Restrict User.update_user to admin; allow :update for email only

- Add ActorIsAdmin policy check (admin permission set only)
- User: policy action(:update_user) forbid_unless + authorize_if ActorIsAdmin
- User: primary :update action accept [:email] for non-admin profile edit

lib/mv/authorization/checks/actor_is_admin.ex

@@ -0,0 +1,22 @@
+defmodule Mv.Authorization.Checks.ActorIsAdmin do
+  @moduledoc """
+  Policy check: true when the actor's role has permission_set_name "admin".
+
+  Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
+  """
+  use Ash.Policy.SimpleCheck
+
+  @impl true
+  def describe(_opts), do: "actor has admin permission set"
+
+  @impl true
+  def match?(nil, _context, _opts), do: false
+
+  def match?(actor, _context, _opts) do
+    ps_name =
+      get_in(actor, [Access.key(:role), Access.key(:permission_set_name)]) ||
+        get_in(actor, [Access.key("role"), Access.key("permission_set_name")])
+
+    ps_name == "admin"
+  end
+end