feat: implement authorization policies for Member resource

lib/mv/authorization/checks/no_actor.ex

@@ -0,0 +1,60 @@
+defmodule Mv.Authorization.Checks.NoActor do
+  @moduledoc """
+  Custom Ash Policy Check that allows actions when no actor is present.
+
+  This is primarily used for:
+  - Database seeding (priv/repo/seeds.exs)
+  - Test fixtures that create data without authentication
+  - Background jobs that operate on behalf of the system
+
+  ## Security Note
+
+  This check should only be used for specific actions where system-level
+  access is appropriate. It should always be combined with other policy
+  checks that validate actor-based permissions when an actor IS present.
+
+  ## Usage in Policies
+
+      policies do
+        # Allow seeding and system operations
+        policy action_type(:create) do
+          authorize_if NoActor
+        end
+        
+        # Check permissions when actor is present
+        policy action_type([:read, :create, :update, :destroy]) do
+          authorize_if HasPermission
+        end
+      end
+
+  ## Behavior
+
+  - Returns `{:ok, true}` when actor is nil (allows action)
+  - Returns `{:ok, :unknown}` when actor is present (delegates to other policies)
+  - `auto_filter` returns nil (no filtering needed)
+  """
+
+  use Ash.Policy.Check
+
+  @impl true
+  def describe(_opts) do
+    "allows actions when no actor is present (for seeds and system operations)"
+  end
+
+  @impl true
+  def strict_check(actor, _authorizer, _opts) do
+    if is_nil(actor) do
+      # No actor present - allow (for seeds, tests, system operations)
+      {:ok, true}
+    else
+      # Actor present - let other policies decide
+      {:ok, :unknown}
+    end
+  end
+
+  @impl true
+  def auto_filter(_actor, _authorizer, _opts) do
+    # No filtering needed - this check only validates presence/absence of actor
+    nil
+  end
+end