feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles)
  via shared canAccessScheduling helper, replacing hardcoded userId allowlist
- Thread roles[] through JWT payload → middleware → frontend nav
- Add router guard that 403s non-authorized users on /api/scheduling/*
- Emit replace_qualified suggestion for every qualified vehicle so list
  count matches the 已完成考核目标 card; recalc qualifiedCount /
  hopelessCount post-permission-filter for card↔list consistency

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/server/routes/scheduling/algorithm.ts

@@ -157,12 +157,10 @@ export function generateSuggestions(
   }
 
   // --- replace_qualified (medium priority) ---
-  // Swap out the qualified car, swap in a car that NEEDS mileage.
-  // The high-mileage customer will drive it hard → helps it reach target.
-  // Exclude candidates already at target (gap <= 0) — swapping those in is pointless.
+  // Every qualified vehicle gets a suggestion row so the list count matches
+  // `qualifiedCount`. Candidates may be empty when no inventory vehicle can
+  // reach target at this customer — the row still surfaces for manual review.
   for (const vehicle of qualified) {
-    if (vehicle.customerAvgDaily <= vehicle.dailyRequiredMileage) continue;
-
     const candidates: CandidateVehicle[] = inventoryVehicles
       .filter((inv) => {
         if (!isTypeCompatible(vehicle.vehicleType, inv.vehicleType)) return false;
@@ -206,9 +204,6 @@ export function generateSuggestions(
       })
 ;
 
-    // Skip if no candidate can reach target — swap would be pointless
-    if (candidates.length === 0) continue;
-
     const yearRate = vehicle.yearTarget > 0 ? Math.round((vehicle.currentYearMileage / vehicle.yearTarget) * 100) : 0;
     const canAddKm = vehicle.customerAvgDaily * vehicle.daysLeft;
     const reason: ReasonBlock = {
@@ -231,8 +226,11 @@ export function generateSuggestions(
     });
   }
 
-  // Remove suggestions with no candidates
-  const filteredSuggestions = suggestions.filter((s) => s.candidates.length > 0);
+  // Drop rescue_hopeless with no candidates — no actionable rescue available.
+  // Keep every replace_qualified so the list count matches the qualifiedCount card.
+  const filteredSuggestions = suggestions.filter(
+    (s) => s.type === 'replace_qualified' || s.candidates.length > 0,
+  );
 
   // Sort: high priority first
   filteredSuggestions.sort((a, b) => {

src/server/routes/scheduling/index.ts

@@ -1,9 +1,22 @@
 import { Hono } from 'hono';
 import suggestionsRouter from './suggestions.js';
 import notifyRouter from './notify.js';
+import type { AuthUser } from '../../auth/types.js';
+import { canAccessScheduling } from '../../auth/types.js';
 
 const app = new Hono();
 
+// Module-level access guard. When auth middleware is active, `user` is set and
+// we require a role from SCHEDULING_ACCESS_ROLES (or a full-access role).
+// When auth is bypassed (dev), `user` is undefined and requests pass through.
+app.use('*', async (c, next) => {
+  const user = (c as any).get('user') as AuthUser | undefined;
+  if (user && !canAccessScheduling(user.roles)) {
+    return c.json({ error: 'Forbidden: 智能调度访问需要 BI-SCHEDULE-OPT 角色' }, 403);
+  }
+  return next();
+});
+
 app.route('/suggestions', suggestionsRouter);
 app.route('/notify', notifyRouter);
 

src/server/routes/scheduling/suggestions.ts

@@ -344,8 +344,8 @@ app.get('/', async (c) => {
     const filteredHopeless = masked.filter((s: any) => s.type === 'rescue_hopeless').length;
     const recentInterventionCount = await fetchRecentInterventionCount();
     const filteredSummary: SchedulingSummary = {
-      qualifiedCount: summary.qualifiedCount,
-      hopelessCount: summary.hopelessCount,
+      qualifiedCount: filteredQualified,
+      hopelessCount: filteredHopeless,
       suggestionCount: masked.length,
       estimatedGain: masked.filter((s: any) =>
         s.candidates?.some((c: any) => c.canQualifyAfterSwap)