audit pass 10-11: type=button, XSS escaping, focus/ARIA fixes

HTML:
- Add type="button" to all buttons outside forms (22 instances)
- Add aria-label="Add comment" to unlabelled textarea#td-comment

JS:
- Escape alt text and link text in markdown renderer with escHtml()
  to prevent XSS in image alt/link content
- Fix nested modal focus: only restore trigger focus when no other
  modal is still open; add document.contains guard

CSS:
- Add .lt-nav-link:focus-visible focus ring (was missing entirely)
- Fix .lt-typeahead-option (dead selector) → .lt-typeahead-item with
  :hover, .is-focused, and :focus-visible for light theme

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

base.css

@@ -487,6 +487,7 @@ hr {
   background: var(--accent-cyan-dim);
 }
 .lt-nav-link:hover::after { left: 0; right: 0; box-shadow: var(--glow-cyan); }
+.lt-nav-link:focus-visible { outline: 2px solid var(--accent-cyan); outline-offset: -2px; color: var(--accent-cyan); }
 
 .lt-nav-link.active {
   color: var(--accent-orange);
@@ -3884,7 +3885,9 @@ html[data-theme="light"] .lt-empty-state-title { color: var(--text-secondary); }
 html[data-theme="light"] .lt-combobox-dropdown,
 html[data-theme="light"] .lt-typeahead-dropdown { background: var(--bg-card); border-color: var(--border-color); box-shadow: 0 4px 16px rgba(0,0,0,0.1); }
 html[data-theme="light"] .lt-combobox-option:hover,
-html[data-theme="light"] .lt-typeahead-option:hover { background: var(--accent-cyan-dim); }
+html[data-theme="light"] .lt-typeahead-item:hover,
+html[data-theme="light"] .lt-typeahead-item.is-focused,
+html[data-theme="light"] .lt-typeahead-item:focus-visible { background: var(--accent-cyan-dim); color: var(--accent-cyan); }
 html[data-theme="light"] .lt-combobox-tag     { background: var(--accent-cyan-dim); color: var(--accent-cyan); border-color: var(--accent-cyan-border); }
 
 /* — Sortable ghost — */