Security audit and bug fixes (v0.12.0)

- Complete security audit for WordPress best practices, OWASP Top 10
- Fix Calculator static method calls in API controllers
- Fix EmailNotifier method names in BookingsController
- Fix guest_id type casting in EmailNotifier

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.12.0] - 2026-02-04
+
+### Security
+
+- Completed comprehensive security audit (Phase 12)
+- Verified WordPress best practices compliance across entire codebase
+- Confirmed protection against SQL Injection: all database queries use `$wpdb->prepare()` or WP_Query
+- Confirmed protection against XSS: all output properly escaped with `esc_html()`, `esc_attr()`, `esc_url()`
+- Confirmed protection against CSRF: nonce verification on all forms and admin AJAX handlers
+- Verified REST API endpoint security: proper permission callbacks, rate limiting, input sanitization
+- Sensitive data (ID/passport numbers) properly encrypted and not exposed via API
+
+### Fixed
+
+- Fixed Calculator being called statically in API controllers (`BookingsController`, `RoomsController`, `PricingController`)
+- Fixed EmailNotifier method names in BookingsController (`send_admin_new_booking`, `send_cancellation`, `send_guest_confirmation`)
+- Fixed guest_id type casting in EmailNotifier (string to int from post meta)
+
+### Notes
+
+- Public AJAX endpoints (search, availability, calendar, price calculation) intentionally do not require nonce verification as they are read-only public APIs with proper input sanitization
+- All admin AJAX endpoints properly protected with nonce verification and capability checks
+
 ## [0.11.3] - 2026-02-03
 
 ### Changed