s after a cell has run", (url) => {
-      expect(isTrustedVirtualFileUrl(url)).toBe(true);
+    it("rejects safe data URL when only a marimo-code tag is present", () => {
+      const tag = document.createElement("marimo-code");
+      tag.textContent = encodeURIComponent("import marimo\napp = marimo.App()");
+      document.body.appendChild(tag);
+      try {
+        expect(
+          isTrustedVirtualFileUrl(
+            "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+          ),
+        ).toBe(false);
+      } finally {
+        tag.remove();
+      }
+    });
+
+    it("rejects safe data URL when only __MARIMO_STATIC__ is present", () => {
+      windowWithExportContext.__MARIMO_STATIC__ = { files: {} };
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
     it.each([
-      // Non-base64 data URLs are refused
+      // Non-base64 data URLs are refused because the unencoded payload
+      // broadens the parsing/loading surface for attacker-controlled content.
       "data:text/javascript,alert(1)",
       "data:text/javascript;charset=utf-8,alert(1)",
-      // HTML / SVG / arbitrary types are refused
+      // HTML / SVG / arbitrary types are refused even when trusted.
       "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
       "data:image/svg+xml;base64,PHN2Zy8+",
       "data:application/octet-stream;base64,AAA=",
-    ])("still rejects unsafe data URL %s", (url) => {
+    ])("still rejects unsafe data URL %s in trusted context", (url) => {
+      store.set(hasRunAnyCellAtom, true);
       expect(isTrustedVirtualFileUrl(url)).toBe(false);
     });
 
-    it("rejects data URL when no cell has been run", () => {
-      store.set(hasRunAnyCellAtom, false);
+    it("rejects data URLs when no trust signal is set", () => {
       expect(
         isTrustedVirtualFileUrl(
           "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",

package/src/plugins/core/sanitize.ts

@@ -3,25 +3,31 @@ import { atom, useAtomValue } from "jotai";
 import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
 import { autoInstantiateAtom } from "@/core/config/config";
 import { getInitialAppMode } from "@/core/mode";
+import { hasTrustedExportContext } from "@/core/static/export-context";
 
 // Re-export so existing consumers don't break.
 export { sanitizeHtml } from "./sanitize-html";
 
 /**
- * Whether to sanitize the html.
- * When running as an app or with auto_instantiate enabled
- * we ignore sanitization because they should be treated as a website.
+ * Whether to sanitize the html. Trust signals match
+ * `hasTrustedNotebookContext` in `@/core/static/export-context`.
+ * Kept as a jotai atom so consumers re-render when `hasRunAnyCellAtom`
+ * flips after the user runs a cell.
  */
 const sanitizeHtmlAtom = atom<boolean>((get) => {
   const hasRunAnyCell = get(hasRunAnyCellAtom);
   const autoInstantiate = get(autoInstantiateAtom);
 
-  // If a user has specifically run at least one cell or auto_instantiate is enabled, we don't need to sanitize.
-  // HTML needs to be rich to allow for interactive widgets and other dynamic content.
   if (hasRunAnyCell || autoInstantiate) {
     return false;
   }
 
+  // Trusted export context is installed once at page load by a first-party
+  // script (frozen + non-configurable), so a direct read is safe and stable.
+  if (hasTrustedExportContext()) {
+    return false;
+  }
+
   let isInAppMode = true;
   try {
     isInAppMode = getInitialAppMode() === "read";

package/src/plugins/core/trusted-url.ts

@@ -1,6 +1,7 @@
 /* Copyright 2026 Marimo. All rights reserved. */
 
 import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { hasTrustedExportContext } from "@/core/static/export-context";
 import { store } from "@/core/state/jotai";
 
