Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@server/utils/readme.ts`:
- Around line 352-358: The root-relative URL check at the beginning of the
conditional block (url.startsWith('/')) is incorrectly matching
protocol-relative URLs that start with //, causing them to be rewritten as
repository URLs instead of remaining external. Add an additional condition to
explicitly exclude protocol-relative URLs (those starting with //) before
processing the root-relative URL case in the repoInfo block. Additionally, add a
regression test case that verifies a markdown link with a protocol-relative URL
like [CDN](//cdn.example.com/file.css) correctly preserves the protocol-relative
href when repoInfo is present.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/chromatic.yml:
- Around line 37-40: The Chromatic workflow is using an unsupported action input
for the Storybook build output, so update the chromaui/action configuration to
match Chromatic’s documented inputs. In the workflow job that uses
chromaui/action, replace the current outputDir usage with storybookBuildDir, and
make sure vp run build-storybook passes the output directory via buildCommand
using --output-dir so Chromatic can locate the generated Storybook files.

In @.github/workflows/release-tag.yml:
- Around line 103-106: The release workflow is checking out the moving release
branch instead of the immutable tag created by the tag job, so update the
checkout in the publish step to use the version output from the tag job. In the
release-tag workflow, fix the actions/checkout configuration so the publish job
uses needs.tag.outputs.version (the minted tag) rather than ref: release,
keeping the published connector aligned with the GitHub release and npm
provenance.

In `@app/components/global/BlueskyPostEmbed.client.vue`:
- Around line 120-125: Validate the external URL before assigning it to the
Bluesky embed anchor’s href: in BlueskyPostEmbed.client.vue, both postUrl (from
props.url) and post.embed.external.uri can be untrusted, so add an allow-list
check for only http: and https: before rendering the link. Update the anchor
binding and the related external link rendering around the postUrl usage and the
post.embed.external.uri usage so unsafe schemes fall back to a safe value
instead of being bound directly.
- Around line 124-125: The Bluesky embed anchor is still covering the entire
card because the pseudo-element on the link keeps the hit area stretched across
the embed. Update BlueskyPostEmbed.client.vue so the border/hover styling is
applied to the outer card container instead of the anchor, and scope the actual
link to just the icon/title area in the embed markup. Make sure the relevant
link element and container styling in the BlueskyPostEmbed component no longer
overlap the VideoPlayer or other in-card controls.

In `@i18n/locales/it-IT.json`:
- Around line 87-194: The Italian locale’s command_palette block is missing the
keyboard_shortcuts legend entries, so add the new navigate, select, and close
keys alongside the existing command_palette strings in it-IT.json. Use the
command_palette.keyboard_shortcuts structure from the other locale updates as
the reference so the CommandPalette UI can resolve these labels without falling
back to English or missing keys.
- Around line 35-36: The Italian command palette help text in the
command_palette_description entry is missing the macOS-specific shortcut hint,
so update this locale copy to match the other locales by distinguishing Mac from
Windows/Linux instead of always showing {ctrlKey}+K. Keep the wording aligned
with the existing command_palette and command_palette_description keys, and
ensure the text renders the macOS shortcut as ⌘K while preserving Ctrl+K for
other platforms.

In `@i18n/locales/ja-JP.json`:
- Around line 732-744: The locale strings for trend strength are using direction
terms instead of intensity, so update the translations for trend_strong and
trend_weak in the ja-JP JSON to reflect strength buckets rather than
upward/downward direction. Keep the wording aligned with the existing semantics
used by the trend-related labels in this file, and leave the surrounding keys
such as trend_undefined and analysis unchanged.

In `@modules/security-headers.ts`:
- Around line 53-54: The CSP in security-headers needs to allow the Bluesky
video hosts in media-src, not just video-src, because VideoPlayer.vue can fall
back to native <video> loading when Hls.isSupported() is false. Update the
media-src directive alongside the existing video-src entries to include
video.bsky.app and video.cdn.bsky.app so Safari/native HLS requests are not
blocked.