@plmbr/notebook-intelligence 5.0.0 → 5.0.1

package/README.md

@@ -159,7 +159,7 @@ NBI reloads open document tabs when their files change on disk, so edits an AI a
 
 ## Configuration
 
-Configure your provider, model, and API key from NBI Settings — the gear icon in the chat panel, the `/settings` chat command, or the JupyterLab command palette. For background, see the [provider blog post](https://notebook-intelligence.github.io/notebook-intelligence/blog/2025/03/05/support-for-any-llm-provider.html).
+Configure your provider, model, and API key from NBI Settings — the gear icon in the chat panel, the `/settings` chat command, or the JupyterLab command palette. For background, see the [provider blog post](https://plmbr.dev/blog/archive/support-for-any-llm-provider/).
 
 <img src="media/provider-list.png" alt="Settings dialog" width=500 />
 
@@ -398,10 +398,10 @@ The feedback fires an in-process `telemetry` event. Nothing leaves the process b
 
 ## Further reading
 
-- [Introducing Notebook Intelligence!](https://notebook-intelligence.github.io/notebook-intelligence/blog/2025/01/08/introducing-notebook-intelligence.html)
-- [Building AI Extensions for JupyterLab](https://notebook-intelligence.github.io/notebook-intelligence/blog/2025/02/05/building-ai-extensions-for-jupyterlab.html)
-- [Building AI Agents for JupyterLab](https://notebook-intelligence.github.io/notebook-intelligence/blog/2025/02/09/building-ai-agents-for-jupyterlab.html)
-- [Notebook Intelligence now supports any LLM Provider and AI Model!](https://notebook-intelligence.github.io/notebook-intelligence/blog/2025/03/05/support-for-any-llm-provider.html)
+- [Introducing Notebook Intelligence!](https://plmbr.dev/blog/archive/introducing-notebook-intelligence/)
+- [Building AI Extensions for JupyterLab](https://plmbr.dev/blog/archive/building-ai-extensions-for-jupyterlab/)
+- [Building AI Agents for JupyterLab](https://plmbr.dev/blog/archive/building-ai-agents-for-jupyterlab/)
+- [Notebook Intelligence now supports any LLM Provider and AI Model!](https://plmbr.dev/blog/archive/support-for-any-llm-provider/)
 
 ## Roadmap
 

package/lib/chat-sidebar.js

@@ -13,8 +13,9 @@ import copySvgstr from '../style/icons/copy.svg';
 import copilotSvgstr from '../style/icons/copilot.svg';
 import copilotWarningSvgstr from '../style/icons/copilot-warning.svg';
 import { VscSend, VscStopCircle, VscEye, VscEyeClosed, VscAdd, VscClose, VscHistory, VscTriangleRight, VscTriangleDown, VscSettingsGear, VscPassFilled, VscTools, VscTrash, VscThumbsup, VscThumbsdown, VscThumbsupFilled, VscThumbsdownFilled, VscCloudUpload, VscFile, VscRefresh } from './icons';
-import { extractLLMGeneratedCode, isDarkTheme, safeAnchorUri, writeTextToClipboard } from './utils';
+import { extractLLMGeneratedCode, isDarkTheme, writeTextToClipboard } from './utils';
 import { CheckBoxItem } from './components/checkbox';
+import { SafeAnchor } from './components/safe-anchor';
 import { mcpServerSettingsToEnabledState } from './components/mcp-util';
 import claudeSvgStr from '../style/icons/claude.svg';
 import { AskUserQuestion } from './components/ask-user-question';
@@ -474,17 +475,8 @@ function ChatResponse(props) {
                             React.createElement("button", { className: "jp-Dialog-button jp-mod-accept jp-mod-styled", onClick: () => runCommand(item.content.commandId, item.content.args) },
                                 React.createElement("div", { className: "jp-Dialog-buttonLabel" }, item.content.title))));
                     case ResponseStreamDataType.Anchor: {
-                        const safeUri = safeAnchorUri(item.content.uri);
-                        if (!safeUri) {
-                            return (React.createElement("div", { className: "chat-response-anchor", key: `key-${index}` },
-                                React.createElement("span", null,
-                                    item.content.title,
-                                    React.createElement("span", { className: "nbi-sr-only" }, " (link blocked)"))));
-                        }
                         return (React.createElement("div", { className: "chat-response-anchor", key: `key-${index}` },
-                            React.createElement("a", { href: safeUri, target: "_blank", rel: "noopener noreferrer" },
-                                item.content.title,
-                                React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)"))));
+                            React.createElement(SafeAnchor, { href: item.content.uri }, item.content.title)));
                     }
                     case ResponseStreamDataType.Progress:
                         // Render only the most recent progress entry, and only while
@@ -3369,28 +3361,20 @@ function GitHubCopilotLoginDialogBodyComponent(props) {
         ghLoginStatus === GitHubCopilotLoginStatus.NotLoggedIn && (React.createElement(React.Fragment, null,
             React.createElement("div", null, "Your code and data are directly transferred to GitHub Copilot as needed without storing any copies other than keeping in the process memory."),
             React.createElement("div", null,
-                React.createElement("a", { href: "https://github.com/features/copilot", target: "_blank", rel: "noopener noreferrer" },
-                    "GitHub Copilot",
-                    React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)")),
+                React.createElement(SafeAnchor, { href: "https://github.com/features/copilot" }, "GitHub Copilot"),
                 ' ',
                 "requires a subscription and it has a free tier. GitHub Copilot is subject to the",
                 ' ',
-                React.createElement("a", { href: "https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features", target: "_blank", rel: "noopener noreferrer" },
-                    "GitHub Terms for Additional Products and Features",
-                    React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)")),
+                React.createElement(SafeAnchor, { href: "https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features" }, "GitHub Terms for Additional Products and Features"),
                 "."),
             React.createElement("div", null,
                 React.createElement("h4", null, "Privacy and terms"),
                 "By using Notebook Intelligence with GitHub Copilot subscription you agree to",
                 ' ',
-                React.createElement("a", { href: "https://docs.github.com/en/copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide", target: "_blank", rel: "noopener noreferrer" },
-                    "GitHub Copilot chat terms",
-                    React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)")),
+                React.createElement(SafeAnchor, { href: "https://docs.github.com/en/copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide" }, "GitHub Copilot chat terms"),
                 ". Review the terms to understand about usage, limitations and ways to improve GitHub Copilot. Please review",
                 ' ',
-                React.createElement("a", { href: "https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement", target: "_blank", rel: "noopener noreferrer" },
-                    "Privacy Statement",
-                    React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)")),
+                React.createElement(SafeAnchor, { href: "https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement" }, "Privacy Statement"),
                 "."),
             React.createElement("div", null,
                 React.createElement("button", { className: "jp-Dialog-button jp-mod-accept jp-mod-reject jp-mod-styled", onClick: handleLoginClick },
@@ -3415,7 +3399,7 @@ function GitHubCopilotLoginDialogBodyComponent(props) {
                 ' ',
                 "and enter at",
                 ' ',
-                React.createElement("a", { href: deviceActivationURL, target: "_blank", rel: "noopener noreferrer" }, deviceActivationURL),
+                React.createElement(SafeAnchor, { href: deviceActivationURL }, deviceActivationURL),
                 ' ',
                 "to allow access to GitHub Copilot from this app. Activation could take up to a minute after you enter the code."))),
         ghLoginStatus === GitHubCopilotLoginStatus.ActivatingDevice && (React.createElement("div", { style: { marginTop: '10px' } },

