lib/membership/member.ex

@@ -333,10 +333,10 @@ defmodule Mv.Membership.Member do
       authorize_if Mv.Authorization.Checks.HasPermission
     end
 
-    # Internal sync action: allow setting vereinfacht_contact_id (used only by SyncContact change).
+    # Internal sync action: only SystemActor may set vereinfacht_contact_id (used by SyncContact change).
     policy action(:set_vereinfacht_contact_id) do
-      description "Allow internal sync to set Vereinfacht contact ID"
+      description "Only system actor may set Vereinfacht contact ID"
-      authorize_if always()
+      authorize_if Mv.Authorization.Checks.ActorIsSystemUser
     end
 
     # CREATE/UPDATE: Forbid member–user link unless admin, then check permissions

lib/mv/authorization/checks/actor_is_system_user.ex

@@ -0,0 +1,15 @@
+defmodule Mv.Authorization.Checks.ActorIsSystemUser do
+  @moduledoc """
+  Policy check: true only when the actor is the system user (e.g. system@mila.local).
+
+  Used to restrict internal actions (e.g. Member.set_vereinfacht_contact_id) so that
+  only code paths using SystemActor can perform them, not regular admins.
+  """
+  use Ash.Policy.SimpleCheck
+
+  @impl true
+  def describe(_opts), do: "actor is the system user"
+
+  @impl true
+  def match?(actor, _context, _opts), do: Mv.Helpers.SystemActor.system_user?(actor)
+end