diff --git a/.github/workflows/deploy-branch-preview.yml b/.github/workflows/deploy-branch-preview.yml
deleted file mode 100644
index e56d9c27..00000000
--- a/.github/workflows/deploy-branch-preview.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Deploy a Datasette branch preview to Vercel
-
-on:
-  workflow_dispatch:
-    inputs:
-      branch:
-        description: "Branch to deploy"
-        required: true
-        type: string
-
-jobs:
-  deploy-branch-preview:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Python 3.11
-      uses: actions/setup-python@v6
-      with:
-        python-version: "3.11"
-    - name: Install dependencies
-      run: |
-        pip install datasette-publish-vercel
-    - name: Deploy the preview
-      env:
-        VERCEL_TOKEN: ${{ secrets.BRANCH_PREVIEW_VERCEL_TOKEN }}
-      run: |
-        export BRANCH="${{ github.event.inputs.branch }}"
-        wget https://latest.datasette.io/fixtures.db
-        datasette publish vercel fixtures.db \
-          --branch $BRANCH \
-          --project "datasette-preview-$BRANCH" \
-          --token $VERCEL_TOKEN \
-          --scope datasette \
-          --about "Preview of $BRANCH" \
-          --about_url "https://github.com/simonw/datasette/tree/$BRANCH"
diff --git a/.github/workflows/deploy-latest.yml b/.github/workflows/deploy-latest.yml
index 7349a1ab..b0640ae8 100644
--- a/.github/workflows/deploy-latest.yml
+++ b/.github/workflows/deploy-latest.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out datasette
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -57,7 +57,7 @@ jobs:
             db.route = "alternative-route"
         ' > plugins/alternative_route.py
         cp fixtures.db fixtures2.db
-    - name: And the counters writable canned query demo
+    - name: And the counters writable stored query demo
       run: |
         cat > plugins/counters.py <<EOF
         from datasette import hookimpl
@@ -69,23 +69,24 @@ jobs:
                 await db.execute_write("insert or ignore into counters (name, value) values ('counter_a', 0)")
                 await db.execute_write("insert or ignore into counters (name, value) values ('counter_b', 0)")
                 await db.execute_write("insert or ignore into counters (name, value) values ('counter_c', 0)")
-            return inner
-        @hookimpl
-        def canned_queries(database):
-            if database == "counters":
-                queries = {}
                 for name in ("counter_a", "counter_b", "counter_c"):
-                    queries["increment_{}".format(name)] = {
-                        "sql": "update counters set value = value + 1 where name = '{}'".format(name),
-                        "on_success_message_sql": "select 'Counter {name} incremented to ' || value from counters where name = '{name}'".format(name=name),
-                        "write": True,
-                    }
-                    queries["decrement_{}".format(name)] = {
-                        "sql": "update counters set value = value - 1 where name = '{}'".format(name),
-                        "on_success_message_sql": "select 'Counter {name} decremented to ' || value from counters where name = '{name}'".format(name=name),
-                        "write": True,
-                    }
-                return queries
+                    await datasette.add_query(
+                        "counters",
+                        "increment_{}".format(name),
+                        "update counters set value = value + 1 where name = '{}'".format(name),
+                        on_success_message_sql="select 'Counter {name} incremented to ' || value from counters where name = '{name}'".format(name=name),
+                        is_write=True,
+                        is_trusted=True,
+                    )
+                    await datasette.add_query(
+                        "counters",
+                        "decrement_{}".format(name),
+                        "update counters set value = value - 1 where name = '{}'".format(name),
+                        on_success_message_sql="select 'Counter {name} decremented to ' || value from counters where name = '{name}'".format(name=name),
+                        is_write=True,
+                        is_trusted=True,
+                    )
+            return inner
         EOF
     # - name: Make some modifications to metadata.json
     #   run: |
@@ -116,7 +117,7 @@ jobs:
             --plugins-dir=plugins \
             --branch=$GITHUB_SHA \
             --version-note=$GITHUB_SHA \
-            --extra-options="--setting template_debug 1 --setting trace_debug 1 --crossdb" \
+            --extra-options="--setting template_debug 1 --setting trace_debug 1 --crossdb --root" \
             --install 'datasette-ephemeral-tables>=0.2.2' \
             --service "datasette-latest$SUFFIX" \
             --secret $LATEST_DATASETTE_SECRET
diff --git a/.github/workflows/documentation-links.yml b/.github/workflows/documentation-links.yml
index a54bd83a..b8fb8aaa 100644
--- a/.github/workflows/documentation-links.yml
+++ b/.github/workflows/documentation-links.yml
@@ -1,6 +1,6 @@
 name: Read the Docs Pull Request Preview
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
 
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
new file mode 100644
index 00000000..5275ddef
--- /dev/null
+++ b/.github/workflows/playwright.yml
@@ -0,0 +1,48 @@
+name: Playwright
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        browser: [chromium, firefox, webkit]
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Python 3.14
+      uses: actions/setup-python@v6
+      with:
+        python-version: "3.14"
+        allow-prereleases: true
+        cache: pip
+        cache-dependency-path: pyproject.toml
+    - name: Cache uv
+      uses: actions/cache@v5
+      with:
+        path: ~/.cache/uv
+        key: ${{ runner.os }}-py3.14-uv-${{ hashFiles('pyproject.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-py3.14-uv-
+    - name: Cache Playwright browsers
+      uses: actions/cache@v5
+      with:
+        path: ~/.cache/ms-playwright/
+        key: ${{ runner.os }}-playwright-${{ matrix.browser }}-${{ hashFiles('pyproject.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-playwright-${{ matrix.browser }}-
+    - name: Install uv
+      run: python -m pip install uv
+    - name: Install dependencies
+      run: uv sync --group dev --group playwright
+    - name: Install ${{ matrix.browser }}
+      run: uv run --group dev --group playwright playwright install --with-deps ${{ matrix.browser }}
+    - name: Run Playwright tests
+      run: uv run --group dev --group playwright pytest tests/test_playwright.py --playwright --browser ${{ matrix.browser }}
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index 77cce7d1..735e14e9 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
@@ -10,8 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out repo
-      uses: actions/checkout@v4
-    - uses: actions/cache@v4
+      uses: actions/checkout@v6
+    - uses: actions/cache@v5
       name: Configure npm caching
       with:
         path: ~/.npm
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2e8cea9c..87300593 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -14,7 +14,7 @@ jobs:
       matrix:
         python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:
@@ -35,7 +35,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -56,7 +56,7 @@ jobs:
     needs: [deploy]
     if: "!github.event.release.prerelease"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -92,7 +92,7 @@ jobs:
     needs: [deploy]
     if: "!github.event.release.prerelease"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Build and push to Docker Hub
       env:
         DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/.github/workflows/push_docker_tag.yml b/.github/workflows/push_docker_tag.yml
index afe8d6b2..e622ef4c 100644
--- a/.github/workflows/push_docker_tag.yml
+++ b/.github/workflows/push_docker_tag.yml
@@ -13,7 +13,7 @@ jobs:
   deploy_docker:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
     - name: Build and push to Docker Hub
       env:
         DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index d42ae96b..9a808194 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -9,7 +9,7 @@ jobs:
   spellcheck:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
diff --git a/.github/workflows/stable-docs.yml b/.github/workflows/stable-docs.yml
index 3119d617..59b5fbc0 100644
--- a/.github/workflows/stable-docs.yml
+++ b/.github/workflows/stable-docs.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0  # We need all commits to find docs/ changes
     - name: Set up Git user
diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml
index 1b3d2f2c..c514048e 100644
--- a/.github/workflows/test-coverage.yml
+++ b/.github/workflows/test-coverage.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out datasette
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
diff --git a/.github/workflows/test-pyodide.yml b/.github/workflows/test-pyodide.yml
index b490a9bf..5162c47a 100644
--- a/.github/workflows/test-pyodide.yml
+++ b/.github/workflows/test-pyodide.yml
@@ -12,7 +12,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python 3.10
       uses: actions/setup-python@v6
       with:
@@ -20,7 +20,7 @@ jobs:
         cache: 'pip'
         cache-dependency-path: '**/pyproject.toml'
     - name: Cache Playwright browsers
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/.cache/ms-playwright/
         key: ${{ runner.os }}-browsers
diff --git a/.github/workflows/test-sqlite-support.yml b/.github/workflows/test-sqlite-support.yml
index c81a3c0b..23fce459 100644
--- a/.github/workflows/test-sqlite-support.yml
+++ b/.github/workflows/test-sqlite-support.yml
@@ -25,7 +25,7 @@ jobs:
           #"3.23.1" # 2018-04-10, before UPSERT
         ]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a0f5477b..9e47db6f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,10 +9,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:
diff --git a/.github/workflows/tmate-mac.yml b/.github/workflows/tmate-mac.yml
index fcee0f21..a033cd92 100644
--- a/.github/workflows/tmate-mac.yml
+++ b/.github/workflows/tmate-mac.yml
@@ -10,6 +10,6 @@ jobs:
   build:
     runs-on: macos-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
     - name: Setup tmate session
       uses: mxschmitt/action-tmate@v3
diff --git a/.github/workflows/tmate.yml b/.github/workflows/tmate.yml
index 123f6c71..72af1eec 100644
--- a/.github/workflows/tmate.yml
+++ b/.github/workflows/tmate.yml
@@ -11,7 +11,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
     - name: Setup tmate session
       uses: mxschmitt/action-tmate@v3
       env:
diff --git a/.gitignore b/.gitignore
index 12acd87e..8c058692 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 build-metadata.json
 datasets.json
 
+.playwright-mcp
+
 scratchpad
 
 .vscode
@@ -131,4 +133,4 @@ tests/*.dylib
 tests/*.so
 tests/*.dll
 
-.idea
\ No newline at end of file
+.idea
diff --git a/Justfile b/Justfile
index 657881be..5fcd9afd 100644
--- a/Justfile
+++ b/Justfile
@@ -11,6 +11,22 @@ export DATASETTE_SECRET := "not_a_secret"
 @test *options: init
   uv run pytest -n auto {{options}}
 
+# Install Playwright browser support, Chromium by default
+@playwright-install browser="chromium":
+  uv run --group playwright playwright install {{browser}}
+
+# Install all Playwright browsers used by the test suite
+@playwright-install-all:
+  uv run --group playwright playwright install chromium firefox webkit
+
+# Run Playwright tests, Chromium by default
+@playwright browser="chromium" *options:
+  uv run --group playwright pytest tests/test_playwright.py --playwright --browser {{browser}} {{options}}
+
+# Run Playwright tests against all supported browsers
+@playwright-all *options:
+  uv run --group playwright pytest tests/test_playwright.py --playwright --browser chromium --browser firefox --browser webkit {{options}}
+
 @codespell:
   uv run codespell README.md --ignore-words docs/codespell-ignore-words.txt
   uv run codespell docs/*.rst --ignore-words docs/codespell-ignore-words.txt
diff --git a/datasette/_pytest_plugin.py b/datasette/_pytest_plugin.py
new file mode 100644
index 00000000..103c616d
--- /dev/null
+++ b/datasette/_pytest_plugin.py
@@ -0,0 +1,123 @@
+"""
+Pytest plugin that automatically closes any Datasette instances constructed
+during a pytest test — both in the test body and in function-scoped
+fixtures. Instances constructed by session-, module-, class- or package-
+scoped fixtures are left alone, because other tests in the session will
+still want to use them.
+
+Registered as a pytest11 entry point in pyproject.toml so that downstream
+projects using Datasette get the same FD-safety net for their own tests.
+
+Opt out by setting ``datasette_autoclose = false`` in pytest.ini (or the
+equivalent ini file).
+"""
+
+from __future__ import annotations
+
+import contextvars
+import weakref
+
+import pytest
+
+_active_instances: contextvars.ContextVar[list | None] = contextvars.ContextVar(
+    "datasette_active_instances", default=None
+)
+
+_original_init = None
+
+
+def _install_tracking():
+    # datasette.app is imported lazily here rather than at module level:
+    # as a pytest11 entry point this module is imported during pytest
+    # startup, before pytest-cov starts measuring, so a module-level
+    # import would drag in all of datasette and make every import-time
+    # line in the package invisible to coverage
+    global _original_init
+    if _original_init is not None:
+        return
+    from datasette.app import Datasette
+
+    _original_init = Datasette.__init__
+
+    def _tracking_init(self, *args, **kwargs):
+        _original_init(self, *args, **kwargs)
+        instances = _active_instances.get()
+        if instances is not None:
+            instances.append(weakref.ref(self))
+
+    Datasette.__init__ = _tracking_init
+
+
+def pytest_configure(config):
+    if _enabled(config):
+        _install_tracking()
+
+
+def pytest_addoption(parser):
+    parser.addini(
+        "datasette_autoclose",
+        help=(
+            "Automatically close Datasette instances created inside test "
+            "bodies and function-scoped fixtures (default: true)."
+        ),
+        default="true",
+    )
+
+
+def _enabled(config) -> bool:
+    value = config.getini("datasette_autoclose")
+    if isinstance(value, bool):
+        return value
+    return str(value).strip().lower() not in ("false", "0", "no", "off")
+
+
+@pytest.hookimpl(hookwrapper=True)
+def pytest_runtest_protocol(item, nextitem):
+    """Track Datasette instances across setup, call and teardown; close at end."""
+    if not _enabled(item.config):
+        yield
+        return
+    refs: list[weakref.ref] = []
+    token = _active_instances.set(refs)
+    try:
+        yield
+    finally:
+        _active_instances.reset(token)
+        for ref in reversed(refs):
+            ds = ref()
+            if ds is None:
+                continue
+            try:
+                ds.close()
+            except Exception as e:
+                item.warn(
+                    pytest.PytestUnraisableExceptionWarning(
+                        f"Error closing Datasette instance: {e!r}"
+                    )
+                )
+
+
+@pytest.hookimpl(hookwrapper=True)
+def pytest_fixture_setup(fixturedef, request):
+    """Exempt instances created by non-function-scoped fixtures.
+
+    Session-, module-, class- and package-scoped fixtures produce Datasette
+    instances that must survive beyond the current test — other tests in
+    the session will still use them. When such a fixture creates one or
+    more Datasette instances during its setup, we snapshot the tracking
+    list before the fixture runs and subtract off any instances that were
+    added during its setup, so they don't get closed at test teardown.
+    """
+    refs = _active_instances.get()
+    if refs is None:
+        yield
+        return
+    before_ids = {id(ref) for ref in refs}
+    yield
+    if fixturedef.scope != "function":
+        new_refs = [ref for ref in refs if id(ref) not in before_ids]
+        for new_ref in new_refs:
+            try:
+                refs.remove(new_ref)
+            except ValueError:
+                pass
diff --git a/datasette/app.py b/datasette/app.py
index 2df6e4e8..9c9b7de4 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -1,20 +1,17 @@
 from __future__ import annotations
 
-from asgi_csrf import Errors
 import asyncio
 import contextvars
-from typing import TYPE_CHECKING, Any, Dict, Iterable, List
+from typing import TYPE_CHECKING, Any, Dict, Iterable, List, Sequence
 
 if TYPE_CHECKING:
     from datasette.permissions import Resource
     from datasette.tokens import TokenRestrictions
-import asgi_csrf
 import collections
 import dataclasses
 import datetime
 import functools
 import glob
-import hashlib
 import httpx
 import importlib.metadata
 import inspect
@@ -37,18 +34,44 @@ from jinja2 import (
     ChoiceLoader,
     Environment,
     FileSystemLoader,
+    pass_context,
     PrefixLoader,
 )
 from jinja2.environment import Template
 from jinja2.exceptions import TemplateNotFound
 
 from .events import Event
+from .column_types import SQLiteType
+from . import stored_queries, write_sql
 from .views import Context
-from .views.database import database_download, DatabaseView, TableCreateView, QueryView
+from .views.database import (
+    database_download,
+    DatabaseView,
+    QueryView,
+)
+from .views.table_create_alter import (
+    DatabaseForeignKeyTargetsView,
+    TableAlterView,
+    TableCreateView,
+    TableForeignKeySuggestionsView,
+)
+from .views.execute_write import ExecuteWriteAnalyzeView, ExecuteWriteView
+from .views.stored_queries import (
+    QueryCreateAnalyzeView,
+    QueryDeleteView,
+    QueryDefinitionView,
+    QueryEditView,
+    GlobalQueryListView,
+    QueryListView,
+    QueryParametersView,
+    QueryStoreView,
+    QueryUpdateView,
+)
 from .views.index import IndexView
 from .views.special import (
     JsonDataView,
     PatternPortfolioView,
+    AutocompleteDebugView,
     AuthTokenView,
     ApiExplorerView,
     CreateTokenView,
@@ -59,15 +82,18 @@ from .views.special import (
     AllowedResourcesView,
     PermissionRulesView,
     PermissionCheckView,
-    TablesView,
+    JumpView,
     InstanceSchemaView,
     DatabaseSchemaView,
     TableSchemaView,
 )
 from .views.table import (
+    TableAutocompleteView,
     TableInsertView,
     TableUpsertView,
+    TableSetColumnTypeView,
     TableDropView,
+    TableFragmentView,
     table_view,
 )
 from .views.row import RowView, RowDeleteView, RowUpdateView
@@ -96,6 +122,7 @@ from .utils import (
     parse_metadata,
     resolve_env_secrets,
     resolve_routes,
+    sha256_file,
     tilde_decode,
     tilde_encode,
     to_css_class,
@@ -118,6 +145,7 @@ from .utils.asgi import (
     asgi_send_file,
     asgi_send_redirect,
 )
+from .csrf import CrossOriginProtectionMiddleware
 from .utils.internal_db import init_internal_db, populate_schema_tables
 from .utils.sqlite import (
     sqlite3,
@@ -272,12 +300,21 @@ DEFAULT_NOT_SET = object()
 ResourcesSQL = collections.namedtuple("ResourcesSQL", ("sql", "params"))
 
 
+def _permission_cache_key(actor, action, parent, child):
+    # Key on the full serialized actor so actors differing in any field
+    # (e.g. token restrictions) never share cache entries
+    actor_key = (
+        json.dumps(actor, sort_keys=True, default=repr) if actor is not None else None
+    )
+    return (actor_key, action, parent, child)
+
+
 async def favicon(request, send):
     await asgi_send_file(
         send,
         str(FAVICON_PATH),
         content_type="image/png",
-        headers={"Cache-Control": "max-age=3600, immutable, public"},
+        headers={"Cache-Control": "max-age=3600, public"},
     )
 
 
@@ -294,6 +331,57 @@ def _to_string(value):
         return json.dumps(value, default=str)
 
 
+def _template_context_json_default(value):
+    if dataclasses.is_dataclass(value) and not isinstance(value, type):
+        return {
+            field.name: getattr(value, field.name)
+            for field in dataclasses.fields(value)
+        }
+    return repr(value)
+
+
+@pass_context
+def _legacy_template_csrftoken(context):
+    request = context.get("request")
+    if request and "csrftoken" in request.scope:
+        return request.scope["csrftoken"]()
+    return ""
+
+
+def _resolve_static_asset_path(root_path, path):
+    root = Path(root_path).resolve()
+    full_path = (root / path).resolve()
+    try:
+        full_path.relative_to(root)
+    except ValueError:
+        raise ValueError("Static asset path cannot escape static root") from None
+    return full_path
+
+
+# Documentation for the variables Datasette.render_template() adds to the
+# context for every page. This is part of the documented template contract:
+# keys added in render_template() must be documented here - the contract
+# tests in tests/test_template_context.py enforce this, and the docs in
+# docs/template_context.rst are generated from it.
+TEMPLATE_BASE_CONTEXT = {
+    "request": "The current :ref:`Request object <internals_request>`, or None. Common properties include ``request.path``, ``request.args``, ``request.actor``, ``request.url_vars`` and ``request.host``.",
+    "crumb_items": 'Async function returning breadcrumb navigation items for the current page. Call it with ``request=request`` plus optional ``database=`` and ``table=`` arguments; it returns a list of ``{"href": url, "label": label}`` dictionaries.',
+    "urls": "Object with methods for constructing URLs within Datasette. Common methods include ``urls.instance()``, ``urls.database(database)``, ``urls.table(database, table)``, ``urls.query(database, query)``, ``urls.row(database, table, row_path)`` and ``urls.static(path)`` - see :ref:`internals_datasette_urls`.",
+    "actor": "The currently authenticated actor dictionary, or None. Actors usually include an ``id`` key and may include any other keys supplied by authentication plugins.",
+    "menu_links": "Async function returning links for the Datasette application menu, including links added by plugins. Each item is a link dictionary with ``href`` and ``label`` keys. See :ref:`plugin_hook_menu_links`; for page action menus that can also include JavaScript-backed buttons, see :ref:`plugin_actions`.",
+    "display_actor": "Function that accepts an actor dictionary and returns the display string used in the navigation menu.",
+    "show_logout": "True if the logout link should be shown in the navigation menu",
+    "zip": "Python's ``zip()`` builtin, made available to template logic",
+    "body_scripts": 'List of JavaScript snippets contributed by plugins using :ref:`plugin_hook_extra_body_script`. Each item is a dictionary with ``script`` containing JavaScript source and ``module`` indicating whether Datasette will wrap it in ``<script type="module">``; otherwise Datasette wraps it in a regular ``<script>`` block.',
+    "format_bytes": "Function that accepts a byte count integer and returns a human-readable string such as ``1.2 MB``.",
+    "show_messages": "Function returning any messages set for the current user, clearing them in the process. Returns a list of ``(message, type)`` pairs, where ``type`` is one of Datasette's ``INFO``, ``WARNING`` or ``ERROR`` constants.",
+    "extra_css_urls": "List of extra CSS stylesheets to include on the page. Each item is a dictionary with ``url`` and optional ``sri`` keys, from plugins and configuration.",
+    "extra_js_urls": "List of extra JavaScript URLs to include on the page. Each item is a dictionary with ``url`` plus optional ``sri`` and ``module`` keys, from plugins and configuration.",
+    "base_url": "The configured :ref:`setting_base_url` setting",
+    "datasette_version": "The version of Datasette that is running",
+}
+
+
 class Datasette:
     # Message constants:
     INFO = 1
@@ -325,6 +413,7 @@ class Datasette:
         default_deny=False,
     ):
         self._startup_invoked = False
+        self._closed = False
         assert config_dir is None or isinstance(
             config_dir, Path
         ), "config_dir= should be a pathlib.Path"
@@ -354,6 +443,7 @@ class Datasette:
         self.immutables = set(immutables or [])
         self.databases = collections.OrderedDict()
         self.actions = {}  # .invoke_startup() will populate this
+        self._column_types = {}  # .invoke_startup() will populate this
         try:
             self._refresh_schemas_lock = asyncio.Lock()
         except RuntimeError as rex:
@@ -378,12 +468,13 @@ class Datasette:
 
         self.internal_db_created = False
         if internal is None:
-            self._internal_database = Database(self, memory_name=secrets.token_hex())
+            self._internal_database = Database(self, is_temp_disk=True)
         else:
             self._internal_database = Database(self, path=internal, mode="rwc")
         self._internal_database.name = INTERNAL_DB_NAME
 
         self.cache_headers = cache_headers
+        self._static_asset_hashes = {}
         self.cors = cors
         config_files = []
         metadata_files = []
@@ -524,6 +615,8 @@ class Datasette:
         )
         environment.filters["escape_css_string"] = escape_css_string
         environment.filters["quote_plus"] = urllib.parse.quote_plus
+        environment.globals["csrftoken"] = _legacy_template_csrftoken
+        environment.globals["static"] = self.static
         self._jinja_env = environment
         environment.filters["escape_sqlite"] = escape_sqlite
         environment.filters["to_css_class"] = to_css_class
@@ -568,6 +661,9 @@ class Datasette:
             # TODO(alex) is metadata.json was loaded in, and --internal is not memory, then log
             # a warning to user that they should delete their metadata.json file
 
+    async def _save_queries_from_config(self):
+        await stored_queries.save_queries_from_config(self)
+
     def get_jinja_environment(self, request: Request = None) -> Environment:
         environment = self._jinja_env
         if request:
@@ -589,9 +685,12 @@ class Datasette:
                 return action
         return None
 
-    async def refresh_schemas(self):
+    async def refresh_schemas(self, *, force=False):
         # Throttle schema refreshes to at most once per second
-        if time.monotonic() - getattr(self, "_last_schema_refresh", 0) < 1.0:
+        if (
+            not force
+            and time.monotonic() - getattr(self, "_last_schema_refresh", 0) < 1.0
+        ):
             return
         self._last_schema_refresh = time.monotonic()
         if self._refresh_schemas_lock.locked():
@@ -611,15 +710,36 @@ class Datasette:
                 "select database_name, schema_version from catalog_databases"
             )
         }
-        # Delete stale entries for databases that are no longer attached
-        stale_databases = set(current_schema_versions.keys()) - set(
-            self.databases.keys()
+        catalog_table_names = (
+            "catalog_columns",
+            "catalog_foreign_keys",
+            "catalog_indexes",
+            "catalog_views",
+            "catalog_tables",
+            "catalog_databases",
         )
-        for stale_db_name in stale_databases:
-            await internal_db.execute_write(
-                "DELETE FROM catalog_databases WHERE database_name = ?",
-                [stale_db_name],
+        # Delete stale entries for databases that are no longer attached
+        catalog_database_names = set(current_schema_versions.keys())
+        for table in catalog_table_names[:-1]:
+            catalog_database_names.update(
+                row["database_name"]
+                for row in await internal_db.execute(
+                    "select distinct database_name from {}".format(table)
+                )
+                if row["database_name"] is not None
             )
+        stale_databases = catalog_database_names - set(self.databases.keys())
+        if stale_databases:
+
+            def delete_stale_database_catalog(conn):
+                for stale_db_name in stale_databases:
+                    for table in catalog_table_names:
+                        conn.execute(
+                            "DELETE FROM {} WHERE database_name = ?".format(table),
+                            [stale_db_name],
+                        )
+
+            await internal_db.execute_write_fn(delete_stale_database_catalog)
         for database_name, db in self.databases.items():
             schema_version = (await db.execute("PRAGMA schema_version")).first()[0]
             # Compare schema versions to see if we should skip it
@@ -692,10 +812,24 @@ class Datasette:
                         action_abbrs[action.abbr] = action
                     self.actions[action.name] = action
 
+        # Register column types (classes, not instances)
+        self._column_types = {}
+        for hook in pm.hook.register_column_types(datasette=self):
+            if hook:
+                for ct_cls in hook:
+                    if ct_cls.name in self._column_types:
+                        raise StartupError(f"Duplicate column type name: {ct_cls.name}")
+                    self._column_types[ct_cls.name] = ct_cls
+
         for hook in pm.hook.prepare_jinja2_environment(
             env=self._jinja_env, datasette=self
         ):
             await await_me_maybe(hook)
+        # Ensure internal tables and metadata are populated before startup hooks
+        await self._refresh_schemas()
+        await self._save_queries_from_config()
+        # Load column_types from config into internal DB
+        await self._apply_column_types_config()
         for hook in pm.hook.startup(datasette=self):
             await await_me_maybe(hook)
         self._startup_invoked = True
@@ -819,6 +953,33 @@ class Datasette:
         new_databases.pop(name)
         self.databases = new_databases
 
+    def close(self):
+        """Release all resources held by this Datasette instance.
+
+        Closes every attached Database (including the internal database),
+        shuts down the executor, and unlinks the temporary file used for
+        the internal database if one was created. Idempotent and one-way.
+        """
+        if self._closed:
+            return
+        self._closed = True
+        first_exception = None
+        dbs = list(self.databases.values()) + [self._internal_database]
+        for db in dbs:
+            try:
+                db.close()
+            except Exception as e:
+                if first_exception is None:
+                    first_exception = e
+        if self.executor is not None:
+            try:
+                self.executor.shutdown(wait=True, cancel_futures=True)
+            except Exception as e:
+                if first_exception is None:
+                    first_exception = e
+        if first_exception is not None:
+            raise first_exception
+
     def setting(self, key):
         return self._settings.get(key, None)
 
@@ -943,6 +1104,349 @@ class Datasette:
             [database_name, resource_name, column_name, key, value],
         )
 
+    @staticmethod
+    def _query_row_to_stored_query(row) -> stored_queries.StoredQuery | None:
+        return stored_queries.query_row_to_stored_query(row)
+
+    @staticmethod
+    def _query_options_json(options):
+        return stored_queries.query_options_json(options)
+
+    async def add_query(
+        self,
+        database: str,
+        name: str,
+        sql: str,
+        *,
+        title: str | None = None,
+        description: str | None = None,
+        description_html: str | None = None,
+        hide_sql: bool = False,
+        fragment: str | None = None,
+        parameters: Iterable[str] | None = None,
+        is_write: bool = False,
+        is_private: bool = False,
+        is_trusted: bool = False,
+        source: str = "plugin",
+        owner_id: str | None = None,
+        on_success_message: str | None = None,
+        on_success_message_sql: str | None = None,
+        on_success_redirect: str | None = None,
+        on_error_message: str | None = None,
+        on_error_redirect: str | None = None,
+        replace: bool = True,
+    ) -> None:
+        return await stored_queries.add_query(
+            self,
+            database,
+            name,
+            sql,
+            title=title,
+            description=description,
+            description_html=description_html,
+            hide_sql=hide_sql,
+            fragment=fragment,
+            parameters=parameters,
+            is_write=is_write,
+            is_private=is_private,
+            is_trusted=is_trusted,
+            source=source,
+            owner_id=owner_id,
+            on_success_message=on_success_message,
+            on_success_message_sql=on_success_message_sql,
+            on_success_redirect=on_success_redirect,
+            on_error_message=on_error_message,
+            on_error_redirect=on_error_redirect,
+            replace=replace,
+        )
+
+    async def update_query(
+        self,
+        database: str,
+        name: str,
+        *,
+        sql=stored_queries.UNCHANGED,
+        title=stored_queries.UNCHANGED,
+        description=stored_queries.UNCHANGED,
+        description_html=stored_queries.UNCHANGED,
+        hide_sql=stored_queries.UNCHANGED,
+        fragment=stored_queries.UNCHANGED,
+        parameters=stored_queries.UNCHANGED,
+        is_write=stored_queries.UNCHANGED,
+        is_private=stored_queries.UNCHANGED,
+        is_trusted=stored_queries.UNCHANGED,
+        source=stored_queries.UNCHANGED,
+        owner_id=stored_queries.UNCHANGED,
+        on_success_message=stored_queries.UNCHANGED,
+        on_success_message_sql=stored_queries.UNCHANGED,
+        on_success_redirect=stored_queries.UNCHANGED,
+        on_error_message=stored_queries.UNCHANGED,
+        on_error_redirect=stored_queries.UNCHANGED,
+    ) -> None:
+        return await stored_queries.update_query(
+            self,
+            database,
+            name,
+            sql=sql,
+            title=title,
+            description=description,
+            description_html=description_html,
+            hide_sql=hide_sql,
+            fragment=fragment,
+            parameters=parameters,
+            is_write=is_write,
+            is_private=is_private,
+            is_trusted=is_trusted,
+            source=source,
+            owner_id=owner_id,
+            on_success_message=on_success_message,
+            on_success_message_sql=on_success_message_sql,
+            on_success_redirect=on_success_redirect,
+            on_error_message=on_error_message,
+            on_error_redirect=on_error_redirect,
+        )
+
+    async def remove_query(
+        self, database: str, name: str, source: str | None = None
+    ) -> None:
+        return await stored_queries.remove_query(self, database, name, source=source)
+
+    async def get_query(
+        self, database: str, name: str
+    ) -> stored_queries.StoredQuery | None:
+        return await stored_queries.get_query(self, database, name)
+
+    async def count_queries(
+        self,
+        database: str | None = None,
+        *,
+        actor: dict[str, Any] | None = None,
+        q: str | None = None,
+        is_write: bool | None = None,
+        is_private: bool | None = None,
+        is_trusted: bool | None = None,
+        source: str | None = None,
+        owner_id: str | None = None,
+    ) -> int:
+        return await stored_queries.count_queries(
+            self,
+            database,
+            actor=actor,
+            q=q,
+            is_write=is_write,
+            is_private=is_private,
+            is_trusted=is_trusted,
+            source=source,
+            owner_id=owner_id,
+        )
+
+    async def list_queries(
+        self,
+        database: str | None = None,
+        *,
+        actor: dict[str, Any] | None = None,
+        limit: int = 50,
+        cursor: str | None = None,
+        q: str | None = None,
+        is_write: bool | None = None,
+        is_private: bool | None = None,
+        is_trusted: bool | None = None,
+        source: str | None = None,
+        owner_id: str | None = None,
+        include_private: bool = False,
+    ) -> stored_queries.StoredQueryPage:
+        return await stored_queries.list_queries(
+            self,
+            database,
+            actor=actor,
+            limit=limit,
+            cursor=cursor,
+            q=q,
+            is_write=is_write,
+            is_private=is_private,
+            is_trusted=is_trusted,
+            source=source,
+            owner_id=owner_id,
+            include_private=include_private,
+        )
+
+    async def ensure_query_write_permissions(
+        self, database, sql, *, actor=None, params=None, analysis=None
+    ):
+        # Raise Forbidden or QueryWriteRejected if SQL should not run
+        return await write_sql.ensure_query_write_permissions(
+            self, database, sql, actor=actor, params=params, analysis=analysis
+        )
+
+    # Column types API
+
+    async def _get_resource_column_details(self, database: str, resource: str):
+        db = self.databases.get(database)
+        if db is None:
+            return {}
+        try:
+            return {
+                column.name: column
+                for column in await db.table_column_details(resource)
+            }
+        except sqlite3.OperationalError:
+            return {}
+
+    @staticmethod
+    def _column_type_is_applicable(ct_cls, column_detail) -> bool:
+        sqlite_types = getattr(ct_cls, "sqlite_types", None)
+        if sqlite_types is None:
+            return True
+        if column_detail is None:
+            return False
+        actual_sqlite_type = SQLiteType.from_declared_type(column_detail.type)
+        return actual_sqlite_type in sqlite_types
+
+    async def _validate_column_type_assignment(
+        self, database: str, resource: str, column: str, ct_cls
+    ) -> None:
+        sqlite_types = getattr(ct_cls, "sqlite_types", None)
+        if sqlite_types is None:
+            return
+
+        column_detail = (
+            await self._get_resource_column_details(database, resource)
+        ).get(column)
+        if column_detail is None:
+            return
+
+        actual_sqlite_type = SQLiteType.from_declared_type(column_detail.type)
+        if actual_sqlite_type in sqlite_types:
+            return
+
+        allowed = ", ".join(sqlite_type.value for sqlite_type in sqlite_types)
+        actual = (
+            actual_sqlite_type.value
+            if actual_sqlite_type is not None
+            else "unrecognized {!r}".format(column_detail.type)
+        )
+        raise ValueError(
+            "Column type {!r} is only applicable to SQLite types {} but {}.{}.{} "
+            "has SQLite type {}".format(
+                ct_cls.name,
+                allowed,
+                database,
+                resource,
+                column,
+                actual,
+            )
+        )
+
+    async def _apply_column_types_config(self):
+        """Load column_types from datasette.json config into the internal DB."""
+        import logging
+
+        for db_name, db_conf in (self.config or {}).get("databases", {}).items():
+            for table_name, table_conf in db_conf.get("tables", {}).items():
+                for col_name, ct in table_conf.get("column_types", {}).items():
+                    if isinstance(ct, str):
+                        col_type, config = ct, None
+                    else:
+                        col_type = ct["type"]
+                        config = ct.get("config")
+                    if col_type not in self._column_types:
+                        logging.warning(
+                            "column_types config references unknown type %r "
+                            "for %s.%s.%s",
+                            col_type,
+                            db_name,
+                            table_name,
+                            col_name,
+                        )
+                    try:
+                        await self.set_column_type(
+                            db_name, table_name, col_name, col_type, config
+                        )
+                    except ValueError as ex:
+                        logging.warning(str(ex))
+
+    async def get_column_type(self, database: str, resource: str, column: str):
+        """
+        Return a ColumnType instance (with config baked in) for a specific
+        column, or None if no column type is assigned.
+        """
+        row = await self.get_internal_database().execute(
+            "SELECT column_type, config FROM column_types "
+            "WHERE database_name = ? AND resource_name = ? AND column_name = ?",
+            [database, resource, column],
+        )
+        rows = row.rows
+        if not rows:
+            return None
+        ct_name, config = rows[0]
+        ct_cls = self._column_types.get(ct_name)
+        if ct_cls is None:
+            return None
+        column_detail = (
+            await self._get_resource_column_details(database, resource)
+        ).get(column)
+        if not self._column_type_is_applicable(ct_cls, column_detail):
+            return None
+        return ct_cls(config=json.loads(config) if config else None)
+
+    async def get_column_types(self, database: str, resource: str) -> dict:
+        """
+        Return {column_name: ColumnType instance (with config)}
+        for all columns with assigned types on the given resource.
+        """
+        rows = await self.get_internal_database().execute(
+            "SELECT column_name, column_type, config FROM column_types "
+            "WHERE database_name = ? AND resource_name = ?",
+            [database, resource],
+        )
+        column_details = await self._get_resource_column_details(database, resource)
+        result = {}
+        for row in rows.rows:
+            col_name, ct_name, config = row
+            ct_cls = self._column_types.get(ct_name)
+            if ct_cls is not None and self._column_type_is_applicable(
+                ct_cls, column_details.get(col_name)
+            ):
+                result[col_name] = ct_cls(config=json.loads(config) if config else None)
+        return result
+
+    async def set_column_type(
+        self,
+        database: str,
+        resource: str,
+        column: str,
+        column_type: str,
+        config: dict = None,
+    ) -> None:
+        """Assign a column type. Overwrites any existing assignment."""
+        ct_cls = self._column_types.get(column_type)
+        if ct_cls is not None:
+            await self._validate_column_type_assignment(
+                database, resource, column, ct_cls
+            )
+        await self.get_internal_database().execute_write(
+            """INSERT OR REPLACE INTO column_types
+               (database_name, resource_name, column_name, column_type, config)
+               VALUES (?, ?, ?, ?, ?)""",
+            [
+                database,
+                resource,
+                column,
+                column_type,
+                json.dumps(config) if config else None,
+            ],
+        )
+
+    async def remove_column_type(
+        self, database: str, resource: str, column: str
+    ) -> None:
+        """Remove a column type assignment."""
+        await self.get_internal_database().execute_write(
+            "DELETE FROM column_types "
+            "WHERE database_name = ? AND resource_name = ? AND column_name = ?",
+            [database, resource, column],
+        )
+
     def get_internal_database(self):
         return self._internal_database
 
@@ -986,36 +1490,55 @@ class Datasette:
 
         return db_plugin_config
 
-    def app_css_hash(self):
-        if not hasattr(self, "_app_css_hash"):
-            with open(os.path.join(str(app_root), "datasette/static/app.css")) as fp:
-                self._app_css_hash = hashlib.sha1(fp.read().encode("utf8")).hexdigest()[
-                    :6
-                ]
-        return self._app_css_hash
+    def _static_asset_path(self, path):
+        return _resolve_static_asset_path(app_root / "datasette" / "static", path)
 
-    async def get_canned_queries(self, database_name, actor):
-        queries = {}
-        for more_queries in pm.hook.canned_queries(
-            datasette=self,
-            database=database_name,
-            actor=actor,
-        ):
-            more_queries = await await_me_maybe(more_queries)
-            queries.update(more_queries or {})
-        # Fix any {"name": "select ..."} queries to be {"name": {"sql": "select ..."}}
-        for key in queries:
-            if not isinstance(queries[key], dict):
-                queries[key] = {"sql": queries[key]}
-            # Also make sure "name" is available:
-            queries[key]["name"] = key
-        return queries
+    def _static_plugin_asset_path(self, plugin_name, path):
+        for plugin in get_plugins():
+            if not plugin["static_path"]:
+                continue
+            possible_names = {plugin["name"], plugin["name"].replace("-", "_")}
+            if plugin_name in possible_names:
+                return _resolve_static_asset_path(plugin["static_path"], path)
+        raise FileNotFoundError(
+            "No static assets found for plugin {}".format(plugin_name)
+        )
 
-    async def get_canned_query(self, database_name, query_name, actor):
-        queries = await self.get_canned_queries(database_name, actor)
-        query = queries.get(query_name)
-        if query:
-            return query
+    def _static_mounted_asset(self, mount_name, path):
+        mount_name = mount_name.strip("/")
+        for mount, dirname in self.static_mounts:
+            if mount.strip("/") == mount_name:
+                return (
+                    _resolve_static_asset_path(dirname, path),
+                    self.urls.path("/{}/{}".format(mount_name, path.lstrip("/"))),
+                )
+        raise FileNotFoundError("No static mount found for {}".format(mount_name))
+
+    def _static_asset_hash(self, filepath):
+        filepath = Path(filepath)
+        if self.cache_headers:
+            cached = self._static_asset_hashes.get(filepath)
+            if cached:
+                return cached
+        digest = sha256_file(filepath)[:12]
+        if self.cache_headers:
+            self._static_asset_hashes[filepath] = digest
+        return digest
+
+    def static(self, path, plugin=None, mount=None):
+        if plugin and mount:
+            raise ValueError("Use either plugin= or mount=, not both")
+        if plugin:
+            filepath = self._static_plugin_asset_path(plugin, path)
+            url = self.urls.static_plugins(plugin, path)
+        elif mount:
+            filepath, url = self._static_mounted_asset(mount, path)
+        else:
+            filepath = self._static_asset_path(path)
+            url = self.urls.static(path)
+        hash_value = self._static_asset_hash(filepath)
+        separator = "&" if "?" in url else "?"
+        return url + separator + urllib.parse.urlencode({"_hash": hash_value})
 
     def _prepare_connection(self, conn, database):
         conn.row_factory = sqlite3.Row
@@ -1400,46 +1923,124 @@ class Datasette:
             # For global actions, resource can be omitted:
             can_debug = await datasette.allowed(action="permissions-debug", actor=actor)
         """
-        from datasette.utils.actions_sql import check_permission_for_resource
+        results = await self.allowed_many(
+            actions=[action], resource=resource, actor=actor
+        )
+        return results[action]
 
-        # For global actions, resource remains None
+    async def allowed_many(
+        self,
+        *,
+        actions: Sequence[str],
+        resource: "Resource" = None,
+        actor: dict | None = None,
+    ) -> dict[str, bool]:
+        """
+        Check several actions against one resource for one actor.
 
-        # Check if this action has also_requires - if so, check that action first
-        action_obj = self.actions.get(action)
-        if action_obj and action_obj.also_requires:
-            # Must have the required action first
-            if not await self.allowed(
-                action=action_obj.also_requires,
-                resource=resource,
+        Resolves every action (plus any also_requires dependencies) with a
+        single internal database query, instead of one or two queries per
+        action. Results are stored in the request-scoped permission cache,
+        so subsequent datasette.allowed() calls for the same checks within
+        the same request are served from the cache.
+
+        Example:
+            from datasette.resources import TableResource
+            results = await datasette.allowed_many(
+                actions=["edit-schema", "drop-table", "insert-row"],
+                resource=TableResource(database="data", table="exercise"),
                 actor=actor,
-            ):
-                return False
+            )
+            # {"edit-schema": True, "drop-table": True, "insert-row": False}
+        """
+        from datasette.utils.actions_sql import check_permissions_for_actions
+        from datasette.permissions import (
+            _permission_check_cache,
+            _skip_permission_checks,
+        )
 
         # For global actions, resource is None
         parent = resource.parent if resource else None
         child = resource.child if resource else None
 
-        result = await check_permission_for_resource(
-            datasette=self,
-            actor=actor,
-            action=action,
-            parent=parent,
-            child=child,
-        )
+        # Expand also_requires dependencies (transitively) so that each
+        # dependency is resolved within the same batch
+        expanded = []
 
-        # Log the permission check for debugging
-        self._permission_checks.append(
-            PermissionCheck(
-                when=datetime.datetime.now(datetime.timezone.utc).isoformat(),
+        def add_action(name):
+            if name in expanded:
+                return
+            action_obj = self.actions.get(name)
+            if action_obj is None:
+                raise ValueError(f"Unknown action: {name}")
+            expanded.append(name)
+            if action_obj.also_requires:
+                add_action(action_obj.also_requires)
+
+        requested = list(dict.fromkeys(actions))
+        for name in requested:
+            add_action(name)
+
+        # Consult the request-scoped cache, unless permission checks are
+        # being skipped (skip-mode verdicts must never be cached)
+        skip = _skip_permission_checks.get()
+        cache = None if skip else _permission_check_cache.get()
+
+        final = {}
+        to_check = []
+        for name in expanded:
+            if cache is not None:
+                key = _permission_cache_key(actor, name, parent, child)
+                if key in cache:
+                    final[name] = cache[key]
+                    continue
+            to_check.append(name)
+
+        raw = {}
+        if to_check:
+            raw = await check_permissions_for_actions(
+                datasette=self,
                 actor=actor,
-                action=action,
+                actions=to_check,
                 parent=parent,
                 child=child,
-                result=result,
             )
-        )
 
-        return result
+        def resolve(name):
+            # final verdict = own rules AND verdict of also_requires chain
+            if name in final:
+                return final[name]
+            result = raw[name]
+            action_obj = self.actions.get(name)
+            if result and action_obj.also_requires:
+                result = resolve(action_obj.also_requires)
+            final[name] = result
+            return result
+
+        for name in expanded:
+            resolve(name)
+
+        # Cache the freshly computed checks
+        if cache is not None:
+            for name in to_check:
+                cache[_permission_cache_key(actor, name, parent, child)] = final[name]
+
+        # Log every check (including cache hits) for the debug page,
+        # dependencies before the actions that required them
+        when = datetime.datetime.now(datetime.timezone.utc).isoformat()
+        for name in reversed(expanded):
+            self._permission_checks.append(
+                PermissionCheck(
+                    when=when,
+                    actor=actor,
+                    action=name,
+                    parent=parent,
+                    child=child,
+                    result=final[name],
+                )
+            )
+
+        return {name: final[name] for name in requested}
 
     async def ensure_permission(
         self,
@@ -1512,6 +2113,11 @@ class Datasette:
 
         other_table = fk["other_table"]
         other_column = fk["other_column"]
+        if other_column is None:
+            other_pks = await db.primary_keys(other_table)
+            if len(other_pks) != 1:
+                return {}
+            other_column = other_pks[0]
         visible, _ = await self.check_visibility(
             actor,
             action="view-table",
@@ -1635,6 +2241,7 @@ class Datasette:
                     break
                 except importlib.metadata.PackageNotFoundError:
                     pass
+        conn.close()
         return info
 
     def _plugins(self, request=None, all=False):
@@ -1744,7 +2351,11 @@ class Datasette:
                 templates = [templates]
             template = self.get_jinja_environment(request).select_template(templates)
         if dataclasses.is_dataclass(context):
-            context = dataclasses.asdict(context)
+            # Shallow conversion - asdict() would deep-copy values, which
+            # is wasteful and fails on values like sqlite3.Row
+            context = {
+                f.name: getattr(context, f.name) for f in dataclasses.fields(context)
+            }
         body_scripts = []
         # pylint: disable=no-member
         for extra_script in pm.hook.extra_body_script(
@@ -1794,6 +2405,8 @@ class Datasette:
                     links.extend(extra_links)
             return links
 
+        # Keys added here must be documented in TEMPLATE_BASE_CONTEXT -
+        # the contract tests fail otherwise
         template_context = {
             **context,
             **{
@@ -1806,7 +2419,6 @@ class Datasette:
                 "show_logout": request is not None
                 and "ds_actor" in request.cookies
                 and request.actor,
-                "app_css_hash": self.app_css_hash(),
                 "zip": zip,
                 "body_scripts": body_scripts,
                 "format_bytes": format_bytes,
@@ -1818,14 +2430,19 @@ class Datasette:
                     "extra_js_urls", template, context, request, view_name
                 ),
                 "base_url": self.setting("base_url"),
-                "csrftoken": request.scope["csrftoken"] if request else lambda: "",
                 "datasette_version": __version__,
             },
             **extra_template_vars,
         }
         if request and request.args.get("_context") and self.setting("template_debug"):
             return "<pre>{}</pre>".format(
-                escape(json.dumps(template_context, default=repr, indent=4))
+                escape(
+                    json.dumps(
+                        template_context,
+                        default=_template_context_json_default,
+                        indent=4,
+                    )
+                )
             )
 
         return await template.render_async(template_context)
@@ -1900,7 +2517,6 @@ class Datasette:
         add_route(IndexView.as_view(self), r"/(\.(?P<format>jsono?))?$")
         add_route(IndexView.as_view(self), r"/-/(\.(?P<format>jsono?))?$")
         add_route(permanent_redirect("/-/"), r"/-$")
-        # TODO: /favicon.ico and /-/static/ deserve far-future cache expires
         add_route(favicon, "/favicon.ico")
 
         add_route(
@@ -1984,8 +2600,12 @@ class Datasette:
             r"/-/api$",
         )
         add_route(
-            TablesView.as_view(self),
-            r"/-/tables(\.(?P<format>json))?$",
+            JumpView.as_view(self),
+            r"/-/jump(\.(?P<format>json))?$",
+        )
+        add_route(
+            GlobalQueryListView.as_view(self),
+            r"/-/queries(\.(?P<format>json))?$",
         )
         add_route(
             InstanceSchemaView.as_view(self),
@@ -2023,6 +2643,10 @@ class Datasette:
             wrap_view(PatternPortfolioView, self),
             r"/-/patterns$",
         )
+        add_route(
+            AutocompleteDebugView.as_view(self),
+            r"/-/debug/autocomplete$",
+        )
         add_route(
             wrap_view(database_download, self),
             r"/(?P<database>[^\/\.]+)\.db$",
@@ -2032,14 +2656,58 @@ class Datasette:
             r"/(?P<database>[^\/\.]+)(\.(?P<format>\w+))?$",
         )
         add_route(TableCreateView.as_view(self), r"/(?P<database>[^\/\.]+)/-/create$")
+        add_route(
+            DatabaseForeignKeyTargetsView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/foreign-key-targets$",
+        )
+        add_route(
+            QueryListView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/queries(\.(?P<format>json))?$",
+        )
+        add_route(
+            QueryCreateAnalyzeView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/queries/analyze$",
+        )
+        add_route(
+            QueryStoreView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/queries/store$",
+        )
+        add_route(
+            ExecuteWriteAnalyzeView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/execute-write/analyze$",
+        )
+        add_route(
+            ExecuteWriteView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/execute-write$",
+        )
         add_route(
             DatabaseSchemaView.as_view(self),
             r"/(?P<database>[^\/\.]+)/-/schema(\.(?P<format>json|md))?$",
         )
+        add_route(
+            QueryParametersView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/-/query/parameters$",
+        )
         add_route(
             wrap_view(QueryView, self),
             r"/(?P<database>[^\/\.]+)/-/query(\.(?P<format>\w+))?$",
         )
+        add_route(
+            QueryDefinitionView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<query>[^\/\.]+)/-/definition$",
+        )
+        add_route(
+            QueryEditView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<query>[^\/\.]+)/-/edit$",
+        )
+        add_route(
+            QueryUpdateView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<query>[^\/\.]+)/-/update$",
+        )
+        add_route(
+            QueryDeleteView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<query>[^\/\.]+)/-/delete$",
+        )
         add_route(
             wrap_view(table_view, self),
             r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)(\.(?P<format>\w+))?$",
@@ -2056,6 +2724,26 @@ class Datasette:
             TableUpsertView.as_view(self),
             r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/upsert$",
         )
+        add_route(
+            TableAlterView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/alter$",
+        )
+        add_route(
+            TableForeignKeySuggestionsView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/foreign-key-suggestions$",
+        )
+        add_route(
+            TableSetColumnTypeView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/set-column-type$",
+        )
+        add_route(
+            TableFragmentView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/fragment$",
+        )
+        add_route(
+            TableAutocompleteView.as_view(self),
+            r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/autocomplete$",
+        )
         add_route(
             TableDropView.as_view(self),
             r"/(?P<database>[^\/\.]+)/(?P<table>[^\/\.]+)/-/drop$",
@@ -2117,29 +2805,13 @@ class Datasette:
                 if not database.is_mutable:
                     await database.table_counts(limit=60 * 60 * 1000)
 
-        async def custom_csrf_error(scope, send, message_id):
-            await asgi_send(
-                send,
-                content=await self.render_template(
-                    "csrf_error.html",
-                    {"message_id": message_id, "message_name": Errors(message_id).name},
-                ),
-                status=403,
-                content_type="text/html; charset=utf-8",
-            )
+        async def _close_on_shutdown():
+            self.close()
 
-        asgi = asgi_csrf.asgi_csrf(
-            DatasetteRouter(self, routes),
-            signing_secret=self._secret,
-            cookie_name="ds_csrftoken",
-            skip_if_scope=lambda scope: any(
-                pm.hook.skip_csrf(datasette=self, scope=scope)
-            ),
-            send_csrf_failed=custom_csrf_error,
-        )
+        asgi = CrossOriginProtectionMiddleware(DatasetteRouter(self, routes), self)
         if self.setting("trace_debug"):
             asgi = AsgiTracer(asgi)
-        asgi = AsgiLifespan(asgi)
+        asgi = AsgiLifespan(asgi, on_shutdown=[_close_on_shutdown])
         asgi = AsgiRunOnFirstRequest(asgi, on_startup=[setup_db, self.invoke_startup])
         for wrapper in pm.hook.asgi_wrapper(datasette=self):
             asgi = wrapper(asgi)
@@ -2158,7 +2830,16 @@ class DatasetteRouter:
         if raw_path:
             path = raw_path.decode("ascii")
         path = path.partition("?")[0]
-        return await self.route_path(scope, receive, send, path)
+        # Give each request a fresh permission check cache, so repeated
+        # datasette.allowed() checks within the request are memoized but
+        # results never persist beyond it
+        from datasette.permissions import _permission_check_cache
+
+        cache_token = _permission_check_cache.set({})
+        try:
+            return await self.route_path(scope, receive, send, path)
+        finally:
+            _permission_check_cache.reset(cache_token)
 
     async def route_path(self, scope, receive, send, path):
         # Strip off base_url if present before routing
@@ -2421,19 +3102,22 @@ def wrap_view_function(view_fn, datasette):
 
 
 def permanent_redirect(path, forward_query_string=False, forward_rest=False):
-    return wrap_view(
-        lambda request, send: Response.redirect(
+    def view(request, send):
+        redirect_path = (
             path
             + (request.url_vars["rest"] if forward_rest else "")
             + (
                 ("?" + request.query_string)
                 if forward_query_string and request.query_string
                 else ""
-            ),
-            status=301,
-        ),
-        datasette=None,
-    )
+            )
+        )
+        route_path = request.scope.get("route_path")
+        if route_path and request.path.endswith(route_path):
+            redirect_path = request.path[: -len(route_path)] + redirect_path
+        return Response.redirect(redirect_path, status=301)
+
+    return wrap_view(view, datasette=None)
 
 
 _curly_re = re.compile(r"({.*?})")
@@ -2481,9 +3165,21 @@ class DatasetteClient:
             path = f"http://localhost{path}"
         return path
 
+    def _apply_actor(self, kwargs):
+        """If ``actor=`` was supplied, convert it into a signed ds_actor cookie."""
+        actor = kwargs.pop("actor", None)
+        if actor is None:
+            return
+        cookies = dict(kwargs.get("cookies") or {})
+        if "ds_actor" in cookies:
+            raise TypeError("Cannot pass both actor= and a ds_actor cookie")
+        cookies["ds_actor"] = self.actor_cookie(actor)
+        kwargs["cookies"] = cookies
+
     async def _request(self, method, path, skip_permission_checks=False, **kwargs):
         from datasette.permissions import SkipPermissions
 
+        self._apply_actor(kwargs)
         with _DatasetteClientContext():
             if skip_permission_checks:
                 with SkipPermissions():
@@ -2549,6 +3245,7 @@ class DatasetteClient:
         from datasette.permissions import SkipPermissions
 
         avoid_path_rewrites = kwargs.pop("avoid_path_rewrites", None)
+        self._apply_actor(kwargs)
         with _DatasetteClientContext():
             if skip_permission_checks:
                 with SkipPermissions():
diff --git a/datasette/cli.py b/datasette/cli.py
index db777fe8..90a33e80 100644
--- a/datasette/cli.py
+++ b/datasette/cli.py
@@ -21,6 +21,7 @@ from .app import (
     SQLITE_LIMIT_ATTACHED,
     pm,
 )
+from .inspect import inspect_tables
 from .utils import (
     LoadExtension,
     StartupError,
@@ -154,14 +155,14 @@ async def inspect_(files, sqlite_extensions):
     app = Datasette([], immutables=files, sqlite_extensions=sqlite_extensions)
     data = {}
     for name, database in app.databases.items():
-        counts = await database.table_counts(limit=3600 * 1000)
+        tables = await database.execute_fn(lambda conn: inspect_tables(conn, {}))
         data[name] = {
             "hash": database.hash,
             "size": database.size,
             "file": database.path,
             "tables": {
-                table_name: {"count": table_count}
-                for table_name, table_count in counts.items()
+                table_name: {"count": table["count"]}
+                for table_name, table in tables.items()
             },
         }
     return data
@@ -615,7 +616,9 @@ def serve(
     for file in file_paths:
         if not pathlib.Path(file).exists():
             if create:
-                sqlite3.connect(file).execute("vacuum")
+                conn = sqlite3.connect(file)
+                conn.execute("vacuum")
+                conn.close()
             else:
                 raise click.ClickException(
                     "Invalid value for '[FILES]...': Path '{}' does not exist.".format(
@@ -661,15 +664,16 @@ def serve(
         # Private utility mechanism for writing unit tests
         return ds
 
+    # Run async soundness checks before startup hooks, since invoke_startup
+    # now populates internal tables which requires querying each database
+    run_sync(lambda: check_databases(ds))
+
     # Run the "startup" plugin hooks
     try:
         run_sync(ds.invoke_startup)
     except StartupError as e:
         raise click.ClickException(e.args[0])
 
-    # Run async soundness checks - but only if we're not under pytest
-    run_sync(lambda: check_databases(ds))
-
     if headers and not get:
         raise click.ClickException("--headers can only be used with --get")
 
diff --git a/datasette/column_types.py b/datasette/column_types.py
new file mode 100644
index 00000000..11a14ec0
--- /dev/null
+++ b/datasette/column_types.py
@@ -0,0 +1,81 @@
+from enum import Enum
+
+
+class SQLiteType(Enum):
+    TEXT = "TEXT"
+    INTEGER = "INTEGER"
+    REAL = "REAL"
+    BLOB = "BLOB"
+    NUMERIC = "NUMERIC"
+
+    @classmethod
+    def from_declared_type(cls, declared_type: str | None) -> "SQLiteType":
+        if declared_type is None:
+            return cls.BLOB
+
+        normalized = declared_type.strip().upper()
+        if not normalized:
+            return cls.BLOB
+
+        if "INT" in normalized:
+            return cls.INTEGER
+        if any(token in normalized for token in ("CHAR", "CLOB", "TEXT")):
+            return cls.TEXT
+        if "BLOB" in normalized:
+            return cls.BLOB
+        if any(
+            token in normalized
+            for token in ("REAL", "FLOA", "DOUB")  # codespell:ignore doub
+        ):
+            return cls.REAL
+
+        return cls.NUMERIC
+
+
+class ColumnType:
+    """
+    Base class for column types.
+
+    Subclasses must define ``name`` and ``description`` as class attributes:
+
+    - ``name``: Unique identifier string. Lowercase, no spaces.
+      Examples: "markdown", "file", "email", "url", "point", "image".
+    - ``description``: Human-readable label for admin UI dropdowns.
+      Examples: "Markdown text", "File reference", "Email address".
+    - ``sqlite_types``: Optional tuple of SQLiteType values restricting
+      which SQLite column types this ColumnType can be assigned to.
+
+    Instantiate with an optional ``config`` dict to bind per-column
+    configuration::
+
+        ct = MyColumnType(config={"key": "value"})
+        ct.config  # {"key": "value"}
+    """
+
+    name: str
+    description: str
+    sqlite_types: tuple[SQLiteType, ...] | None = None
+
+    def __init__(self, config=None):
+        self.config = config
+
+    async def render_cell(self, value, column, table, database, datasette, request):
+        """
+        Return an HTML string to render this cell value, or None to
+        fall through to the default render_cell plugin hook chain.
+        """
+        return None
+
+    async def validate(self, value, datasette):
+        """
+        Validate a value before it is written. Return None if valid,
+        or a string error message if invalid.
+        """
+        return None
+
+    async def transform_value(self, value, datasette):
+        """
+        Transform a value before it appears in JSON API output.
+        Return the transformed value. Default: return unchanged.
+        """
+        return value
diff --git a/datasette/csrf.py b/datasette/csrf.py
new file mode 100644
index 00000000..df239aee
--- /dev/null
+++ b/datasette/csrf.py
@@ -0,0 +1,178 @@
+"""
+Header-based CSRF (Cross-Origin) protection.
+
+Datasette uses the Sec-Fetch-Site + Origin header approach described in
+Filippo Valsorda's article (https://words.filippo.io/csrf/) and implemented
+in Go 1.25's http.CrossOriginProtection. This replaces the previous
+token-based asgi-csrf mechanism.
+"""
+
+from __future__ import annotations
+
+import secrets
+import urllib.parse
+
+from .utils.asgi import asgi_send
+
+SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
+
+DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
+
+
+def _normalize_headers(raw_headers):
+    """Lowercase header names; for duplicates, last value wins."""
+    result = {}
+    for name, value in raw_headers:
+        if isinstance(name, str):
+            name = name.encode("latin-1")
+        if isinstance(value, str):
+            value = value.encode("latin-1")
+        result[name.lower()] = value
+    return result
+
+
+def _origin_tuple(value):
+    """
+    Parse an origin-like string into ``(scheme, host, port)`` with default
+    ports filled in. Raises ``ValueError`` for malformed input.
+    """
+    parsed = urllib.parse.urlsplit(value)
+    scheme = (parsed.scheme or "").lower()
+    host = (parsed.hostname or "").lower()
+    if not scheme or not host:
+        raise ValueError("missing scheme or host in {!r}".format(value))
+    port = parsed.port  # may raise ValueError on bad ports
+    if port is None:
+        port = DEFAULT_PORTS.get(scheme)
+    if port is None:
+        raise ValueError("unknown default port for scheme {!r}".format(scheme))
+    return scheme, host, port
+
+
+def _install_legacy_csrftoken(scope):
+    """
+    Populate ``scope["csrftoken"]`` with a callable returning a per-request
+    random token. Provided for plugin compatibility only - core no longer
+    uses this value for CSRF enforcement.
+    """
+
+    def csrftoken():
+        if "_datasette_legacy_csrftoken" not in scope:
+            scope["_datasette_legacy_csrftoken"] = secrets.token_urlsafe(32)
+        return scope["_datasette_legacy_csrftoken"]
+
+    scope["csrftoken"] = csrftoken
+
+
+class CrossOriginProtectionMiddleware:
+    """
+    Modern CSRF protection using the Sec-Fetch-Site and Origin headers.
+
+    Based on Filippo Valsorda's algorithm, as implemented in Go 1.25's
+    http.CrossOriginProtection. See https://words.filippo.io/csrf/
+
+    Unsafe-method requests are allowed through only if they look same-origin.
+    Non-browser clients (curl, etc.) send neither Sec-Fetch-Site nor Origin
+    and are passed through unchanged - CSRF is a browser-only attack.
+    """
+
+    SAFE_METHODS = SAFE_METHODS
+
+    def __init__(self, app, datasette):
+        self.app = app
+        self.datasette = datasette
+
+    async def __call__(self, scope, receive, send):
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+
+        _install_legacy_csrftoken(scope)
+
+        if scope.get("method", "GET") in self.SAFE_METHODS:
+            await self.app(scope, receive, send)
+            return
+
+        headers = _normalize_headers(scope.get("headers") or [])
+
+        authorization = headers.get(b"authorization", b"").decode("latin-1")
+        cookie_header = headers.get(b"cookie")
+        # Bearer-token requests are not ambient browser credentials, so they
+        # are not CSRF-vulnerable. Narrowly exempt them from the header check
+        # before evaluating Sec-Fetch-Site / Origin. Only "Bearer" is exempt;
+        # schemes like Basic or Digest can be browser-managed and ambient.
+        # If the request also carries a Cookie header, ambient cookie auth
+        # could be in play, so do NOT treat it as exempt.
+        if authorization and not cookie_header:
+            parts = authorization.split(None, 1)
+            if parts and parts[0].lower() == "bearer":
+                await self.app(scope, receive, send)
+                return
+
+        origin_bytes = headers.get(b"origin")
+        sec_fetch_site_bytes = headers.get(b"sec-fetch-site")
+        host_bytes = headers.get(b"host", b"")
+        origin = origin_bytes.decode("latin-1") if origin_bytes else None
+        sec_fetch_site = (
+            sec_fetch_site_bytes.decode("latin-1") if sec_fetch_site_bytes else None
+        )
+        host = host_bytes.decode("latin-1")
+
+        # Primary defense: Sec-Fetch-Site (set by browsers, unforgeable from JS)
+        if sec_fetch_site is not None:
+            if sec_fetch_site in ("same-origin", "none"):
+                await self.app(scope, receive, send)
+                return
+            await self._forbid(
+                send,
+                "Sec-Fetch-Site was {!r}, expected 'same-origin' or 'none'".format(
+                    sec_fetch_site
+                ),
+            )
+            return
+
+        # No Sec-Fetch-Site and no Origin -> non-browser client (curl, API, etc.)
+        if origin is None:
+            await self.app(scope, receive, send)
+            return
+
+        # Fallback for older browsers: Origin must match the request's own
+        # scheme + host + port. Compare full origin tuples, not host alone.
+        request_scheme = self._request_scheme(scope)
+        try:
+            origin_tuple = _origin_tuple(origin)
+            expected_tuple = _origin_tuple("{}://{}".format(request_scheme, host))
+        except ValueError:
+            await self._forbid(
+                send,
+                "Malformed Origin {!r} or Host {!r}".format(origin, host),
+            )
+            return
+
+        if origin_tuple == expected_tuple:
+            await self.app(scope, receive, send)
+            return
+
+        await self._forbid(
+            send,
+            "Origin {!r} does not match Host {!r}".format(origin, host),
+        )
+
+    def _request_scheme(self, scope):
+        if self.datasette is not None:
+            try:
+                if self.datasette.setting("force_https_urls"):
+                    return "https"
+            except Exception:
+                pass
+        return scope.get("scheme") or "http"
+
+    async def _forbid(self, send, reason):
+        await asgi_send(
+            send,
+            content=await self.datasette.render_template(
+                "csrf_error.html", {"reason": reason}
+            ),
+            status=403,
+            content_type="text/html; charset=utf-8",
+        )
diff --git a/datasette/database.py b/datasette/database.py
index fcf69c7f..e7fe1ed9 100644
--- a/datasette/database.py
+++ b/datasette/database.py
@@ -1,15 +1,19 @@
 import asyncio
+import atexit
 from collections import namedtuple
+import inspect
+import os
 from pathlib import Path
-import janus
 import queue
 import sqlite_utils
 import sys
+import tempfile
 import threading
 import uuid
 
 from .tracer import trace
 from .utils import (
+    call_with_supported_arguments,
     detect_fts,
     detect_primary_keys,
     detect_spatialite,
@@ -21,14 +25,24 @@ from .utils import (
     table_columns,
     table_column_details,
 )
-from .utils.sqlite import sqlite_version
+from .utils.sql_analysis import SQLAnalysis, analyze_sql_tables
+from .utils.sqlite import sqlite_hidden_table_names
 from .inspect import inspect_hash
 
 connections = threading.local()
 
+EXECUTE_WRITE_RETURNING_LIMIT = 10
+
 AttachedDatabase = namedtuple("AttachedDatabase", ("seq", "name", "file"))
 