package/lib/components/markdown-link.d.ts

@@ -0,0 +1,33 @@
+import React from 'react';
+import { JupyterFrontEnd } from '@jupyterlab/application';
+type MarkdownLinkProps = {
+    app: JupyterFrontEnd;
+    baseDir: string;
+    href: unknown;
+    title?: unknown;
+    children?: React.ReactNode;
+};
+/**
+ * Render an anchor node coming out of `react-markdown` so chat-sidebar
+ * links can never replace the JupyterLab shell or pivot through the
+ * lab origin.
+ *
+ * Three branches:
+ *   - Fragment-only (`#section`): inert plain text. A new-tab open would
+ *     navigate to `about:blank#section`, and a same-tab open would scroll
+ *     the wrong document; neither matches what the LLM meant.
+ *   - Workspace-relative (no scheme, no leading `/`, no `//` prefix):
+ *     resolved against the active document's directory, re-validated,
+ *     and routed through JupyterLab's `docmanager:open` command so a
+ *     `.ipynb` opens with the notebook factory and a `.md` opens in the
+ *     editor. The anchor's `href` stays `"#"` because a populated `href`
+ *     bypasses React's onClick on middle/Cmd-click, letting the browser
+ *     navigate `/lab/<path>` with session cookies attached; the hover
+ *     preview moves to `title` so the user still sees the intended
+ *     target.
+ *   - Everything else: handed to `SafeAnchor`, which enforces the
+ *     `safeAnchorUri` scheme allowlist and emits a `_blank` anchor with
+ *     `rel="noopener noreferrer"`.
+ */
+export declare function MarkdownLink({ app, baseDir, href, title, children }: MarkdownLinkProps): React.ReactElement;
+export {};

