Implement Phase 10: REST API Endpoints (v0.10.0)

- Add complete REST API infrastructure under src/Api/
- ResponseFormatter for standardized responses
- RateLimiter with tiered limits (public 60/min, availability 30/min, booking 10/min, admin 120/min)
- AbstractController base class with common functionality
- BuildingsController: list, get, rooms endpoints
- RoomsController: list, get, availability, calendar, search endpoints
- BookingsController: CRUD + confirm/check-in/check-out status transitions
- GuestsController: list, get, search, booking history (admin only)
- ServicesController: list, get, calculate endpoints
- PricingController: calculate, seasons endpoints
- API settings tab with enable/disable toggles
- Comprehensive API documentation in README

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

PLAN.md

@@ -194,17 +194,21 @@ This document outlines the implementation plan for the WP BnB Management plugin.
   - 24 panels with gauges, pie charts, and stat displays
 - [x] Update settings page to enable/disable metrics
 
-### Phase 10: API Endpoints (v0.10.0)
+### Phase 10: API Endpoints (v0.10.0) - Complete
 
-- [ ] REST API for rooms
-- [ ] REST API for availability
-- [ ] REST API for bookings
-- [ ] Authentication and rate limiting
+- [x] REST API for rooms (list, details, availability, calendar)
+- [x] REST API for availability (search available rooms)
+- [x] REST API for bookings (CRUD, status transitions)
+- [x] REST API for buildings, guests, services, pricing
+- [x] Authentication (Application Passwords, edit_posts capability)
+- [x] Transient-based rate limiting with tiered limits
+- [x] API settings tab with enable/disable toggles
 
 ## Phase 11: Security Audit (v0.11.0)
 
 - [ ] Check for Wordpress best-practices
 - [ ] Review the code for OWASP Top 10, including XSS, XSRF, SQLi and other critical threads
+- [ ] Test the API-Endpoints against a local live system under <http://localhost:9080/> for common vulnerabilities
 
 ## Future Considerations (v1.0.0+)