 
+class DatasetteClosedError(RuntimeError):
+    """Raised when using a Datasette or Database instance after close()."""
+
+
+_SHUTDOWN = object()
+
+
 class Database:
     # For table counts stop at this many rows:
     count_limit = 10000
@@ -42,6 +56,7 @@ class Database:
         is_memory=False,
         memory_name=None,
         mode=None,
+        is_temp_disk=False,
     ):
         self.name = None
         self._thread_local_id = f"x{self._thread_local_id_counter}"
@@ -52,19 +67,44 @@ class Database:
         self.is_mutable = is_mutable
         self.is_memory = is_memory
         self.memory_name = memory_name
+        self.is_temp_disk = is_temp_disk
         if memory_name is not None:
             self.is_memory = True
+        if is_temp_disk:
+            fd, temp_path = tempfile.mkstemp(suffix=".db", prefix="datasette_temp_")
+            os.close(fd)
+            self.path = temp_path
+            self.is_mutable = True
+            self.mode = "rwc"
+            self._wal_enabled = False
+            atexit.register(self._cleanup_temp_file)
+        else:
+            self._wal_enabled = False
         self.cached_hash = None
         self.cached_size = None
         self._cached_table_counts = None
         self._write_thread = None
         self._write_queue = None
+        self._closed = False
+        self._pending_execute_futures = set()
+        self._pending_execute_futures_lock = threading.Lock()
         # These are used when in non-threaded mode:
         self._read_connection = None
         self._write_connection = None
         # This is used to track all file connections so they can be closed
         self._all_file_connections = []
-        self.mode = mode
+        if not is_temp_disk:
+            self.mode = mode
+
+    def _check_not_closed(self):
+        if self._closed:
+            raise DatasetteClosedError(
+                "Database {!r} has been closed".format(self.name)
+            )
+
+    def _remove_pending_execute_future(self, future):
+        with self._pending_execute_futures_lock:
+            self._pending_execute_futures.discard(future)
 
     @property
     def cached_table_counts(self):
@@ -85,6 +125,8 @@ class Database:
         return md5_not_usedforsecurity(self.name)[:6]
 
     def suggest_name(self):
+        if self.is_temp_disk:
+            return "_temp_disk"
         if self.path:
             return Path(self.path).stem
         elif self.memory_name:
@@ -123,22 +165,105 @@ class Database:
             f"file:{self.path}{qs}", uri=True, check_same_thread=False, **extra_kwargs
         )
         self._all_file_connections.append(conn)
+        if self.is_temp_disk and not self._wal_enabled:
+            conn.execute("PRAGMA journal_mode=WAL")
+            self._wal_enabled = True
         return conn
 
     def close(self):
-        # Close all connections - useful to avoid running out of file handles in tests
-        for connection in self._all_file_connections:
-            connection.close()
+        """Release all resources held by this database.
+
+        Idempotent. After close() further calls to execute()/execute_fn()/
+        execute_write()/execute_write_fn() raise DatasetteClosedError.
+        """
+        if self._closed:
+            return
+        with self._pending_execute_futures_lock:
+            if self._closed:
+                return
+            self._closed = True
+            pending_execute_futures = tuple(self._pending_execute_futures)
+        # Shut down the write thread, if any, via a sentinel. The thread
+        # drains any writes already queued before the sentinel and then
+        # closes its own write connection and returns.
+        write_thread = self._write_thread
+        if write_thread is not None and self._write_queue is not None:
+            self._write_queue.put(_SHUTDOWN)
+            write_thread.join(timeout=10)
+            if write_thread.is_alive():
+                sys.stderr.write(
+                    "Datasette: write thread for {!r} did not exit within 10s\n".format(
+                        self.name
+                    )
+                )
+                sys.stderr.flush()
+        for future in pending_execute_futures:
+            try:
+                future.result()
+            except Exception:
+                pass
+        # Close anything still tracked in _all_file_connections
+        for connection in self._all_file_connections:
+            try:
+                connection.close()
+            except Exception:
+                pass
+        self._all_file_connections = []
+        # Drop per-thread cached read connections we can reach
+        try:
+            delattr(connections, self._thread_local_id)
+        except AttributeError:
+            pass
+        # Close non-threaded-mode cached connections if still open
+        if self._read_connection is not None:
+            try:
+                self._read_connection.close()
+            except Exception:
+                pass
+            self._read_connection = None
+        if self._write_connection is not None:
+            try:
+                self._write_connection.close()
+            except Exception:
+                pass
+            self._write_connection = None
+        if self.is_temp_disk:
+            self._cleanup_temp_file()
+
+    def _cleanup_temp_file(self):
+        if self.is_temp_disk and self.path:
+            for suffix in ("", "-wal", "-shm"):
+                try:
+                    os.unlink(self.path + suffix)
+                except OSError:
+                    pass
+
+    async def execute_write(
+        self,
+        sql,
+        params=None,
+        block=True,
+        request=None,
+        return_all=False,
+        returning_limit=EXECUTE_WRITE_RETURNING_LIMIT,
+    ):
+        self._check_not_closed()
+        if returning_limit < 0:
+            raise ValueError("returning_limit must be >= 0")
 
-    async def execute_write(self, sql, params=None, block=True, request=None):
         def _inner(conn):
-            return conn.execute(sql, params or [])
+            cursor = conn.execute(sql, params or [])
+            return ExecuteWriteResult.from_cursor(
+                cursor, return_all=return_all, returning_limit=returning_limit
+            )
 
         with trace("sql", database=self.name, sql=sql.strip(), params=params):
             results = await self.execute_write_fn(_inner, block=block, request=request)
         return results
 
     async def execute_write_script(self, sql, block=True, request=None):
+        self._check_not_closed()
+
         def _inner(conn):
             return conn.executescript(sql)
 
@@ -149,6 +274,8 @@ class Database:
         return results
 
     async def execute_write_many(self, sql, params_seq, block=True, request=None):
+        self._check_not_closed()
+
         def _inner(conn):
             count = 0
 
@@ -170,13 +297,15 @@ class Database:
         return results
 
     async def execute_isolated_fn(self, fn):
-        # Open a new connection just for the duration of this function
+        self._check_not_closed()
+        # Open a new connection just for the duration of this function,
         # blocking the write queue to avoid any writes occurring during it
-        if self.ds.executor is None:
-            # non-threaded mode
-            isolated_connection = self.connect(write=True)
+        write = self.is_mutable
+
+        def _run():
+            isolated_connection = self.connect(write=write)
             try:
-                result = fn(isolated_connection)
+                return fn(isolated_connection)
             finally:
                 isolated_connection.close()
                 try:
@@ -184,13 +313,34 @@ class Database:
                 except ValueError:
                     # Was probably a memory connection
                     pass
-            return result
-        else:
-            # Threaded mode - send to write thread
-            return await self._send_to_write_thread(fn, isolated_connection=True)
+
+        if self.ds.executor is None:
+            # non-threaded mode
+            return _run()
+        if not write:
+            # Immutable database - no writes can ever occur, so there is no
+            # write queue to block; run against a fresh read-only connection
+            return await asyncio.get_running_loop().run_in_executor(
+                self.ds.executor, _run
+            )
+        # Threaded mode - send to write thread
+        return await self._send_to_write_thread(fn, isolated_connection=True)
+
+    async def analyze_sql(self, sql, params=None) -> SQLAnalysis:
+        self._check_not_closed()
+
+        return await self.execute_isolated_fn(
+            lambda conn: analyze_sql_tables(conn, sql, params, database_name=self.name)
+        )
 
     async def execute_write_fn(self, fn, block=True, transaction=True, request=None):
-        fn = self._wrap_fn_with_hooks(fn, request, transaction)
+        self._check_not_closed()
+        pending_events = []
+
+        def track_event(event):
+            pending_events.append(event)
+
+        fn = self._wrap_fn_with_hooks(fn, request, transaction, track_event)
         if self.ds.executor is None:
             # non-threaded mode
             if self._write_connection is None:
@@ -198,17 +348,53 @@ class Database:
                 self.ds._prepare_connection(self._write_connection, self.name)
             if transaction:
                 with self._write_connection:
-                    return fn(self._write_connection)
+                    result = fn(self._write_connection)
             else:
-                return fn(self._write_connection)
+                result = fn(self._write_connection)
         else:
-            return await self._send_to_write_thread(
+            result = await self._send_to_write_thread(
                 fn, block=block, transaction=transaction
             )
+        if block:
+            for event in pending_events:
+                await self.ds.track_event(event)
+        else:
+            # For non-blocking writes, spawn a background task to
+            # dispatch events after the write thread completes
+            task_id, reply_future = result
 
-    def _wrap_fn_with_hooks(self, fn, request, transaction):
+            async def _dispatch_events_after_write():
+                try:
+                    await reply_future
+                except Exception:
+                    # if the write failed, don't emit success events
+                    return
+                for event in pending_events:
+                    await self.ds.track_event(event)
+
+            asyncio.ensure_future(_dispatch_events_after_write())
+            result = task_id
+        return result
+
+    def _wrap_fn_with_hooks(self, fn, request, transaction, track_event):
         from .plugins import pm
 
+        # Wrap fn so it receives track_event if its signature supports it.
+        # Historically fn was called positionally, so any single-parameter
+        # name (conn, connection, db, ...) worked. Preserve that by only
+        # switching to keyword dependency injection when the callback
+        # explicitly opts in by declaring a `track_event` parameter.
+        original_fn = fn
+
+        if "track_event" in inspect.signature(original_fn).parameters:
+
+            def fn_with_track_event(conn):
+                return call_with_supported_arguments(
+                    original_fn, conn=conn, track_event=track_event
+                )
+
+            fn = fn_with_track_event
+
         wrappers = pm.hook.write_wrapper(
             datasette=self.ds,
             database=self.name,
@@ -220,10 +406,9 @@ class Database:
             return fn
         # Build the wrapped fn by nesting context manager generators.
         # The first wrapper returned by pluggy is outermost.
-        original_fn = fn
         for wrapper_factory in reversed(wrappers):
-            original_fn = _apply_write_wrapper(original_fn, wrapper_factory)
-        return original_fn
+            fn = _apply_write_wrapper(fn, wrapper_factory, track_event)
+        return fn
 
     async def _send_to_write_thread(
         self, fn, block=True, isolated_connection=False, transaction=True
@@ -239,18 +424,15 @@ class Database:
             )
             self._write_thread.start()
         task_id = uuid.uuid5(uuid.NAMESPACE_DNS, "datasette.io")
-        reply_queue = janus.Queue()
+        loop = asyncio.get_running_loop()
+        reply_future = loop.create_future()
         self._write_queue.put(
-            WriteTask(fn, task_id, reply_queue, isolated_connection, transaction)
+            WriteTask(fn, task_id, loop, reply_future, isolated_connection, transaction)
         )
         if block:
-            result = await reply_queue.async_q.get()
-            if isinstance(result, Exception):
-                raise result
-            else:
-                return result
+            return await reply_future
         else:
-            return task_id
+            return task_id, reply_future
 
     def _execute_writes(self):
         # Infinite looping thread that protects the single write connection
@@ -264,17 +446,22 @@ class Database:
             conn_exception = e
         while True:
             task = self._write_queue.get()
+            if task is _SHUTDOWN:
+                if conn is not None:
+                    try:
+                        conn.close()
+                    except Exception:
+                        pass
+                return
+            exception = None
+            result = None
             if conn_exception is not None:
-                result = conn_exception
-            else:
-                if task.isolated_connection:
+                exception = conn_exception
+            elif task.isolated_connection:
+                try:
                     isolated_connection = self.connect(write=True)
                     try:
                         result = task.fn(isolated_connection)
-                    except Exception as e:
-                        sys.stderr.write("{}\n".format(e))
-                        sys.stderr.flush()
-                        result = e
                     finally:
                         isolated_connection.close()
                         try:
@@ -282,20 +469,25 @@ class Database:
                         except ValueError:
                             # Was probably a memory connection
                             pass
-                else:
-                    try:
-                        if task.transaction:
-                            with conn:
-                                result = task.fn(conn)
-                        else:
+                except Exception as e:
+                    sys.stderr.write("{}\n".format(e))
+                    sys.stderr.flush()
+                    exception = e
+            else:
+                try:
+                    if task.transaction:
+                        with conn:
                             result = task.fn(conn)
-                    except Exception as e:
-                        sys.stderr.write("{}\n".format(e))
-                        sys.stderr.flush()
-                        result = e
-            task.reply_queue.sync_q.put(result)
+                    else:
+                        result = task.fn(conn)
+                except Exception as e:
+                    sys.stderr.write("{}\n".format(e))
+                    sys.stderr.flush()
+                    exception = e
+            _deliver_write_result(task, result, exception)
 
     async def execute_fn(self, fn):
+        self._check_not_closed()
         if self.ds.executor is None:
             # non-threaded mode
             if self._read_connection is None:
@@ -312,9 +504,12 @@ class Database:
                 setattr(connections, self._thread_local_id, conn)
             return fn(conn)
 
-        return await asyncio.get_event_loop().run_in_executor(
-            self.ds.executor, in_thread
-        )
+        with self._pending_execute_futures_lock:
+            self._check_not_closed()
+            future = self.ds.executor.submit(in_thread)
+            self._pending_execute_futures.add(future)
+        future.add_done_callback(self._remove_pending_execute_future)
+        return await asyncio.wrap_future(future)
 
     async def execute(
         self,
@@ -326,6 +521,7 @@ class Database:
         log_sql_errors=True,
     ):
         """Executes sql against db_name in a thread"""
+        self._check_not_closed()
         page_size = page_size or self.ds.page_size
 
         def sql_operation_in_thread(conn):
@@ -373,7 +569,7 @@ class Database:
     def hash(self):
         if self.cached_hash is not None:
             return self.cached_hash
-        elif self.is_mutable or self.is_memory:
+        elif self.is_mutable or self.is_memory or self.is_temp_disk:
             return None
         elif self.ds.inspect_data and self.ds.inspect_data.get(self.name):
             self.cached_hash = self.ds.inspect_data[self.name]["hash"]
@@ -531,83 +727,7 @@ class Database:
                 t for t in db_config["tables"] if db_config["tables"][t].get("hidden")
             ]
 
-        if sqlite_version()[1] >= 37:
-            hidden_tables += [x[0] for x in await self.execute("""
-                      with shadow_tables as (
-                        select name
-                        from pragma_table_list
-                        where [type] = 'shadow'
-                        order by name
-                      ),
-                      core_tables as (
-                        select name
-                        from sqlite_master
-                        WHERE  name in ('sqlite_stat1', 'sqlite_stat2', 'sqlite_stat3', 'sqlite_stat4')
-                          OR substr(name, 1, 1) == '_'
-                      ),
-                      combined as (
-                        select name from shadow_tables
-                        union all
-                        select name from core_tables
-                      )
-                      select name from combined order by 1
-                    """)]
-        else:
-            hidden_tables += [x[0] for x in await self.execute("""
-                      WITH base AS (
-                        SELECT name
-                        FROM sqlite_master
-                        WHERE  name IN ('sqlite_stat1', 'sqlite_stat2', 'sqlite_stat3', 'sqlite_stat4')
-                          OR substr(name, 1, 1) == '_'
-                      ),
-                      fts_suffixes AS (
-                        SELECT column1 AS suffix
-                        FROM (VALUES ('_data'), ('_idx'), ('_docsize'), ('_content'), ('_config'))
-                      ),
-                      fts5_names AS (
-                        SELECT name
-                        FROM sqlite_master
-                        WHERE sql LIKE '%VIRTUAL TABLE%USING FTS%'
-                      ),
-                      fts5_shadow_tables AS (
-                        SELECT
-                          printf('%s%s', fts5_names.name, fts_suffixes.suffix) AS name
-                        FROM fts5_names
-                        JOIN fts_suffixes
-                      ),
-                      fts3_suffixes AS (
-                        SELECT column1 AS suffix
-                        FROM (VALUES ('_content'), ('_segdir'), ('_segments'), ('_stat'), ('_docsize'))
-                      ),
-                      fts3_names AS (
-                        SELECT name
-                        FROM sqlite_master
-                        WHERE sql LIKE '%VIRTUAL TABLE%USING FTS3%'
-                          OR sql LIKE '%VIRTUAL TABLE%USING FTS4%'
-                      ),
-                      fts3_shadow_tables AS (
-                        SELECT
-                          printf('%s%s', fts3_names.name, fts3_suffixes.suffix) AS name
-                        FROM fts3_names
-                        JOIN fts3_suffixes
-                      ),
-                      final AS (
-                        SELECT name FROM base
-                        UNION ALL
-                        SELECT name FROM fts5_shadow_tables
-                        UNION ALL
-                        SELECT name FROM fts3_shadow_tables
-                      )
-                      SELECT name FROM final ORDER BY 1
-                    """)]
-        # Also hide any FTS tables that have a content= argument
-        hidden_tables += [x[0] for x in await self.execute("""
-                  SELECT name
-                  FROM sqlite_master
-                  WHERE sql LIKE '%VIRTUAL TABLE%'
-                    AND sql LIKE '%USING FTS%'
-                    AND sql LIKE '%content=%'
-                """)]
+        hidden_tables += await self.execute_fn(sqlite_hidden_table_names)
 
         has_spatialite = await self.execute_fn(detect_spatialite)
         if has_spatialite:
@@ -672,6 +792,8 @@ class Database:
             tags.append("mutable")
         if self.is_memory:
             tags.append("memory")
+        if self.is_temp_disk:
+            tags.append("temp_disk")
         if self.hash:
             tags.append(f"hash={self.hash}")
         if self.size is not None:
@@ -682,18 +804,21 @@ class Database:
         return f"<Database: {self.name}{tags_str}>"
 
 
-def _apply_write_wrapper(fn, wrapper_factory):
+def _apply_write_wrapper(fn, wrapper_factory, track_event):
     """Apply a single write_wrapper context manager around fn.
 
-    ``wrapper_factory`` is a callable that takes ``(conn)`` and returns a
-    generator that yields exactly once.  Code before the yield runs before
-    ``fn(conn)``, code after the yield runs after.  The result of
-    ``fn(conn)`` is sent into the generator via ``.send()``, and any
-    exception raised by ``fn(conn)`` is thrown via ``.throw()``.
+    ``wrapper_factory`` is a callable that takes ``(conn)`` and optionally
+    ``track_event``, and returns a generator that yields exactly once.
+    Code before the yield runs before ``fn(conn)``, code after the yield
+    runs after.  The result of ``fn(conn)`` is sent into the generator
+    via ``.send()``, and any exception raised by ``fn(conn)`` is thrown
+    via ``.throw()``.
     """
 
     def wrapped(conn):
-        gen = wrapper_factory(conn)
+        gen = call_with_supported_arguments(
+            wrapper_factory, conn=conn, track_event=track_event
+        )
         # Advance to the yield point (run "before" code)
         try:
             next(gen)
@@ -704,10 +829,10 @@ def _apply_write_wrapper(fn, wrapper_factory):
         # Execute the actual write
         try:
             result = fn(conn)
-        except Exception:
+        except Exception as e:
             # Throw exception into generator so it can handle it
             try:
-                gen.throw(*sys.exc_info())
+                gen.throw(e)
             except StopIteration:
                 pass
             # Re-raise the original exception
@@ -724,16 +849,45 @@ def _apply_write_wrapper(fn, wrapper_factory):
 
 
 class WriteTask:
-    __slots__ = ("fn", "task_id", "reply_queue", "isolated_connection", "transaction")
+    __slots__ = (
+        "fn",
+        "task_id",
+        "loop",
+        "reply_future",
+        "isolated_connection",
+        "transaction",
+    )
 
-    def __init__(self, fn, task_id, reply_queue, isolated_connection, transaction):
+    def __init__(
+        self, fn, task_id, loop, reply_future, isolated_connection, transaction
+    ):
         self.fn = fn
         self.task_id = task_id
-        self.reply_queue = reply_queue
+        self.loop = loop
+        self.reply_future = reply_future
         self.isolated_connection = isolated_connection
         self.transaction = transaction
 
 
+def _deliver_write_result(task, result, exception):
+    # Called from the write thread. Delivers the result back to the
+    # awaiting coroutine on its event loop via call_soon_threadsafe.
+    def _set():
+        if task.reply_future.done():
+            # Awaiter was cancelled; nothing to do.
+            return
+        if exception is not None:
+            task.reply_future.set_exception(exception)
+        else:
+            task.reply_future.set_result(result)
+
+    try:
+        task.loop.call_soon_threadsafe(_set)
+    except RuntimeError:
+        # Event loop has been closed; the awaiter is gone.
+        pass
+
+
 class QueryInterrupted(Exception):
     def __init__(self, e, sql, params):
         self.e = e
@@ -748,6 +902,44 @@ class MultipleValues(Exception):
     pass
 
 
+class ExecuteWriteResult:
+    def __init__(self, rowcount, lastrowid, description, rows, truncated):
+        self.rowcount = rowcount
+        self.lastrowid = lastrowid
+        self.description = description
+        self.truncated = truncated
+        self._rows = rows
+
+    @classmethod
+    def from_cursor(
+        cls, cursor, return_all=False, returning_limit=EXECUTE_WRITE_RETURNING_LIMIT
+    ):
+        rows = []
+        truncated = False
+        description = cursor.description
+        lastrowid = cursor.lastrowid
+        try:
+            if description is not None:
+                if return_all:
+                    rows = cursor.fetchall()
+                else:
+                    rows = cursor.fetchmany(returning_limit + 1)
+                    if len(rows) > returning_limit:
+                        rows = rows[:returning_limit]
+                        truncated = True
+            rowcount = cursor.rowcount
+        finally:
+            cursor.close()
+        if description is not None and not return_all and truncated:
+            rowcount = -1
+        return cls(rowcount, lastrowid, description, rows, truncated)
+
+    def fetchall(self):
+        rows = self._rows
+        self._rows = []
+        return rows
+
+
 class Results:
     def __init__(self, rows, truncated, description):
         self.rows = rows
diff --git a/datasette/default_actions.py b/datasette/default_actions.py
index 87d98fac..2f78570b 100644
--- a/datasette/default_actions.py
+++ b/datasette/default_actions.py
@@ -48,12 +48,26 @@ def register_actions():
             resource_class=DatabaseResource,
             also_requires="view-database",
         ),
+        Action(
+            name="execute-write-sql",
+            abbr="ews",
+            description="Execute writable SQL queries",
+            resource_class=DatabaseResource,
+            also_requires="view-database",
+        ),
         Action(
             name="create-table",
             abbr="ct",
             description="Create tables",
             resource_class=DatabaseResource,
         ),
+        Action(
+            name="store-query",
+            abbr="sq",
+            description="Create stored queries",
+            resource_class=DatabaseResource,
+            also_requires="execute-sql",
+        ),
         # Table-level actions (child-level)
         Action(
             name="view-table",
@@ -85,6 +99,12 @@ def register_actions():
             description="Alter tables",
             resource_class=TableResource,
         ),
+        Action(
+            name="set-column-type",
+            abbr="sct",
+            description="Set column type",
+            resource_class=TableResource,
+        ),
         Action(
             name="drop-table",
             abbr="dt",
@@ -98,4 +118,16 @@ def register_actions():
             description="View named query results",
             resource_class=QueryResource,
         ),
+        Action(
+            name="update-query",
+            abbr="uq",
+            description="Update stored queries",
+            resource_class=QueryResource,
+        ),
+        Action(
+            name="delete-query",
+            abbr="dq",
+            description="Delete stored queries",
+            resource_class=QueryResource,
+        ),
     )
diff --git a/datasette/default_column_types.py b/datasette/default_column_types.py
new file mode 100644
index 00000000..f90a733e
--- /dev/null
+++ b/datasette/default_column_types.py
@@ -0,0 +1,87 @@
+import json
+import re
+
+import markupsafe
+
+from datasette import hookimpl
+from datasette.column_types import ColumnType, SQLiteType
+
+
+class UrlColumnType(ColumnType):
+    name = "url"
+    description = "URL"
+    sqlite_types = (SQLiteType.TEXT,)
+
+    async def render_cell(self, value, column, table, database, datasette, request):
+        if not value or not isinstance(value, str):
+            return None
+        escaped = markupsafe.escape(value.strip())
+        return markupsafe.Markup(f'<a href="{escaped}">{escaped}</a>')
+
+    async def validate(self, value, datasette):
+        if value is None or value == "":
+            return None
+        if not isinstance(value, str):
+            return "URL must be a string"
+        if not re.match(r"^https?://\S+$", value.strip()):
+            return "Invalid URL"
+        return None
+
+
+class EmailColumnType(ColumnType):
+    name = "email"
+    description = "Email address"
+    sqlite_types = (SQLiteType.TEXT,)
+
+    async def render_cell(self, value, column, table, database, datasette, request):
+        if not value or not isinstance(value, str):
+            return None
+        escaped = markupsafe.escape(value.strip())
+        return markupsafe.Markup(f'<a href="mailto:{escaped}">{escaped}</a>')
+
+    async def validate(self, value, datasette):
+        if value is None or value == "":
+            return None
+        if not isinstance(value, str):
+            return "Email must be a string"
+        if not re.match(r"^[^@\s]+@[^@\s]+\.[^@\s]+$", value.strip()):
+            return "Invalid email address"
+        return None
+
+
+class JsonColumnType(ColumnType):
+    name = "json"
+    description = "JSON data"
+    sqlite_types = (SQLiteType.TEXT,)
+
+    async def render_cell(self, value, column, table, database, datasette, request):
+        if value is None:
+            return None
+        try:
+            parsed = json.loads(value) if isinstance(value, str) else value
+            formatted = json.dumps(parsed, indent=2)
+            escaped = markupsafe.escape(formatted)
+            return markupsafe.Markup(f"<pre>{escaped}</pre>")
+        except (json.JSONDecodeError, TypeError):
+            return None
+
+    async def validate(self, value, datasette):
+        if value is None or value == "":
+            return None
+        if isinstance(value, str):
+            try:
+                json.loads(value)
+            except json.JSONDecodeError:
+                return "Invalid JSON"
+        return None
+
+
+class TextareaColumnType(ColumnType):
+    name = "textarea"
+    description = "Multiline text"
+    sqlite_types = (SQLiteType.TEXT,)
+
+
+@hookimpl
+def register_column_types(datasette):
+    return [UrlColumnType, EmailColumnType, JsonColumnType, TextareaColumnType]
diff --git a/datasette/default_database_actions.py b/datasette/default_database_actions.py
new file mode 100644
index 00000000..e0cb3cdf
--- /dev/null
+++ b/datasette/default_database_actions.py
@@ -0,0 +1,24 @@
+from datasette import hookimpl
+from datasette.resources import DatabaseResource
+
+
+@hookimpl
+def database_actions(datasette, actor, database, request):
+    async def inner():
+        if not datasette.get_database(database).is_mutable:
+            return []
+        if not await datasette.allowed(
+            action="execute-write-sql",
+            resource=DatabaseResource(database),
+            actor=actor,
+        ):
+            return []
+        return [
+            {
+                "href": datasette.urls.database(database) + "/-/execute-write",
+                "label": "Execute write SQL",
+                "description": "Run writable SQL with table permission checks.",
+            }
+        ]
+
+    return inner
diff --git a/datasette/default_debug_menu.py b/datasette/default_debug_menu.py
new file mode 100644
index 00000000..8ea3c287
--- /dev/null
+++ b/datasette/default_debug_menu.py
@@ -0,0 +1,80 @@
+from datasette import hookimpl
+from datasette.jump import JumpSQL
+
+DEBUG_MENU_ITEMS = (
+    (
+        "/-/databases",
+        "Databases",
+        "List of databases known to this Datasette instance.",
+    ),
+    (
+        "/-/plugins",
+        "Installed plugins",
+        "Review loaded plugins, their versions and their registered hooks.",
+    ),
+    (
+        "/-/versions",
+        "Version info",
+        "Check the Python, SQLite and dependency versions used by this server.",
+    ),
+    (
+        "/-/settings",
+        "Settings",
+        "Inspect the active Datasette settings and configuration values.",
+    ),
+    (
+        "/-/permissions",
+        "Debug permissions",
+        "Test permission checks for actors, actions and resources.",
+    ),
+    (
+        "/-/messages",
+        "Debug messages",
+        "Try out temporary flash messages shown to users.",
+    ),
+    (
+        "/-/allow-debug",
+        "Debug allow rules",
+        "Explore how allow blocks match actors against permission rules.",
+    ),
+    (
+        "/-/debug/autocomplete",
+        "Debug autocomplete",
+        "Try out table autocomplete against a detected label column.",
+    ),
+    (
+        "/-/threads",
+        "Debug threads",
+        "Inspect worker threads and database tasks.",
+    ),
+    (
+        "/-/actor",
+        "Debug actor",
+        "View the actor object for the current signed-in user.",
+    ),
+    (
+        "/-/patterns",
+        "Pattern portfolio",
+        "Browse Datasette UI patterns.",
+    ),
+)
+
+
+@hookimpl
+def jump_items_sql(datasette, actor, request):
+    async def inner():
+        if not await datasette.allowed(action="debug-menu", actor=actor):
+            return []
+
+        return [
+            JumpSQL.menu_item(
+                label=label,
+                url=datasette.urls.path(path),
+                description=description,
+                search_text=f"debug {label} {description}",
+                item_type="debug",
+            )
+            for path, label, description in DEBUG_MENU_ITEMS
+        ]
+
+    return inner
diff --git a/datasette/default_jump_items.py b/datasette/default_jump_items.py
new file mode 100644
index 00000000..d215e7ec
--- /dev/null
+++ b/datasette/default_jump_items.py
@@ -0,0 +1,82 @@
+from datasette import hookimpl
+from datasette.jump import JumpSQL
+
+
+@hookimpl
+def jump_items_sql(datasette, actor, request):
+    async def inner():
+        database_sql, database_params = await datasette.allowed_resources_sql(
+            action="view-database", actor=actor
+        )
+        table_sql, table_params = await datasette.allowed_resources_sql(
+            action="view-table", actor=actor
+        )
+        query_sql, query_params = await datasette.allowed_resources_sql(
+            action="view-query", actor=actor
+        )
+        return [
+            JumpSQL(
+                sql=f"""
+                WITH allowed_databases AS (
+                    {database_sql}
+                )
+                SELECT
+                    'database' AS type,
+                    parent AS label,
+                    NULL AS description,
+                    json_object(
+                        'method', 'database',
+                        'database', parent
+                    ) AS url,
+                    parent AS search_text,
+                    NULL AS display_name
+                FROM allowed_databases
+                """,
+                params=database_params,
+            ),
+            JumpSQL(
+                sql=f"""
+                WITH allowed_tables AS (
+                    {table_sql}
+                )
+                SELECT
+                    CASE WHEN catalog_views.view_name IS NULL THEN 'table' ELSE 'view' END AS type,
+                    allowed_tables.parent || ': ' || allowed_tables.child AS label,
+                    NULL AS description,
+                    json_object(
+                        'method', 'table',
+                        'database', allowed_tables.parent,
+                        'table', allowed_tables.child
+                    ) AS url,
+                    allowed_tables.parent || ' ' || allowed_tables.child AS search_text,
+                    NULL AS display_name
+                FROM allowed_tables
+                LEFT JOIN catalog_views
+                    ON catalog_views.database_name = allowed_tables.parent
+                   AND catalog_views.view_name = allowed_tables.child
+                """,
+                params=table_params,
+            ),
+            JumpSQL(
+                sql=f"""
+                WITH allowed_queries AS (
+                    {query_sql}
+                )
+                SELECT
+                    'query' AS type,
+                    allowed_queries.parent || ': ' || allowed_queries.child AS label,
+                    NULL AS description,
+                    json_object(
+                        'method', 'query',
+                        'database', allowed_queries.parent,
+                        'query', allowed_queries.child
+                    ) AS url,
+                    allowed_queries.parent || ' ' || allowed_queries.child AS search_text,
+                    NULL AS display_name
+                FROM allowed_queries
+                """,
+                params=query_params,
+            ),
+        ]
+
+    return inner
diff --git a/datasette/default_menu_links.py b/datasette/default_menu_links.py
deleted file mode 100644
index 85032387..00000000
--- a/datasette/default_menu_links.py
+++ /dev/null
@@ -1,41 +0,0 @@
-from datasette import hookimpl
-
-
-@hookimpl
-def menu_links(datasette, actor):
-    async def inner():
-        if not await datasette.allowed(action="debug-menu", actor=actor):
-            return []
-
-        return [
-            {"href": datasette.urls.path("/-/databases"), "label": "Databases"},
-            {
-                "href": datasette.urls.path("/-/plugins"),
-                "label": "Installed plugins",
-            },
-            {
-                "href": datasette.urls.path("/-/versions"),
-                "label": "Version info",
-            },
-            {
-                "href": datasette.urls.path("/-/settings"),
-                "label": "Settings",
-            },
-            {
-                "href": datasette.urls.path("/-/permissions"),
-                "label": "Debug permissions",
-            },
-            {
-                "href": datasette.urls.path("/-/messages"),
-                "label": "Debug messages",
-            },
-            {
-                "href": datasette.urls.path("/-/allow-debug"),
-                "label": "Debug allow rules",
-            },
-            {"href": datasette.urls.path("/-/threads"), "label": "Debug threads"},
-            {"href": datasette.urls.path("/-/actor"), "label": "Debug actor"},
-            {"href": datasette.urls.path("/-/patterns"), "label": "Pattern portfolio"},
-        ]
-
-    return inner
diff --git a/datasette/default_permissions/__init__.py b/datasette/default_permissions/__init__.py
index 4ebe6147..6cd46f04 100644
--- a/datasette/default_permissions/__init__.py
+++ b/datasette/default_permissions/__init__.py
@@ -17,13 +17,6 @@ UNION/INTERSECT operations. The order of evaluation is:
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Optional
-
-if TYPE_CHECKING:
-    from datasette.app import Datasette
-
-from datasette import hookimpl
-
 # Re-export all hooks and public utilities
 from .restrictions import (
     actor_restrictions_sql as actor_restrictions_sql,
@@ -33,26 +26,9 @@ from .restrictions import (
 from .root import root_user_permissions_sql as root_user_permissions_sql
 from .config import config_permissions_sql as config_permissions_sql
 from .defaults import (
+    # Avoid "datasette.default_permissions" does not explicitly export attribute
     default_allow_sql_check as default_allow_sql_check,
     default_action_permissions_sql as default_action_permissions_sql,
+    default_query_permissions_sql as default_query_permissions_sql,
     DEFAULT_ALLOW_ACTIONS as DEFAULT_ALLOW_ACTIONS,
 )
-
-
-@hookimpl
-def skip_csrf(scope) -> Optional[bool]:
-    """Skip CSRF check for JSON content-type requests."""
-    if scope["type"] == "http":
-        headers = scope.get("headers") or {}
-        if dict(headers).get(b"content-type") == b"application/json":
-            return True
-    return None
-
-
-@hookimpl
-def canned_queries(datasette: "Datasette", database: str, actor) -> dict:
-    """Return canned queries defined in datasette.yaml configuration."""
-    queries = (
-        ((datasette.config or {}).get("databases") or {}).get(database) or {}
-    ).get("queries") or {}
-    return queries
diff --git a/datasette/default_permissions/defaults.py b/datasette/default_permissions/defaults.py
index 4c74219d..5bc74425 100644
--- a/datasette/default_permissions/defaults.py
+++ b/datasette/default_permissions/defaults.py
@@ -67,3 +67,48 @@ async def default_action_permissions_sql(
         return PermissionSQL.allow(reason=reason)
 
     return None
+
+
+@hookimpl(specname="permission_resources_sql")
+async def default_query_permissions_sql(
+    datasette: "Datasette",
+    actor: Optional[dict],
+    action: str,
+) -> Optional[PermissionSQL]:
+    actor_id = actor.get("id") if isinstance(actor, dict) else None
+
+    if action not in {"view-query", "update-query", "delete-query"}:
+        return None
+
+    params = {"query_owner_id": actor_id}
+    rule_sqls = []
+    if actor_id is not None:
+        if action in {"update-query", "delete-query"}:
+            # Query owner can update/delete query
+            rule_sqls.append("""
+            SELECT database_name AS parent, name AS child, 1 AS allow,
+              'query owner' AS reason
+            FROM queries
+            WHERE source = 'user'
+              AND owner_id = :query_owner_id
+            """)
+        else:
+            # Query owner can view-query
+            rule_sqls.append("""
+            SELECT database_name AS parent, name AS child, 1 AS allow,
+              'query owner' AS reason
+            FROM queries
+            WHERE owner_id = :query_owner_id
+            """)
+
+    # restriction_sql enforces private queries ONLY visible/mutable by owner
+    return PermissionSQL(
+        sql="\nUNION ALL\n".join(rule_sqls) if rule_sqls else None,
+        restriction_sql="""
+        SELECT database_name AS parent, name AS child
+        FROM queries
+        WHERE is_private = 0
+           OR owner_id = :query_owner_id
+        """,
+        params=params,
+    )
diff --git a/datasette/default_query_actions.py b/datasette/default_query_actions.py
new file mode 100644
index 00000000..2183e70b
--- /dev/null
+++ b/datasette/default_query_actions.py
@@ -0,0 +1,48 @@
+from datasette import hookimpl
+from datasette.resources import QueryResource
+
+
+@hookimpl
+def query_actions(datasette, actor, database, query_name, request):
+    # Only stored queries (with a name) can be edited or deleted
+    if not query_name:
+        return None
+
+    async def inner():
+        query = await datasette.get_query(database, query_name)
+        if query is None:
+            return []
+        # Config-defined and trusted queries are managed outside the UI
+        if query.source == "config" or query.is_trusted:
+            return []
+
+        links = []
+        if await datasette.allowed(
+            action="update-query",
+            resource=QueryResource(database, query_name),
+            actor=actor,
+        ):
+            links.append(
+                {
+                    "href": datasette.urls.table(database, query_name) + "/-/edit",
+                    "label": "Edit this query",
+                    "description": (
+                        "Change the title, description, SQL or visibility."
+                    ),
+                }
+            )
+        if await datasette.allowed(
+            action="delete-query",
+            resource=QueryResource(database, query_name),
+            actor=actor,
+        ):
+            links.append(
+                {
+                    "href": datasette.urls.table(database, query_name) + "/-/delete",
+                    "label": "Delete this query",
+                    "description": "Permanently remove this saved query.",
+                }
+            )
+        return links
+
+    return inner
diff --git a/datasette/default_table_actions.py b/datasette/default_table_actions.py
new file mode 100644
index 00000000..e41434ef
--- /dev/null
+++ b/datasette/default_table_actions.py
@@ -0,0 +1,29 @@
+from datasette import hookimpl
+from datasette.resources import TableResource
+
+
+@hookimpl
+def table_actions(datasette, actor, database, table, request):
+    async def inner():
+        db = datasette.get_database(database)
+        if not db.is_mutable:
+            return []
+        if not await datasette.allowed(
+            action="alter-table",
+            resource=TableResource(database=database, table=table),
+            actor=actor,
+        ):
+            return []
+        return [
+            {
+                "type": "button",
+                "label": "Alter table",
+                "description": "Change columns and primary key for this table.",
+                "attrs": {
+                    "aria-label": "Alter table {}".format(table),
+                    "data-table-action": "alter-table",
+                },
+            }
+        ]
+
+    return inner
diff --git a/datasette/events.py b/datasette/events.py
index 5cd5ba3d..e8786da9 100644
--- a/datasette/events.py
+++ b/datasette/events.py
@@ -199,6 +199,27 @@ class UpdateRowEvent(Event):
     pks: list
 
 
+@dataclass
+class RenameTableEvent(Event):
+    """
+    Event name: ``rename-table``
+
+    A table has been renamed.
+
+    :ivar database: The name of the database containing the renamed table.
+    :type database: str
+    :ivar old_table: The previous name of the table.
+    :type old_table: str
+    :ivar new_table: The new name of the table.
+    :type new_table: str
+    """
+
+    name = "rename-table"
+    database: str
+    old_table: str
+    new_table: str
+
+
 @dataclass
 class DeleteRowEvent(Event):
     """
@@ -219,6 +240,42 @@ class DeleteRowEvent(Event):
     pks: list
 
 
+@hookimpl
+def write_wrapper(datasette, database, request, transaction):
+    def wrapper(conn, track_event):
+        # Snapshot rootpage -> name before the write
+        before = {
+            row[1]: row[0]
+            for row in conn.execute(
+                "select name, rootpage from sqlite_master"
+                " where type='table' and rootpage != 0"
+            ).fetchall()
+        }
+        yield
+        # Snapshot rootpage -> name after the write
+        after = {
+            row[1]: row[0]
+            for row in conn.execute(
+                "select name, rootpage from sqlite_master"
+                " where type='table' and rootpage != 0"
+            ).fetchall()
+        }
+        # Detect renames: same rootpage, different name
+        for rootpage, old_name in before.items():
+            new_name = after.get(rootpage)
+            if new_name and new_name != old_name:
+                track_event(
+                    RenameTableEvent(
+                        actor=request.actor if request else None,
+                        database=database,
+                        old_table=old_name,
+                        new_table=new_name,
+                    )
+                )
+
+    return wrapper
+
+
 @hookimpl
 def register_events():
     return [
@@ -227,6 +284,7 @@ def register_events():
         CreateTableEvent,
         CreateTokenEvent,
         AlterTableEvent,
+        RenameTableEvent,
         DropTableEvent,
         InsertRowsEvent,
         UpsertRowsEvent,
diff --git a/datasette/extras.py b/datasette/extras.py
new file mode 100644
index 00000000..36014185
--- /dev/null
+++ b/datasette/extras.py
@@ -0,0 +1,128 @@
+import re
+from dataclasses import dataclass
+from enum import Enum
+from typing import ClassVar
+
+from asyncinject import Registry
+
+
+def extra_names_from_request(request):
+    extra_bits = request.args.getlist("_extra")
+    extras = set()
+    for bit in extra_bits:
+        extras.update(part for part in bit.split(",") if part)
+    return extras
+
+
+class ExtraScope(Enum):
+    TABLE = "table"
+    ROW = "row"
+    QUERY = "query"
+
+
+@dataclass(frozen=True)
+class ExtraExample:
+    path: str | None = None
+    key: str | None = None
+    value: object | None = None
+    note: str | None = None
+
+
+class Provider:
+    name: ClassVar[str | None] = None
+    scopes: ClassVar[set[ExtraScope]] = set()
+    public: ClassVar[bool] = False
+
+    @classmethod
+    def key(cls):
+        return cls.name or _camel_to_snake(cls.__name__)
+
+    @classmethod
+    def available_for(cls, scope):
+        return scope in cls.scopes
+
+    async def resolve(self, context):
+        raise NotImplementedError
+
+
+class Extra(Provider):
+    description: ClassVar[str | None] = None
+    example: ClassVar[ExtraExample | None] = None
+    examples: ClassVar[dict[ExtraScope, ExtraExample | list[ExtraExample]]] = {}
+    public: ClassVar[bool] = True
+    expensive: ClassVar[bool] = False
+    docs_note: ClassVar[str | None] = None
+
+    @classmethod
+    def example_for_scope(cls, scope):
+        return cls.examples.get(scope, cls.example)
+
+
+class ExtraRegistry:
+    def __init__(self, classes):
+        self.classes = list(classes)
+        self.classes_by_name = {cls.key(): cls for cls in self.classes}
+        # Lazily-built shared state, keyed by scope. Safe to share across
+        # requests because Extra instances are stateless and asyncinject's
+        # Registry keeps per-call state local to each resolve_multi() call.
+        # If extras classes ever become registerable at runtime (e.g. via a
+        # plugin hook) these caches will need invalidating.
+        self._scope_registries = {}
+        self._allowed_names = {}
+
+    def classes_for_scope(self, scope, include_internal=True):
+        classes = [
+            cls
+            for cls in self.classes
+            if cls.available_for(scope) and (include_internal or cls.public)
+        ]
+        return classes
+
+    def public_classes_for_scope(self, scope):
+        return self.classes_for_scope(scope, include_internal=False)
+
+    def internal_classes_for_scope(self, scope):
+        # Extras that are available to HTML templates but excluded from
+        # JSON responses - plain Providers are dependency plumbing and
+        # never surface as keys, so they are not included
+        return [
+            cls
+            for cls in self.classes_for_scope(scope)
+            if issubclass(cls, Extra) and not cls.public
+        ]
+
+    def _registry_for_scope(self, scope):
+        registry = self._scope_registries.get(scope)
+        if registry is None:
+            registry = Registry()
+            for cls in self.classes_for_scope(scope):
+                registry.register(cls().resolve, name=cls.key())
+            self._scope_registries[scope] = registry
+        return registry
+
+    def _allowed_names_for_scope(self, scope, include_internal):
+        key = (scope, include_internal)
+        names = self._allowed_names.get(key)
+        if names is None:
+            names = {
+                cls.key()
+                for cls in self.classes_for_scope(
+                    scope, include_internal=include_internal
+                )
+            }
+            self._allowed_names[key] = names
+        return names
+
+    async def resolve(self, requested, context, scope, include_internal=False):
+        allowed_names = self._allowed_names_for_scope(scope, include_internal)
+        requested_names = [name for name in requested if name in allowed_names]
+        resolved = await self._registry_for_scope(scope).resolve_multi(
+            requested_names, results={"context": context}
+        )
+        return {name: resolved[name] for name in requested_names}
+
+
+def _camel_to_snake(name):
+    name = re.sub(r"(Extra|Provider)$", "", name)
+    name = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", name)
+    return re.sub("([a-z0-9])([A-Z])", r"\1_\2", name).lower()
diff --git a/datasette/facets.py b/datasette/facets.py
index bc4b6904..abe0605e 100644
--- a/datasette/facets.py
+++ b/datasette/facets.py
@@ -83,7 +83,7 @@ class Facet:
         self.ds = ds
         self.request = request
         self.database = database
-        # For foreign key expansion. Can be None for e.g. canned SQL queries:
+        # For foreign key expansion. Can be None for e.g. stored SQL queries:
         self.table = table
         self.sql = sql or f"select * from [{table}]"
         self.params = params or []
diff --git a/datasette/fixtures.py b/datasette/fixtures.py
new file mode 100644
index 00000000..7c85e16a
--- /dev/null
+++ b/datasette/fixtures.py
@@ -0,0 +1,415 @@
+from datasette.utils.sqlite import sqlite3
+from datasette.utils import documented
+import itertools
+import random
+import string
+
+__all__ = [
+    "EXTRA_DATABASE_SQL",
+    "TABLES",
+    "TABLE_PARAMETERIZED_SQL",
+    "generate_compound_rows",
+    "generate_sortable_rows",
+    "populate_extra_database",
+    "populate_fixture_database",
+    "write_extra_database",
+    "write_fixture_database",
+]
+
+
+def generate_compound_rows(num):
+    """Generate rows for the compound_three_primary_keys fixture table."""
+    for a, b, c in itertools.islice(
+        itertools.product(string.ascii_lowercase, repeat=3), num
+    ):
+        yield a, b, c, f"{a}-{b}-{c}"
+
+
+def generate_sortable_rows(num):
+    """Generate rows for the sortable fixture table."""
+    rand = random.Random(42)
+    for a, b in itertools.islice(
+        itertools.product(string.ascii_lowercase, repeat=2), num
+    ):
+        yield {
+            "pk1": a,
+            "pk2": b,
+            "content": f"{a}-{b}",
+            "sortable": rand.randint(-100, 100),
+            "sortable_with_nulls": rand.choice([None, rand.random(), rand.random()]),
+            "sortable_with_nulls_2": rand.choice([None, rand.random(), rand.random()]),
+            "text": rand.choice(["$null", "$blah"]),
+        }
+
+
+TABLES = (
+    """
+CREATE TABLE simple_primary_key (
+  id integer primary key,
+  content text
+);
+
+CREATE TABLE primary_key_multiple_columns (
+  id varchar(30) primary key,
+  content text,
+  content2 text
+);
+
+CREATE TABLE primary_key_multiple_columns_explicit_label (
+  id varchar(30) primary key,
+  content text,
+  content2 text
+);
+
+CREATE TABLE compound_primary_key (
+  pk1 varchar(30),
+  pk2 varchar(30),
+  content text,
+  PRIMARY KEY (pk1, pk2)
+);
+
+INSERT INTO compound_primary_key VALUES ('a', 'b', 'c');
+INSERT INTO compound_primary_key VALUES ('a/b', '.c-d', 'c');
+INSERT INTO compound_primary_key VALUES ('d', 'e', 'RENDER_CELL_DEMO');
+
+CREATE TABLE compound_three_primary_keys (
+  pk1 varchar(30),
+  pk2 varchar(30),
+  pk3 varchar(30),
+  content text,
+  PRIMARY KEY (pk1, pk2, pk3)
+);
+CREATE INDEX idx_compound_three_primary_keys_content ON compound_three_primary_keys(content);
+
+CREATE TABLE foreign_key_references (
+  pk varchar(30) primary key,
+  foreign_key_with_label integer,
+  foreign_key_with_blank_label integer,
+  foreign_key_with_no_label varchar(30),
+  foreign_key_compound_pk1 varchar(30),
+  foreign_key_compound_pk2 varchar(30),
+  FOREIGN KEY (foreign_key_with_label) REFERENCES simple_primary_key(id),
+  FOREIGN KEY (foreign_key_with_blank_label) REFERENCES simple_primary_key(id),
+  FOREIGN KEY (foreign_key_with_no_label) REFERENCES primary_key_multiple_columns(id)
+  FOREIGN KEY (foreign_key_compound_pk1, foreign_key_compound_pk2) REFERENCES compound_primary_key(pk1, pk2)
+);
+
+CREATE TABLE sortable (
+  pk1 varchar(30),
+  pk2 varchar(30),
+  content text,
+  sortable integer,
+  sortable_with_nulls real,
+  sortable_with_nulls_2 real,
+  text text,
+  PRIMARY KEY (pk1, pk2)
+);
+
+CREATE TABLE no_primary_key (
+  content text,
+  a text,
+  b text,
+  c text
+);
+
+CREATE TABLE [123_starts_with_digits] (
+  content text
+);
+
+CREATE VIEW paginated_view AS
+    SELECT
+        content,
+        '- ' || content || ' -' AS content_extra
+    FROM no_primary_key;
+
+CREATE TABLE "Table With Space In Name" (
+  pk varchar(30) primary key,
+  content text
+);
+
+CREATE TABLE "table/with/slashes.csv" (
+  pk varchar(30) primary key,
+  content text
+);
+
+CREATE TABLE "complex_foreign_keys" (
+  pk varchar(30) primary key,
+  f1 integer,
+  f2 integer,
+  f3 integer,
+  FOREIGN KEY ("f1") REFERENCES [simple_primary_key](id),
+  FOREIGN KEY ("f2") REFERENCES [simple_primary_key](id),
+  FOREIGN KEY ("f3") REFERENCES [simple_primary_key](id)
+);
+
+CREATE TABLE "custom_foreign_key_label" (
+  pk varchar(30) primary key,
+  foreign_key_with_custom_label text,
+  FOREIGN KEY ("foreign_key_with_custom_label") REFERENCES [primary_key_multiple_columns_explicit_label](id)
+);
+
+CREATE TABLE tags (
+    tag TEXT PRIMARY KEY
+);
+
+CREATE TABLE searchable (
+  pk integer primary key,
+  text1 text,
+  text2 text,
+  [name with . and spaces] text
+);
+
+CREATE TABLE searchable_tags (
+    searchable_id integer,
+    tag text,
+    PRIMARY KEY (searchable_id, tag),
+    FOREIGN KEY (searchable_id) REFERENCES searchable(pk),
+    FOREIGN KEY (tag) REFERENCES tags(tag)
+);
+
+INSERT INTO searchable VALUES (1, 'barry cat', 'terry dog', 'panther');
+INSERT INTO searchable VALUES (2, 'terry dog', 'sara weasel', 'puma');
+
+INSERT INTO tags VALUES ("canine");
+INSERT INTO tags VALUES ("feline");
+
+INSERT INTO searchable_tags (searchable_id, tag) VALUES
+    (1, "feline"),
+    (2, "canine")
+;
+
+CREATE VIRTUAL TABLE "searchable_fts"
+    USING FTS5 (text1, text2, [name with . and spaces], content="searchable", content_rowid="pk");
+INSERT INTO "searchable_fts" (searchable_fts) VALUES ('rebuild');
+
+CREATE TABLE [select] (
+  [group] text,
+  [having] text,
+  [and] text,
+  [json] text
+);
+INSERT INTO [select] VALUES ('group', 'having', 'and',
+    '{"href": "http://example.com/", "label":"Example"}'
+);
+
+CREATE TABLE infinity (
+    value REAL
+);
+INSERT INTO infinity VALUES
+    (1e999),
+    (-1e999),
+    (1.5)
+;
+
+CREATE TABLE facet_cities (
+    id integer primary key,
+    name text
+);
+INSERT INTO facet_cities (id, name) VALUES
+    (1, 'San Francisco'),
+    (2, 'Los Angeles'),
+    (3, 'Detroit'),
+    (4, 'Memnonia')
+;
+
+CREATE TABLE facetable (
+    pk integer primary key,
+    created text,
+    planet_int integer,
+    on_earth integer,
+    state text,
+    _city_id integer,
+    _neighborhood text,
+    tags text,
+    complex_array text,
+    distinct_some_null,
+    n text,
+    FOREIGN KEY ("_city_id") REFERENCES [facet_cities](id)
+);
+INSERT INTO facetable
+    (created, planet_int, on_earth, state, _city_id, _neighborhood, tags, complex_array, distinct_some_null, n)
+VALUES
+    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Mission', '["tag1", "tag2"]', '[{"foo": "bar"}]', 'one', 'n1'),
+    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Dogpatch', '["tag1", "tag3"]', '[]', 'two', 'n2'),
+    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'SOMA', '[]', '[]', null, null),
+    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Tenderloin', '[]', '[]', null, null),
+    ("2019-01-15 08:00:00", 1, 1, 'CA', 1, 'Bernal Heights', '[]', '[]', null, null),
+    ("2019-01-15 08:00:00", 1, 1, 'CA', 1, 'Hayes Valley', '[]', '[]', null, null),
+    ("2019-01-15 08:00:00", 1, 1, 'CA', 2, 'Hollywood', '[]', '[]', null, null),
+    ("2019-01-15 08:00:00", 1, 1, 'CA', 2, 'Downtown', '[]', '[]', null, null),
+    ("2019-01-16 08:00:00", 1, 1, 'CA', 2, 'Los Feliz', '[]', '[]', null, null),
+    ("2019-01-16 08:00:00", 1, 1, 'CA', 2, 'Koreatown', '[]', '[]', null, null),
+    ("2019-01-16 08:00:00", 1, 1, 'MI', 3, 'Downtown', '[]', '[]', null, null),
+    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Greektown', '[]', '[]', null, null),
+    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Corktown', '[]', '[]', null, null),
+    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Mexicantown', '[]', '[]', null, null),
+    ("2019-01-17 08:00:00", 2, 0, 'MC', 4, 'Arcadia Planitia', '[]', '[]', null, null)
+;
+
+CREATE TABLE binary_data (
+    data BLOB
+);
+
+-- Many 2 Many demo: roadside attractions!
+
+CREATE TABLE roadside_attractions (
+    pk integer primary key,
+    name text,
+    address text,
+    url text,
+    latitude real,
+    longitude real
+);
+INSERT INTO roadside_attractions VALUES (
+    1, "The Mystery Spot", "465 Mystery Spot Road, Santa Cruz, CA 95065", "https://www.mysteryspot.com/",
+    37.0167, -122.0024
+);
+INSERT INTO roadside_attractions VALUES (
+    2, "Winchester Mystery House", "525 South Winchester Boulevard, San Jose, CA 95128", "https://winchestermysteryhouse.com/",
+    37.3184, -121.9511
+);
+INSERT INTO roadside_attractions VALUES (
+    3, "Burlingame Museum of PEZ Memorabilia", "214 California Drive, Burlingame, CA 94010", null,
+    37.5793, -122.3442
+);
+INSERT INTO roadside_attractions VALUES (
+    4, "Bigfoot Discovery Museum", "5497 Highway 9, Felton, CA 95018", "https://www.bigfootdiscoveryproject.com/",
+    37.0414, -122.0725
+);
+
+CREATE TABLE attraction_characteristic (
+    pk integer primary key,
+    name text
+);
+INSERT INTO attraction_characteristic VALUES (
+    1, "Museum"
+);
+INSERT INTO attraction_characteristic VALUES (
+    2, "Paranormal"
+);
+
+CREATE TABLE roadside_attraction_characteristics (
+    attraction_id INTEGER REFERENCES roadside_attractions(pk),
+    characteristic_id INTEGER REFERENCES attraction_characteristic(pk)
+);
+INSERT INTO roadside_attraction_characteristics VALUES (
+    1, 2
+);
+INSERT INTO roadside_attraction_characteristics VALUES (
+    2, 2
+);
+INSERT INTO roadside_attraction_characteristics VALUES (
+    4, 2
+);
+INSERT INTO roadside_attraction_characteristics VALUES (
+    3, 1
+);
+INSERT INTO roadside_attraction_characteristics VALUES (
+    4, 1
+);
+
+INSERT INTO simple_primary_key VALUES (1, 'hello');
+INSERT INTO simple_primary_key VALUES (2, 'world');
+INSERT INTO simple_primary_key VALUES (3, '');
+INSERT INTO simple_primary_key VALUES (4, 'RENDER_CELL_DEMO');
+INSERT INTO simple_primary_key VALUES (5, 'RENDER_CELL_ASYNC');
+
+INSERT INTO primary_key_multiple_columns VALUES (1, 'hey', 'world');
+INSERT INTO primary_key_multiple_columns_explicit_label VALUES (1, 'hey', 'world2');
+
+INSERT INTO foreign_key_references VALUES (1, 1, 3, 1, 'a', 'b');
+INSERT INTO foreign_key_references VALUES (2, null, null, null, null, null);
+
+INSERT INTO complex_foreign_keys VALUES (1, 1, 2, 1);
+INSERT INTO custom_foreign_key_label VALUES (1, 1);
+
+INSERT INTO [table/with/slashes.csv] VALUES (3, 'hey');
+
+CREATE VIEW simple_view AS
+    SELECT content, upper(content) AS upper_content FROM simple_primary_key;
+
+CREATE VIEW searchable_view AS
+    SELECT * from searchable;
+
+CREATE VIEW searchable_view_configured_by_metadata AS
+    SELECT * from searchable;
+
+"""
+    + "\n".join(
+        [
+            'INSERT INTO no_primary_key VALUES ({i}, "a{i}", "b{i}", "c{i}");'.format(
+                i=i + 1
+            )
+            for i in range(201)
+        ]
+    )
+    + '\nINSERT INTO no_primary_key VALUES ("RENDER_CELL_DEMO", "a202", "b202", "c202");\n'
+    + "\n".join(
+        [
+            'INSERT INTO compound_three_primary_keys VALUES ("{a}", "{b}", "{c}", "{content}");'.format(
+                a=a, b=b, c=c, content=content
+            )
+            for a, b, c, content in generate_compound_rows(1001)
+        ]
+    )
+    + "\n".join(["""INSERT INTO sortable VALUES (
+        "{pk1}", "{pk2}", "{content}", {sortable},
+        {sortable_with_nulls}, {sortable_with_nulls_2}, "{text}");
+    """.format(**row).replace("None", "null") for row in generate_sortable_rows(201)])
+)
+
+TABLE_PARAMETERIZED_SQL = [
+    ("insert into binary_data (data) values (?);", [b"\x15\x1c\x02\xc7\xad\x05\xfe"]),
+    ("insert into binary_data (data) values (?);", [b"\x15\x1c\x03\xc7\xad\x05\xfe"]),
+    ("insert into binary_data (data) values (null);", []),
+]
+
+EXTRA_DATABASE_SQL = """
+CREATE TABLE searchable (
+  pk integer primary key,
+  text1 text,
+  text2 text
+);
+
+CREATE VIEW searchable_view AS SELECT * FROM searchable;
+
+INSERT INTO searchable VALUES (1, 'barry cat', 'terry dog');
+INSERT INTO searchable VALUES (2, 'terry dog', 'sara weasel');
+
+CREATE VIRTUAL TABLE "searchable_fts"
+    USING FTS3 (text1, text2, content="searchable");
+INSERT INTO "searchable_fts" (rowid, text1, text2)
+    SELECT rowid, text1, text2 FROM searchable;
+"""
+
+
+@documented(label="datasette_fixtures_populate_fixture_database")
+def populate_fixture_database(conn):
+    """Populate a SQLite connection with Datasette's test fixture tables."""
+    conn.executescript(TABLES)
+    for sql, params in TABLE_PARAMETERIZED_SQL:
+        with conn:
+            conn.execute(sql, params)
+
+
+def populate_extra_database(conn):
+    """Populate a SQLite connection with the extra database used in tests."""
+    conn.executescript(EXTRA_DATABASE_SQL)
+
+
+def write_fixture_database(db_filename):
+    """Write Datasette's test fixture tables to a SQLite database file."""
+    conn = sqlite3.connect(db_filename)
+    try:
+        populate_fixture_database(conn)
+    finally:
+        conn.close()
+
+
+def write_extra_database(db_filename):
+    """Write the extra test database tables to a SQLite database file."""
+    conn = sqlite3.connect(db_filename)
+    try:
+        populate_extra_database(conn)
+    finally:
+        conn.close()
diff --git a/datasette/handle_exception.py b/datasette/handle_exception.py
index 96398a4c..2b311644 100644
--- a/datasette/handle_exception.py
+++ b/datasette/handle_exception.py
@@ -66,7 +66,6 @@ def handle_exception(datasette, request, exception):
                     dict(
                         info,
                         urls=datasette.urls,
-                        app_css_hash=datasette.app_css_hash(),
                         menu_links=lambda: [],
                     )
                 ),
diff --git a/datasette/hookspecs.py b/datasette/hookspecs.py
index 64901900..7c56f882 100644
--- a/datasette/hookspecs.py
+++ b/datasette/hookspecs.py
@@ -55,7 +55,17 @@ def publish_subcommand(publish):
 
 
 @hookspec
-def render_cell(row, value, column, table, pks, database, datasette, request):
+def render_cell(
+    row,
+    value,
+    column,
+    table,
+    pks,
+    database,
+    datasette,
+    request,
+    column_type,
+):
     """Customize rendering of HTML table cell values"""
 
 
@@ -74,6 +84,11 @@ def register_actions(datasette):
     """Register actions: returns a list of datasette.permission.Action objects"""
 
 
+@hookspec
+def register_column_types(datasette):
+    """Return a list of ColumnType subclasses"""
+
+
 @hookspec
 def register_routes(datasette):
     """Register URL routes: return a list of (regex, view_function) pairs"""
@@ -122,11 +137,6 @@ def permission_resources_sql(datasette, actor, action):
     """
 
 
-@hookspec
-def canned_queries(datasette, database, actor):
-    """Return a dictionary of canned query definitions or an awaitable function that returns them"""
-
-
 @hookspec
 def register_magic_parameters(datasette):
     """Return a list of (name, function) magic parameter functions"""
@@ -142,39 +152,39 @@ def menu_links(datasette, actor, request):
     """Links for the navigation menu"""
 
 
+@hookspec
+def jump_items_sql(datasette, actor, request):
+    """SQL fragments for extra items in the jump menu"""
+
+
 @hookspec
 def row_actions(datasette, actor, request, database, table, row):
-    """Links for the row actions menu"""
+    """Items for the row actions menu"""
 
 
 @hookspec
 def table_actions(datasette, actor, database, table, request):
-    """Links for the table actions menu"""
+    """Items for the table actions menu"""
 
 
 @hookspec
 def view_actions(datasette, actor, database, view, request):
-    """Links for the view actions menu"""
+    """Items for the view actions menu"""
 
 
 @hookspec
 def query_actions(datasette, actor, database, query_name, request, sql, params):
-    """Links for the query and canned query actions menu"""
+    """Items for the query and stored query actions menu"""
 
 
 @hookspec
 def database_actions(datasette, actor, database, request):
-    """Links for the database actions menu"""
+    """Items for the database actions menu"""
 
 
 @hookspec
 def homepage_actions(datasette, actor, request):
-    """Links for the homepage actions menu"""
-
-
-@hookspec
-def skip_csrf(datasette, scope):
-    """Mechanism for skipping CSRF checks for certain requests"""
+    """Items for the homepage actions menu"""
 
 
 @hookspec
@@ -218,8 +228,8 @@ def top_query(datasette, request, database, sql):
 
 
 @hookspec
-def top_canned_query(datasette, request, database, query_name):
-    """HTML to include at the top of the canned query page"""
+def top_stored_query(datasette, request, database, query_name):
+    """HTML to include at the top of the stored query page"""
 
 
 @hookspec
@@ -231,12 +241,18 @@ def register_token_handler(datasette):
 def write_wrapper(datasette, database, request, transaction):
     """Called when a write function is about to execute.
 
-    Return a generator function that accepts a ``conn`` argument.
-    The generator should ``yield`` exactly once: code before the
-    ``yield`` runs before the write, code after the ``yield`` runs
-    after the write completes. The result of the write is sent
-    back through the ``yield``, so you can capture it with
-    ``result = yield``.
+    Return a generator function that accepts a ``conn`` argument and
+    optionally a ``track_event`` argument.  The generator should
+    ``yield`` exactly once: code before the ``yield`` runs before
+    the write, code after the ``yield`` runs after the write
+    completes. The result of the write is sent back through the
+    ``yield``, so you can capture it with ``result = yield``.
+
+    If your generator accepts ``track_event``, you can call
+    ``track_event(event)`` to queue an event that will be dispatched
+    via ``datasette.track_event()`` after the write commits
+    successfully.  Events are discarded if the write raises an
+    exception.
 