package/lib/components/markdown-link.js

@@ -0,0 +1,114 @@
+// Copyright (c) Mehmet Bektas <mbektasgh@outlook.com>
+import React from 'react';
+import { PathExt } from '@jupyterlab/coreutils';
+import { SafeAnchor } from './safe-anchor';
+import { hasDangerousTextCodepoints } from '../utils';
+// Match an absolute URI by its scheme prefix so a workspace-relative path
+// (`README.md`) is distinguished from a protocol-rooted URL (`http://...`).
+// Mirrors the SCHEME_RE in utils.ts; kept local because this discriminant
+// answers a different question (presence vs. allowlist).
+const SCHEME_PREFIX_RE = /^[A-Za-z][A-Za-z0-9+.-]*:/;
+/**
+ * True when a freshly-joined workspace path is *not* safe to hand to
+ * `docmanager:open` or expose on a rendered anchor. Rejects:
+ *
+ * - leading `..` segments or absolute paths: the join didn't anchor and
+ *   the path escapes the Jupyter root (ContentsManager rejects too, but
+ *   we want to fail closed visually as well so the status bar/title
+ *   never previews a traversal target),
+ * - any embedded scheme: `PathExt.join('', 'java\tscript:alert(1)')`
+ *   returns the input verbatim, so a path that looks workspace-relative
+ *   pre-join can unmask into a `javascript:` href when `baseDir` is
+ *   empty (any active doc at server root),
+ * - dangerous codepoints (bidi-override, zero-width, C0/C1/DEL, etc.):
+ *   the WHATWG URL parser strips these from the scheme during
+ *   recognition, and they also visually impersonate the link target on
+ *   hover / in dev-tools logs.
+ */
+function isUnsafeWorkspacePath(path) {
+    // Empty / cwd-only paths reach here when react-markdown's built-in
+    // `urlTransform` strips an unsafe scheme (`javascript:`, `data:`, ...)
+    // to an empty string before our override runs: the result joins to
+    // either `""` or `"."`, both of which would render as a dead
+    // `<a href="#">` that 404s on click. Surface them as blocked-link
+    // spans so the user sees why nothing happened.
+    if (path === '' || path === '.' || path === './') {
+        return true;
+    }
+    if (path.startsWith('/') || path === '..' || path.startsWith('../')) {
+        return true;
+    }
+    if (SCHEME_PREFIX_RE.test(path)) {
+        return true;
+    }
+    if (hasDangerousTextCodepoints(path)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Render an anchor node coming out of `react-markdown` so chat-sidebar
+ * links can never replace the JupyterLab shell or pivot through the
+ * lab origin.
+ *
+ * Three branches:
+ *   - Fragment-only (`#section`): inert plain text. A new-tab open would
+ *     navigate to `about:blank#section`, and a same-tab open would scroll
+ *     the wrong document; neither matches what the LLM meant.
+ *   - Workspace-relative (no scheme, no leading `/`, no `//` prefix):
+ *     resolved against the active document's directory, re-validated,
+ *     and routed through JupyterLab's `docmanager:open` command so a
+ *     `.ipynb` opens with the notebook factory and a `.md` opens in the
+ *     editor. The anchor's `href` stays `"#"` because a populated `href`
+ *     bypasses React's onClick on middle/Cmd-click, letting the browser
+ *     navigate `/lab/<path>` with session cookies attached; the hover
+ *     preview moves to `title` so the user still sees the intended
+ *     target.
+ *   - Everything else: handed to `SafeAnchor`, which enforces the
+ *     `safeAnchorUri` scheme allowlist and emits a `_blank` anchor with
+ *     `rel="noopener noreferrer"`.
+ */
+export function MarkdownLink({ app, baseDir, href, title, children }) {
+    if (typeof href === 'string') {
+        if (href.startsWith('#')) {
+            return React.createElement("span", null, children);
+        }
+        if (!SCHEME_PREFIX_RE.test(href) &&
+            !href.startsWith('/') &&
+            !href.startsWith('//')) {
+            // PathExt.join: plain concatenation + normalization. Resolve()
+            // would fall back to the browser process cwd when `baseDir` is
+            // relative, which gives nonsense like `/Users/.../notebooks/...`.
+            const resolvedPath = PathExt.join(baseDir, href);
+            // Re-validate post-join. Two attack/confusion shapes the pre-check
+            // alone misses: `[x](java\tscript:alert(1))` survives the scheme
+            // sniff because `\t` isn't a scheme char, then unmasks once the
+            // WHATWG parser sees the joined href; `[x](../../../etc/passwd)`
+            // looks workspace-relative but escapes the workspace root.
+            if (isUnsafeWorkspacePath(resolvedPath)) {
+                return (React.createElement(SafeAnchor, { href: null, title: undefined }, children));
+            }
+            // href="#" rather than href={resolvedPath}: a modifier-click on a
+            // populated href bypasses the React onClick, lets the browser
+            // navigate the chat sidebar to /lab/<path> in a new tab, and would
+            // ride along the user's Jupyter session cookies. The hover preview
+            // moves to `title` so the user still sees the intended target.
+            const safeTitleFromMd = typeof title === 'string' && !hasDangerousTextCodepoints(title)
+                ? title
+                : undefined;
+            const hoverTitle = safeTitleFromMd !== null && safeTitleFromMd !== void 0 ? safeTitleFromMd : resolvedPath;
+            const onClick = (e) => {
+                e.preventDefault();
+                // ContentsManager rejects paths outside the Jupyter root with a
+                // promise rejection. Catch so the failure surfaces in logs instead
+                // of an unhandled rejection, and the user can see the rendered
+                // anchor was attempted even when the target doesn't exist.
+                Promise.resolve(app.commands.execute('docmanager:open', { path: resolvedPath })).catch(err => {
+                    console.warn(`NBI: failed to open workspace path "${resolvedPath}":`, err);
+                });
+            };
+            return (React.createElement("a", { href: "#", title: hoverTitle, onClick: onClick }, children));
+        }
+    }
+    return (React.createElement(SafeAnchor, { href: typeof href === 'string' ? href : null, title: typeof title === 'string' ? title : undefined }, children));
+}

