feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles)
  via shared canAccessScheduling helper, replacing hardcoded userId allowlist
- Thread roles[] through JWT payload → middleware → frontend nav
- Add router guard that 403s non-authorized users on /api/scheduling/*
- Emit replace_qualified suggestion for every qualified vehicle so list
  count matches the 已完成考核目标 card; recalc qualifiedCount /
  hopelessCount post-permission-filter for card↔list consistency

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/auth/useAuth.ts

@@ -3,7 +3,13 @@ import { createContext, useContext } from 'react';
 export interface AuthState {
   isLoading: boolean;
   isAuthenticated: boolean;
-  user: { userId: string; userName: string; permissionLevel: string; depName: string } | null;
+  user: {
+    userId: string;
+    userName: string;
+    permissionLevel: string;
+    depName: string;
+    roles?: string[];
+  } | null;
   error: string | null;
 }