fix(backend): add role guard to variety-preview and extract shared scoring method

- Add @RequiresHouseholdRole("member") to GET /{planId}/variety-preview endpoint
  to require household membership (was accessible to any authenticated user)
- Extract scoreFromSimulatedSlots() private method eliminating duplicate logic
  between simulateVarietyScore() and the old computeCurrentScore()
- Fix loose variety preview test assertions (isBetween → exact assertEquals)
- Add test verifying negative scoreDelta when candidate is a duplicate recipe

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/test/java/com/recipeapp/planning/WeekPlanControllerTest.java

@@ -265,4 +265,5 @@ class WeekPlanControllerTest {
                         .principal(() -> "member@example.com"))
                 .andExpect(status().isForbidden());
     }
+
 }