fix(framework/tools): eval injection, broken JSON, tmpfile leak (#549)

packages/mosaic/framework/tools/git/milestone-create.sh

@@ -99,10 +99,15 @@ fi
 case "$PLATFORM" in
     github)
         # GitHub uses the API for milestone creation
-        JSON_PAYLOAD="{\"title\":\"$TITLE\""
-        [[ -n "$DESCRIPTION" ]] && JSON_PAYLOAD="$JSON_PAYLOAD,\"description\":\"$DESCRIPTION\""
-        [[ -n "$DUE_DATE" ]] && JSON_PAYLOAD="$JSON_PAYLOAD,\"due_on\":\"${DUE_DATE}T00:00:00Z\""
-        JSON_PAYLOAD="$JSON_PAYLOAD}"
+        # Use jq to safely construct JSON so titles/descriptions containing
+        # quotes or special characters do not corrupt the payload (F-07).
+        JSON_PAYLOAD=$(jq -n \
+            --arg t "$TITLE" \
+            --arg d "$DESCRIPTION" \
+            --arg due "${DUE_DATE}" \
+            '{"title": $t}
+             + (if $d != "" then {"description": $d} else {} end)
+             + (if $due != "" then {"due_on": ($due + "T00:00:00Z")} else {} end)')
 
         gh api repos/:owner/:repo/milestones --method POST --input - <<< "$JSON_PAYLOAD"
         echo "Milestone '$TITLE' created successfully"