feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles)
  via shared canAccessScheduling helper, replacing hardcoded userId allowlist
- Thread roles[] through JWT payload → middleware → frontend nav
- Add router guard that 403s non-authorized users on /api/scheduling/*
- Emit replace_qualified suggestion for every qualified vehicle so list
  count matches the 已完成考核目标 card; recalc qualifiedCount /
  hopelessCount post-permission-filter for card↔list consistency

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/server/routes/scheduling/index.ts

@@ -1,9 +1,22 @@
 import { Hono } from 'hono';
 import suggestionsRouter from './suggestions.js';
 import notifyRouter from './notify.js';
+import type { AuthUser } from '../../auth/types.js';
+import { canAccessScheduling } from '../../auth/types.js';
 
 const app = new Hono();
 
+// Module-level access guard. When auth middleware is active, `user` is set and
+// we require a role from SCHEDULING_ACCESS_ROLES (or a full-access role).
+// When auth is bypassed (dev), `user` is undefined and requests pass through.
+app.use('*', async (c, next) => {
+  const user = (c as any).get('user') as AuthUser | undefined;
+  if (user && !canAccessScheduling(user.roles)) {
+    return c.json({ error: 'Forbidden: 智能调度访问需要 BI-SCHEDULE-OPT 角色' }, 403);
+  }
+  return next();
+});
+
 app.route('/suggestions', suggestionsRouter);
 app.route('/notify', notifyRouter);