 /**
@@ -15,13 +16,13 @@ import { store } from "@/core/state/jotai";
  * attacker-controlled JavaScript at same origin, since the HTML sanitizer
  * lets arbitrary marimo custom elements and attributes through.
  *
- * Some runtimes (WASM, VS Code) have no backend to serve virtual files, so
- * `VirtualFile` falls back to inline base64 data URLs (see `virtual_file.py`).
+ * Some runtimes (WASM, VS Code, and trusted exported notebook contexts such as
+ * Quarto islands) have no backend to serve virtual files, so `VirtualFile`
+ * falls back to inline base64 data URLs (see `virtual_file.py`).
  * We accept those only once the user has explicitly run a cell in the current
- * notebook — the same trust signal `sanitize.ts` uses to lift HTML
- * sanitization. Running a cell requires deliberate user action and already
- * executes arbitrary Python, so a data URL script loaded afterwards is not a
- * new attack surface.
+ * notebook, or when a first-party export script has installed a trusted
+ * notebook export context. Both cases already imply trust in notebook-authored
+ * code, so loading the matching data URL is not a new attack surface.
  */
 export function isTrustedVirtualFileUrl(url: unknown): url is string {
   if (typeof url !== "string" || url.length === 0) {
@@ -30,16 +31,37 @@ export function isTrustedVirtualFileUrl(url: unknown): url is string {
   if (/^(\.?\/)?@file\/[^?#]+$/.test(url)) {
     return true;
   }
-  if (isSafeDataUrl(url) && store.get(hasRunAnyCellAtom)) {
+  if (isSafeDataUrl(url)) {
     return true;
   }
   return false;
 }
 
+/**
+ * Intentionally narrower than `hasTrustedNotebookContext` in
+ * `@/core/static/export-context`: `auto_instantiate` and `read` mode are
+ * deliberately excluded here. Both can be triggered by DOM-observable page
+ * shape, and accepting inline base64 `data:` JS/CSS payloads on their
+ * strength would let a hostile notebook page smuggle attacker-controlled
+ * script into the same origin. Keep this gate tied only to "user actively
+ * ran a cell" or "first-party exporter installed a trusted runtime marker".
+ */
+function hasNotebookTrustedDataUrlContext(): boolean {
+  return store.get(hasRunAnyCellAtom) || hasTrustedExportContext();
+}
+
+/**
+ * Safe data URL formats: JS/CSS inlined as base64. Non-base64 data URLs and
+ * other MIME types (HTML, SVG, octet-stream, etc.) are refused because they
+ * broaden the surface for attacker-controlled inline content.
+ */
 function isSafeDataUrl(url: string): boolean {
-  return (
+  const isSafeKind =
     url.startsWith("data:text/javascript;base64,") ||
     url.startsWith("data:application/javascript;base64,") ||
-    url.startsWith("data:text/css;base64,")
-  );
+    url.startsWith("data:text/css;base64,");
+  if (!isSafeKind) {
+    return false;
+  }
+  return hasNotebookTrustedDataUrlContext();
 }

package/src/plugins/impl/anywidget/__tests__/widget-binding.test.ts

@@ -1,5 +1,11 @@
 /* Copyright 2026 Marimo. All rights reserved. */
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { ExtractAtomValue } from "jotai";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
+import { store } from "@/core/state/jotai";
 import { Model } from "../model";
 import type { ModelState, WidgetModelId } from "../types";
 import { visibleForTesting } from "../widget-binding";
@@ -18,9 +24,31 @@ function createMockComm() {
 
 describe("WidgetDefRegistry", () => {
   let registry: InstanceType<typeof WidgetDefRegistry>;
+  let previousConfig: ExtractAtomValue<typeof userConfigAtom>;
+  let previousMode: ExtractAtomValue<typeof initialModeAtom>;
+  let previousHasRunAnyCell: ExtractAtomValue<typeof hasRunAnyCellAtom>;
 
   beforeEach(() => {
     registry = new WidgetDefRegistry();
+    // Force "no notebook trust" so the `data:` rejection test below
+    // exercises the untrusted branch. The positive trust path is covered
+    // centrally in trusted-url.test.ts.
+    previousConfig = store.get(userConfigAtom);
+    previousMode = store.get(initialModeAtom);
+    previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
+    store.set(hasRunAnyCellAtom, false);
+    const cleared = parseUserConfig({});
+    store.set(userConfigAtom, {
+      ...cleared,
+      runtime: { ...cleared.runtime, auto_instantiate: false },
+    });
+    store.set(initialModeAtom, "edit");
+  });
+
+  afterEach(() => {
+    store.set(userConfigAtom, previousConfig);
+    store.set(initialModeAtom, previousMode);
+    store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
   });
 