     If the write raises an exception, it is thrown into the generator
     so you can handle it with a try/except around the ``yield``.
diff --git a/datasette/jump.py b/datasette/jump.py
new file mode 100644
index 00000000..d138e827
--- /dev/null
+++ b/datasette/jump.py
@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from typing import Any
+
+
+@dataclass
+class JumpSQL:
+    sql: str
+    params: dict[str, Any] | None = None
+    database: str | None = None
+
+    @classmethod
+    def menu_item(
+        cls,
+        *,
+        label: str,
+        url: str,
+        description: str = "Menu item",
+        search_text: str | None = None,
+        display_name: str | None = None,
+        item_type: str = "menu",
+    ) -> "JumpSQL":
+        if search_text is None:
+            search_text = " ".join(
+                text for text in (label, display_name, description) if text is not None
+            )
+        return cls(
+            sql="""
+            SELECT
+                :type AS type,
+                :label AS label,
+                :description AS description,
+                :url AS url,
+                :search_text AS search_text,
+                :display_name AS display_name
+            """,
+            params={
+                "type": item_type,
+                "label": label,
+                "description": description,
+                "url": url,
+                "search_text": search_text,
+                "display_name": display_name,
+            },
+        )
+
+
+_PARAM_RE = re.compile(r"(?<!:):([A-Za-z_][A-Za-z0-9_]*)")
+
+
+def namespace_sql_params(sql: str, params: dict[str, Any], prefix: str):
+    """Rename named SQL parameters so UNION query parameters cannot collide."""
+    if not params:
+        return sql, {}
+
+    renamed = {key: f"{prefix}_{key}" for key in params}
+
+    def replace(match):
+        key = match.group(1)
+        if key not in renamed:
+            return match.group(0)
+        return f":{renamed[key]}"
+
+    return _PARAM_RE.sub(replace, sql), {
+        renamed[key]: value for key, value in params.items()
+    }
diff --git a/datasette/permissions.py b/datasette/permissions.py
index b5e72b8e..786dc026 100644
--- a/datasette/permissions.py
+++ b/datasette/permissions.py
@@ -8,6 +8,14 @@ _skip_permission_checks = contextvars.ContextVar(
     "skip_permission_checks", default=False
 )
 
+# Request-scoped cache of permission check results. The ASGI router sets
+# this to a fresh dict at the start of each request, so cached verdicts
+# never outlive a request or leak between actors. Keys are
+# (actor_json, action, parent, child) tuples, values are booleans.
+_permission_check_cache: contextvars.ContextVar[dict | None] = contextvars.ContextVar(
+    "permission_check_cache", default=None
+)
+
 
 class SkipPermissions:
     """Context manager to temporarily skip permission checks.
@@ -58,6 +66,16 @@ class Resource(ABC):
         self.child = child
         self._private = None  # Sentinel to track if private was set
 
+    def __str__(self) -> str:
+        return "/".join(
+            str(part) for part in (self.parent, self.child) if part is not None
+        )
+
+    def __repr__(self) -> str:
+        return "{}(parent={!r}, child={!r})".format(
+            self.__class__.__name__, self.parent, self.child
+        )
+
     @property
     def private(self) -> bool:
         """
@@ -105,7 +123,7 @@ class Resource(ABC):
 
     @classmethod
     @abstractmethod
-    def resources_sql(cls) -> str:
+    async def resources_sql(cls, datasette, actor=None) -> str:
         """
         Return SQL query that returns all resources of this type.
 
diff --git a/datasette/plugins.py b/datasette/plugins.py
index 992137bd..ae2cb17d 100644
--- a/datasette/plugins.py
+++ b/datasette/plugins.py
@@ -25,9 +25,14 @@ DEFAULT_PLUGINS = (
     "datasette.default_permissions",
     "datasette.default_permissions.tokens",
     "datasette.default_actions",
+    "datasette.default_column_types",
     "datasette.default_magic_parameters",
     "datasette.blob_renderer",
-    "datasette.default_menu_links",
+    "datasette.default_debug_menu",
+    "datasette.default_jump_items",
+    "datasette.default_database_actions",
+    "datasette.default_table_actions",
+    "datasette.default_query_actions",
     "datasette.handle_exception",
     "datasette.forbidden",
     "datasette.events",
diff --git a/datasette/renderer.py b/datasette/renderer.py
index acf23e59..f40e3dbb 100644
--- a/datasette/renderer.py
+++ b/datasette/renderer.py
@@ -1,4 +1,5 @@
 import json
+from datasette.extras import extra_names_from_request
 from datasette.utils import (
     value_as_boolean,
     remove_infinites,
@@ -108,7 +109,7 @@ def json_renderer(request, args, data, error, truncated=None):
 
     # Don't include "columns" in output
     # https://github.com/simonw/datasette/issues/2136
-    if isinstance(data, dict) and "columns" not in request.args.getlist("_extra"):
+    if isinstance(data, dict) and "columns" not in extra_names_from_request(request):
         data.pop("columns", None)
 
     # Handle _nl option for _shape=array
diff --git a/datasette/resources.py b/datasette/resources.py
index 641afb2f..ee2e6d98 100644
--- a/datasette/resources.py
+++ b/datasette/resources.py
@@ -13,7 +13,7 @@ class DatabaseResource(Resource):
         super().__init__(parent=database, child=None)
 
     @classmethod
-    async def resources_sql(cls, datasette) -> str:
+    async def resources_sql(cls, datasette, actor=None) -> str:
         return """
             SELECT database_name AS parent, NULL AS child
             FROM catalog_databases
@@ -30,7 +30,7 @@ class TableResource(Resource):
         super().__init__(parent=database, child=table)
 
     @classmethod
-    async def resources_sql(cls, datasette) -> str:
+    async def resources_sql(cls, datasette, actor=None) -> str:
         return """
             SELECT database_name AS parent, table_name AS child
             FROM catalog_tables
@@ -41,7 +41,7 @@ class TableResource(Resource):
 
 
 class QueryResource(Resource):
-    """A canned query in a database."""
+    """A stored query in a database."""
 
     name = "query"
     parent_class = DatabaseResource
@@ -50,41 +50,9 @@ class QueryResource(Resource):
         super().__init__(parent=database, child=query)
 
     @classmethod
-    async def resources_sql(cls, datasette) -> str:
-        from datasette.plugins import pm
-        from datasette.utils import await_me_maybe
-
-        # Get all databases from catalog
-        db = datasette.get_internal_database()
-        result = await db.execute("SELECT database_name FROM catalog_databases")
-        databases = [row[0] for row in result.rows]
-
-        # Gather all canned queries from all databases
-        query_pairs = []
-        for database_name in databases:
-            # Call the hook to get queries (including from config via default plugin)
-            for queries_result in pm.hook.canned_queries(
-                datasette=datasette,
-                database=database_name,
-                actor=None,  # Get ALL queries for resource enumeration
-            ):
-                queries = await await_me_maybe(queries_result)
-                if queries:
-                    for query_name in queries.keys():
-                        query_pairs.append((database_name, query_name))
-
-        # Build SQL
-        if not query_pairs:
-            return "SELECT NULL AS parent, NULL AS child WHERE 0"
-
-        # Generate UNION ALL query
-        selects = []
-        for db_name, query_name in query_pairs:
-            # Escape single quotes by doubling them
-            db_escaped = db_name.replace("'", "''")
-            query_escaped = query_name.replace("'", "''")
-            selects.append(
-                f"SELECT '{db_escaped}' AS parent, '{query_escaped}' AS child"
-            )
-
-        return " UNION ALL ".join(selects)
+    async def resources_sql(cls, datasette, actor=None) -> str:
+        return """
+            SELECT q.database_name AS parent, q.name AS child
+            FROM queries q
+            JOIN catalog_databases cd ON cd.database_name = q.database_name
+        """
diff --git a/datasette/static/app.css b/datasette/static/app.css
index a7fc7fa3..ce800f61 100644
--- a/datasette/static/app.css
+++ b/datasette/static/app.css
@@ -63,6 +63,14 @@ em {
 }
 /* end reset */
 
+/* Modal CSS variables (shared by web components via Shadow DOM) */
+:root {
+    --modal-backdrop-bg: rgba(0, 0, 0, 0.5);
+    --modal-backdrop-blur: blur(4px);
+    --modal-border-radius: 0.75rem;
+    --modal-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
+    --modal-animation-duration: 0.2s;
+}
 
 body {
     margin: 0;
@@ -354,6 +362,32 @@ form.nav-menu-logout {
 .nav-menu-inner a {
     display: block;
 }
+.nav-menu-inner button.button-as-link {
+    display: block;
+    width: 100%;
+    text-align: left;
+    font: inherit;
+}
+.nav-menu-inner .keyboard-shortcut {
+    float: right;
+    box-sizing: border-box;
+    min-width: 1.4em;
+    margin-left: 0.75rem;
+    padding: 0 0.35em;
+    border: 1px solid rgba(255,255,244,0.6);
+    border-radius: 3px;
+    background: rgba(255,255,244,0.12);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.85em;
+    line-height: 1.35;
+    text-align: center;
+    text-decoration: none;
+}
+@media (max-width: 640px) {
+    .nav-menu-inner .keyboard-shortcut {
+        display: none;
+    }
+}
 
 /* Table/database actions menu */
 .page-action-menu {
@@ -575,9 +609,6 @@ button.core[type=button] {
     border-color: #007bff;
 }
 
-.filter-row {
-    margin-bottom: 0.6em;
-}
 .search-row {
     margin-bottom: 1.8em;
 }
@@ -589,72 +620,239 @@ button.core[type=button] {
     width: 80px;
 }
 
-.select-wrapper {
-    border: 1px solid #ccc;
-    width: 120px;
-    border-radius: 3px;
+.filters .search-row {
+    box-sizing: border-box;
+    display: grid;
+    grid-template-columns: max-content minmax(16rem, 1fr);
+    align-items: center;
+    gap: 0.6rem;
+    margin: 0 0 0.45rem;
+    padding-right: var(--filter-two-icon-space);
+}
+
+.filters .search-row label {
+    width: auto;
     padding: 0;
-    background-color: #fafafa;
-    position: relative;
+    color: var(--filter-muted);
+    font-size: 0.875rem;
+    font-weight: 600;
+}
+
+.filters {
+    --filter-ink: #0f0f0f;
+    --filter-paper: #eef6ff;
+    --filter-muted: #6b6b6b;
+    --filter-rule: #d8e6f5;
+    --filter-accent: #1a56db;
+    --filter-control-border: #bfccd9;
+    --filter-control-height: 2.125rem;
+    --filter-control-gap: 0.4rem;
+    --filter-row-icon-size: 2rem;
+    --filter-two-icon-space: calc(
+        (2 * var(--filter-row-icon-size)) + (2 * var(--filter-control-gap))
+    );
+    display: grid;
+    grid-template-columns: minmax(0, 1fr);
+    gap: 0.55rem;
+    max-width: 760px;
+    margin: 0 0 1rem;
+    padding: 0.75rem;
+    border: 1px solid var(--filter-rule);
+    border-radius: 8px;
+    background: var(--filter-paper);
+    color: var(--filter-ink);
+    font-size: 0.875rem;
+}
+
+.filters .filter-row {
+    margin-bottom: 0;
+}
+
+.filters .filter-controls-row {
+    display: grid;
+    min-width: 0;
+    width: 100%;
+    max-width: 100%;
+    box-sizing: border-box;
+    grid-template-columns:
+        minmax(8rem, 0.75fr)
+        minmax(6.5rem, 0.5fr)
+        minmax(12rem, 1.2fr)
+        var(--filter-row-icon-size)
+        var(--filter-row-icon-size);
+    gap: var(--filter-control-gap);
+    align-items: center;
+}
+
+.filters .filter-actions-row {
+    display: flex;
+    align-items: center;
+    justify-content: flex-start;
+    flex-wrap: wrap;
+    gap: 0.6rem;
+}
+
+.select-wrapper {
     display: inline-block;
-    margin-right: 0.3em;
-}
-.select-wrapper:focus-within {
-    border: 1px solid black;
+    width: 120px;
+    min-width: 0;
 }
+
 .select-wrapper.filter-op {
     width: 80px;
 }
-.select-wrapper::after {
-    content: "\25BE";
-    position: absolute;
-    top: 0px;
-    right: 0.4em;
-    color: #bbb;
-    pointer-events: none;
-    font-size: 1.2em;
-    padding-top: 0.16em;
+
+.filters .select-wrapper {
+    width: auto;
 }
 
 .select-wrapper select {
-    padding: 9px 8px;
+    box-sizing: border-box;
     width: 100%;
-    border: none;
-    box-shadow: none;
-    background: transparent;
-    background-image: none;
-    -webkit-appearance: none;
-    -moz-appearance: none;
+    height: var(--filter-control-height);
+    border: 1px solid var(--filter-control-border, #ccc);
+    border-radius: 5px;
+    background-color: #fff;
+    color: inherit;
     cursor: pointer;
+    font-family: inherit;
+    font-size: 0.875rem;
+    line-height: 1.25;
+    padding: 7px 8px;
 }
-.select-wrapper select {
-    font-size: 1em;
-    font-family: Helvetica, sans-serif;
-}
+
 .select-wrapper option {
     font-size: 1em;
     font-family: Helvetica, sans-serif;
 }
 
 .select-wrapper select:focus {
+    border-color: var(--filter-accent, #000);
+    box-shadow: 0 0 0 2px rgba(26, 86, 219, 0.14);
     outline: none;
 }
-.filters {
-    font-size: 0.8em;
-}
 .filters input.filter-value {
-    width: 200px;
-    border-radius: 3px;
-    -webkit-appearance: none;
-    padding: 9px 4px;
-    font-size: 16px;
-    font-family: Helvetica, sans-serif;
+    box-sizing: border-box;
+    width: 100%;
+    min-width: 0;
+    height: var(--filter-control-height);
+    border: 1px solid var(--filter-control-border);
+    border-radius: 5px;
+    background: #fff;
+    color: inherit;
+    font-family: inherit;
+    font-size: 0.875rem;
+    line-height: 1.25;
+    padding: 7px 9px;
+}
+
+.filters input.filter-value:focus {
+    border-color: var(--filter-accent);
+    box-shadow: 0 0 0 2px rgba(26, 86, 219, 0.14);
+    outline: none;
+}
+
+.filters input[type=submit] {
+    border-color: var(--filter-accent);
+    background: var(--filter-accent);
+    border-radius: 5px;
+    font-weight: 500;
+    padding: 0.55rem 0.85rem;
+}
+
+.filters input[type=submit]:hover,
+.filters input[type=submit]:focus {
+    background: #1949b8;
+    border-color: #1949b8;
+}
+
+.filters button.filter-row-icon {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    box-sizing: border-box;
+    width: var(--filter-row-icon-size);
+    height: var(--filter-row-icon-size);
+    min-width: var(--filter-row-icon-size);
+    padding: 0;
+    border: 1px solid var(--filter-rule);
+    border-radius: 5px;
+    background: #fff;
+    color: var(--filter-muted);
+    font-family: inherit;
+    font-size: 1.15rem;
+    font-weight: 600;
+    line-height: 1;
+}
+
+.filters button.filter-row-icon[hidden] {
+    display: none;
+}
+
+.filters button.filter-row-icon:focus-visible {
+    outline: 3px solid rgba(26, 86, 219, 0.14);
+    outline-offset: 2px;
+}
+
+.filters .filter-row-remove-icon {
+    display: block;
+    height: 14px;
+    width: 14px;
+}
+
+.filters button.filter-row-remove:hover,
+.filters button.filter-row-remove:focus {
+    border-color: #c9d5e3;
+    background: #f8fbff;
+    color: var(--filter-ink);
+}
+
+.filters button.filter-row-add {
+    border-color: var(--filter-accent);
+    background: var(--filter-accent);
+    color: #fff;
+}
+
+.filters .filter-row-add-icon {
+    display: block;
+    height: 16px;
+    width: 16px;
+}
+
+.filters button.filter-row-add:hover,
+.filters button.filter-row-add:focus {
+    border-color: #1949b8;
+    background: #1949b8;
+    color: #fff;
+}
+
+.filters button.filter-row-add:focus-visible svg {
+    color: #fff;
+    stroke: currentColor;
 }
 
 #_search {
     font-size: 16px;
 }
 
+.filters #_search {
+    box-sizing: border-box;
+    width: 100%;
+    height: var(--filter-control-height);
+    border: 1px solid var(--filter-control-border);
+    border-radius: 5px;
+    background: #fff;
+    color: var(--filter-ink);
+    font: inherit;
+    padding: 7px 9px;
+}
+
+.filters #_search:focus {
+    border-color: var(--filter-accent);
+    box-shadow: 0 0 0 2px rgba(26, 86, 219, 0.14);
+    outline: none;
+}
+
 
 
 
@@ -672,6 +870,11 @@ button.core[type=button] {
     color: #666;
     padding-right: 0.25em;
 }
+/* The label may wrap (word-break: break-all on the li) but the count should
+   stay on one line - https://github.com/simonw/datasette/issues/2754 */
+.facet-count {
+    white-space: nowrap;
+}
 .facet-info li,
 .facet-info ul {
     margin: 0;
@@ -734,6 +937,2198 @@ p.zero-results {
 .select-wrapper.small-screen-only {
     display: none;
 }
+
+@keyframes datasette-modal-slide-in {
+    from {
+        opacity: 0;
+        transform: translateY(-20px) scale(0.95);
+    }
+    to {
+        opacity: 1;
+        transform: translateY(0) scale(1);
+    }
+}
+
+@keyframes datasette-modal-fade-in {
+    from { opacity: 0; }
+    to { opacity: 1; }
+}
+
+dialog.mobile-column-actions-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(420px, calc(100vw - 32px));
+    max-width: 95vw;
+    max-height: min(640px, calc(100vh - 32px));
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.mobile-column-actions-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.mobile-column-actions-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.mobile-column-actions-dialog .modal-header {
+    padding: 20px 24px 16px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: 12px;
+    flex-shrink: 0;
+}
+
+.mobile-column-actions-dialog .modal-title {
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.mobile-column-actions-dialog .modal-meta {
+    font-family: ui-monospace, monospace;
+    font-size: 0.7rem;
+    color: var(--muted);
+    background: var(--paper);
+    padding: 3px 9px;
+    border-radius: 20px;
+}
+
+.mobile-column-actions-dialog .list-wrap {
+    flex: 1 1 auto;
+    min-height: 0;
+    overflow-y: auto;
+    overflow-x: hidden;
+    position: relative;
+    overscroll-behavior: contain;
+    -webkit-overflow-scrolling: touch;
+}
+
+.mobile-column-actions-dialog .list-wrap::before,
+.mobile-column-actions-dialog .list-wrap::after {
+    content: "";
+    position: sticky;
+    display: block;
+    left: 0;
+    right: 0;
+    height: 20px;
+    pointer-events: none;
+    z-index: 5;
+}
+
+.mobile-column-actions-dialog .list-wrap::before {
+    top: 0;
+    background: linear-gradient(to bottom, rgba(255,255,255,0.9), transparent);
+}
+
+.mobile-column-actions-dialog .list-wrap::after {
+    bottom: 0;
+    background: linear-gradient(to top, rgba(255,255,255,0.9), transparent);
+    margin-top: -20px;
+}
+
+.mobile-column-top-actions {
+    padding: 10px 24px 0;
+}
+
+.mobile-column-top-action {
+    display: inline-block;
+    text-decoration: none;
+}
+
+.mobile-column-section {
+    border-bottom: 1px solid var(--rule);
+}
+
+.mobile-column-actions-dialog .col-header {
+    width: 100%;
+    padding: 12px 24px;
+    font: inherit;
+    font-weight: 600;
+    border: 0;
+    background: none;
+    cursor: pointer;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    text-align: left;
+}
+
+.mobile-column-header-text {
+    display: flex;
+    flex-direction: column;
+    gap: 0.15rem;
+}
+
+.mobile-column-name {
+    color: var(--ink);
+}
+
+.mobile-column-meta {
+    color: var(--muted);
+    font-size: 0.78em;
+    font-family: ui-monospace, monospace;
+    font-weight: normal;
+}
+
+.mobile-column-chevron {
+    color: var(--muted);
+    transition: transform 0.2s ease-out;
+}
+
+.mobile-column-actions-dialog .col-header[aria-expanded="true"] .mobile-column-chevron {
+    transform: rotate(180deg);
+}
+
+.mobile-column-actions-dialog .col-actions[hidden] {
+    display: none;
+}
+
+.mobile-column-actions-dialog .col-actions ul,
+.mobile-column-actions-dialog .col-actions li {
+    margin: 0;
+    padding: 0;
+    list-style-type: none;
+}
+
+.mobile-column-actions-dialog .col-actions a,
+.mobile-column-actions-dialog .col-actions button {
+    display: block;
+    width: 100%;
+    padding: 10px 24px 10px 40px;
+    color: var(--ink);
+    text-align: left;
+    font: inherit;
+    text-decoration: none;
+    background: none;
+    border: 0;
+    border-top: 1px solid #f5f5f5;
+    cursor: pointer;
+}
+
+.mobile-column-actions-dialog .col-actions a:hover,
+.mobile-column-actions-dialog .col-actions button:hover {
+    background: var(--paper);
+}
+
+.mobile-column-actions-dialog .col-actions a:active,
+.mobile-column-actions-dialog .col-actions button:active {
+    background: #eee;
+}
+
+.mobile-column-description,
+.mobile-column-no-actions {
+    margin: 0;
+    padding: 0 24px 12px 24px;
+    color: var(--muted);
+    font-size: 0.85em;
+}
+
+.mobile-column-actions-dialog .modal-footer {
+    padding: 14px 20px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+}
+
+.mobile-column-actions-dialog .footer-info {
+    flex: 1;
+    font-family: ui-monospace, monospace;
+    font-size: 0.68rem;
+    color: var(--muted);
+}
+
+.mobile-column-actions-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.mobile-column-actions-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.mobile-column-actions-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+dialog.set-column-type-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(520px, calc(100vw - 32px));
+    max-width: 95vw;
+    max-height: min(720px, calc(100vh - 32px));
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.set-column-type-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.set-column-type-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.set-column-type-dialog .modal-header {
+    padding: 20px 24px 12px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: 12px;
+    flex-shrink: 0;
+}
+
+.set-column-type-dialog .modal-title {
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.set-column-type-dialog .modal-meta {
+    font-family: ui-monospace, monospace;
+    font-size: 0.7rem;
+    color: var(--muted);
+    background: var(--paper);
+    padding: 3px 9px;
+    border-radius: 20px;
+}
+
+.set-column-type-status,
+.set-column-type-empty,
+.set-column-type-error {
+    margin: 0;
+    padding: 12px 24px 0;
+}
+
+.set-column-type-status,
+.set-column-type-empty {
+    color: var(--muted);
+    font-size: 0.9rem;
+}
+
+.set-column-type-error {
+    color: #b91c1c;
+    font-size: 0.9rem;
+}
+
+.set-column-type-options {
+    padding: 16px 24px 24px;
+    overflow-y: auto;
+    display: grid;
+    gap: 12px;
+}
+
+.set-column-type-option {
+    display: grid;
+    grid-template-columns: auto 1fr;
+    gap: 12px;
+    align-items: start;
+    padding: 14px 16px;
+    border: 1px solid var(--rule);
+    border-radius: 8px;
+    background: #fbfdff;
+    cursor: pointer;
+}
+
+.set-column-type-option:focus-within {
+    border-color: var(--accent);
+    box-shadow: 0 0 0 3px rgba(26, 86, 219, 0.12);
+}
+
+.set-column-type-option input {
+    margin-top: 3px;
+}
+
+.set-column-type-option-content {
+    display: grid;
+    gap: 4px;
+}
+
+.set-column-type-option-name {
+    font-family: ui-monospace, monospace;
+    font-size: 0.95rem;
+    color: var(--ink);
+}
+
+.set-column-type-option-description {
+    color: var(--muted);
+    font-size: 0.9rem;
+}
+
+.set-column-type-dialog .modal-footer {
+    padding: 14px 20px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+}
+
+.set-column-type-dialog .footer-info {
+    flex: 1;
+    font-family: ui-monospace, monospace;
+    font-size: 0.68rem;
+    color: var(--muted);
+}
+
+.set-column-type-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.set-column-type-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.set-column-type-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+.set-column-type-dialog .btn-primary {
+    background: var(--accent);
+    color: #fff;
+}
+
+.set-column-type-dialog .btn-primary:hover {
+    background: #1949b8;
+}
+
+.set-column-type-dialog .btn:disabled {
+    opacity: 0.65;
+    cursor: wait;
+}
+
+.row-mutation-status {
+    margin: 0 0 0.75rem;
+    padding: 8px 10px;
+    border-left: 4px solid #54AC8E;
+    background: rgba(103,201,141,0.12);
+    color: #222;
+}
+
+.row-mutation-status[hidden] {
+    display: none;
+}
+
+.row-mutation-status-error {
+    border-left-color: #D0021B;
+    background: rgba(208,2,27,0.12);
+}
+
+.table-row-toolbar {
+    margin: 0 0 0.75rem;
+}
+
+button.table-insert-row {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+}
+
+button.table-insert-row svg {
+    display: block;
+    flex-shrink: 0;
+}
+
+dialog.row-delete-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(440px, calc(100vw - 32px));
+    max-width: 95vw;
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.row-delete-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.row-delete-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.row-delete-dialog .modal-header {
+    padding: 20px 24px 12px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: flex-start;
+    gap: 12px;
+    flex-shrink: 0;
+    min-width: 0;
+}
+
+.row-delete-dialog .modal-title {
+    display: flex;
+    align-items: center;
+    gap: 0.35rem;
+    min-width: 0;
+    max-width: 100%;
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.row-delete-message,
+.row-delete-error {
+    margin: 0;
+    padding: 16px 24px 0;
+}
+
+.row-delete-message {
+    color: var(--ink);
+    font-size: 0.95rem;
+}
+
+.row-delete-id {
+    display: inline;
+    padding: 2px 5px;
+    border: 1px solid var(--rule);
+    border-radius: 4px;
+    background: var(--paper);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.92em;
+    overflow-wrap: anywhere;
+}
+
+.row-delete-error {
+    color: #b91c1c;
+    font-size: 0.9rem;
+}
+
+.row-delete-dialog .modal-footer {
+    padding: 18px 20px 14px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: flex-end;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+    margin-top: 18px;
+}
+
+.row-delete-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.row-delete-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.row-delete-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+.row-delete-dialog .btn-primary {
+    background: var(--accent);
+    color: #fff;
+}
+
+.row-delete-dialog .btn-primary:hover {
+    background: #1949b8;
+}
+
+.row-delete-dialog .btn:disabled {
+    opacity: 0.65;
+    cursor: wait;
+}
+
+dialog.row-edit-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(720px, calc(100vw - 32px));
+    max-width: 95vw;
+    max-height: min(780px, calc(100vh - 32px));
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.row-edit-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.row-edit-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.row-edit-dialog .modal-header {
+    padding: 20px 24px 12px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    flex-shrink: 0;
+    min-width: 0;
+}
+
+.row-edit-dialog .modal-title {
+    display: flex;
+    align-items: center;
+    gap: 0.35rem;
+    min-width: 0;
+    max-width: 100%;
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.row-edit-dialog .modal-title .row-dialog-action,
+.row-delete-dialog .modal-title .row-dialog-action {
+    flex: 0 0 auto;
+    white-space: nowrap;
+}
+
+.row-edit-dialog .modal-title code,
+.row-delete-dialog .modal-title code {
+    display: inline;
+    flex: 0 0 auto;
+    padding: 2px 5px;
+    border: 1px solid var(--rule);
+    border-radius: 4px;
+    background: var(--paper);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.92em;
+    overflow-wrap: anywhere;
+}
+
+.row-edit-dialog .modal-title .row-dialog-label,
+.row-delete-dialog .modal-title .row-dialog-label {
+    min-width: 0;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+}
+
+.row-edit-form {
+    display: flex;
+    flex: 1 1 auto;
+    min-height: 0;
+    flex-direction: column;
+}
+
+.row-edit-summary,
+.row-edit-loading,
+.row-edit-error {
+    margin: 0;
+    padding: 12px 24px 0;
+}
+
+.row-edit-summary,
+.row-edit-loading {
+    color: var(--muted);
+    font-size: 0.9rem;
+}
+
+.row-edit-error {
+    border-left: 4px solid #b91c1c;
+    border-radius: 4px;
+    background: #fff1f1;
+    color: #7f1d1d;
+    font-size: 0.9rem;
+    margin: 12px 24px 0;
+    padding: 10px 12px;
+}
+
+.row-edit-error:focus {
+    outline: 3px solid rgba(185, 28, 28, 0.18);
+    outline-offset: 2px;
+}
+
+.row-edit-fields {
+    display: grid;
+    gap: 14px;
+    padding: 16px 24px 24px;
+    overflow-y: auto;
+}
+
+.row-edit-field {
+    display: grid;
+    grid-template-columns: minmax(120px, 180px) minmax(0, 1fr);
+    gap: 12px;
+    align-items: start;
+}
+
+.row-edit-label {
+    padding-top: 8px;
+    color: var(--ink);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.82rem;
+    overflow-wrap: anywhere;
+}
+
+.row-edit-control-wrap {
+    display: grid;
+    gap: 5px;
+}
+
+.row-edit-input {
+    box-sizing: border-box;
+    width: 100%;
+    min-width: 0;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    padding: 8px 10px;
+    color: var(--ink);
+    background: #fff;
+    font: inherit;
+}
+
+textarea.row-edit-input {
+    resize: vertical;
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.82rem;
+    line-height: 1.45;
+}
+
+.row-edit-input:focus {
+    border-color: var(--accent);
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+}
+
+.row-edit-input[aria-invalid="true"] {
+    border-color: #b42318;
+    background: #fff8f7;
+}
+
+.row-edit-input[aria-invalid="true"]:focus {
+    border-color: #b42318;
+    outline-color: rgba(180, 35, 24, 0.16);
+}
+
+.row-edit-input[readonly] {
+    color: var(--muted);
+    background: var(--paper);
+}
+
+.row-edit-default {
+    display: grid;
+    grid-template-columns: minmax(0, 1fr) 7.25rem;
+    align-items: center;
+    gap: 8px;
+    min-width: 0;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    padding: 7px 8px 7px 10px;
+    background: var(--paper);
+    color: var(--ink);
+}
+
+.row-edit-default[hidden],
+.row-edit-custom-value[hidden] {
+    display: none;
+}
+
+.row-edit-default-text {
+    min-width: 0;
+    overflow-wrap: anywhere;
+}
+
+.row-edit-default-code {
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.82rem;
+}
+
+.row-edit-custom-value {
+    display: grid;
+    grid-template-columns: minmax(0, 1fr) 7.25rem;
+    gap: 8px;
+    align-items: center;
+    min-height: 45px;
+    padding-right: 8px;
+}
+
+.row-edit-default-button {
+    appearance: none;
+    border: 1px solid var(--rule);
+    border-radius: 4px;
+    background: #fff;
+    color: var(--accent);
+    cursor: pointer;
+    font: inherit;
+    font-size: 0.78rem;
+    line-height: 1.2;
+    padding: 6px 8px;
+    white-space: nowrap;
+    width: 100%;
+    align-self: center;
+}
+
+.row-edit-default-button:hover,
+.row-edit-default-button:focus {
+    background: #f8fafc;
+}
+
+.row-edit-default-button:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 1px;
+}
+
+.row-edit-field-meta {
+    color: var(--muted);
+    font-size: 0.78rem;
+}
+
+.row-edit-field-validation-error {
+    color: #b42318;
+    display: block;
+    margin-top: 2px;
+}
+
+.row-edit-field-validation-error[hidden] {
+    display: none;
+}
+
+.row-edit-field-meta-autocomplete {
+    line-height: 1.2;
+    min-height: 1.2em;
+}
+
+.row-edit-fk-pk {
+    color: var(--ink);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+}
+
+.row-edit-fk-link {
+    overflow-wrap: anywhere;
+}
+
+.row-edit-empty {
+    color: var(--muted);
+    font-size: 0.9rem;
+    margin: 0;
+}
+
+datasette-autocomplete {
+    display: block;
+    position: relative;
+    max-width: 38rem;
+}
+
+datasette-autocomplete input[type="text"],
+.debug-autocomplete-form input[type="text"] {
+    box-sizing: border-box;
+    width: 100%;
+    max-width: 38rem;
+}
+
+.datasette-autocomplete-list {
+    background: #fff;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    box-shadow: 0 12px 24px rgba(15, 23, 42, 0.14);
+    box-sizing: border-box;
+    left: 0;
+    max-height: 16rem;
+    overflow-y: auto;
+    position: fixed;
+    right: auto;
+    top: auto;
+    z-index: 10000;
+}
+
+.datasette-autocomplete-list[hidden] {
+    display: none;
+}
+
+.datasette-autocomplete-option {
+    cursor: pointer;
+    padding: 7px 9px;
+}
+
+.datasette-autocomplete-option:hover,
+.datasette-autocomplete-option[aria-selected="true"] {
+    background: var(--paper);
+}
+
+.datasette-autocomplete-option[aria-selected="true"] {
+    background: var(--paper);
+    font-weight: 600;
+}
+
+.datasette-autocomplete-status {
+    border: 0;
+    clip: rect(0 0 0 0);
+    height: 1px;
+    margin: -1px;
+    overflow: hidden;
+    padding: 0;
+    position: absolute;
+    white-space: nowrap;
+    width: 1px;
+}
+
+.debug-autocomplete-demo {
+    margin: 1rem 0;
+}
+
+.debug-autocomplete-selected {
+    max-width: 46rem;
+}
+
+.row-edit-dialog .modal-footer {
+    padding: 14px 20px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: flex-end;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+}
+
+.row-edit-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.row-edit-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.row-edit-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+.row-edit-dialog .btn-primary {
+    background: var(--accent);
+    color: #fff;
+}
+
+.row-edit-dialog .btn-primary:hover {
+    background: #1949b8;
+}
+
+.row-edit-dialog .btn:disabled {
+    opacity: 0.55;
+    cursor: not-allowed;
+}
+
+dialog.table-create-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(980px, calc(100vw - 32px));
+    max-width: 95vw;
+    max-height: min(780px, calc(100vh - 32px));
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.table-create-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.table-create-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.table-create-dialog .modal-header {
+    padding: 20px 24px 12px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    flex-shrink: 0;
+    min-width: 0;
+}
+
+.table-create-dialog .modal-title {
+    display: flex;
+    align-items: center;
+    min-width: 0;
+    max-width: 100%;
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.table-create-form {
+    display: flex;
+    flex: 1 1 auto;
+    min-height: 0;
+    flex-direction: column;
+}
+
+.table-create-error {
+    border-left: 4px solid #b91c1c;
+    border-radius: 4px;
+    background: #fff1f1;
+    color: #7f1d1d;
+    font-size: 0.9rem;
+    margin: 12px 24px 0;
+    padding: 10px 12px;
+}
+
+.table-create-error:focus {
+    outline: 3px solid rgba(185, 28, 28, 0.18);
+    outline-offset: 2px;
+}
+
+.table-create-fields {
+    display: grid;
+    gap: 18px;
+    padding: 16px 24px 24px;
+    overflow-y: auto;
+}
+
+.table-create-field {
+    display: grid;
+    grid-template-columns: minmax(120px, 180px) minmax(0, 1fr);
+    gap: 12px;
+    align-items: start;
+}
+
+.table-create-label,
+.table-create-column-headings {
+    color: var(--ink);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.82rem;
+}
+
+.table-create-label {
+    padding-top: 8px;
+}
+
+.table-create-column-label {
+    border: 0;
+    clip: rect(0 0 0 0);
+    height: 1px;
+    margin: -1px;
+    overflow: hidden;
+    padding: 0;
+    position: absolute;
+    white-space: nowrap;
+    width: 1px;
+}
+
+.table-create-input {
+    box-sizing: border-box;
+    min-width: 0;
+    min-height: 46px;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    padding: 8px 10px;
+    color: var(--ink);
+    background: #fff;
+    font: inherit;
+    line-height: 1.35;
+}
+
+select.table-create-input {
+    height: 46px;
+}
+
+.table-create-input-placeholder {
+    color: var(--muted);
+}
+
+.table-create-foreign-key-target option,
+.table-create-custom-column-type option,
+.table-create-default-expr option {
+    color: var(--ink);
+}
+
+.table-create-foreign-key-target option[value=""],
+.table-create-custom-column-type option[value=""],
+.table-create-default-expr option[value=""] {
+    color: var(--muted);
+}
+
+.table-create-table-name {
+    width: 100%;
+}
+
+.table-create-input:focus {
+    border-color: var(--accent);
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+}
+
+.table-create-columns {
+    display: grid;
+    gap: 10px;
+}
+
+.table-create-column-list {
+    display: grid;
+    gap: 8px;
+}
+
+.table-create-column-headings,
+.table-create-column-main {
+    display: grid;
+    grid-template-columns: minmax(140px, 1.2fr) minmax(7.5rem, 0.7fr) max-content 32px;
+    align-items: center;
+    gap: 8px;
+    min-width: 0;
+}
+
+.table-create-column-row {
+    display: grid;
+    gap: 8px;
+    min-width: 0;
+}
+
+.table-create-column-headings {
+    color: var(--muted);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.72rem;
+    padding: 0 1px;
+}
+
+.table-create-column-details {
+    display: grid;
+    grid-template-columns: minmax(0, 1fr) minmax(0, 1fr);
+    align-items: start;
+    gap: 12px 16px;
+    padding: 12px;
+    border-left: 3px solid var(--rule);
+    background: #f8fafc;
+}
+
+.table-create-column-details[hidden] {
+    display: none;
+}
+
+.table-create-detail-field {
+    display: grid;
+    gap: 4px;
+    min-width: 0;
+}
+
+.table-create-detail-label {
+    color: var(--muted);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.72rem;
+}
+
+.table-create-detail-help,
+.table-alter-detail-help {
+    color: var(--muted);
+    font-size: 0.82rem;
+    line-height: 1.35;
+    margin: 0;
+}
+
+.table-create-detail-check {
+    display: inline-flex;
+    align-items: flex-start;
+    gap: 8px;
+    color: var(--ink);
+    font-size: 0.85rem;
+    line-height: 1.35;
+    min-width: 0;
+    white-space: normal;
+}
+
+.table-create-not-null,
+.table-create-primary-key,
+.table-create-foreign-key-field,
+.table-create-default-options {
+    grid-column: 1 / -1;
+}
+
+.table-create-default-options,
+.table-alter-default-options {
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    background: #fff;
+    color: var(--ink);
+    min-width: 0;
+}
+
+.table-create-default-options > summary,
+.table-alter-default-options > summary {
+    cursor: pointer;
+    color: var(--accent);
+    font-size: 0.85rem;
+    padding: 8px 10px;
+}
+
+.table-create-default-options > summary:focus,
+.table-alter-default-options > summary:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 1px;
+}
+
+.table-create-default-grid,
+.table-alter-default-grid {
+    display: grid;
+    grid-template-columns: minmax(0, 1fr) minmax(0, 1fr);
+    gap: 12px 16px;
+    padding: 0 10px 10px;
+}
+
+.table-create-detail-check input {
+    flex: 0 0 auto;
+    margin: 0.15rem 0 0;
+}
+
+.table-create-detail-check span {
+    min-width: 0;
+    overflow-wrap: break-word;
+}
+
+.table-create-move-controls {
+    display: grid;
+    grid-template-columns: repeat(4, 32px);
+    gap: 4px;
+    justify-content: start;
+}
+
+.table-create-more-options {
+    appearance: none;
+    border: 0;
+    background: transparent;
+    color: var(--accent);
+    cursor: pointer;
+    font: inherit;
+    font-size: 0.85rem;
+    justify-self: start;
+    padding: 0;
+    grid-column: 1 / -1;
+    text-align: left;
+}
+
+.table-create-more-options:hover,
+.table-create-more-options:focus {
+    text-decoration: underline;
+}
+
+.table-create-more-options:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 2px;
+}
+
+.table-create-more-options:disabled {
+    color: var(--muted);
+    cursor: default;
+    text-decoration: none;
+}
+
+.table-create-icon-button {
+    appearance: none;
+    border: 1px solid rgba(74, 85, 104, 0.24);
+    background: transparent;
+    color: #4a5568;
+    border-radius: 4px;
+    cursor: pointer;
+    display: inline-grid;
+    place-items: center;
+    height: 32px;
+    width: 32px;
+    padding: 0;
+}
+
+.table-create-icon-button:hover,
+.table-create-icon-button:focus {
+    background: rgba(74, 85, 104, 0.07);
+}
+
+.table-create-icon-button:focus {
+    outline: 3px solid #b3d4ff;
+    outline-offset: 1px;
+}
+
+.table-create-icon-button svg {
+    display: block;
+}
+
+.table-create-add-column {
+    appearance: none;
+    justify-self: start;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    background: #fff;
+    color: var(--accent);
+    cursor: pointer;
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    font: inherit;
+    font-size: 0.85rem;
+    padding: 7px 10px;
+}
+
+.table-create-add-column svg {
+    display: block;
+    flex: 0 0 auto;
+}
+
+.table-create-add-column:hover,
+.table-create-add-column:focus {
+    background: #f8fafc;
+}
+
+.table-create-add-column:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 1px;
+}
+
+.table-create-dialog .modal-footer {
+    padding: 14px 20px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: flex-end;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+}
+
+.table-create-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.table-create-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.table-create-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+.table-create-dialog .btn-primary {
+    background: var(--accent);
+    color: #fff;
+}
+
+.table-create-dialog .btn-primary:hover {
+    background: #1949b8;
+}
+
+.table-create-dialog .btn:disabled,
+.table-create-add-column:disabled,
+.table-create-icon-button:disabled {
+    opacity: 0.55;
+    cursor: not-allowed;
+}
+
+dialog.table-alter-dialog {
+    --ink: #0f0f0f;
+    --paper: #eef6ff;
+    --muted: #6b6b6b;
+    --rule: #d8e6f5;
+    --accent: #1a56db;
+    --card: #ffffff;
+    border: none;
+    border-radius: var(--modal-border-radius, 0.75rem);
+    padding: 0;
+    margin: auto;
+    width: min(980px, calc(100vw - 32px));
+    max-width: 95vw;
+    max-height: min(780px, calc(100vh - 32px));
+    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+    animation: datasette-modal-slide-in var(--modal-animation-duration, 0.2s) ease-out;
+    overflow: hidden;
+    font-family: system-ui, -apple-system, sans-serif;
+    background: var(--card);
+}
+
+dialog.table-alter-dialog[open] {
+    display: flex;
+    flex-direction: column;
+}
+
+dialog.table-alter-dialog::backdrop {
+    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+    animation: datasette-modal-fade-in var(--modal-animation-duration, 0.2s) ease-out;
+}
+
+.table-alter-dialog .modal-header {
+    padding: 20px 24px 12px;
+    border-bottom: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    flex-shrink: 0;
+    min-width: 0;
+}
+
+.table-alter-dialog .modal-title {
+    display: flex;
+    align-items: center;
+    min-width: 0;
+    max-width: 100%;
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--ink);
+}
+
+.table-alter-form {
+    display: flex;
+    flex: 1 1 auto;
+    min-height: 0;
+    flex-direction: column;
+}
+
+.table-alter-error {
+    border-left: 4px solid #b91c1c;
+    border-radius: 4px;
+    background: #fff1f1;
+    color: #7f1d1d;
+    font-size: 0.9rem;
+    margin: 12px 24px 0;
+    padding: 10px 12px;
+}
+
+.table-alter-error:focus {
+    outline: 3px solid rgba(185, 28, 28, 0.18);
+    outline-offset: 2px;
+}
+
+.table-alter-fields {
+    display: grid;
+    gap: 18px;
+    padding: 16px 24px 24px;
+    overflow-y: auto;
+}
+
+.table-alter-table-options {
+    border-top: 1px solid var(--rule);
+    padding-top: 12px;
+}
+
+.table-alter-table-options > summary {
+    color: var(--ink);
+    cursor: pointer;
+    font-weight: 600;
+}
+
+.table-alter-table-options > summary:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 3px;
+}
+
+.table-alter-table-name-field {
+    display: grid;
+    gap: 4px;
+    margin-top: 10px;
+    max-width: 24rem;
+}
+
+.table-alter-fields[hidden],
+.table-alter-dialog .modal-footer [hidden] {
+    display: none;
+}
+
+.table-alter-review {
+    display: grid;
+    gap: 12px;
+    overflow-y: auto;
+    padding: 16px 24px 24px;
+}
+
+.table-alter-review[hidden] {
+    display: none;
+}
+
+.table-alter-review-title {
+    color: var(--ink);
+    font-size: 1rem;
+    line-height: 1.35;
+    margin: 0;
+}
+
+.table-alter-review-title:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 2px;
+}
+
+.table-alter-review-intro {
+    color: var(--muted);
+    font-size: 0.9rem;
+    margin: 0;
+}
+
+.table-alter-review-warning {
+    border-left: 4px solid #b91c1c;
+    border-radius: 4px;
+    background: #fff1f1;
+    color: #7f1d1d;
+    font-size: 0.9rem;
+    margin: 0;
+    padding: 10px 12px;
+}
+
+.table-alter-review-list {
+    display: grid;
+    gap: 8px;
+    margin: 0;
+    padding-left: 1.4rem;
+}
+
+.table-alter-review-list li {
+    color: var(--ink);
+    line-height: 1.4;
+}
+
+.table-alter-review-damaging {
+    font-weight: 600;
+}
+
+.table-alter-review-name {
+    background: #eef6ff;
+    border: 1px solid #c9ddf2;
+    border-radius: 4px;
+    color: var(--ink);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.85em;
+    padding: 1px 4px;
+    white-space: nowrap;
+}
+
+.table-alter-columns {
+    display: grid;
+    gap: 10px;
+}
+
+.table-alter-column-list {
+    display: grid;
+    gap: 8px;
+}
+
+.table-alter-column-headings,
+.table-alter-column-main {
+    display: grid;
+    grid-template-columns: minmax(140px, 1.2fr) minmax(7.5rem, 0.7fr) max-content 32px;
+    align-items: center;
+    gap: 8px;
+    min-width: 0;
+}
+
+.table-alter-column-row {
+    display: grid;
+    gap: 8px;
+    min-width: 0;
+}
+
+.table-alter-column-headings {
+    color: var(--muted);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.72rem;
+    padding: 0 1px;
+}
+
+.table-alter-column-label {
+    border: 0;
+    clip: rect(0 0 0 0);
+    height: 1px;
+    margin: -1px;
+    overflow: hidden;
+    padding: 0;
+    position: absolute;
+    white-space: nowrap;
+    width: 1px;
+}
+
+.table-alter-input {
+    box-sizing: border-box;
+    min-width: 0;
+    min-height: 46px;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    padding: 8px 10px;
+    color: var(--ink);
+    background: #fff;
+    font: inherit;
+    line-height: 1.35;
+}
+
+select.table-alter-input {
+    height: 46px;
+}
+
+.table-alter-input-placeholder {
+    color: var(--muted);
+}
+
+.table-alter-default-expr option,
+.table-alter-custom-column-type option,
+.table-alter-foreign-key-target option {
+    color: var(--ink);
+}
+
+.table-alter-default-expr option[value=""],
+.table-alter-custom-column-type option[value=""],
+.table-alter-foreign-key-target option[value=""] {
+    color: var(--muted);
+}
+
+.table-alter-input:focus {
+    border-color: var(--accent);
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+}
+
+.table-alter-column-details {
+    display: grid;
+    grid-template-columns: minmax(0, 1fr) minmax(0, 1fr);
+    align-items: start;
+    gap: 12px 16px;
+    padding: 12px;
+    border-left: 3px solid var(--rule);
+    background: #f8fafc;
+}
+
+.table-alter-column-details[hidden] {
+    display: none;
+}
+
+.table-alter-detail-field {
+    display: grid;
+    gap: 4px;
+    min-width: 0;
+}
+
+.table-alter-detail-label {
+    color: var(--muted);
+    font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+    font-size: 0.72rem;
+}
+
+.table-alter-detail-check {
+    display: inline-flex;
+    align-items: flex-start;
+    gap: 8px;
+    color: var(--ink);
+    font-size: 0.85rem;
+    line-height: 1.35;
+    min-width: 0;
+    white-space: normal;
+}
+
+.table-alter-not-null,
+.table-alter-primary-key,
+.table-alter-foreign-key-field,
+.table-alter-default-options {
+    grid-column: 1 / -1;
+}
+
+.table-alter-detail-check input {
+    flex: 0 0 auto;
+    margin: 0.15rem 0 0;
+}
+
+.table-alter-detail-check span {
+    min-width: 0;
+    overflow-wrap: break-word;
+}
+
+.table-alter-move-controls {
+    display: grid;
+    grid-template-columns: repeat(4, 32px);
+    gap: 4px;
+    justify-content: start;
+}
+
+.table-alter-more-options {
+    appearance: none;
+    border: 0;
+    background: transparent;
+    color: var(--accent);
+    cursor: pointer;
+    font: inherit;
+    font-size: 0.85rem;
+    justify-self: start;
+    padding: 0;
+    grid-column: 1 / -1;
+    text-align: left;
+}
+
+.table-alter-more-options:hover,
+.table-alter-more-options:focus {
+    text-decoration: underline;
+}
+
+.table-alter-more-options:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 2px;
+}
+
+.table-alter-more-options:disabled {
+    color: var(--muted);
+    cursor: default;
+    text-decoration: none;
+}
+
+.table-alter-icon-button {
+    appearance: none;
+    border: 1px solid rgba(74, 85, 104, 0.24);
+    background: transparent;
+    color: #4a5568;
+    border-radius: 4px;
+    cursor: pointer;
+    display: inline-grid;
+    place-items: center;
+    height: 32px;
+    width: 32px;
+    padding: 0;
+}
+
+.table-alter-icon-button:hover,
+.table-alter-icon-button:focus {
+    background: rgba(74, 85, 104, 0.07);
+}
+
+.table-alter-icon-button:focus {
+    outline: 3px solid #b3d4ff;
+    outline-offset: 1px;
+}
+
+.table-alter-icon-button svg {
+    display: block;
+}
+
+.table-alter-add-column {
+    appearance: none;
+    justify-self: start;
+    border: 1px solid var(--rule);
+    border-radius: 5px;
+    background: #fff;
+    color: var(--accent);
+    cursor: pointer;
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    font: inherit;
+    font-size: 0.85rem;
+    padding: 7px 10px;
+}
+
+.table-alter-add-column svg {
+    display: block;
+    flex: 0 0 auto;
+}
+
+.table-alter-add-column:hover,
+.table-alter-add-column:focus {
+    background: #f8fafc;
+}
+
+.table-alter-add-column:focus {
+    outline: 3px solid rgba(26, 86, 219, 0.12);
+    outline-offset: 1px;
+}
+
+.table-alter-dialog .modal-footer {
+    padding: 14px 20px;
+    border-top: 1px solid var(--rule);
+    display: flex;
+    align-items: center;
+    justify-content: flex-end;
+    gap: 10px;
+    flex-shrink: 0;
+    background: var(--paper);
+}
+
+.table-alter-dialog .btn {
+    border: none;
+    border-radius: 5px;
+    padding: 9px 20px;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    touch-action: manipulation;
+    font-family: inherit;
+    transition: background 0.12s;
+}
+
+.table-alter-dialog .btn-ghost {
+    background: transparent;
+    color: var(--muted);
+    border: 1px solid var(--rule);
+}
+
+.table-alter-dialog .btn-ghost:hover {
+    background: var(--rule);
+    color: var(--ink);
+}
+
+.table-alter-dialog .btn-danger {
+    background: #b91c1c;
+    color: #fff;
+    margin-right: auto;
+}
+
+.table-alter-dialog .btn-danger:hover {
+    background: #991b1b;
+}
+
+.table-alter-dialog .btn-danger:disabled,
+.table-alter-dialog .btn-danger:disabled:hover {
+    background: #d98c8c;
+    color: #fff;
+}
+
+.table-alter-dialog .btn-primary {
+    background: var(--accent);
+    color: #fff;
+}
+
+.table-alter-dialog .btn-primary:hover {
+    background: #1949b8;
+}
+
+.table-alter-dialog .btn-primary:disabled,
+.table-alter-dialog .btn-primary:disabled:hover {
+    background: #a0aec0;
+    color: #fff;
+}
+
+.table-alter-dialog .btn:disabled,
+.table-alter-add-column:disabled,
+.table-alter-icon-button:disabled {
+    opacity: 0.55;
+    cursor: not-allowed;
+}
+
+@media (max-width: 900px) {
+    dialog.table-alter-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .table-alter-dialog .modal-header,
+    .table-alter-fields,
+    .table-alter-review {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .table-alter-error {
+        margin-left: 18px;
+        margin-right: 18px;
+    }
+
+    .table-alter-column-headings {
+        display: none;
+    }
+
+    .table-alter-column-row {
+        padding-bottom: 8px;
+        border-bottom: 1px solid var(--rule);
+    }
+
+    .table-alter-column-main {
+        grid-template-columns: minmax(0, 1fr) minmax(7.5rem, 0.8fr) 32px;
+        align-items: end;
+    }
+
+    .table-alter-column-name {
+        grid-column: 1;
+        grid-row: 1;
+    }
+
+    .table-alter-column-type {
+        grid-column: 2;
+        grid-row: 1;
+    }
+
+    .table-alter-remove-column {
+        grid-column: 3;
+        grid-row: 1;
+        justify-self: end;
+    }
+
+    .table-alter-move-controls {
+        grid-column: 1;
+        grid-row: 2;
+        justify-self: start;
+    }
+
+    .table-alter-more-options {
+        align-self: center;
+        grid-column: 2 / 4;
+        grid-row: 2;
+    }
+
+    .table-alter-column-details {
+        grid-template-columns: 1fr;
+    }
+
+    .table-alter-default-grid {
+        grid-template-columns: 1fr;
+    }
+
+    .table-alter-dialog .modal-footer {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+}
+
+.row-link-with-actions {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+    flex-wrap: wrap;
+}
+
+.row-inline-actions {
+    display: inline-flex;
+    gap: 0.2rem;
+    align-items: center;
+}
+
+.row-inline-action {
+    appearance: none;
+    border: 1px solid rgba(74, 85, 104, 0.24);
+    background: transparent;
+    color: #4a5568;
+    border-radius: 4px;
+    cursor: pointer;
+    display: inline-grid;
+    place-items: center;
+    min-height: 24px;
+    min-width: 24px;
+    padding: 2px;
+    position: relative;
+}
+
+.row-inline-action:hover,
+.row-inline-action:focus {
+    background: rgba(74, 85, 104, 0.07);
+}
+
+.row-inline-action:focus {
+    outline: 3px solid #b3d4ff;
+    outline-offset: 1px;
+}
+
+.row-inline-action-icon {
+    display: block;
+    height: 13px;
+    width: 13px;
+}
+
+@media (max-width: 640px) {
+    dialog.mobile-column-actions-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .mobile-column-actions-dialog .modal-header {
+        padding: 16px 18px 14px;
+    }
+
+    .mobile-column-top-actions {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .mobile-column-actions-dialog .col-header {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .mobile-column-actions-dialog .col-actions a,
+    .mobile-column-actions-dialog .col-actions button {
+        padding-left: 34px;
+        padding-right: 18px;
+    }
+
+    .mobile-column-description,
+    .mobile-column-no-actions {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    dialog.set-column-type-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .set-column-type-dialog .modal-header,
+    .set-column-type-status,
+    .set-column-type-empty,
+    .set-column-type-error,
+    .set-column-type-options {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    dialog.row-delete-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .row-delete-dialog .modal-header,
+    .row-delete-message,
+    .row-delete-error {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .row-delete-dialog .modal-footer {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    dialog.row-edit-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .row-edit-dialog .modal-header,
+    .row-edit-summary,
+    .row-edit-loading,
+    .row-edit-fields {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .row-edit-error {
+        margin-left: 18px;
+        margin-right: 18px;
+    }
+
+    .row-edit-field {
+        grid-template-columns: 1fr;
+        gap: 5px;
+    }
+
+    .row-edit-label {
+        padding-top: 0;
+    }
+
+    .row-edit-dialog .modal-footer {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    dialog.table-create-dialog {
+        width: 95vw;
+        max-height: 85vh;
+        border-radius: 0.5rem;
+    }
+
+    .table-create-dialog .modal-header,
+    .table-create-fields {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .table-create-error {
+        margin-left: 18px;
+        margin-right: 18px;
+    }
+
+    .table-create-field {
+        grid-template-columns: 1fr;
+        gap: 5px;
+    }
+
+    .table-create-label {
+        padding-top: 0;
+    }
+
+    .table-create-column-headings {
+        display: none;
+    }
+
+    .table-create-column-row {
+        padding-bottom: 8px;
+        border-bottom: 1px solid var(--rule);
+    }
+
+    .table-create-column-main {
+        grid-template-columns: minmax(0, 1fr) minmax(7.5rem, 0.8fr) 32px;
+        align-items: end;
+    }
+
+    .table-create-column-name {
+        grid-column: 1;
+        grid-row: 1;
+    }
+
+    .table-create-column-type {
+        grid-column: 2;
+        grid-row: 1;
+    }
+
+    .table-create-remove-column {
+        grid-column: 3;
+        grid-row: 1;
+        justify-self: end;
+    }
+
+    .table-create-move-controls {
+        grid-column: 1;
+        grid-row: 2;
+        justify-self: start;
+    }
+
+    .table-create-more-options {
+        align-self: center;
+        grid-column: 2 / 4;
+        grid-row: 2;
+    }
+
+    .table-create-column-details {
+        grid-template-columns: 1fr;
+    }
+
+    .table-create-default-grid {
+        grid-template-columns: 1fr;
+    }
+
+    .table-create-dialog .modal-footer {
+        padding-left: 18px;
+        padding-right: 18px;
+    }
+
+    .row-inline-action {
+        min-height: 30px;
+        min-width: 30px;
+        padding: 4px;
+    }
+
+    .row-inline-action-icon {
+        height: 14px;
+        width: 14px;
+    }
+}
+
 @media only screen and (max-width: 576px) {
 
     .small-screen-only {
@@ -786,14 +3181,107 @@ p.zero-results {
         font-size: 0.8em;
     }
 
-    .select-wrapper {
-        width: 100px;
+    .row-inline-actions {
+        margin-bottom: 0.35rem;
     }
-    .select-wrapper.filter-op {
-        width: 60px;
+
+    .filters {
+        max-width: none;
+        padding: 0.65rem;
+    }
+    .filters .search-row {
+        grid-template-columns: max-content minmax(0, 1fr);
+        padding-right: 0;
+    }
+    .filters .filter-controls-row {
+        --filter-value-button-space: 0px;
+        --filter-remove-button-offset: 0px;
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+    }
+    .filters .filter-controls-row-one-button {
+        --filter-value-button-space: calc(
+            var(--filter-row-icon-size) + var(--filter-control-gap)
+        );
+    }
+    .filters .filter-controls-row-two-buttons {
+        --filter-value-button-space: var(--filter-two-icon-space);
+        --filter-remove-button-offset: calc(
+            var(--filter-row-icon-size) + var(--filter-control-gap)
+        );
+    }
+    .filters .filter-controls-row .select-wrapper {
+        grid-row: 1;
+        grid-column: 1 / 2;
+    }
+    .filters .filter-controls-row .select-wrapper.filter-op {
+        grid-column: 2 / 3;
     }
     .filters input.filter-value {
-        width: 140px;
+        grid-row: 2;
+        grid-column: 1 / 3;
+        justify-self: start;
+        width: calc(100% - var(--filter-value-button-space));
+    }
+    .filters button.filter-row-icon {
+        grid-row: 2;
+        grid-column: 1 / 3;
+        justify-self: end;
+    }
+    .filters .filter-controls-row-two-buttons button.filter-row-remove:not([hidden]) {
+        margin-right: var(--filter-remove-button-offset);
+    }
+    .filters .filter-actions-row {
+        justify-content: flex-start;
+    }
+    .filters .filter-actions-row input[type=submit] {
+        flex: 0 1 auto;
+    }
+    button.choose-columns-mobile,
+    button.table-insert-row,
+    button.column-actions-mobile {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        padding: 0.5rem 1rem;
+        margin-bottom: 1em;
+        font-size: 0.9rem;
+        line-height: 1.2;
+        font-family: inherit;
+        background: white;
+        border: 1px solid #ccc;
+        border-radius: 5px;
+        cursor: pointer;
+        vertical-align: top;
+        box-sizing: border-box;
+        min-height: 2.5rem;
+    }
+
+    button.column-actions-mobile {
+        gap: 0.55rem;
+    }
+
+    button.column-actions-mobile svg {
+        display: block;
+        width: 16px;
+        height: 16px;
+        flex-shrink: 0;
+    }
+
+    button.column-actions-mobile span {
+        line-height: 1.2;
+    }
+
+    button.choose-columns-mobile {
+        margin-right: 0.5rem;
+    }
+
+    .table-row-toolbar {
+        margin-bottom: 0.75rem;
+    }
+
+    button.table-insert-row {
+        width: 100%;
+        margin-bottom: 0;
     }
 }
 
@@ -840,18 +3328,32 @@ svg.dropdown-menu-icon {
 .dropdown-menu a:link,
 .dropdown-menu a:visited,
 .dropdown-menu a:hover,
-.dropdown-menu a:focus
-.dropdown-menu a:active {
+.dropdown-menu a:focus,
+.dropdown-menu a:active,
+.dropdown-menu button.action-menu-button {
     text-decoration: none;
     display: block;
     padding: 4px 8px 2px 8px;
     color: #222;
     white-space: nowrap;
 }
-.dropdown-menu a:hover {
+.dropdown-menu button.action-menu-button {
+    appearance: none;
+    background: none;
+    border: none;
+    box-sizing: border-box;
+    cursor: pointer;
+    font: inherit;
+    text-align: left;
+    width: 100%;
+}
+.dropdown-menu a:hover,
+.dropdown-menu button.action-menu-button:hover,
+.dropdown-menu button.action-menu-button:focus {
     background-color: #eee;
 }
 .dropdown-menu .dropdown-description {
+    display: block;
     margin: 0;
     color: #666;
     font-size: 0.8em;
@@ -870,11 +3372,15 @@ svg.dropdown-menu-icon {
     border-bottom: 5px solid #666;
 }
 
-.canned-query-edit-sql {
+.stored-query-edit-sql {
     padding-left: 0.5em;
     position: relative;
     top: 1px;
 }
+.save-query {
+    display: inline-block;
+    margin-left: 0.45em;
+}
 
