feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles)
  via shared canAccessScheduling helper, replacing hardcoded userId allowlist
- Thread roles[] through JWT payload → middleware → frontend nav
- Add router guard that 403s non-authorized users on /api/scheduling/*
- Emit replace_qualified suggestion for every qualified vehicle so list
  count matches the 已完成考核目标 card; recalc qualifiedCount /
  hopelessCount post-permission-filter for card↔list consistency

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/server/routes/scheduling/suggestions.ts

@@ -344,8 +344,8 @@ app.get('/', async (c) => {
     const filteredHopeless = masked.filter((s: any) => s.type === 'rescue_hopeless').length;
     const recentInterventionCount = await fetchRecentInterventionCount();
     const filteredSummary: SchedulingSummary = {
-      qualifiedCount: summary.qualifiedCount,
-      hopelessCount: summary.hopelessCount,
+      qualifiedCount: filteredQualified,
+      hopelessCount: filteredHopeless,
       suggestionCount: masked.length,
       estimatedGain: masked.filter((s: any) =>
         s.candidates?.some((c: any) => c.canQualifyAfterSwap)