feat: Iteration 1 — 审计日志IP记录、文件上传、医护端API、小程序角色切换

Iteration 1 六项任务全部完成：

1. 审计日志IP记录 — task_local RequestInfo 自动注入 IP/user_agent
2. 文件上传服务 — multipart 上传 + ServeDir 静态文件服务
3. 医护端后端API — 医生工作台仪表盘 + 患者标签CRUD + 会话已读
4. 小程序角色切换 — 登录后根据角色跳转医护台/患者首页
5. 小程序安全加固 — secure-storage 开发模式警告
6. 讨论记录归档 — docs/discussions/

crates/erp-server/src/main.rs

@@ -173,6 +173,7 @@ use axum::middleware as axum_middleware;
 use config::AppConfig;
 use erp_auth::middleware::jwt_auth_middleware_fn;
 use state::AppState;
+use tower_http::services::ServeDir;
 use tracing_subscriber::EnvFilter;
 use utoipa::OpenApi;
 
@@ -509,6 +510,10 @@ async fn main() -> anyhow::Result<()> {
         .merge(erp_health::HealthModule::protected_routes())
         .merge(erp_ai::AiModule::protected_routes())
         .merge(handlers::audit_log::audit_log_router())
+        .route(
+            "/upload",
+            axum::routing::post(handlers::upload::upload_file),
+        )
         .route(
             "/admin/tenants/{id}/rotate-key",
             axum::routing::post(handlers::crypto_admin::rotate_tenant_key),
@@ -530,8 +535,10 @@ async fn main() -> anyhow::Result<()> {
     // Merge public + protected into the final application router
     // All API routes are nested under /api/v1
     let cors = build_cors_layer(&state.config.cors.allowed_origins);
+    let upload_dir = state.config.storage.upload_dir.clone();
     let app = Router::new()
         .nest("/api/v1", public_routes.merge(protected_routes))
+        .nest_service("/uploads", ServeDir::new(&upload_dir))
         .layer(cors);
 
     let addr = format!("{}:{}", host, port);