 .blob-download {
     display: block;
diff --git a/datasette/static/autocomplete.js b/datasette/static/autocomplete.js
new file mode 100644
index 00000000..c615000e
--- /dev/null
+++ b/datasette/static/autocomplete.js
@@ -0,0 +1,344 @@
+(function () {
+  function autocompleteValueFromRow(row) {
+    var pks = (row && row.pks) || {};
+    var keys = Object.keys(pks);
+    if (!keys.length) {
+      return "";
+    }
+    if (keys.length === 1) {
+      return String(pks[keys[0]]);
+    }
+    return keys
+      .map(function (key) {
+        return key + "=" + pks[key];
+      })
+      .join(", ");
+  }
+
+  function autocompleteLabelFromRow(row) {
+    var value = autocompleteValueFromRow(row);
+    if (row.label && String(row.label) !== value) {
+      return row.label + " (" + value + ")";
+    }
+    return value;
+  }
+
+  if (!window.customElements || customElements.get("datasette-autocomplete")) {
+    return;
+  }
+
+  class DatasetteAutocomplete extends HTMLElement {
+    constructor() {
+      super();
+      this.input = null;
+      this.listbox = null;
+      this.status = null;
+      this.results = [];
+      this.activeIndex = -1;
+      this.fetchId = 0;
+      this.searchTimer = null;
+      this.boundInput = this.handleInput.bind(this);
+      this.boundKeydown = this.handleKeydown.bind(this);
+      this.boundBlur = this.handleBlur.bind(this);
+      this.boundFocus = this.handleFocus.bind(this);
+      this.boundPositionListbox = this.positionListbox.bind(this);
+    }
+
+    connectedCallback() {
+      if (this.input) {
+        return;
+      }
+      this.input = this.querySelector("input");
+      if (!this.input) {
+        return;
+      }
+
+      var inputId =
+        this.input.id ||
+        "datasette-autocomplete-" + Math.random().toString(36).slice(2);
+      this.input.id = inputId;
+      var listboxId = inputId + "-listbox";
+      var statusId = inputId + "-status";
+
+      this.classList.add("datasette-autocomplete");
+      this.input.setAttribute("role", "combobox");
+      this.input.setAttribute("aria-autocomplete", "list");
+      this.input.setAttribute("aria-expanded", "false");
+      this.input.setAttribute("aria-controls", listboxId);
+      this.input.setAttribute("autocomplete", "off");
+
+      this.listbox = document.createElement("div");
+      this.listbox.className = "datasette-autocomplete-list";
+      this.listbox.id = listboxId;
+      this.listbox.setAttribute("role", "listbox");
+      this.listbox.hidden = true;
+
+      this.status = document.createElement("span");
+      this.status.className = "datasette-autocomplete-status";
+      this.status.id = statusId;
+      this.status.setAttribute("role", "status");
+      this.status.setAttribute("aria-live", "polite");
+
+      this.input.setAttribute(
+        "aria-describedby",
+        [this.input.getAttribute("aria-describedby"), statusId]
+          .filter(Boolean)
+          .join(" "),
+      );
+
+      this.appendChild(this.listbox);
+      this.appendChild(this.status);
+
+      this.input.addEventListener("input", this.boundInput);
+      this.input.addEventListener("keydown", this.boundKeydown);
+      this.input.addEventListener("blur", this.boundBlur);
+      this.input.addEventListener("focus", this.boundFocus);
+    }
+
+    disconnectedCallback() {
+      if (!this.input) {
+        return;
+      }
+      this.input.removeEventListener("input", this.boundInput);
+      this.input.removeEventListener("keydown", this.boundKeydown);
+      this.input.removeEventListener("blur", this.boundBlur);
+      this.input.removeEventListener("focus", this.boundFocus);
+    }
+
+    handleInput() {
+      this.scheduleSearch();
+    }
+
+    handleFocus() {
+      if (this.input.value.trim() || this.hasAttribute("suggest-on-focus")) {
+        this.scheduleSearch();
+      }
+    }
+
+    handleBlur() {
+      window.setTimeout(() => this.close(), 150);
+    }
+
+    handleKeydown(ev) {
+      if (ev.key === "Escape") {
+        if (!this.listbox.hidden) {
+          ev.preventDefault();
+          this.close();
+        }
+        return;
+      }
+      if (ev.key === "ArrowDown") {
+        ev.preventDefault();
+        if (this.listbox.hidden) {
+          this.scheduleSearch();
+        } else {
+          this.setActiveIndex(this.activeIndex + 1);
+        }
+        return;
+      }
+      if (ev.key === "ArrowUp") {
+        ev.preventDefault();
+        if (!this.listbox.hidden) {
+          this.setActiveIndex(this.activeIndex - 1);
+        }
+        return;
+      }
+      if (ev.key === "Enter" && !this.listbox.hidden && this.activeIndex >= 0) {
+        ev.preventDefault();
+        this.chooseIndex(this.activeIndex);
+      }
+    }
+
+    scheduleSearch() {
+      window.clearTimeout(this.searchTimer);
+      this.searchTimer = window.setTimeout(() => this.search(), 150);
+    }
+
+    async search() {
+      var query = this.input.value.trim();
+      var initial = !query && this.hasAttribute("suggest-on-focus");
+      if (!query && !initial) {
+        this.close();
+        this.status.textContent = "";
+        return;
+      }
+      var src = this.getAttribute("src");
+      if (!src) {
+        return;
+      }
+
+      var url = new URL(src, location.href);
+      url.searchParams.set("q", query);
+      if (initial) {
+        url.searchParams.set("_initial", "1");
+      } else {
+        url.searchParams.delete("_initial");
+      }
+      var fetchId = this.fetchId + 1;
+      this.fetchId = fetchId;
+      this.status.textContent = "Searching...";
+
+      try {
+        var response = await fetch(url.toString(), {
+          headers: {
+            Accept: "application/json",
+          },
+        });
+        if (!response.ok) {
+          throw new Error("HTTP " + response.status);
+        }
+        var data = await response.json();
+        if (fetchId !== this.fetchId) {
+          return;
+        }
+        this.results = (data && data.rows) || [];
+        this.render();
+      } catch (_error) {
+        if (fetchId !== this.fetchId) {
+          return;
+        }
+        this.results = [];
+        this.close();
+        this.status.textContent = "Could not load suggestions";
+      }
+    }
+
+    render() {
+      this.listbox.textContent = "";
+      this.activeIndex = -1;
+      if (!this.results.length) {
+        this.close();
+        this.status.textContent = "No matches";
+        return;
+      }
+
+      this.results.forEach((row, index) => {
+        var option = document.createElement("div");
+        option.className = "datasette-autocomplete-option";
+        option.id = this.input.id + "-option-" + index;
+        option.setAttribute("role", "option");
+        option.setAttribute("aria-selected", "false");
+        option.dataset.index = String(index);
+        option.dataset.value = autocompleteValueFromRow(row);
+        option.textContent = autocompleteLabelFromRow(row);
+        option.addEventListener("mousedown", (ev) => {
+          ev.preventDefault();
+          this.chooseIndex(index);
+        });
+        this.listbox.appendChild(option);
+      });
+
+      this.listbox.hidden = false;
+      this.input.setAttribute("aria-expanded", "true");
+      this.status.textContent =
+        this.results.length + (this.results.length === 1 ? " match" : " matches");
+      this.positionListbox();
+      this.setActiveIndex(0);
+    }
+
+    positionListbox() {
+      if (!this.input || !this.listbox || this.listbox.hidden) {
+        return;
+      }
+
+      var gap = 3;
+      var margin = 8;
+      var inputRect = this.input.getBoundingClientRect();
+      this.listbox.style.maxHeight = "";
+      var defaultMaxHeight = parseFloat(
+        window.getComputedStyle(this.listbox).maxHeight,
+      );
+      if (!Number.isFinite(defaultMaxHeight)) {
+        defaultMaxHeight = 256;
+      }
+      var scrollHeight = Math.ceil(this.listbox.scrollHeight);
+      var desiredHeight = Math.min(scrollHeight, defaultMaxHeight);
+      var availableBelow = Math.max(
+        0,
+        (window.innerHeight || document.documentElement.clientHeight) -
+          inputRect.bottom -
+          gap -
+          margin,
+      );
+
+      this.listbox.style.left = inputRect.left + "px";
+      this.listbox.style.top = inputRect.bottom + gap + "px";
+      this.listbox.style.width = inputRect.width + "px";
+      if (scrollHeight <= defaultMaxHeight && scrollHeight <= availableBelow) {
+        this.listbox.style.maxHeight = "none";
+      } else {
+        this.listbox.style.maxHeight =
+          Math.min(defaultMaxHeight, desiredHeight, availableBelow || defaultMaxHeight) +
+          "px";
+      }
+      window.addEventListener("resize", this.boundPositionListbox);
+      document.addEventListener("scroll", this.boundPositionListbox, true);
+    }
+
+    setActiveIndex(index) {
+      var options = this.listbox.querySelectorAll("[role='option']");
+      if (!options.length) {
+        this.activeIndex = -1;
+        this.input.removeAttribute("aria-activedescendant");
+        return;
+      }
+      if (index < 0) {
+        index = options.length - 1;
+      }
+      if (index >= options.length) {
+        index = 0;
+      }
+      options.forEach((option, optionIndex) => {
+        option.setAttribute(
+          "aria-selected",
+          optionIndex === index ? "true" : "false",
+        );
+      });
+      this.activeIndex = index;
+      this.input.setAttribute("aria-activedescendant", options[index].id);
+    }
+
+    chooseIndex(index) {
+      var row = this.results[index];
+      if (!row) {
+        return;
+      }
+      var value = autocompleteValueFromRow(row);
+      var label = autocompleteLabelFromRow(row);
+      this.input.value = value;
+      this.input.dispatchEvent(new Event("change", { bubbles: true }));
+      this.close();
+      this.status.textContent = "Selected " + label;
+      this.dispatchEvent(
+        new CustomEvent("datasette-autocomplete-select", {
+          bubbles: true,
+          detail: {
+            row: row,
+            value: value,
+            label: label,
+          },
+        }),
+      );
+    }
+
+    close() {
+      if (this.listbox) {
+        this.listbox.hidden = true;
+        this.listbox.textContent = "";
+        this.listbox.style.left = "";
+        this.listbox.style.maxHeight = "";
+        this.listbox.style.top = "";
+        this.listbox.style.width = "";
+      }
+      if (this.input) {
+        this.input.setAttribute("aria-expanded", "false");
+        this.input.removeAttribute("aria-activedescendant");
+      }
+      window.removeEventListener("resize", this.boundPositionListbox);
+      document.removeEventListener("scroll", this.boundPositionListbox, true);
+      this.activeIndex = -1;
+    }
+  }
+
+  customElements.define("datasette-autocomplete", DatasetteAutocomplete);
+})();
diff --git a/datasette/static/column-chooser.js b/datasette/static/column-chooser.js
new file mode 100644
index 00000000..198641f3
--- /dev/null
+++ b/datasette/static/column-chooser.js
@@ -0,0 +1,699 @@
+class ColumnChooser extends HTMLElement {
+  constructor() {
+    super();
+    this.attachShadow({ mode: "open" });
+
+    // State
+    this._items = [];
+    this._checked = new Set();
+    this._savedItems = null;
+    this._savedChecked = null;
+    this._onApply = null;
+
+    // Drag state
+    this._ghost = null;
+    this._dragSrcIdx = null;
+    this._dropTargetIdx = null;
+    this._dropPosition = null;
+    this._ghostOffX = 0;
+    this._ghostOffY = 0;
+    this._autoScrollRAF = null;
+    this._lastPointerY = 0;
+    this._lastPointerX = 0;
+    this._SCROLL_ZONE = 72;
+    this._SCROLL_SPEED = 0.4;
+
+    // Bound handlers
+    this._onMove = this._onMove.bind(this);
+    this._onUp = this._onUp.bind(this);
+
+    this.shadowRoot.innerHTML = `
+      <style>
+        :host {
+          --ink: #0f0f0f;
+          --paper: #eef6ff;
+          --muted: #6b6b6b;
+          --rule: #d8e6f5;
+          --accent: #1a56db;
+          --accent-light: #e8effd;
+          --card: #ffffff;
+        }
+
+        * { box-sizing: border-box; margin: 0; padding: 0; }
+
+        dialog {
+          border: none;
+          border-radius: var(--modal-border-radius, 0.75rem);
+          padding: 0;
+          margin: auto;
+          width: 100%;
+          max-width: 420px;
+          max-height: min(640px, calc(100vh - 32px));
+          box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+          animation: slideIn var(--modal-animation-duration, 0.2s) ease-out;
+          overflow: hidden;
+          font-family: system-ui, -apple-system, sans-serif;
+          background: var(--card);
+          -webkit-user-select: none;
+          -webkit-touch-callout: none;
+          -webkit-tap-highlight-color: transparent;
+        }
+
+        dialog[open] {
+          display: flex;
+          flex-direction: column;
+          height: min(640px, calc(100vh - 32px));
+        }
+
+        dialog::backdrop {
+          background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+          backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+          -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+          animation: fadeIn var(--modal-animation-duration, 0.2s) ease-out;
+        }
+
+        @keyframes slideIn {
+          from {
+            opacity: 0;
+            transform: translateY(-20px) scale(0.95);
+          }
+          to {
+            opacity: 1;
+            transform: translateY(0) scale(1);
+          }
+        }
+
+        @keyframes fadeIn {
+          from { opacity: 0; }
+          to { opacity: 1; }
+        }
+
+        .modal-header {
+          padding: 20px 24px 16px;
+          border-bottom: 1px solid var(--rule);
+          display: flex;
+          align-items: center;
+          justify-content: space-between;
+          flex-shrink: 0;
+        }
+
+        .modal-title {
+          font-size: 1rem;
+          font-weight: 600;
+        }
+
+        .modal-meta {
+          font-family: ui-monospace, monospace;
+          font-size: 0.7rem;
+          color: var(--muted);
+          background: var(--paper);
+          padding: 3px 9px;
+          border-radius: 20px;
+        }
+
+        .list-toolbar {
+          padding: 6px 24px;
+          border-bottom: 1px solid var(--rule);
+          display: flex;
+          gap: 12px;
+          flex-shrink: 0;
+        }
+
+        .list-toolbar button {
+          background: var(--accent-light);
+          border: 1px solid var(--rule);
+          border-radius: 4px;
+          font-family: inherit;
+          font-size: 0.75rem;
+          color: var(--accent);
+          cursor: pointer;
+          padding: 3px 10px;
+          transition: background 0.12s, color 0.12s;
+        }
+        .list-toolbar button:hover { background: var(--accent); color: white; }
+
+        .list-wrap {
+          flex: 1;
+          overflow-y: auto;
+          overflow-x: hidden;
+          position: relative;
+          overscroll-behavior: contain;
+          -webkit-overflow-scrolling: touch;
+        }
+
+        .list-wrap::before,
+        .list-wrap::after {
+          content: '';
+          position: sticky;
+          display: block;
+          left: 0; right: 0;
+          height: 20px;
+          pointer-events: none;
+          z-index: 5;
+          transition: opacity 0.2s;
+        }
+        .list-wrap::before {
+          top: 0;
+          background: linear-gradient(to bottom, rgba(255,255,255,0.9), transparent);
+        }
+        .list-wrap::after {
+          bottom: 0;
+          background: linear-gradient(to top, rgba(255,255,255,0.9), transparent);
+          margin-top: -20px;
+        }
+
+        .scroll-zone {
+          position: absolute;
+          left: 0; right: 0;
+          height: 72px;
+          pointer-events: none;
+          z-index: 10;
+        }
+        .scroll-zone-top { top: 0; }
+        .scroll-zone-bot { bottom: 0; }
+
+        .drag-list {
+          list-style: none;
+          padding: 4px 0;
+        }
+
+        .drag-item {
+          display: flex;
+          align-items: center;
+          background: white;
+          border-bottom: 1px solid var(--rule);
+          user-select: none;
+          -webkit-user-select: none;
+          -webkit-touch-callout: none;
+          position: relative;
+          transition: background 0.08s;
+        }
+
+        .drag-item:last-child { border-bottom: none; }
+
+        .drag-handle {
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          width: 48px;
+          height: 48px;
+          flex-shrink: 0;
+          cursor: grab;
+          color: #c8c4bc;
+          touch-action: none;
+          transition: color 0.15s;
+        }
+
+        .drag-handle:hover { color: var(--accent); }
+        .drag-handle svg { pointer-events: none; display: block; }
+
+        .drag-item-content {
+          display: flex;
+          align-items: center;
+          flex: 1;
+          min-width: 0;
+          cursor: pointer;
+        }
+
+        .drag-item-check {
+          display: flex;
+          align-items: center;
+          width: 32px;
+          height: 48px;
+          flex-shrink: 0;
+        }
+
+        .drag-item-check input[type="checkbox"] {
+          width: 16px;
+          height: 16px;
+          accent-color: var(--accent);
+          cursor: pointer;
+        }
+
+        .drag-item-label {
+          flex: 1;
+          font-size: 0.9rem;
+          line-height: 48px;
+          padding-right: 16px;
+          white-space: nowrap;
+          overflow: hidden;
+          text-overflow: ellipsis;
+          cursor: default;
+        }
+
+        .drag-item.is-dragging {
+          opacity: 0;
+        }
+
+        .drop-indicator {
+          position: absolute;
+          left: 48px;
+          right: 0;
+          height: 2px;
+          background: var(--accent);
+          border-radius: 99px;
+          pointer-events: none;
+          z-index: 20;
+          display: none;
+        }
+        .drop-indicator.top { top: -1px; display: block; }
+        .drop-indicator.bottom { bottom: -1px; display: block; }
+
+        .drag-ghost {
+          position: fixed;
+          pointer-events: none;
+          z-index: 9999;
+          background: white;
+          border-radius: 6px;
+          box-shadow: 0 8px 32px rgba(0,0,0,0.18), 0 2px 8px rgba(0,0,0,0.1);
+          display: flex;
+          align-items: center;
+          border: 1.5px solid var(--accent-light);
+          opacity: 0.97;
+          will-change: transform;
+          font-family: system-ui, -apple-system, sans-serif;
+        }
+
+        .scroll-pulse {
+          position: absolute;
+          left: 50%;
+          transform: translateX(-50%);
+          width: 32px;
+          height: 32px;
+          border-radius: 50%;
+          background: var(--accent);
+          opacity: 0;
+          pointer-events: none;
+          z-index: 10;
+          transition: opacity 0.15s;
+        }
+        .scroll-pulse.top { top: 8px; }
+        .scroll-pulse.bot { bottom: 8px; }
+        .scroll-pulse.active {
+          opacity: 0.18;
+          animation: pulse 0.8s ease-in-out infinite;
+        }
+
+        @keyframes pulse {
+          0%, 100% { transform: translateX(-50%) scale(1); opacity: 0.18; }
+          50% { transform: translateX(-50%) scale(1.5); opacity: 0.07; }
+        }
+
+        .modal-footer {
+          padding: 14px 20px;
+          border-top: 1px solid var(--rule);
+          display: flex;
+          align-items: center;
+          gap: 10px;
+          flex-shrink: 0;
+          background: var(--paper);
+        }
+
+        .footer-info {
+          flex: 1;
+          font-family: ui-monospace, monospace;
+          font-size: 0.68rem;
+          color: var(--muted);
+        }
+
+        .btn {
+          border: none;
+          border-radius: 5px;
+          padding: 9px 20px;
+          font-size: 0.85rem;
+          font-weight: 500;
+          cursor: pointer;
+          touch-action: manipulation;
+          font-family: inherit;
+          transition: background 0.12s;
+        }
+
+        .btn-primary {
+          background: var(--accent);
+          color: white;
+        }
+        .btn-primary:hover { background: #1448c0; }
+
+        .btn-ghost {
+          background: transparent;
+          color: var(--muted);
+          border: 1px solid var(--rule);
+        }
+        .btn-ghost:hover { background: var(--rule); color: var(--ink); }
+
+        .list-wrap::-webkit-scrollbar { width: 5px; }
+        .list-wrap::-webkit-scrollbar-track { background: transparent; }
+        .list-wrap::-webkit-scrollbar-thumb { background: var(--rule); border-radius: 99px; }
+
+        input, textarea { -webkit-user-select: auto; user-select: auto; }
+      </style>
+
+      <dialog aria-labelledby="modalTitle">
+          <div class="modal-header">
+            <span class="modal-title" id="modalTitle">Choose columns</span>
+            <span class="modal-meta" id="selectedCount"></span>
+          </div>
+          <div class="list-toolbar">
+            <button id="selectAllBtn">Select all</button>
+            <button id="deselectAllBtn">Deselect all</button>
+          </div>
+          <div class="list-wrap" id="listWrap">
+            <div class="scroll-pulse top" id="pulseTop"></div>
+            <div class="scroll-pulse bot" id="pulseBot"></div>
+            <ul class="drag-list" id="dragList"></ul>
+          </div>
+          <div class="modal-footer">
+            <span class="footer-info" id="footerInfo"></span>
+            <button class="btn btn-ghost" id="cancelBtn">Cancel</button>
+            <button class="btn btn-primary" id="applyBtn">Apply</button>
+          </div>
+      </dialog>
+    `;
+
+    // DOM refs
+    this._dialog = this.shadowRoot.querySelector("dialog");
+    this._listWrap = this.shadowRoot.getElementById("listWrap");
+    this._dragList = this.shadowRoot.getElementById("dragList");
+    this._pulseTop = this.shadowRoot.getElementById("pulseTop");
+    this._pulseBot = this.shadowRoot.getElementById("pulseBot");
+    this._selectAllBtn = this.shadowRoot.getElementById("selectAllBtn");
+    this._deselectAllBtn = this.shadowRoot.getElementById("deselectAllBtn");
+    this._cancelBtn = this.shadowRoot.getElementById("cancelBtn");
+    this._applyBtn = this.shadowRoot.getElementById("applyBtn");
+    this._countEl = this.shadowRoot.getElementById("selectedCount");
+    this._footerEl = this.shadowRoot.getElementById("footerInfo");
+
+    // Event listeners
+    this._selectAllBtn.addEventListener("click", () => this._selectAll());
+    this._deselectAllBtn.addEventListener("click", () => this._deselectAll());
+    this._cancelBtn.addEventListener("click", () => this._close());
+    this._applyBtn.addEventListener("click", () => this._apply());
+    this._dialog.addEventListener("click", (e) => {
+      if (e.target === this._dialog) this._close();
+    });
+    this._dialog.addEventListener("cancel", (e) => {
+      e.preventDefault();
+      this._close();
+    });
+  }
+
+  /**
+   * Open the column chooser dialog.
+   * @param {Object} opts
+   * @param {string[]} opts.columns - All available column names, in display order.
+   * @param {string[]} opts.selected - Column names that should be pre-checked.
+   * @param {function(string[]): void} opts.onApply - Called with the selected columns in order when Apply is clicked.
+   */
+  open({ columns, selected = [], onApply }) {
+    this._items = [...columns];
+    this._checked = new Set(selected);
+    this._onApply = onApply || null;
+
+    // Save state for cancel/restore
+    this._savedItems = [...this._items];
+    this._savedChecked = new Set(this._checked);
+
+    this._render();
+    this._dialog.showModal();
+  }
+
+  // ── Internal methods ──
+
+  _close() {
+    this._items = this._savedItems ? [...this._savedItems] : this._items;
+    this._checked = this._savedChecked
+      ? new Set(this._savedChecked)
+      : this._checked;
+    this._dialog.close();
+  }
+
+  _selectAll() {
+    this._items.forEach((col) => this._checked.add(col));
+    this._dragList.querySelectorAll('input[type="checkbox"]').forEach((cb) => {
+      cb.checked = true;
+    });
+    this._updateCounts();
+  }
+
+  _deselectAll() {
+    this._checked.clear();
+    this._dragList.querySelectorAll('input[type="checkbox"]').forEach((cb) => {
+      cb.checked = false;
+    });
+    this._updateCounts();
+  }
+
+  _apply() {
+    const selected = this._items.filter((col) => this._checked.has(col));
+    this._dialog.close();
+    if (this._onApply) {
+      this._onApply(selected);
+    }
+  }
+
+  _render() {
+    this._dragList.innerHTML = "";
+    this._items.forEach((col, i) => {
+      const li = document.createElement("li");
+      li.className = "drag-item";
+      li.dataset.idx = i;
+      li.innerHTML = `
+        <span class="drag-handle" aria-label="Drag to reorder">
+          <svg width="12" height="18" viewBox="0 0 12 18" fill="currentColor">
+            <circle cx="3.5" cy="3.5" r="1.8"/>
+            <circle cx="8.5" cy="3.5" r="1.8"/>
+            <circle cx="3.5" cy="9" r="1.8"/>
+            <circle cx="8.5" cy="9" r="1.8"/>
+            <circle cx="3.5" cy="14.5" r="1.8"/>
+            <circle cx="8.5" cy="14.5" r="1.8"/>
+          </svg>
+        </span>
+        <label class="drag-item-content">
+          <span class="drag-item-check">
+            <input type="checkbox" ${this._checked.has(col) ? "checked" : ""}>
+          </span>
+          <span class="drag-item-label">${col}</span>
+        </label>
+        <div class="drop-indicator"></div>
+      `;
+
+      li.querySelector("input").addEventListener("change", (e) => {
+        e.target.checked ? this._checked.add(col) : this._checked.delete(col);
+        this._updateCounts();
+      });
+
+      li.querySelector(".drag-handle").addEventListener("pointerdown", (e) =>
+        this._startDrag(e, i),
+      );
+      this._dragList.appendChild(li);
+    });
+
+    this._updateCounts();
+  }
+
+  _updateCounts() {
+    const n = this._checked.size;
+    this._countEl.textContent = `${n} of ${this._items.length} selected`;
+    this._footerEl.textContent = `${this._items.length} columns`;
+  }
+
+  // ── Drag engine ──
+
+  _startDrag(e, idx) {
+    e.preventDefault();
+    this._dragSrcIdx = idx;
+
+    const srcEl = this._dragList.children[idx];
+    const rect = srcEl.getBoundingClientRect();
+
+    this._ghostOffX = e.clientX - rect.left;
+    this._ghostOffY = e.clientY - rect.top;
+
+    // Build ghost inside shadow DOM
+    this._ghost = document.createElement("div");
+    this._ghost.className = "drag-ghost";
+    this._ghost.style.width = rect.width + "px";
+    this._ghost.style.height = rect.height + "px";
+    this._ghost.innerHTML = srcEl.innerHTML;
+    this._ghost.querySelector(".drop-indicator")?.remove();
+    const h = this._ghost.querySelector(".drag-handle");
+    if (h) h.style.color = "var(--accent)";
+    this.shadowRoot.appendChild(this._ghost);
+
+    srcEl.classList.add("is-dragging");
+    this._positionGhost(e.clientX, e.clientY);
+
+    document.addEventListener("pointermove", this._onMove);
+    document.addEventListener("pointerup", this._onUp);
+    document.addEventListener("pointercancel", this._onUp);
+  }
+
+  _positionGhost(cx, cy) {
+    this._ghost.style.left = cx - this._ghostOffX + "px";
+    this._ghost.style.top = cy - this._ghostOffY + "px";
+  }
+
+  _onMove(e) {
+    this._lastPointerX = e.clientX;
+    this._lastPointerY = e.clientY;
+    this._positionGhost(e.clientX, e.clientY);
+    this._updateDropTarget(e.clientY);
+    this._updateAutoScroll(e.clientY);
+  }
+
+  _onUp() {
+    document.removeEventListener("pointermove", this._onMove);
+    document.removeEventListener("pointerup", this._onUp);
+    document.removeEventListener("pointercancel", this._onUp);
+
+    this._stopAutoScroll();
+
+    const noMove =
+      this._dropTargetIdx === null || this._dropTargetIdx === this._dragSrcIdx;
+    this._clearDropIndicators();
+
+    let dest = null;
+    if (!noMove) {
+      const moved = this._items.splice(this._dragSrcIdx, 1)[0];
+      dest = this._dropTargetIdx;
+      if (this._dropPosition === "after") dest++;
+      if (dest > this._dragSrcIdx) dest--;
+      this._items.splice(dest, 0, moved);
+    }
+
+    this._dragSrcIdx = null;
+    this._dropTargetIdx = null;
+    this._dropPosition = null;
+
+    const g = this._ghost;
+    this._ghost = null;
+
+    if (noMove) {
+      if (g) g.remove();
+      this._render();
+      return;
+    }
+
+    this._render();
+
+    if (g && dest !== null) {
+      const landedEl = this._dragList.children[dest];
+      if (landedEl) {
+        landedEl.style.opacity = "0";
+        const r = landedEl.getBoundingClientRect();
+        g.getBoundingClientRect();
+        g.style.transition =
+          "left 0.15s cubic-bezier(0.22, 1, 0.36, 1), top 0.15s cubic-bezier(0.22, 1, 0.36, 1), box-shadow 0.15s, opacity 0.1s 0.1s";
+        g.style.left = r.left + "px";
+        g.style.top = r.top + "px";
+        g.style.boxShadow = "0 1px 4px rgba(0,0,0,0.08)";
+        g.style.opacity = "0";
+        setTimeout(() => {
+          g.remove();
+          if (landedEl) landedEl.style.opacity = "";
+        }, 160);
+      } else {
+        g.remove();
+      }
+    } else if (g) {
+      g.remove();
+    }
+  }
+
+  _updateDropTarget(clientY) {
+    this._clearDropIndicators();
+    const listItems = [
+      ...this._dragList.querySelectorAll(".drag-item:not(.is-dragging)"),
+    ];
+    if (!listItems.length) return;
+
+    let best = null,
+      bestDist = Infinity;
+    listItems.forEach((li) => {
+      const r = li.getBoundingClientRect();
+      const mid = r.top + r.height / 2;
+      const dist = Math.abs(clientY - mid);
+      if (dist < bestDist) {
+        bestDist = dist;
+        best = li;
+      }
+    });
+
+    if (!best) return;
+    const r = best.getBoundingClientRect();
+    const mid = r.top + r.height / 2;
+    const above = clientY < mid;
+    const indic = best.querySelector(".drop-indicator");
+
+    this._dropTargetIdx = parseInt(best.dataset.idx);
+    this._dropPosition = above ? "before" : "after";
+
+    if (indic) {
+      indic.className = "drop-indicator " + (above ? "top" : "bottom");
+    }
+  }
+
+  _clearDropIndicators() {
+    this._dragList.querySelectorAll(".drop-indicator").forEach((el) => {
+      el.className = "drop-indicator";
+    });
+  }
+
+  _updateAutoScroll(clientY) {
+    const rect = this._listWrap.getBoundingClientRect();
+    const relY = clientY - rect.top;
+    const distTop = relY;
+    const distBot = rect.height - relY;
+
+    const inTop = distTop < this._SCROLL_ZONE && distTop >= 0;
+    const inBot = distBot < this._SCROLL_ZONE && distBot >= 0;
+
+    this._pulseTop.classList.toggle("active", inTop);
+    this._pulseBot.classList.toggle("active", inBot);
+
+    if ((inTop || inBot) && !this._autoScrollRAF) {
+      let lastTime = null;
+      const loop = (ts) => {
+        if (!this._ghost) {
+          this._stopAutoScroll();
+          return;
+        }
+        if (lastTime !== null) {
+          const dt = ts - lastTime;
+          const rect2 = this._listWrap.getBoundingClientRect();
+          const relY2 = this._lastPointerY - rect2.top;
+          const dTop = relY2;
+          const dBot = rect2.height - relY2;
+
+          if (dTop < this._SCROLL_ZONE && dTop >= 0) {
+            const factor = 1 - dTop / this._SCROLL_ZONE;
+            this._listWrap.scrollTop -= this._SCROLL_SPEED * dt * factor * 2.5;
+          } else if (dBot < this._SCROLL_ZONE && dBot >= 0) {
+            const factor = 1 - dBot / this._SCROLL_ZONE;
+            this._listWrap.scrollTop += this._SCROLL_SPEED * dt * factor * 2.5;
+          } else {
+            this._stopAutoScroll();
+            return;
+          }
+          this._updateDropTarget(this._lastPointerY);
+        }
+        lastTime = ts;
+        this._autoScrollRAF = requestAnimationFrame(loop);
+      };
+      this._autoScrollRAF = requestAnimationFrame(loop);
+    }
+
+    if (!inTop && !inBot) this._stopAutoScroll();
+  }
+
+  _stopAutoScroll() {
+    if (this._autoScrollRAF) {
+      cancelAnimationFrame(this._autoScrollRAF);
+      this._autoScrollRAF = null;
+    }
+    this._pulseTop.classList.remove("active");
+    this._pulseBot.classList.remove("active");
+  }
+}
+
+customElements.define("column-chooser", ColumnChooser);
diff --git a/datasette/static/datasette-manager.js b/datasette/static/datasette-manager.js
index d2347ab3..b049fc73 100644
--- a/datasette/static/datasette-manager.js
+++ b/datasette/static/datasette-manager.js
@@ -82,6 +82,48 @@ const datasetteManager = {
     return columnActions;
   },
 
+  /**
+   * Allows JavaScript plugins to replace or enhance insert/edit modal fields
+   * for specific Datasette column types.
+   *
+   * The first plugin to return a control object wins. Returning null or
+   * undefined means "I do not handle this field".
+   */
+  makeColumnField: (context) => {
+    for (const [pluginName, plugin] of datasetteManager.plugins) {
+      if (!plugin.makeColumnField) {
+        continue;
+      }
+      let control = null;
+      try {
+        control = plugin.makeColumnField(context);
+      } catch (error) {
+        console.error(
+          `Error in makeColumnField() for plugin ${pluginName}`,
+          error,
+        );
+        continue;
+      }
+      if (control) {
+        return Object.assign({ pluginName }, control);
+      }
+    }
+    return null;
+  },
+
+  makeJumpSections: (context) => {
+    let jumpSections = [];
+
+    datasetteManager.plugins.forEach((plugin) => {
+      if (plugin.makeJumpSections) {
+        const sections = plugin.makeJumpSections(context) || [];
+        jumpSections.push(...sections);
+      }
+    });
+
+    return jumpSections;
+  },
+
   /**
    * In MVP, each plugin can only have 1 instance.
    * In future, panels could be repeated. We omit that for now since so many plugins depend on
@@ -192,7 +234,6 @@ const initializeDatasette = () => {
   // DATASETTE_EVENTS.INIT event to avoid the habit of reading from the window.
 
   window.__DATASETTE__ = datasetteManager;
-  console.debug("Datasette Manager Created!");
 
