[T006] [US1][US2] Add FINANCIAL_ROUTES role check to middleware

[EmiyaKiritsugu3]

Feature: Financial Role Access Control — Phase 3 (P1 MVP)
Stories: US1 (GERENTE retains access) + US2 (non-GERENTE blocked)

Update src/utils/supabase/middleware.ts inside updateSession:

1. Add const FINANCIAL_ROUTES = ['/dashboard/financeiro', '/dashboard/planos'] as const at module scope
2. Add const isFinancialRoute = FINANCIAL_ROUTES.some(r => pathname.startsWith(r))
3. When isFuncionario && isFinancialRoute: query supabase.from('funcionarios').select('role').eq('id', user.id).maybeSingle() and redirect to /dashboard if data?.role !== 'GERENTE' or if query errors (fail-closed)

Independent test: GERENTE → financeiro renders ✅, RECEPCIONISTA → redirected to /dashboard ✅