Add batch management APIs, API security, rate limiting, and optimizations

- Batch device CRUD: POST /api/devices/batch (create 500), PUT /api/devices/batch (update 500),
  POST /api/devices/batch-delete (delete 100) with WHERE IN bulk queries
- Batch command: POST /api/commands/batch with model_validator mutual exclusion
- API key auth (X-API-Key header, secrets.compare_digest timing-safe)
- Rate limiting via SlowAPIMiddleware (60/min default, 30/min writes)
- Real client IP extraction (X-Forwarded-For / CF-Connecting-IP)
- Global exception handler (no stack trace leaks, passes HTTPException through)
- CORS with auto-disable credentials on wildcard origins
- Schema validation: IMEI pattern, lat/lon ranges, Literal enums, MAC/UUID patterns
- Heartbeats router, per-ID endpoints for locations/attendance/bluetooth
- Input dedup in batch create, result ordering preserved
- Baidu reverse geocoding, Gaode map tiles with WGS84→GCJ02 conversion
- Device detail panel with feature toggles and command controls
- Side panel for location/beacon pages with auto-select active device

via [HAPI](https://hapi.run)

Co-Authored-By: HAPI <noreply@hapi.run>

app/routers/devices.py

@@ -5,17 +5,24 @@ API endpoints for device CRUD operations and statistics.
 
 import math
 
-from fastapi import APIRouter, Depends, HTTPException, Query
+from fastapi import APIRouter, Depends, HTTPException, Query, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.database import get_db
 from app.schemas import (
     APIResponse,
+    BatchDeviceCreateRequest,
+    BatchDeviceCreateResponse,
+    BatchDeviceCreateResult,
+    BatchDeviceDeleteRequest,
+    BatchDeviceUpdateRequest,
     DeviceCreate,
     DeviceResponse,
     DeviceUpdate,
     PaginatedList,
 )
+from app.config import settings
+from app.extensions import limiter
 from app.services import device_service
 
 router = APIRouter(prefix="/api/devices", tags=["Devices / 设备管理"])
@@ -81,6 +88,76 @@ async def get_device_by_imei(imei: str, db: AsyncSession = Depends(get_db)):
     return APIResponse(data=DeviceResponse.model_validate(device))
 
 
+@router.post(
+    "/batch",
+    response_model=APIResponse[BatchDeviceCreateResponse],
+    status_code=201,
+    summary="批量创建设备 / Batch create devices",
+)
+@limiter.limit(settings.RATE_LIMIT_WRITE)
+async def batch_create_devices(request: Request, body: BatchDeviceCreateRequest, db: AsyncSession = Depends(get_db)):
+    """
+    批量注册设备（最多500台），跳过IMEI重复的设备。
+    Batch register devices (up to 500). Skips devices with duplicate IMEIs.
+    """
+    results = await device_service.batch_create_devices(db, body.devices)
+    created = sum(1 for r in results if r["success"])
+    failed = len(results) - created
+    return APIResponse(
+        message=f"Batch create: {created} created, {failed} failed",
+        data=BatchDeviceCreateResponse(
+            total=len(results),
+            created=created,
+            failed=failed,
+            results=[BatchDeviceCreateResult(**r) for r in results],
+        ),
+    )
+
+
+@router.put(
+    "/batch",
+    response_model=APIResponse[dict],
+    summary="批量更新设备 / Batch update devices",
+)
+@limiter.limit(settings.RATE_LIMIT_WRITE)
+async def batch_update_devices(request: Request, body: BatchDeviceUpdateRequest, db: AsyncSession = Depends(get_db)):
+    """
+    批量更新设备信息（名称、状态等），最多500台。
+    Batch update device fields (name, status, etc.) for up to 500 devices.
+    """
+    results = await device_service.batch_update_devices(db, body.device_ids, body.update)
+    updated = sum(1 for r in results if r["success"])
+    failed = len(results) - updated
+    return APIResponse(
+        message=f"Batch update: {updated} updated, {failed} failed",
+        data={"total": len(results), "updated": updated, "failed": failed, "results": results},
+    )
+
+
+@router.post(
+    "/batch-delete",
+    response_model=APIResponse[dict],
+    summary="批量删除设备 / Batch delete devices",
+)
+@limiter.limit(settings.RATE_LIMIT_WRITE)
+async def batch_delete_devices(
+    request: Request,
+    body: BatchDeviceDeleteRequest,
+    db: AsyncSession = Depends(get_db),
+):
+    """
+    批量删除设备（最多100台）。通过 POST body 传递 device_ids 列表。
+    Batch delete devices (up to 100). Pass device_ids in request body.
+    """
+    results = await device_service.batch_delete_devices(db, body.device_ids)
+    deleted = sum(1 for r in results if r["success"])
+    failed = len(results) - deleted
+    return APIResponse(
+        message=f"Batch delete: {deleted} deleted, {failed} failed",
+        data={"total": len(results), "deleted": deleted, "failed": failed, "results": results},
+    )
+
+
 @router.get(
     "/{device_id}",
     response_model=APIResponse[DeviceResponse],