Validate sortable and searchable columns against SQL injection #23

@todo-mdx

Description

CRITICAL: While POST/PUT/PATCH columns are validated via isValidColumnName(), the sortable and searchable config arrays in src/conventions/crud.ts are directly interpolated into SQL without validation.

Location: src/conventions/crud.ts lines 18-31 (sortable) and 24-28 (searchable)

TDD Steps:

  • RED: Write test with malicious sortable/searchable config values
  • GREEN: Apply isValidColumnName() validation to sortable/searchable entries at API init or request time
  • REFACTOR: Consider validating all config column arrays in a single initialization pass
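
The following is an added example in TypeScript and not code from the project's src/conventions/crud.ts. It assumes a config shape with `table`, `sortable` and `searchable` fields, and uses a stand-in `isValidColumnName()` (a bare-identifier regex), since the project's own implementation is not shown in the issue. It places the vulnerable shape the issue describes (membership in the config array is the only check before interpolation) beside the fix the TDD steps call for: one validation pass over all column arrays at init, with a marker type so the query builder cannot be called with an unvalidated config.

```typescript
// Added example, not the project's crud.ts. Assumed: the CrudConfig shape and a
// stand-in isValidColumnName(); the project's real helper is not shown on the page.

interface CrudConfig {
  table: string;
  sortable: string[];   // columns a request may sort by
  searchable: string[]; // columns a search term is matched against
}

// Marker type: only a config that passed validateCrudConfig() may reach the SQL builder.
type ValidatedCrudConfig = CrudConfig & { readonly validated: true };

// Stand-in for the project's isValidColumnName(): a bare SQL identifier only, so
// quotes, spaces, semicolons and comment markers are all rejected.
function isValidColumnName(name: string): boolean {
  return /^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(name);
}

// BEFORE: the vulnerable pattern the issue describes. Membership in the config
// array is the only check, so whatever string sits in sortable/searchable is
// interpolated verbatim into the statement.
function buildListQueryUnsafe(cfg: CrudConfig, term: string, sortBy: string): { sql: string; params: string[] } {
  if (!cfg.sortable.includes(sortBy)) throw new Error(`not sortable: ${sortBy}`);
  const where = cfg.searchable.map((c) => `${c} LIKE ?`).join(" OR ");
  return {
    sql: `SELECT * FROM ${cfg.table} WHERE ${where} ORDER BY ${sortBy}`,
    params: cfg.searchable.map(() => `%${term}%`),
  };
}

// AFTER, GREEN/REFACTOR: validate every column array in a single pass at API init.
// Throwing here fails startup on a bad config instead of shipping an injectable query.
function validateCrudConfig(cfg: CrudConfig): ValidatedCrudConfig {
  if (!isValidColumnName(cfg.table)) {
    throw new Error(`invalid table name: ${JSON.stringify(cfg.table)}`);
  }
  const groups: Array<[string, string[]]> = [["sortable", cfg.sortable], ["searchable", cfg.searchable]];
  for (const [key, cols] of groups) {
    for (const col of cols) {
      if (!isValidColumnName(col)) {
        throw new Error(`invalid ${key} column name: ${JSON.stringify(col)}`);
      }
    }
  }
  return { ...cfg, validated: true };
}

// AFTER: the builder only accepts a validated config, so the membership check is now
// sufficient: every interpolated identifier has already passed isValidColumnName().
// Sort direction comes from an allowlist, never from request text.
function buildListQuery(
  cfg: ValidatedCrudConfig,
  term: string,
  sortBy: string,
  dir: "asc" | "desc" = "asc",
): { sql: string; params: string[] } {
  if (!cfg.sortable.includes(sortBy)) throw new Error(`not sortable: ${sortBy}`);
  const where = cfg.searchable.map((c) => `${c} LIKE ?`).join(" OR ");
  const order = dir === "desc" ? "DESC" : "ASC";
  return {
    sql: `SELECT * FROM ${cfg.table} WHERE ${where} ORDER BY ${sortBy} ${order}`,
    params: cfg.searchable.map(() => `%${term}%`),
  };
}

// Constructed inputs for the RED test: one poisoned config entry, one clean config.
const POISONED_CONFIG: CrudConfig = {
  table: "users",
  sortable: ["id", "id; DROP TABLE users --"],
  searchable: ["name"],
};

const CLEAN_CONFIG: CrudConfig = {
  table: "users",
  sortable: ["id", "created_at"],
  searchable: ["name", "email"],
};
```

The RED test asks `buildListQueryUnsafe` for `POISONED_CONFIG` sorted by the poisoned entry and checks that `DROP TABLE users` lands in the emitted SQL; the GREEN test checks that `validateCrudConfig` throws on the same config and that `buildListQuery` on `CLEAN_CONFIG` produces the expected statement. Because `buildListQuery` takes `ValidatedCrudConfig`, a call site that skips the init-time pass fails type-checking rather than silently running the old path.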

Metadata

Assignees: none
Labels: P0, bug (Something isn't working)
Type: none
Projects: none
Milestone: none
Relationships: none
Development: no branches or pull requests
