fix: harden release profile, drop dead struct fields (v0.6.18)

Security-audit follow-up. The release profile had silently drifted from
the hardened profile (v0.6.12): v0.6.14 bundled lto fat->thin, strip
true->false, and debug=true into an unrelated refactor — a debug aid for
the suspend/resume SIGSEGV hunt. That crash is fixed (v0.6.17), so
restore lto=fat + strip=true and drop the debug symbols, which on a
security-critical auth binary only ease reverse-engineering of the auth
path and bloat the binary.

Also remove two vestigial struct fields the audit surfaced: never read,
no behavior change.
- LockscreenHandles.password_entry: the entry is fully wired via internal
  closures before the handles return; no caller read the field.
- User.uid: superseded by getuid() (root check) and username lookups.

src/lockscreen.rs

@@ -24,7 +24,6 @@ use crate::users;
 pub struct LockscreenHandles {
     pub window: gtk::ApplicationWindow,
     pub fp_label: gtk::Label,
-    pub password_entry: gtk::PasswordEntry,
     pub unlock_callback: Rc<dyn Fn()>,
     pub username: String,
     state: Rc<RefCell<LockscreenState>>,
@@ -67,7 +66,6 @@ pub fn create_lockscreen_window(
             return LockscreenHandles {
                 window,
                 fp_label,
-                password_entry: gtk::PasswordEntry::new(),
                 unlock_callback,
                 username: String::new(),
                 state: Rc::new(RefCell::new(LockscreenState {
@@ -357,7 +355,6 @@ pub fn create_lockscreen_window(
     LockscreenHandles {
         window,
         fp_label,
-        password_entry: password_entry.clone(),
         unlock_callback,
         username: user.username,
         state: state.clone(),