Security hardening (breaking).
- Breaking: admin panel is fail-closed; requests denied with 401 when no auth callable configured (CWE-306)
- Detail view renders only detail_fields() so hidden columns no longer leak (CWE-200)
- Sensitive/authorization field detection extended; matched fields forced read-only (CWE-915)
- CSRF cookie sets HttpOnly and Max-Age (CWE-1004)
- Security headers + CSP on admin responses (CWE-1021)
- Non-integer page no longer 500s (CWE-20)
- Security events logged (CWE-778)