fix: migrate all remaining eval callers to source, fix stale CHANGELOG claim

5 templates and 2 bin scripts still used eval $(gstack-slug). All now use
source <(gstack-slug). Updated gstack-slug comment to match. Fixed v0.8.3
CHANGELOG entry that falsely claimed eval was fully eliminated — it was
the output sanitization that made it safe, not a calling convention change.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bin/gstack-slug

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 # gstack-slug — output project slug and sanitized branch name
-# Usage: eval $(gstack-slug)  → sets SLUG and BRANCH variables
-# Or:    gstack-slug          → prints SLUG=... and BRANCH=... lines
+# Usage: source <(gstack-slug)  → sets SLUG and BRANCH variables
+# Or:    gstack-slug            → prints SLUG=... and BRANCH=... lines
 #
 # Security: output is sanitized to [a-zA-Z0-9._-] only, preventing
-# shell injection when consumed via eval $(gstack-slug).
+# shell injection when consumed via source or eval.
 set -euo pipefail
 RAW_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-')
 RAW_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-')