Add CustomField resource policies and tests

- Add policies block with HasPermission for read/create/update/destroy
- Add authorizers: [Ash.Policy.Authorizer] to CustomField resource
- Add custom_field_policies_test.exs (read all roles, write admin only)
- Fix CustomField path in roles-and-permissions doc (lib/membership)

docs/roles-and-permissions-architecture.md

@@ -1101,28 +1101,23 @@ end
 
 ### CustomField Resource Policies
 
-**Location:** `lib/mv/membership/custom_field.ex`
+**Location:** `lib/membership/custom_field.ex`
 
 **No Special Cases:** All users can read, only admin can write.
 
 ```elixir
 defmodule Mv.Membership.CustomField do
-  use Ash.Resource, ...
-  
+  use Ash.Resource,
+    domain: Mv.Membership,
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]
+
   policies do
-    # All authenticated users can read custom fields (needed for forms)
-    # Write operations are admin-only
     policy action_type([:read, :create, :update, :destroy]) do
       description "Check permissions from user's role"
       authorize_if Mv.Authorization.Checks.HasPermission
     end
-    
-    # DEFAULT: Forbid
-    policy action_type([:read, :create, :update, :destroy]) do
-      forbid_if always()
-    end
   end
-  
   # ...
 end
 ```