Fix unlink-by-omission: on_missing :ignore, test, doc, string-key

- Member update_member: on_missing :unrelate → :ignore (no unlink when :user omitted)
- Test: normal_user update linked member without :user keeps link
- Doc: unlink only explicit (user: nil), admin-only; Actor.admin?(nil) note
- Check: defense-in-depth for "user" string key

lib/membership/member.ex

@@ -154,15 +154,13 @@ defmodule Mv.Membership.Member do
       change manage_relationship(:custom_field_values, on_match: :update, on_no_match: :create)
 
       # Manage the user relationship during member update
+      # on_missing: :ignore so that omitting :user does NOT unlink (security: only admins may
+      # change the link; unlink is explicit via user: nil, forbidden for non-admins by policy).
       change manage_relationship(:user, :user,
-               # Look up existing user and relate to it
                on_lookup: :relate,
-               # Error if user doesn't exist in database
                on_no_match: :error,
-               # Error if user is already linked to another member (prevents "stealing")
                on_match: :error,
-               # If no user provided, remove existing relationship (allows user removal)
-               on_missing: :unrelate
+               on_missing: :ignore
              )
 
       # Sync member email to user when email changes (Member → User)