package/lib/components/safe-anchor.d.ts

@@ -0,0 +1,25 @@
+import React from 'react';
+type SafeAnchorProps = {
+    href: string | undefined | null;
+    children: React.ReactNode;
+    title?: string;
+    className?: string;
+};
+/**
+ * The single render path for anchor elements driven by LLM / tool output.
+ *
+ * Runs `href` through `safeAnchorUri`, which mirrors the server-side
+ * `safe_anchor_uri` allowlist (`http` / `https` / `mailto`) and rejects
+ * dangerous codepoints. On accept it renders a `_blank` anchor with
+ * `rel="noopener noreferrer"` and an SR-only "(opens in new tab)" suffix;
+ * on reject it falls through to plain text plus an SR-only "(link
+ * blocked)" note so screen readers can tell why the link disappeared.
+ *
+ * The `title` attribute is scrubbed for the same dangerous codepoints
+ * the URI check rejects, since react-markdown forwards CommonMark
+ * `[text](url "title")` titles to the rendered anchor and an LLM can
+ * smuggle bidi-override or zero-width characters there to visually
+ * impersonate the link target on hover.
+ */
+export declare function SafeAnchor({ href, children, title, className }: SafeAnchorProps): React.ReactElement;
+export {};

package/lib/components/safe-anchor.js

@@ -0,0 +1,33 @@
+// Copyright (c) Mehmet Bektas <mbektasgh@outlook.com>
+import React from 'react';
+import { hasDangerousTextCodepoints, safeAnchorUri } from '../utils';
+/**
+ * The single render path for anchor elements driven by LLM / tool output.
+ *
+ * Runs `href` through `safeAnchorUri`, which mirrors the server-side
+ * `safe_anchor_uri` allowlist (`http` / `https` / `mailto`) and rejects
+ * dangerous codepoints. On accept it renders a `_blank` anchor with
+ * `rel="noopener noreferrer"` and an SR-only "(opens in new tab)" suffix;
+ * on reject it falls through to plain text plus an SR-only "(link
+ * blocked)" note so screen readers can tell why the link disappeared.
+ *
+ * The `title` attribute is scrubbed for the same dangerous codepoints
+ * the URI check rejects, since react-markdown forwards CommonMark
+ * `[text](url "title")` titles to the rendered anchor and an LLM can
+ * smuggle bidi-override or zero-width characters there to visually
+ * impersonate the link target on hover.
+ */
+export function SafeAnchor({ href, children, title, className }) {
+    const safeUri = safeAnchorUri(href !== null && href !== void 0 ? href : '');
+    if (!safeUri) {
+        return (React.createElement("span", { className: className },
+            children,
+            React.createElement("span", { className: "nbi-sr-only" }, " (link blocked)")));
+    }
+    const safeTitle = typeof title === 'string' && !hasDangerousTextCodepoints(title)
+        ? title
+        : undefined;
+    return (React.createElement("a", { href: safeUri, target: "_blank", rel: "noopener noreferrer", title: safeTitle, className: className },
+        children,
+        React.createElement("span", { className: "nbi-sr-only" }, " (opens in new tab)")));
+}

package/lib/markdown-renderer.js

@@ -6,12 +6,34 @@ import { Prism as SyntaxHighlighterBase } from 'react-syntax-highlighter';
 const SyntaxHighlighter = SyntaxHighlighterBase;
 import { oneLight, oneDark } from 'react-syntax-highlighter/dist/cjs/styles/prism';
 import { VscNewFile, VscInsert, VscCopy, VscNotebook, VscAdd } from './icons';
+import { PathExt } from '@jupyterlab/coreutils';
+import { MarkdownLink } from './components/markdown-link';
 import { isDarkTheme, writeTextToClipboard } from './utils';
 export function MarkdownRenderer({ children: markdown, getApp, getActiveDocumentInfo }) {
     const app = getApp();
     const activeDocumentInfo = getActiveDocumentInfo();
     const isNotebook = activeDocumentInfo.filename.endsWith('.ipynb');
-    return (React.createElement(Markdown, { remarkPlugins: [remarkGfm], components: {
+    // Resolve workspace-relative LLM links against the active document's
+    // directory so `[file](README.md)` from a chat scoped to
+    // `notebooks/proj/work.ipynb` lands at `notebooks/proj/README.md` (the
+    // user's mental model) rather than the server-root README.
+    const linkBaseDir = activeDocumentInfo.filePath
+        ? PathExt.dirname(activeDocumentInfo.filePath)
+        : '';
+    return (
+    // No `rehype-raw` plugin: raw HTML in chat markdown (e.g. an LLM
+    // emitting `<a href="javascript:...">`) renders as literal text, not
+    // a DOM anchor, so the only anchor sink is the CommonMark/GFM `a`
+    // node handled by `SafeAnchor` below. Any future change that enables
+    // raw HTML needs to add a rehype-sanitize pass alongside.
+    React.createElement(Markdown, { remarkPlugins: [remarkGfm], components: {
+            // CommonMark `<https://...>` autolinks, `[text](url)`, and
+            // reference-style links all normalize to the same `a` node.
+            // `MarkdownLink` routes fragment-only and workspace-relative
+            // hrefs through Lab's docmanager so an LLM-emitted link can't
+            // replace the JupyterLab shell, and hands everything else to
+            // SafeAnchor for the `_blank` + scheme-allowlist treatment.
+            a: ({ href, title, children }) => (React.createElement(MarkdownLink, { app: app, baseDir: linkBaseDir, href: href, title: title }, children)),
             code({ node, inline, className, children, getApp, ...props }) {
                 const match = /language-(\w+)/.exec(className || '');
                 const codeString = String(children).replace(/\n$/, '');

