Add scan_roles config for role-based PII/secrets filtering (#52)

Add scan_roles config for role-based PII/secrets filtering (#52)

Allows configuring which message roles to scan for PII and secrets.
By default all roles are scanned (existing behavior). When scan_roles
is set, only messages with matching roles are sent to Presidio.

Use case: Skip scanning large system prompts to reduce API calls and
avoid false positives on app-controlled content.

- Add role field to TextSpan type
- OpenAI extractor populates role from message
- PII detector filters by scan_roles before Presidio calls
- Secrets detector filters by scan_roles before detection