   it("should cache modules by jsHash and return same promise", () => {

package/src/plugins/impl/mpl-interactive/__tests__/MplInteractivePlugin.test.tsx

@@ -1,12 +1,41 @@
 /* Copyright 2026 Marimo. All rights reserved. */
+import type { ExtractAtomValue } from "jotai";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
+import { store } from "@/core/state/jotai";
 import { Logger } from "@/utils/Logger";
 import { visibleForTesting } from "../MplInteractivePlugin";
 
 const { ensureMplJs, injectCss, resetMplJsLoading } = visibleForTesting;
 
+/**
+ * Clear every "notebook trust" signal `isTrustedVirtualFileUrl` consults so
+ * the rejection cases below test the actually-untrusted branch. Positive
+ * export-context trust is covered centrally in trusted-url.test.ts.
+ */
+function clearTrustSignals() {
+  store.set(hasRunAnyCellAtom, false);
+  const cleared = parseUserConfig({});
+  store.set(userConfigAtom, {
+    ...cleared,
+    runtime: { ...cleared.runtime, auto_instantiate: false },
+  });
+  store.set(initialModeAtom, "edit");
+}
+
 describe("MplInteractivePlugin URL validation", () => {
+  let previousConfig: ExtractAtomValue<typeof userConfigAtom>;
+  let previousMode: ExtractAtomValue<typeof initialModeAtom>;
+  let previousHasRunAnyCell: ExtractAtomValue<typeof hasRunAnyCellAtom>;
+
   beforeEach(() => {
+    previousConfig = store.get(userConfigAtom);
+    previousMode = store.get(initialModeAtom);
+    previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
+    clearTrustSignals();
     // Reset module-level script-loading state and any stubs.
     delete (window as { mpl?: unknown }).mpl;
     resetMplJsLoading();
@@ -20,6 +49,9 @@ describe("MplInteractivePlugin URL validation", () => {
 
   afterEach(() => {
     vi.restoreAllMocks();
+    store.set(userConfigAtom, previousConfig);
+    store.set(initialModeAtom, previousMode);
+    store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
   });
 
   describe("ensureMplJs", () => {
@@ -35,6 +67,8 @@ describe("MplInteractivePlugin URL validation", () => {
       "https://evil.example.com/x.js",
       "//evil.example.com/x.js",
       "javascript:alert(1)",
+      // Data URL is rejected only in an untrusted context. WASM/autoInstantiate
+      // intentionally accepts it — covered by trusted-url.test.ts.
       "data:text/javascript;base64,YWxlcnQoMSk=",
       "./@file/x.js?redirect=http://evil.com",
     ])("rejects %s", async (url) => {

package/src/plugins/impl/panel/__tests__/PanelPlugin.test.ts

@@ -1,10 +1,39 @@
 /* Copyright 2026 Marimo. All rights reserved. */
+import type { ExtractAtomValue } from "jotai";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
+import { store } from "@/core/state/jotai";
 import { Logger } from "@/utils/Logger";
 import { loadPanelExtension } from "../PanelPlugin";
 
+/**
+ * Force the "no notebook trust" branch so the `data:` URL rejection below
+ * actually exercises the untrusted path. Positive export-context trust is
+ * covered centrally in trusted-url.test.ts.
+ */
+function clearTrustSignals() {
+  store.set(hasRunAnyCellAtom, false);
+  const cleared = parseUserConfig({});
+  store.set(userConfigAtom, {
+    ...cleared,
+    runtime: { ...cleared.runtime, auto_instantiate: false },
+  });
+  store.set(initialModeAtom, "edit");
+}
+
 describe("loadPanelExtension", () => {
+  let previousConfig: ExtractAtomValue<typeof userConfigAtom>;
+  let previousMode: ExtractAtomValue<typeof initialModeAtom>;
+  let previousHasRunAnyCell: ExtractAtomValue<typeof hasRunAnyCellAtom>;
+
   beforeEach(() => {
+    previousConfig = store.get(userConfigAtom);
+    previousMode = store.get(initialModeAtom);
+    previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
+    clearTrustSignals();
     for (const el of document.head.querySelectorAll("script")) {
       el.remove();
     }
@@ -12,6 +41,9 @@ describe("loadPanelExtension", () => {
 
