Code-review follow-ups: policy, docs, seed_admin behaviour

- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.

lib/mv/release.ex

@@ -52,14 +52,37 @@ defmodule Mv.Release do
         :ok
 
       is_nil(admin_password) or admin_password == "" ->
-        # Do not create or update any user without a password (no fallback in production)
-        :ok
+        ensure_admin_role_only(admin_email)
 
       true ->
         ensure_admin_user(admin_email, admin_password)
     end
   end
 
+  defp ensure_admin_role_only(email) do
+    case Role.get_admin_role() do
+      {:ok, nil} ->
+        :ok
+
+      {:ok, %Role{} = admin_role} ->
+        case get_user_by_email(email) do
+          {:ok, %User{} = user} ->
+            user
+            |> Ash.Changeset.for_update(:update, %{})
+            |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+            |> Ash.update!(authorize?: false)
+
+            :ok
+
+          _ ->
+            :ok
+        end
+
+      {:error, _} ->
+        :ok
+    end
+  end
+
   defp ensure_admin_user(email, password) do
     if is_nil(password) or password == "" do
       :ok