Security audit fixes: regex hardening, performance, and code quality (v1.1.2)

- WidgetRenderer: single regex for h2→h4 prevents mismatched tags
- ContextBuilder: O(n) comment tree with parent-indexed lookup map
- ContextBuilder: consolidated sidebar queries into single check
- ContextBuilder: transient caching for sidebar recent posts and tags
- functions.php: hex-to-RGB consolidation, type hints, ctype_xdigit validation
- Transient invalidation hooks for save_post and tag CRUD operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

inc/Block/WidgetRenderer.php

@@ -98,15 +98,12 @@ class WidgetRenderer
             return $content;
         }
 
-        // Replace <h2 with <h4 and </h2> with </h4> for widget headings.
+        // Replace <h2 ... wp-block-heading ...>...</h2> with <h4> pairs.
+        // Single regex ensures only headings with wp-block-heading class are
+        // downgraded, preventing mismatched tags if a widget contains other h2s.
         $content = preg_replace(
-            '/<h2(\s+class="[^"]*wp-block-heading[^"]*")/',
-            '<h4$1',
-            $content
-        );
-        $content = preg_replace(
-            '/<\/h2>/',
-            '</h4>',
+            '/<h2(\s+class="[^"]*wp-block-heading[^"]*"[^>]*)>(.*?)<\/h2>/s',
+            '<h4$1>$2</h4>',
             $content
         );