   const initDatasetteEvent = new CustomEvent(DATASETTE_EVENTS.INIT, {
     detail: datasetteManager,
diff --git a/datasette/static/edit-tools.js b/datasette/static/edit-tools.js
new file mode 100644
index 00000000..9f4f89b9
--- /dev/null
+++ b/datasette/static/edit-tools.js
@@ -0,0 +1,5293 @@
+var ROW_DELETE_DIALOG_ID = "row-delete-dialog";
+var rowDeleteDialogState = null;
+var ROW_EDIT_DIALOG_ID = "row-edit-dialog";
+var rowEditDialogState = null;
+var TABLE_CREATE_DIALOG_ID = "table-create-dialog";
+var tableCreateDialogState = null;
+var TABLE_ALTER_DIALOG_ID = "table-alter-dialog";
+var tableAlterDialogState = null;
+
+function ensureRowMutationStatus(manager) {
+  var status = document.querySelector(".row-mutation-status");
+  if (status) {
+    return status;
+  }
+
+  status = document.createElement("p");
+  status.className = "row-mutation-status";
+  status.hidden = true;
+  status.setAttribute("role", "status");
+  status.setAttribute("aria-live", "polite");
+  status.setAttribute("tabindex", "-1");
+
+  var tableWrapper = document.querySelector(manager.selectors.tableWrapper);
+  if (tableWrapper && tableWrapper.parentNode) {
+    tableWrapper.parentNode.insertBefore(status, tableWrapper);
+  } else {
+    document.body.appendChild(status);
+  }
+  return status;
+}
+
+function showRowMutationStatus(manager, message, isError) {
+  var status = ensureRowMutationStatus(manager);
+  status.hidden = false;
+  status.classList.toggle("row-mutation-status-error", !!isError);
+  status.textContent = message;
+  return status;
+}
+
+function hideRowMutationStatus() {
+  var status = document.querySelector(".row-mutation-status");
+  if (!status) {
+    return;
+  }
+  status.hidden = true;
+  status.classList.remove("row-mutation-status-error");
+  status.textContent = "";
+}
+
+function databaseCreateTableData() {
+  return (
+    window._datasetteDatabaseData && window._datasetteDatabaseData.createTable
+  );
+}
+
+function tableCreateColumnTypes() {
+  var data = databaseCreateTableData() || {};
+  return data.columnTypes && data.columnTypes.length
+    ? data.columnTypes
+    : ["text", "integer", "float", "blob"];
+}
+
+function tableCreateDefaultExpressions() {
+  var data = databaseCreateTableData() || {};
+  return data.defaultExpressions || [];
+}
+
+var SQLITE_COLUMN_TYPE_LABELS = {
+  float: "floating point number",
+  real: "floating point number",
+  blob: "blob - binary data",
+};
+
+function sqliteColumnTypeLabel(type) {
+  return SQLITE_COLUMN_TYPE_LABELS[type] || type;
+}
+
+function populateSqliteColumnTypeSelect(select, type, options) {
+  options.forEach(function (option) {
+    var optionElement = document.createElement("option");
+    optionElement.value = option;
+    optionElement.textContent = sqliteColumnTypeLabel(option);
+    select.appendChild(optionElement);
+  });
+  select.value = options.indexOf(type) === -1 ? options[0] : type;
+}
+
+function updateSelectPlaceholder(select, placeholderClass) {
+  select.classList.toggle(placeholderClass, !select.value);
+}
+
+function createCustomColumnTypeSelect(options, className, placeholderClass) {
+  var select = document.createElement("select");
+  select.className = className;
+  select.setAttribute("aria-label", "Custom column type");
+  var blankOption = document.createElement("option");
+  blankOption.value = "";
+  blankOption.textContent = "- custom type -";
+  select.appendChild(blankOption);
+  options.forEach(function (option) {
+    var optionElement = document.createElement("option");
+    optionElement.value = option.name;
+    optionElement.textContent = option.description
+      ? option.description + " (" + option.name + ")"
+      : option.name;
+    select.appendChild(optionElement);
+  });
+  updateSelectPlaceholder(select, placeholderClass);
+  return select;
+}
+
+function normalizeDefaultExpressionOption(option) {
+  if (typeof option === "string") {
+    return {
+      value: option,
+      label: option.replace(/_/g, " "),
+      sqliteType: "",
+    };
+  }
+  option = option || {};
+  return {
+    value: option.value || "",
+    label: option.label || option.value || "",
+    sqliteType: option.sqliteType || "",
+  };
+}
+
+function defaultExpressionOptionForValue(options, value) {
+  var match = null;
+  (options || []).some(function (option) {
+    var normalized = normalizeDefaultExpressionOption(option);
+    if (normalized.value === value) {
+      match = normalized;
+      return true;
+    }
+    return false;
+  });
+  return match;
+}
+
+function defaultExpressionLabelForValue(options, value) {
+  var option = defaultExpressionOptionForValue(options, value);
+  return option && option.label
+    ? option.label
+    : value
+      ? value.replace(/_/g, " ")
+      : "";
+}
+
+function applyDefaultExpressionColumnType(row, prefix, options, columnTypes) {
+  var defaultExprSelect = row.querySelector("." + prefix + "-default-expr");
+  var typeSelect = row.querySelector("." + prefix + "-column-type");
+  if (!defaultExprSelect || !typeSelect || !defaultExprSelect.value) {
+    return false;
+  }
+  var option = defaultExpressionOptionForValue(
+    options,
+    defaultExprSelect.value,
+  );
+  if (
+    option &&
+    option.sqliteType &&
+    (columnTypes || []).indexOf(option.sqliteType) !== -1 &&
+    typeSelect.value !== option.sqliteType
+  ) {
+    typeSelect.value = option.sqliteType;
+    return true;
+  }
+  return false;
+}
+
+function createDefaultExpressionSelect(
+  options,
+  className,
+  placeholderClass,
+  value,
+) {
+  var select = document.createElement("select");
+  select.className = className;
+  var blankOption = document.createElement("option");
+  blankOption.value = "";
+  blankOption.textContent = "- default expr -";
+  select.appendChild(blankOption);
+  options.forEach(function (option) {
+    var normalized = normalizeDefaultExpressionOption(option);
+    if (!normalized.value) {
+      return;
+    }
+    var optionElement = document.createElement("option");
+    optionElement.value = normalized.value;
+    optionElement.textContent = normalized.label;
+    select.appendChild(optionElement);
+  });
+  select.value = value || "";
+  updateSelectPlaceholder(select, placeholderClass);
+  return select;
+}
+
+function createSchemaDialogDefaultControls(prefix, index, expressions, column) {
+  var defaultDetails = document.createElement("details");
+  defaultDetails.className = prefix + "-default-options";
+  defaultDetails.open = !!(
+    column &&
+    (column.defaultValue || column.defaultExpr)
+  );
+  var summary = document.createElement("summary");
+  summary.textContent = "Set a default value";
+  defaultDetails.appendChild(summary);
+
+  var defaultGrid = document.createElement("div");
+  defaultGrid.className = prefix + "-default-grid";
+
+  var defaultExprId = prefix + "-column-default-expr-" + index;
+  var defaultExprField = document.createElement("div");
+  defaultExprField.className = prefix + "-detail-field";
+  var defaultExprLabel = document.createElement("label");
+  defaultExprLabel.className = prefix + "-detail-label";
+  defaultExprLabel.setAttribute("for", defaultExprId);
+  defaultExprLabel.textContent = "Default expression";
+  var defaultExprSelect = createDefaultExpressionSelect(
+    expressions,
+    prefix + "-input " + prefix + "-default-expr",
+    prefix + "-input-placeholder",
+    column && column.defaultExpr,
+  );
+  defaultExprSelect.id = defaultExprId;
+  defaultExprSelect.setAttribute("aria-label", "Default expression");
+  defaultExprField.appendChild(defaultExprLabel);
+  defaultExprField.appendChild(defaultExprSelect);
+
+  var defaultId = prefix + "-column-default-" + index;
+  var defaultField = document.createElement("div");
+  defaultField.className = prefix + "-detail-field";
+  var defaultLabel = document.createElement("label");
+  defaultLabel.className = prefix + "-detail-label";
+  defaultLabel.setAttribute("for", defaultId);
+  defaultLabel.textContent = "or default to a specific value";
+  var defaultInput = document.createElement("input");
+  defaultInput.id = defaultId;
+  defaultInput.className = prefix + "-input " + prefix + "-default";
+  defaultInput.type = "text";
+  defaultInput.autocomplete = "off";
+  defaultInput.placeholder = "default";
+  defaultInput.setAttribute("aria-label", "or default to a specific value");
+  defaultInput.value = column && column.defaultValue ? column.defaultValue : "";
+  defaultField.appendChild(defaultLabel);
+  defaultField.appendChild(defaultInput);
+
+  defaultGrid.appendChild(defaultExprField);
+  defaultGrid.appendChild(defaultField);
+  defaultDetails.appendChild(defaultGrid);
+
+  return {
+    controls: defaultDetails,
+    defaultInput: defaultInput,
+    defaultExprSelect: defaultExprSelect,
+  };
+}
+
+function syncSchemaDialogDefaultControls(row, prefix) {
+  if (!row) {
+    return;
+  }
+  var defaultInput = row.querySelector("." + prefix + "-default");
+  var defaultExprSelect = row.querySelector("." + prefix + "-default-expr");
+  if (!defaultInput || !defaultExprSelect) {
+    return;
+  }
+  updateSelectPlaceholder(defaultExprSelect, prefix + "-input-placeholder");
+}
+
+var COLUMN_MOVE_ICONS = {
+  top: '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m18 17-6-6-6 6"></path><path d="m18 11-6-6-6 6"></path></svg>',
+  up: '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m18 15-6-6-6 6"></path></svg>',
+  down: '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m6 9 6 6 6-6"></path></svg>',
+  bottom:
+    '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="m6 7 6 6 6-6"></path><path d="m6 13 6 6 6-6"></path></svg>',
+  remove:
+    '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M3 6h18"></path><path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"></path><path d="M19 6l-1 14a2 2 0 0 1-2 2H8a2 2 0 0 1-2-2L5 6"></path></svg>',
+};
+
+function createSchemaDialogIconButton(prefix, modifier, ariaLabel, title, svg) {
+  var button = document.createElement("button");
+  button.type = "button";
+  button.className = prefix + "-icon-button " + prefix + "-" + modifier;
+  button.setAttribute("aria-label", ariaLabel);
+  button.title = title;
+  button.dataset.defaultTitle = title;
+  button.innerHTML = svg;
+  return button;
+}
+
+function createSchemaDialogMoveControls(prefix) {
+  var moveControls = document.createElement("div");
+  moveControls.className = prefix + "-move-controls";
+
+  var moveTopButton = createSchemaDialogIconButton(
+    prefix,
+    "move-top",
+    "Move column to top",
+    "Move column to top",
+    COLUMN_MOVE_ICONS.top,
+  );
+  var moveUpButton = createSchemaDialogIconButton(
+    prefix,
+    "move-up",
+    "Move column up",
+    "Move column up",
+    COLUMN_MOVE_ICONS.up,
+  );
+  var moveDownButton = createSchemaDialogIconButton(
+    prefix,
+    "move-down",
+    "Move column down",
+    "Move column down",
+    COLUMN_MOVE_ICONS.down,
+  );
+  var moveBottomButton = createSchemaDialogIconButton(
+    prefix,
+    "move-bottom",
+    "Move column to bottom",
+    "Move column to bottom",
+    COLUMN_MOVE_ICONS.bottom,
+  );
+
+  moveControls.appendChild(moveTopButton);
+  moveControls.appendChild(moveUpButton);
+  moveControls.appendChild(moveDownButton);
+  moveControls.appendChild(moveBottomButton);
+
+  return {
+    controls: moveControls,
+    topButton: moveTopButton,
+    upButton: moveUpButton,
+    downButton: moveDownButton,
+    bottomButton: moveBottomButton,
+  };
+}
+
+function createSchemaDialogMoreOptionsButton(prefix, details) {
+  var expandButton = document.createElement("button");
+  expandButton.type = "button";
+  expandButton.className = prefix + "-more-options";
+  expandButton.setAttribute("aria-label", "Toggle column settings");
+  expandButton.setAttribute("aria-controls", details.id);
+  expandButton.setAttribute("aria-expanded", details.hidden ? "false" : "true");
+  updateSchemaDialogMoreOptionsButton(expandButton);
+  return expandButton;
+}
+
+function updateSchemaDialogMoreOptionsButton(button) {
+  var isExpanded = button.getAttribute("aria-expanded") === "true";
+  button.textContent = isExpanded ? "v Hide options" : "> Advanced options";
+  button.title = isExpanded ? "Hide column settings" : "Show column settings";
+}
+
+function toggleSchemaDialogMoreOptions(button, details) {
+  var isExpanded = button.getAttribute("aria-expanded") === "true";
+  details.hidden = isExpanded;
+  button.setAttribute("aria-expanded", isExpanded ? "false" : "true");
+  updateSchemaDialogMoreOptionsButton(button);
+}
+
+function schemaDialogRows(state, prefix) {
+  return Array.prototype.slice.call(
+    state.columnList.querySelectorAll("." + prefix + "-column-row"),
+  );
+}
+
+function schemaDialogRowIsPrimaryKey(row, prefix) {
+  var input = row && row.querySelector("." + prefix + "-primary-key-input");
+  return !!(input && input.checked);
+}
+
+function schemaDialogFirstNonPrimaryRow(state, prefix) {
+  var rows = schemaDialogRows(state, prefix);
+  for (var i = 0; i < rows.length; i += 1) {
+    if (!schemaDialogRowIsPrimaryKey(rows[i], prefix)) {
+      return rows[i];
+    }
+  }
+  return null;
+}
+
+function updateSchemaDialogMoveButtons(state, prefix) {
+  if (!state || !state.columnList) {
+    return;
+  }
+  var firstNonPrimary = schemaDialogFirstNonPrimaryRow(state, prefix);
+  var rows = schemaDialogRows(state, prefix);
+  var hasPrimaryKeys = rows.some(function (row) {
+    return schemaDialogRowIsPrimaryKey(row, prefix);
+  });
+  var primaryKeyMoveTitle = "Primary key columns are always listed first";
+  rows.forEach(function (row) {
+    var isPrimaryKey = schemaDialogRowIsPrimaryKey(row, prefix);
+    var previous = row.previousElementSibling;
+    var next = row.nextElementSibling;
+    row
+      .querySelectorAll("." + prefix + "-move-controls button")
+      .forEach(function (button) {
+        button.title = button.dataset.defaultTitle || button.title;
+        button.disabled = state.isSaving || isPrimaryKey;
+        if (isPrimaryKey) {
+          button.title = primaryKeyMoveTitle;
+        }
+      });
+    if (!isPrimaryKey) {
+      var topButton = row.querySelector("." + prefix + "-move-top");
+      var upButton = row.querySelector("." + prefix + "-move-up");
+      var downButton = row.querySelector("." + prefix + "-move-down");
+      var bottomButton = row.querySelector("." + prefix + "-move-bottom");
+      topButton.disabled =
+        state.isSaving || !firstNonPrimary || row === firstNonPrimary;
+      upButton.disabled =
+        state.isSaving ||
+        !previous ||
+        schemaDialogRowIsPrimaryKey(previous, prefix);
+      downButton.disabled = state.isSaving || !next;
+      bottomButton.disabled = state.isSaving || !next;
+      if (hasPrimaryKeys && row === firstNonPrimary) {
+        topButton.title = primaryKeyMoveTitle;
+        upButton.title = primaryKeyMoveTitle;
+      }
+    }
+  });
+}
+
+function normalizeSchemaDialogPrimaryKeyRows(state, prefix) {
+  var rows = schemaDialogRows(state, prefix);
+  rows
+    .filter(function (row) {
+      return schemaDialogRowIsPrimaryKey(row, prefix);
+    })
+    .concat(
+      rows.filter(function (row) {
+        return !schemaDialogRowIsPrimaryKey(row, prefix);
+      }),
+    )
+    .forEach(function (row) {
+      state.columnList.appendChild(row);
+    });
+}
+
+function tableCreateCustomColumnTypes() {
+  var data = databaseCreateTableData() || {};
+  return data.customColumnTypes || [];
+}
+
+function tableCreateCustomColumnType(name) {
+  var options = tableCreateCustomColumnTypes();
+  for (var i = 0; i < options.length; i += 1) {
+    if (options[i].name === name) {
+      return options[i];
+    }
+  }
+  return null;
+}
+
+function tableCreateCustomTypeAppliesToSqliteType(option, sqliteType) {
+  return (
+    option &&
+    option.sqliteTypes &&
+    option.sqliteTypes.indexOf(sqliteType) !== -1
+  );
+}
+
+function tableCreateDialogRows(state) {
+  return schemaDialogRows(state, "table-create");
+}
+
+function tableCreateRowIsPrimaryKey(row) {
+  return schemaDialogRowIsPrimaryKey(row, "table-create");
+}
+
+function tableCreateFirstNonPrimaryRow(state) {
+  return schemaDialogFirstNonPrimaryRow(state, "table-create");
+}
+
+function updateTableCreateMoveButtons(state) {
+  updateSchemaDialogMoveButtons(state, "table-create");
+}
+
+function schemaDialogTypeAffinity(type) {
+  if (type === "float") {
+    return "real";
+  }
+  return type;
+}
+
+function foreignKeyTypesCompatible(sourceAffinity, targetAffinity) {
+  if (sourceAffinity === targetAffinity) {
+    return true;
+  }
+  var numericAffinities = ["integer", "real", "numeric"];
+  if (sourceAffinity === "numeric") {
+    return numericAffinities.indexOf(targetAffinity) !== -1;
+  }
+  if (targetAffinity === "numeric") {
+    return numericAffinities.indexOf(sourceAffinity) !== -1;
+  }
+  return false;
+}
+
+function foreignKeyTargetKey(target) {
+  return target.fk_table + "\u001f" + target.fk_column;
+}
+
+function foreignKeyTargetLabel(target) {
+  return (
+    target.fk_table +
+    "." +
+    target.fk_column +
+    " (" +
+    sqliteColumnTypeLabel(target.type) +
+    ")"
+  );
+}
+
+function appendForeignKeyTargetOption(select, target) {
+  var optionElement = document.createElement("option");
+  optionElement.value = foreignKeyTargetKey(target);
+  optionElement.dataset.fkTable = target.fk_table;
+  optionElement.dataset.fkColumn = target.fk_column;
+  optionElement.dataset.fkType = target.type;
+  optionElement.textContent = foreignKeyTargetLabel(target);
+  select.appendChild(optionElement);
+  return optionElement;
+}
+
+function sqliteColumnTypeForForeignKeyTarget(type) {
+  var affinity = schemaDialogTypeAffinity(type);
+  if (affinity === "real" || affinity === "numeric") {
+    return "float";
+  }
+  if (["text", "integer", "blob"].indexOf(affinity) !== -1) {
+    return affinity;
+  }
+  return "";
+}
+
+function selectedSchemaDialogForeignKeyOption(foreignKeySelect) {
+  return foreignKeySelect && foreignKeySelect.selectedOptions
+    ? foreignKeySelect.selectedOptions[0]
+    : null;
+}
+
+function setBlankSchemaDialogColumnNameFromForeignKey(
+  row,
+  prefix,
+  foreignKeyOption,
+) {
+  var nameInput = row.querySelector("." + prefix + "-column-name");
+  if (
+    nameInput &&
+    !nameInput.value.trim() &&
+    foreignKeyOption &&
+    foreignKeyOption.dataset.fkTable &&
+    foreignKeyOption.dataset.fkColumn
+  ) {
+    nameInput.value =
+      foreignKeyOption.dataset.fkTable +
+      "_" +
+      foreignKeyOption.dataset.fkColumn;
+  }
+}
+
+function tableCreateForeignKeyTargetsUrl() {
+  var data = databaseCreateTableData() || {};
+  if (data.foreignKeyTargetsPath) {
+    return data.foreignKeyTargetsPath;
+  }
+  if (!data.path) {
+    return null;
+  }
+  return data.path.replace(/\/-\/create$/, "/-/foreign-key-targets");
+}
+
+function populateSchemaDialogForeignKeySelect(
+  select,
+  state,
+  prefix,
+  sourceType,
+  options,
+) {
+  options = options || {};
+  var previousKey = select.value || select.dataset.selectedKey || "";
+  select.textContent = "";
+
+  var blankOption = document.createElement("option");
+  blankOption.value = "";
+  blankOption.textContent = "- no foreign key -";
+  select.appendChild(blankOption);
+
+  if (state.foreignKeyTargetsLoading) {
+    var loadingOption = document.createElement("option");
+    loadingOption.value = "";
+    loadingOption.disabled = true;
+    loadingOption.textContent = "Loading foreign keys...";
+    select.appendChild(loadingOption);
+  } else if (state.foreignKeyTargetsError) {
+    var errorOption = document.createElement("option");
+    errorOption.value = "";
+    errorOption.disabled = true;
+    errorOption.textContent = "Could not load foreign keys";
+    select.appendChild(errorOption);
+  } else {
+    var sourceAffinity = schemaDialogTypeAffinity(sourceType);
+    (state.foreignKeyTargets || []).forEach(function (target) {
+      if (
+        options.filterByType !== false &&
+        !foreignKeyTypesCompatible(sourceAffinity, target.type)
+      ) {
+        return;
+      }
+      appendForeignKeyTargetOption(select, target);
+    });
+  }
+
+  select.value = previousKey;
+  if (
+    previousKey &&
+    select.value !== previousKey &&
+    select.dataset.currentFkTable &&
+    select.dataset.currentFkColumn
+  ) {
+    appendForeignKeyTargetOption(select, {
+      fk_table: select.dataset.currentFkTable,
+      fk_column: select.dataset.currentFkColumn,
+      type: select.dataset.currentFkType || sourceType,
+    });
+    select.value = previousKey;
+  }
+  if (select.value !== previousKey) {
+    select.value = "";
+  }
+  select.dataset.selectedKey = select.value;
+  select.disabled = state.isSaving || select.options.length <= 1;
+  updateSelectPlaceholder(select, prefix + "-input-placeholder");
+}
+
+function syncSchemaDialogForeignKeyOptions(row, state, prefix, options) {
+  var typeSelect = row.querySelector("." + prefix + "-column-type");
+  var foreignKeySelect = row.querySelector(
+    "." + prefix + "-foreign-key-target",
+  );
+  if (!typeSelect || !foreignKeySelect) {
+    return;
+  }
+  populateSchemaDialogForeignKeySelect(
+    foreignKeySelect,
+    state,
+    prefix,
+    typeSelect.value,
+    options,
+  );
+}
+
+function syncSchemaDialogCustomTypeAndForeignKey(row, state, prefix) {
+  var customTypeSelect = row.querySelector(
+    "." + prefix + "-custom-column-type",
+  );
+  var foreignKeySelect = row.querySelector(
+    "." + prefix + "-foreign-key-target",
+  );
+  if (!foreignKeySelect) {
+    return;
+  }
+
+  var hasCustomType = customTypeSelect && !!customTypeSelect.value;
+  var hasForeignKey = !!foreignKeySelect.value;
+
+  if (customTypeSelect && hasForeignKey) {
+    customTypeSelect.value = "";
+    updateSelectPlaceholder(customTypeSelect, prefix + "-input-placeholder");
+    hasCustomType = false;
+  }
+
+  if (hasCustomType) {
+    foreignKeySelect.value = "";
+    foreignKeySelect.dataset.selectedKey = "";
+    updateSelectPlaceholder(foreignKeySelect, prefix + "-input-placeholder");
+    hasForeignKey = false;
+  }
+
+  if (customTypeSelect) {
+    customTypeSelect.disabled = state.isSaving;
+  }
+  foreignKeySelect.disabled =
+    state.isSaving || foreignKeySelect.options.length <= 1;
+}
+
+function handleSchemaDialogForeignKeyChange(row, state, prefix, options) {
+  options = options || {};
+  var foreignKeySelect = row.querySelector(
+    "." + prefix + "-foreign-key-target",
+  );
+  var typeSelect = row.querySelector("." + prefix + "-column-type");
+  var customTypeSelect = row.querySelector(
+    "." + prefix + "-custom-column-type",
+  );
+  if (!foreignKeySelect) {
+    return;
+  }
+  foreignKeySelect.dataset.selectedKey = foreignKeySelect.value;
+  updateSelectPlaceholder(foreignKeySelect, prefix + "-input-placeholder");
+
+  var foreignKeyOption = selectedSchemaDialogForeignKeyOption(foreignKeySelect);
+  setBlankSchemaDialogColumnNameFromForeignKey(row, prefix, foreignKeyOption);
+
+  var columnTypes = options.columnTypes || [];
+  var foreignKeyColumnType =
+    foreignKeyOption && foreignKeyOption.dataset.fkType
+      ? sqliteColumnTypeForForeignKeyTarget(foreignKeyOption.dataset.fkType)
+      : "";
+  if (
+    options.matchType &&
+    typeSelect &&
+    foreignKeyColumnType &&
+    columnTypes.indexOf(foreignKeyColumnType) !== -1 &&
+    typeSelect.value !== foreignKeyColumnType
+  ) {
+    typeSelect.value = foreignKeyColumnType;
+    syncSchemaDialogForeignKeyOptions(
+      row,
+      state,
+      prefix,
+      options.foreignKeyOptions,
+    );
+  }
+
+  if (customTypeSelect && foreignKeySelect.value) {
+    customTypeSelect.value = "";
+    updateSelectPlaceholder(customTypeSelect, prefix + "-input-placeholder");
+  }
+  syncSchemaDialogCustomTypeAndForeignKey(row, state, prefix);
+}
+
+function refreshSchemaDialogForeignKeyControls(state, prefix, options) {
+  schemaDialogRows(state, prefix).forEach(function (row) {
+    syncSchemaDialogForeignKeyOptions(row, state, prefix, options);
+    syncSchemaDialogCustomTypeAndForeignKey(row, state, prefix);
+  });
+}
+
+async function loadSchemaDialogForeignKeyTargets(state, prefix, url, options) {
+  if (!url || !window.fetch) {
+    state.foreignKeyTargets = [];
+    state.foreignKeyTargetsLoading = false;
+    refreshSchemaDialogForeignKeyControls(state, prefix, options);
+    return;
+  }
+  state.foreignKeyTargets = [];
+  state.foreignKeyTargetsError = null;
+  state.foreignKeyTargetsLoading = true;
+  refreshSchemaDialogForeignKeyControls(state, prefix, options);
+  try {
+    var response = await fetch(url, {
+      headers: {
+        Accept: "application/json",
+      },
+    });
+    var data = await response.json();
+    if (!response.ok || data.ok === false) {
+      throw rowMutationRequestError(response, data);
+    }
+    state.foreignKeyTargets = data.targets || [];
+  } catch (error) {
+    state.foreignKeyTargets = [];
+    state.foreignKeyTargetsError = error;
+  } finally {
+    state.foreignKeyTargetsLoading = false;
+    refreshSchemaDialogForeignKeyControls(state, prefix, options);
+  }
+}
+
+function syncTableCreateForeignKeyOptions(row, state) {
+  syncSchemaDialogForeignKeyOptions(row, state, "table-create", {
+    filterByType: false,
+  });
+}
+
+function syncTableCreateCustomTypeAndForeignKey(row, state) {
+  syncSchemaDialogCustomTypeAndForeignKey(row, state, "table-create");
+}
+
+function refreshTableCreateForeignKeyControls(state) {
+  tableCreateDialogRows(state).forEach(function (row) {
+    syncTableCreateForeignKeyOptions(row, state);
+    syncTableCreateCustomTypeAndForeignKey(row, state);
+  });
+}
+
+function updateTableCreateColumnRules(state) {
+  normalizeSchemaDialogPrimaryKeyRows(state, "table-create");
+  tableCreateDialogRows(state).forEach(function (row) {
+    syncTableCreateForeignKeyOptions(row, state);
+    syncTableCreateCustomTypeAndForeignKey(row, state);
+    syncSchemaDialogDefaultControls(row, "table-create");
+  });
+  updateTableCreateMoveButtons(state);
+}
+
+async function loadTableCreateForeignKeyTargets(state) {
+  return loadSchemaDialogForeignKeyTargets(
+    state,
+    "table-create",
+    tableCreateForeignKeyTargetsUrl(),
+    { filterByType: false },
+  );
+}
+
+function tableCreateDialogSignature(state) {
+  if (!state || !state.form) {
+    return "";
+  }
+  return JSON.stringify({
+    table: state.tableName.value,
+    columns: tableCreateDialogRows(state).map(function (row) {
+      return {
+        name: row.querySelector(".table-create-column-name").value,
+        type: row.querySelector(".table-create-column-type").value,
+        customType:
+          (
+            row.querySelector(".table-create-custom-column-type") || {
+              value: "",
+            }
+          ).value || "",
+        pk: row.querySelector(".table-create-primary-key-input").checked,
+        notNull: row.querySelector(".table-create-not-null-input").checked,
+        defaultValue: row.querySelector(".table-create-default").value,
+        defaultExpr: row.querySelector(".table-create-default-expr").value,
+        foreignKey:
+          (
+            row.querySelector(".table-create-foreign-key-target") || {
+              value: "",
+            }
+          ).value || "",
+      };
+    }),
+  });
+}
+
+function tableCreateDialogHasChanges(state) {
+  return (
+    !!state &&
+    !state.isSaving &&
+    tableCreateDialogSignature(state) !== state.initialSignature
+  );
+}
+
+function clearTableCreateDialogError(state) {
+  state.error.hidden = true;
+  state.error.textContent = "";
+  state.dialog.removeAttribute("aria-describedby");
+}
+
+function showTableCreateDialogError(state, message) {
+  state.error.hidden = false;
+  state.error.textContent = message;
+  state.dialog.setAttribute("aria-describedby", "table-create-error");
+  state.error.focus();
+}
+
+function setTableCreateDialogSaving(state, isSaving) {
+  state.isSaving = isSaving;
+  state.cancelButton.disabled = isSaving;
+  state.saveButton.disabled = isSaving;
+  state.addColumnButton.disabled = isSaving;
+  state.saveButton.textContent = isSaving ? "Creating..." : "Create table";
+  state.columnList
+    .querySelectorAll("input, select, button")
+    .forEach(function (control) {
+      control.disabled = isSaving;
+    });
+  if (!isSaving) {
+    updateTableCreateColumnRules(state);
+  }
+  updateTableCreateMoveButtons(state);
+}
+
+function tableCreateSelectTypeValue(select, type) {
+  var options = tableCreateColumnTypes();
+  populateSqliteColumnTypeSelect(select, type, options);
+}
+
+function updateTableCreateCustomColumnTypePlaceholder(select) {
+  updateSelectPlaceholder(select, "table-create-input-placeholder");
+}
+
+function createTableCustomColumnTypeSelect() {
+  var options = tableCreateCustomColumnTypes();
+  return createCustomColumnTypeSelect(
+    options,
+    "table-create-input table-create-custom-column-type",
+    "table-create-input-placeholder",
+  );
+}
+
+function syncTableCreateCustomTypeForSqliteType(row) {
+  var typeSelect = row.querySelector(".table-create-column-type");
+  var customTypeSelect = row.querySelector(".table-create-custom-column-type");
+  if (!typeSelect || !customTypeSelect || !customTypeSelect.value) {
+    return;
+  }
+  var option = tableCreateCustomColumnType(customTypeSelect.value);
+  if (!tableCreateCustomTypeAppliesToSqliteType(option, typeSelect.value)) {
+    customTypeSelect.value = "";
+    updateTableCreateCustomColumnTypePlaceholder(customTypeSelect);
+  }
+}
+
+function createTableColumnRow(state, column) {
+  var index = state.nextColumnIndex;
+  state.nextColumnIndex += 1;
+
+  var row = document.createElement("div");
+  row.className = "table-create-column-row";
+
+  var main = document.createElement("div");
+  main.className = "table-create-column-main";
+
+  var details = document.createElement("div");
+  details.className = "table-create-column-details";
+  details.id = "table-create-column-details-" + index;
+  details.hidden = !(column && column.expanded);
+
+  var expandButton = createSchemaDialogMoreOptionsButton(
+    "table-create",
+    details,
+  );
+
+  var nameId = "table-create-column-name-" + index;
+  var nameLabel = document.createElement("label");
+  nameLabel.className = "table-create-column-label";
+  nameLabel.setAttribute("for", nameId);
+  nameLabel.textContent = "Column";
+
+  var nameInput = document.createElement("input");
+  nameInput.id = nameId;
+  nameInput.className = "table-create-input table-create-column-name";
+  nameInput.type = "text";
+  nameInput.required = true;
+  nameInput.autocomplete = "off";
+  nameInput.placeholder = "column name";
+  nameInput.value = column && column.name ? column.name : "";
+
+  var typeSelect = document.createElement("select");
+  typeSelect.className = "table-create-input table-create-column-type";
+  typeSelect.setAttribute("aria-label", "Column type");
+  tableCreateSelectTypeValue(typeSelect, column && column.type);
+
+  var customTypeSelect = null;
+  var customTypeField = null;
+  if (tableCreateCustomColumnTypes().length) {
+    var customTypeId = "table-create-column-custom-type-" + index;
+    customTypeField = document.createElement("div");
+    customTypeField.className =
+      "table-create-detail-field table-create-custom-type-field";
+    var customTypeLabel = document.createElement("label");
+    customTypeLabel.className = "table-create-detail-label";
+    customTypeLabel.setAttribute("for", customTypeId);
+    customTypeLabel.textContent = "Custom type";
+    var customTypeHelpId = "table-create-column-custom-type-help-" + index;
+    var customTypeHelp = document.createElement("p");
+    customTypeHelp.id = customTypeHelpId;
+    customTypeHelp.className = "table-create-detail-help";
+    customTypeHelp.textContent =
+      "Controls how Datasette displays and edits this column";
+    customTypeSelect = createTableCustomColumnTypeSelect();
+    customTypeSelect.id = customTypeId;
+    customTypeSelect.setAttribute("aria-describedby", customTypeHelpId);
+    customTypeSelect.value =
+      column && column.customType ? column.customType : "";
+    updateTableCreateCustomColumnTypePlaceholder(customTypeSelect);
+    customTypeField.appendChild(customTypeLabel);
+    customTypeField.appendChild(customTypeHelp);
+    customTypeField.appendChild(customTypeSelect);
+  }
+
+  var pkLabel = document.createElement("label");
+  pkLabel.className = "table-create-detail-check table-create-primary-key";
+  var pkInput = document.createElement("input");
+  pkInput.type = "checkbox";
+  pkInput.className = "table-create-primary-key-input";
+  pkInput.checked = !!(column && column.primaryKey);
+  var pkText = document.createElement("span");
+  var pkStrong = document.createElement("strong");
+  pkStrong.textContent = "Primary key";
+  pkText.appendChild(pkStrong);
+  pkText.appendChild(
+    document.createTextNode(" This ID uniquely identifies the record"),
+  );
+  pkLabel.appendChild(pkInput);
+  pkLabel.appendChild(pkText);
+
+  var foreignKeyId = "table-create-column-foreign-key-" + index;
+  var foreignKeyHelpId = "table-create-column-foreign-key-help-" + index;
+  var foreignKeyField = document.createElement("div");
+  foreignKeyField.className =
+    "table-create-detail-field table-create-foreign-key-field";
+  var foreignKeyLabel = document.createElement("label");
+  foreignKeyLabel.className = "table-create-detail-label";
+  foreignKeyLabel.setAttribute("for", foreignKeyId);
+  foreignKeyLabel.textContent = "Foreign key";
+  var foreignKeyHelp = document.createElement("p");
+  foreignKeyHelp.id = foreignKeyHelpId;
+  foreignKeyHelp.className = "table-create-detail-help";
+  foreignKeyHelp.textContent = "Link this column to another table.";
+  var foreignKeySelect = document.createElement("select");
+  foreignKeySelect.id = foreignKeyId;
+  foreignKeySelect.className =
+    "table-create-input table-create-foreign-key-target";
+  foreignKeySelect.setAttribute("aria-label", "Foreign key target");
+  foreignKeySelect.setAttribute("aria-describedby", foreignKeyHelpId);
+  foreignKeyField.appendChild(foreignKeyLabel);
+  foreignKeyField.appendChild(foreignKeyHelp);
+  foreignKeyField.appendChild(foreignKeySelect);
+
+  var notNullLabel = document.createElement("label");
+  notNullLabel.className = "table-create-detail-check table-create-not-null";
+  var notNullInput = document.createElement("input");
+  notNullInput.type = "checkbox";
+  notNullInput.className = "table-create-not-null-input";
+  notNullInput.checked = !!(column && column.notNull);
+  var notNullText = document.createElement("span");
+  var notNullStrong = document.createElement("strong");
+  notNullStrong.textContent = "Not null";
+  notNullText.appendChild(notNullStrong);
+  notNullText.appendChild(
+    document.createTextNode(" This value cannot be left unset"),
+  );
+  notNullLabel.appendChild(notNullInput);
+  notNullLabel.appendChild(notNullText);
+
+  var defaultControls = createSchemaDialogDefaultControls(
+    "table-create",
+    index,
+    tableCreateDefaultExpressions(),
+    {
+      defaultValue: column && column.defaultValue,
+      defaultExpr: column && column.defaultExpr,
+    },
+  );
+
+  var moveControls = createSchemaDialogMoveControls("table-create");
+
+  var removeButton = createSchemaDialogIconButton(
+    "table-create",
+    "remove-column",
+    "Remove column",
+    "Remove column",
+    COLUMN_MOVE_ICONS.remove,
+  );
+
+  main.appendChild(nameLabel);
+  main.appendChild(nameInput);
+  main.appendChild(typeSelect);
+  main.appendChild(moveControls.controls);
+  main.appendChild(removeButton);
+  main.appendChild(expandButton);
+
+  if (customTypeField) {
+    details.appendChild(customTypeField);
+  }
+  details.appendChild(defaultControls.controls);
+  details.appendChild(notNullLabel);
+  details.appendChild(pkLabel);
+  details.appendChild(foreignKeyField);
+  row.appendChild(main);
+  row.appendChild(details);
+
+  removeButton.addEventListener("click", function () {
+    if (state.isSaving) {
+      return;
+    }
+    row.remove();
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+    var nextInput = state.columnList.querySelector(".table-create-column-name");
+    if (nextInput) {
+      nextInput.focus();
+    } else {
+      state.addColumnButton.focus();
+    }
+  });
+
+  nameInput.addEventListener("input", function () {
+    clearTableCreateDialogError(state);
+  });
+  typeSelect.addEventListener("change", function () {
+    clearTableCreateDialogError(state);
+    syncTableCreateCustomTypeForSqliteType(row);
+    syncTableCreateForeignKeyOptions(row, state);
+    syncTableCreateCustomTypeAndForeignKey(row, state);
+  });
+  if (customTypeSelect) {
+    customTypeSelect.addEventListener("change", function () {
+      clearTableCreateDialogError(state);
+      updateTableCreateCustomColumnTypePlaceholder(customTypeSelect);
+      if (customTypeSelect.value) {
+        foreignKeySelect.value = "";
+        foreignKeySelect.dataset.selectedKey = "";
+      }
+      var option = tableCreateCustomColumnType(customTypeSelect.value);
+      if (
+        option &&
+        option.fixedSqliteType &&
+        tableCreateColumnTypes().indexOf(option.fixedSqliteType) !== -1
+      ) {
+        typeSelect.value = option.fixedSqliteType;
+        syncTableCreateForeignKeyOptions(row, state);
+      }
+      syncTableCreateCustomTypeAndForeignKey(row, state);
+    });
+  }
+  pkInput.addEventListener("change", function () {
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+  });
+  notNullInput.addEventListener("change", function () {
+    clearTableCreateDialogError(state);
+  });
+  defaultControls.defaultInput.addEventListener("input", function () {
+    if (defaultControls.defaultInput.value) {
+      defaultControls.defaultExprSelect.value = "";
+      syncSchemaDialogDefaultControls(row, "table-create");
+    }
+    clearTableCreateDialogError(state);
+  });
+  defaultControls.defaultExprSelect.addEventListener("change", function () {
+    if (defaultControls.defaultExprSelect.value) {
+      defaultControls.defaultInput.value = "";
+    }
+    if (
+      applyDefaultExpressionColumnType(
+        row,
+        "table-create",
+        tableCreateDefaultExpressions(),
+        tableCreateColumnTypes(),
+      )
+    ) {
+      syncTableCreateCustomTypeForSqliteType(row);
+      syncTableCreateForeignKeyOptions(row, state);
+      syncTableCreateCustomTypeAndForeignKey(row, state);
+    }
+    syncSchemaDialogDefaultControls(row, "table-create");
+    clearTableCreateDialogError(state);
+  });
+  foreignKeySelect.addEventListener("change", function () {
+    clearTableCreateDialogError(state);
+    handleSchemaDialogForeignKeyChange(row, state, "table-create", {
+      columnTypes: tableCreateColumnTypes(),
+      foreignKeyOptions: { filterByType: false },
+      matchType: true,
+    });
+  });
+
+  expandButton.addEventListener("click", function () {
+    toggleSchemaDialogMoreOptions(expandButton, details);
+  });
+
+  moveControls.topButton.addEventListener("click", function () {
+    var first = tableCreateFirstNonPrimaryRow(state);
+    if (
+      state.isSaving ||
+      tableCreateRowIsPrimaryKey(row) ||
+      !first ||
+      first === row
+    ) {
+      return;
+    }
+    state.columnList.insertBefore(row, first);
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+    row.querySelector(".table-create-column-name").focus();
+  });
+
+  moveControls.upButton.addEventListener("click", function () {
+    var previous = row.previousElementSibling;
+    if (
+      state.isSaving ||
+      tableCreateRowIsPrimaryKey(row) ||
+      !previous ||
+      tableCreateRowIsPrimaryKey(previous)
+    ) {
+      return;
+    }
+    state.columnList.insertBefore(row, previous);
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+    row.querySelector(".table-create-column-name").focus();
+  });
+
+  moveControls.downButton.addEventListener("click", function () {
+    var next = row.nextElementSibling;
+    if (state.isSaving || tableCreateRowIsPrimaryKey(row) || !next) {
+      return;
+    }
+    state.columnList.insertBefore(next, row);
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+    row.querySelector(".table-create-column-name").focus();
+  });
+
+  moveControls.bottomButton.addEventListener("click", function () {
+    var last = state.columnList.lastElementChild;
+    if (
+      state.isSaving ||
+      tableCreateRowIsPrimaryKey(row) ||
+      !last ||
+      last === row
+    ) {
+      return;
+    }
+    state.columnList.appendChild(row);
+    clearTableCreateDialogError(state);
+    updateTableCreateColumnRules(state);
+    row.querySelector(".table-create-column-name").focus();
+  });
+
+  syncSchemaDialogDefaultControls(row, "table-create");
+  return row;
+}
+
+function addTableCreateColumn(state, column) {
+  var row = createTableColumnRow(state, column || { type: "text" });
+  state.columnList.appendChild(row);
+  updateTableCreateColumnRules(state);
+  return row;
+}
+
+function resetTableCreateDialog(state) {
+  state.nextColumnIndex = 0;
+  state.tableName.value = "";
+  state.columnList.textContent = "";
+  addTableCreateColumn(state, {
+    name: "id",
+    type: "integer",
+    primaryKey: true,
+  });
+  addTableCreateColumn(state, {
+    name: "",
+    type: "text",
+    primaryKey: false,
+  });
+  updateTableCreateColumnRules(state);
+  state.initialSignature = tableCreateDialogSignature(state);
+}
+
+function collectTableCreatePayload(state) {
+  var payload = {
+    table: state.tableName.value.trim(),
+    columns: [],
+  };
+  var primaryKeys = [];
+  tableCreateDialogRows(state).forEach(function (row) {
+    var name = row.querySelector(".table-create-column-name").value.trim();
+    var type = row.querySelector(".table-create-column-type").value;
+    var column = { name: name, type: type };
+    var foreignKeySelect = row.querySelector(
+      ".table-create-foreign-key-target",
+    );
+    var foreignKeyOption =
+      foreignKeySelect && foreignKeySelect.selectedOptions
+        ? foreignKeySelect.selectedOptions[0]
+        : null;
+    if (
+      foreignKeyOption &&
+      foreignKeyOption.dataset.fkTable &&
+      foreignKeyOption.dataset.fkColumn
+    ) {
+      column.fk_table = foreignKeyOption.dataset.fkTable;
+      column.fk_column = foreignKeyOption.dataset.fkColumn;
+    }
+    if (row.querySelector(".table-create-not-null-input").checked) {
+      column.not_null = true;
+    }
+    var defaultExpr = row.querySelector(".table-create-default-expr").value;
+    var defaultValue = row.querySelector(".table-create-default").value;
+    if (defaultExpr) {
+      column.default_expr = defaultExpr;
+    } else if (defaultValue) {
+      column.default = defaultValue;
+    }
+    payload.columns.push(column);
+    if (row.querySelector(".table-create-primary-key-input").checked) {
+      primaryKeys.push(name);
+    }
+  });
+  if (primaryKeys.length === 1) {
+    payload.pk = primaryKeys[0];
+  } else if (primaryKeys.length > 1) {
+    payload.pks = primaryKeys;
+  }
+  return payload;
+}
+
+function collectTableCreateColumnTypeAssignments(state) {
+  var assignments = [];
+  tableCreateDialogRows(state).forEach(function (row) {
+    var customTypeSelect = row.querySelector(
+      ".table-create-custom-column-type",
+    );
+    if (!customTypeSelect || !customTypeSelect.value) {
+      return;
+    }
+    assignments.push({
+      column: row.querySelector(".table-create-column-name").value.trim(),
+      columnType: customTypeSelect.value,
+      sqliteType: row.querySelector(".table-create-column-type").value,
+    });
+  });
+  return assignments;
+}
+
+function validateTableCreatePayload(payload) {
+  if (!payload.table) {
+    return "Table name is required.";
+  }
+  if (payload.table.indexOf("\n") !== -1) {
+    return "Table name cannot contain newlines.";
+  }
+  if (/^sqlite_/i.test(payload.table)) {
+    return "Table name cannot start with sqlite_.";
+  }
+  if (!payload.columns.length) {
+    return "At least one column is required.";
+  }
+  var seen = {};
+  var supportedTypes = tableCreateColumnTypes();
+  for (var i = 0; i < payload.columns.length; i += 1) {
+    var column = payload.columns[i];
+    if (!column.name) {
+      return "Column name is required.";
+    }
+    if (column.name.indexOf("\n") !== -1) {
+      return "Column names cannot contain newlines.";
+    }
+    var columnKey = column.name.toLowerCase();
+    if (seen[columnKey]) {
+      return "Duplicate column name: " + column.name;
+    }
+    seen[columnKey] = true;
+    if (supportedTypes.indexOf(column.type) === -1) {
+      return "Unsupported column type: " + column.type;
+    }
+    if (column.default && column.default_expr) {
+      return "Use either a default value or a default expression.";
+    }
+  }
+  return null;
+}
+
+function validateTableCreateColumnTypeAssignments(assignments) {
+  for (var i = 0; i < assignments.length; i += 1) {
+    var assignment = assignments[i];
+    var option = tableCreateCustomColumnType(assignment.columnType);
+    if (!option) {
+      return "Unknown custom column type: " + assignment.columnType;
+    }
+    if (
+      !tableCreateCustomTypeAppliesToSqliteType(option, assignment.sqliteType)
+    ) {
+      return (
+        "Custom type " +
+        assignment.columnType +
+        " cannot be used with SQLite type " +
+        assignment.sqliteType +
+        "."
+      );
+    }
+  }
+  return null;
+}
+
+function fallbackTableUrl(tableName) {
+  var data = databaseCreateTableData() || {};
+  if (!data.path) {
+    return null;
+  }
+  return data.path.replace(/\/-\/create$/, "/" + encodeURIComponent(tableName));
+}
+
+function tableCreateSetColumnTypeUrl(responseData, payload) {
+  var tableUrl =
+    responseData.table_url ||
+    fallbackTableUrl(responseData.table || payload.table);
+  if (!tableUrl) {
+    return null;
+  }
+  var url = new URL(tableUrl, location.href);
+  url.hash = "";
+  url.search = "";
+  url.pathname = url.pathname.replace(/\/$/, "") + "/-/set-column-type";
+  return url.toString();
+}
+
+async function assignTableCreateColumnTypes(
+  responseData,
+  payload,
+  assignments,
+) {
+  if (!assignments.length) {
+    return;
+  }
+  var url = tableCreateSetColumnTypeUrl(responseData, payload);
+  if (!url) {
+    throw new Error("Could not find the set column type URL.");
+  }
+  for (var i = 0; i < assignments.length; i += 1) {
+    var assignment = assignments[i];
+    var response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify({
+        column: assignment.column,
+        column_type: {
+          type: assignment.columnType,
+        },
+      }),
+    });
+    var data = null;
+    try {
+      data = await response.json();
+    } catch (_error) {
+      data = null;
+    }
+    if (!response.ok || (data && data.ok === false)) {
+      var error = rowMutationRequestError(response, data);
+      throw new Error(
+        "Created table, but could not set custom type for " +
+          assignment.column +
+          ": " +
+          error.message,
+      );
+    }
+  }
+}
+
+async function saveTableCreateDialog(state) {
+  if (state.isSaving) {
+    return;
+  }
+  var data = databaseCreateTableData();
+  if (!data || !data.path) {
+    showTableCreateDialogError(state, "Could not find the create table URL.");
+    return;
+  }
+  clearTableCreateDialogError(state);
+  var payload = collectTableCreatePayload(state);
+  var columnTypeAssignments = collectTableCreateColumnTypeAssignments(state);
+  var validationError = validateTableCreatePayload(payload);
+  if (validationError) {
+    showTableCreateDialogError(state, validationError);
+    return;
+  }
+  var columnTypeValidationError = validateTableCreateColumnTypeAssignments(
+    columnTypeAssignments,
+  );
+  if (columnTypeValidationError) {
+    showTableCreateDialogError(state, columnTypeValidationError);
+    return;
+  }
+  setTableCreateDialogSaving(state, true);
+  try {
+    var response = await fetch(data.path, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify(payload),
+    });
+    var responseData = null;
+    try {
+      responseData = await response.json();
+    } catch (_error) {
+      responseData = null;
+    }
+    if (!response.ok || (responseData && responseData.ok === false)) {
+      throw rowMutationRequestError(response, responseData);
+    }
+    await assignTableCreateColumnTypes(
+      responseData,
+      payload,
+      columnTypeAssignments,
+    );
+    var tableUrl =
+      responseData.table_url ||
+      fallbackTableUrl(responseData.table || payload.table);
+    state.shouldRestoreFocus = false;
+    state.dialog.close();
+    if (tableUrl) {
+      location.href = tableUrl;
+    } else {
+      location.reload();
+    }
+  } catch (error) {
+    setTableCreateDialogSaving(state, false);
+    showTableCreateDialogError(
+      state,
+      error.message || "Could not create table",
+    );
+  }
+}
+
+function confirmDiscardTableCreateChanges(state) {
+  if (!tableCreateDialogHasChanges(state)) {
+    return true;
+  }
+  return window.confirm("Discard this new table?");
+}
+
+function closeTableCreateDialogIfConfirmed(state) {
+  if (!state || state.isSaving) {
+    return false;
+  }
+  if (!confirmDiscardTableCreateChanges(state)) {
+    return false;
+  }
+  state.shouldRestoreFocus = true;
+  state.dialog.close();
+  return true;
+}
+
+function ensureTableCreateDialog(manager) {
+  if (tableCreateDialogState) {
+    return tableCreateDialogState;
+  }
+  if (!window.HTMLDialogElement) {
+    return null;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.id = TABLE_CREATE_DIALOG_ID;
+  dialog.className = "table-create-dialog";
+  dialog.setAttribute("aria-labelledby", "table-create-title");
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="table-create-title">Create table</span>
+    </div>
+    <form class="table-create-form" method="post" novalidate>
+      <p class="table-create-error" id="table-create-error" role="alert" tabindex="-1" hidden></p>
+      <div class="table-create-fields">
+        <div class="table-create-field">
+          <label class="table-create-label" for="table-create-name">Table name</label>
+          <input class="table-create-input table-create-table-name" id="table-create-name" type="text" name="table" required autocomplete="off">
+        </div>
+        <div class="table-create-columns">
+          <div class="table-create-column-headings" aria-hidden="true">
+            <span>Column</span>
+            <span>Type</span>
+            <span>Move</span>
+            <span></span>
+          </div>
+          <div class="table-create-column-list"></div>
+          <button type="button" class="table-create-add-column"><svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M5 12h14"></path><path d="M12 5v14"></path></svg><span>Add column</span></button>
+        </div>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-ghost table-create-cancel">Cancel</button>
+        <button type="submit" class="btn btn-primary table-create-save">Create table</button>
+      </div>
+    </form>
+  `;
+  document.body.appendChild(dialog);
+
+  tableCreateDialogState = {
+    dialog: dialog,
+    form: dialog.querySelector(".table-create-form"),
+    title: dialog.querySelector(".modal-title"),
+    error: dialog.querySelector(".table-create-error"),
+    fields: dialog.querySelector(".table-create-fields"),
+    tableName: dialog.querySelector(".table-create-table-name"),
+    columnList: dialog.querySelector(".table-create-column-list"),
+    addColumnButton: dialog.querySelector(".table-create-add-column"),
+    cancelButton: dialog.querySelector(".table-create-cancel"),
+    saveButton: dialog.querySelector(".table-create-save"),
+    currentButton: null,
+    shouldRestoreFocus: true,
+    isSaving: false,
+    initialSignature: "",
+    nextColumnIndex: 0,
+    foreignKeyTargets: [],
+    foreignKeyTargetsError: null,
+    foreignKeyTargetsLoading: false,
+    manager: manager,
+  };
+
+  tableCreateDialogState.form.addEventListener("submit", function (ev) {
+    ev.preventDefault();
+    saveTableCreateDialog(tableCreateDialogState);
+  });
+
+  tableCreateDialogState.addColumnButton.addEventListener("click", function () {
+    if (tableCreateDialogState.isSaving) {
+      return;
+    }
+    var row = addTableCreateColumn(tableCreateDialogState, { type: "text" });
+    clearTableCreateDialogError(tableCreateDialogState);
+    row.querySelector(".table-create-column-name").focus();
+  });
+
+  tableCreateDialogState.cancelButton.addEventListener("click", function () {
+    closeTableCreateDialogIfConfirmed(tableCreateDialogState);
+  });
+
+  tableCreateDialogState.tableName.addEventListener("input", function () {
+    clearTableCreateDialogError(tableCreateDialogState);
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog) {
+      closeTableCreateDialogIfConfirmed(tableCreateDialogState);
+    }
+  });
+
+  dialog.addEventListener("keydown", function (ev) {
+    if (ev.key !== "Escape") {
+      return;
+    }
+    ev.preventDefault();
+    closeTableCreateDialogIfConfirmed(tableCreateDialogState);
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    ev.preventDefault();
+    closeTableCreateDialogIfConfirmed(tableCreateDialogState);
+  });
+
+  dialog.addEventListener("close", function () {
+    var state = tableCreateDialogState;
+    clearTableCreateDialogError(state);
+    setTableCreateDialogSaving(state, false);
+    if (
+      state.shouldRestoreFocus &&
+      state.currentButton &&
+      document.contains(state.currentButton)
+    ) {
+      state.currentButton.focus();
+    }
+  });
+
+  return tableCreateDialogState;
+}
+
+function openTableCreateDialog(button, manager) {
+  var data = databaseCreateTableData();
+  if (!data) {
+    return;
+  }
+  var state = ensureTableCreateDialog(manager);
+  if (!state) {
+    return;
+  }
+
+  var menu = button.closest("details");
+  if (menu) {
+    menu.open = false;
+  }
+  state.manager = manager;
+  state.currentButton = button;
+  state.shouldRestoreFocus = true;
+  state.title.textContent = "Create a table in " + data.databaseName;
+  clearTableCreateDialogError(state);
+  resetTableCreateDialog(state);
+  loadTableCreateForeignKeyTargets(state);
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  state.tableName.focus();
+}
+
+function initTableCreateActions(manager) {
+  if (
+    !window.fetch ||
+    !window.HTMLDialogElement ||
+    !databaseCreateTableData()
+  ) {
+    return;
+  }
+  document.addEventListener("click", function (ev) {
+    var button = ev.target.closest(
+      'button[data-database-action="create-table"]',
+    );
+    if (!button) {
+      return;
+    }
+    ev.preventDefault();
+    openTableCreateDialog(button, manager);
+  });
+}
+
+function setRowDeleteDialogBusy(state, isBusy) {
+  state.isBusy = isBusy;
+  state.confirmButton.disabled = isBusy;
+  state.cancelButton.disabled = isBusy;
+  state.confirmButton.textContent = isBusy ? "Deleting..." : "Delete row";
+}
+
+function clearRowDeleteDialogError(state) {
+  state.error.hidden = true;
+  state.error.textContent = "";
+}
+
+function showRowDeleteDialogError(state, message) {
+  state.error.hidden = false;
+  state.error.textContent = message;
+}
+
+function rowMutationRequestError(response, data) {
+  if (data && data.errors) {
+    return new Error(data.errors.join(" "));
+  }
+  if (data && data.error) {
+    return new Error(data.error);
+  }
+  if (data && data.title) {
+    return new Error(data.title);
+  }
+  return new Error("Request failed with HTTP " + response.status);
+}
+
+function tildeDecode(value) {
+  if (!value) {
+    return "";
+  }
+  var placeholder = "__datasette_percent_placeholder__";
+  try {
+    return decodeURIComponent(
+      value.replace(/%/g, placeholder).replace(/~/g, "%").replace(/\+/g, " "),
+    ).replace(new RegExp(placeholder, "g"), "%");
+  } catch (_error) {
+    return value;
+  }
+}
+
+function tildeEncode(value) {
+  var bytes = new TextEncoder().encode(String(value));
+  var encoded = "";
+  bytes.forEach(function (byte) {
+    var isSafe =
+      (byte >= 65 && byte <= 90) ||
+      (byte >= 97 && byte <= 122) ||
+      (byte >= 48 && byte <= 57) ||
+      byte === 95 ||
+      byte === 45;
+    if (isSafe) {
+      encoded += String.fromCharCode(byte);
+    } else if (byte === 32) {
+      encoded += "+";
+    } else {
+      encoded += "~" + byte.toString(16).toUpperCase().padStart(2, "0");
+    }
+  });
+  return encoded;
+}
+
+function rowDisplayLabel(row) {
+  return tildeDecode(row.getAttribute("data-row") || "");
+}
+
+function rowTitleLabel(row) {
+  return row.getAttribute("data-row-label") || "";
+}
+
+function insertedRowStatusMessage(rowId, rowLabel) {
+  var message = "Inserted row " + rowId;
+  if (rowLabel && rowLabel !== rowId) {
+    message += " (" + rowLabel + ")";
+  }
+  return message + ".";
+}
+
+function tableBaseUrl() {
+  var tableUrl =
+    window._datasetteTableData && window._datasetteTableData.tableUrl;
+  var url = new URL(tableUrl || location.href, location.href);
+  url.hash = "";
+  url.search = "";
+  return url;
+}
+
+function tablePageData() {
+  return window._datasetteTableData || {};
+}
+
+function tableInsertData() {
+  return tablePageData().insertRow;
+}
+
+function tableAlterData() {
+  return tablePageData().alterTable;
+}
+
+function tableAlterColumnTypes() {
+  var data = tableAlterData() || {};
+  return data.columnTypes && data.columnTypes.length
+    ? data.columnTypes
+    : ["text", "integer", "float", "blob"];
+}
+
+function tableAlterDefaultExpressions() {
+  var data = tableAlterData() || {};
+  return data.defaultExpressions || [];
+}
+
+function tableAlterForeignKeyTargetsUrl() {
+  var data = tableAlterData() || {};
+  return data.foreignKeyTargetsPath || null;
+}
+
+function tableAlterCustomColumnTypes() {
+  var data = tableAlterData() || {};
+  return data.customColumnTypes || [];
+}
+
+function tableAlterCustomColumnType(name) {
+  var options = tableAlterCustomColumnTypes();
+  for (var i = 0; i < options.length; i += 1) {
+    if (options[i].name === name) {
+      return options[i];
+    }
+  }
+  return null;
+}
+
+function tableAlterCustomTypeAppliesToSqliteType(option, sqliteType) {
+  return (
+    option &&
+    option.sqliteTypes &&
+    option.sqliteTypes.indexOf(sqliteType) !== -1
+  );
+}
+
+function tableAlterDialogRows(state) {
+  return schemaDialogRows(state, "table-alter");
+}
+
+function syncTableAlterForeignKeyOptions(row, state) {
+  syncSchemaDialogForeignKeyOptions(row, state, "table-alter", {
+    filterByType: false,
+  });
+}
+
+function tableAlterRowSignature(row) {
+  var foreignKeySelect = row.querySelector(".table-alter-foreign-key-target");
+  var foreignKeyValue = foreignKeySelect
+    ? foreignKeySelect.value || foreignKeySelect.dataset.selectedKey || ""
+    : "";
+  var foreignKeyOption =
+    foreignKeySelect && foreignKeySelect.selectedOptions
+      ? foreignKeySelect.selectedOptions[0]
+      : null;
+  return {
+    existing: row.dataset.existing === "1",
+    originalName: row.dataset.originalName || "",
+    name: row.querySelector(".table-alter-column-name").value,
+    type: row.querySelector(".table-alter-column-type").value,
+    customType:
+      (
+        row.querySelector(".table-alter-custom-column-type") || {
+          value: "",
+        }
+      ).value || "",
+    notNull: row.querySelector(".table-alter-not-null-input").checked,
+    defaultValue: row.querySelector(".table-alter-default").value,
+    defaultExpr: row.querySelector(".table-alter-default-expr").value,
+    pk: row.querySelector(".table-alter-primary-key-input").checked,
+    foreignKey: foreignKeyValue,
+    foreignKeyTable:
+      foreignKeyOption && foreignKeyOption.dataset.fkTable
+        ? foreignKeyOption.dataset.fkTable
+        : "",
+    foreignKeyColumn:
+      foreignKeyOption && foreignKeyOption.dataset.fkColumn
+        ? foreignKeyOption.dataset.fkColumn
+        : "",
+  };
+}
+
+function tableAlterDialogSignature(state) {
+  if (!state || !state.form) {
+    return "";
+  }
+  return JSON.stringify({
+    tableName: state.tableNameInput ? state.tableNameInput.value.trim() : "",
+    columns: tableAlterDialogRows(state).map(tableAlterRowSignature),
+    deletedColumns: state.deletedColumns.slice(),
+  });
+}
+
+function tableAlterDialogHasChanges(state) {
+  return (
+    !!state &&
+    !state.isSaving &&
+    tableAlterDialogSignature(state) !== state.initialSignature
+  );
+}
+
+function updateTableAlterSaveButtonState(state) {
+  if (!state || !state.saveButton) {
+    return;
+  }
+  state.saveButton.disabled =
+    state.isSaving ||
+    (state.mode !== "review" &&
+      tableAlterDialogSignature(state) === state.initialSignature);
+}
+
+function tableAlterRowIsPrimaryKey(row) {
+  return schemaDialogRowIsPrimaryKey(row, "table-alter");
+}
+
+function tableAlterFirstNonPrimaryRow(state) {
+  return schemaDialogFirstNonPrimaryRow(state, "table-alter");
+}
+
+function updateTableAlterMoveButtons(state) {
+  updateSchemaDialogMoveButtons(state, "table-alter");
+}
+
+function normalizeTableAlterPrimaryKeyRows(state) {
+  normalizeSchemaDialogPrimaryKeyRows(state, "table-alter");
+}
+
+function clearTableAlterDialogError(state) {
+  state.error.hidden = true;
+  state.error.textContent = "";
+  state.dialog.removeAttribute("aria-describedby");
+}
+
+function showTableAlterDialogError(state, message) {
+  state.error.hidden = false;
+  state.error.textContent = message;
+  state.dialog.setAttribute("aria-describedby", "table-alter-error");
+  state.error.focus();
+}
+
+function setTableAlterDialogSaving(state, isSaving) {
+  state.isSaving = isSaving;
+  state.cancelButton.disabled = isSaving;
+  state.addColumnButton.disabled = isSaving;
+  state.backButton.disabled = isSaving;
+  state.dropButton.disabled = isSaving;
+  state.saveButton.textContent = isSaving
+    ? state.mode === "review"
+      ? "Applying..."
+      : "Preparing..."
+    : tableAlterSaveButtonText(state);
+  state.fields
+    .querySelectorAll("input, select, button")
+    .forEach(function (control) {
+      control.disabled = isSaving;
+    });
+  if (!isSaving) {
+    state.columnList
+      .querySelectorAll(".table-alter-default-expr")
+      .forEach(function (select) {
+        syncSchemaDialogDefaultControls(
+          select.closest(".table-alter-column-row"),
+          "table-alter",
+        );
+      });
+    refreshSchemaDialogForeignKeyControls(state, "table-alter");
+  }
+  updateTableAlterMoveButtons(state);
+  updateTableAlterSaveButtonState(state);
+}
+
+function tableAlterSaveButtonText(state) {
+  return state && state.mode === "review" ? "Apply changes" : "Review changes";
+}
+
+function tableAlterSelectTypeValue(select, type) {
+  var options = tableAlterColumnTypes();
+  populateSqliteColumnTypeSelect(select, type, options);
+}
+
+function updateTableAlterCustomColumnTypePlaceholder(select) {
+  updateSelectPlaceholder(select, "table-alter-input-placeholder");
+}
+
+function createTableAlterCustomColumnTypeSelect() {
+  var options = tableAlterCustomColumnTypes();
+  return createCustomColumnTypeSelect(
+    options,
+    "table-alter-input table-alter-custom-column-type",
+    "table-alter-input-placeholder",
+  );
+}
+
+function syncTableAlterCustomTypeForSqliteType(row) {
+  var typeSelect = row.querySelector(".table-alter-column-type");
+  var customTypeSelect = row.querySelector(".table-alter-custom-column-type");
+  if (!typeSelect || !customTypeSelect || !customTypeSelect.value) {
+    return;
+  }
+  var option = tableAlterCustomColumnType(customTypeSelect.value);
+  if (!tableAlterCustomTypeAppliesToSqliteType(option, typeSelect.value)) {
+    customTypeSelect.value = "";
+    updateTableAlterCustomColumnTypePlaceholder(customTypeSelect);
+  }
+}
+
+function createTableAlterColumnRow(state, column) {
+  var index = state.nextColumnIndex;
+  state.nextColumnIndex += 1;
+  var existing = !!(column && column.existing);
+  var originalName = existing ? column.name || "" : "";
+  var originalCustomType =
+    existing && column.column_type ? column.column_type.type || "" : "";
+  var originalDefaultExpr =
+    existing && column.has_default && column.default_expr
+      ? column.default_expr
+      : "";
+  var originalDefault =
+    existing &&
+    column.has_default &&
+    !originalDefaultExpr &&
+    column.default !== null
+      ? String(column.default)
+      : "";
+  var originalForeignKey =
+    existing && column.foreign_key
+      ? foreignKeyTargetKey(column.foreign_key)
+      : "";
+
+  var row = document.createElement("div");
+  row.className = "table-alter-column-row";
+  row.dataset.existing = existing ? "1" : "0";
+  row.dataset.originalName = originalName;
+  row.dataset.originalType = existing ? column.type || "text" : "";
+  row.dataset.originalNotNull = existing && column.notnull ? "1" : "0";
+  row.dataset.originalHasDefault = existing && column.has_default ? "1" : "0";
+  row.dataset.originalDefault = originalDefault;
+  row.dataset.originalDefaultExpr = originalDefaultExpr;
+  row.dataset.originalPk = existing && column.is_pk ? "1" : "0";
+  row.dataset.originalCustomType = originalCustomType;
+  row.dataset.originalForeignKey = originalForeignKey;
+
+  var main = document.createElement("div");
+  main.className = "table-alter-column-main";
+
+  var details = document.createElement("div");
+  details.className = "table-alter-column-details";
+  details.id = "table-alter-column-details-" + index;
+  details.hidden = !(column && column.expanded);
+
+  var expandButton = createSchemaDialogMoreOptionsButton(
+    "table-alter",
+    details,
+  );
+
+  var nameId = "table-alter-column-name-" + index;
+  var nameLabel = document.createElement("label");
+  nameLabel.className = "table-alter-column-label";
+  nameLabel.setAttribute("for", nameId);
+  nameLabel.textContent = "Column";
+
+  var nameInput = document.createElement("input");
+  nameInput.id = nameId;
+  nameInput.className = "table-alter-input table-alter-column-name";
+  nameInput.type = "text";
+  nameInput.required = true;
+  nameInput.autocomplete = "off";
+  nameInput.placeholder = "column name";
+  nameInput.value = column && column.name ? column.name : "";
+
+  var typeSelect = document.createElement("select");
+  typeSelect.className = "table-alter-input table-alter-column-type";
+  typeSelect.setAttribute("aria-label", "Column type");
+  tableAlterSelectTypeValue(typeSelect, column && column.type);
+
+  var customTypeSelect = null;
+  var customTypeField = null;
+  if (tableAlterCustomColumnTypes().length) {
+    var customTypeId = "table-alter-column-custom-type-" + index;
+    customTypeField = document.createElement("div");
+    customTypeField.className =
+      "table-alter-detail-field table-alter-custom-type-field";
+    var customTypeLabel = document.createElement("label");
+    customTypeLabel.className = "table-alter-detail-label";
+    customTypeLabel.setAttribute("for", customTypeId);
+    customTypeLabel.textContent = "Custom type";
+    var customTypeHelpId = "table-alter-column-custom-type-help-" + index;
+    var customTypeHelp = document.createElement("p");
+    customTypeHelp.id = customTypeHelpId;
+    customTypeHelp.className = "table-alter-detail-help";
+    customTypeHelp.textContent =
+      "Controls how Datasette displays and edits this column";
+    customTypeSelect = createTableAlterCustomColumnTypeSelect();
+    customTypeSelect.id = customTypeId;
+    customTypeSelect.setAttribute("aria-describedby", customTypeHelpId);
+    customTypeSelect.value = originalCustomType;
+    updateTableAlterCustomColumnTypePlaceholder(customTypeSelect);
+    customTypeField.appendChild(customTypeLabel);
+    customTypeField.appendChild(customTypeHelp);
+    customTypeField.appendChild(customTypeSelect);
+  }
+
+  var notNullLabel = document.createElement("label");
+  notNullLabel.className = "table-alter-detail-check table-alter-not-null";
+  var notNullInput = document.createElement("input");
+  notNullInput.type = "checkbox";
+  notNullInput.className = "table-alter-not-null-input";
+  notNullInput.checked = !!(column && column.notnull);
+  var notNullText = document.createElement("span");
+  var notNullStrong = document.createElement("strong");
+  notNullStrong.textContent = "Not null";
+  notNullText.appendChild(notNullStrong);
+  notNullText.appendChild(
+    document.createTextNode(" This value cannot be left unset"),
+  );
+  notNullLabel.appendChild(notNullInput);
+  notNullLabel.appendChild(notNullText);
+
+  var defaultControls = createSchemaDialogDefaultControls(
+    "table-alter",
+    index,
+    tableAlterDefaultExpressions(),
+    {
+      defaultValue: originalDefault,
+      defaultExpr: originalDefaultExpr,
+    },
+  );
+  var defaultInput = defaultControls.defaultInput;
+  var defaultExprSelect = defaultControls.defaultExprSelect;
+
+  var foreignKeyId = "table-alter-column-foreign-key-" + index;
+  var foreignKeyHelpId = "table-alter-column-foreign-key-help-" + index;
+  var foreignKeyField = document.createElement("div");
+  foreignKeyField.className =
+    "table-alter-detail-field table-alter-foreign-key-field";
+  var foreignKeyLabel = document.createElement("label");
+  foreignKeyLabel.className = "table-alter-detail-label";
+  foreignKeyLabel.setAttribute("for", foreignKeyId);
+  foreignKeyLabel.textContent = "Foreign key";
+  var foreignKeyHelp = document.createElement("p");
+  foreignKeyHelp.id = foreignKeyHelpId;
+  foreignKeyHelp.className = "table-alter-detail-help";
+  foreignKeyHelp.textContent = "Link this column to another table.";
+  var foreignKeySelect = document.createElement("select");
+  foreignKeySelect.id = foreignKeyId;
+  foreignKeySelect.className =
+    "table-alter-input table-alter-foreign-key-target";
+  foreignKeySelect.setAttribute("aria-label", "Foreign key target");
+  foreignKeySelect.setAttribute("aria-describedby", foreignKeyHelpId);
+  foreignKeySelect.dataset.selectedKey = originalForeignKey;
+  if (column && column.foreign_key) {
+    foreignKeySelect.dataset.currentFkTable = column.foreign_key.fk_table;
+    foreignKeySelect.dataset.currentFkColumn = column.foreign_key.fk_column;
+    appendForeignKeyTargetOption(foreignKeySelect, {
+      fk_table: column.foreign_key.fk_table,
+      fk_column: column.foreign_key.fk_column,
+      type: column.type || "text",
+    });
+    foreignKeySelect.value = originalForeignKey;
+  }
+  foreignKeyField.appendChild(foreignKeyLabel);
+  foreignKeyField.appendChild(foreignKeyHelp);
+  foreignKeyField.appendChild(foreignKeySelect);
+
+  var pkLabel = document.createElement("label");
+  pkLabel.className = "table-alter-detail-check table-alter-primary-key";
+  var pkInput = document.createElement("input");
+  pkInput.type = "checkbox";
+  pkInput.className = "table-alter-primary-key-input";
+  pkInput.checked = !!(column && column.is_pk);
+  var pkText = document.createElement("span");
+  var pkStrong = document.createElement("strong");
+  pkStrong.textContent = "Primary key";
+  pkText.appendChild(pkStrong);
+  pkText.appendChild(
+    document.createTextNode(" This ID uniquely identifies the record"),
+  );
+  pkLabel.appendChild(pkInput);
+  pkLabel.appendChild(pkText);
+
+  var moveControls = createSchemaDialogMoveControls("table-alter");
+
+  var removeButton = createSchemaDialogIconButton(
+    "table-alter",
+    "remove-column",
+    existing ? "Drop column" : "Remove column",
+    existing ? "Drop column" : "Remove column",
+    COLUMN_MOVE_ICONS.remove,
+  );
+  main.appendChild(nameLabel);
+  main.appendChild(nameInput);
+  main.appendChild(typeSelect);
+  main.appendChild(moveControls.controls);
+  main.appendChild(removeButton);
+  main.appendChild(expandButton);
+
+  if (customTypeField) {
+    details.appendChild(customTypeField);
+  }
+  details.appendChild(defaultControls.controls);
+  details.appendChild(notNullLabel);
+  details.appendChild(pkLabel);
+  details.appendChild(foreignKeyField);
+  row.appendChild(main);
+  row.appendChild(details);
+
+  var controls = [
+    nameInput,
+    typeSelect,
+    notNullInput,
+    defaultInput,
+    defaultExprSelect,
+    pkInput,
+    foreignKeySelect,
+  ];
+  if (customTypeSelect) {
+    controls.push(customTypeSelect);
+  }
+  controls.forEach(function (control) {
+    control.addEventListener("input", function () {
+      clearTableAlterDialogError(state);
+      updateTableAlterSaveButtonState(state);
+    });
+    control.addEventListener("change", function () {
+      clearTableAlterDialogError(state);
+      updateTableAlterSaveButtonState(state);
+    });
+  });
+
+  defaultInput.addEventListener("input", function () {
+    if (defaultInput.value) {
+      defaultExprSelect.value = "";
+      syncSchemaDialogDefaultControls(row, "table-alter");
+    }
+    updateTableAlterSaveButtonState(state);
+  });
+  defaultExprSelect.addEventListener("change", function () {
+    if (defaultExprSelect.value) {
+      defaultInput.value = "";
+    }
+    if (
+      applyDefaultExpressionColumnType(
+        row,
+        "table-alter",
+        tableAlterDefaultExpressions(),
+        tableAlterColumnTypes(),
+      )
+    ) {
+      syncTableAlterCustomTypeForSqliteType(row);
+      syncTableAlterForeignKeyOptions(row, state);
+      syncSchemaDialogCustomTypeAndForeignKey(row, state, "table-alter");
+    }
+    syncSchemaDialogDefaultControls(row, "table-alter");
+    updateTableAlterSaveButtonState(state);
+  });
+  pkInput.addEventListener("change", function () {
+    normalizeTableAlterPrimaryKeyRows(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+  });
+
+  expandButton.addEventListener("click", function () {
+    toggleSchemaDialogMoreOptions(expandButton, details);
+  });
+
+  typeSelect.addEventListener("change", function () {
+    syncTableAlterCustomTypeForSqliteType(row);
+    syncTableAlterForeignKeyOptions(row, state);
+    syncSchemaDialogCustomTypeAndForeignKey(row, state, "table-alter");
+    updateTableAlterSaveButtonState(state);
+  });
+  if (customTypeSelect) {
+    customTypeSelect.addEventListener("change", function () {
+      updateTableAlterCustomColumnTypePlaceholder(customTypeSelect);
+      var option = tableAlterCustomColumnType(customTypeSelect.value);
+      if (
+        option &&
+        option.fixedSqliteType &&
+        tableAlterColumnTypes().indexOf(option.fixedSqliteType) !== -1
+      ) {
+        typeSelect.value = option.fixedSqliteType;
+        syncTableAlterForeignKeyOptions(row, state);
+      }
+      syncSchemaDialogCustomTypeAndForeignKey(row, state, "table-alter");
+      updateTableAlterSaveButtonState(state);
+    });
+  }
+  foreignKeySelect.addEventListener("change", function () {
+    handleSchemaDialogForeignKeyChange(row, state, "table-alter", {
+      columnTypes: tableAlterColumnTypes(),
+      foreignKeyOptions: { filterByType: false },
+      matchType: true,
+    });
+    updateTableAlterSaveButtonState(state);
+  });
+
+  moveControls.topButton.addEventListener("click", function () {
+    var first = tableAlterFirstNonPrimaryRow(state);
+    if (
+      state.isSaving ||
+      tableAlterRowIsPrimaryKey(row) ||
+      !first ||
+      first === row
+    ) {
+      return;
+    }
+    state.columnList.insertBefore(row, first);
+    clearTableAlterDialogError(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+    row.querySelector(".table-alter-column-name").focus();
+  });
+
+  moveControls.upButton.addEventListener("click", function () {
+    var previous = row.previousElementSibling;
+    if (
+      state.isSaving ||
+      tableAlterRowIsPrimaryKey(row) ||
+      !previous ||
+      tableAlterRowIsPrimaryKey(previous)
+    ) {
+      return;
+    }
+    state.columnList.insertBefore(row, previous);
+    clearTableAlterDialogError(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+    row.querySelector(".table-alter-column-name").focus();
+  });
+
+  moveControls.downButton.addEventListener("click", function () {
+    var next = row.nextElementSibling;
+    if (state.isSaving || tableAlterRowIsPrimaryKey(row) || !next) {
+      return;
+    }
+    state.columnList.insertBefore(next, row);
+    clearTableAlterDialogError(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+    row.querySelector(".table-alter-column-name").focus();
+  });
+
+  moveControls.bottomButton.addEventListener("click", function () {
+    var last = state.columnList.lastElementChild;
+    if (
+      state.isSaving ||
+      tableAlterRowIsPrimaryKey(row) ||
+      !last ||
+      last === row
+    ) {
+      return;
+    }
+    state.columnList.appendChild(row);
+    clearTableAlterDialogError(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+    row.querySelector(".table-alter-column-name").focus();
+  });
+
+  removeButton.addEventListener("click", function () {
+    if (state.isSaving) {
+      return;
+    }
+    if (row.dataset.existing === "1") {
+      state.deletedColumns.push(row.dataset.originalName);
+    }
+    row.remove();
+    clearTableAlterDialogError(state);
+    updateTableAlterMoveButtons(state);
+    updateTableAlterSaveButtonState(state);
+    var nextInput = state.columnList.querySelector(".table-alter-column-name");
+    if (nextInput) {
+      nextInput.focus();
+    } else {
+      state.addColumnButton.focus();
+    }
+  });
+
+  syncSchemaDialogDefaultControls(row, "table-alter");
+  syncTableAlterForeignKeyOptions(row, state);
+  syncSchemaDialogCustomTypeAndForeignKey(row, state, "table-alter");
+  return row;
+}
+
+function addTableAlterColumn(state, column) {
+  var row = createTableAlterColumnRow(state, column || { type: "text" });
+  state.columnList.appendChild(row);
+  return row;
+}
+
+function resetTableAlterDialog(state, data) {
+  state.nextColumnIndex = 0;
+  state.deletedColumns = [];
+  state.originalTableName = data.tableName || "";
+  state.tableNameInput.value = state.originalTableName;
+  state.tableOptions.open = false;
+  state.originalPrimaryKeys = (data.primaryKeys || []).slice();
+  state.originalColumnNames = (data.columns || []).map(function (column) {
+    return column.name;
+  });
+  state.columnList.textContent = "";
+  (data.columns || []).forEach(function (column) {
+    addTableAlterColumn(
+      state,
+      Object.assign({}, column, {
+        existing: true,
+      }),
+    );
+  });
+  normalizeTableAlterPrimaryKeyRows(state);
+  state.initialSignature = tableAlterDialogSignature(state);
+  showTableAlterEditor(state);
+}
+
+function collectTableAlterRows(state) {
+  return tableAlterDialogRows(state).map(function (row) {
+    var signature = tableAlterRowSignature(row);
+    signature.originalType = row.dataset.originalType || "";
+    signature.originalNotNull = row.dataset.originalNotNull === "1";
+    signature.originalHasDefault = row.dataset.originalHasDefault === "1";
+    signature.originalDefault = row.dataset.originalDefault || "";
+    signature.originalDefaultExpr = row.dataset.originalDefaultExpr || "";
+    signature.originalPk = row.dataset.originalPk === "1";
+    signature.originalCustomType = row.dataset.originalCustomType || "";
+    signature.originalForeignKey = row.dataset.originalForeignKey || "";
+    return signature;
+  });
+}
+
+function validateTableAlterRows(state, rows) {
+  var tableName = state.tableNameInput.value.trim();
+  if (!tableName) {
+    return "Table name is required.";
+  }
+  if (tableName.indexOf("\n") !== -1) {
+    return "Table names cannot contain newlines.";
+  }
+  if (/^sqlite_/.test(tableName)) {
+    return "Table names cannot start with sqlite_.";
+  }
+  if (!rows.length) {
+    return "At least one column is required.";
+  }
+  var seen = {};
+  var supportedTypes = tableAlterColumnTypes();
+  for (var i = 0; i < rows.length; i += 1) {
+    var row = rows[i];
+    var name = row.name.trim();
+    if (!name) {
+      return "Column name is required.";
+    }
+    if (name.indexOf("\n") !== -1) {
+      return "Column names cannot contain newlines.";
+    }
+    var columnKey = name.toLowerCase();
+    if (seen[columnKey]) {
+      return "Duplicate column name: " + name;
+    }
+    seen[columnKey] = true;
+    if (supportedTypes.indexOf(row.type) === -1) {
+      return "Unsupported column type: " + row.type;
+    }
+    if (row.customType) {
+      var option = tableAlterCustomColumnType(row.customType);
+      if (!option) {
+        return "Unknown custom column type: " + row.customType;
+      }
+      if (!tableAlterCustomTypeAppliesToSqliteType(option, row.type)) {
+        return (
+          "Custom type " +
+          row.customType +
+          " cannot be used with SQLite type " +
+          row.type +
+          "."
+        );
+      }
+    }
+    if (row.defaultValue && row.defaultExpr) {
+      return "Use either a default value or a default expression.";
+    }
+    if (!row.existing && row.notNull && !row.defaultValue && !row.defaultExpr) {
+      return "New NOT NULL columns need a default or default expression.";
+    }
+  }
+  var pkColumns = rows.filter(function (row) {
+    return row.pk;
+  });
+  if (state.originalPrimaryKeys.length && !pkColumns.length) {
+    return "At least one primary key column is required.";
+  }
+  return null;
+}
+
+function collectTableAlterColumnTypeAssignments(rows) {
+  var assignments = [];
+  if (!tableAlterCustomColumnTypes().length) {
+    return assignments;
+  }
+  rows.forEach(function (row) {
+    var renamed = row.existing && row.name.trim() !== row.originalName;
+    if (row.customType === row.originalCustomType && !renamed) {
+      return;
+    }
+    if (!row.customType && !row.originalCustomType) {
+      return;
+    }
+    assignments.push({
+      column: row.name.trim(),
+      columnType: row.customType || null,
+      sqliteType: row.type,
+    });
+  });
+  return assignments;
+}
+
+function tableAlterPkIdentityColumns(rows) {
+  return rows
+    .filter(function (row) {
+      return row.pk;
+    })
+    .map(function (row) {
+      return row.existing ? row.originalName : row.name.trim();
+    });
+}
+
+function tableAlterPkChanged(state, rows) {
+  return (
+    JSON.stringify(tableAlterPkIdentityColumns(rows)) !==
+    JSON.stringify(state.originalPrimaryKeys)
+  );
+}
+
+function tableAlterNaturalColumnOrder(state, rows) {
+  var existingRowsByOriginalName = {};
+  var newRows = [];
+  rows.forEach(function (row) {
+    if (row.existing) {
+      existingRowsByOriginalName[row.originalName] = row;
+    } else {
+      newRows.push(row);
+    }
+  });
+  var naturalOrder = [];
+  state.originalColumnNames.forEach(function (originalName) {
+    var row = existingRowsByOriginalName[originalName];
+    if (row) {
+      naturalOrder.push(row.name.trim());
+    }
+  });
+  newRows.forEach(function (row) {
+    naturalOrder.push(row.name.trim());
+  });
+  return naturalOrder;
+}
+
+function tableAlterColumnsReordered(state, rows) {
+  var finalOrder = rows.map(function (row) {
+    return row.name.trim();
+  });
+  return (
+    JSON.stringify(finalOrder) !==
+    JSON.stringify(tableAlterNaturalColumnOrder(state, rows))
+  );
+}
+
+function tableAlterForeignKeyIdentity(row) {
+  return [
+    row.name.trim(),
+    row.foreignKeyTable || "",
+    row.foreignKeyColumn || "",
+  ].join("\u001f");
+}
+
+function tableAlterOriginalForeignKeyIdentity(row) {
+  return [row.originalName || "", row.originalForeignKey].join("\u001f");
+}
+
+function tableAlterForeignKeyRows(rows) {
+  return rows
+    .filter(function (row) {
+      return row.foreignKey && row.foreignKeyTable && row.foreignKeyColumn;
+    })
+    .map(function (row) {
+      return {
+        column: row.name.trim(),
+        fk_table: row.foreignKeyTable,
+        fk_column: row.foreignKeyColumn,
+      };
+    });
+}
+
+function tableAlterForeignKeysChanged(rows) {
+  var original = rows
+    .filter(function (row) {
+      return row.existing && row.originalForeignKey;
+    })
+    .map(tableAlterOriginalForeignKeyIdentity);
+  var final = rows
+    .filter(function (row) {
+      return row.foreignKey && row.foreignKeyTable && row.foreignKeyColumn;
+    })
+    .map(tableAlterForeignKeyIdentity);
+  return JSON.stringify(original) !== JSON.stringify(final);
+}
+
+function collectTableAlterPayload(state) {
+  var rows = collectTableAlterRows(state);
+  var validationError = validateTableAlterRows(state, rows);
+  if (validationError) {
+    return { error: validationError };
+  }
+
+  var operations = [];
+  var tableName = state.tableNameInput.value.trim();
+  if (tableName !== state.originalTableName) {
+    operations.push({
+      op: "rename_table",
+      args: { to: tableName },
+    });
+  }
+  var columnTypeAssignments = collectTableAlterColumnTypeAssignments(rows);
+  rows.forEach(function (row) {
+    var name = row.name.trim();
+    if (!row.existing) {
+      var addArgs = {
+        name: name,
+        type: row.type,
+        not_null: row.notNull,
+      };
+      if (row.defaultExpr) {
+        addArgs.default_expr = row.defaultExpr;
+      } else if (row.defaultValue || row.notNull) {
+        addArgs.default = row.defaultValue;
+      }
+      operations.push({ op: "add_column", args: addArgs });
+      return;
+    }
+
+    var originalName = row.originalName;
+    if (name !== originalName) {
+      operations.push({
+        op: "rename_column",
+        args: { name: originalName, to: name },
+      });
+    }
+
+    var alterArgs = { name: originalName };
+    if (row.type !== row.originalType) {
+      alterArgs.type = row.type;
+    }
+    if (row.notNull !== row.originalNotNull) {
+      alterArgs.not_null = row.notNull;
+    }
+    if (row.defaultExpr !== row.originalDefaultExpr) {
+      if (row.defaultExpr) {
+        alterArgs.default_expr = row.defaultExpr;
+      } else {
+        alterArgs.default = row.defaultValue === "" ? null : row.defaultValue;
+      }
+    } else if (row.originalHasDefault) {
+      if (row.defaultValue !== row.originalDefault) {
+        alterArgs.default = row.defaultValue === "" ? null : row.defaultValue;
+      }
+    } else if (row.defaultValue) {
+      alterArgs.default = row.defaultValue;
+    }
+    if (Object.keys(alterArgs).length > 1) {
+      operations.push({ op: "alter_column", args: alterArgs });
+    }
+  });
+
+  state.deletedColumns.forEach(function (name) {
+    operations.push({ op: "drop_column", args: { name: name } });
+  });
+
+  var pkColumns = rows
+    .filter(function (row) {
+      return row.pk;
+    })
+    .map(function (row) {
+      return row.name.trim();
+    });
+  if (tableAlterPkChanged(state, rows)) {
+    operations.push({ op: "set_primary_key", args: { columns: pkColumns } });
+  }
+
+  if (tableAlterColumnsReordered(state, rows)) {
+    operations.push({
+      op: "reorder_columns",
+      args: {
+        columns: rows.map(function (row) {
+          return row.name.trim();
+        }),
+      },
+    });
+  }
+
+  if (tableAlterForeignKeysChanged(rows)) {
+    operations.push({
+      op: "set_foreign_keys",
+      args: {
+        foreign_keys: tableAlterForeignKeyRows(rows),
