#389 HIGH: NOTIFY SQL injection via unsanitized channel/payload
Description
durable_context.py:1683-1698 - NOTIFY is built with an f-string: cur.execute(f"NOTIFY \"{channel}\", '{payload}'"). The channel is not sanitized, and the payload quote escaping can be bypassed. Fix: use pg_notify() with bound parameters instead of interpolating either value into the statement text: cur.execute("SELECT pg_notify(%s, %s)", (channel, payload))
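The fix from the description as a drop-in helper, shown beside the flagged f-string pattern. This is added example code, not the project's; RecordingCursor is a constructed stand-in for a psycopg cursor so the helper can be exercised without a PostgreSQL server, and the 63-byte channel and 8000-byte payload limits come from PostgreSQL's identifier and NOTIFY rules, not from the issue.

```python
"""Hardened NOTIFY helper: channel and payload travel as bound parameters."""
from dataclasses import dataclass, field

# PostgreSQL limits (assumed here, not stated in the issue): identifiers are
# truncated to 63 bytes, and a NOTIFY payload must be shorter than 8000 bytes.
MAX_CHANNEL_BYTES = 63
MAX_PAYLOAD_BYTES = 7999


@dataclass
class RecordingCursor:
    """Constructed stand-in for a DB-API cursor: records execute() arguments."""
    calls: list = field(default_factory=list)

    def execute(self, query, params=None):
        self.calls.append((query, params))


def unsafe_notify_sql(channel: str, payload: str) -> str:
    """The pattern flagged in the issue: both values become part of the SQL text,
    so the statement's shape depends on what the caller passes in."""
    return f"NOTIFY \"{channel}\", '{payload}'"


def safe_notify(cur, channel: str, payload: str) -> tuple:
    """Send a notification via pg_notify() with channel and payload bound as
    parameters. The statement text is a constant; the driver ships both values
    as data, so quotes or other characters in them cannot alter the statement.
    Returns the (query, params) pair handed to the cursor for inspection."""
    if not channel or len(channel.encode("utf-8")) > MAX_CHANNEL_BYTES:
        raise ValueError("channel must be 1..63 bytes")
    if len(payload.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload must be shorter than 8000 bytes")
    query = "SELECT pg_notify(%s, %s)"
    params = (channel, payload)
    cur.execute(query, params)
    return query, params


if __name__ == "__main__":
    cur = RecordingCursor()
    print(unsafe_notify_sql("jobs", "it's done"))      # text varies with input
    print(safe_notify(cur, "jobs", "it's done"))       # text is constant
```

pg_notify() takes the channel as text, so no identifier quoting is needed and a parameterized call covers both arguments.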