   afterEach(() => {
     vi.restoreAllMocks();
+    store.set(userConfigAtom, previousConfig);
+    store.set(initialModeAtom, previousMode);
+    store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
   });
 
   it("does nothing and returns false for null URL", () => {
@@ -35,8 +67,9 @@ describe("loadPanelExtension", () => {
   it.each([
     "https://evil.example.com/x.js",
     "//evil.example.com/x.js",
-    // An attacker embedding inline JS as a data URL — what the old plugin
-    // would have executed verbatim via script.innerHTML.
+    // Data URL is rejected only in an untrusted context — the WASM fallback
+    // legitimately produces these, so trusted-url.test.ts covers the
+    // positive path when a notebook trust signal is set.
     "data:text/javascript;base64,YWxlcnQoMSk=",
     "javascript:alert(1)",
     "./@file/x.js#http://evil.com",

package/src/utils/__tests__/path.test.ts

@@ -9,6 +9,26 @@ describe("Paths", () => {
     expect(Paths.isAbsolute("/user/docs/Letter.txt")).toBe(true);
     expect(Paths.isAbsolute("C:\\user\\docs\\Letter.txt")).toBe(true);
     expect(Paths.isAbsolute("user/docs/Letter.txt")).toBe(false);
+
+    // Any Windows drive letter, either separator, and any case
+    expect(Paths.isAbsolute("D:\\Users\\x\\a.py")).toBe(true);
+    expect(Paths.isAbsolute("z:/tmp/file")).toBe(true);
+    expect(Paths.isAbsolute("e:\\")).toBe(true);
+
+    // UNC / server paths
+    expect(Paths.isAbsolute("\\\\server\\share\\file")).toBe(true);
+
+    // URI schemes
+    expect(Paths.isAbsolute("s3://bucket/key")).toBe(true);
+    expect(Paths.isAbsolute("gs://bucket/key")).toBe(true);
+    expect(Paths.isAbsolute("file:///tmp/file")).toBe(true);
+    expect(Paths.isAbsolute("http://example.com/x")).toBe(true);
+
+    // Negative cases
+    expect(Paths.isAbsolute("C:file")).toBe(false); // drive without separator
+    expect(Paths.isAbsolute("notebook.py")).toBe(false);
+    expect(Paths.isAbsolute("./relative")).toBe(false);
+    expect(Paths.isAbsolute("")).toBe(false);
   });
 
   describe("dirname", () => {

package/src/utils/pathUtils.test.ts

@@ -1,6 +1,12 @@
 /* Copyright 2026 Marimo. All rights reserved. */
 import { describe, expect, it } from "vitest";
-import { fileSplit, getProtocolAndParentDirectories } from "./pathUtils";
+import {
+  fileSplit,
+  getProtocolAndParentDirectories,
+  makeDuplicateName,
+  resolvePaths,
+  toAbsolutePath,
+} from "./pathUtils";
 
