feat(accounts): block update/destroy on system-actor user

Validation prevents modifying system actor user (required for internal ops).

lib/accounts/user.ex

@@ -175,6 +175,13 @@ defmodule Mv.Accounts.User do
       end
     end
 
+    # Internal update used only by SystemActor/bootstrap and tests to assign role to system user.
+    # Not protected by system-user validation so bootstrap can run.
+    update :update_internal do
+      accept []
+      require_atomic? false
+    end
+
     # Admin action for direct password changes in admin panel
     # Uses the official Ash Authentication HashPasswordChange with correct context
     update :admin_set_password do
@@ -366,18 +373,20 @@ defmodule Mv.Accounts.User do
       end
     end
 
-    # Prevent deletion of the system actor user (required for internal operations)
+    # Prevent modification of the system actor user (required for internal operations).
+    # Block update/destroy on UI-exposed actions only; :update_internal is used by bootstrap/tests.
     validate fn changeset, _context ->
-               if to_string(changeset.data.email) == Mv.Helpers.SystemActor.system_user_email() do
+               if Mv.Helpers.SystemActor.system_user?(changeset.data) do
                  {:error,
                   field: :email,
                   message:
-                    "Cannot delete system actor user. This user is required for internal operations."}
+                    "Cannot modify system actor user. This user is required for internal operations."}
                else
                  :ok
                end
              end,
-             on: [:destroy]
+             on: [:update, :destroy],
+             where: [action_is([:update, :update_user, :admin_set_password, :destroy])]
   end
 
   def validate_oidc_id_present(changeset, _context) do