Code-review follow-ups: policy, docs, seed_admin behaviour

- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.

test/mv/release_test.exs

@@ -44,18 +44,20 @@ defmodule Mv.ReleaseTest do
              "seed_admin must not create any user when ADMIN_PASSWORD is unset (expected #{user_count_before}, got #{count_users()})"
     end
 
-    test "with ADMIN_EMAIL but without ADMIN_PASSWORD and user exists: leaves user and role unchanged" do
+    test "with ADMIN_EMAIL but without ADMIN_PASSWORD and user exists: sets Admin role (OIDC-only bootstrap)" do
+      System.delete_env("ADMIN_PASSWORD")
+      System.delete_env("ADMIN_PASSWORD_FILE")
+
       email = "existing-admin-#{System.unique_integer([:positive])}@test.example.com"
       System.put_env("ADMIN_EMAIL", email)
       on_exit(fn -> System.delete_env("ADMIN_EMAIL") end)
 
-      {:ok, user} = create_user_with_mitglied_role(email)
-      role_id_before = user.role_id
+      {:ok, _user} = create_user_with_mitglied_role(email)
 
       Mv.Release.seed_admin()
 
       {:ok, updated} = get_user_by_email(email)
-      assert updated.role_id == role_id_before
+      assert updated.role_id == admin_role_id()
     end
 
     test "with ADMIN_EMAIL and ADMIN_PASSWORD: creates user with Admin role and sets password" do