RC RANDOM CHAOS

Datasette 1.0a27 drops Django-style CSRF for header-based protection, adds rename events

via Simon Willison


The latest Datasette alpha replaces Django-style CSRF form tokens with a header-based approach modeled on Filippo Valsorda’s browser-header technique. Cross-site request protection now relies on headers that browsers already send, which avoids the friction of embedding a token in every form.
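A sketch of what a header-based check of this kind looks like, as an added example that is not Datasette's code or part of the original summary. It assumes the headers involved are Sec-Fetch-Site and Origin and that they are checked in the order shown; the function name, the trusted_origins parameter and the hostnames are hypothetical.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def check_cross_origin(method, headers, trusted_origins=frozenset()):
    """Return (allowed, reason) for one request, using only browser-sent headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = h.get("origin")
    if origin is not None and origin in trusted_origins:
        return True, "explicitly trusted origin"
    site = h.get("sec-fetch-site")
    if site is not None:
        # Set by the browser itself; page script cannot forge a Sec- header.
        # "none" means a user-initiated navigation (address bar, bookmark).
        allowed = site in ("same-origin", "none")
        return allowed, "sec-fetch-site=" + site
    if origin is None:
        # Neither header: not a modern browser request (for example curl).
        # CSRF needs a victim's browser, so there is nothing to protect here.
        return True, "no browser headers"
    # Fallback for browsers without Fetch Metadata: Origin must match Host.
    host = h.get("host", "").lower()
    if host and urlsplit(origin).netloc.lower() == host:
        return True, "origin matches host"
    return False, "origin does not match host"


# Constructed sample requests (hostnames are placeholders).
SAMPLES = [
    ("POST", {"Host": "data.example", "Sec-Fetch-Site": "same-origin"}),
    ("POST", {"Host": "data.example", "Sec-Fetch-Site": "cross-site",
              "Origin": "https://attacker.example"}),
    ("POST", {"Host": "data.example", "Origin": "https://data.example"}),
    ("POST", {"Host": "data.example", "Origin": "null"}),
    ("POST", {"Host": "data.example"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, "->", check_cross_origin(method, headers))
```

A check like this only holds if safe methods never modify data, since GET, HEAD and OPTIONS are passed through unconditionally.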

A second notable change introduces a RenameTableEvent that fires whenever a table is renamed inside a SQLite transaction. Plugins like datasette-comments, which bind auxiliary data to tables by name, can now react to renames instead of silently drifting out of sync.

Smaller improvements round out the release: an actor= parameter on datasette.client methods for impersonation in tests, an is_temp_disk=True flag on Database to push the internal database to disk and cut intermittent lock errors, stricter null-primary-key rejection on the upsert API, and a promotion of call_with_supported_arguments() to documented public API status.


This is an AI-generated summary. Read the original for the full story.