fix(backend): add role guard to variety-preview and extract shared scoring method
- Add @RequiresHouseholdRole("member") to GET /{planId}/variety-preview endpoint
to require household membership (was accessible to any authenticated user)
- Extract scoreFromSimulatedSlots() private method eliminating duplicate logic
between simulateVarietyScore() and the old computeCurrentScore()
- Fix loose variety preview test assertions (isBetween → exact assertEquals)
- Add test verifying negative scoreDelta when candidate is a duplicate recipe
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -98,6 +98,7 @@ public class WeekPlanController {
|
||||
}
|
||||
|
||||
@GetMapping("/{planId}/variety-preview")
|
||||
@RequiresHouseholdRole("member")
|
||||
public VarietyPreviewResponse getVarietyPreview(
|
||||
Principal principal,
|
||||
@PathVariable UUID planId,
|
||||
|
||||
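Review bot: the new `@RequiresHouseholdRole("member")` on `getVarietyPreview` carries only a role name, so nothing visible in this hunk ties the check to the household that owns `planId`. Please confirm that the guard resolves the household from the `@PathVariable UUID planId` and not from any household the `Principal` happens to belong to; otherwise a member of one household could still read another household's preview. The commit message lists tests for the scoring assertions and the negative `scoreDelta` case but none for the access change, so a controller test asserting that an authenticated non-member is rejected and a member is allowed would pin this fix. Because the endpoint was previously reachable by any authenticated user, it is also worth checking the other `/{planId}/...` mappings in `WeekPlanController` for the same missing annotation.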