Revision 54a9a0a3d54299e4abb27e32c1b4f9421e558638
Committed on 14/12/2025 8:51 am by Zohaib Sibte Hassan <zohaib@sibte.pk>
Fix SQL injection vulnerability by removing string interpolation
SECURITY: Remove buildQueryWithParams() which did dangerous string
interpolation of user-provided values before CDC hooks fired.
Changes:
- Add ExecutionRequest type to coordinator for local execution params
- Update ConnectionHandler.HandleQuery to accept params []interface{}
- Thread params through CoordinatorHandler and ReadOnlyHandler
- Update db.ExecContext to use variadic args for prepared statements
- Delete vulnerable functions: buildQueryWithParams, formatParam, escapeString
Architecture:
- Wire protocol params now passed directly to SQLite prepared statements
- DML uses row data (OldValues/NewValues) for CDC, not SQL - already safe
- DDL uses raw SQL (no user params) - already safe
- All replica replay paths verified to use parameterized queries
Tests:
- Add parameterized_query_test.go with SQL injection prevention tests
- Add CDC contract tests verifying Statement has no Params field
- Update existing tests to use new HandleQuery signature
Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
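The commit message describes replacing string interpolation of user-provided values with prepared statements that receive the values as bound parameters. The following added example, written for this page and not taken from the project (which is Go; this uses Python's standard `sqlite3` module against an in-memory database), shows the two patterns side by side on the same SQLite engine. `find_user_interpolated` is a hypothetical, simplified stand-in for the kind of query builder the commit deletes, not its actual implementation; `find_user_parameterized` is the analogue of passing variadic args through to `db.ExecContext`. The table, rows and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the demonstration; not the project's data.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def open_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_user_interpolated(conn, name):
    """Hypothetical stand-in for the removed pattern: the caller's value is
    spliced into the SQL text, so the engine cannot distinguish data from code."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """The replacement pattern: the SQL text is constant and the value is bound
    as a parameter, the same shape as passing args... to a prepared statement."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both variants on one input and return (interpolated, parameterized).

    A syntax error raised by the interpolated path is reported as the string
    'error' so the two behaviours can be compared directly in a test.
    """
    conn = open_db()
    try:
        try:
            interpolated = find_user_interpolated(conn, name)
        except sqlite3.OperationalError:
            interpolated = "error"
        parameterized = find_user_parameterized(conn, name)
    finally:
        conn.close()
    return interpolated, parameterized


if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and a value with
    # SQL metacharacters of the kind an injection-prevention test feeds in.
    for value in ("bob", "O'Brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The parameterized path returns exactly the row whose name equals the input, including the legitimate `O'Brien` that the interpolated path cannot even parse, and returns nothing for the metacharacter input that the interpolated path turns into a match-everything predicate. A prevention test of the sort the commit adds asserts on precisely that last pair: the bound value is treated as data, never as SQL.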