refactor: Cleanup git state - commit all staged changes

Major refactoring cleanup:
- Add new controller architecture (class-controller-*.php)
- Add new settings-v2 UI (views/settings-v2/)
- Add new CSS architecture (agentic-sidebar.css, tokens)
- Add esbuild build pipeline (scripts/build.js, package.json)
- Add composer dependencies (vendor/)
- Add frontend src directory (assets/js/src/index.jsx)
- Add documentation files
- Remove old/obsolete files (class-settings.php, old CSS)

This commits all pending changes from previous refactoring efforts.

CHANGELOG.md

@@ -6,9 +6,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Added
+- **REST API documentation**: Added `docs/architecture/REST_API_ENDPOINTS.md` with complete endpoint reference
+- **Architecture refactor**: Extracted REST controllers from `class-gutenberg-sidebar.php` into dedicated controller classes (`Controller_Chat`, `Controller_Cost`, `Controller_Models`, `Controller_Session`, `Controller_Conversation`, `Controller_Planning`, `Controller_Config`, `Controller_Writing`, `Controller_Refinement`, `Controller_Image`)
+- **Helper utilities**: Extracted ~24 pure helper methods into `WP_Agentic_Writer_Sidebar_Helpers` class (`class-sidebar-helpers.php`): JSON extraction, plan normalization, block manipulation, refinement, SEO patterns, memory helpers
+- **Rate limiting**: Added `WPAW_Rate_Limiter` class for REST endpoint protection (30/min chat, 20/min search, 10/min content fetch)
+- **Session locking**: Added multi-tab safety via session locks (acquire, refresh, release)
+
+### Changed
+- **Post meta optimization**: Bulk fetch post meta in sidebar initialization for reduced database queries
+
 ### Fixed
 - **Sidebar logger recursion**: Fixed wpawLog.error/log/warn calling themselves recursively (now call console.* directly)
 - **Sidebar syntax**: Restored valid JavaScript syntax after debug logger conversion damaged string literals
+- **Session ID security**: Session ID generation now uses `wp_generate_uuid4()` for cryptographically secure uniqueness (requires DB migration for existing sessions)
+- **Font loading**: Fixed broken font loading in `agentic-sidebar.css` by correcting `.wpaw-sidebar-container` selector and `@import` paths
+- **Dead stylesheet**: Removed `settings-v2.css` from enqueue queue (was loaded but not used)
 - **Cost tracker backward compatibility**: Added `record_usage()` method to match WP AI Client wrapper contract
 - **Cost attribution**: Added `record_usage_full()` method for accurate model/provider attribution in cost records
 - **Cost table self-heal**: Added `SHOW TABLES LIKE` guard before `DESCRIBE` to handle missing table scenario
@@ -29,9 +42,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Changed
 - **record_usage() deprecated**: Marked `record_usage()` as deprecated in docblock; use `record_usage_full()` for accurate provider attribution
+- **Session ID security**: Changed session ID generation from `wp_hash()` to `wp_generate_uuid4()` for better uniqueness (requires DB migration)
 
 ### Removed
 - **Legacy chat history**: Post meta `_wpaw_chat_history` is deleted after successful migration (replaced by `_wpaw_chat_history_migrated` marker)
+- **Deprecated files**: Moved `CREATE_TABLE.sql`, empty `languages/`, and other unused files to `legacy/` directory
+- **Unused directories**: Removed `tests/`, `admin/`, `deprecated/`, `stitch/` directories (already moved to `legacy/`)
 
 ## [0.1.3] - 2025-05-24