fix: harden release profile, drop dead struct fields (v0.6.18)

Security-audit follow-up. The release profile had silently drifted from
the hardened profile (v0.6.12): v0.6.14 bundled lto fat->thin, strip
true->false, and debug=true into an unrelated refactor — a debug aid for
the suspend/resume SIGSEGV hunt. That crash is fixed (v0.6.17), so
restore lto=fat + strip=true and drop the debug symbols, which on a
security-critical auth binary only ease reverse-engineering of the auth
path and bloat the binary.

Also remove two vestigial struct fields the audit surfaced: never read,
no behavior change.
- LockscreenHandles.password_entry: the entry is fully wired via internal
  closures before the handles return; no caller read the field.
- User.uid: superseded by getuid() (root check) and username lookups.
2026-06-17 10:46:14 +02:00
parent baae17e1d8
commit d292eaa4c8
5 changed files with 12 additions and 10 deletions
+3 -4
@@ -1,6 +1,6 @@
[package]
name = "moonlock"
version = "0.6.17"
version = "0.6.18"
edition = "2024"
description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
license = "MIT"
@@ -28,7 +28,6 @@ tempfile = "3"
glib-build-tools = "0.22"
[profile.release]
lto = "thin"
lto = "fat"
codegen-units = 1
strip = false
debug = true
strip = true
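
Review bot: the restored `lto = "fat"` and `strip = true` lines under `[profile.release]` carry no comment marking them as the hardened baseline, which is how the v0.6.14 switch to thin/false plus `debug = true` could ride along in an unrelated refactor unnoticed. Add a short comment above the profile, for example `# hardened release profile: change only in a dedicated commit`, so any later edit to these keys stands out in review. Removing `debug = true` outright rather than setting it to false is fine here, since the release profile defaults to no debug info.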