The behandel-portal authenticates staff against the Keycloak `medewerker` realm. Add
MedewerkerAuthService (reads nested realm_access.roles), provideMedewerkerAuth, a roles/hasRole
surface on the shared AuthService, and a realm-roles protocol mapper so the frontend can read
the behandelaar/teamlead roles from the token. Per ADR-0013 the BFF remains the security boundary.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>