+      },
+    });
+  }
+
+  if (!operations.length && !columnTypeAssignments.length) {
+    return { error: "No changes to apply." };
+  }
+  return {
+    payload: operations.length ? { operations: operations } : null,
+    columnTypeAssignments: columnTypeAssignments,
+  };
+}
+
+function tableAlterQuotedName(name) {
+  return '"' + name + '"';
+}
+
+function tableAlterReadableDefaultExpression(value) {
+  return defaultExpressionLabelForValue(tableAlterDefaultExpressions(), value);
+}
+
+function tableAlterReadableValue(value) {
+  if (value === null) {
+    return "NULL";
+  }
+  return '"' + String(value) + '"';
+}
+
+function tableAlterOperationSummary(operation) {
+  var args = operation.args || {};
+  if (operation.op === "rename_table") {
+    return {
+      text: "Rename table to " + tableAlterQuotedName(args.to) + ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "add_column") {
+    var addDetails = ["as " + args.type];
+    if (args.not_null) {
+      addDetails.push("with values required");
+    }
+    if (args.default_expr) {
+      addDetails.push(
+        "defaulting to " +
+          tableAlterReadableDefaultExpression(args.default_expr),
+      );
+    } else if (Object.prototype.hasOwnProperty.call(args, "default")) {
+      addDetails.push(
+        "with default value " + tableAlterReadableValue(args.default),
+      );
+    }
+    return {
+      text:
+        "Add column " +
+        tableAlterQuotedName(args.name) +
+        " " +
+        addDetails.join(", ") +
+        ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "rename_column") {
+    return {
+      text:
+        "Rename column " +
+        tableAlterQuotedName(args.name) +
+        " to " +
+        tableAlterQuotedName(args.to) +
+        ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "alter_column") {
+    var changes = [];
+    if (args.type) {
+      changes.push("set type to " + args.type);
+    }
+    if (Object.prototype.hasOwnProperty.call(args, "not_null")) {
+      changes.push(
+        args.not_null ? "not null (require values)" : "allow unset values",
+      );
+    }
+    if (args.default_expr) {
+      changes.push(
+        "default to " + tableAlterReadableDefaultExpression(args.default_expr),
+      );
+    } else if (Object.prototype.hasOwnProperty.call(args, "default")) {
+      changes.push(
+        args.default === null
+          ? "remove the default value"
+          : "set default value to " + tableAlterReadableValue(args.default),
+      );
+    }
+    return {
+      text:
+        "Change column " +
+        tableAlterQuotedName(args.name) +
+        ": " +
+        changes.join(", ") +
+        ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "drop_column") {
+    return {
+      text: "Drop column " + tableAlterQuotedName(args.name) + ".",
+      damaging: true,
+    };
+  }
+  if (operation.op === "set_primary_key") {
+    return {
+      text:
+        "Set primary key to " +
+        (args.columns || []).map(tableAlterQuotedName).join(", ") +
+        ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "reorder_columns") {
+    return {
+      text:
+        "Set column order to " +
+        (args.columns || []).map(tableAlterQuotedName).join(", ") +
+        ".",
+      damaging: false,
+    };
+  }
+  if (operation.op === "set_foreign_keys") {
+    var foreignKeys = args.foreign_keys || [];
+    return {
+      text: foreignKeys.length
+        ? "Set foreign keys to " +
+          foreignKeys
+            .map(function (foreignKey) {
+              return (
+                tableAlterQuotedName(foreignKey.column) +
+                " -> " +
+                foreignKey.fk_table +
+                "." +
+                foreignKey.fk_column
+              );
+            })
+            .join(", ") +
+          "."
+        : "Remove all foreign keys.",
+      damaging: false,
+    };
+  }
+  return {
+    text: "Run " + operation.op + ".",
+    damaging: false,
+  };
+}
+
+function tableAlterColumnTypeAssignmentSummary(assignment) {
+  return {
+    text: assignment.columnType
+      ? "Set custom type for column " +
+        tableAlterQuotedName(assignment.column) +
+        " to " +
+        assignment.columnType +
+        "."
+      : "Remove custom type from column " +
+        tableAlterQuotedName(assignment.column) +
+        ".",
+    damaging: false,
+  };
+}
+
+function tableAlterReviewItems(result) {
+  var items = [];
+  var operations = result.payload ? result.payload.operations || [] : [];
+  operations.forEach(function (operation) {
+    items.push(tableAlterOperationSummary(operation));
+  });
+  (result.columnTypeAssignments || []).forEach(function (assignment) {
+    items.push(tableAlterColumnTypeAssignmentSummary(assignment));
+  });
+  return items;
+}
+
+function tableAlterReviewHasDamagingItems(items) {
+  return items.some(function (item) {
+    return item.damaging;
+  });
+}
+
+function appendTableAlterReviewText(element, text) {
+  text.split(/("[^"]+")/g).forEach(function (part) {
+    if (!part) {
+      return;
+    }
+    if (part.charAt(0) === '"' && part.charAt(part.length - 1) === '"') {
+      var name = document.createElement("code");
+      name.className = "table-alter-review-name";
+      name.textContent = part.slice(1, -1);
+      element.appendChild(name);
+    } else {
+      element.appendChild(document.createTextNode(part));
+    }
+  });
+}
+
+function tableAlterSetColumnTypeUrl(tableUrl) {
+  if (tableUrl) {
+    return tableUrl.replace(/\/$/, "") + "/-/set-column-type";
+  }
+  var data = tableAlterData();
+  if (!data || !data.path) {
+    return null;
+  }
+  var url = new URL(data.path, location.href);
+  url.pathname = url.pathname.replace(/\/-\/alter\/?$/, "/-/set-column-type");
+  return url.toString();
+}
+
+async function assignTableAlterColumnTypes(assignments, tableUrl) {
+  if (!assignments.length) {
+    return;
+  }
+  var url = tableAlterSetColumnTypeUrl(tableUrl);
+  if (!url) {
+    throw new Error("Could not find the set column type URL.");
+  }
+  for (var i = 0; i < assignments.length; i += 1) {
+    var assignment = assignments[i];
+    var response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify({
+        column: assignment.column,
+        column_type: assignment.columnType
+          ? {
+              type: assignment.columnType,
+            }
+          : null,
+      }),
+    });
+    var data = null;
+    try {
+      data = await response.json();
+    } catch (_error) {
+      data = null;
+    }
+    if (!response.ok || (data && data.ok === false)) {
+      var error = rowMutationRequestError(response, data);
+      throw new Error(
+        "Saved schema changes, but could not set custom type for " +
+          assignment.column +
+          ": " +
+          error.message,
+      );
+    }
+  }
+}
+
+function tableAlterResultRenamesTable(result) {
+  return !!(
+    result &&
+    result.payload &&
+    (result.payload.operations || []).some(function (operation) {
+      return operation.op === "rename_table";
+    })
+  );
+}
+
+function showTableAlterEditor(state) {
+  state.mode = "edit";
+  state.reviewResult = null;
+  state.dialog.classList.remove("table-alter-reviewing");
+  state.fields.hidden = false;
+  state.review.hidden = true;
+  state.review.textContent = "";
+  state.backButton.hidden = true;
+  var data = tableAlterData();
+  state.dropButton.hidden = !(data && data.dropPath);
+  state.saveButton.textContent = tableAlterSaveButtonText(state);
+  updateTableAlterMoveButtons(state);
+  updateTableAlterSaveButtonState(state);
+}
+
+function showTableAlterReview(state, result) {
+  var items = tableAlterReviewItems(result);
+  state.mode = "review";
+  state.reviewResult = result;
+  state.dialog.classList.add("table-alter-reviewing");
+  state.fields.hidden = true;
+  state.review.hidden = false;
+  state.review.textContent = "";
+  state.backButton.hidden = false;
+  state.dropButton.hidden = true;
+  state.saveButton.textContent = tableAlterSaveButtonText(state);
+  updateTableAlterSaveButtonState(state);
+
+  var heading = document.createElement("h3");
+  heading.className = "table-alter-review-title";
+  heading.tabIndex = -1;
+  heading.textContent = "Review changes";
+  state.review.appendChild(heading);
+
+  var intro = document.createElement("p");
+  intro.className = "table-alter-review-intro";
+  intro.textContent = "These changes will be applied to the table.";
+  state.review.appendChild(intro);
+
+  if (tableAlterReviewHasDamagingItems(items)) {
+    var warning = document.createElement("p");
+    warning.className = "table-alter-review-warning";
+    warning.setAttribute("role", "alert");
+    warning.textContent =
+      "Warning: data in dropped columns will be permanently lost.";
+    state.review.appendChild(warning);
+  }
+
+  var list = document.createElement("ol");
+  list.className = "table-alter-review-list";
+  items.forEach(function (item) {
+    var listItem = document.createElement("li");
+    appendTableAlterReviewText(listItem, item.text);
+    if (item.damaging) {
+      listItem.className = "table-alter-review-damaging";
+    }
+    list.appendChild(listItem);
+  });
+  state.review.appendChild(list);
+  heading.focus();
+}
+
+async function applyTableAlterChanges(state, result) {
+  if (state.isSaving) {
+    return;
+  }
+  if (!result) {
+    showTableAlterDialogError(state, "Could not find the reviewed changes.");
+    return;
+  }
+  var data = tableAlterData();
+  if (!data || !data.path) {
+    showTableAlterDialogError(state, "Could not find the alter table URL.");
+    return;
+  }
+  clearTableAlterDialogError(state);
+  if (result.error) {
+    showTableAlterDialogError(state, result.error);
+    return;
+  }
+  setTableAlterDialogSaving(state, true);
+  try {
+    var responseData = null;
+    if (result.payload) {
+      var response = await fetch(data.path, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+        },
+        body: JSON.stringify(result.payload),
+      });
+      try {
+        responseData = await response.json();
+      } catch (_error) {
+        responseData = null;
+      }
+      if (!response.ok || (responseData && responseData.ok === false)) {
+        throw rowMutationRequestError(response, responseData);
+      }
+    }
+    var tableUrl = responseData && responseData.table_url;
+    await assignTableAlterColumnTypes(
+      result.columnTypeAssignments || [],
+      tableUrl,
+    );
+    state.shouldRestoreFocus = false;
+    state.dialog.close();
+    if (tableAlterResultRenamesTable(result) && tableUrl) {
+      window.location.href = tableUrl;
+    } else {
+      location.reload();
+    }
+  } catch (error) {
+    setTableAlterDialogSaving(state, false);
+    showTableAlterDialogError(state, error.message || "Could not alter table");
+  }
+}
+
+function tableAlterDatabaseUrl() {
+  var data = tableAlterData();
+  if (!data || !data.path) {
+    return null;
+  }
+  var url = new URL(data.path, location.href);
+  url.pathname = url.pathname.replace(/\/[^/]+\/-\/alter\/?$/, "");
+  url.search = "";
+  url.hash = "";
+  return url.toString();
+}
+
+async function dropTableFromAlterDialog(state) {
+  if (state.isSaving) {
+    return;
+  }
+  var data = tableAlterData();
+  if (!data || !data.dropPath) {
+    return;
+  }
+  if (
+    !window.confirm(
+      'Permanently delete the table "' +
+        data.tableName +
+        '"? This will delete all of its data and cannot be undone.',
+    )
+  ) {
+    return;
+  }
+  clearTableAlterDialogError(state);
+  setTableAlterDialogSaving(state, true);
+  try {
+    var response = await fetch(data.dropPath, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify({ confirm: true }),
+    });
+    var responseData = null;
+    try {
+      responseData = await response.json();
+    } catch (_error) {
+      responseData = null;
+    }
+    if (!response.ok || (responseData && responseData.ok === false)) {
+      throw rowMutationRequestError(response, responseData);
+    }
+    state.shouldRestoreFocus = false;
+    state.dialog.close();
+    window.location.href = tableAlterDatabaseUrl() || "/";
+  } catch (error) {
+    setTableAlterDialogSaving(state, false);
+    showTableAlterDialogError(state, error.message || "Could not drop table");
+  }
+}
+
+async function saveTableAlterDialog(state) {
+  if (state.isSaving) {
+    return;
+  }
+  if (state.mode === "review") {
+    if (!state.reviewResult) {
+      showTableAlterDialogError(state, "Could not find the reviewed changes.");
+      return;
+    }
+    await applyTableAlterChanges(state, state.reviewResult);
+    return;
+  }
+  clearTableAlterDialogError(state);
+  var result = collectTableAlterPayload(state);
+  if (result.error) {
+    showTableAlterDialogError(state, result.error);
+    return;
+  }
+  showTableAlterReview(state, result);
+}
+
+function confirmDiscardTableAlterChanges(state) {
+  if (!tableAlterDialogHasChanges(state)) {
+    return true;
+  }
+  return window.confirm("Discard table changes?");
+}
+
+function closeTableAlterDialogIfConfirmed(state) {
+  if (!state || state.isSaving) {
+    return false;
+  }
+  if (!confirmDiscardTableAlterChanges(state)) {
+    return false;
+  }
+  state.shouldRestoreFocus = true;
+  state.dialog.close();
+  return true;
+}
+
+function closeTableAlterDialog(state) {
+  if (!state || state.isSaving) {
+    return false;
+  }
+  state.shouldRestoreFocus = true;
+  state.dialog.close();
+  return true;
+}
+
+function ensureTableAlterDialog(manager) {
+  if (tableAlterDialogState) {
+    return tableAlterDialogState;
+  }
+  if (!window.HTMLDialogElement) {
+    return null;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.id = TABLE_ALTER_DIALOG_ID;
+  dialog.className = "table-alter-dialog";
+  dialog.setAttribute("aria-labelledby", "table-alter-title");
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="table-alter-title">Alter table</span>
+    </div>
+    <form class="table-alter-form" method="post" novalidate>
+      <p class="table-alter-error" id="table-alter-error" role="alert" tabindex="-1" hidden></p>
+      <div class="table-alter-fields">
+        <div class="table-alter-columns">
+          <div class="table-alter-column-headings" aria-hidden="true">
+            <span>Column</span>
+            <span>Type</span>
+            <span>Move</span>
+            <span></span>
+          </div>
+          <div class="table-alter-column-list"></div>
+          <button type="button" class="table-alter-add-column"><svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M5 12h14"></path><path d="M12 5v14"></path></svg><span>Add column</span></button>
+        </div>
+        <details class="table-alter-table-options">
+          <summary>Rename table</summary>
+          <div class="table-alter-table-name-field">
+            <label class="table-alter-detail-label" for="table-alter-table-name">New table name</label>
+            <input id="table-alter-table-name" class="table-alter-input table-alter-table-name" type="text" autocomplete="off" placeholder="table name" required>
+          </div>
+        </details>
+      </div>
+      <div class="table-alter-review" hidden></div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-danger table-alter-drop" hidden>Drop table</button>
+        <button type="button" class="btn btn-ghost table-alter-back" hidden>Back</button>
+        <button type="button" class="btn btn-ghost table-alter-cancel">Cancel</button>
+        <button type="submit" class="btn btn-primary table-alter-save">Review changes</button>
+      </div>
+    </form>
+  `;
+  document.body.appendChild(dialog);
+
+  tableAlterDialogState = {
+    dialog: dialog,
+    form: dialog.querySelector(".table-alter-form"),
+    title: dialog.querySelector(".modal-title"),
+    error: dialog.querySelector(".table-alter-error"),
+    fields: dialog.querySelector(".table-alter-fields"),
+    tableOptions: dialog.querySelector(".table-alter-table-options"),
+    tableNameInput: dialog.querySelector(".table-alter-table-name"),
+    review: dialog.querySelector(".table-alter-review"),
+    columnList: dialog.querySelector(".table-alter-column-list"),
+    addColumnButton: dialog.querySelector(".table-alter-add-column"),
+    backButton: dialog.querySelector(".table-alter-back"),
+    dropButton: dialog.querySelector(".table-alter-drop"),
+    cancelButton: dialog.querySelector(".table-alter-cancel"),
+    saveButton: dialog.querySelector(".table-alter-save"),
+    currentButton: null,
+    shouldRestoreFocus: true,
+    isSaving: false,
+    initialSignature: "",
+    originalTableName: "",
+    nextColumnIndex: 0,
+    deletedColumns: [],
+    originalColumnNames: [],
+    originalPrimaryKeys: [],
+    foreignKeyTargets: [],
+    foreignKeyTargetsError: null,
+    foreignKeyTargetsLoading: false,
+    mode: "edit",
+    reviewResult: null,
+    manager: manager,
+  };
+
+  tableAlterDialogState.form.addEventListener("submit", function (ev) {
+    ev.preventDefault();
+    saveTableAlterDialog(tableAlterDialogState);
+  });
+
+  tableAlterDialogState.tableNameInput.addEventListener("input", function () {
+    clearTableAlterDialogError(tableAlterDialogState);
+    updateTableAlterSaveButtonState(tableAlterDialogState);
+  });
+
+  tableAlterDialogState.addColumnButton.addEventListener("click", function () {
+    if (tableAlterDialogState.isSaving) {
+      return;
+    }
+    var row = addTableAlterColumn(tableAlterDialogState, {
+      type: "text",
+      existing: false,
+      expanded: true,
+    });
+    clearTableAlterDialogError(tableAlterDialogState);
+    updateTableAlterMoveButtons(tableAlterDialogState);
+    updateTableAlterSaveButtonState(tableAlterDialogState);
+    row.querySelector(".table-alter-column-name").focus();
+  });
+
+  tableAlterDialogState.cancelButton.addEventListener("click", function () {
+    closeTableAlterDialog(tableAlterDialogState);
+  });
+
+  tableAlterDialogState.dropButton.addEventListener("click", function () {
+    dropTableFromAlterDialog(tableAlterDialogState);
+  });
+
+  tableAlterDialogState.backButton.addEventListener("click", function () {
+    if (tableAlterDialogState.isSaving) {
+      return;
+    }
+    clearTableAlterDialogError(tableAlterDialogState);
+    showTableAlterEditor(tableAlterDialogState);
+    var firstName = tableAlterDialogState.columnList.querySelector(
+      ".table-alter-column-name",
+    );
+    if (firstName) {
+      firstName.focus();
+    }
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog) {
+      closeTableAlterDialogIfConfirmed(tableAlterDialogState);
+    }
+  });
+
+  dialog.addEventListener("keydown", function (ev) {
+    if (ev.key !== "Escape") {
+      return;
+    }
+    ev.preventDefault();
+    closeTableAlterDialogIfConfirmed(tableAlterDialogState);
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    ev.preventDefault();
+    closeTableAlterDialogIfConfirmed(tableAlterDialogState);
+  });
+
+  dialog.addEventListener("close", function () {
+    var state = tableAlterDialogState;
+    clearTableAlterDialogError(state);
+    setTableAlterDialogSaving(state, false);
+    if (
+      state.shouldRestoreFocus &&
+      state.currentButton &&
+      document.contains(state.currentButton)
+    ) {
+      state.currentButton.focus();
+    }
+  });
+
+  return tableAlterDialogState;
+}
+
+function openTableAlterDialog(button, manager) {
+  var data = tableAlterData();
+  if (!data) {
+    return;
+  }
+  var state = ensureTableAlterDialog(manager);
+  if (!state) {
+    return;
+  }
+
+  var menu = button.closest("details");
+  if (menu) {
+    menu.open = false;
+  }
+  state.manager = manager;
+  state.currentButton = button;
+  state.shouldRestoreFocus = true;
+  state.title.textContent = "Alter table " + data.tableName;
+  clearTableAlterDialogError(state);
+  resetTableAlterDialog(state, data);
+  loadSchemaDialogForeignKeyTargets(
+    state,
+    "table-alter",
+    tableAlterForeignKeyTargetsUrl(),
+    { filterByType: false },
+  );
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  var firstName = state.columnList.querySelector(".table-alter-column-name");
+  if (firstName) {
+    firstName.focus();
+  }
+}
+
+function initTableAlterActions(manager) {
+  if (!window.fetch || !window.HTMLDialogElement || !tableAlterData()) {
+    return;
+  }
+  document.addEventListener("click", function (ev) {
+    var button = ev.target.closest('button[data-table-action="alter-table"]');
+    if (!button) {
+      return;
+    }
+    ev.preventDefault();
+    openTableAlterDialog(button, manager);
+  });
+}
+
+function tableForeignKeys() {
+  return tablePageData().foreignKeys || {};
+}
+
+function isRowPage() {
+  return document.body && document.body.classList.contains("row");
+}
+
+function rowElementForActionButton(button) {
+  return (
+    button.closest("[data-row]") ||
+    (button.getAttribute("data-row") ? button : null)
+  );
+}
+
+function foreignKeyAutocompleteUrl(column) {
+  return tableForeignKeys()[column] || null;
+}
+
+function autocompleteRowPk(row) {
+  var pks = (row && row.pks) || {};
+  var keys = Object.keys(pks);
+  if (keys.length !== 1) {
+    return null;
+  }
+  return pks[keys[0]];
+}
+
+function foreignKeyRowUrl(autocompleteUrl, pk) {
+  var url = new URL(autocompleteUrl, location.href);
+  if (!/\/-\/autocomplete\/?$/.test(url.pathname)) {
+    return null;
+  }
+  url.pathname =
+    url.pathname.replace(/\/-\/autocomplete\/?$/, "") + "/" + tildeEncode(pk);
+  url.search = "";
+  url.hash = "";
+  return url.toString();
+}
+
+function foreignKeyLabelText(row) {
+  var pk = autocompleteRowPk(row);
+  var label = row && row.label;
+  if (
+    label !== null &&
+    typeof label !== "undefined" &&
+    String(label) !== String(pk)
+  ) {
+    return String(label);
+  }
+  return "View row";
+}
+
+function rowEditMetaTextWithoutCurrentValue(meta) {
+  return (meta.dataset.baseMeta || "")
+    .split(" · ")
+    .filter(function (part) {
+      return part !== "Current value: NULL";
+    })
+    .join(" · ");
+}
+
+function updateRowEditForeignKeySeparator(meta) {
+  var separator = meta.querySelector(".row-edit-fk-separator");
+  if (!separator) {
+    return;
+  }
+  var baseMeta = meta.querySelector(".row-edit-base-meta");
+  var hasBaseMeta = !!(baseMeta && baseMeta.textContent);
+  separator.textContent = hasBaseMeta ? " · " : "";
+  separator.hidden = !hasBaseMeta;
+}
+
+function updateRowEditFieldMetaHidden(meta) {
+  var baseMeta = meta.querySelector(".row-edit-base-meta");
+  var hasBaseMeta = !!(baseMeta && baseMeta.textContent);
+  var foreignKeyLinkWrap = meta.querySelector(".row-edit-fk-link-wrap");
+  var hasForeignKeyLink = foreignKeyLinkWrap && !foreignKeyLinkWrap.hidden;
+  meta.hidden =
+    meta.dataset.reserveSpace !== "1" && !hasBaseMeta && !hasForeignKeyLink;
+}
+
+function setRowEditBaseMetaText(meta, text) {
+  var baseMeta = meta.querySelector(".row-edit-base-meta");
+  if (!baseMeta) {
+    return;
+  }
+  baseMeta.textContent = text || "";
+  updateRowEditForeignKeySeparator(meta);
+  updateRowEditFieldMetaHidden(meta);
+}
+
+function setForeignKeyMetaLink(meta, autocompleteUrl, row) {
+  var wrap = meta.querySelector(".row-edit-fk-link-wrap");
+  if (!wrap) {
+    return;
+  }
+  var pkSpan = wrap.querySelector(".row-edit-fk-pk");
+  var link = wrap.querySelector("a");
+  var pk = autocompleteRowPk(row);
+  var url =
+    pk === null || typeof pk === "undefined"
+      ? null
+      : foreignKeyRowUrl(autocompleteUrl, pk);
+  if (!url) {
+    wrap.hidden = true;
+    pkSpan.textContent = "";
+    link.removeAttribute("href");
+    link.textContent = "";
+    link.removeAttribute("aria-label");
+    setRowEditBaseMetaText(meta, meta.dataset.baseMeta || "");
+    updateRowEditFieldMetaHidden(meta);
+    return;
+  }
+  setRowEditBaseMetaText(meta, rowEditMetaTextWithoutCurrentValue(meta));
+  var pkText = String(pk);
+  var linkText = foreignKeyLabelText(row);
+  pkSpan.textContent = pkText;
+  link.href = url;
+  link.textContent = linkText;
+  link.setAttribute(
+    "aria-label",
+    "Open referenced row " + pkText + " " + linkText + " in a new tab",
+  );
+  wrap.hidden = false;
+  updateRowEditFieldMetaHidden(meta);
+}
+
+async function resolveForeignKeyMetaLink(control, autocompleteUrl, meta) {
+  var value = control.value.trim();
+  if (!value) {
+    setForeignKeyMetaLink(meta, autocompleteUrl, null);
+    return;
+  }
+
+  var url = new URL(autocompleteUrl, location.href);
+  url.searchParams.set("q", value);
+  try {
+    var response = await fetch(url.toString(), {
+      headers: {
+        Accept: "application/json",
+      },
+    });
+    if (!response.ok) {
+      throw new Error("HTTP " + response.status);
+    }
+    var data = await response.json();
+    if (control.value.trim() !== value) {
+      return;
+    }
+    var rows = (data && data.rows) || [];
+    var row = rows.find(function (candidate) {
+      var pk = autocompleteRowPk(candidate);
+      return pk !== null && typeof pk !== "undefined" && String(pk) === value;
+    });
+    setForeignKeyMetaLink(meta, autocompleteUrl, row || null);
+  } catch (_error) {
+    if (control.value.trim() === value) {
+      setForeignKeyMetaLink(meta, autocompleteUrl, null);
+    }
+  }
+}
+
+function tableInsertUrl() {
+  var data = tableInsertData();
+  if (data && data.path) {
+    return new URL(data.path, location.href).toString();
+  }
+  var url = tableBaseUrl();
+  url.pathname = url.pathname.replace(/\/$/, "") + "/-/insert";
+  return url.toString();
+}
+
+function rowResourceUrl(row) {
+  var rowId = row.getAttribute("data-row");
+  if (!rowId) {
+    return null;
+  }
+  var url = tableBaseUrl();
+  url.pathname = url.pathname.replace(/\/$/, "") + "/" + rowId;
+  return url;
+}
+
+function rowJsonUrl(row) {
+  var url = rowResourceUrl(row);
+  if (!url) {
+    return "";
+  }
+  url.pathname = url.pathname + ".json";
+  url.searchParams.set("_extra", "columns,column_types");
+  return url.toString();
+}
+
+function rowDeleteUrl(row) {
+  var url = rowResourceUrl(row);
+  if (!url) {
+    return "";
+  }
+  url.pathname = url.pathname.replace(/\/$/, "") + "/-/delete";
+  if (isRowPage()) {
+    url.searchParams.set("_redirect_to_table", "1");
+  }
+  return url.toString();
+}
+
+function rowUpdateUrl(row) {
+  var url = rowResourceUrl(row);
+  if (!url) {
+    return "";
+  }
+  url.pathname = url.pathname.replace(/\/$/, "") + "/-/update";
+  if (isRowPage()) {
+    url.searchParams.set("_message", "1");
+  }
+  return url.toString();
+}
+
+function rowFragmentUrl(row) {
+  var rowId = row.getAttribute("data-row");
+  return rowFragmentUrlById(rowId);
+}
+
+function rowFragmentUrlById(rowId) {
+  if (!rowId) {
+    return "";
+  }
+  var url = tableBaseUrl();
+  url.search = new URL(location.href).search;
+  url.pathname = url.pathname.replace(/\/$/, "") + "/-/fragment";
+  url.searchParams.delete("_next");
+  url.searchParams.set("_row", rowId);
+  url.searchParams.set("_nocount", "1");
+  url.searchParams.set("_nofacet", "1");
+  url.searchParams.set("_nosuggest", "1");
+  return url.toString();
+}
+
+function nextRowActionFocusTarget(row, action) {
+  var selector = 'button[data-row-action="' + action + '"]:not([disabled])';
+  var sibling = row.nextElementSibling;
+  while (sibling) {
+    var nextButton = sibling.querySelector(selector);
+    if (nextButton) {
+      return nextButton;
+    }
+    sibling = sibling.nextElementSibling;
+  }
+
+  sibling = row.previousElementSibling;
+  while (sibling) {
+    var previousButton = sibling.querySelector(selector);
+    if (previousButton) {
+      return previousButton;
+    }
+    sibling = sibling.previousElementSibling;
+  }
+
+  return null;
+}
+
+function nextRowDeleteFocusTarget(row, manager) {
+  return (
+    nextRowActionFocusTarget(row, "delete") || ensureRowMutationStatus(manager)
+  );
+}
+
+function ensureRowDeleteDialog(manager) {
+  if (rowDeleteDialogState) {
+    return rowDeleteDialogState;
+  }
+  if (!window.HTMLDialogElement) {
+    return null;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.id = ROW_DELETE_DIALOG_ID;
+  dialog.className = "row-delete-dialog";
+  dialog.setAttribute("aria-labelledby", "row-delete-title");
+  dialog.setAttribute("aria-describedby", "row-delete-message");
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="row-delete-title">Delete row</span>
+    </div>
+    <p class="row-delete-message" id="row-delete-message">Delete row <span class="row-delete-id"></span>?</p>
+    <p class="row-delete-error" role="alert" hidden></p>
+    <div class="modal-footer">
+      <button type="button" class="btn btn-ghost row-delete-cancel">Cancel</button>
+      <button type="button" class="btn btn-primary row-delete-confirm">Delete row</button>
+    </div>
+  `;
+  document.body.appendChild(dialog);
+
+  rowDeleteDialogState = {
+    dialog: dialog,
+    title: dialog.querySelector(".modal-title"),
+    message: dialog.querySelector(".row-delete-message"),
+    rowId: dialog.querySelector(".row-delete-id"),
+    error: dialog.querySelector(".row-delete-error"),
+    cancelButton: dialog.querySelector(".row-delete-cancel"),
+    confirmButton: dialog.querySelector(".row-delete-confirm"),
+    currentRow: null,
+    currentDeleteUrl: null,
+    currentPkPath: null,
+    manager: manager,
+    isBusy: false,
+    shouldRestoreFocus: true,
+  };
+
+  rowDeleteDialogState.cancelButton.addEventListener("click", function () {
+    if (!rowDeleteDialogState.isBusy) {
+      rowDeleteDialogState.shouldRestoreFocus = true;
+      dialog.close();
+    }
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog && !rowDeleteDialogState.isBusy) {
+      rowDeleteDialogState.shouldRestoreFocus = true;
+      dialog.close();
+    }
+  });
+
+  dialog.addEventListener("keydown", function (ev) {
+    if (
+      ev.key === "Enter" &&
+      document.activeElement === rowDeleteDialogState.confirmButton
+    ) {
+      ev.preventDefault();
+      if (!rowDeleteDialogState.isBusy) {
+        rowDeleteDialogState.confirmButton.click();
+      }
+      return;
+    }
+    if (ev.key !== "Escape") {
+      return;
+    }
+    if (rowDeleteDialogState.isBusy) {
+      ev.preventDefault();
+      return;
+    }
+    ev.preventDefault();
+    rowDeleteDialogState.shouldRestoreFocus = true;
+    dialog.close();
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    if (rowDeleteDialogState.isBusy) {
+      ev.preventDefault();
+    } else {
+      rowDeleteDialogState.shouldRestoreFocus = true;
+    }
+  });
+
+  dialog.addEventListener("close", function () {
+    var state = rowDeleteDialogState;
+    clearRowDeleteDialogError(state);
+    setRowDeleteDialogBusy(state, false);
+    if (
+      state.shouldRestoreFocus &&
+      state.currentButton &&
+      document.contains(state.currentButton)
+    ) {
+      state.currentButton.focus();
+    }
+  });
+
+  rowDeleteDialogState.confirmButton.addEventListener(
+    "click",
+    async function () {
+      var state = rowDeleteDialogState;
+      clearRowDeleteDialogError(state);
+      setRowDeleteDialogBusy(state, true);
+
+      try {
+        var response = await fetch(state.currentDeleteUrl, {
+          method: "POST",
+          headers: {
+            Accept: "application/json",
+          },
+        });
+        var data = null;
+        try {
+          data = await response.json();
+        } catch (_error) {
+          data = null;
+        }
+        if (!response.ok || (data && data.ok === false)) {
+          throw rowMutationRequestError(response, data);
+        }
+        if (data && data.redirect) {
+          state.shouldRestoreFocus = false;
+          state.dialog.close();
+          location.href = data.redirect;
+          return;
+        }
+
+        var focusTarget = nextRowDeleteFocusTarget(
+          state.currentRow,
+          state.manager,
+        );
+        var statusMessage = state.currentPkPath
+          ? "Deleted row " + state.currentPkPath + "."
+          : "Deleted row.";
+        state.shouldRestoreFocus = false;
+        state.dialog.close();
+        state.currentRow.remove();
+        showRowMutationStatus(state.manager, statusMessage, false);
+        if (focusTarget && document.contains(focusTarget)) {
+          focusTarget.focus();
+        } else {
+          ensureRowMutationStatus(state.manager).focus();
+        }
+      } catch (error) {
+        setRowDeleteDialogBusy(state, false);
+        showRowDeleteDialogError(state, error.message || "Delete failed");
+      }
+    },
+  );
+
+  return rowDeleteDialogState;
+}
+
+function openRowDeleteDialog(button, manager) {
+  var row = rowElementForActionButton(button);
+  if (!row || !row.getAttribute("data-row")) {
+    return;
+  }
+  var state = ensureRowDeleteDialog(manager);
+  if (!state) {
+    return;
+  }
+
+  state.manager = manager;
+  state.currentButton = button;
+  state.currentRow = row;
+  state.currentDeleteUrl = rowDeleteUrl(row);
+  state.currentPkPath = rowDisplayLabel(row);
+  state.shouldRestoreFocus = true;
+
+  clearRowDeleteDialogError(state);
+  setRowDeleteDialogBusy(state, false);
+  setRowDialogTitle(
+    state.title,
+    "Delete row",
+    state.currentPkPath || "this row",
+    rowTitleLabel(row),
+  );
+  state.rowId.textContent = state.currentPkPath || "this row";
+
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  state.confirmButton.focus();
+}
+
+function initRowDeleteActions(manager) {
+  if (!window.fetch || !window.HTMLDialogElement) {
+    return;
+  }
+  document.addEventListener("click", function (ev) {
+    var button = ev.target.closest('button[data-row-action="delete"]');
+    if (!button) {
+      return;
+    }
+    ev.preventDefault();
+    openRowDeleteDialog(button, manager);
+  });
+}
+
+function valueToEditText(value) {
+  if (value === null || typeof value === "undefined") {
+    return "";
+  }
+  if (typeof value === "object") {
+    return JSON.stringify(value, null, 2);
+  }
+  return String(value);
+}
+
+function shouldUseTextarea(value, columnType) {
+  if (columnType && columnType.type === "textarea") {
+    return true;
+  }
+  if (value && typeof value === "object") {
+    return true;
+  }
+  var text = valueToEditText(value);
+  return text.length > 80 || /[\r\n]/.test(text);
+}
+
+function rowEditValueKind(value) {
+  if (value === null || typeof value === "undefined") {
+    return "null";
+  }
+  if (typeof value === "number") {
+    return "number";
+  }
+  if (typeof value === "boolean") {
+    return "boolean";
+  }
+  return "string";
+}
+
+function rowEditControlElement(control, autocompleteUrl) {
+  if (!autocompleteUrl || control.nodeName !== "INPUT") {
+    return control;
+  }
+  var autocomplete = document.createElement("datasette-autocomplete");
+  autocomplete.setAttribute("src", autocompleteUrl);
+  autocomplete.setAttribute("suggest-on-focus", "");
+  autocomplete.appendChild(control);
+  return autocomplete;
+}
+
+function columnTypeForContext(columnType) {
+  if (!columnType) {
+    return null;
+  }
+  return {
+    type: columnType.type,
+    config: columnType.config || {},
+  };
+}
+
+function defaultExpressionForContext(expression) {
+  if (expression === null || typeof expression === "undefined") {
+    return null;
+  }
+  return expression;
+}
+
+function columnFormControlContext(column, isPk, columnType, options) {
+  var pageData = tablePageData();
+  var defaultExpression = defaultExpressionForContext(
+    options.defaultExpression,
+  );
+  return {
+    mode: options.mode || "edit",
+    database: pageData.database || null,
+    table:
+      pageData.table ||
+      (tableInsertData() && tableInsertData().tableName) ||
+      null,
+    tableUrl: pageData.tableUrl || null,
+    column: column,
+    columnType: columnTypeForContext(columnType),
+    sqliteType: options.sqliteType || null,
+    notNull: !!options.notnull,
+    isPk: !!isPk,
+    defaultExpression: defaultExpression,
+    form: options.form || null,
+    dialog: options.dialog || null,
+  };
+}
+
+function makeColumnField(manager, context) {
+  if (!manager || !manager.makeColumnField) {
+    return null;
+  }
+  return manager.makeColumnField(context);
+}
+
+function createColumnFieldApi(options) {
+  var control = options.control;
+  var context = options.context;
+  var field = {
+    context: context,
+    id: options.id,
+    labelId: options.labelId,
+    descriptionId: options.descriptionId,
+    root: null,
+    form: options.form || null,
+    dialog: options.dialog || null,
+    input: control,
+    control: control,
+    meta: options.meta || null,
+    validationMessageElement: null,
+    getValue: function () {
+      return valueFromRowEditControl(control);
+    },
+    setValue: function (value) {
+      if (
+        value !== null &&
+        typeof value !== "undefined" &&
+        typeof value === "object"
+      ) {
+        throw new TypeError(
+          "field.setValue() accepts strings, numbers, booleans or null; serialize objects before setting the field value",
+        );
+      }
+      field.stopUsingSqliteDefault();
+      control.value = valueToEditText(value);
+      control.dataset.currentValueKind = rowEditValueKind(value);
+    },
+    getInitialValue: function () {
+      return initialValueFromRowEditControl(control);
+    },
+    hasChanged: function () {
+      return rowEditControlHasChanged(control);
+    },
+    clearValue: function () {
+      field.setValue(null);
+    },
+    isUsingSqliteDefault: function () {
+      return control.dataset.useSqliteDefault === "1";
+    },
+    useSqliteDefault: function () {
+      if (
+        context.defaultExpression === null ||
+        typeof context.defaultExpression === "undefined"
+      ) {
+        return;
+      }
+      control.dataset.useSqliteDefault = "1";
+      control.disabled = true;
+      control.value = "";
+      control.dataset.currentValueKind = "null";
+      field.syncSqliteDefaultUi();
+    },
+    stopUsingSqliteDefault: function () {
+      if (control.dataset.useSqliteDefault !== "1") {
+        return;
+      }
+      control.dataset.useSqliteDefault = "0";
+      control.disabled = false;
+      field.syncSqliteDefaultUi();
+    },
+    syncSqliteDefaultUi: function () {},
+    markClean: function () {
+      markRowEditControlClean(control);
+    },
+    setValidity: function (message) {
+      message = message || "";
+      control.setCustomValidity(message);
+      if (message) {
+        control.setAttribute("aria-invalid", "true");
+      } else {
+        control.removeAttribute("aria-invalid");
+      }
+      var validationMessage = ensureColumnFieldValidationMessage(field);
+      if (validationMessage) {
+        validationMessage.textContent = message;
+        validationMessage.hidden = !message;
+      }
+    },
+    clearValidity: function () {
+      field.setValidity("");
+    },
+  };
+  field.markClean();
+  return field;
+}
+
+function ensureColumnFieldValidationMessage(field) {
+  if (field.validationMessageElement) {
+    return field.validationMessageElement;
+  }
+  if (!field.meta) {
+    return null;
+  }
+  var validationMessage = document.createElement("span");
+  validationMessage.id = field.id + "-validation-error";
+  validationMessage.className = "row-edit-field-validation-error";
+  validationMessage.hidden = true;
+  validationMessage.setAttribute("role", "alert");
+  field.meta.appendChild(validationMessage);
+  field.validationMessageElement = validationMessage;
+  return validationMessage;
+}
+
+function renderColumnField(pluginControl, fieldApi) {
+  if (!pluginControl || !pluginControl.render) {
+    return null;
+  }
+  var pluginWrap = document.createElement("div");
+  pluginWrap.className = "row-edit-plugin-control";
+  pluginWrap.dataset.pluginName = pluginControl.pluginName || "";
+  pluginWrap.dataset.column = fieldApi.context.column;
+  if (fieldApi.context.columnType && fieldApi.context.columnType.type) {
+    pluginWrap.dataset.columnType = fieldApi.context.columnType.type;
+  }
+  fieldApi.root = pluginWrap;
+  try {
+    var rendered = pluginControl.render(fieldApi);
+    if (rendered && rendered.nodeType) {
+      pluginWrap.appendChild(rendered);
+    }
+  } catch (error) {
+    console.error("Error rendering column form control", error);
+    return null;
+  }
+  pluginWrap._datasetteColumnField = pluginControl;
+  pluginWrap._datasetteColumnFormField = fieldApi;
+  return pluginWrap;
+}
+
+function validateJsonColumnField(field) {
+  var value = field.input.value;
+  if (value.trim() === "") {
+    field.clearValidity();
+    return true;
+  }
+  try {
+    JSON.parse(value);
+    field.clearValidity();
+    return true;
+  } catch (error) {
+    field.setValidity(
+      "Invalid JSON" + (error && error.message ? ": " + error.message : ""),
+    );
+    return false;
+  }
+}
+
+function registerBuiltinColumnFieldPlugins(manager) {
+  if (!manager || !manager.registerPlugin) {
+    return;
+  }
+  manager.registerPlugin("datasette-json-column", {
+    version: "1.0",
+    makeColumnField: function (context) {
+      if (!context.columnType || context.columnType.type !== "json") {
+        return;
+      }
+      return {
+        useTextarea: true,
+        render: function (field) {
+          field.input.addEventListener("input", function () {
+            validateJsonColumnField(field);
+          });
+          field.input.addEventListener("change", function () {
+            validateJsonColumnField(field);
+          });
+          validateJsonColumnField(field);
+          return field.input;
+        },
+        focus: function (field) {
+          field.input.focus();
+        },
+      };
+    },
+  });
+}
+
+function focusRowEditPluginControl(field) {
+  var pluginWrap = field.querySelector(".row-edit-plugin-control");
+  if (!pluginWrap) {
+    return false;
+  }
+  var pluginControl = pluginWrap._datasetteColumnField;
+  var fieldApi = pluginWrap._datasetteColumnFormField;
+  if (pluginControl && pluginControl.focus) {
+    try {
+      pluginControl.focus(fieldApi);
+      return true;
+    } catch (error) {
+      console.error("Error focusing column form control", error);
+    }
+  }
+  return false;
+}
+
+function focusFirstRowEditControl(state, options) {
+  options = options || {};
+  var fields = state.fields.querySelectorAll(".row-edit-field");
+  for (var i = 0; i < fields.length; i += 1) {
+    var field = fields[i];
+    var control = field.querySelector(".row-edit-input");
+    if (!control) {
+      continue;
+    }
+    if (options.skipReadonly && (control.readOnly || control.disabled)) {
+      continue;
+    }
+    if (focusRowEditPluginControl(field)) {
+      return true;
+    }
+    control.focus();
+    return true;
+  }
+  return false;
+}
+
+function destroyRowEditFields(state) {
+  if (!state || !state.fields) {
+    return;
+  }
+  state.fields
+    .querySelectorAll(".row-edit-plugin-control")
+    .forEach(function (pluginWrap) {
+      var pluginControl = pluginWrap._datasetteColumnField;
+      var fieldApi = pluginWrap._datasetteColumnFormField;
+      if (pluginControl && pluginControl.destroy) {
+        try {
+          pluginControl.destroy(fieldApi);
+        } catch (error) {
+          console.error("Error destroying column form control", error);
+        }
+      }
+    });
+  state.fields.innerHTML = "";
+}
+
+function createRowEditField(column, value, isPk, columnType, index, options) {
+  options = options || {};
+  var field = document.createElement("div");
+  field.className = "row-edit-field";
+  var defaultExpression = defaultExpressionForContext(
+    options.defaultExpression,
+  );
+  var hasDefaultExpression = defaultExpression !== null;
+  var useSqliteDefault = hasDefaultExpression && options.useSqliteDefault;
+
+  var fieldId = "row-edit-field-" + index;
+  var metaId = "row-edit-field-meta-" + index;
+  var labelId = "row-edit-field-label-" + index;
+  var label = document.createElement("label");
+  label.className = "row-edit-label";
+  label.id = labelId;
+  label.setAttribute("for", fieldId);
+  label.textContent = column;
+
+  var controlWrap = document.createElement("div");
+  controlWrap.className = "row-edit-control-wrap";
+
+  var context = columnFormControlContext(column, isPk, columnType, options);
+  var pluginControl = makeColumnField(options.manager, context);
+  var useTextarea =
+    (pluginControl && pluginControl.useTextarea === true) ||
+    shouldUseTextarea(value, columnType);
+  var control = useTextarea
+    ? document.createElement("textarea")
+    : document.createElement("input");
+  control.className = "row-edit-input";
+  control.id = fieldId;
+  control.name = column;
+  control.value = valueToEditText(value);
+  control.setAttribute("aria-describedby", metaId);
+  control.dataset.initialValue = valueToEditText(value);
+  control.dataset.initialValueKind =
+    options.valueKind || rowEditValueKind(value);
+  control.dataset.primaryKey = isPk ? "1" : "0";
+  control.dataset.currentValueKind = control.dataset.initialValueKind;
+  if (hasDefaultExpression) {
+    control.dataset.useSqliteDefault = useSqliteDefault ? "1" : "0";
+  }
+  if (useSqliteDefault) {
+    control.disabled = true;
+  }
+  if (options.omitIfBlank) {
+    control.dataset.omitIfBlank = "1";
+  }
+
+  if (control.nodeName === "TEXTAREA") {
+    control.rows = Math.min(8, Math.max(3, control.value.split("\n").length));
+  } else {
+    control.type = "text";
+  }
+
+  if (isPk && options.primaryKeyReadonly !== false) {
+    control.readOnly = true;
+  }
+
+  var meta = document.createElement("span");
+  meta.id = metaId;
+  meta.className = "row-edit-field-meta";
+  if (options.autocompleteUrl) {
+    meta.classList.add("row-edit-field-meta-autocomplete");
+    meta.dataset.reserveSpace = "1";
+  }
+  var metaParts = [];
+  if (isPk) {
+    metaParts.push("Primary key");
+  }
+  if (options.notnull) {
+    metaParts.push("Required");
+  }
+  if (hasDefaultExpression && !useSqliteDefault) {
+    metaParts.push("SQLite default: " + defaultExpression);
+  }
+  if (value === null) {
+    metaParts.push("Current value: NULL");
+    control.placeholder = "NULL";
+  }
+  if (columnType && columnType.type) {
+    metaParts.push("Custom type: " + columnType.type);
+  }
+  meta.dataset.baseMeta = metaParts.join(" · ");
+  var baseMeta = document.createElement("span");
+  baseMeta.className = "row-edit-base-meta";
+  baseMeta.textContent = meta.dataset.baseMeta;
+  meta.appendChild(baseMeta);
+  if (options.autocompleteUrl) {
+    var foreignKeyLinkWrap = document.createElement("span");
+    foreignKeyLinkWrap.className = "row-edit-fk-link-wrap";
+    foreignKeyLinkWrap.hidden = true;
+    var foreignKeySeparator = document.createElement("span");
+    foreignKeySeparator.className = "row-edit-fk-separator";
+    foreignKeySeparator.textContent = meta.dataset.baseMeta ? " · " : "";
+    foreignKeySeparator.hidden = !meta.dataset.baseMeta;
+    foreignKeyLinkWrap.appendChild(foreignKeySeparator);
+    var foreignKeyPk = document.createElement("span");
+    foreignKeyPk.className = "row-edit-fk-pk";
+    foreignKeyLinkWrap.appendChild(foreignKeyPk);
+    foreignKeyLinkWrap.appendChild(document.createTextNode(" "));
+    var foreignKeyLink = document.createElement("a");
+    foreignKeyLink.className = "row-edit-fk-link";
+    foreignKeyLink.target = "_blank";
+    foreignKeyLink.rel = "noopener noreferrer";
+    foreignKeyLinkWrap.appendChild(foreignKeyLink);
+    meta.appendChild(foreignKeyLinkWrap);
+    updateRowEditFieldMetaHidden(meta);
+  }
+  var fieldApi = createColumnFieldApi({
+    id: fieldId,
+    labelId: labelId,
+    descriptionId: metaId,
+    control: control,
+    meta: meta,
+    input: control,
+    form: options.form || null,
+    dialog: options.dialog || null,
+    context: context,
+  });
+  field._datasetteColumnFormField = fieldApi;
+  var pluginControlElement = renderColumnField(pluginControl, fieldApi);
+  var controlElement =
+    pluginControlElement ||
+    rowEditControlElement(control, options.autocompleteUrl);
+  if (options.autocompleteUrl && !pluginControlElement) {
+    control.addEventListener("input", function () {
+      setForeignKeyMetaLink(meta, options.autocompleteUrl, null);
+    });
+    control.addEventListener("change", function () {
+      resolveForeignKeyMetaLink(control, options.autocompleteUrl, meta);
+    });
+    controlElement.addEventListener(
+      "datasette-autocomplete-select",
+      function (ev) {
+        setForeignKeyMetaLink(
+          meta,
+          options.autocompleteUrl,
+          ev.detail && ev.detail.row,
+        );
+      },
+    );
+    resolveForeignKeyMetaLink(control, options.autocompleteUrl, meta);
+  }
+
+  if (hasDefaultExpression) {
+    var defaultBlock = document.createElement("div");
+    defaultBlock.className = "row-edit-default";
+    defaultBlock.setAttribute("aria-describedby", metaId);
+
+    var defaultText = document.createElement("span");
+    defaultText.className = "row-edit-default-text";
+    defaultText.appendChild(document.createTextNode("default "));
+    var defaultCode = document.createElement("code");
+    defaultCode.className = "row-edit-default-code";
+    defaultCode.textContent = defaultExpression;
+    defaultText.appendChild(defaultCode);
+
+    var setValueButton = document.createElement("button");
+    setValueButton.type = "button";
+    setValueButton.className =
+      "row-edit-default-button row-edit-default-set-value";
+    setValueButton.textContent = "Set value";
+    setValueButton.setAttribute("aria-label", "Set value for " + column);
+
+    var customWrap = document.createElement("div");
+    customWrap.className = "row-edit-custom-value";
+    customWrap.hidden = true;
+
+    var useSqliteDefaultButton = document.createElement("button");
+    useSqliteDefaultButton.type = "button";
+    useSqliteDefaultButton.className = "row-edit-default-button";
+    useSqliteDefaultButton.textContent = "Use default";
+    useSqliteDefaultButton.setAttribute(
+      "aria-label",
+      "Use SQLite default for " + column,
+    );
+
+    setValueButton.addEventListener("click", function () {
+      fieldApi.stopUsingSqliteDefault();
+      control.focus();
+    });
+
+    useSqliteDefaultButton.addEventListener("click", function () {
+      fieldApi.useSqliteDefault();
+      setValueButton.focus();
+    });
+
+    defaultBlock.appendChild(defaultText);
+    defaultBlock.appendChild(setValueButton);
+    customWrap.appendChild(controlElement);
+    customWrap.appendChild(useSqliteDefaultButton);
+    controlWrap.appendChild(defaultBlock);
+    controlWrap.appendChild(customWrap);
+    fieldApi.syncSqliteDefaultUi = function () {
+      var usingDefault = fieldApi.isUsingSqliteDefault();
+      defaultBlock.hidden = !usingDefault;
+      customWrap.hidden = usingDefault;
+    };
+    fieldApi.syncSqliteDefaultUi();
+  } else {
+    controlWrap.appendChild(controlElement);
+  }
+  if (meta.textContent || options.autocompleteUrl) {
+    controlWrap.appendChild(meta);
+  }
+  field.appendChild(label);
+  field.appendChild(controlWrap);
+  return field;
+}
+
+function clearRowEditDialogError(state) {
+  state.error.hidden = true;
+  state.error.textContent = "";
+}
+
+function showRowEditDialogError(state, message) {
+  state.error.hidden = false;
+  state.error.textContent = message;
+  state.error.focus();
+}
+
+function updateRowEditDialogButtons(state) {
+  state.saveButton.disabled =
+    state.isLoading || state.isSaving || !state.hasLoaded;
+  state.cancelButton.disabled = state.isSaving;
+  var saveLabel = state.mode === "insert" ? "Insert row" : "Save";
+  state.saveButton.textContent = state.isSaving ? "Saving..." : saveLabel;
+  state.form.setAttribute(
+    "aria-busy",
+    state.isLoading || state.isSaving ? "true" : "false",
+  );
+}
+
+function setRowEditDialogLoading(state, isLoading) {
+  state.isLoading = isLoading;
+  state.loading.hidden = !isLoading;
+  updateRowEditDialogButtons(state);
+}
+
+function setRowEditDialogSaving(state, isSaving) {
+  state.isSaving = isSaving;
+  updateRowEditDialogButtons(state);
+}
+
+function valueFromRowEditControl(control) {
+  var value = control.value;
+  return valueFromRowEditText(
+    control.name,
+    value,
+    rowEditControlValueKind(control),
+  );
+}
+
+function valueFromRowEditText(name, value, initialValueKind) {
+  var trimmed = value.trim();
+
+  if (initialValueKind === "null" && value === "") {
+    return null;
+  }
+  if (initialValueKind === "number") {
+    if (trimmed === "") {
+      return null;
+    }
+    var numberValue = Number(trimmed);
+    if (Number.isNaN(numberValue)) {
+      throw new Error(name + " must be a number");
+    }
+    return numberValue;
+  }
+  if (initialValueKind === "boolean") {
+    if (/^(true|1|yes)$/i.test(trimmed)) {
+      return true;
+    }
+    if (/^(false|0|no)$/i.test(trimmed)) {
+      return false;
+    }
+    throw new Error(name + " must be true or false");
+  }
+  return value;
+}
+
+function initialValueFromRowEditControl(control) {
+  return valueFromRowEditText(
+    control.name,
+    control.dataset.initialValue || "",
+    control.dataset.initialValueKind || "string",
+  );
+}
+
+function rowEditControlValueKind(control) {
+  return (
+    control.dataset.currentValueKind ||
+    control.dataset.initialValueKind ||
+    "string"
+  );
+}
+
+function rowEditControlCleanValue(control) {
+  if (Object.prototype.hasOwnProperty.call(control.dataset, "cleanValue")) {
+    return control.dataset.cleanValue;
+  }
+  return control.dataset.initialValue || "";
+}
+
+function rowEditControlCleanValueKind(control) {
+  return (
+    control.dataset.cleanValueKind ||
+    control.dataset.initialValueKind ||
+    "string"
+  );
+}
+
+function rowEditControlCleanUsesSqliteDefault(control) {
+  if (
+    Object.prototype.hasOwnProperty.call(
+      control.dataset,
+      "cleanUseSqliteDefault",
+    )
+  ) {
+    return control.dataset.cleanUseSqliteDefault === "1";
+  }
+  return false;
+}
+
+function markRowEditControlClean(control) {
+  control.dataset.cleanValue = control.value;
+  control.dataset.cleanValueKind = rowEditControlValueKind(control);
+  control.dataset.cleanUseSqliteDefault =
+    control.dataset.useSqliteDefault === "1" ? "1" : "0";
+}
+
+function cleanValueFromRowEditControl(control) {
+  return valueFromRowEditText(
+    control.name,
+    rowEditControlCleanValue(control),
+    rowEditControlCleanValueKind(control),
+  );
+}
+
+function rowEditValuesMatch(left, right) {
+  if (left === right) {
+    return true;
+  }
+  if (left && right && typeof left === "object" && typeof right === "object") {
+    return JSON.stringify(left) === JSON.stringify(right);
+  }
+  return false;
+}
+
+function rowEditControlHasChanged(control) {
+  var usingSqliteDefault = control.dataset.useSqliteDefault === "1";
+  var cleanUsesSqliteDefault = rowEditControlCleanUsesSqliteDefault(control);
+  if (usingSqliteDefault || cleanUsesSqliteDefault) {
+    return usingSqliteDefault !== cleanUsesSqliteDefault;
+  }
+  if (
+    control.value === rowEditControlCleanValue(control) &&
+    rowEditControlValueKind(control) === rowEditControlCleanValueKind(control)
+  ) {
+    return false;
+  }
+  try {
+    return !rowEditValuesMatch(
+      valueFromRowEditControl(control),
+      cleanValueFromRowEditControl(control),
+    );
+  } catch (_error) {
+    return true;
+  }
+}
+
+function collectRowFormValues(state) {
+  var values = {};
+  state.fields.querySelectorAll(".row-edit-input").forEach(function (control) {
+    if (
+      state.mode === "edit" &&
+      (control.readOnly || control.dataset.primaryKey === "1")
+    ) {
+      return;
+    }
+    if (control.dataset.useSqliteDefault === "1") {
+      return;
+    }
+    if (control.dataset.omitIfBlank === "1" && control.value === "") {
+      return;
+    }
+    if (
+      state.mode === "edit" &&
+      control.value === (control.dataset.initialValue || "") &&
+      (control.dataset.currentValueKind ||
+        control.dataset.initialValueKind ||
+        "string") === (control.dataset.initialValueKind || "string")
+    ) {
+      return;
+    }
+    var value = valueFromRowEditControl(control);
+    if (state.mode === "edit") {
+      try {
+        if (
+          rowEditValuesMatch(value, initialValueFromRowEditControl(control))
+        ) {
+          return;
+        }
+      } catch (_error) {
+        // If the original value cannot be parsed using the field's current
+        // type, treat the field as changed and submit the corrected value.
+      }
+    }
+    values[control.name] = value;
+  });
+  return values;
+}
+
+function rowEditDialogHasChanges(state) {
+  if (!state || !state.hasLoaded || state.isLoading) {
+    return false;
+  }
+  var fields = state.fields.querySelectorAll(".row-edit-field");
+  for (var i = 0; i < fields.length; i += 1) {
+    var fieldApi = fields[i]._datasetteColumnFormField;
+    if (fieldApi && fieldApi.hasChanged && fieldApi.hasChanged()) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function confirmDiscardRowEditChanges(state) {
+  if (!rowEditDialogHasChanges(state)) {
+    return true;
+  }
+  var message =
+    state.mode === "insert"
+      ? "Discard this new row?"
+      : "Discard unsaved changes to this row?";
+  return window.confirm(message);
+}
+
+function closeRowEditDialogIfConfirmed(state) {
+  if (!state || state.isSaving) {
+    return false;
+  }
+  if (!confirmDiscardRowEditChanges(state)) {
+    return false;
+  }
+  state.shouldRestoreFocus = true;
+  state.dialog.close();
+  return true;
+}
+
+function scheduleCloseRowEditDialogIfConfirmed(state) {
+  // Fix for an issue in Safari where hitting Esc would show
+  // the confirm() prompt asking if state should be discarded
+  // but the Esc key press would then cancel that dialog too.
+  // Wait for keyup, then move the confirm() to a fresh timer tick.
+  if (!state || state.isSaving || state.isClosePending) {
+    return false;
+  }
+  if (!rowEditDialogHasChanges(state)) {
+    state.shouldRestoreFocus = true;
+    state.dialog.close();
+    return true;
+  }
+  state.isClosePending = true;
+  var closeAfterKeyup = function () {
+    if (!state.isClosePending) {
+      return;
+    }
+    state.isClosePending = false;
+    closeRowEditDialogIfConfirmed(state);
+  };
+  var onKeyup = function (ev) {
+    if (ev.key !== "Escape") {
+      return;
+    }
+    document.removeEventListener("keyup", onKeyup, true);
+    setTimeout(closeAfterKeyup, 0);
+  };
+  document.addEventListener("keyup", onKeyup, true);
+  return true;
+}
+
+function findDataRowElement(root, rowId) {
+  var elements = root.querySelectorAll("[data-row]");
+  for (var i = 0; i < elements.length; i += 1) {
+    if (elements[i].getAttribute("data-row") === rowId) {
+      return elements[i];
+    }
+  }
+  return null;
+}
+
+async function fetchUpdatedRowElement(state) {
+  if (!state.currentFragmentUrl || !state.currentRowId) {
+    return null;
+  }
+  var response = await fetch(state.currentFragmentUrl, {
+    headers: {
+      Accept: "text/html",
+    },
+  });
+  var html = await response.text();
+  if (!response.ok) {
+    throw new Error("Could not refresh row: HTTP " + response.status);
+  }
+  var doc = new DOMParser().parseFromString(html, "text/html");
+  return findDataRowElement(doc, state.currentRowId);
+}
+
+function rowPathFromRowData(row, primaryKeys) {
+  if (!row) {
+    return null;
+  }
+  var keys = primaryKeys && primaryKeys.length ? primaryKeys : ["rowid"];
+  var bits = [];
+  for (var i = 0; i < keys.length; i += 1) {
+    var key = keys[i];
+    if (typeof row[key] === "undefined") {
+      return null;
+    }
+    bits.push(tildeEncode(row[key]));
+  }
+  return bits.join(",");
+}
+
+function addInsertedRowToPage(rowElement) {
+  var importedRow = document.importNode(rowElement, true);
+  var firstRow = document.querySelector("[data-row]");
+  if (firstRow && firstRow.parentNode) {
+    firstRow.parentNode.insertBefore(importedRow, firstRow);
+  } else {
+    var tbody = document.querySelector("table.rows-and-columns tbody");
+    if (!tbody) {
+      return null;
+    }
+    tbody.appendChild(importedRow);
+  }
+  var zeroResults = document.querySelector(".zero-results");
+  if (zeroResults) {
+    zeroResults.remove();
+  }
+  return importedRow;
+}
+
+async function saveRowEditDialog(state) {
+  if (state.isLoading || state.isSaving || !state.hasLoaded) {
+    return;
+  }
+  clearRowEditDialogError(state);
+  setRowEditDialogSaving(state, true);
+
+  try {
+    var url =
+      state.mode === "insert" ? state.currentInsertUrl : state.currentUpdateUrl;
+    if (!url) {
+      throw new Error(
+        state.mode === "insert"
+          ? "Could not find the row insert URL"
+          : "Could not find the row update URL",
+      );
+    }
+    var formValues = collectRowFormValues(state);
+    if (state.mode === "edit" && !Object.keys(formValues).length) {
+      state.shouldRestoreFocus = true;
+      hideRowMutationStatus();
+      state.dialog.close();
+      return;
+    }
+    var payload =
+      state.mode === "insert"
+        ? { row: formValues, return: true }
+        : { update: formValues, return: true };
+    var response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify(payload),
+    });
+    var data = null;
+    try {
+      data = await response.json();
+    } catch (_error) {
+      data = null;
+    }
+    if (!response.ok || (data && data.ok === false)) {
+      throw rowMutationRequestError(response, data);
+    }
+
+    if (state.mode === "insert") {
+      var insertData = tableInsertData() || {};
+      var insertedRowData =
+        data && data.rows && data.rows.length ? data.rows[0] : null;
+      var insertedRowId = rowPathFromRowData(
+        insertedRowData,
+        insertData.primaryKeys || [],
+      );
+      state.shouldRestoreFocus = false;
+      if (!insertedRowId) {
+        state.dialog.close();
+        var missingIdStatus = showRowMutationStatus(
+          state.manager,
+          "Inserted row. Refresh the page to see it.",
+          false,
+        );
+        missingIdStatus.focus();
+        return;
+      }
+
+      state.currentRowId = insertedRowId;
+      state.currentFragmentUrl = rowFragmentUrlById(insertedRowId);
+      var insertedRow = null;
+      try {
+        insertedRow = await fetchUpdatedRowElement(state);
+      } catch (_error) {
+        state.dialog.close();
+        var refreshFailedStatus = showRowMutationStatus(
+          state.manager,
+          "Inserted row, but could not refresh the table row. Refresh the page to see it.",
+          true,
+        );
+        refreshFailedStatus.focus();
+        return;
+      }
+      if (insertedRow) {
+        var insertedStatusMessage = insertedRowStatusMessage(
+          tildeDecode(insertedRowId),
+          rowTitleLabel(insertedRow),
+        );
+        var addedRow = addInsertedRowToPage(insertedRow);
+        state.dialog.close();
+        showRowMutationStatus(state.manager, insertedStatusMessage, false);
+        if (addedRow) {
+          var insertedFocusTarget =
+            addedRow.querySelector('button[data-row-action="edit"]') ||
+            addedRow;
+          insertedFocusTarget.focus();
+        }
+      } else {
+        state.dialog.close();
+        var filteredStatus = showRowMutationStatus(
+          state.manager,
+          "Inserted row. It does not match the current filters.",
+          false,
+        );
+        filteredStatus.focus();
+      }
+      return;
+    }
+
+    if (isRowPage()) {
+      state.shouldRestoreFocus = false;
+      state.dialog.close();
+      location.reload();
+      return;
+    }
+
+    var updatedRow = await fetchUpdatedRowElement(state);
+    var focusTarget = null;
+    if (updatedRow && state.currentRow && document.contains(state.currentRow)) {
+      var importedRow = document.importNode(updatedRow, true);
+      state.currentRow.replaceWith(importedRow);
+      showRowMutationStatus(
+        state.manager,
+        state.currentPkPath
+          ? "Updated row " + state.currentPkPath + "."
+          : "Updated row.",
+        false,
+      );
+      focusTarget =
+        importedRow.querySelector('button[data-row-action="edit"]') ||
+        importedRow;
+    } else if (state.currentRow && document.contains(state.currentRow)) {
+      focusTarget =
+        nextRowActionFocusTarget(state.currentRow, "edit") ||
+        ensureRowMutationStatus(state.manager);
+      state.currentRow.remove();
+      showRowMutationStatus(
+        state.manager,
+        state.currentPkPath
+          ? "Updated row " +
+              state.currentPkPath +
+              ". It no longer matches the current filters."
+          : "Updated row. It no longer matches the current filters.",
+        false,
+      );
+    }
+
+    state.shouldRestoreFocus = false;
+    state.dialog.close();
+    if (focusTarget && document.contains(focusTarget)) {
+      focusTarget.focus();
+    }
+  } catch (error) {
+    setRowEditDialogSaving(state, false);
+    showRowEditDialogError(state, error.message || "Could not save row");
+  }
+}
+
+function renderRowEditFields(state, data) {
+  var row = data.rows && data.rows.length ? data.rows[0] : null;
+  var columns = data.columns || (row ? Object.keys(row) : []);
+  var primaryKeys = data.primary_keys || [];
+  var columnTypes = data.column_types || {};
+
+  destroyRowEditFields(state);
+  columns.forEach(function (column, index) {
+    state.fields.appendChild(
+      createRowEditField(
+        column,
+        row ? row[column] : null,
+        primaryKeys.indexOf(column) !== -1,
+        columnTypes[column],
+        index,
+        {
+          autocompleteUrl: foreignKeyAutocompleteUrl(column),
+          dialog: state.dialog,
+          form: state.form,
+          manager: state.manager,
+          mode: state.mode,
+          primaryKeyReadonly: true,
+        },
+      ),
+    );
+  });
+
+  state.hasLoaded = true;
+  updateRowEditDialogButtons(state);
+  if (!focusFirstRowEditControl(state, { skipReadonly: true })) {
+    focusFirstRowEditControl(state) || state.cancelButton.focus();
+  }
+}
+
+function renderRowInsertFields(state, data) {
+  var columns = data.columns || [];
+
+  destroyRowEditFields(state);
+  columns.forEach(function (column, index) {
+    state.fields.appendChild(
+      createRowEditField(
+        column.name,
+        "",
+        !!column.is_pk,
+        column.column_type,
+        index,
+        {
+          autocompleteUrl: foreignKeyAutocompleteUrl(column.name),
+          dialog: state.dialog,
+          form: state.form,
+          defaultExpression: column.default,
+          manager: state.manager,
+          mode: state.mode,
+          notnull: column.notnull,
+          primaryKeyReadonly: false,
+          sqliteType: column.sqlite_type,
+          useSqliteDefault: column.default !== null,
+          valueKind: column.value_kind,
+        },
+      ),
+    );
+  });
+
+  if (!columns.length) {
+    var emptyMessage = document.createElement("p");
+    emptyMessage.className = "row-edit-empty";
+    emptyMessage.textContent = "This row will use the table defaults.";
+    state.fields.appendChild(emptyMessage);
+  }
+
+  state.hasLoaded = true;
+  updateRowEditDialogButtons(state);
+  var firstDefaultButton = state.fields.querySelector(
+    ".row-edit-default-set-value",
+  );
+  if (firstDefaultButton) {
+    firstDefaultButton.focus();
+  } else {
+    focusFirstRowEditControl(state, { skipReadonly: true }) ||
+      state.saveButton.focus();
+  }
+}
+
+function setRowDialogTitle(title, text, codeText, labelText) {
+  title.textContent = "";
+  var action = document.createElement("span");
+  action.className = "row-dialog-action";
+  action.textContent = text;
+  title.appendChild(action);
+  if (!codeText) {
+    return;
+  }
+  title.appendChild(document.createTextNode(" "));
+  var code = document.createElement("code");
+  code.textContent = codeText;
+  title.appendChild(code);
+  if (labelText && labelText !== codeText) {
+    title.appendChild(document.createTextNode(" "));
+    var label = document.createElement("span");
+    label.className = "row-dialog-label";
+    label.textContent = labelText;
+    title.appendChild(label);
+  }
+}
+
+function ensureRowEditDialog(manager) {
+  if (rowEditDialogState) {
+    return rowEditDialogState;
+  }
+  if (!window.HTMLDialogElement) {
+    return null;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.id = ROW_EDIT_DIALOG_ID;
+  dialog.className = "row-edit-dialog";
+  dialog.setAttribute("aria-labelledby", "row-edit-title");
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="row-edit-title">Edit row</span>
+    </div>
+    <form class="row-edit-form" method="post">
+      <p class="row-edit-summary" id="row-edit-summary" hidden></p>
+      <p class="row-edit-loading" role="status" aria-live="polite">Loading row...</p>
+      <p class="row-edit-error" role="alert" tabindex="-1" hidden></p>
+      <div class="row-edit-fields"></div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-ghost row-edit-cancel">Cancel</button>
+        <button type="submit" class="btn btn-primary row-edit-save" disabled>Save</button>
+      </div>
+    </form>
+  `;
+  document.body.appendChild(dialog);
+
+  rowEditDialogState = {
+    dialog: dialog,
+    form: dialog.querySelector(".row-edit-form"),
+    title: dialog.querySelector(".modal-title"),
+    summary: dialog.querySelector(".row-edit-summary"),
+    loading: dialog.querySelector(".row-edit-loading"),
+    error: dialog.querySelector(".row-edit-error"),
+    fields: dialog.querySelector(".row-edit-fields"),
+    cancelButton: dialog.querySelector(".row-edit-cancel"),
+    saveButton: dialog.querySelector(".row-edit-save"),
+    currentButton: null,
+    currentRow: null,
+    currentRowId: null,
+    currentPkPath: null,
+    currentInsertUrl: null,
+    currentUpdateUrl: null,
+    currentFragmentUrl: null,
+    mode: "edit",
+    loadId: 0,
+    manager: manager,
+    isLoading: false,
+    isSaving: false,
+    isClosePending: false,
+    hasLoaded: false,
+    shouldRestoreFocus: true,
+  };
+
+  rowEditDialogState.form.addEventListener("submit", function (ev) {
+    ev.preventDefault();
+    saveRowEditDialog(rowEditDialogState);
+  });
+
+  rowEditDialogState.cancelButton.addEventListener("click", function () {
+    if (!rowEditDialogState.isSaving) {
+      rowEditDialogState.shouldRestoreFocus = true;
+      dialog.close();
+    }
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog) {
+      closeRowEditDialogIfConfirmed(rowEditDialogState);
+    }
+  });
+
+  dialog.addEventListener("keydown", function (ev) {
+    if (ev.key !== "Escape") {
+      return;
+    }
+    ev.preventDefault();
+    scheduleCloseRowEditDialogIfConfirmed(rowEditDialogState);
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    ev.preventDefault();
+    scheduleCloseRowEditDialogIfConfirmed(rowEditDialogState);
+  });
+
+  dialog.addEventListener("close", function () {
+    var state = rowEditDialogState;
+    state.loadId += 1;
+    state.isClosePending = false;
+    clearRowEditDialogError(state);
+    state.hasLoaded = false;
+    destroyRowEditFields(state);
+    setRowEditDialogLoading(state, false);
+    setRowEditDialogSaving(state, false);
+    if (
+      state.shouldRestoreFocus &&
+      state.currentButton &&
+      document.contains(state.currentButton)
+    ) {
+      state.currentButton.focus();
+    }
+  });
+
+  return rowEditDialogState;
+}
+
+async function openRowEditDialog(button, manager) {
+  var row = rowElementForActionButton(button);
+  if (!row || !row.getAttribute("data-row")) {
+    return;
+  }
+  var state = ensureRowEditDialog(manager);
+  if (!state) {
+    return;
+  }
+
+  state.manager = manager;
+  state.mode = "edit";
+  state.currentButton = button;
+  state.currentRow = row;
+  state.currentRowId = row.getAttribute("data-row") || "";
+  state.currentPkPath = rowDisplayLabel(row);
+  state.currentInsertUrl = null;
+  state.currentUpdateUrl = rowUpdateUrl(row);
+  state.currentFragmentUrl = rowFragmentUrl(row);
+  if (state.currentUpdateUrl) {
+    state.form.action = new URL(
+      state.currentUpdateUrl,
+      location.href,
+    ).toString();
+  } else {
+    state.form.removeAttribute("action");
+  }
+  state.shouldRestoreFocus = true;
+  state.hasLoaded = false;
+  state.loadId += 1;
+  var loadId = state.loadId;
+
+  clearRowEditDialogError(state);
+  setRowEditDialogLoading(state, true);
+  destroyRowEditFields(state);
+  state.dialog.removeAttribute("aria-describedby");
+  setRowDialogTitle(
+    state.title,
+    "Edit row",
+    state.currentPkPath || "this row",
+    rowTitleLabel(row),
+  );
+  state.summary.hidden = true;
+  state.summary.textContent = "";
+
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  state.cancelButton.focus();
+
+  try {
+    var response = await fetch(rowJsonUrl(row), {
+      headers: {
+        Accept: "application/json",
+      },
+    });
+    var data = await response.json();
+    if (loadId !== state.loadId) {
+      return;
+    }
+    if (!response.ok || data.ok === false) {
+      throw rowMutationRequestError(response, data);
+    }
+    setRowEditDialogLoading(state, false);
+    renderRowEditFields(state, data);
+  } catch (error) {
+    if (loadId !== state.loadId) {
+      return;
+    }
+    setRowEditDialogLoading(state, false);
+    showRowEditDialogError(state, error.message || "Could not load row");
+    state.cancelButton.focus();
+  }
+}
+
+function openRowInsertDialog(button, manager) {
+  var insertData = tableInsertData();
+  if (!insertData) {
+    return;
+  }
+  var state = ensureRowEditDialog(manager);
+  if (!state) {
+    return;
+  }
+
+  state.manager = manager;
+  state.mode = "insert";
+  state.currentButton = button;
+  state.currentRow = null;
+  state.currentRowId = null;
+  state.currentPkPath = null;
+  state.currentInsertUrl = tableInsertUrl();
+  state.currentUpdateUrl = null;
+  state.currentFragmentUrl = null;
+  state.shouldRestoreFocus = true;
+  state.hasLoaded = false;
+  state.loadId += 1;
+
+  if (state.currentInsertUrl) {
+    state.form.action = new URL(
+      state.currentInsertUrl,
+      location.href,
+    ).toString();
+  } else {
+    state.form.removeAttribute("action");
+  }
+
+  clearRowEditDialogError(state);
+  setRowEditDialogLoading(state, false);
+  destroyRowEditFields(state);
+  state.dialog.removeAttribute("aria-describedby");
+  setRowDialogTitle(
+    state.title,
+    insertData.tableName
+      ? "Insert row into " + insertData.tableName
+      : "Insert row",
+  );
+  state.summary.hidden = true;
+  state.summary.textContent = "";
+
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  renderRowInsertFields(state, insertData);
+}
+
+function initRowEditActions(manager) {
+  if (!window.fetch || !window.HTMLDialogElement) {
+    return;
+  }
+  document.addEventListener("click", function (ev) {
+    var button = ev.target.closest('button[data-row-action="edit"]');
+    if (!button) {
+      return;
+    }
+    ev.preventDefault();
+    openRowEditDialog(button, manager);
+  });
+}
+
+function initRowInsertActions(manager) {
+  if (!window.fetch || !window.HTMLDialogElement || !tableInsertData()) {
+    return;
+  }
+  document.addEventListener("click", function (ev) {
+    var button = ev.target.closest('button[data-table-action="insert-row"]');
+    if (!button) {
+      return;
+    }
+    ev.preventDefault();
+    openRowInsertDialog(button, manager);
+  });
+}
+
+document.addEventListener("datasette_init", function (evt) {
+  const { detail: manager } = evt;
+
+  registerBuiltinColumnFieldPlugins(manager);
+  initTableCreateActions(manager);
+  initTableAlterActions(manager);
+  initRowInsertActions(manager);
+  initRowEditActions(manager);
+  initRowDeleteActions(manager);
+});
diff --git a/datasette/static/mobile-column-actions.js b/datasette/static/mobile-column-actions.js
new file mode 100644
index 00000000..a386b1fc
--- /dev/null
+++ b/datasette/static/mobile-column-actions.js
@@ -0,0 +1,318 @@
+var MOBILE_COLUMN_BREAKPOINT = 576;
+var MOBILE_COLUMN_DIALOG_ID = "mobile-column-actions-dialog";
+var MOBILE_COLUMN_DIALOG_TITLE_ID = "mobile-column-actions-title";
+
+function mobileColumnHeaders(manager) {
+  return Array.from(
+    document.querySelectorAll(manager.selectors.tableHeaders),
+  ).filter((th) => th.dataset.column && th.dataset.isLinkColumn !== "1");
+}
+
+function mobileColumnMetaText(th) {
+  var parts = [];
+  if (th.dataset.columnType) {
+    parts.push(th.dataset.columnType);
+  }
+  if (th.dataset.isPk === "1") {
+    parts.push("pk");
+  }
+  if (th.dataset.columnNotNull === "1") {
+    parts.push("not null");
+  }
+  return parts.join(", ");
+}
+
+function createMobileColumnActionNode(itemConfig, closeDialog) {
+  var actionNode;
+  if (itemConfig.href) {
+    actionNode = document.createElement("a");
+    actionNode.href = itemConfig.href;
+  } else {
+    actionNode = document.createElement("button");
+    actionNode.type = "button";
+  }
+  actionNode.textContent = itemConfig.label;
+
+  if (itemConfig.onClick) {
+    actionNode.addEventListener("click", function (ev) {
+      try {
+        itemConfig.onClick.call(actionNode, ev);
+      } finally {
+        closeDialog({ restoreFocus: false });
+      }
+    });
+  }
+
+  return actionNode;
+}
+
+function initMobileColumnActions(manager) {
+  var triggerButton = document.querySelector(".column-actions-mobile");
+  if (!triggerButton) {
+    return;
+  }
+
+  if (
+    !window.URLSearchParams ||
+    !window.HTMLDialogElement ||
+    !manager.columnActions
+  ) {
+    triggerButton.style.display = "none";
+    return;
+  }
+
+  if (!mobileColumnHeaders(manager).length) {
+    triggerButton.style.display = "none";
+    return;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.className = "mobile-column-actions-dialog";
+  dialog.id = MOBILE_COLUMN_DIALOG_ID;
+  dialog.setAttribute("aria-labelledby", MOBILE_COLUMN_DIALOG_TITLE_ID);
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="${MOBILE_COLUMN_DIALOG_TITLE_ID}">Column actions</span>
+      <span class="modal-meta"></span>
+    </div>
+    <div class="list-wrap mobile-column-list"></div>
+    <div class="modal-footer">
+      <span class="footer-info">Tap a column to reveal actions.</span>
+      <button type="button" class="btn btn-ghost mobile-column-actions-done">Done</button>
+    </div>
+  `;
+  document.body.appendChild(dialog);
+
+  triggerButton.setAttribute("aria-haspopup", "dialog");
+  triggerButton.setAttribute("aria-controls", MOBILE_COLUMN_DIALOG_ID);
+  triggerButton.setAttribute("aria-expanded", "false");
+
+  var countEl = dialog.querySelector(".modal-meta");
+  var listWrap = dialog.querySelector(".mobile-column-list");
+  var doneButton = dialog.querySelector(".mobile-column-actions-done");
+  var expandedSectionId = null;
+  var shouldRestoreFocus = true;
+
+  function updateExpandedSection() {
+    Array.from(dialog.querySelectorAll(".col-header")).forEach((button) => {
+      var controlsId = button.getAttribute("aria-controls");
+      var actionList = dialog.querySelector("#" + controlsId);
+      var isExpanded = controlsId === expandedSectionId;
+      button.setAttribute("aria-expanded", isExpanded ? "true" : "false");
+      actionList.hidden = !isExpanded;
+      actionList.classList.toggle("expanded", isExpanded);
+    });
+  }
+
+  function scrollExpandedSectionIntoView(section) {
+    var sectionTop = section.offsetTop;
+    var sectionBottom = sectionTop + section.offsetHeight;
+    var visibleTop = listWrap.scrollTop;
+    var visibleBottom = visibleTop + listWrap.clientHeight;
+    var sectionHeight = section.offsetHeight;
+
+    if (sectionTop < visibleTop) {
+      listWrap.scrollTop = sectionTop;
+      return;
+    }
+
+    if (sectionBottom <= visibleBottom) {
+      return;
+    }
+
+    if (sectionHeight <= listWrap.clientHeight) {
+      listWrap.scrollTop = sectionBottom - listWrap.clientHeight;
+    } else {
+      listWrap.scrollTop = sectionTop;
+    }
+  }
+
+  function closeDialog(options) {
+    options = options || {};
+    shouldRestoreFocus = options.restoreFocus !== false;
+    if (dialog.open) {
+      dialog.close();
+    } else {
+      triggerButton.setAttribute("aria-expanded", "false");
+      if (shouldRestoreFocus) {
+        triggerButton.focus();
+      }
+    }
+  }
+
+  function renderDialog() {
+    var headers = mobileColumnHeaders(manager);
+    if (!headers.length) {
+      closeDialog({ restoreFocus: false });
+      triggerButton.style.display = "none";
+      return false;
+    }
+
+    if (
+      !headers.some(
+        (_th, index) => `mobile-column-actions-${index}` === expandedSectionId,
+      )
+    ) {
+      expandedSectionId = null;
+    }
+
+    countEl.textContent = `${headers.length} column${
+      headers.length === 1 ? "" : "s"
+    }`;
+    listWrap.innerHTML = "";
+
+    if (manager.columnActions.shouldShowShowAllColumns()) {
+      var topActions = document.createElement("div");
+      topActions.className = "mobile-column-top-actions";
+
+      var showAllColumns = document.createElement("a");
+      showAllColumns.className = "btn btn-ghost mobile-column-top-action";
+      showAllColumns.href = manager.columnActions.showAllColumnsUrl();
+      showAllColumns.textContent = "Show all columns";
+
+      topActions.appendChild(showAllColumns);
+      listWrap.appendChild(topActions);
+    }
+
+    headers.forEach((th, index) => {
+      var sectionId = `mobile-column-actions-${index}`;
+      var actionState = manager.columnActions.buildColumnActionState(th, {
+        includeChooseColumns: false,
+        includeShowAllColumns: false,
+      });
+      var section = document.createElement("section");
+      section.className = "mobile-column-section";
+
+      var headerButton = document.createElement("button");
+      headerButton.type = "button";
+      headerButton.className = "col-header";
+      headerButton.setAttribute("aria-controls", sectionId);
+      headerButton.setAttribute("aria-expanded", "false");
+
+      var headerText = document.createElement("span");
+      headerText.className = "mobile-column-header-text";
+
+      var name = document.createElement("span");
+      name.className = "mobile-column-name";
+      name.textContent = th.dataset.column;
+      headerText.appendChild(name);
+
+      var metaText = mobileColumnMetaText(th);
+      if (metaText) {
+        var meta = document.createElement("span");
+        meta.className = "mobile-column-meta";
+        meta.textContent = metaText;
+        headerText.appendChild(meta);
+      }
+
+      var chevron = document.createElement("span");
+      chevron.className = "mobile-column-chevron";
+      chevron.setAttribute("aria-hidden", "true");
+      chevron.textContent = "▾";
+
+      headerButton.appendChild(headerText);
+      headerButton.appendChild(chevron);
+      headerButton.addEventListener("click", function () {
+        expandedSectionId = expandedSectionId === sectionId ? null : sectionId;
+        updateExpandedSection();
+        if (expandedSectionId === sectionId) {
+          scrollExpandedSectionIntoView(section);
+        }
+      });
+
+      var actionContainer = document.createElement("div");
+      actionContainer.id = sectionId;
+      actionContainer.className = "col-actions";
+      actionContainer.hidden = true;
+
+      if (actionState.columnDescription) {
+        var description = document.createElement("p");
+        description.className = "mobile-column-description";
+        description.textContent = actionState.columnDescription;
+        actionContainer.appendChild(description);
+      }
+
+      if (actionState.actionItems.length) {
+        var actionList = document.createElement("ul");
+        actionState.actionItems.forEach((itemConfig) => {
+          var actionItem = document.createElement("li");
+          actionItem.appendChild(
+            createMobileColumnActionNode(itemConfig, closeDialog),
+          );
+          actionList.appendChild(actionItem);
+        });
+        actionContainer.appendChild(actionList);
+      } else {
+        var noActions = document.createElement("p");
+        noActions.className = "mobile-column-no-actions";
+        noActions.textContent = "No actions available";
+        actionContainer.appendChild(noActions);
+      }
+
+      section.appendChild(headerButton);
+      section.appendChild(actionContainer);
+      listWrap.appendChild(section);
+    });
+
+    updateExpandedSection();
+    return true;
+  }
+
+  function openDialog() {
+    if (window.innerWidth > MOBILE_COLUMN_BREAKPOINT) {
+      return;
+    }
+    if (!renderDialog()) {
+      return;
+    }
+    if (!dialog.open) {
+      dialog.showModal();
+    }
+    triggerButton.setAttribute("aria-expanded", "true");
+    var focusTarget =
+      dialog.querySelector(".mobile-column-top-action") ||
+      dialog.querySelector(".col-header") ||
+      doneButton;
+    focusTarget.focus();
+  }
+
+  triggerButton.addEventListener("click", function () {
+    if (dialog.open) {
+      closeDialog();
+    } else {
+      openDialog();
+    }
+  });
+
+  doneButton.addEventListener("click", function () {
+    closeDialog();
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog) {
+      closeDialog();
+    }
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    ev.preventDefault();
+    closeDialog();
+  });
+
+  dialog.addEventListener("close", function () {
+    triggerButton.setAttribute("aria-expanded", "false");
+    if (shouldRestoreFocus) {
+      triggerButton.focus();
+    }
+  });
+
+  window.addEventListener("resize", function () {
+    if (window.innerWidth > MOBILE_COLUMN_BREAKPOINT && dialog.open) {
+      closeDialog({ restoreFocus: false });
+    }
+  });
+}
+
+document.addEventListener("datasette_init", function (evt) {
+  initMobileColumnActions(evt.detail);
+});
diff --git a/datasette/static/navigation-search.js b/datasette/static/navigation-search.js
index 48de5c4f..ec2d23d8 100644
--- a/datasette/static/navigation-search.js
+++ b/datasette/static/navigation-search.js
@@ -1,10 +1,22 @@
+let navigationSearchInstanceCounter = 0;
+
 class NavigationSearch extends HTMLElement {
   constructor() {
     super();
+    this.instanceId = ++navigationSearchInstanceCounter;
+    this.inputId = `navigation-search-input-${this.instanceId}`;
+    this.instructionsId = `navigation-search-instructions-${this.instanceId}`;
+    this.listboxId = `navigation-search-results-${this.instanceId}`;
+    this.recentHeadingId = `navigation-search-recent-${this.instanceId}`;
+    this.statusId = `navigation-search-status-${this.instanceId}`;
+    this.titleId = `navigation-search-title-${this.instanceId}`;
     this.attachShadow({ mode: "open" });
     this.selectedIndex = -1;
     this.matches = [];
+    this.renderedMatches = [];
     this.debounceTimer = null;
+    this.restoreFocusTarget = null;
+    this.shouldRestoreFocus = true;
 