 describe("getProtocolAndParentDirectories", () => {
   it("should extract protocol and list parent directories correctly", () => {
@@ -111,3 +117,137 @@ describe("fileSplit", () => {
     ]);
   });
 });
+
+describe("makeDuplicateName", () => {
+  it("appends _copy before the extension", () => {
+    expect(makeDuplicateName("notebook.py")).toBe("notebook_copy.py");
+    expect(makeDuplicateName("foo.tar.gz")).toBe("foo.tar_copy.gz");
+  });
+
+  it("appends _copy for extensionless names", () => {
+    expect(makeDuplicateName("README")).toBe("README_copy");
+  });
+});
+
+describe("toAbsolutePath", () => {
+  it("joins relative paths against the root", () => {
+    expect(toAbsolutePath("notebooks/a.py", "/workspaces/marimo")).toBe(
+      "/workspaces/marimo/notebooks/a.py",
+    );
+  });
+
+  it("returns absolute POSIX paths unchanged", () => {
+    expect(toAbsolutePath("/abs/a.py", "/workspaces/marimo")).toBe("/abs/a.py");
+  });
+
+  it("returns absolute Windows paths unchanged", () => {
+    expect(toAbsolutePath("C:\\Users\\x\\a.py", "C:\\Users\\marimo")).toBe(
+      "C:\\Users\\x\\a.py",
+    );
+  });
+
+  it("joins relative paths using the Windows delimiter", () => {
+    expect(toAbsolutePath("a.py", "C:\\Users\\marimo")).toBe(
+      "C:\\Users\\marimo\\a.py",
+    );
+  });
+});
+
+describe("resolvePaths", () => {
+  it("resolves relative paths against the root", () => {
+    expect(
+      resolvePaths({
+        path: "notebooks/notebook.py",
+        name: "notebook_copy.py",
+        root: "/workspaces/marimo",
+      }),
+    ).toEqual({
+      path: "/workspaces/marimo/notebooks/notebook.py",
+      newPath: "/workspaces/marimo/notebooks/notebook_copy.py",
+    });
+  });
+
+  it("keeps absolute source paths untouched", () => {
+    expect(
+      resolvePaths({
+        path: "/abs/path/notebook.py",
+        name: "notebook_copy.py",
+        root: "/workspaces/marimo",
+      }),
+    ).toEqual({
+      path: "/abs/path/notebook.py",
+      newPath: "/abs/path/notebook_copy.py",
+    });
+  });
+
+  it("handles Windows roots for relative paths", () => {
+    expect(
+      resolvePaths({
+        path: "notebook.py",
+        name: "notebook_copy.py",
+        root: "C:\\Users\\marimo",
+      }),
+    ).toEqual({
+      path: "C:\\Users\\marimo\\notebook.py",
+      newPath: "C:\\Users\\marimo\\notebook_copy.py",
+    });
+  });
+
+  it("handles Windows absolute source paths", () => {
+    // The tricky case: `path` is an absolute Windows path with a drive letter,
+    // so it must be detected by `Paths.isAbsolute` AND the deliminator must be
+    // picked up from the root so the join uses backslashes.
+    expect(
+      resolvePaths({
+        path: "C:\\Users\\marimo\\folder\\notebook.py",
+        name: "notebook_copy.py",
+        root: "C:\\Users\\marimo",
+      }),
+    ).toEqual({
+      path: "C:\\Users\\marimo\\folder\\notebook.py",
+      newPath: "C:\\Users\\marimo\\folder\\notebook_copy.py",
+    });
+  });
+
+  it("keeps the file in its current directory when renaming", () => {
+    expect(
+      resolvePaths({
+        path: "/root/a/b/file.py",
+        name: "renamed.py",
+        root: "/root",
+      }),
+    ).toEqual({
+      path: "/root/a/b/file.py",
+      newPath: "/root/a/b/renamed.py",
+    });
+  });
+
+  it("handles an empty root with an absolute POSIX path", () => {
+    // Callers that already hold absolute paths pass `root: ""`. In that case
+    // the delimiter must be inferred from the path itself, not from `""` (which
+    // would otherwise default to Windows backslashes).
+    expect(
+      resolvePaths({
+        path: "/abs/path/file.py",
+        name: "renamed.py",
+        root: "",
+      }),
+    ).toEqual({
+      path: "/abs/path/file.py",
+      newPath: "/abs/path/renamed.py",
+    });
+  });
+
+  it("handles an empty root with an absolute Windows path", () => {
+    expect(
+      resolvePaths({
+        path: "C:\\Users\\marimo\\file.py",
+        name: "renamed.py",
+        root: "",
+      }),
+    ).toEqual({
+      path: "C:\\Users\\marimo\\file.py",
+      newPath: "C:\\Users\\marimo\\renamed.py",
+    });
+  });
+});