feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles)
  via shared canAccessScheduling helper, replacing hardcoded userId allowlist
- Thread roles[] through JWT payload → middleware → frontend nav
- Add router guard that 403s non-authorized users on /api/scheduling/*
- Emit replace_qualified suggestion for every qualified vehicle so list
  count matches the 已完成考核目标 card; recalc qualifiedCount /
  hopelessCount post-permission-filter for card↔list consistency

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/server/auth/middleware.ts

@@ -35,6 +35,7 @@ export async function authMiddleware(c: Context, next: Next) {
       depCode: payload.depCode,
       depName: payload.depName,
       permissionLevel: payload.permissionLevel,
+      roles: payload.roles ?? [],
     };
     c.set('user', user);
     return next();