package/lib/utils.d.ts

@@ -26,6 +26,15 @@ export declare function getSelectionInEditor(editor: CodeEditor.IEditor): string
 export declare function getWholeNotebookContent(np: NotebookPanel): string;
 export declare function applyCodeToSelectionInEditor(editor: CodeEditor.IEditor, code: string): void;
 export { shellSingleQuote };
+/**
+ * True when `s` contains any codepoint in the same set `safeAnchorUri`
+ * rejects (C0/DEL/C1, NEL/NBSP/LS/PS/BOM, ZWSP, bidi-override controls).
+ * Mirrors the Python `has_dangerous_text_codepoints`. Used to scrub the
+ * `title` attribute on rendered anchors so an LLM-emitted hover tooltip
+ * can't visually impersonate the link via bidi-reorder or zero-width
+ * tricks.
+ */
+export declare function hasDangerousTextCodepoints(s: string | undefined | null): boolean;
 /**
  * Return `uri` if its scheme is in the chat-anchor allowlist, else null.
  * Mirrors the server-side `safe_anchor_uri` check so that anchor parts

package/lib/utils.js

@@ -277,6 +277,25 @@ function isDisallowedUriCodepoint(code) {
     }
     return false;
 }
+/**
+ * True when `s` contains any codepoint in the same set `safeAnchorUri`
+ * rejects (C0/DEL/C1, NEL/NBSP/LS/PS/BOM, ZWSP, bidi-override controls).
+ * Mirrors the Python `has_dangerous_text_codepoints`. Used to scrub the
+ * `title` attribute on rendered anchors so an LLM-emitted hover tooltip
+ * can't visually impersonate the link via bidi-reorder or zero-width
+ * tricks.
+ */
+export function hasDangerousTextCodepoints(s) {
+    if (typeof s !== 'string') {
+        return false;
+    }
+    for (let i = 0; i < s.length; i++) {
+        if (isDisallowedUriCodepoint(s.charCodeAt(i))) {
+            return true;
+        }
+    }
+    return false;
+}
 /**
  * Return `uri` if its scheme is in the chat-anchor allowlist, else null.
  * Mirrors the server-side `safe_anchor_uri` check so that anchor parts

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@plmbr/notebook-intelligence",
-    "version": "5.0.0",
+    "version": "5.0.1",
     "description": "AI coding assistant for JupyterLab",
     "keywords": [
         "AI",

