fix: CustomField policies, no system-actor fallback, guidelines

- Tests and UI pass actor for CustomField create/read/destroy; seeds use actor
- Member required-custom-fields validation uses context.actor only (no fallback)
- CODE_GUIDELINES: add rule forbidding system-actor fallbacks

priv/repo/seeds.exs

@@ -118,10 +118,12 @@ for attrs <- [
         required: false
       }
     ] do
+  # Bootstrap: no admin user yet; CustomField create requires admin, so skip authorization
   Membership.create_custom_field!(
     attrs,
     upsert?: true,
-    upsert_identity: :unique_name
+    upsert_identity: :unique_name,
+    authorize?: false
   )
 end
 
@@ -594,7 +596,7 @@ end)
 
 # Create sample custom field values for some members
 all_members = Ash.read!(Membership.Member, actor: admin_user_with_role)
-all_custom_fields = Ash.read!(Membership.CustomField)
+all_custom_fields = Ash.read!(Membership.CustomField, actor: admin_user_with_role)
 
 # Helper function to find custom field by name
 find_field = fn name -> Enum.find(all_custom_fields, &(&1.name == name)) end