fix: shell script quoting and argument injection hardening

Audit fixes for command injection risks in helper scripts:
- moonarch-cpugov: eval for quoted COMMANDS expansion (pkexec context)
- moonarch-btnote: while+read with process substitution, quoted vars
- moonarch-vpn: -- guard before connection name in nmcli calls
- post-install.sh: else-logging when USER_DEFAULTS dir missing

defaults/bin/moonarch-cpugov

@@ -60,8 +60,9 @@ fi
 # check if choice exists
 if test "${COMMANDS[$choice]+isset}"
 then
-    # Execute the choice
-    ${COMMANDS[$choice]}
+    # Execute the choice — eval required because COMMANDS values contain
+    # multi-word strings that must be interpreted as full commands.
+    eval "${COMMANDS[$choice]}"
 
     notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}"
 else