package/src/chat-sidebar.tsx

@@ -72,10 +72,10 @@ import type { Contents } from '@jupyterlab/services';
 import {
   extractLLMGeneratedCode,
   isDarkTheme,
-  safeAnchorUri,
   writeTextToClipboard
 } from './utils';
 import { CheckBoxItem } from './components/checkbox';
+import { SafeAnchor } from './components/safe-anchor';
 import { mcpServerSettingsToEnabledState } from './components/mcp-util';
 import claudeSvgStr from '../style/icons/claude.svg';
 import { AskUserQuestion } from './components/ask-user-question';
@@ -836,23 +836,11 @@ function ChatResponse(props: any) {
                 </div>
               );
             case ResponseStreamDataType.Anchor: {
-              const safeUri = safeAnchorUri(item.content.uri);
-              if (!safeUri) {
-                return (
-                  <div className="chat-response-anchor" key={`key-${index}`}>
-                    <span>
-                      {item.content.title}
-                      <span className="nbi-sr-only"> (link blocked)</span>
-                    </span>
-                  </div>
-                );
-              }
               return (
                 <div className="chat-response-anchor" key={`key-${index}`}>
-                  <a href={safeUri} target="_blank" rel="noopener noreferrer">
+                  <SafeAnchor href={item.content.uri}>
                     {item.content.title}
-                    <span className="nbi-sr-only"> (opens in new tab)</span>
-                  </a>
+                  </SafeAnchor>
                 </div>
               );
             }
@@ -4956,48 +4944,28 @@ function GitHubCopilotLoginDialogBodyComponent(props: any) {
             memory.
           </div>
           <div>
-            <a
-              href="https://github.com/features/copilot"
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+            <SafeAnchor href="https://github.com/features/copilot">
               GitHub Copilot
-              <span className="nbi-sr-only"> (opens in new tab)</span>
-            </a>{' '}
+            </SafeAnchor>{' '}
             requires a subscription and it has a free tier. GitHub Copilot is
             subject to the{' '}
-            <a
-              href="https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features"
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+            <SafeAnchor href="https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features">
               GitHub Terms for Additional Products and Features
-              <span className="nbi-sr-only"> (opens in new tab)</span>
-            </a>
+            </SafeAnchor>
             .
           </div>
           <div>
             <h4>Privacy and terms</h4>
             By using Notebook Intelligence with GitHub Copilot subscription you
             agree to{' '}
-            <a
-              href="https://docs.github.com/en/copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide"
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+            <SafeAnchor href="https://docs.github.com/en/copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-chat-in-your-ide">
               GitHub Copilot chat terms
-              <span className="nbi-sr-only"> (opens in new tab)</span>
-            </a>
+            </SafeAnchor>
             . Review the terms to understand about usage, limitations and ways
             to improve GitHub Copilot. Please review{' '}
-            <a
-              href="https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement"
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+            <SafeAnchor href="https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement">
               Privacy Statement
-              <span className="nbi-sr-only"> (opens in new tab)</span>
-            </a>
+            </SafeAnchor>
             .
           </div>
           <div>
@@ -5046,13 +5014,9 @@ function GitHubCopilotLoginDialogBodyComponent(props: any) {
                 </b>
               </span>{' '}
               and enter at{' '}
-              <a
-                href={deviceActivationURL}
-                target="_blank"
-                rel="noopener noreferrer"
-              >
+              <SafeAnchor href={deviceActivationURL}>
                 {deviceActivationURL}
-              </a>{' '}
+              </SafeAnchor>{' '}
               to allow access to GitHub Copilot from this app. Activation could
               take up to a minute after you enter the code.
             </div>