     this.render();
     this.setupEventListeners();
@@ -19,19 +31,20 @@ class NavigationSearch extends HTMLElement {
 
                 dialog {
                     border: none;
-                    border-radius: 0.75rem;
+                    border-radius: var(--modal-border-radius, 0.75rem);
                     padding: 0;
                     max-width: 90vw;
                     width: 600px;
                     max-height: 80vh;
-                    box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
-                    animation: slideIn 0.2s ease-out;
+                    box-shadow: var(--modal-shadow, 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04));
+                    animation: slideIn var(--modal-animation-duration, 0.2s) ease-out;
                 }
 
                 dialog::backdrop {
-                    background: rgba(0, 0, 0, 0.5);
-                    backdrop-filter: blur(4px);
-                    animation: fadeIn 0.2s ease-out;
+                    background: var(--modal-backdrop-bg, rgba(0, 0, 0, 0.5));
+                    backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+                    -webkit-backdrop-filter: var(--modal-backdrop-blur, blur(4px));
+                    animation: fadeIn var(--modal-animation-duration, 0.2s) ease-out;
                 }
 
                 @keyframes slideIn {
@@ -53,16 +66,20 @@ class NavigationSearch extends HTMLElement {
                 .search-container {
                     display: flex;
                     flex-direction: column;
-                    height: 100%;
                 }
 
                 .search-input-wrapper {
                     padding: 1.25rem;
                     border-bottom: 1px solid #e5e7eb;
+                    display: flex;
+                    gap: 0.5rem;
+                    align-items: center;
                 }
 
                 .search-input {
                     width: 100%;
+                    flex: 1;
+                    min-width: 0;
                     padding: 0.75rem 1rem;
                     font-size: 1rem;
                     border: 2px solid #e5e7eb;
@@ -76,12 +93,36 @@ class NavigationSearch extends HTMLElement {
                     border-color: #2563eb;
                 }
 
+                .close-search {
+                    background: transparent;
+                    border: 1px solid transparent;
+                    border-radius: 0.375rem;
+                    color: #4b5563;
+                    cursor: pointer;
+                    flex: 0 0 auto;
+                    font: inherit;
+                    font-size: 1.5rem;
+                    height: 2.75rem;
+                    line-height: 1;
+                    width: 2.75rem;
+                }
+
+                .close-search:hover,
+                .close-search:focus {
+                    background-color: #f3f4f6;
+                    border-color: #d1d5db;
+                }
+
                 .results-container {
                     overflow-y: auto;
                     height: calc(80vh - 180px);
                     padding: 0.5rem;
                 }
 
+                .results-list:empty {
+                    display: none;
+                }
+
                 .result-item {
                     padding: 0.875rem 1rem;
                     cursor: pointer;
@@ -100,16 +141,81 @@ class NavigationSearch extends HTMLElement {
                     background-color: #dbeafe;
                 }
 
+                .result-item > div {
+                    flex: 1;
+                    min-width: 0;
+                }
+
+                .jump-start-content {
+                    border-bottom: 1px solid #e5e7eb;
+                    margin-bottom: 0.5rem;
+                    padding: 0.5rem 0.5rem 1rem;
+                }
+
+                .jump-start-content:empty {
+                    display: none;
+                }
+
                 .result-name {
                     font-weight: 500;
                     color: #111827;
                 }
 
+                .result-label {
+                    font-size: 0.875rem;
+                    color: #4b5563;
+                }
+
+                .result-type {
+                    color: #4b5563;
+                    font-size: 0.75rem;
+                    font-weight: 600;
+                    text-transform: uppercase;
+                }
+
                 .result-url {
                     font-size: 0.875rem;
                     color: #6b7280;
                 }
 
+                .result-description {
+                    color: #374151;
+                    display: -webkit-box;
+                    font-size: 0.8125rem;
+                    line-height: 1.35;
+                    margin-top: 0.35rem;
+                    overflow: hidden;
+                    -webkit-box-orient: vertical;
+                    -webkit-line-clamp: 2;
+                }
+
+                .results-heading {
+                    color: #4b5563;
+                    font-size: 0.75rem;
+                    font-weight: 600;
+                    letter-spacing: 0;
+                    padding: 0.5rem 1rem 0.25rem;
+                    text-transform: uppercase;
+                }
+
+                .recent-actions {
+                    padding: 0.25rem 1rem 0.75rem;
+                }
+
+                .clear-recent {
+                    background: transparent;
+                    border: 0;
+                    color: #2563eb;
+                    cursor: pointer;
+                    font: inherit;
+                    font-size: 0.875rem;
+                    padding: 0;
+                }
+
+                .clear-recent:hover {
+                    text-decoration: underline;
+                }
+
                 .no-results {
                     padding: 2rem;
                     text-align: center;
@@ -135,6 +241,18 @@ class NavigationSearch extends HTMLElement {
                     font-family: monospace;
                 }
 
+                .visually-hidden {
+                    border: 0;
+                    clip: rect(0 0 0 0);
+                    height: 1px;
+                    margin: -1px;
+                    overflow: hidden;
+                    padding: 0;
+                    position: absolute;
+                    white-space: nowrap;
+                    width: 1px;
+                }
+
                 /* Mobile optimizations */
                 @media (max-width: 640px) {
                     dialog {
@@ -162,19 +280,29 @@ class NavigationSearch extends HTMLElement {
                 }
             </style>
 
-            <dialog>
+            <dialog aria-modal="true" aria-labelledby="${this.titleId}">
                 <div class="search-container">
+                    <h2 id="${this.titleId}" class="visually-hidden">Jump to</h2>
+                    <p id="${this.instructionsId}" class="visually-hidden">Type to search. Use up and down arrow keys to move through results, Enter to select a result, and Escape to close this menu.</p>
+                    <div id="${this.statusId}" class="visually-hidden" aria-live="polite" aria-atomic="true"></div>
                     <div class="search-input-wrapper">
                         <input 
+                            id="${this.inputId}"
                             type="text" 
                             class="search-input" 
-                            placeholder="Search..."
-                            aria-label="Search navigation"
+                            placeholder="Jump to..."
+                            aria-label="Jump to"
+                            aria-describedby="${this.instructionsId}"
+                            role="combobox"
+                            aria-autocomplete="list"
+                            aria-controls="${this.listboxId}"
+                            aria-expanded="false"
                             autocomplete="off"
                             spellcheck="false"
                         >
+                        <button type="button" class="close-search" aria-label="Close jump menu">&times;</button>
                     </div>
-                    <div class="results-container" role="listbox"></div>
+                    <div class="results-container"></div>
                     <div class="hint-text">
                         <span><kbd>↑</kbd> <kbd>↓</kbd> Navigate</span>
                         <span><kbd>Enter</kbd> Select</span>
@@ -188,6 +316,7 @@ class NavigationSearch extends HTMLElement {
   setupEventListeners() {
     const dialog = this.shadowRoot.querySelector("dialog");
     const input = this.shadowRoot.querySelector(".search-input");
+    const closeButton = this.shadowRoot.querySelector(".close-search");
     const resultsContainer =
       this.shadowRoot.querySelector(".results-container");
 
@@ -199,6 +328,17 @@ class NavigationSearch extends HTMLElement {
       }
     });
 
+    document.addEventListener("click", (e) => {
+      const trigger = e.target.closest("[data-navigation-search-open]");
+      if (trigger) {
+        e.preventDefault();
+        const details = trigger.closest("details");
+        const restoreTarget = details?.querySelector("summary") || trigger;
+        details?.removeAttribute("open");
+        this.openMenu(restoreTarget);
+      }
+    });
+
     // Input event
     input.addEventListener("input", (e) => {
       this.handleSearch(e.target.value);
@@ -220,8 +360,19 @@ class NavigationSearch extends HTMLElement {
       }
     });
 
+    closeButton.addEventListener("click", () => {
+      this.closeMenu();
+    });
+
     // Click on result item
     resultsContainer.addEventListener("click", (e) => {
+      const clearRecent = e.target.closest("[data-clear-recent-items]");
+      if (clearRecent) {
+        e.preventDefault();
+        this.clearRecentItems();
+        return;
+      }
+
       const item = e.target.closest(".result-item");
       if (item) {
         const index = parseInt(item.dataset.index);
@@ -236,6 +387,15 @@ class NavigationSearch extends HTMLElement {
       }
     });
 
+    dialog.addEventListener("cancel", (e) => {
+      e.preventDefault();
+      this.closeMenu();
+    });
+
+    dialog.addEventListener("close", () => {
+      this.onMenuClosed();
+    });
+
     // Initial load
     this.loadInitialData();
   }
@@ -250,6 +410,106 @@ class NavigationSearch extends HTMLElement {
     );
   }
 
+  setElementAttribute(element, name, value) {
+    if (!element) {
+      return;
+    }
+    if (typeof element.setAttribute === "function") {
+      element.setAttribute(name, value);
+    } else {
+      element[name] = String(value);
+    }
+  }
+
+  removeElementAttribute(element, name) {
+    if (!element) {
+      return;
+    }
+    if (typeof element.removeAttribute === "function") {
+      element.removeAttribute(name);
+    } else {
+      delete element[name];
+    }
+  }
+
+  focusRestoreTarget(trigger) {
+    if (trigger && typeof trigger.focus === "function") {
+      return trigger;
+    }
+    if (
+      document.activeElement &&
+      typeof document.activeElement.focus === "function"
+    ) {
+      return document.activeElement;
+    }
+    return null;
+  }
+
+  setNavigationTriggersExpanded(expanded) {
+    if (typeof document.querySelectorAll !== "function") {
+      return;
+    }
+    document
+      .querySelectorAll("[data-navigation-search-open]")
+      .forEach((trigger) => {
+        this.setElementAttribute(
+          trigger,
+          "aria-expanded",
+          expanded ? "true" : "false",
+        );
+      });
+  }
+
+  resultOptionId(index) {
+    return `${this.listboxId}-option-${index}`;
+  }
+
+  updateComboboxState() {
+    const dialog = this.shadowRoot.querySelector("dialog");
+    const input = this.shadowRoot.querySelector(".search-input");
+    const matches = this.renderedMatches || [];
+    this.setElementAttribute(
+      input,
+      "aria-expanded",
+      dialog && dialog.open && matches.length > 0 ? "true" : "false",
+    );
+
+    if (
+      dialog &&
+      dialog.open &&
+      this.selectedIndex >= 0 &&
+      this.selectedIndex < matches.length
+    ) {
+      this.setElementAttribute(
+        input,
+        "aria-activedescendant",
+        this.resultOptionId(this.selectedIndex),
+      );
+    } else {
+      this.removeElementAttribute(input, "aria-activedescendant");
+    }
+  }
+
+  setStatus(message) {
+    const status = this.shadowRoot.querySelector(`#${this.statusId}`);
+    if (status) {
+      status.textContent = message || "";
+    }
+  }
+
+  resultsStatus(count, truncated) {
+    if (truncated) {
+      return "More than 100 results. Keep typing to narrow the list.";
+    }
+    if (count === 0) {
+      return "No results found.";
+    }
+    if (count === 1) {
+      return "1 result.";
+    }
+    return `${count} results.`;
+  }
+
   loadInitialData() {
     const itemsAttr = this.getAttribute("items");
     if (itemsAttr) {
@@ -266,6 +526,11 @@ class NavigationSearch extends HTMLElement {
 
   handleSearch(query) {
     clearTimeout(this.debounceTimer);
+    if (query.trim()) {
+      this.setStatus("Searching...");
+    } else {
+      this.setStatus("");
+    }
 
     this.debounceTimer = setTimeout(() => {
       const url = this.getAttribute("url");
@@ -288,65 +553,262 @@ class NavigationSearch extends HTMLElement {
       this.matches = data.matches || [];
       this.selectedIndex = this.matches.length > 0 ? 0 : -1;
       this.renderResults();
+      if (query.trim()) {
+        this.setStatus(this.resultsStatus(this.matches.length, data.truncated));
+      } else {
+        this.setStatus("");
+      }
     } catch (e) {
       console.error("Failed to fetch search results:", e);
       this.matches = [];
       this.renderResults();
+      this.setStatus("Search failed.");
     }
   }
 
   filterLocalItems(query) {
     if (!query.trim()) {
-      this.matches = [];
+      this.matches = this.allItems || [];
     } else {
       const lowerQuery = query.toLowerCase();
       this.matches = (this.allItems || []).filter(
         (item) =>
           item.name.toLowerCase().includes(lowerQuery) ||
+          (item.display_name || "").toLowerCase().includes(lowerQuery) ||
           item.url.toLowerCase().includes(lowerQuery),
       );
     }
     this.selectedIndex = this.matches.length > 0 ? 0 : -1;
     this.renderResults();
+    if (query.trim()) {
+      this.setStatus(this.resultsStatus(this.matches.length, false));
+    } else {
+      this.setStatus("");
+    }
   }
 
-  renderResults() {
-    const container = this.shadowRoot.querySelector(".results-container");
-    const input = this.shadowRoot.querySelector(".search-input");
+  recentItemsStorageKey() {
+    return "datasette.navigationSearch.recentItems";
+  }
 
-    if (this.matches.length === 0) {
-      const message = input.value.trim()
-        ? "No results found"
-        : "Start typing to search...";
-      container.innerHTML = `<div class="no-results">${message}</div>`;
+  loadRecentItems() {
+    if (typeof localStorage === "undefined") {
+      return [];
+    }
+
+    try {
+      const raw = localStorage.getItem(this.recentItemsStorageKey());
+      if (!raw) {
+        return [];
+      }
+      const parsed = JSON.parse(raw);
+      if (!Array.isArray(parsed)) {
+        return [];
+      }
+      return parsed
+        .filter((item) => item && item.name && item.url)
+        .map((item) => ({
+          name: String(item.name),
+          display_name: item.display_name ? String(item.display_name) : "",
+          url: String(item.url),
+          type: item.type ? String(item.type) : "",
+          description: item.description ? String(item.description) : "",
+        }))
+        .slice(0, 5);
+    } catch (e) {
+      return [];
+    }
+  }
+
+  saveRecentItem(match) {
+    if (
+      typeof localStorage === "undefined" ||
+      !match ||
+      !match.name ||
+      !match.url
+    ) {
       return;
     }
 
-    container.innerHTML = this.matches
-      .map(
-        (match, index) => `
-            <div 
-                class="result-item ${
-                  index === this.selectedIndex ? "selected" : ""
-                }" 
+    try {
+      const item = {
+        name: String(match.name),
+        display_name: match.display_name ? String(match.display_name) : "",
+        url: String(match.url),
+        type: match.type ? String(match.type) : "",
+        description: match.description ? String(match.description) : "",
+      };
+      const recentItems = this.loadRecentItems().filter(
+        (recentItem) => recentItem.url !== item.url,
+      );
+      localStorage.setItem(
+        this.recentItemsStorageKey(),
+        JSON.stringify([item, ...recentItems].slice(0, 5)),
+      );
+    } catch (e) {
+      // localStorage may be unavailable, full, or disabled.
+    }
+  }
+
+  clearRecentItems() {
+    if (typeof localStorage === "undefined") {
+      return;
+    }
+
+    try {
+      localStorage.removeItem(this.recentItemsStorageKey());
+    } catch (e) {
+      localStorage.setItem(this.recentItemsStorageKey(), "[]");
+    }
+    this.renderResults();
+    this.setStatus("Recent items cleared.");
+  }
+
+  jumpSections() {
+    const manager = window.__DATASETTE__;
+    if (!manager || typeof manager.makeJumpSections !== "function") {
+      return [];
+    }
+    const sections = manager.makeJumpSections({
+      navigationSearch: this,
+    });
+    return Array.isArray(sections)
+      ? sections.filter(
+          (section) => section && typeof section.render === "function",
+        )
+      : [];
+  }
+
+  jumpSectionsHtml(jumpSections) {
+    return jumpSections
+      .map((section, index) => {
+        const id = section.id
+          ? ` data-jump-section-id="${this.escapeHtml(section.id)}"`
+          : "";
+        return `<div class="jump-start-content" data-jump-section-index="${index}"${id}></div>`;
+      })
+      .join("");
+  }
+
+  renderJumpSections(container, jumpSections) {
+    jumpSections.forEach((section, index) => {
+      const node = container.querySelector(
+        `[data-jump-section-index="${index}"]`,
+      );
+      if (!node) {
+        return;
+      }
+      section.render(node, {
+        navigationSearch: this,
+        container,
+        input: this.shadowRoot.querySelector(".search-input"),
+      });
+    });
+  }
+
+  resultItemHtml(match, index) {
+    const displayName = match.display_name || match.name;
+    const label =
+      match.display_name && match.display_name !== match.name
+        ? `<div class="result-label">${this.escapeHtml(match.name)}</div>`
+        : "";
+    const type = match.type
+      ? `<div class="result-type">${this.escapeHtml(match.type)}</div>`
+      : "";
+    const description = match.description
+      ? `<div class="result-description">${this.escapeHtml(
+          match.description,
+        )}</div>`
+      : "";
+    return `
+            <div
+                id="${this.resultOptionId(index)}"
+                class="result-item ${index === this.selectedIndex ? "selected" : ""}"
                 data-index="${index}"
                 role="option"
                 aria-selected="${index === this.selectedIndex}"
             >
                 <div>
-                    <div class="result-name">${this.escapeHtml(
-                      match.name,
-                    )}</div>
+                    ${type}
+                    <div class="result-name">${this.escapeHtml(displayName)}</div>
+                    ${label}
                     <div class="result-url">${this.escapeHtml(match.url)}</div>
+                    ${description}
                 </div>
             </div>
-        `,
+        `;
+  }
+
+  renderResults() {
+    const container = this.shadowRoot.querySelector(".results-container");
+    const input = this.shadowRoot.querySelector(".search-input");
+    const showStartContent = !input.value.trim();
+    const jumpSections = showStartContent ? this.jumpSections() : [];
+    const startBlock = showStartContent
+      ? this.jumpSectionsHtml(jumpSections)
+      : "";
+    const recentItems = showStartContent ? this.loadRecentItems() : [];
+    const defaultMatches = showStartContent ? [] : this.matches;
+    const renderedMatches = [...recentItems, ...defaultMatches];
+    this.renderedMatches = renderedMatches;
+    const emptyListbox = `<div id="${this.listboxId}" class="results-list" role="listbox" aria-label="Jump results"></div>`;
+
+    if (renderedMatches.length) {
+      if (
+        this.selectedIndex < 0 ||
+        this.selectedIndex >= renderedMatches.length
+      ) {
+        this.selectedIndex = 0;
+      }
+    } else {
+      this.selectedIndex = -1;
+    }
+
+    if (renderedMatches.length === 0) {
+      if (startBlock) {
+        container.innerHTML = startBlock + emptyListbox;
+        this.renderJumpSections(container, jumpSections);
+      } else if (showStartContent) {
+        container.innerHTML = emptyListbox;
+      } else {
+        const message = input.value.trim()
+          ? "No results found"
+          : "Start typing to search...";
+        container.innerHTML = `${emptyListbox}<div class="no-results">${message}</div>`;
+      }
+      this.updateComboboxState();
+      return;
+    }
+
+    const recentHeading = recentItems.length
+      ? `<div class="results-heading" id="${this.recentHeadingId}">Recent</div>`
+      : "";
+    const recentGroup = recentItems.length
+      ? `<div role="group" aria-labelledby="${this.recentHeadingId}">${recentItems
+          .map((match, index) => this.resultItemHtml(match, index))
+          .join("")}</div>`
+      : "";
+    const recentActions = recentItems.length
+      ? `<div class="recent-actions"><button type="button" class="clear-recent" data-clear-recent-items>Clear recent</button></div>`
+      : "";
+    const defaultHtml = defaultMatches
+      .map((match, index) =>
+        this.resultItemHtml(match, recentItems.length + index),
       )
       .join("");
+    container.innerHTML =
+      startBlock +
+      recentHeading +
+      `<div id="${this.listboxId}" class="results-list" role="listbox" aria-label="Jump results">${recentGroup}${defaultHtml}</div>` +
+      recentActions;
+    this.renderJumpSections(container, jumpSections);
+    this.updateComboboxState();
 
     // Scroll selected item into view
     if (this.selectedIndex >= 0) {
-      const selectedItem = container.children[this.selectedIndex];
+      const selectedItem = container.querySelector(
+        `.result-item[data-index="${this.selectedIndex}"]`,
+      );
       if (selectedItem) {
         selectedItem.scrollIntoView({ block: "nearest" });
       }
@@ -354,22 +816,27 @@ class NavigationSearch extends HTMLElement {
   }
 
   moveSelection(direction) {
+    const matches = this.renderedMatches || this.matches;
     const newIndex = this.selectedIndex + direction;
-    if (newIndex >= 0 && newIndex < this.matches.length) {
+    if (newIndex >= 0 && newIndex < matches.length) {
       this.selectedIndex = newIndex;
       this.renderResults();
     }
   }
 
   selectCurrentItem() {
-    if (this.selectedIndex >= 0 && this.selectedIndex < this.matches.length) {
+    const matches = this.renderedMatches || this.matches;
+    if (this.selectedIndex >= 0 && this.selectedIndex < matches.length) {
       this.selectItem(this.selectedIndex);
     }
   }
 
   selectItem(index) {
-    const match = this.matches[index];
+    const matches = this.renderedMatches || this.matches;
+    const match = matches[index];
     if (match) {
+      this.saveRecentItem(match);
+
       // Dispatch custom event
       this.dispatchEvent(
         new CustomEvent("select", {
@@ -382,32 +849,59 @@ class NavigationSearch extends HTMLElement {
       // Navigate to URL
       window.location.href = match.url;
 
-      this.closeMenu();
+      this.closeMenu({ restoreFocus: false });
     }
   }
 
-  openMenu() {
+  openMenu(trigger) {
     const dialog = this.shadowRoot.querySelector("dialog");
     const input = this.shadowRoot.querySelector(".search-input");
 
-    dialog.showModal();
+    this.restoreFocusTarget = this.focusRestoreTarget(trigger);
+    this.shouldRestoreFocus = true;
+    if (!dialog.open) {
+      dialog.showModal();
+    }
+    this.setNavigationTriggersExpanded(true);
     input.value = "";
     input.focus();
 
-    // Reset state - start with no items shown
+    // Reset state, then populate the default jump list.
     this.matches = [];
     this.selectedIndex = -1;
     this.renderResults();
+    this.setStatus("");
   }
 
-  closeMenu() {
+  closeMenu(options = {}) {
     const dialog = this.shadowRoot.querySelector("dialog");
-    dialog.close();
+    this.shouldRestoreFocus = options.restoreFocus !== false;
+    if (dialog.open) {
+      dialog.close();
+    } else {
+      this.onMenuClosed();
+    }
+  }
+
+  onMenuClosed() {
+    const input = this.shadowRoot.querySelector(".search-input");
+    this.setElementAttribute(input, "aria-expanded", "false");
+    this.removeElementAttribute(input, "aria-activedescendant");
+    this.setNavigationTriggersExpanded(false);
+    this.setStatus("");
+    if (
+      this.shouldRestoreFocus &&
+      this.restoreFocusTarget &&
+      typeof this.restoreFocusTarget.focus === "function"
+    ) {
+      this.restoreFocusTarget.focus();
+    }
+    this.restoreFocusTarget = null;
   }
 
   escapeHtml(text) {
     const div = document.createElement("div");
-    div.textContent = text;
+    div.textContent = text == null ? "" : text;
     return div.innerHTML;
   }
 }
diff --git a/datasette/static/table.js b/datasette/static/table.js
index 0caeeb91..74a96d8e 100644
--- a/datasette/static/table.js
+++ b/datasette/static/table.js
@@ -1,13 +1,6 @@
 var DROPDOWN_HTML = `<div class="dropdown-menu">
 <div class="hook"></div>
-<ul>
-  <li><a class="dropdown-sort-asc" href="#">Sort ascending</a></li>
-  <li><a class="dropdown-sort-desc" href="#">Sort descending</a></li>
-  <li><a class="dropdown-facet" href="#">Facet by this</a></li>
-  <li><a class="dropdown-hide-column" href="#">Hide this column</a></li>
-  <li><a class="dropdown-show-all-columns" href="#">Show all columns</a></li>
-  <li><a class="dropdown-not-blank" href="#">Show not-blank rows</a></li>
-</ul>
+<ul class="dropdown-actions"></ul>
 <p class="dropdown-column-type"></p>
 <p class="dropdown-column-description"></p>
 </div>`;
@@ -17,54 +10,508 @@ var DROPDOWN_ICON_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="14" heig
   <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z"></path>
 </svg>`;
 
+var SET_COLUMN_TYPE_DIALOG_ID = "set-column-type-dialog";
+var setColumnTypeDialogState = null;
+function getParams() {
+  return new URLSearchParams(location.search);
+}
+
+function paramsToUrl(params) {
+  var s = params.toString();
+  return s ? "?" + s : location.pathname;
+}
+
+function sortDescUrl(column) {
+  var params = getParams();
+  params.set("_sort_desc", column);
+  params.delete("_sort");
+  params.delete("_next");
+  return paramsToUrl(params);
+}
+
+function sortAscUrl(column) {
+  var params = getParams();
+  params.set("_sort", column);
+  params.delete("_sort_desc");
+  params.delete("_next");
+  return paramsToUrl(params);
+}
+
+function facetUrl(column) {
+  var params = getParams();
+  params.append("_facet", column);
+  return paramsToUrl(params);
+}
+
+function hideColumnUrl(column) {
+  var params = getParams();
+  params.append("_nocol", column);
+  return paramsToUrl(params);
+}
+
+function showAllColumnsUrl() {
+  var params = getParams();
+  params.delete("_nocol");
+  params.delete("_col");
+  return paramsToUrl(params);
+}
+
+function notBlankUrl(column) {
+  var params = getParams();
+  params.set(`${column}__notblank`, "1");
+  return paramsToUrl(params);
+}
+
+function getDisplayedFacets() {
+  return Array.from(document.querySelectorAll(".facet-info")).map(
+    (el) => el.dataset.column,
+  );
+}
+
+function getColumnClassName(th) {
+  return Array.from(th.classList).find((className) =>
+    className.startsWith("col-"),
+  );
+}
+
+function getColumnCells(th) {
+  var table = th.closest("table");
+  var columnClassName = getColumnClassName(th);
+  if (!table || !columnClassName) {
+    return [];
+  }
+  return Array.from(table.querySelectorAll("td." + columnClassName));
+}
+
+function getColumnMeta(th) {
+  return {
+    columnName: th.dataset.column,
+    columnNotNull: th.dataset.columnNotNull === "1",
+    columnType: th.dataset.columnType,
+    isPk: th.dataset.isPk === "1",
+  };
+}
+
+function getColumnTypeText(th) {
+  var columnType = th.dataset.columnType;
+  if (!columnType) {
+    return null;
+  }
+  var notNull = th.dataset.columnNotNull === "1" ? " NOT NULL" : "";
+  return `Type: ${columnType.toUpperCase()}${notNull}`;
+}
+
+function getSetColumnTypeData() {
+  return window._setColumnTypeData || null;
+}
+
+function getSetColumnTypeConfig(column) {
+  var data = getSetColumnTypeData();
+  if (!data || !data.columns) {
+    return null;
+  }
+  return data.columns[column] || null;
+}
+
+function canSetColumnType() {
+  return !!(getSetColumnTypeData() && window.HTMLDialogElement && window.fetch);
+}
+
+function setColumnTypeActionLabel(column) {
+  var columnConfig = getSetColumnTypeConfig(column);
+  if (!columnConfig) {
+    return null;
+  }
+  return columnConfig.current
+    ? `Custom type: ${columnConfig.current.type}`
+    : "Set custom type";
+}
+
+function createSetColumnTypeOption(value, name, description, checked) {
+  var label = document.createElement("label");
+  label.className = "set-column-type-option";
+
+  var input = document.createElement("input");
+  input.type = "radio";
+  input.name = "set-column-type-choice";
+  input.value = value;
+  input.checked = checked;
+
+  var content = document.createElement("span");
+  content.className = "set-column-type-option-content";
+
+  var title = document.createElement("span");
+  title.className = "set-column-type-option-name";
+  title.textContent = name;
+
+  var detail = document.createElement("span");
+  detail.className = "set-column-type-option-description";
+  detail.textContent = description;
+
+  content.appendChild(title);
+  content.appendChild(detail);
+  label.appendChild(input);
+  label.appendChild(content);
+  return label;
+}
+
+function setSetColumnTypeDialogBusy(state, isBusy) {
+  state.isBusy = isBusy;
+  state.saveButton.disabled = isBusy;
+  state.cancelButton.disabled = isBusy;
+  Array.from(
+    state.optionsWrap.querySelectorAll('input[name="set-column-type-choice"]'),
+  ).forEach(function (input) {
+    input.disabled = isBusy;
+  });
+  state.saveButton.textContent = isBusy ? "Saving..." : "Save";
+}
+
+function clearSetColumnTypeDialogError(state) {
+  state.error.hidden = true;
+  state.error.textContent = "";
+}
+
+function showSetColumnTypeDialogError(state, message) {
+  state.error.hidden = false;
+  state.error.textContent = message;
+}
+
+function ensureSetColumnTypeDialog() {
+  if (setColumnTypeDialogState) {
+    return setColumnTypeDialogState;
+  }
+  if (!window.HTMLDialogElement) {
+    return null;
+  }
+
+  var dialog = document.createElement("dialog");
+  dialog.id = SET_COLUMN_TYPE_DIALOG_ID;
+  dialog.className = "set-column-type-dialog";
+  dialog.setAttribute("aria-labelledby", "set-column-type-title");
+  dialog.innerHTML = `
+    <div class="modal-header">
+      <span class="modal-title" id="set-column-type-title">Set custom type</span>
+      <span class="modal-meta"></span>
+    </div>
+    <p class="set-column-type-status"></p>
+    <p class="set-column-type-error" hidden></p>
+    <div class="set-column-type-options"></div>
+    <div class="modal-footer">
+      <span class="footer-info"></span>
+      <button type="button" class="btn btn-ghost set-column-type-cancel">Cancel</button>
+      <button type="button" class="btn btn-primary set-column-type-save">Save</button>
+    </div>
+  `;
+  document.body.appendChild(dialog);
+
+  setColumnTypeDialogState = {
+    dialog: dialog,
+    meta: dialog.querySelector(".modal-meta"),
+    status: dialog.querySelector(".set-column-type-status"),
+    error: dialog.querySelector(".set-column-type-error"),
+    optionsWrap: dialog.querySelector(".set-column-type-options"),
+    footerInfo: dialog.querySelector(".footer-info"),
+    cancelButton: dialog.querySelector(".set-column-type-cancel"),
+    saveButton: dialog.querySelector(".set-column-type-save"),
+    currentColumn: null,
+    currentConfig: null,
+    isBusy: false,
+  };
+
+  setColumnTypeDialogState.cancelButton.addEventListener("click", function () {
+    if (!setColumnTypeDialogState.isBusy) {
+      dialog.close();
+    }
+  });
+
+  dialog.addEventListener("click", function (ev) {
+    if (ev.target === dialog && !setColumnTypeDialogState.isBusy) {
+      dialog.close();
+    }
+  });
+
+  dialog.addEventListener("cancel", function (ev) {
+    if (setColumnTypeDialogState.isBusy) {
+      ev.preventDefault();
+    }
+  });
+
+  dialog.addEventListener("close", function () {
+    clearSetColumnTypeDialogError(setColumnTypeDialogState);
+    setSetColumnTypeDialogBusy(setColumnTypeDialogState, false);
+  });
+
+  setColumnTypeDialogState.saveButton.addEventListener("click", async function () {
+    var state = setColumnTypeDialogState;
+    var selected = state.dialog.querySelector(
+      'input[name="set-column-type-choice"]:checked',
+    );
+    var selectedType = selected ? selected.value : "";
+    var currentType = state.currentConfig.current
+      ? state.currentConfig.current.type
+      : "";
+
+    if (selectedType === currentType) {
+      state.dialog.close();
+      return;
+    }
+
+    clearSetColumnTypeDialogError(state);
+    setSetColumnTypeDialogBusy(state, true);
+
+    var payload = {
+      column: state.currentColumn,
+      column_type: selectedType ? { type: selectedType } : null,
+    };
+
+    try {
+      var response = await fetch(getSetColumnTypeData().path, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+        },
+        body: JSON.stringify(payload),
+      });
+      var data = await response.json();
+      if (!response.ok || data.ok === false) {
+        var message = (data.errors || ["Request failed"]).join(" ");
+        throw new Error(message);
+      }
+      location.reload();
+    } catch (error) {
+      setSetColumnTypeDialogBusy(state, false);
+      showSetColumnTypeDialogError(state, error.message || "Request failed");
+    }
+  });
+
+  return setColumnTypeDialogState;
+}
+
+function openSetColumnTypeDialog(th) {
+  var column = th.dataset.column;
+  var columnConfig = getSetColumnTypeConfig(column);
+  if (!columnConfig) {
+    return;
+  }
+
+  var state = ensureSetColumnTypeDialog();
+  if (!state) {
+    return;
+  }
+
+  clearSetColumnTypeDialogError(state);
+  setSetColumnTypeDialogBusy(state, false);
+  state.currentColumn = column;
+  state.currentConfig = columnConfig;
+  state.status.textContent = `Column: ${column}`;
+  state.meta.textContent = getColumnTypeText(th) || "Type unavailable";
+  state.footerInfo.textContent = columnConfig.current
+    ? `Current custom type: ${columnConfig.current.type}`
+    : "No custom type set.";
+  state.optionsWrap.innerHTML = "";
+
+  var currentType = columnConfig.current ? columnConfig.current.type : "";
+  state.optionsWrap.appendChild(
+    createSetColumnTypeOption(
+      "",
+      "No custom type",
+      "Use standard Datasette rendering without a custom type.",
+      currentType === "",
+    ),
+  );
+
+  columnConfig.options.forEach(function (option) {
+    state.optionsWrap.appendChild(
+      createSetColumnTypeOption(
+        option.name,
+        option.name,
+        option.description,
+        option.name === currentType,
+      ),
+    );
+  });
+
+  if (!columnConfig.options.length) {
+    var emptyState = document.createElement("p");
+    emptyState.className = "set-column-type-empty";
+    emptyState.textContent =
+      "No registered custom types are compatible with this SQLite type.";
+    state.optionsWrap.appendChild(emptyState);
+  }
+
+  if (!state.dialog.open) {
+    state.dialog.showModal();
+  }
+  var selectedOption = state.dialog.querySelector(
+    'input[name="set-column-type-choice"]:checked',
+  );
+  if (selectedOption) {
+    selectedOption.focus();
+  } else {
+    state.saveButton.focus();
+  }
+}
+
+function canChooseColumns() {
+  return !!(
+    document.querySelector("column-chooser") && window._columnChooserData
+  );
+}
+
+function shouldShowShowAllColumns() {
+  var params = getParams();
+  return params.getAll("_nocol").length || params.getAll("_col").length;
+}
+
+function hasMultipleVisibleColumns(manager) {
+  return (
+    Array.from(document.querySelectorAll(manager.selectors.tableHeaders)).filter(
+      (th) => th.dataset.column && th.dataset.isLinkColumn !== "1",
+    ).length > 1
+  );
+}
+
+function buildColumnActionItems(manager, th, options) {
+  options = options || {};
+  var params = getParams();
+  var column = th.dataset.column;
+  var columnActions = [];
+  var isSortable = !!th.querySelector("a");
+  var isFirstColumn = th.parentElement.querySelector("th:first-of-type") === th;
+  var isSinglePk =
+    th.dataset.isPk === "1" &&
+    document.querySelectorAll('th[data-is-pk="1"]').length === 1;
+  var hasBlankValues = getColumnCells(th).some(
+    (el) => el.innerText.trim() === "",
+  );
+
+  if (isSortable && params.get("_sort") !== column) {
+    columnActions.push({
+      label: "Sort ascending",
+      href: sortAscUrl(column),
+    });
+  }
+
+  if (isSortable && params.get("_sort_desc") !== column) {
+    columnActions.push({
+      label: "Sort descending",
+      href: sortDescUrl(column),
+    });
+  }
+
+  if (
+    DATASETTE_ALLOW_FACET &&
+    !isFirstColumn &&
+    !getDisplayedFacets().includes(column) &&
+    !isSinglePk
+  ) {
+    columnActions.push({
+      label: "Facet by this",
+      href: facetUrl(column),
+    });
+  }
+
+  if (options.includeChooseColumns && canChooseColumns()) {
+    columnActions.push({
+      label: "Choose columns",
+      href: "#",
+      onClick:
+        options.onChooseColumns ||
+        function (ev) {
+          ev.preventDefault();
+          openColumnChooser();
+        },
+    });
+  }
+
+  if (canSetColumnType() && getSetColumnTypeConfig(column)) {
+    columnActions.push({
+      label: setColumnTypeActionLabel(column),
+      href: "#",
+      onClick:
+        options.onSetColumnType ||
+        function (ev) {
+          ev.preventDefault();
+          window.setTimeout(function () {
+            openSetColumnTypeDialog(th);
+          }, 0);
+        },
+    });
+  }
+
+  if (th.dataset.isPk !== "1" && hasMultipleVisibleColumns(manager)) {
+    columnActions.push({
+      label: "Hide this column",
+      href: hideColumnUrl(column),
+    });
+  }
+
+  if (options.includeShowAllColumns && shouldShowShowAllColumns()) {
+    columnActions.push({
+      label: "Show all columns",
+      href: showAllColumnsUrl(),
+    });
+  }
+
+  if (params.get(`${column}__notblank`) !== "1" && hasBlankValues) {
+    columnActions.push({
+      label: "Show not-blank rows",
+      href: notBlankUrl(column),
+    });
+  }
+
+  return columnActions.concat(manager.makeColumnActions(getColumnMeta(th)));
+}
+
+function buildColumnActionState(manager, th, options) {
+  return {
+    column: th.dataset.column,
+    columnDescription: th.dataset.columnDescription || null,
+    columnMeta: getColumnMeta(th),
+    columnTypeText: getColumnTypeText(th),
+    actionItems: buildColumnActionItems(manager, th, options),
+  };
+}
+
+function initializeColumnActions(manager) {
+  manager.columnActions = {
+    buildColumnActionState: function (th, options) {
+      return buildColumnActionState(manager, th, options);
+    },
+    buildColumnActionItems: function (th, options) {
+      return buildColumnActionItems(manager, th, options);
+    },
+    canChooseColumns: canChooseColumns,
+    facetUrl: facetUrl,
+    getColumnMeta: getColumnMeta,
+    getColumnTypeText: getColumnTypeText,
+    hideColumnUrl: hideColumnUrl,
+    notBlankUrl: notBlankUrl,
+    shouldShowShowAllColumns: shouldShowShowAllColumns,
+    showAllColumnsUrl: showAllColumnsUrl,
+    sortAscUrl: sortAscUrl,
+    sortDescUrl: sortDescUrl,
+  };
+}
+
+function renderActionLink(itemConfig) {
+  var newLink = document.createElement("a");
+  newLink.textContent = itemConfig.label;
+  newLink.href = itemConfig.href || "#";
+  if (itemConfig.onClick) {
+    newLink.addEventListener("click", itemConfig.onClick);
+  }
+  return newLink;
+}
+
 /** Main initialization function for Datasette Table interactions */
 const initDatasetteTable = function (manager) {
   // Feature detection
   if (!window.URLSearchParams) {
     return;
   }
-  function getParams() {
-    return new URLSearchParams(location.search);
-  }
-  function paramsToUrl(params) {
-    var s = params.toString();
-    return s ? "?" + s : location.pathname;
-  }
-  function sortDescUrl(column) {
-    var params = getParams();
-    params.set("_sort_desc", column);
-    params.delete("_sort");
-    params.delete("_next");
-    return paramsToUrl(params);
-  }
-  function sortAscUrl(column) {
-    var params = getParams();
-    params.set("_sort", column);
-    params.delete("_sort_desc");
-    params.delete("_next");
-    return paramsToUrl(params);
-  }
-  function facetUrl(column) {
-    var params = getParams();
-    params.append("_facet", column);
-    return paramsToUrl(params);
-  }
-  function hideColumnUrl(column) {
-    var params = getParams();
-    params.append("_nocol", column);
-    return paramsToUrl(params);
-  }
-  function showAllColumnsUrl() {
-    var params = getParams();
-    params.delete("_nocol");
-    params.delete("_col");
-    return paramsToUrl(params);
-  }
-  function notBlankUrl(column) {
-    var params = getParams();
-    params.set(`${column}__notblank`, "1");
-    return paramsToUrl(params);
-  }
   function closeMenu() {
     menu.style.display = "none";
     menu.classList.remove("anim-scale-in");
@@ -96,87 +543,41 @@ const initDatasetteTable = function (manager) {
     var rect = th.getBoundingClientRect();
     var menuTop = rect.bottom + window.scrollY;
     var menuLeft = rect.left + window.scrollX;
-    var column = th.getAttribute("data-column");
-    var params = getParams();
-    var sort = menu.querySelector("a.dropdown-sort-asc");
-    var sortDesc = menu.querySelector("a.dropdown-sort-desc");
-    var facetItem = menu.querySelector("a.dropdown-facet");
-    var notBlank = menu.querySelector("a.dropdown-not-blank");
-    var hideColumn = menu.querySelector("a.dropdown-hide-column");
-    var showAllColumns = menu.querySelector("a.dropdown-show-all-columns");
-    if (params.get("_sort") == column) {
-      sort.parentNode.style.display = "none";
-    } else {
-      sort.parentNode.style.display = "block";
-      sort.setAttribute("href", sortAscUrl(column));
-    }
-    if (params.get("_sort_desc") == column) {
-      sortDesc.parentNode.style.display = "none";
-    } else {
-      sortDesc.parentNode.style.display = "block";
-      sortDesc.setAttribute("href", sortDescUrl(column));
-    }
-    /* Show hide columns options */
-    if (params.get("_nocol") || params.get("_col")) {
-      showAllColumns.parentNode.style.display = "block";
-      showAllColumns.setAttribute("href", showAllColumnsUrl());
-    } else {
-      showAllColumns.parentNode.style.display = "none";
-    }
-    if (th.getAttribute("data-is-pk") != "1") {
-      hideColumn.parentNode.style.display = "block";
-      hideColumn.setAttribute("href", hideColumnUrl(column));
-    } else {
-      hideColumn.parentNode.style.display = "none";
-    }
-    /* Only show "Facet by this" if it's not the first column, not selected,
-       not a single PK and the Datasette allow_facet setting is True */
-    var displayedFacets = Array.from(
-      document.querySelectorAll(".facet-info"),
-    ).map((el) => el.dataset.column);
-    var isFirstColumn =
-      th.parentElement.querySelector("th:first-of-type") == th;
-    var isSinglePk =
-      th.getAttribute("data-is-pk") == "1" &&
-      document.querySelectorAll('th[data-is-pk="1"]').length == 1;
-    if (
-      !DATASETTE_ALLOW_FACET ||
-      isFirstColumn ||
-      displayedFacets.includes(column) ||
-      isSinglePk
-    ) {
-      facetItem.parentNode.style.display = "none";
-    } else {
-      facetItem.parentNode.style.display = "block";
-      facetItem.setAttribute("href", facetUrl(column));
-    }
-    /* Show notBlank option if not selected AND at least one visible blank value */
-    var tdsForThisColumn = Array.from(
-      th.closest("table").querySelectorAll("td." + th.className),
-    );
-    if (
-      params.get(`${column}__notblank`) != "1" &&
-      tdsForThisColumn.filter((el) => el.innerText.trim() == "").length
-    ) {
-      notBlank.parentNode.style.display = "block";
-      notBlank.setAttribute("href", notBlankUrl(column));
-    } else {
-      notBlank.parentNode.style.display = "none";
-    }
-    var columnTypeP = menu.querySelector(".dropdown-column-type");
-    var columnType = th.dataset.columnType;
-    var notNull = th.dataset.columnNotNull == 1 ? " NOT NULL" : "";
+    var actionState = manager.columnActions.buildColumnActionState(th, {
+      includeChooseColumns: true,
+      includeShowAllColumns: true,
+      onChooseColumns: function (ev) {
+        ev.preventDefault();
+        closeMenu();
+        openColumnChooser();
+      },
+      onSetColumnType: function (ev) {
+        ev.preventDefault();
+        closeMenu();
+        window.setTimeout(function () {
+          openSetColumnTypeDialog(th);
+        }, 0);
+      },
+    });
+    var menuList = menu.querySelector("ul.dropdown-actions");
+    menuList.innerHTML = "";
+    actionState.actionItems.forEach((itemConfig) => {
+      var menuItem = document.createElement("li");
+      menuItem.appendChild(renderActionLink(itemConfig));
+      menuList.appendChild(menuItem);
+    });
 
-    if (columnType) {
+    var columnTypeP = menu.querySelector(".dropdown-column-type");
+    if (actionState.columnTypeText) {
       columnTypeP.style.display = "block";
-      columnTypeP.innerText = `Type: ${columnType.toUpperCase()}${notNull}`;
+      columnTypeP.innerText = actionState.columnTypeText;
     } else {
       columnTypeP.style.display = "none";
     }
 
     var columnDescriptionP = menu.querySelector(".dropdown-column-description");
-    if (th.dataset.columnDescription) {
-      columnDescriptionP.innerText = th.dataset.columnDescription;
+    if (actionState.columnDescription) {
+      columnDescriptionP.innerText = actionState.columnDescription;
       columnDescriptionP.style.display = "block";
     } else {
       columnDescriptionP.style.display = "none";
@@ -187,39 +588,6 @@ const initDatasetteTable = function (manager) {
     menu.style.display = "block";
     menu.classList.add("anim-scale-in");
 
-    // Custom menu items on each render
-    // Plugin hook: allow adding JS-based additional menu items
-    const columnActionsPayload = {
-      columnName: th.dataset.column,
-      columnNotNull: th.dataset.columnNotNull === "1",
-      columnType: th.dataset.columnType,
-      isPk: th.dataset.isPk === "1",
-    };
-    const columnItemConfigs = manager.makeColumnActions(columnActionsPayload);
-
-    const menuList = menu.querySelector("ul");
-    columnItemConfigs.forEach((itemConfig) => {
-      // Remove items from previous render. We assume entries have unique labels.
-      const existingItems = menuList.querySelectorAll(`li`);
-      Array.from(existingItems)
-        .filter((item) => item.innerText === itemConfig.label)
-        .forEach((node) => {
-          node.remove();
-        });
-
-      const newLink = document.createElement("a");
-      newLink.textContent = itemConfig.label;
-      newLink.href = itemConfig.href ?? "#";
-      if (itemConfig.onClick) {
-        newLink.onclick = itemConfig.onClick;
-      }
-
-      // Attach new elements to DOM
-      const menuItem = document.createElement("li");
-      menuItem.appendChild(newLink);
-      menuList.appendChild(menuItem);
-    });
-
     // Measure width of menu and adjust position if too far right
     const menuWidth = menu.offsetWidth;
     const windowWidth = window.innerWidth;
@@ -265,32 +633,151 @@ const initDatasetteTable = function (manager) {
   });
 };
 
-/* Add x buttons to the filter rows */
-function addButtonsToFilterRows(manager) {
-  var x = "✖";
-  var rows = Array.from(
-    document.querySelectorAll(manager.selectors.filterRow),
+function filterRowSelector(manager) {
+  return manager.selectors.filterRows || manager.selectors.filterRow;
+}
+
+function filterRowsWithControls(manager) {
+  return Array.from(
+    document.querySelectorAll(filterRowSelector(manager)),
   ).filter((el) => el.querySelector(".filter-op"));
-  rows.forEach((row) => {
-    var a = document.createElement("a");
-    a.setAttribute("href", "#");
-    a.setAttribute("aria-label", "Remove this filter");
-    a.style.textDecoration = "none";
-    a.innerText = x;
-    a.addEventListener("click", (ev) => {
-      ev.preventDefault();
-      let row = ev.target.closest("div");
-      row.querySelector("select").value = "";
-      row.querySelector(".filter-op select").value = "exact";
-      row.querySelector("input.filter-value").value = "";
-      ev.target.closest("a").style.display = "none";
-    });
-    row.appendChild(a);
+}
+
+function filterRowNumberFromName(name) {
+  var match = name && name.match(/^_filter_column_(\d+)$/);
+  return match ? parseInt(match[1], 10) : 0;
+}
+
+function nextFilterRowNumber(manager) {
+  return filterRowsWithControls(manager).reduce((max, row) => {
     var column = row.querySelector("select");
-    if (!column.value) {
-      a.style.display = "none";
+    return Math.max(max, filterRowNumberFromName(column && column.name));
+  }, 0) + 1;
+}
+
+function setFilterRowNumber(row, number) {
+  row.querySelector("select").name = `_filter_column_${number}`;
+  row.querySelector(".filter-op select").name = `_filter_op_${number}`;
+  row.querySelector("input.filter-value").name = `_filter_value_${number}`;
+}
+
+function resetFilterRow(row) {
+  row.querySelector("select").value = "";
+  row.querySelector(".filter-op select").value = "exact";
+  row.querySelector("input.filter-value").value = "";
+}
+
+function updateFilterRowButtons(manager) {
+  var rows = filterRowsWithControls(manager);
+  rows.forEach((row, index) => {
+    var removeButton = row.querySelector(".filter-row-remove");
+    var addButton = row.querySelector(".filter-row-add");
+    var column = row.querySelector("select");
+    if (removeButton) {
+      removeButton.hidden = index === 0;
+    }
+    if (addButton) {
+      addButton.hidden = index !== rows.length - 1 || !column.value;
+    }
+    var visibleButtonCount = [removeButton, addButton].filter(function (button) {
+      return button && !button.hidden;
+    }).length;
+    row.classList.toggle(
+      "filter-controls-row-has-buttons",
+      visibleButtonCount > 0,
+    );
+    row.classList.toggle(
+      "filter-controls-row-one-button",
+      visibleButtonCount === 1,
+    );
+    row.classList.toggle(
+      "filter-controls-row-two-buttons",
+      visibleButtonCount === 2,
+    );
+  });
+}
+
+function cloneFilterRow(row) {
+  var clone = row.cloneNode(true);
+  clone.querySelector("select").name = "_filter_column";
+  clone.querySelector(".filter-op select").name = "_filter_op";
+  clone.querySelector("input.filter-value").name = "_filter_value";
+  resetFilterRow(clone);
+  clone.querySelectorAll(".filter-row-icon").forEach((button) => button.remove());
+  return clone;
+}
+
+var FILTER_REMOVE_ICON_SVG = `<svg class="filter-row-remove-icon" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.1" stroke-linecap="round" stroke-linejoin="round">
+  <path d="M3 6h18"></path>
+  <path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"></path>
+  <path d="M19 6l-1 14a2 2 0 0 1-2 2H8a2 2 0 0 1-2-2L5 6"></path>
+  <path d="M10 11v6"></path>
+  <path d="M14 11v6"></path>
+</svg>`;
+
+var FILTER_ADD_ICON_SVG = `<svg class="filter-row-add-icon" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round">
+  <path d="M5 12h14"></path>
+  <path d="M12 5v14"></path>
+</svg>`;
+
+function addFilterRowButtons(row, manager) {
+  var removeButton = document.createElement("button");
+  removeButton.type = "button";
+  removeButton.className = "filter-row-icon filter-row-remove";
+  removeButton.setAttribute("aria-label", "Remove this filter");
+  removeButton.title = "Remove this filter";
+  removeButton.tabIndex = 0;
+  removeButton.innerHTML = FILTER_REMOVE_ICON_SVG;
+  removeButton.addEventListener("click", (ev) => {
+    var row = ev.currentTarget.closest(filterRowSelector(manager));
+    var rows = filterRowsWithControls(manager);
+    var rowIndex = rows.indexOf(row);
+    var focusRow = rows[rowIndex + 1] || rows[rowIndex - 1] || null;
+    row.remove();
+    updateFilterRowButtons(manager);
+    if (focusRow) {
+      var focusTarget =
+        focusRow.querySelector(".filter-row-add:not([hidden])") ||
+        focusRow.querySelector("select");
+      if (focusTarget) {
+        focusTarget.focus();
+      }
     }
   });
+  row.appendChild(removeButton);
+
+  var addButton = document.createElement("button");
+  addButton.type = "button";
+  addButton.className = "filter-row-icon filter-row-add";
+  addButton.setAttribute("aria-label", "Add another filter");
+  addButton.title = "Add another filter";
+  addButton.tabIndex = 0;
+  addButton.innerHTML = FILTER_ADD_ICON_SVG;
+  addButton.addEventListener("click", (ev) => {
+    var row = ev.currentTarget.closest(filterRowSelector(manager));
+    if (row.querySelector("select").name === "_filter_column") {
+      setFilterRowNumber(row, nextFilterRowNumber(manager));
+    }
+    var clone = cloneFilterRow(row);
+    addFilterRowButtons(clone, manager);
+    row.parentNode.insertBefore(clone, row.nextSibling);
+    updateFilterRowButtons(manager);
+    clone.querySelector("select").focus();
+  });
+  row.appendChild(addButton);
+
+  row.querySelector("select").addEventListener("change", () => {
+    updateFilterRowButtons(manager);
+  });
+}
+
+/* Add buttons to the filter rows */
+function addButtonsToFilterRows(manager) {
+  var rows = filterRowsWithControls(manager);
+  rows.forEach((row) => {
+    addFilterRowButtons(row, manager);
+  });
+  updateFilterRowButtons(manager);
 }
 
 /* Set up datalist autocomplete for filter values */
@@ -319,21 +806,66 @@ function initAutocompleteForFilterValues(manager) {
     });
   }
   createDataLists();
-  // When any select with name=_filter_column changes, update the datalist
+  // When any filter column select changes, update the datalist
   document.body.addEventListener("change", function (event) {
-    if (event.target.name === "_filter_column") {
+    if (event.target.name && event.target.name.startsWith("_filter_column")) {
       event.target
-        .closest(manager.selectors.filterRow)
+        .closest(filterRowSelector(manager))
         .querySelector(".filter-value")
         .setAttribute("list", "datalist-" + event.target.value);
     }
   });
 }
 
+/** Open the column-chooser web component */
+function openColumnChooser() {
+  var chooser = document.querySelector("column-chooser");
+  var data = window._columnChooserData;
+  if (!chooser || !data) return;
+
+  var nonPkColumns = data.allColumns.filter(function (col) {
+    return data.primaryKeys.indexOf(col) === -1;
+  });
+  var selected = data.selectedColumns.filter(function (col) {
+    return data.primaryKeys.indexOf(col) === -1;
+  });
+
+  chooser.open({
+    columns: nonPkColumns,
+    selected: selected,
+    onApply: function (cols) {
+      var params = new URLSearchParams(location.search);
+      params.delete("_col");
+      params.delete("_nocol");
+      params.delete("_next");
+
+      if (cols.length === nonPkColumns.length) {
+        // Check if order matches original - if so, no params needed
+        var orderMatches = cols.every(function (col, i) {
+          return col === nonPkColumns[i];
+        });
+        if (!orderMatches) {
+          cols.forEach(function (col) {
+            params.append("_col", col);
+          });
+        }
+      } else {
+        cols.forEach(function (col) {
+          params.append("_col", col);
+        });
+      }
+      var qs = params.toString();
+      location.href = qs ? "?" + qs : location.pathname;
+    },
+  });
+}
+
 // Ensures Table UI is initialized only after the Manager is ready.
 document.addEventListener("datasette_init", function (evt) {
   const { detail: manager } = evt;
 
+  initializeColumnActions(manager);
+
   // Main table
   initDatasetteTable(manager);
 
