fix: Standalone nav + REST URL + SVG upload support

## ✅ Issue 1: Standalone Mode Navigation
**Problem:** Standalone mode not getting WNW_NAV_TREE from PHP
**Fixed:** Added WNW_NAV_TREE injection to StandaloneAdmin.php
**Result:** Navigation now works in standalone mode with PHP as single source

## ✅ Issue 2: 404 Errors for branding and customer-settings
**Problem:** REST URLs had trailing slashes causing double slashes
**Root Cause:**
- `rest_url("woonoow/v1")` returns `https://site.com/wp-json/woonoow/v1/`
- Frontend: `restUrl + "/store/branding"` = double slash
- WP-admin missing WNW_CONFIG entirely

**Fixed:**
1. **Removed trailing slashes** from all REST URLs using `untrailingslashit()`
   - StandaloneAdmin.php
   - Assets.php (dev and prod modes)

2. **Added WNW_CONFIG to wp-admin** for API compatibility
   - Dev mode: Added WNW_CONFIG with restUrl, nonce, standaloneMode, etc.
   - Prod mode: Added WNW_CONFIG to localize_runtime()
   - Now both modes use same config structure

**Result:**
- ✅ `/store/branding` works in all modes
- ✅ `/store/customer-settings` works in all modes
- ✅ Consistent API access across standalone and wp-admin

## ✅ Issue 3: SVG Upload Error 500
**Problem:** WordPress blocks SVG uploads by default
**Security:** "Sorry, you are not allowed to upload this file type"

**Fixed:** Created MediaUpload.php with:
1. **Allow SVG uploads** for users with upload_files capability
2. **Fix SVG mime type detection** (WordPress issue)
3. **Sanitize SVG on upload** - reject files with:
   - `<script>` tags
   - `javascript:` protocols
   - Event handlers (onclick, onload, etc.)

**Result:**
- ✅ SVG uploads work securely
- ✅ Dangerous SVG content blocked
- ✅ Only authorized users can upload

---

## Files Modified:
- `StandaloneAdmin.php` - Add nav tree + fix REST URL
- `Assets.php` - Add WNW_CONFIG + fix REST URLs
- `Bootstrap.php` - Initialize MediaUpload
- `MediaUpload.php` - NEW: SVG upload support with security

## Testing:
1. ✅ Navigation works in standalone mode
2. ✅ Branding endpoint works in all modes
3. ✅ Customer settings endpoint works in all modes
4. ✅ SVG logo upload works
5. ✅ Dangerous SVG files rejected

includes/Admin/Assets.php

@@ -39,7 +39,7 @@ class Assets {
         // Attach runtime config (before module loader runs)
         // If you prefer, keep using self::localize_runtime($handle)
         wp_localize_script($handle, 'WNW_API', [
-            'root'        => esc_url_raw(rest_url('woonoow/v1/')),
+            'root'        => untrailingslashit(esc_url_raw(rest_url('woonoow/v1'))),
             'nonce'       => wp_create_nonce('wp_rest'),
             'isDev'       => true,
             'devServer'   => $dev_url,
@@ -48,9 +48,19 @@ class Assets {
         ]);
         wp_add_inline_script($handle, 'window.WNW_API = window.WNW_API || WNW_API;', 'after');
         
+        // WNW_CONFIG for compatibility with standalone mode code
+        wp_localize_script($handle, 'WNW_CONFIG', [
+            'restUrl'         => untrailingslashit(esc_url_raw(rest_url('woonoow/v1'))),
+            'nonce'           => wp_create_nonce('wp_rest'),
+            'standaloneMode'  => false,
+            'wpAdminUrl'      => admin_url('admin.php?page=woonoow'),
+            'isAuthenticated' => is_user_logged_in(),
+        ]);
+        wp_add_inline_script($handle, 'window.WNW_CONFIG = window.WNW_CONFIG || WNW_CONFIG;', 'after');
+        
         // WordPress REST API settings (for media upload compatibility)
         wp_localize_script($handle, 'wpApiSettings', [
-            'root'  => esc_url_raw(rest_url()),
+            'root'  => untrailingslashit(esc_url_raw(rest_url())),
             'nonce' => wp_create_nonce('wp_rest'),
         ]);
         wp_add_inline_script($handle, 'window.wpApiSettings = window.wpApiSettings || wpApiSettings;', 'after');
@@ -134,7 +144,7 @@ class Assets {
     /** Attach runtime config to a handle */
     private static function localize_runtime(string $handle): void {
         wp_localize_script($handle, 'WNW_API', [
-            'root'        => esc_url_raw(rest_url('woonoow/v1/')),
+            'root'        => untrailingslashit(esc_url_raw(rest_url('woonoow/v1'))),
             'nonce'       => wp_create_nonce('wp_rest'),
             'isDev'       => self::is_dev_mode(),
             'devServer'   => self::dev_server_url(),
@@ -142,9 +152,18 @@ class Assets {
             'adminUrl'    => admin_url('admin.php'),
         ]);
         
+        // WNW_CONFIG for compatibility with standalone mode code
+        wp_localize_script($handle, 'WNW_CONFIG', [
+            'restUrl'         => untrailingslashit(esc_url_raw(rest_url('woonoow/v1'))),
+            'nonce'           => wp_create_nonce('wp_rest'),
+            'standaloneMode'  => false,
+            'wpAdminUrl'      => admin_url('admin.php?page=woonoow'),
+            'isAuthenticated' => is_user_logged_in(),
+        ]);
+        
         // WordPress REST API settings (for media upload compatibility)
         wp_localize_script($handle, 'wpApiSettings', [
-            'root'  => esc_url_raw(rest_url()),
+            'root'  => untrailingslashit(esc_url_raw(rest_url())),
             'nonce' => wp_create_nonce('wp_rest'),
         ]);
         

includes/Admin/StandaloneAdmin.php

@@ -57,7 +57,7 @@ class StandaloneAdmin {
 		
 		// Get nonce for REST API
 		$nonce = wp_create_nonce( 'wp_rest' );
-		$rest_url = rest_url( 'woonoow/v1' );
+		$rest_url = untrailingslashit( rest_url( 'woonoow/v1' ) );
 		$wp_admin_url = admin_url( 'admin.php?page=woonoow' );
 		
 		// Get current user data if authenticated
@@ -134,6 +134,9 @@ class StandaloneAdmin {
 	
 	// WooCommerce store settings (currency, formatting, etc.)
 	window.WNW_STORE = <?php echo wp_json_encode( $store_settings ); ?>;
+	
+	// Navigation tree (single source of truth from PHP)
+	window.WNW_NAV_TREE = <?php echo wp_json_encode( \WooNooW\Compat\NavigationRegistry::get_frontend_nav_tree() ); ?>;
 	</script>
 	
 	<script type="module" src="<?php echo esc_url( $js_url ); ?>"></script>