feat(polkit): restrict systemd + udisks system actions to active local sessions

Two narrow defence-in-depth rules:

- 52-systemd-local-only: org.freedesktop.systemd1.* requires both
  subject.local and subject.active. Wheel-via-sudo-rs is on a different
  path (sudoers) and is not affected. Stops a non-active or remote
  polkit caller from start/stop/restart of system units.

- 53-udisks-system-mount: filesystem-mount-system and modify-system
  require subject.active. The everyday USB auto-mount path uses
  filesystem-mount (no -system suffix) and is unaffected.

Audited against current workflow (virt-manager, networkctl, USB mount,
bluetoothctl, fwupdmgr) — none of these break.

0 files changed, 0 insertions, 0 deletions