Fix OIDC login by using SystemActor in OidcEmailCollision validation

- Add SystemActor to Ash.read_one() calls in OidcEmailCollision validation
- Prevents authorization failures during OIDC registration when no actor is logged in
- Enables proper email collision detection and account linking flow

lib/accounts/user/validations/oidc_email_collision.ex

@@ -42,25 +42,29 @@ defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
     if email && oidc_id && user_info do
       # Check if a user with this oidc_id already exists
       # If yes, this will be an upsert (email update), not a new registration
+      # Use SystemActor for authorization during OIDC registration (no logged-in actor)
+      system_actor = Mv.Helpers.SystemActor.get_system_actor()
+
       existing_oidc_user =
         case Mv.Accounts.User
              |> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
-             |> Ash.read_one() do
+             |> Ash.read_one(actor: system_actor) do
           {:ok, user} -> user
           _ -> nil
         end
 
-      check_email_collision(email, oidc_id, user_info, existing_oidc_user)
+      check_email_collision(email, oidc_id, user_info, existing_oidc_user, system_actor)
     else
       :ok
     end
   end
 
-  defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user) do
+  defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user, system_actor) do
     # Find existing user with this email
+    # Use SystemActor for authorization during OIDC registration (no logged-in actor)
     case Mv.Accounts.User
          |> Ash.Query.filter(email == ^to_string(email))
-         |> Ash.read_one() do
+         |> Ash.read_one(actor: system_actor) do
       {:ok, nil} ->
         # No user exists with this email - OK to create new user
         :ok