feat: Implement production D-Bus security policy with root-only access

- Update D-Bus policy for production use (root-only access)
- Document production vs development policy rationale
- Enhance D-BUS.md with security considerations
- Update CHANGELOG.md with production security hardening
- Update TODO.md to reflect completed security improvements

This change implements a production-ready security model where only root
users can access the apt-ostree daemon, which is appropriate since all
operations (package installation, OSTree commits, ComposeFS management)
inherently require root privileges. This eliminates the need for complex
PolicyKit authorization rules and provides clear security boundaries.
Joe Particle 2025-07-16 04:28:28 +00:00
parent 3d11430795
commit 883fa1e70f
9 changed files with 175 additions and 8 deletions

@ -29,6 +29,9 @@
- ✅ Documented D-Bus policy requirements and troubleshooting in D-BUS.md
- ✅ Automated D-Bus policy file installation in install.sh
- ✅ Improved install.sh robustness for permissions and directory creation
- ✅ Updated D-Bus policy for production use (root-only access)
- ✅ Documented production vs development policy rationale
- ✅ Implemented production security hardening with root-only access
### VM Testing & Daemon Integration
- ✅ VM environment setup and apt-layer/apt-ostree integration testing
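
Review bot: Two of the three entries added at the end of the first checklist record the same change: "Updated D-Bus policy for production use (root-only access)" and "Implemented production security hardening with root-only access". Keep one of them. The remaining entry would be more useful if it named the policy file that install.sh installs and said how the root-only restriction was checked (for example, that a call from a non-root user is denied), since the list as written gives a reader no way to confirm the hardening.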