fix: shell script quoting and argument injection hardening

Audit fixes for command injection risks in helper scripts:
- moonarch-cpugov: eval for quoted COMMANDS expansion (pkexec context)
- moonarch-btnote: while+read with process substitution, quoted vars
- moonarch-vpn: -- guard before connection name in nmcli calls
- post-install.sh: else-logging when USER_DEFAULTS dir missing
2026-03-31 11:06:14 +02:00
parent 491a3cd3e2
commit 1e19f08776
5 changed files with 19 additions and 8 deletions
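The following is an added example, not moonarch's own code, illustrating the btnote and cpugov items of this commit side by side: a for-loop over an unquoted variable and a pipe-fed `while read` (the two patterns the message moves away from) against `while IFS= read -r` over process substitution, plus a fixed command table whose key is validated before `eval`. `DEVICE_DATA` is constructed upower-style output, `THRESHOLD`, `COMMANDS` and its two keys are placeholders, and the governor commands are `printf` stand-ins so the block runs without pkexec or hardware.

```bash
#!/usr/bin/env bash
# Added example; not code from moonarch. Everything below is a stand-in.
set -u

# Constructed upower-style output for two Bluetooth devices. The first model
# name carries spaces and a glob character, which is exactly what breaks a
# for-loop over $DEVICE_DATA; the second device is the one that is low.
DEVICE_DATA=$'Device: /org/bluez/hci0/dev_AA\n  model:                Studio *Pro* Headset\n  percentage:          81%\nDevice: /org/bluez/hci0/dev_BB\n  model:                Travel Mouse\n  percentage:          9%'
THRESHOLD=20   # placeholder low-battery threshold in percent

# Broken pattern 1: for-loop over an unquoted expansion. Word splitting turns
# the six lines into fifteen tokens ("Studio", "*Pro*", "Headset", ...), and
# without set -f the "*Pro*" token would also be globbed against the cwd.
count_tokens_broken() {
  local n=0 tok
  set -f
  for tok in $DEVICE_DATA; do n=$((n + 1)); done
  set +f
  echo "$n"
}

# Broken pattern 2: the loop is fed by a pipe, so its body runs in a subshell
# and the counters it updates are discarded. Always reports "0".
low_devices_pipe() {
  local count=0 names='' model='' line pct
  printf '%s\n' "$DEVICE_DATA" | while IFS= read -r line; do
    case $line in
      *model:*)      model=${line#*model:}; model=${model#"${model%%[![:space:]]*}"} ;;
      *percentage:*) pct=${line#*percentage:}; pct=${pct//[[:space:]%]/}
                     case $pct in ''|*[!0-9]*) continue ;; esac   # digits only before arithmetic
                     if [ "$pct" -lt "$THRESHOLD" ]; then
                       count=$((count + 1)); names+="${names:+;}$model"
                     fi ;;
    esac
  done
  echo "$count${names:+ $names}"
}

# Fixed pattern: while+read over process substitution keeps the loop in the
# current shell, and IFS= read -r hands each line over whole, spaces and all.
low_devices_procsub() {
  local count=0 names='' model='' line pct
  while IFS= read -r line; do
    case $line in
      *model:*)      model=${line#*model:}; model=${model#"${model%%[![:space:]]*}"} ;;
      *percentage:*) pct=${line#*percentage:}; pct=${pct//[[:space:]%]/}
                     case $pct in ''|*[!0-9]*) continue ;; esac
                     if [ "$pct" -lt "$THRESHOLD" ]; then
                       count=$((count + 1)); names+="${names:+;}$model"
                     fi ;;
    esac
  done < <(printf '%s\n' "$DEVICE_DATA")
  echo "$count${names:+ $names}"
}

# Fixed command table for a menu-driven helper. Values are string literals
# written here, never user input. declare -A matters: an indexed array would
# evaluate the subscript arithmetically, so a choice such as 'x[$(id)]' would
# run id before any eval. The key is also checked against the table first.
declare -A COMMANDS=(
  [performance]="printf 'governor=performance\n'"   # stand-in for the real command
  [powersave]="printf 'governor=powersave\n'"       # stand-in for the real command
)

run_choice() {
  local choice=$1
  [[ -n ${COMMANDS[$choice]+set} ]] || { printf 'unknown choice: %s\n' "$choice" >&2; return 2; }
  eval "${COMMANDS[$choice]}"
}

printf 'for-loop tokens: %s\n' "$(count_tokens_broken)"
printf 'pipe loop:       %s\n' "$(low_devices_pipe)"
printf 'procsub loop:    %s\n' "$(low_devices_procsub)"
run_choice performance
run_choice 'x[$(id)]' || printf 'rejected (rc=%s)\n' "$?"
```

The percentage is validated as digits before `[ "$pct" -lt ... ]` for the same reason the command table is associative: arithmetic contexts in bash expand what they are given, so numbers read from a device name or battery report get the same treatment as any other untrusted string.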
@@ -1,5 +1,12 @@
# Decisions
## 2026-03-31 Audit: shell script quoting fixes, PKGBUILD permissions
- **Who**: Ragnar, Dom
- **Why**: Security audit found command injection risk in moonarch-cpugov (unquoted array expansion with pkexec), word-splitting in moonarch-btnote (upower output from Bluetooth devices), and nmcli argument injection in moonarch-vpn. PKGBUILD for moongreet had world-readable cache dir.
- **Tradeoffs**: `eval` in cpugov is safe because COMMANDS values are hardcoded string literals, not user input. Alternative (function dispatch) would be cleaner but over-engineered for 3 fixed entries. moonarch-btnote switched from for-loop to while+read with process substitution to avoid subshell.
- **How**: (1) `eval "${COMMANDS[$choice]}"` in cpugov. (2) `while IFS= read -r` + process substitution + quoted `$DEVICE_DATA` in btnote. (3) `--` guard before `$connection` in vpn nmcli calls. (4) `install -dm700` for moongreet cache dirs in PKGBUILD. (5) `else err` logging in post-install.sh when USER_DEFAULTS missing.
## 2026-03-29 /opt/moonarch stays root-owned, no chown to user
- **Who**: Dominik, Ragnar
- **Why**: Multi-user system — chown to UID 1000 locks out other users from moonarch-update
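Review bot: the Tradeoffs line of the 2026-03-31 entry justifies `eval "${COMMANDS[$choice]}"` from the array's values but says nothing about the subscript, and `$choice` is the one input path left; the record should state that COMMANDS is an associative array (an indexed array evaluates its subscript arithmetically, so a crafted choice runs before eval does) and that the choice is checked against the table's keys first, e.g. `[[ -n ${COMMANDS[$choice]+set} ]] || exit 1`. Two smaller points on the same entry: the `--` guard in the nmcli calls is recorded without saying whether nmcli treats `--` as end-of-options (the documented way to pin the next argument to a connection name is `nmcli connection up id "$connection"`), and `install -dm700` in a PKGBUILD creates a root-owned directory, so note which user moongreet runs as and where ownership is fixed if it is not root.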