package/src/components/markdown-link.tsx

@@ -0,0 +1,161 @@
+// Copyright (c) Mehmet Bektas <mbektasgh@outlook.com>
+
+import React from 'react';
+import { JupyterFrontEnd } from '@jupyterlab/application';
+import { PathExt } from '@jupyterlab/coreutils';
+import { SafeAnchor } from './safe-anchor';
+import { hasDangerousTextCodepoints } from '../utils';
+
+// Match an absolute URI by its scheme prefix so a workspace-relative path
+// (`README.md`) is distinguished from a protocol-rooted URL (`http://...`).
+// Mirrors the SCHEME_RE in utils.ts; kept local because this discriminant
+// answers a different question (presence vs. allowlist).
+const SCHEME_PREFIX_RE = /^[A-Za-z][A-Za-z0-9+.-]*:/;
+
+/**
+ * True when a freshly-joined workspace path is *not* safe to hand to
+ * `docmanager:open` or expose on a rendered anchor. Rejects:
+ *
+ * - leading `..` segments or absolute paths: the join didn't anchor and
+ *   the path escapes the Jupyter root (ContentsManager rejects too, but
+ *   we want to fail closed visually as well so the status bar/title
+ *   never previews a traversal target),
+ * - any embedded scheme: `PathExt.join('', 'java\tscript:alert(1)')`
+ *   returns the input verbatim, so a path that looks workspace-relative
+ *   pre-join can unmask into a `javascript:` href when `baseDir` is
+ *   empty (any active doc at server root),
+ * - dangerous codepoints (bidi-override, zero-width, C0/C1/DEL, etc.):
+ *   the WHATWG URL parser strips these from the scheme during
+ *   recognition, and they also visually impersonate the link target on
+ *   hover / in dev-tools logs.
+ */
+function isUnsafeWorkspacePath(path: string): boolean {
+  // Empty / cwd-only paths reach here when react-markdown's built-in
+  // `urlTransform` strips an unsafe scheme (`javascript:`, `data:`, ...)
+  // to an empty string before our override runs: the result joins to
+  // either `""` or `"."`, both of which would render as a dead
+  // `<a href="#">` that 404s on click. Surface them as blocked-link
+  // spans so the user sees why nothing happened.
+  if (path === '' || path === '.' || path === './') {
+    return true;
+  }
+  if (path.startsWith('/') || path === '..' || path.startsWith('../')) {
+    return true;
+  }
+  if (SCHEME_PREFIX_RE.test(path)) {
+    return true;
+  }
+  if (hasDangerousTextCodepoints(path)) {
+    return true;
+  }
+  return false;
+}
+
+type MarkdownLinkProps = {
+  app: JupyterFrontEnd;
+  // Directory the LLM-emitted relative link should resolve against. The
+  // active document's directory matches the user's mental model: a
+  // workspace-relative link like `[file](README.md)` in a chat scoped to
+  // `notebooks/proj/work.ipynb` lands at `notebooks/proj/README.md`, not
+  // at the server-root README. Empty string is treated as "server root".
+  baseDir: string;
+  href: unknown;
+  title?: unknown;
+  children?: React.ReactNode;
+};
+
+/**
+ * Render an anchor node coming out of `react-markdown` so chat-sidebar
+ * links can never replace the JupyterLab shell or pivot through the
+ * lab origin.
+ *
+ * Three branches:
+ *   - Fragment-only (`#section`): inert plain text. A new-tab open would
+ *     navigate to `about:blank#section`, and a same-tab open would scroll
+ *     the wrong document; neither matches what the LLM meant.
+ *   - Workspace-relative (no scheme, no leading `/`, no `//` prefix):
+ *     resolved against the active document's directory, re-validated,
+ *     and routed through JupyterLab's `docmanager:open` command so a
+ *     `.ipynb` opens with the notebook factory and a `.md` opens in the
+ *     editor. The anchor's `href` stays `"#"` because a populated `href`
+ *     bypasses React's onClick on middle/Cmd-click, letting the browser
+ *     navigate `/lab/<path>` with session cookies attached; the hover
+ *     preview moves to `title` so the user still sees the intended
+ *     target.
+ *   - Everything else: handed to `SafeAnchor`, which enforces the
+ *     `safeAnchorUri` scheme allowlist and emits a `_blank` anchor with
+ *     `rel="noopener noreferrer"`.
+ */
+export function MarkdownLink({
+  app,
+  baseDir,
+  href,
+  title,
+  children
+}: MarkdownLinkProps): React.ReactElement {
+  if (typeof href === 'string') {
+    if (href.startsWith('#')) {
+      return <span>{children}</span>;
+    }
+    if (
+      !SCHEME_PREFIX_RE.test(href) &&
+      !href.startsWith('/') &&
+      !href.startsWith('//')
+    ) {
+      // PathExt.join: plain concatenation + normalization. Resolve()
+      // would fall back to the browser process cwd when `baseDir` is
+      // relative, which gives nonsense like `/Users/.../notebooks/...`.
+      const resolvedPath = PathExt.join(baseDir, href);
+      // Re-validate post-join. Two attack/confusion shapes the pre-check
+      // alone misses: `[x](java\tscript:alert(1))` survives the scheme
+      // sniff because `\t` isn't a scheme char, then unmasks once the
+      // WHATWG parser sees the joined href; `[x](../../../etc/passwd)`
+      // looks workspace-relative but escapes the workspace root.
+      if (isUnsafeWorkspacePath(resolvedPath)) {
+        return (
+          <SafeAnchor href={null} title={undefined}>
+            {children}
+          </SafeAnchor>
+        );
+      }
+      // href="#" rather than href={resolvedPath}: a modifier-click on a
+      // populated href bypasses the React onClick, lets the browser
+      // navigate the chat sidebar to /lab/<path> in a new tab, and would
+      // ride along the user's Jupyter session cookies. The hover preview
+      // moves to `title` so the user still sees the intended target.
+      const safeTitleFromMd =
+        typeof title === 'string' && !hasDangerousTextCodepoints(title)
+          ? title
+          : undefined;
+      const hoverTitle = safeTitleFromMd ?? resolvedPath;
+      const onClick = (e: React.MouseEvent<HTMLAnchorElement>) => {
+        e.preventDefault();
+        // ContentsManager rejects paths outside the Jupyter root with a
+        // promise rejection. Catch so the failure surfaces in logs instead
+        // of an unhandled rejection, and the user can see the rendered
+        // anchor was attempted even when the target doesn't exist.
+        Promise.resolve(
+          app.commands.execute('docmanager:open', { path: resolvedPath })
+        ).catch(err => {
+          console.warn(
+            `NBI: failed to open workspace path "${resolvedPath}":`,
+            err
+          );
+        });
+      };
+      return (
+        <a href="#" title={hoverTitle} onClick={onClick}>
+          {children}
+        </a>
+      );
+    }
+  }
+  return (
+    <SafeAnchor
+      href={typeof href === 'string' ? href : null}
+      title={typeof title === 'string' ? title : undefined}
+    >
+      {children}
+    </SafeAnchor>
+  );
+}

