feat: improve oidc only mode

lib/accounts/user.ex

@@ -362,6 +362,12 @@ defmodule Mv.Accounts.User do
   # Authorization Policies
   # Order matters: Most specific policies first, then general permission check
   policies do
+    # When OIDC-only is active, password sign-in is forbidden (SSO only).
+    policy action(:sign_in_with_password) do
+      forbid_if Mv.Authorization.Checks.OidcOnlyActive
+      authorize_if always()
+    end
+
     # AshAuthentication bypass (registration/login without actor)
     bypass AshAuthentication.Checks.AshAuthenticationInteraction do
       description "Allow AshAuthentication internal operations (registration, login)"
@@ -409,6 +415,10 @@ defmodule Mv.Accounts.User do
     validate {Mv.Accounts.User.Validations.RegistrationEnabled, []},
       where: [action_is(:register_with_password)]
 
+    # Block password registration when OIDC-only mode is active
+    validate {Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration, []},
+      where: [action_is(:register_with_password)]
+
     # Email uniqueness check for all actions that change the email attribute
     # Validates that user email is not already used by another (unlinked) member
     validate Mv.Accounts.User.Validations.EmailNotUsedByOtherMember