Restrict member user link to admins (forbid policy)

Add ForbidMemberUserLinkUnlessAdmin check; forbid_if on Member create/update.
Fix member user-link tests: pass :user in params, assert via reload.

lib/membership/member.ex

@@ -312,14 +312,12 @@ defmodule Mv.Membership.Member do
       authorize_if expr(id == ^actor(:member_id))
     end
 
-    # GENERAL: Check permissions from user's role
-    # HasPermission handles update permissions correctly:
-    # - :own_data → can update linked member (scope :linked)
-    # - :read_only → cannot update any member (no update permission)
-    # - :normal_user → can update all members (scope :all)
-    # - :admin → can update all members (scope :all)
+    # GENERAL: Check permissions from user's role; forbid member–user link unless admin
+    # ForbidMemberUserLinkUnlessAdmin: only admins may pass :user on create/update (no-op for read/destroy).
+    # HasPermission: :own_data → update linked; :read_only → no update; :normal_user/admin → update all.
     policy action_type([:read, :create, :update, :destroy]) do
-      description "Check permissions from user's role and permission set"
+      description "Check permissions and forbid user link unless admin"
+      forbid_if Mv.Authorization.Checks.ForbidMemberUserLinkUnlessAdmin
       authorize_if Mv.Authorization.Checks.HasPermission
     end