package/src/components/safe-anchor.tsx

@@ -0,0 +1,60 @@
+// Copyright (c) Mehmet Bektas <mbektasgh@outlook.com>
+
+import React from 'react';
+import { hasDangerousTextCodepoints, safeAnchorUri } from '../utils';
+
+type SafeAnchorProps = {
+  href: string | undefined | null;
+  children: React.ReactNode;
+  title?: string;
+  className?: string;
+};
+
+/**
+ * The single render path for anchor elements driven by LLM / tool output.
+ *
+ * Runs `href` through `safeAnchorUri`, which mirrors the server-side
+ * `safe_anchor_uri` allowlist (`http` / `https` / `mailto`) and rejects
+ * dangerous codepoints. On accept it renders a `_blank` anchor with
+ * `rel="noopener noreferrer"` and an SR-only "(opens in new tab)" suffix;
+ * on reject it falls through to plain text plus an SR-only "(link
+ * blocked)" note so screen readers can tell why the link disappeared.
+ *
+ * The `title` attribute is scrubbed for the same dangerous codepoints
+ * the URI check rejects, since react-markdown forwards CommonMark
+ * `[text](url "title")` titles to the rendered anchor and an LLM can
+ * smuggle bidi-override or zero-width characters there to visually
+ * impersonate the link target on hover.
+ */
+export function SafeAnchor({
+  href,
+  children,
+  title,
+  className
+}: SafeAnchorProps): React.ReactElement {
+  const safeUri = safeAnchorUri(href ?? '');
+  if (!safeUri) {
+    return (
+      <span className={className}>
+        {children}
+        <span className="nbi-sr-only"> (link blocked)</span>
+      </span>
+    );
+  }
+  const safeTitle =
+    typeof title === 'string' && !hasDangerousTextCodepoints(title)
+      ? title
+      : undefined;
+  return (
+    <a
+      href={safeUri}
+      target="_blank"
+      rel="noopener noreferrer"
+      title={safeTitle}
+      className={className}
+    >
+      {children}
+      <span className="nbi-sr-only"> (opens in new tab)</span>
+    </a>
+  );
+}

package/src/markdown-renderer.tsx

@@ -12,6 +12,8 @@ import {
 } from 'react-syntax-highlighter/dist/cjs/styles/prism';
 import { VscNewFile, VscInsert, VscCopy, VscNotebook, VscAdd } from './icons';
 import { JupyterFrontEnd } from '@jupyterlab/application';
+import { PathExt } from '@jupyterlab/coreutils';
+import { MarkdownLink } from './components/markdown-link';
 import { isDarkTheme, writeTextToClipboard } from './utils';
 import { IActiveDocumentInfo } from './tokens';
 
@@ -29,11 +31,39 @@ export function MarkdownRenderer({
   const app = getApp();
   const activeDocumentInfo = getActiveDocumentInfo();
   const isNotebook = activeDocumentInfo.filename.endsWith('.ipynb');
+  // Resolve workspace-relative LLM links against the active document's
+  // directory so `[file](README.md)` from a chat scoped to
+  // `notebooks/proj/work.ipynb` lands at `notebooks/proj/README.md` (the
+  // user's mental model) rather than the server-root README.
+  const linkBaseDir = activeDocumentInfo.filePath
+    ? PathExt.dirname(activeDocumentInfo.filePath)
+    : '';
 
   return (
+    // No `rehype-raw` plugin: raw HTML in chat markdown (e.g. an LLM
+    // emitting `<a href="javascript:...">`) renders as literal text, not
+    // a DOM anchor, so the only anchor sink is the CommonMark/GFM `a`
+    // node handled by `SafeAnchor` below. Any future change that enables
+    // raw HTML needs to add a rehype-sanitize pass alongside.
     <Markdown
       remarkPlugins={[remarkGfm]}
       components={{
+        // CommonMark `<https://...>` autolinks, `[text](url)`, and
+        // reference-style links all normalize to the same `a` node.
+        // `MarkdownLink` routes fragment-only and workspace-relative
+        // hrefs through Lab's docmanager so an LLM-emitted link can't
+        // replace the JupyterLab shell, and hands everything else to
+        // SafeAnchor for the `_blank` + scheme-allowlist treatment.
+        a: ({ href, title, children }: any) => (
+          <MarkdownLink
+            app={app}
+            baseDir={linkBaseDir}
+            href={href}
+            title={title}
+          >
+            {children}
+          </MarkdownLink>
+        ),
         code({ node, inline, className, children, getApp, ...props }: any) {
           const match = /language-(\w+)/.exec(className || '');
           const codeString = String(children).replace(/\n$/, '');

package/src/utils.ts

@@ -339,6 +339,28 @@ function isDisallowedUriCodepoint(code: number): boolean {
   return false;
 }
 
+/**
+ * True when `s` contains any codepoint in the same set `safeAnchorUri`
+ * rejects (C0/DEL/C1, NEL/NBSP/LS/PS/BOM, ZWSP, bidi-override controls).
+ * Mirrors the Python `has_dangerous_text_codepoints`. Used to scrub the
+ * `title` attribute on rendered anchors so an LLM-emitted hover tooltip
+ * can't visually impersonate the link via bidi-reorder or zero-width
+ * tricks.
+ */
+export function hasDangerousTextCodepoints(
+  s: string | undefined | null
+): boolean {
+  if (typeof s !== 'string') {
+    return false;
+  }
+  for (let i = 0; i < s.length; i++) {
+    if (isDisallowedUriCodepoint(s.charCodeAt(i))) {
+      return true;
+    }
+  }
+  return false;
+}
+
 /**
  * Return `uri` if its scheme is in the chat-anchor allowlist, else null.
  * Mirrors the server-side `safe_anchor_uri` check so that anchor parts