Code-review follow-ups: policy, docs, seed_admin behaviour

- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.

lib/mv/authorization/checks/oidc_role_sync_context.ex

@@ -1,9 +1,9 @@
 defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
   @moduledoc """
-  Policy check: true when the action is being run from OIDC role sync (context.private.oidc_role_sync).
+  Policy check: true when the action is run from OIDC role sync (context.private.oidc_role_sync).
 
-  Used to allow the internal set_role_from_oidc_sync action when called by Mv.OidcRoleSync
-  without an actor.
+  Used to allow the internal set_role_from_oidc_sync action only when called by Mv.OidcRoleSync,
+  which sets context.private.oidc_role_sync when performing the update.
   """
   use Ash.Policy.SimpleCheck
 
@@ -12,11 +12,7 @@ defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
 
   @impl true
   def match?(_actor, authorizer, _opts) do
-    # Context from opts (e.g. Ash.update!(..., context: %{private: %{oidc_role_sync: true}}))
     context = Map.get(authorizer, :context) || %{}
-    from_context = get_in(context, [:private, :oidc_role_sync]) == true
-    # When update runs inside create's after_action, context may not be passed; use process dict.
-    from_process = Process.get(:oidc_role_sync) == true
-    from_context or from_process
+    get_in(context, [:private, :oidc_role_sync]) == true
   end
 end