Redaction and PII catalog (NR7)

Classify merge fields: identifiers (hash), secrets (strip), PII (mask), operational metadata (retain).
Storage and previews must use redacted forms by default; full bodies allowed only with Notify.Audit permission.
Log payloads must omit secrets; hashes use BLAKE3-256 over UTF-8 normalized values.
Fixtures under docs/modules/notify/fixtures/redaction/ show expected redacted shapes for templates and receipts.