diff --git a/datasette/stored_queries.py b/datasette/stored_queries.py
new file mode 100644
index 00000000..a6123daa
--- /dev/null
+++ b/datasette/stored_queries.py
@@ -0,0 +1,581 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+import json
+from typing import Any, Iterable
+
+from .utils import tilde_encode, urlsafe_components
+
+UNCHANGED = object()
+
+
+QUERY_OPTION_FIELDS = (
+    "hide_sql",
+    "fragment",
+    "on_success_message",
+    "on_success_message_sql",
+    "on_success_redirect",
+    "on_error_message",
+    "on_error_redirect",
+)
+
+
+@dataclass
+class StoredQuery:
+    database: str
+    name: str
+    sql: str
+    title: str | None
+    description: str | None
+    description_html: str | None
+    hide_sql: bool
+    fragment: str | None
+    parameters: list[str]
+    is_write: bool
+    is_private: bool
+    is_trusted: bool
+    source: str
+    owner_id: str | None
+    on_success_message: str | None
+    on_success_message_sql: str | None
+    on_success_redirect: str | None
+    on_error_message: str | None
+    on_error_redirect: str | None
+    private: bool | None = None
+
+
+@dataclass
+class StoredQueryPage:
+    queries: list[StoredQuery]
+    next: str | None
+    has_more: bool
+    limit: int
+
+
+def stored_query_to_dict(query: StoredQuery) -> dict[str, Any]:
+    data = {
+        "database": query.database,
+        "name": query.name,
+        "sql": query.sql,
+        "title": query.title,
+        "description": query.description,
+        "description_html": query.description_html,
+        "hide_sql": query.hide_sql,
+        "fragment": query.fragment,
+        "params": list(query.parameters),
+        "parameters": list(query.parameters),
+        "is_write": query.is_write,
+        "is_private": query.is_private,
+        "is_trusted": query.is_trusted,
+        "source": query.source,
+        "owner_id": query.owner_id,
+        "on_success_message": query.on_success_message,
+        "on_success_message_sql": query.on_success_message_sql,
+        "on_success_redirect": query.on_success_redirect,
+        "on_error_message": query.on_error_message,
+        "on_error_redirect": query.on_error_redirect,
+    }
+    if query.private is not None:
+        data["private"] = query.private
+    return data
+
+
+def stored_query_page_to_dict(page: StoredQueryPage) -> dict[str, Any]:
+    return {
+        "queries": [stored_query_to_dict(query) for query in page.queries],
+        "next": page.next,
+        "has_more": page.has_more,
+        "limit": page.limit,
+    }
+
+
+async def save_queries_from_config(datasette: Any) -> None:
+    # Apply configured query entries from datasette.yaml to the internal table.
+    await datasette.get_internal_database().execute_write(
+        "DELETE FROM queries WHERE source = 'config'"
+    )
+    for dbname, db_config in ((datasette.config or {}).get("databases") or {}).items():
+        for query_name, query_config in (db_config.get("queries") or {}).items():
+            if not isinstance(query_config, dict):
+                query_config = {"sql": query_config}
+            await datasette.add_query(
+                dbname,
+                query_name,
+                query_config["sql"],
+                title=query_config.get("title"),
+                description=query_config.get("description"),
+                description_html=query_config.get("description_html"),
+                hide_sql=bool(query_config.get("hide_sql")),
+                fragment=query_config.get("fragment"),
+                parameters=query_config.get("params"),
+                is_write=bool(query_config.get("write")),
+                is_trusted=bool(query_config.get("is_trusted", True)),
+                source="config",
+                on_success_message=query_config.get("on_success_message"),
+                on_success_message_sql=query_config.get("on_success_message_sql"),
+                on_success_redirect=query_config.get("on_success_redirect"),
+                on_error_message=query_config.get("on_error_message"),
+                on_error_redirect=query_config.get("on_error_redirect"),
+            )
+
+
+def query_row_to_stored_query(
+    row: Any, private: bool | None = None
+) -> StoredQuery | None:
+    if row is None:
+        return None
+    parameters = json.loads(row["parameters"] or "[]")
+    options = json.loads(row["options"] or "{}")
+    return StoredQuery(
+        database=row["database_name"],
+        name=row["name"],
+        sql=row["sql"],
+        title=row["title"],
+        description=row["description"],
+        description_html=row["description_html"],
+        hide_sql=bool(options.get("hide_sql")),
+        fragment=options.get("fragment"),
+        parameters=parameters,
+        is_write=bool(row["is_write"]),
+        is_private=bool(row["is_private"]),
+        is_trusted=bool(row["is_trusted"]),
+        source=row["source"],
+        owner_id=row["owner_id"],
+        on_success_message=options.get("on_success_message"),
+        on_success_message_sql=options.get("on_success_message_sql"),
+        on_success_redirect=options.get("on_success_redirect"),
+        on_error_message=options.get("on_error_message"),
+        on_error_redirect=options.get("on_error_redirect"),
+        private=private,
+    )
+
+
+def query_options_json(options: dict[str, Any]) -> str:
+    options_dict = {}
+    for field in QUERY_OPTION_FIELDS:
+        value = options.get(field)
+        if field == "hide_sql":
+            if value:
+                options_dict[field] = True
+        elif value is not None:
+            options_dict[field] = value
+    return json.dumps(options_dict, sort_keys=True)
+
+
+async def add_query(
+    datasette: Any,
+    database: str,
+    name: str,
+    sql: str,
+    *,
+    title: str | None = None,
+    description: str | None = None,
+    description_html: str | None = None,
+    hide_sql: bool = False,
+    fragment: str | None = None,
+    parameters: Iterable[str] | None = None,
+    is_write: bool = False,
+    is_private: bool = False,
+    is_trusted: bool = False,
+    source: str = "plugin",
+    owner_id: str | None = None,
+    on_success_message: str | None = None,
+    on_success_message_sql: str | None = None,
+    on_success_redirect: str | None = None,
+    on_error_message: str | None = None,
+    on_error_redirect: str | None = None,
+    replace: bool = True,
+) -> None:
+    parameters_json = json.dumps(list(parameters or []))
+    options_json = query_options_json(
+        {
+            "hide_sql": hide_sql,
+            "fragment": fragment,
+            "on_success_message": on_success_message,
+            "on_success_message_sql": on_success_message_sql,
+            "on_success_redirect": on_success_redirect,
+            "on_error_message": on_error_message,
+            "on_error_redirect": on_error_redirect,
+        }
+    )
+    sql_statement = """
+        INSERT INTO queries (
+            database_name, name, sql, title, description, description_html,
+            options, parameters, is_write, is_private, is_trusted, source, owner_id
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    """
+    if replace:
+        sql_statement += """
+            ON CONFLICT(database_name, name) DO UPDATE SET
+                sql = excluded.sql,
+                title = excluded.title,
+                description = excluded.description,
+                description_html = excluded.description_html,
+                options = excluded.options,
+                parameters = excluded.parameters,
+                is_write = excluded.is_write,
+                is_private = excluded.is_private,
+                is_trusted = excluded.is_trusted,
+                source = excluded.source,
+                owner_id = excluded.owner_id,
+                updated_at = CURRENT_TIMESTAMP
+        """
+    await datasette.get_internal_database().execute_write(
+        sql_statement,
+        [
+            database,
+            name,
+            sql,
+            title,
+            description,
+            description_html,
+            options_json,
+            parameters_json,
+            int(bool(is_write)),
+            int(bool(is_private)),
+            int(bool(is_trusted)),
+            source,
+            owner_id,
+        ],
+    )
+
+
+async def update_query(
+    datasette: Any,
+    database: str,
+    name: str,
+    *,
+    sql=UNCHANGED,
+    title=UNCHANGED,
+    description=UNCHANGED,
+    description_html=UNCHANGED,
+    hide_sql=UNCHANGED,
+    fragment=UNCHANGED,
+    parameters=UNCHANGED,
+    is_write=UNCHANGED,
+    is_private=UNCHANGED,
+    is_trusted=UNCHANGED,
+    source=UNCHANGED,
+    owner_id=UNCHANGED,
+    on_success_message=UNCHANGED,
+    on_success_message_sql=UNCHANGED,
+    on_success_redirect=UNCHANGED,
+    on_error_message=UNCHANGED,
+    on_error_redirect=UNCHANGED,
+) -> None:
+    fields = {
+        "sql": sql,
+        "title": title,
+        "description": description,
+        "description_html": description_html,
+        "parameters": parameters,
+        "is_write": is_write,
+        "is_private": is_private,
+        "is_trusted": is_trusted,
+        "source": source,
+        "owner_id": owner_id,
+    }
+    option_fields = {
+        "hide_sql": hide_sql,
+        "fragment": fragment,
+        "on_success_message": on_success_message,
+        "on_success_message_sql": on_success_message_sql,
+        "on_success_redirect": on_success_redirect,
+        "on_error_message": on_error_message,
+        "on_error_redirect": on_error_redirect,
+    }
+    updates = []
+    params = []
+    for field, value in fields.items():
+        if value is UNCHANGED:
+            continue
+        if field in {"is_write", "is_private", "is_trusted"}:
+            value = int(bool(value))
+        elif field == "parameters":
+            value = json.dumps(list(value or []))
+        updates.append(f"{field} = ?")
+        params.append(value)
+    changed_options = {
+        field: value for field, value in option_fields.items() if value is not UNCHANGED
+    }
+    if changed_options:
+        rows = await datasette.get_internal_database().execute(
+            """
+            SELECT options FROM queries
+            WHERE database_name = ? AND name = ?
+            """,
+            [database, name],
+        )
+        row = rows.first()
+        options = json.loads(row["options"] or "{}") if row is not None else {}
+        for field, value in changed_options.items():
+            if field == "hide_sql":
+                if value:
+                    options[field] = True
+                else:
+                    options.pop(field, None)
+            elif value is None:
+                options.pop(field, None)
+            else:
+                options[field] = value
+        updates.append("options = ?")
+        params.append(json.dumps(options, sort_keys=True))
+    if not updates:
+        return
+    updates.append("updated_at = CURRENT_TIMESTAMP")
+    params.extend([database, name])
+    await datasette.get_internal_database().execute_write(
+        """
+        UPDATE queries
+        SET {}
+        WHERE database_name = ? AND name = ?
+        """.format(", ".join(updates)),
+        params,
+    )
+
+
+async def remove_query(
+    datasette: Any, database: str, name: str, source: str | None = None
+) -> None:
+    sql = "DELETE FROM queries WHERE database_name = ? AND name = ?"
+    params = [database, name]
+    if source is not None:
+        sql += " AND source = ?"
+        params.append(source)
+    await datasette.get_internal_database().execute_write(sql, params)
+
+
+async def get_query(datasette: Any, database: str, name: str) -> StoredQuery | None:
+    rows = await datasette.get_internal_database().execute(
+        """
+        SELECT * FROM queries
+        WHERE database_name = ? AND name = ?
+        """,
+        [database, name],
+    )
+    return query_row_to_stored_query(rows.first())
+
+
+async def count_queries(
+    datasette: Any,
+    database: str | None = None,
+    *,
+    actor: dict[str, Any] | None = None,
+    q: str | None = None,
+    is_write: bool | None = None,
+    is_private: bool | None = None,
+    is_trusted: bool | None = None,
+    source: str | None = None,
+    owner_id: str | None = None,
+) -> int:
+    allowed_sql, allowed_params = await datasette.allowed_resources_sql(
+        action="view-query",
+        actor=actor,
+        parent=database,
+    )
+    params = dict(allowed_params)
+    where_clauses = []
+    if database is not None:
+        params["query_database"] = database
+        where_clauses.append("q.database_name = :query_database")
+
+    if q:
+        where_clauses.append("""
+            (
+                q.name LIKE :query_search
+                OR q.title LIKE :query_search
+                OR q.description LIKE :query_search
+                OR q.sql LIKE :query_search
+            )
+            """)
+        params["query_search"] = "%{}%".format(q)
+    if is_write is not None:
+        where_clauses.append("q.is_write = :query_is_write")
+        params["query_is_write"] = int(bool(is_write))
+    if is_private is not None:
+        where_clauses.append("q.is_private = :query_is_private")
+        params["query_is_private"] = int(bool(is_private))
+    if is_trusted is not None:
+        where_clauses.append("q.is_trusted = :query_is_trusted")
+        params["query_is_trusted"] = int(bool(is_trusted))
+    if source is not None:
+        where_clauses.append("q.source = :query_source")
+        params["query_source"] = source
+    if owner_id is not None:
+        where_clauses.append("q.owner_id = :query_owner_id")
+        params["query_owner_id"] = owner_id
+
+    row = (
+        await datasette.get_internal_database().execute(
+            """
+            SELECT count(*) AS count
+            FROM queries q
+            JOIN (
+                {allowed_sql}
+            ) allowed
+              ON allowed.parent = q.database_name
+             AND allowed.child = q.name
+            WHERE {where}
+            """.format(
+                allowed_sql=allowed_sql,
+                where=" AND ".join(where_clauses) or "1 = 1",
+            ),
+            params,
+        )
+    ).first()
+    return row["count"]
+
+
+async def list_queries(
+    datasette: Any,
+    database: str | None = None,
+    *,
+    actor: dict[str, Any] | None = None,
+    limit: int = 50,
+    cursor: str | None = None,
+    q: str | None = None,
+    is_write: bool | None = None,
+    is_private: bool | None = None,
+    is_trusted: bool | None = None,
+    source: str | None = None,
+    owner_id: str | None = None,
+    include_private: bool = False,
+) -> StoredQueryPage:
+    limit = min(max(1, int(limit)), 1000)
+    allowed_sql, allowed_params = await datasette.allowed_resources_sql(
+        action="view-query",
+        actor=actor,
+        parent=database,
+        include_is_private=include_private,
+    )
+    params = dict(allowed_params)
+    params.update({"limit": limit + 1})
+    sort_key_sql = "lower(coalesce(nullif(q.title, ''), q.name))"
+    where_clauses = []
+    order_by = "q.database_name, sort_key, q.name"
+    if database is not None:
+        params["query_database"] = database
+        where_clauses.append("q.database_name = :query_database")
+        order_by = "sort_key, q.name"
+
+    if cursor:
+        try:
+            components = urlsafe_components(cursor)
+        except ValueError:
+            components = []
+        if database is None and len(components) == 3:
+            where_clauses.append("""
+                (
+                    q.database_name > :cursor_database
+                    OR (
+                        q.database_name = :cursor_database
+                        AND (
+                            {sort_key_sql} > :cursor_sort_key
+                            OR (
+                                {sort_key_sql} = :cursor_sort_key
+                                AND q.name > :cursor_name
+                            )
+                        )
+                    )
+                )
+                """.format(sort_key_sql=sort_key_sql))
+            params["cursor_database"] = components[0]
+            params["cursor_sort_key"] = components[1]
+            params["cursor_name"] = components[2]
+        elif database is not None and len(components) == 2:
+            where_clauses.append("""
+                (
+                    {sort_key_sql} > :cursor_sort_key
+                    OR (
+                        {sort_key_sql} = :cursor_sort_key
+                        AND q.name > :cursor_name
+                    )
+                )
+                """.format(sort_key_sql=sort_key_sql))
+            params["cursor_sort_key"] = components[0]
+            params["cursor_name"] = components[1]
+
+    if q:
+        where_clauses.append("""
+            (
+                q.name LIKE :query_search
+                OR q.title LIKE :query_search
+                OR q.description LIKE :query_search
+                OR q.sql LIKE :query_search
+            )
+            """)
+        params["query_search"] = "%{}%".format(q)
+    if is_write is not None:
+        where_clauses.append("q.is_write = :query_is_write")
+        params["query_is_write"] = int(bool(is_write))
+    if is_private is not None:
+        where_clauses.append("q.is_private = :query_is_private")
+        params["query_is_private"] = int(bool(is_private))
+    if is_trusted is not None:
+        where_clauses.append("q.is_trusted = :query_is_trusted")
+        params["query_is_trusted"] = int(bool(is_trusted))
+    if source is not None:
+        where_clauses.append("q.source = :query_source")
+        params["query_source"] = source
+    if owner_id is not None:
+        where_clauses.append("q.owner_id = :query_owner_id")
+        params["query_owner_id"] = owner_id
+
+    private_select = ", allowed.is_private AS private" if include_private else ""
+    rows = list(
+        (
+            await datasette.get_internal_database().execute(
+                """
+                SELECT q.*, {sort_key_sql} AS sort_key{private_select}
+                FROM queries q
+                JOIN (
+                    {allowed_sql}
+                ) allowed
+                  ON allowed.parent = q.database_name
+                 AND allowed.child = q.name
+                WHERE {where}
+                ORDER BY {order_by}
+                LIMIT :limit
+                """.format(
+                    allowed_sql=allowed_sql,
+                    private_select=private_select,
+                    sort_key_sql=sort_key_sql,
+                    where=" AND ".join(where_clauses) or "1 = 1",
+                    order_by=order_by,
+                ),
+                params,
+            )
+        ).rows
+    )
+    has_more = len(rows) > limit
+    if has_more:
+        rows = rows[:limit]
+
+    queries = []
+    for row in rows:
+        query = query_row_to_stored_query(
+            row, private=bool(row["private"]) if include_private else None
+        )
+        assert query is not None
+        queries.append(query)
+
+    next_token = None
+    if has_more and rows:
+        last_row = rows[-1]
+        if database is None:
+            next_token = "{},{},{}".format(
+                tilde_encode(last_row["database_name"]),
+                tilde_encode(last_row["sort_key"]),
+                tilde_encode(last_row["name"]),
+            )
+        else:
+            next_token = "{},{}".format(
+                tilde_encode(last_row["sort_key"]),
+                tilde_encode(last_row["name"]),
+            )
+    return StoredQueryPage(
+        queries=queries,
+        next=next_token,
+        has_more=has_more,
+        limit=limit,
+    )
diff --git a/datasette/template_contexts.py b/datasette/template_contexts.py
new file mode 100644
index 00000000..232eb051
--- /dev/null
+++ b/datasette/template_contexts.py
@@ -0,0 +1,40 @@
+"""
+Index of the documented template contexts for Datasette's core HTML pages.
+
+This module deliberately contains no documentation strings of its own -
+the documentation lives next to the code it describes:
+
+- Every page renders a Context dataclass defined in its view module
+  (DatabaseContext, QueryContext in views/database.py, TableContext in
+  views/table.py, RowContext in views/row.py). Fields added by view code
+  carry ``help`` metadata; fields declared with from_extra() take their
+  documentation from the description on the matching Extra class in
+  views/table_extras.py.
+- The keys render_template() adds to every page are documented in
+  TEMPLATE_BASE_CONTEXT in datasette/app.py, next to the code that adds
+  them.
+
+The contract tests in tests/test_template_context.py assert that the real
+rendered context for each page exactly matches what is documented, and
+docs/template_context_doc.py generates docs/template_context.rst from the
+same classes.
+"""
+
+from datasette.app import TEMPLATE_BASE_CONTEXT
+from datasette.views.database import DatabaseContext, QueryContext
+from datasette.views.row import RowContext
+from datasette.views.table import TableContext
+
+PAGES = {
+    "database": DatabaseContext,
+    "query": QueryContext,
+    "table": TableContext,
+    "row": RowContext,
+}
+
+
+def documented_context_keys(page_name):
+    "Set of every documented key for the named page, including base context keys"
+    return set(TEMPLATE_BASE_CONTEXT) | {
+        f.name for f in PAGES[page_name].documented_fields()
+    }
diff --git a/datasette/templates/_action_menu.html b/datasette/templates/_action_menu.html
index 7d1d4a55..86089992 100644
--- a/datasette/templates/_action_menu.html
+++ b/datasette/templates/_action_menu.html
@@ -1,7 +1,7 @@
 {% if action_links %}
 <div class="page-action-menu">
 <details class="actions-menu-links details-menu">
-    <summary>
+    <summary aria-haspopup="menu" aria-expanded="false">
         <div class="icon-text">
             <svg class="icon" aria-labelledby="actions-menu-links-title" role="img" style="color: #fff" xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                 <title id="actions-menu-links-title">{{ action_title }}</title>
@@ -13,16 +13,24 @@
     </summary>
     <div class="dropdown-menu">
         <div class="hook"></div>
-        <ul>
+        <ul role="menu">
             {% for link in action_links %}
-            <li><a href="{{ link.href }}">{{ link.label }}
-            {% if link.description %}
-                <p class="dropdown-description">{{ link.description }}</p>
-            {% endif %}</a>
+            <li role="none">
+            {% if link.get("type") == "button" %}
+                <button type="button" class="button-as-link action-menu-button" role="menuitem" tabindex="-1"{% for name, value in (link.get("attrs") or {}).items() %} {{ name }}="{{ value }}"{% endfor %}>{{ link.label }}
+                {% if link.description %}
+                    <span class="dropdown-description">{{ link.description }}</span>
+                {% endif %}</button>
+            {% else %}
+                <a href="{{ link.href }}" role="menuitem" tabindex="-1">{{ link.label }}
+                {% if link.description %}
+                    <span class="dropdown-description">{{ link.description }}</span>
+                {% endif %}</a>
+            {% endif %}
             </li>
             {% endfor %}
         </ul>
     </div>
 </details>
 </div>
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/datasette/templates/_close_open_menus.html b/datasette/templates/_close_open_menus.html
index 3302d77d..a24633d0 100644
--- a/datasette/templates/_close_open_menus.html
+++ b/datasette/templates/_close_open_menus.html
@@ -13,4 +13,50 @@ document.body.addEventListener('click', (ev) => {
         (details) => details.open && details != detailsClickedWithin
     ).forEach(details => details.open = false);
 });
+
+/* Sync aria-expanded and add keyboard navigation for details-menu elements */
+document.querySelectorAll('details.details-menu').forEach(function(details) {
+    var summary = details.querySelector('summary');
+    details.addEventListener('toggle', function() {
+        if (summary) {
+            summary.setAttribute('aria-expanded', details.open ? 'true' : 'false');
+        }
+        if (details.open) {
+            /* Focus first menu item when menu opens */
+            var firstItem = details.querySelector('[role="menuitem"]');
+            if (firstItem) { firstItem.focus(); }
+        }
+    });
+});
+
+document.body.addEventListener('keydown', function(ev) {
+    /* Keyboard navigation for open details-menu elements */
+    var openDetails = Array.from(document.querySelectorAll('details.details-menu[open]'));
+    if (!openDetails.length) { return; }
+
+    if (ev.key === 'Escape') {
+        openDetails.forEach(function(details) {
+            details.open = false;
+            var summary = details.querySelector('summary');
+            if (summary) { summary.focus(); }
+        });
+        return;
+    }
+
+    if (ev.key === 'ArrowDown' || ev.key === 'ArrowUp') {
+        var focused = document.activeElement;
+        openDetails.forEach(function(details) {
+            var items = Array.from(details.querySelectorAll('[role="menuitem"]'));
+            if (!items.length) { return; }
+            var idx = items.indexOf(focused);
+            if (idx === -1) { return; }
+            ev.preventDefault();
+            if (ev.key === 'ArrowDown') {
+                items[(idx + 1) % items.length].focus();
+            } else {
+                items[(idx - 1 + items.length) % items.length].focus();
+            }
+        });
+    }
+});
 </script>
diff --git a/datasette/templates/_codemirror.html b/datasette/templates/_codemirror.html
index c4629aeb..75c16168 100644
--- a/datasette/templates/_codemirror.html
+++ b/datasette/templates/_codemirror.html
@@ -1,5 +1,5 @@
-<script src="{{ base_url }}-/static/sql-formatter-2.3.3.min.js" defer></script>
-<script src="{{ base_url }}-/static/cm-editor-6.0.1.bundle.js"></script>
+<script src="{{ static('sql-formatter-2.3.3.min.js') }}" defer></script>
+<script src="{{ static('cm-editor-6.0.1.bundle.js') }}"></script>
 <style>
   .cm-editor {
     resize: both;
diff --git a/datasette/templates/_execute_write_analysis_scripts.html b/datasette/templates/_execute_write_analysis_scripts.html
new file mode 100644
index 00000000..a19bae13
--- /dev/null
+++ b/datasette/templates/_execute_write_analysis_scripts.html
@@ -0,0 +1,111 @@
+<script>
+window.datasetteSqlAnalysis = (() => {
+  if (
+    window.datasetteSqlAnalysis &&
+    window.datasetteSqlAnalysis.renderAnalysis
+  ) {
+    return window.datasetteSqlAnalysis;
+  }
+
+  function appendCodeCell(row, value, emptyText) {
+    const cell = document.createElement("td");
+    if (value) {
+      const code = document.createElement("code");
+      code.textContent = value;
+      cell.appendChild(code);
+    } else if (emptyText) {
+      appendNotApplicable(cell);
+    }
+    row.appendChild(cell);
+  }
+
+  function appendNotApplicable(cell) {
+    const notApplicable = document.createElement("span");
+    notApplicable.className = "execute-write-analysis-na";
+    notApplicable.textContent = "n/a";
+    cell.appendChild(notApplicable);
+  }
+
+  function renderAnalysis(section, data) {
+    if (!section) {
+      return;
+    }
+    section.replaceChildren();
+    if (data.has_sql === false) {
+      section.hidden = true;
+      return;
+    }
+    section.hidden = false;
+
+    const heading = document.createElement("h2");
+    heading.textContent = "Query operations";
+    section.appendChild(heading);
+
+    if (data.analysis_error) {
+      const error = document.createElement("p");
+      error.className = "message-error";
+      error.textContent = data.analysis_error;
+      section.appendChild(error);
+      return;
+    }
+
+    const rows = data.analysis_rows || [];
+    if (!rows.length) {
+      const empty = document.createElement("p");
+      empty.textContent =
+        "Analysis will show each affected table and required permission.";
+      section.appendChild(empty);
+      return;
+    }
+
+    const wrapper = document.createElement("div");
+    wrapper.className = "table-wrapper";
+    const table = document.createElement("table");
+    table.className = "execute-write-analysis";
+    const thead = document.createElement("thead");
+    const headerRow = document.createElement("tr");
+    [
+      "Operation",
+      "Database",
+      "Table",
+      "Required permission",
+      "Allowed",
+    ].forEach((label) => {
+      const th = document.createElement("th");
+      th.scope = "col";
+      th.textContent = label;
+      headerRow.appendChild(th);
+    });
+    thead.appendChild(headerRow);
+    table.appendChild(thead);
+
+    const tbody = document.createElement("tbody");
+    rows.forEach((analysisRow) => {
+      const row = document.createElement("tr");
+      appendCodeCell(row, analysisRow.operation);
+      appendCodeCell(row, analysisRow.database);
+      appendCodeCell(row, analysisRow.table);
+      appendCodeCell(row, analysisRow.required_permission, "n/a");
+
+      const allowedCell = document.createElement("td");
+      if (analysisRow.allowed !== null && analysisRow.allowed !== undefined) {
+        const allowed = document.createElement("span");
+        allowed.className = analysisRow.allowed
+          ? "execute-write-analysis-allowed"
+          : "execute-write-analysis-denied";
+        allowed.textContent = analysisRow.allowed ? "yes" : "no";
+        allowedCell.appendChild(allowed);
+      } else {
+        appendNotApplicable(allowedCell);
+      }
+      row.appendChild(allowedCell);
+      tbody.appendChild(row);
+    });
+    table.appendChild(tbody);
+    wrapper.appendChild(table);
+    section.appendChild(wrapper);
+  }
+
+  return { renderAnalysis };
+})();
+</script>
diff --git a/datasette/templates/_execute_write_analysis_styles.html b/datasette/templates/_execute_write_analysis_styles.html
new file mode 100644
index 00000000..165cfe9f
--- /dev/null
+++ b/datasette/templates/_execute_write_analysis_styles.html
@@ -0,0 +1,41 @@
+<style>
+.execute-write-analysis {
+    border-collapse: collapse;
+    font-size: 0.9rem;
+    margin: 0.25rem 0 1rem;
+    min-width: 44rem;
+}
+.execute-write-analysis th,
+.execute-write-analysis td {
+    border-bottom: 1px solid #d7dde5;
+    padding: 0.45rem 0.7rem;
+    text-align: left;
+    vertical-align: top;
+}
+.execute-write-analysis th {
+    background-color: #edf6fb;
+    border-top: 1px solid #d7dde5;
+    color: #39445a;
+    font-weight: 700;
+}
+.execute-write-analysis tbody tr:nth-child(even) {
+    background-color: rgba(39, 104, 144, 0.05);
+}
+.execute-write-analysis code {
+    background: transparent;
+    font-size: 0.9em;
+    white-space: nowrap;
+}
+.execute-write-analysis-allowed {
+    color: #267a3e;
+    font-weight: 700;
+}
+.execute-write-analysis-denied {
+    color: #b00020;
+    font-weight: 700;
+}
+.execute-write-analysis-na {
+    color: #687386;
+    font-style: italic;
+}
+</style>
diff --git a/datasette/templates/_facet_results.html b/datasette/templates/_facet_results.html
index 034e9678..570bb37e 100644
--- a/datasette/templates/_facet_results.html
+++ b/datasette/templates/_facet_results.html
@@ -12,9 +12,9 @@
             <ul class="tight-bullets">
                 {% for facet_value in facet_info.results %}
                     {% if not facet_value.selected %}
-                        <li><a href="{{ facet_value.toggle_url }}" data-facet-value="{{ facet_value.value }}">{{ (facet_value.label | string()) or "-" }}</a> {{ "{:,}".format(facet_value.count) }}</li>
+                        <li><a href="{{ facet_value.toggle_url }}" data-facet-value="{{ facet_value.value }}">{{ (facet_value.label | string()) or "-" }}</a> <span class="facet-count">{{ "{:,}".format(facet_value.count) }}</span></li>
                     {% else %}
-                        <li>{{ facet_value.label or "-" }} &middot; {{ "{:,}".format(facet_value.count) }} <a href="{{ facet_value.toggle_url }}" class="cross">&#x2716;</a></li>
+                        <li>{{ facet_value.label or "-" }} &middot; <span class="facet-count">{{ "{:,}".format(facet_value.count) }}</span> <a href="{{ facet_value.toggle_url }}" class="cross">&#x2716;</a></li>
                     {% endif %}
                 {% endfor %}
                 {% if facet_info.truncated %}
diff --git a/datasette/templates/_query_form_styles.html b/datasette/templates/_query_form_styles.html
new file mode 100644
index 00000000..cf2dd42c
--- /dev/null
+++ b/datasette/templates/_query_form_styles.html
@@ -0,0 +1,138 @@
+<style>
+.query-create-page {
+    max-width: 64rem;
+}
+.query-create-form {
+    --query-create-label-width: clamp(7rem, 18vw, 10rem);
+    --query-create-column-gap: 0.8rem;
+    --query-create-control-width: minmax(16rem, 1fr);
+}
+.query-create-fields {
+    margin: 0 0 0.85rem;
+    max-width: 52rem;
+}
+.query-create-field {
+    align-items: start;
+    column-gap: var(--query-create-column-gap);
+    display: grid;
+    grid-template-columns: var(--query-create-label-width) var(--query-create-control-width);
+    margin: 0 0 0.65rem;
+}
+.query-create-field label {
+    padding-top: 0.55rem;
+    width: auto;
+}
+.query-create-field input[type=text],
+.query-create-field textarea {
+    box-sizing: border-box;
+    width: 100%;
+}
+form.sql .query-create-field textarea {
+    width: 100%;
+}
+.query-create-url-control {
+    align-items: center;
+    box-sizing: border-box;
+    display: grid;
+    gap: 0.35rem;
+    grid-template-columns: max-content minmax(12rem, 1fr);
+    width: 100%;
+}
+.query-create-url-prefix {
+    color: #4f5b6d;
+    font-family: var(--font-monospace, monospace);
+    white-space: nowrap;
+}
+.query-create-url-control input[type=text] {
+    border: 1px solid #ccc;
+    border-radius: 3px;
+}
+.query-create-url-static {
+    color: #39445a;
+    font-family: var(--font-monospace, monospace);
+    word-break: break-all;
+}
+.query-create-field textarea {
+    border: 1px solid #ccc;
+    border-radius: 3px;
+    display: block;
+    font-family: Helvetica, sans-serif;
+    font-size: 1em;
+    min-height: 5rem;
+    padding: 9px 4px;
+    resize: vertical;
+}
+form.sql .query-create-sql {
+    column-gap: var(--query-create-column-gap);
+    display: grid;
+    grid-template-columns: var(--query-create-label-width) var(--query-create-control-width);
+    margin: 0.9rem 0 0.75rem;
+    max-width: 52rem;
+}
+.query-create-sql .cm-editor,
+form.sql .query-create-sql textarea#sql-editor {
+    grid-column: 2;
+    width: 100%;
+}
+.query-create-options {
+    align-items: center;
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.8rem 1.4rem;
+    margin: 0 0 0.9rem calc(var(--query-create-label-width) + var(--query-create-column-gap));
+    max-width: calc(52rem - var(--query-create-label-width) - var(--query-create-column-gap));
+}
+.query-create-options label {
+    align-items: center;
+    display: inline-flex;
+    gap: 0.35rem;
+    width: auto;
+}
+.query-create-options input[type=checkbox] {
+    margin: 0;
+}
+.query-create-option-note,
+.query-create-analysis-note {
+    color: #4f5b6d;
+    flex-basis: 100%;
+    font-size: 0.82rem;
+}
+.query-create-option-note {
+    margin: -0.45rem 0 0;
+}
+.query-create-analysis-note {
+    margin: 0;
+}
+.query-create-analysis {
+    margin-top: 0.8rem;
+}
+.query-create-submit {
+    margin-left: calc(var(--query-create-label-width) + var(--query-create-column-gap));
+    margin-bottom: 0.9rem;
+    margin-top: 1rem;
+}
+@media (max-width: 560px) {
+    .query-create-form {
+        --query-create-label-width: 1fr;
+        --query-create-column-gap: 0;
+    }
+    .query-create-field {
+        grid-template-columns: 1fr;
+        row-gap: 0.25rem;
+    }
+    .query-create-field label {
+        padding-top: 0;
+    }
+    form.sql .query-create-sql {
+        grid-template-columns: 1fr;
+    }
+    .query-create-sql .cm-editor,
+    form.sql .query-create-sql textarea#sql-editor {
+        grid-column: 1;
+    }
+    .query-create-options,
+    .query-create-submit {
+        margin-left: 0;
+    }
+}
+</style>
diff --git a/datasette/templates/_query_results.html b/datasette/templates/_query_results.html
new file mode 100644
index 00000000..5e1e2f72
--- /dev/null
+++ b/datasette/templates/_query_results.html
@@ -0,0 +1,20 @@
+{% if display_rows %}
+<div class="table-wrapper"><table class="rows-and-columns">
+    <thead>
+        <tr>
+            {% for column in columns %}<th class="col-{{ column|to_css_class }}" scope="col">{{ column }}</th>{% endfor %}
+        </tr>
+    </thead>
+    <tbody>
+    {% for row in display_rows %}
+        <tr>
+            {% for column, td in zip(columns, row) %}
+                <td class="col-{{ column|to_css_class }}">{{ td }}</td>
+            {% endfor %}
+        </tr>
+    {% endfor %}
+    </tbody>
+</table></div>
+{% elif show_zero_results %}
+    <p class="zero-results">0 results</p>
+{% endif %}
diff --git a/datasette/templates/_sql_parameter_scripts.html b/datasette/templates/_sql_parameter_scripts.html
new file mode 100644
index 00000000..9b83889e
--- /dev/null
+++ b/datasette/templates/_sql_parameter_scripts.html
@@ -0,0 +1,307 @@
+<script>
+window.datasetteSqlParameters = (() => {
+  if (
+    window.datasetteSqlParameters &&
+    window.datasetteSqlParameters.setupSqlParameterRefresh
+  ) {
+    return window.datasetteSqlParameters;
+  }
+
+  function currentSql(form) {
+    if (window.editor) {
+      return window.editor.state.doc.toString();
+    }
+    const sqlInput = form.querySelector("textarea#sql-editor, input[name=sql]");
+    return sqlInput ? sqlInput.value : "";
+  }
+
+  function controlState(control) {
+    return {
+      value: control.value,
+      expanded: control.tagName.toLowerCase() === "textarea",
+    };
+  }
+
+  function syncParameterState(manager) {
+    manager.parameterState = new Map();
+    manager.section
+      .querySelectorAll("[data-parameter-control]")
+      .forEach((control) => {
+        manager.parameterState.set(
+          control.dataset.parameterName,
+          controlState(control)
+        );
+      });
+  }
+
+  function createControl(parameter, id, state, namePrefix) {
+    const control = document.createElement(state.expanded ? "textarea" : "input");
+    control.id = id;
+    control.name = `${namePrefix || ""}${parameter}`;
+    control.value = state.value;
+    control.setAttribute("data-parameter-control", "");
+    control.dataset.parameterName = parameter;
+    if (state.expanded) {
+      control.rows = 5;
+    } else {
+      control.type = "text";
+    }
+    return control;
+  }
+
+  function replaceParameterControl(
+    manager,
+    control,
+    button,
+    expand,
+    value,
+    selectionStart
+  ) {
+    const parameter = control.dataset.parameterName;
+    const replacement = createControl(
+      parameter,
+      control.id,
+      {
+        value: value === undefined ? control.value : value,
+        expanded: expand,
+      },
+      manager.namePrefix
+    );
+    button.textContent = expand ? "Collapse" : "Expand";
+    button.setAttribute("aria-expanded", expand ? "true" : "false");
+    control.replaceWith(replacement);
+    replacement.focus();
+    if (selectionStart !== undefined && replacement.setSelectionRange) {
+      replacement.setSelectionRange(selectionStart, selectionStart);
+    }
+    manager.parameterState.set(parameter, controlState(replacement));
+  }
+
+  function renderParameters(manager, parameters) {
+    syncParameterState(manager);
+    const previousState = manager.parameterState;
+    const nextState = new Map();
+    manager.section.replaceChildren();
+    if (!parameters.length) {
+      manager.parameterState = nextState;
+      return;
+    }
+
+    const heading = document.createElement("h2");
+    heading.textContent = "Parameters";
+    manager.section.appendChild(heading);
+
+    parameters.forEach((parameter, index) => {
+      const id = `qp${index + 1}`;
+      const state = previousState.get(parameter) || {
+        value: "",
+        expanded: false,
+      };
+      if (!manager.allowExpand) {
+        state.expanded = false;
+      }
+      nextState.set(parameter, state);
+
+      const row = document.createElement("p");
+      row.className = "sql-parameter-row";
+
+      const label = document.createElement("label");
+      label.htmlFor = id;
+      label.textContent = parameter;
+
+      const control = createControl(parameter, id, state, manager.namePrefix);
+
+      row.append(label, control);
+      if (manager.allowExpand) {
+        const button = document.createElement("button");
+        button.type = "button";
+        button.className = "sql-parameter-toggle";
+        button.setAttribute("data-parameter-toggle", "");
+        button.setAttribute("aria-controls", id);
+        button.setAttribute("aria-expanded", state.expanded ? "true" : "false");
+        button.textContent = state.expanded ? "Collapse" : "Expand";
+        row.append(" ", button);
+      }
+      manager.section.appendChild(row);
+    });
+
+    manager.parameterState = nextState;
+  }
+
+  function bindParameterControls(manager) {
+    manager.form.addEventListener("input", (event) => {
+      const control = event.target;
+      if (!control.matches || !control.matches("[data-parameter-control]")) {
+        return;
+      }
+      manager.parameterState.set(
+        control.dataset.parameterName,
+        controlState(control)
+      );
+    });
+
+    if (!manager.allowExpand) {
+      return;
+    }
+
+    manager.form.addEventListener("click", (event) => {
+      const button = event.target.closest
+        ? event.target.closest("[data-parameter-toggle]")
+        : null;
+      if (!button || !manager.form.contains(button)) {
+        return;
+      }
+      const control = document.getElementById(button.getAttribute("aria-controls"));
+      if (!control) {
+        return;
+      }
+      const expanded = control.tagName.toLowerCase() === "textarea";
+      replaceParameterControl(manager, control, button, !expanded);
+    });
+
+    manager.form.addEventListener("paste", (event) => {
+      const control = event.target;
+      if (
+        !(control instanceof HTMLInputElement) ||
+        !control.matches("[data-parameter-control]")
+      ) {
+        return;
+      }
+      const pasted = event.clipboardData ? event.clipboardData.getData("text") : "";
+      if (!/[\r\n]/.test(pasted)) {
+        return;
+      }
+      const button = document.querySelector(
+        `[data-parameter-toggle][aria-controls="${control.id}"]`
+      );
+      if (!button) {
+        return;
+      }
+      event.preventDefault();
+      const selectionStart = control.selectionStart ?? control.value.length;
+      const selectionEnd = control.selectionEnd ?? selectionStart;
+      const value =
+        control.value.slice(0, selectionStart) +
+        pasted +
+        control.value.slice(selectionEnd);
+      replaceParameterControl(
+        manager,
+        control,
+        button,
+        true,
+        value,
+        selectionStart + pasted.length
+      );
+    });
+  }
+
+  function bindEditorChanges(form, callback) {
+    const editorElement = form.querySelector(".cm-content");
+    if (editorElement) {
+      editorElement.addEventListener("input", callback);
+    }
+    if (!window.editor) {
+      const sqlInput = form.querySelector("textarea#sql-editor");
+      if (sqlInput) {
+        sqlInput.addEventListener("input", callback);
+      }
+      return;
+    }
+    if (!window.editor.datasetteSqlParameterCallbacks) {
+      const editor = window.editor;
+      const originalDispatch = editor.dispatch.bind(editor);
+      editor.datasetteSqlParameterCallbacks = [];
+      editor.dispatch = (...transactions) => {
+        const before = editor.state.doc.toString();
+        originalDispatch(...transactions);
+        if (editor.state.doc.toString() !== before) {
+          editor.datasetteSqlParameterCallbacks.forEach((listener) => listener());
+        }
+      };
+    }
+    window.editor.datasetteSqlParameterCallbacks.push(callback);
+  }
+
+  function setupSqlParameterRefresh(options) {
+    const form =
+      options.form || document.querySelector("form.sql.core[data-parameters-url]");
+    if (!form) {
+      return null;
+    }
+    const shouldRenderParameters = options.renderParameters !== false;
+    const section =
+      options.section || form.querySelector("[data-sql-parameters-section]");
+    if (shouldRenderParameters && !section) {
+      return null;
+    }
+    const manager = {
+      form,
+      section,
+      allowExpand:
+        options.allowExpand === undefined
+          ? section
+            ? section.dataset.allowExpand === "1"
+            : false
+          : options.allowExpand,
+      namePrefix: section ? section.dataset.parameterNamePrefix || "" : "",
+      parameterState: new Map(),
+    };
+    if (section) {
+      bindParameterControls(manager);
+      syncParameterState(manager);
+    }
+
+    const url = options.url || form.dataset.parametersUrl;
+    let refreshTimer = null;
+    let refreshSequence = 0;
+
+    async function refreshParameters() {
+      if (!url) {
+        return;
+      }
+      const sequence = ++refreshSequence;
+      try {
+        const requestUrl = new URL(url, window.location.href);
+        requestUrl.searchParams.set("sql", currentSql(form));
+        const response = await fetch(requestUrl, {
+          headers: { accept: "application/json" },
+        });
+        const data = await response.json();
+        if (sequence !== refreshSequence) {
+          return;
+        }
+        if (!response.ok) {
+          throw new Error((data.errors || [response.statusText]).join("; "));
+        }
+        if (shouldRenderParameters) {
+          renderParameters(manager, data.parameters || []);
+        }
+        if (options.onData) {
+          options.onData(data, manager);
+        }
+      } catch (error) {
+        if (sequence !== refreshSequence) {
+          return;
+        }
+        if (options.onError) {
+          options.onError(error, manager);
+        }
+      }
+    }
+
+    function scheduleRefresh() {
+      clearTimeout(refreshTimer);
+      refreshTimer = setTimeout(refreshParameters, options.debounceMs || 350);
+    }
+
+    bindEditorChanges(form, scheduleRefresh);
+    return {
+      currentSql: () => currentSql(form),
+      refreshParameters,
+      renderParameters: (parameters) => renderParameters(manager, parameters),
+    };
+  }
+
+  return { setupSqlParameterRefresh };
+})();
+</script>
diff --git a/datasette/templates/_sql_parameter_styles.html b/datasette/templates/_sql_parameter_styles.html
new file mode 100644
index 00000000..bc6838f5
--- /dev/null
+++ b/datasette/templates/_sql_parameter_styles.html
@@ -0,0 +1,58 @@
+<style>
+form.sql .sql-editor {
+    max-width: 52rem;
+}
+form.sql .sql-editor textarea#sql-editor {
+    width: 100%;
+}
+form.sql .sql-parameters-section {
+    max-width: 52rem;
+}
+form.sql .sql-parameter-row {
+    align-items: start;
+    column-gap: 0.6rem;
+    display: grid;
+    grid-template-columns: minmax(8rem, 11rem) minmax(16rem, 1fr) auto;
+    margin: 0 0 0.65rem;
+    max-width: 52rem;
+}
+form.sql .sql-parameter-row label {
+    overflow-wrap: anywhere;
+    padding-top: 0.55rem;
+    width: auto;
+}
+form.sql .sql-parameter-row input[data-parameter-control],
+form.sql .sql-parameter-row textarea[data-parameter-control] {
+    box-sizing: border-box;
+    width: 100%;
+}
+form.sql .sql-parameter-row textarea[data-parameter-control] {
+    border: 1px solid #ccc;
+    border-radius: 3px;
+    display: block;
+    font-family: Helvetica, sans-serif;
+    font-size: 1em;
+    min-height: 7rem;
+    padding: 9px 4px;
+}
+form.sql.core button.sql-parameter-toggle[type=button] {
+    font-size: 0.72rem;
+    height: 1.8rem;
+    line-height: 1;
+    margin: 0.25rem 0 0;
+    padding: 0.25rem 0.45rem;
+}
+@media (max-width: 480px) {
+    form.sql .sql-parameter-row {
+        grid-template-columns: 1fr;
+        row-gap: 0.25rem;
+    }
+    form.sql .sql-parameter-row label {
+        padding-top: 0;
+    }
+    form.sql.core button.sql-parameter-toggle[type=button] {
+        justify-self: start;
+        margin-top: 0;
+    }
+}
+</style>
diff --git a/datasette/templates/_sql_parameters.html b/datasette/templates/_sql_parameters.html
new file mode 100644
index 00000000..b5c1bde8
--- /dev/null
+++ b/datasette/templates/_sql_parameters.html
@@ -0,0 +1,10 @@
+{% set sql_parameter_name_prefix = sql_parameter_name_prefix|default("") %}
+<div id="{{ sql_parameters_section_id|default("sql-parameters-section") }}" class="sql-parameters-section" data-sql-parameters-section{% if sql_parameter_name_prefix %} data-parameter-name-prefix="{{ sql_parameter_name_prefix }}"{% endif %}{% if sql_parameters_allow_expand|default(false) %} data-allow-expand="1"{% endif %}>
+    {% if parameter_names %}
+        <h2>Parameters</h2>
+        {% for parameter in parameter_names %}
+            {% set parameter_id = (sql_parameter_id_prefix|default("qp")) ~ loop.index %}
+            <p class="sql-parameter-row"><label for="{{ parameter_id }}">{{ parameter }}</label> <input type="text" id="{{ parameter_id }}" name="{{ sql_parameter_name_prefix }}{{ parameter }}" value="{{ parameter_values.get(parameter, "") }}" data-parameter-control data-parameter-name="{{ parameter }}">{% if sql_parameters_allow_expand|default(false) %} <button type="button" class="sql-parameter-toggle" data-parameter-toggle aria-controls="{{ parameter_id }}" aria-expanded="false">Expand</button>{% endif %}</p>
+        {% endfor %}
+    {% endif %}
+</div>
diff --git a/datasette/templates/_table.html b/datasette/templates/_table.html
index a1329ba7..171b6442 100644
--- a/datasette/templates/_table.html
+++ b/datasette/templates/_table.html
@@ -1,12 +1,12 @@
 <!-- above-table-panel is a hook node for plugins to attach to . Displays even if no data available -->
 <div class="above-table-panel"> </div>
-{% if display_rows %}
+{% if display_columns %}
 <div class="table-wrapper">
     <table class="rows-and-columns">
         <thead>
             <tr>
                 {% for column in display_columns %}
-                    <th {% if column.description %}data-column-description="{{ column.description }}" {% endif %}class="col-{{ column.name|to_css_class }}" scope="col" data-column="{{ column.name }}" data-column-type="{{ column.type.lower() }}" data-column-not-null="{{ column.notnull }}" data-is-pk="{% if column.is_pk %}1{% else %}0{% endif %}">
+                    <th {% if column.description %}data-column-description="{{ column.description }}" {% endif %}class="col-{{ column.name|to_css_class }}" scope="col" data-column="{{ column.name }}" data-column-type="{{ column.type.lower() }}" data-column-not-null="{{ column.notnull }}" data-is-pk="{% if column.is_pk %}1{% else %}0{% endif %}"{% if column.is_special_link_column %} data-is-link-column="1"{% endif %}>
                         {% if not column.sortable %}
                             {{ column.name }}
                         {% else %}
@@ -22,7 +22,7 @@
         </thead>
         <tbody>
         {% for row in display_rows %}
-            <tr>
+            <tr{% if row.pk_path is not none %} data-row="{{ row.row_path }}"{% if row.row_label %} data-row-label="{{ row.row_label }}"{% endif %}{% endif %}>
                 {% for cell in row %}
                     <td class="col-{{ cell.column|to_css_class }} type-{{ cell.value_type }}">{{ cell.value }}</td>
                 {% endfor %}
@@ -31,6 +31,7 @@
         </tbody>
     </table>
 </div>
-{% else %}
+{% endif %}
+{% if not display_rows %}
     <p class="zero-results">0 records</p>
 {% endif %}
diff --git a/datasette/templates/api_explorer.html b/datasette/templates/api_explorer.html
index dc393c20..4927cb8d 100644
--- a/datasette/templates/api_explorer.html
+++ b/datasette/templates/api_explorer.html
@@ -3,7 +3,7 @@
 {% block title %}API Explorer{% endblock %}
 
 {% block extra_head %}
-<script src="{{ base_url }}-/static/json-format-highlight-1.0.1.js"></script>
+<script src="{{ static('json-format-highlight-1.0.1.js') }}"></script>
 {% endblock %}
 
 {% block content %}
@@ -19,7 +19,7 @@
 </p>
 <details open style="border: 2px solid #ccc; border-bottom: none; padding: 0.5em">
   <summary style="cursor: pointer;">GET</summary>
-  <form class="core" method="get" id="api-explorer-get" style="margin-top: 0.7em">
+  <form class="core" method="get" action="{{ urls.path('-/api') }}" id="api-explorer-get" style="margin-top: 0.7em">
     <div>
       <label for="path">API path:</label>
       <input type="text" id="path" name="path" style="width: 60%">
@@ -29,7 +29,7 @@
 </details>
 <details style="border: 2px solid #ccc; padding: 0.5em">
   <summary style="cursor: pointer">POST</summary>
-  <form class="core" method="post" id="api-explorer-post" style="margin-top: 0.7em">
+  <form class="core" method="post" action="{{ urls.path('-/api') }}" id="api-explorer-post" style="margin-top: 0.7em">
     <div>
       <label for="path">API path:</label>
       <input type="text" id="path" name="path" style="width: 60%">
diff --git a/datasette/templates/base.html b/datasette/templates/base.html
index 0d89e11c..18288439 100644
--- a/datasette/templates/base.html
+++ b/datasette/templates/base.html
@@ -2,13 +2,13 @@
 <html lang="en">
 <head>
     <title>{% block title %}{% endblock %}</title>
-    <link rel="stylesheet" href="{{ urls.static('app.css') }}?{{ app_css_hash }}">
+    <link rel="stylesheet" href="{{ static('app.css') }}">
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 {% for url in extra_css_urls %}
     <link rel="stylesheet" href="{{ url.url }}"{% if url.get("sri") %} integrity="{{ url.sri }}" crossorigin="anonymous"{% endif %}>
 {% endfor %}
 <script>window.datasetteVersion = '{{ datasette_version }}';</script>
-<script src="{{ urls.static('datasette-manager.js') }}" defer></script>
+<script src="{{ static('datasette-manager.js') }}" defer></script>
 {% for url in extra_js_urls %}
     <script {% if url.module %}type="module" {% endif %}src="{{ url.url }}"{% if url.get("sri") %} integrity="{{ url.sri }}" crossorigin="anonymous"{% endif %}></script>
 {% endfor %}
@@ -20,7 +20,7 @@
 <body class="{% block body_class %}{% endblock %}">
 <div class="not-footer">
 <header class="hd"><nav>{% block nav %}{% block crumbs %}{{ crumbs.nav(request=request) }}{% endblock %}
-    {% set links = menu_links() %}{% if links or show_logout %}
+    {% set links = menu_links() %}
     <details class="nav-menu details-menu">
         <summary><svg aria-labelledby="nav-menu-svg-title" role="img"
             fill="currentColor" stroke="currentColor" xmlns="http://www.w3.org/2000/svg"
@@ -29,20 +29,18 @@
                 <path fill-rule="evenodd" d="M1 2.75A.75.75 0 011.75 2h12.5a.75.75 0 110 1.5H1.75A.75.75 0 011 2.75zm0 5A.75.75 0 011.75 7h12.5a.75.75 0 110 1.5H1.75A.75.75 0 011 7.75zM1.75 12a.75.75 0 100 1.5h12.5a.75.75 0 100-1.5H1.75z"></path>
         </svg></summary>
         <div class="nav-menu-inner">
-            {% if links %}
             <ul>
+                <li><button type="button" class="button-as-link" data-navigation-search-open aria-haspopup="dialog" aria-expanded="false" aria-keyshortcuts="/">Jump to... <kbd class="keyboard-shortcut" aria-hidden="true" title="Keyboard shortcut: press / to open Jump to">/</kbd></button></li>
                 {% for link in links %}
                 <li><a href="{{ link.href }}">{{ link.label }}</a></li>
                 {% endfor %}
             </ul>
-            {% endif %}
             {% if show_logout %}
             <form class="nav-menu-logout" action="{{ urls.logout() }}" method="post">
-                <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
                 <button class="button-as-link">Log out</button>
             </form>{% endif %}
         </div>
-    </details>{% endif %}
+    </details>
     {% if actor %}
     <div class="actor">
         <strong>{{ display_actor(actor) }}</strong>
@@ -72,7 +70,7 @@
 {% endfor %}
 
 {% if select_templates %}<!-- Templates considered: {{ select_templates|join(", ") }} -->{% endif %}
-<script src="{{ urls.static('navigation-search.js') }}" defer></script>
-<navigation-search url="/-/tables"></navigation-search>
+<script src="{{ static('navigation-search.js') }}" defer></script>
+<navigation-search url="{{ urls.path("/-/jump") }}"></navigation-search>
 </body>
 </html>
diff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html
index ad7c71b6..270d9c86 100644
--- a/datasette/templates/create_token.html
+++ b/datasette/templates/create_token.html
@@ -50,7 +50,6 @@
       </select>
     </div>
     <input type="text" name="expire_duration" style="width: 10%">
-    <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
     <input type="submit" value="Create token">
 
   <details style="margin-top: 1em" id="restrict-permissions">
diff --git a/datasette/templates/csrf_error.html b/datasette/templates/csrf_error.html
index 7cd4b42b..b84749d3 100644
--- a/datasette/templates/csrf_error.html
+++ b/datasette/templates/csrf_error.html
@@ -1,5 +1,5 @@
 {% extends "base.html" %}
-{% block title %}CSRF check failed){% endblock %}
+{% block title %}CSRF check failed{% endblock %}
 {% block content %}
 <h1>Form origin check failed</h1>
 
@@ -7,7 +7,7 @@
 
 <details><summary>Technical details</summary>
   <p>Developers: consult Datasette's <a href="https://docs.datasette.io/en/latest/internals.html#csrf-protection">CSRF protection documentation</a>.</p>
-  <p>Error code is {{ message_name }}.</p>
+  <p>Reason: {{ reason }}</p>
 </details>
 
 {% endblock %}
diff --git a/datasette/templates/database.html b/datasette/templates/database.html
index 42b4ca0b..a9fad8dd 100644
--- a/datasette/templates/database.html
+++ b/datasette/templates/database.html
@@ -5,6 +5,11 @@
 {% block extra_head %}
 {{- super() -}}
 {% include "_codemirror.html" %}
+{% include "_sql_parameter_styles.html" %}
+{% if database_page_data.createTable %}
+<script>window._datasetteDatabaseData = {{ database_page_data|tojson }};</script>
+<script src="{{ static('edit-tools.js') }}" defer></script>
+{% endif %}
 {% endblock %}
 
 {% block body_class %}db db-{{ database|to_css_class }}{% endblock %}
@@ -25,9 +30,13 @@
 {% block description_source_license %}{% include "_description_source_license.html" %}{% endblock %}
 
 {% if allow_execute_sql %}
-    <form class="sql core" action="{{ urls.database(database) }}/-/query" method="get">
+    <form class="sql core" action="{{ urls.database(database) }}/-/query" method="get" data-parameters-url="{{ urls.database(database) }}/-/query/parameters">
         <h3>Custom SQL query</h3>
-        <p><textarea id="sql-editor" name="sql">{% if tables %}select * from {{ tables[0].name|escape_sqlite }}{% else %}select sqlite_version(){% endif %}</textarea></p>
+        <p class="sql-editor"><textarea id="sql-editor" name="sql">{% if tables %}select * from {{ tables[0].name|escape_sqlite }}{% else %}select sqlite_version(){% endif %}</textarea></p>
+        {% set parameter_names = [] %}
+        {% set parameter_values = {} %}
+        {% set sql_parameters_allow_expand = false %}
+        {% include "_sql_parameters.html" %}
         <p>
             <button id="sql-format" type="button" hidden>Format SQL</button>
             <input type="submit" value="Run SQL">
@@ -53,6 +62,9 @@
             <li><a href="{{ urls.query(database, query.name) }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a>{% if query.private %} 🔒{% endif %}</li>
         {% endfor %}
     </ul>
+    {% if queries_more %}
+        <p><a href="{{ urls.database(database) }}/-/queries">View {{ "{:,}".format(queries_count) }} quer{% if queries_count == 1 %}y{% else %}ies{% endif %}</a></p>
+    {% endif %}
 {% endif %}
 
 {% if tables %}
@@ -64,7 +76,7 @@
 <div class="db-table">
     <h3><a href="{{ urls.table(database, table.name) }}">{{ table.name }}</a>{% if table.private %} 🔒{% endif %}{% if table.hidden %}<em> (hidden)</em>{% endif %}</h3>
     <p><em>{% for column in table.columns %}{{ column }}{% if not loop.last %}, {% endif %}{% endfor %}</em></p>
-    <p>{% if table.count is none %}Many rows{% elif table.count == count_limit + 1 %}&gt;{{ "{:,}".format(count_limit) }} rows{% else %}{{ "{:,}".format(table.count) }} row{% if table.count == 1 %}{% else %}s{% endif %}{% endif %}</p>
+    <p>{% if table.count is none %}Many rows{% elif table.count_truncated %}&gt;{{ "{:,}".format(table.count - 1) }} rows{% else %}{{ "{:,}".format(table.count) }} row{% if table.count == 1 %}{% else %}s{% endif %}{% endif %}</p>
 </div>
 {% endif %}
 {% endfor %}
@@ -87,5 +99,11 @@
 {% endif %}
 
 {% include "_codemirror_foot.html" %}
+{% include "_sql_parameter_scripts.html" %}
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  window.datasetteSqlParameters.setupSqlParameterRefresh({});
+});
+</script>
 
 {% endblock %}
diff --git a/datasette/templates/debug_allowed.html b/datasette/templates/debug_allowed.html
index add3154a..4f8106b8 100644
--- a/datasette/templates/debug_allowed.html
+++ b/datasette/templates/debug_allowed.html
@@ -3,7 +3,7 @@
 {% block title %}Allowed Resources{% endblock %}
 
 {% block extra_head %}
-<script src="{{ base_url }}-/static/json-format-highlight-1.0.1.js"></script>
+<script src="{{ static('json-format-highlight-1.0.1.js') }}"></script>
 {% include "_permission_ui_styles.html" %}
 {% include "_debug_common_functions.html" %}
 {% endblock %}
diff --git a/datasette/templates/debug_autocomplete.html b/datasette/templates/debug_autocomplete.html
new file mode 100644
index 00000000..380639a3
--- /dev/null
+++ b/datasette/templates/debug_autocomplete.html
@@ -0,0 +1,78 @@
+{% extends "base.html" %}
+
+{% block title %}Debug autocomplete{% endblock %}
+
+{% block extra_head %}
+{{ super() }}
+<script src="{{ static('autocomplete.js') }}" defer></script>
+{% endblock %}
+
+{% block content %}
+<h1>Debug autocomplete</h1>
+
+<form class="core debug-autocomplete-form" action="{{ urls.path('-/debug/autocomplete') }}" method="get">
+    <p>
+        <label for="debug-autocomplete-database">Database</label>
+        <input id="debug-autocomplete-database" type="text" name="database" value="{{ database_name or "" }}">
+    </p>
+    <p>
+        <label for="debug-autocomplete-table">Table</label>
+        <input id="debug-autocomplete-table" type="text" name="table" value="{{ table_name or "" }}">
+    </p>
+    <p><input type="submit" value="Open autocomplete"></p>
+</form>
+
+{% if error %}
+    <p class="message-error">{{ error }}</p>
+{% elif autocomplete_url %}
+    <h2>{{ database_name }} / {{ table_name }}</h2>
+    {% if label_column %}
+        <p>Label column: <code>{{ label_column }}</code></p>
+    {% else %}
+        <p>No label column detected. Results will use primary key values.</p>
+    {% endif %}
+    <div class="debug-autocomplete-demo">
+        <label for="debug-autocomplete-input">Search rows</label>
+        <datasette-autocomplete src="{{ autocomplete_url }}">
+            <input id="debug-autocomplete-input" type="text">
+        </datasette-autocomplete>
+    </div>
+    <h3>Selected row</h3>
+    <pre class="debug-autocomplete-selected" aria-live="polite">No row selected.</pre>
+    <script>
+    document.addEventListener("datasette-autocomplete-select", function (event) {
+        var output = document.querySelector(".debug-autocomplete-selected");
+        if (output) {
+            output.textContent = JSON.stringify(event.detail.row, null, 2);
+        }
+    });
+    </script>
+{% else %}
+    <h2>Suggested tables</h2>
+    {% if suggestions %}
+        <p>Showing up to five tables with a detected label column.</p>
+        <table class="rows-and-columns">
+            <thead>
+                <tr>
+                    <th>Database</th>
+                    <th>Table</th>
+                    <th>Label column</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for suggestion in suggestions %}
+                    <tr>
+                        <td>{{ suggestion.database }}</td>
+                        <td><a href="{{ suggestion.url }}">{{ suggestion.table }}</a></td>
+                        <td><code>{{ suggestion.label_column }}</code></td>
+                    </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    {% else %}
+        <p>No tables with detected label columns found.</p>
+    {% endif %}
+    <p>Scanned {{ scanned }} table{% if scanned != 1 %}s{% endif %}{% if reached_scan_limit %}; stopped at the 100 table scan limit{% endif %}.</p>
+{% endif %}
+
+{% endblock %}
diff --git a/datasette/templates/debug_check.html b/datasette/templates/debug_check.html
index c2e7997f..3b229a25 100644
--- a/datasette/templates/debug_check.html
+++ b/datasette/templates/debug_check.html
@@ -3,7 +3,7 @@
 {% block title %}Permission Check{% endblock %}
 
 {% block extra_head %}
-<script src="{{ base_url }}-/static/json-format-highlight-1.0.1.js"></script>
+<script src="{{ static('json-format-highlight-1.0.1.js') }}"></script>
 {% include "_permission_ui_styles.html" %}
 {% include "_debug_common_functions.html" %}
 <style>
diff --git a/datasette/templates/debug_permissions_playground.html b/datasette/templates/debug_permissions_playground.html
index 91ce1fcf..4410a677 100644
--- a/datasette/templates/debug_permissions_playground.html
+++ b/datasette/templates/debug_permissions_playground.html
@@ -52,7 +52,6 @@ textarea {
 
 <div class="permission-form">
     <form action="{{ urls.path('-/permissions') }}" id="debug-post" method="post">
-        <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
         <div class="two-col">
             <div class="form-section">
                 <label>Actor</label>
diff --git a/datasette/templates/debug_rules.html b/datasette/templates/debug_rules.html
index 9a290803..aafa755d 100644
--- a/datasette/templates/debug_rules.html
+++ b/datasette/templates/debug_rules.html
@@ -3,7 +3,7 @@
 {% block title %}Permission Rules{% endblock %}
 
 {% block extra_head %}
-<script src="{{ base_url }}-/static/json-format-highlight-1.0.1.js"></script>
+<script src="{{ static('json-format-highlight-1.0.1.js') }}"></script>
 {% include "_permission_ui_styles.html" %}
 {% include "_debug_common_functions.html" %}
 {% endblock %}
diff --git a/datasette/templates/execute_write.html b/datasette/templates/execute_write.html
new file mode 100644
index 00000000..592577f8
--- /dev/null
+++ b/datasette/templates/execute_write.html
@@ -0,0 +1,337 @@
+{% extends "base.html" %}
+
+{% block title %}Write to this database{% endblock %}
+
+{% block extra_head %}
+{{- super() -}}
+{% include "_codemirror.html" %}
+<style>
+.execute-write-template-menu {
+    margin: 0.9rem 0 0.8rem;
+    max-width: 52rem;
+}
+.execute-write-template-menu summary {
+    cursor: pointer;
+    font-weight: 600;
+    margin-bottom: 0.35rem;
+}
+.execute-write-template-controls {
+    align-items: center;
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.4rem;
+    margin: 0.4rem 0 0.7rem;
+}
+.execute-write-template-menu .execute-write-template-controls label {
+    margin-right: 0.25rem;
+    width: auto;
+}
+.execute-write-template-controls select,
+.execute-write-template-controls button[type=button] {
+    box-sizing: border-box;
+    font-size: 0.78rem;
+    height: 2rem;
+    line-height: 1.1;
+    padding: 0.35rem 0.55rem;
+}
+.execute-write-template-controls select {
+    background-color: #fff;
+    border: 1px solid #777;
+    border-radius: 0.25rem;
+    min-width: 13rem;
+}
+.execute-write-submit-row {
+    align-items: center;
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.45rem 0.75rem;
+}
+.execute-write-submit-row [hidden] {
+    display: none;
+}
+form.sql.core input[data-execute-write-submit]:disabled {
+    background: #d0d7de;
+    border-color: #b6c0cc;
+    color: #5f6975;
+    cursor: not-allowed;
+    opacity: 1;
+}
+.execute-write form.sql .sql-editor-min-lines .cm-content,
+.execute-write form.sql .sql-editor-min-lines .cm-gutter {
+    /* Four visible editor lines without adding blank lines to the SQL value. */
+    min-height: calc(5.6em + 8px);
+}
+.execute-write-disabled-reason {
+    color: #4f5b6d;
+    font-size: 0.85rem;
+}
+</style>
+{% include "_execute_write_analysis_styles.html" %}
+{% include "_sql_parameter_styles.html" %}
+{% endblock %}
+
+{% block body_class %}execute-write db-{{ database|to_css_class }}{% endblock %}
+
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database) }}
+{% endblock %}
+
+{% block content %}
+
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">Write to this database</h1>
+
+<p>Execute SQL to insert, update or delete rows in this database.</p>
+
+{% if execution_message %}
+    <p class="{% if execution_ok %}message-info{% else %}message-error{% endif %}">{{ execution_message }}{% for link in execution_links %} <a href="{{ link.href }}">{{ link.label }}</a>{% endfor %}</p>
+{% endif %}
+
+{% if execute_write_returns_rows %}
+    <h2>Returned rows</h2>
+    {% if execute_write_truncated %}
+        <p class="message-warning">Only the first {{ "{:,}".format(execute_write_display_rows|length) }} returned rows are shown.</p>
+    {% endif %}
+    {% set columns = execute_write_columns %}
+    {% set display_rows = execute_write_display_rows %}
+    {% set show_zero_results = true %}
+    {% include "_query_results.html" %}
+{% endif %}
+
+<form class="sql core" action="{{ urls.database(database) }}/-/execute-write" method="post" data-analyze-url="{{ urls.database(database) }}/-/execute-write/analyze">
+    {% if write_create_table_template_sql or write_template_tables %}
+        <div class="execute-write-template-menu">
+            <details>
+                <summary>Start with a template</summary>
+                <p class="execute-write-template-controls">
+                    {% if write_create_table_template_sql %}
+                        <button type="button" data-sql-template="create" data-template-sql="{{ write_create_table_template_sql }}">Create table</button>
+                    {% endif %}
+                    {% if write_template_tables %}
+                        <label for="execute-write-template-table">{% if write_create_table_template_sql %}or table:{% else %}Table{% endif %}</label>
+                        <select id="execute-write-template-table">
+                            {% for table_name, table in write_template_tables|dictsort %}
+                                <option value="{{ table_name }}"{% for operation, template_sql in table.templates|dictsort %} data-template-{{ operation }}-sql="{{ template_sql }}"{% endfor %}>{{ table_name }}</option>
+                            {% endfor %}
+                        </select>
+                        {% for operation in write_template_operations %}
+                            <button type="button" data-sql-template="{{ operation.name }}">{{ operation.label }}</button>
+                        {% endfor %}
+                    {% endif %}
+                </p>
+            </details>
+        </div>
+    {% else %}
+        <p class="message-warning execute-write-template-unavailable">There are no tables that you can currently edit.</p>
+    {% endif %}
+
+    <p class="sql-editor{% if not sql %} sql-editor-min-lines{% endif %}"><textarea id="sql-editor" name="sql"{% if sql %} style="height: {{ sql.split("\n")|length + 2 }}em"{% endif %}>{{ sql }}</textarea></p>
+
+    {% set sql_parameters_section_id = "execute-write-parameters-section" %}
+    {% set sql_parameters_allow_expand = true %}
+    {% include "_sql_parameters.html" %}
+
+    <div id="execute-write-analysis-section">
+        <h2>Query operations</h2>
+        {% if analysis_error %}
+            <p class="message-error">{{ analysis_error }}</p>
+        {% elif analysis_rows %}
+            <div class="table-wrapper"><table class="execute-write-analysis">
+                <thead>
+                    <tr>
+                        <th scope="col">Operation</th>
+                        <th scope="col">Database</th>
+                        <th scope="col">Table</th>
+                        <th scope="col">Required permission</th>
+                        <th scope="col">Allowed</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {% for row in analysis_rows %}
+                        <tr>
+                            <td><code>{{ row.operation }}</code></td>
+                            <td><code>{{ row.database }}</code></td>
+                            <td><code>{{ row.table }}</code></td>
+                            <td>{% if row.required_permission %}<code>{{ row.required_permission }}</code>{% endif %}</td>
+                            <td>{% if row.allowed is none %}{% elif row.allowed %}<span class="execute-write-analysis-allowed">yes</span>{% else %}<span class="execute-write-analysis-denied">no</span>{% endif %}</td>
+                        </tr>
+                    {% endfor %}
+                </tbody>
+            </table></div>
+        {% else %}
+            <p>Analysis will show each affected table and required permission.</p>
+        {% endif %}
+    </div>
+
+    <p class="execute-write-submit-row"{% if save_query_base_url %} data-save-query-base-url="{{ save_query_base_url }}"{% endif %}>
+        <input type="submit" value="Execute" data-execute-write-submit aria-describedby="execute-write-disabled-reason"{% if execute_disabled %} disabled{% endif %}>
+        <span id="execute-write-disabled-reason" class="execute-write-disabled-reason" data-execute-write-disabled-reason aria-live="polite"{% if not execute_disabled_reason %} hidden{% endif %}>{{ execute_disabled_reason or "" }}</span>
+        {% if save_query_url %}<a href="{{ save_query_url }}" class="save-query" data-save-query-link>Save this query</a>{% endif %}
+    </p>
+</form>
+
+{% include "_codemirror_foot.html" %}
+{% include "_sql_parameter_scripts.html" %}
+{% include "_execute_write_analysis_scripts.html" %}
+
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  const executeWriteSqlInput = document.querySelector("textarea#sql-editor");
+  const form = document.querySelector("form.sql.core");
+  const analysisSection = document.querySelector("#execute-write-analysis-section");
+  const submitButton = form
+    ? form.querySelector("[data-execute-write-submit]")
+    : null;
+  const submitDisabledReason = form
+    ? form.querySelector("[data-execute-write-disabled-reason]")
+    : null;
+  const submitRow = form
+    ? form.querySelector(".execute-write-submit-row")
+    : null;
+  let saveQueryLink = form
+    ? form.querySelector("[data-save-query-link]")
+    : null;
+
+  function updateSubmitState(data) {
+    if (submitButton) {
+      submitButton.disabled = data.execute_disabled;
+    }
+    if (!submitDisabledReason) {
+      return;
+    }
+    const reason = data.execute_disabled_reason || "";
+    submitDisabledReason.textContent = reason;
+    submitDisabledReason.hidden = !reason;
+  }
+
+  function updateSaveQueryLink(data) {
+    if (!submitRow || !submitRow.dataset.saveQueryBaseUrl) {
+      return;
+    }
+    const sql = window.editor
+      ? window.editor.state.doc.toString()
+      : executeWriteSqlInput.value;
+    if (!sql.trim() || !data.ok || data.execute_disabled) {
+      if (saveQueryLink) {
+        saveQueryLink.remove();
+        saveQueryLink = null;
+      }
+      return;
+    }
+    if (!saveQueryLink) {
+      saveQueryLink = document.createElement("a");
+      saveQueryLink.className = "save-query";
+      saveQueryLink.setAttribute("data-save-query-link", "");
+      saveQueryLink.textContent = "Save this query";
+      submitRow.appendChild(saveQueryLink);
+    }
+    const url = new URL(
+      submitRow.dataset.saveQueryBaseUrl,
+      window.location.href
+    );
+    url.searchParams.set("sql", sql);
+    saveQueryLink.href = url.pathname + url.search + url.hash;
+  }
+
+  window.datasetteSqlParameters.setupSqlParameterRefresh({
+    form,
+    url: form.dataset.analyzeUrl,
+    allowExpand: true,
+    onData(data) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, data);
+      updateSubmitState(data);
+      updateSaveQueryLink(data);
+    },
+    onError(error) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, {
+        analysis_error: error.message,
+        analysis_rows: [],
+      });
+      updateSubmitState({
+        execute_disabled: true,
+        execute_disabled_reason: error.message,
+      });
+      updateSaveQueryLink({ ok: false, execute_disabled: true });
+    },
+  });
+});
+</script>
+
+{% if write_create_table_template_sql or write_template_tables %}
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  const tableSelect = document.querySelector("#execute-write-template-table");
+  const templateButtons = document.querySelectorAll("[data-sql-template]");
+  const sqlInput = document.querySelector("textarea#sql-editor");
+
+  function dataKey(operation) {
+    return `template${operation.charAt(0).toUpperCase()}${operation.slice(1)}Sql`;
+  }
+
+  function selectedOption() {
+    return tableSelect ? tableSelect.options[tableSelect.selectedIndex] : null;
+  }
+
+  function templateSql(button) {
+    if (button.dataset.templateSql) {
+      return button.dataset.templateSql;
+    }
+    const operation = button.dataset.sqlTemplate;
+    const option = selectedOption();
+    return option ? option.dataset[dataKey(operation)] || "" : "";
+  }
+
+  function updateTemplateButtons() {
+    templateButtons.forEach((button) => {
+      button.hidden = !templateSql(button);
+    });
+  }
+
+  function updateSqlUrl(sql) {
+    if (!window.history || !window.history.replaceState) {
+      return;
+    }
+    const url = new URL(window.location.href);
+    url.searchParams.set("sql", sql);
+    window.history.replaceState(null, "", url.toString());
+  }
+
+  function setEditorSql(sql) {
+    if (window.editor) {
+      window.editor.dispatch({
+        changes: {
+          from: 0,
+          to: window.editor.state.doc.length,
+          insert: sql,
+        },
+        selection: { anchor: sql.length },
+      });
+      window.editor.focus();
+      if (sqlInput) {
+        sqlInput.value = sql;
+      }
+    } else if (sqlInput) {
+      sqlInput.value = sql;
+      sqlInput.dispatchEvent(new Event("input", { bubbles: true }));
+      sqlInput.focus();
+    }
+    updateSqlUrl(sql);
+  }
+
+  templateButtons.forEach((button) => {
+    button.addEventListener("click", () => {
+      const sql = templateSql(button);
+      if (!sql) {
+        return;
+      }
+      setEditorSql(sql);
+    });
+  });
+  if (tableSelect) {
+    tableSelect.addEventListener("change", updateTemplateButtons);
+  }
+  updateTemplateButtons();
+});
+</script>
+{% endif %}
+
+{% endblock %}
diff --git a/datasette/templates/logout.html b/datasette/templates/logout.html
index c8fc642a..a99870e6 100644
--- a/datasette/templates/logout.html
+++ b/datasette/templates/logout.html
@@ -10,7 +10,6 @@
 
 <form class="core" action="{{ urls.logout() }}" method="post">
     <div>
-        <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
         <input type="submit" value="Log out">
     </div>
 </form>
diff --git a/datasette/templates/messages_debug.html b/datasette/templates/messages_debug.html
index 2940cd69..891cf915 100644
--- a/datasette/templates/messages_debug.html
+++ b/datasette/templates/messages_debug.html
@@ -19,7 +19,6 @@
                 <option>all</option>
             </select>
         </div>
-        <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
         <input type="submit" value="Add message">
     </div>
 </form>
diff --git a/datasette/templates/patterns.html b/datasette/templates/patterns.html
index 7770f7d4..075c0117 100644
--- a/datasette/templates/patterns.html
+++ b/datasette/templates/patterns.html
@@ -2,7 +2,7 @@
 <html lang="en">
 <head>
     <title>Datasette: Pattern Portfolio</title>
-    <link rel="stylesheet" href="{{ base_url }}-/static/app.css?{{ app_css_hash }}">
+    <link rel="stylesheet" href="{{ static('app.css') }}">
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <meta name="robots" content="noindex">
     <style></style>
@@ -11,7 +11,7 @@
 
 <header class="hd"><nav>
     <p class="crumbs">
-        <a href="/">home</a>
+        <a href="{{ base_url }}">home</a>
     </p>
     <details class="nav-menu details-menu">
         <summary><svg aria-labelledby="nav-menu-svg-title" role="img"
@@ -22,11 +22,11 @@
         </svg></summary>
         <div class="nav-menu-inner">
             <ul>
-                <li><a href="/-/databases">Databases</a></li>
-                <li><a href="/-/plugins">Installed plugins</a></li>
-                <li><a href="/-/versions">Version info</a></li>
+                <li><a href="{{ base_url }}-/databases">Databases</a></li>
+                <li><a href="{{ base_url }}-/plugins">Installed plugins</a></li>
+                <li><a href="{{ base_url }}-/versions">Version info</a></li>
             </ul>
-            <form class="nav-menu-logout" action="/-/logout" method="post">
+            <form class="nav-menu-logout" action="{{ base_url }}-/logout" method="post">
                 <button class="button-as-link">Log out</button>
             </form>
         </div>
@@ -48,9 +48,9 @@
 <header class="hd">
   <nav>
       <p class="crumbs">
-          <a href="/">home</a> /
-          <a href="/fixtures">fixtures</a> /
-          <a href="/fixtures/attraction_characteristic">attraction_characteristic</a>
+          <a href="{{ base_url }}">home</a> /
+          <a href="{{ base_url }}fixtures">fixtures</a> /
+          <a href="{{ base_url }}fixtures/attraction_characteristic">attraction_characteristic</a>
       </p>
       <div class="actor">
           <strong>testuser</strong>
@@ -80,16 +80,16 @@
             <a href="https://github.com/simonw/datasette">
         About Datasette</a>
     </p>
-    <h2 style="padding-left: 10px; border-left: 10px solid #9403e5"><a href="/fixtures">fixtures</a></h2>
+    <h2 style="padding-left: 10px; border-left: 10px solid #9403e5"><a href="{{ base_url }}fixtures">fixtures</a></h2>
     <p>
         1,258 rows in 24 tables, 206 rows in 5 hidden tables, 4 views
     </p>
-    <p><a href="/fixtures/compound_three_primary_keys" title="1001 rows">compound_three_primary_keys</a>, <a href="/fixtures/sortable" title="201 rows">sortable</a>, <a href="/fixtures/facetable" title="15 rows">facetable</a>, <a href="/fixtures/roadside_attraction_characteristics" title="5 rows">roadside_attraction_characteristics</a>, <a href="/fixtures/simple_primary_key" title="4 rows">simple_primary_key</a>, <a href="/fixtures">...</a></p>
-    <h2 style="padding-left: 10px; border-left: 10px solid #8d777f"><a href="/data">data</a></h2>
+    <p><a href="{{ base_url }}fixtures/compound_three_primary_keys" title="1001 rows">compound_three_primary_keys</a>, <a href="{{ base_url }}fixtures/sortable" title="201 rows">sortable</a>, <a href="{{ base_url }}fixtures/facetable" title="15 rows">facetable</a>, <a href="{{ base_url }}fixtures/roadside_attraction_characteristics" title="5 rows">roadside_attraction_characteristics</a>, <a href="{{ base_url }}fixtures/simple_primary_key" title="4 rows">simple_primary_key</a>, <a href="{{ base_url }}fixtures">...</a></p>
+    <h2 style="padding-left: 10px; border-left: 10px solid #8d777f"><a href="{{ base_url }}data">data</a></h2>
     <p>
         6 rows in 2 tables
     </p>
-    <p><a href="/data/names" title="6 rows">names</a>, <a href="/data/foo">foo</a></p>
+    <p><a href="{{ base_url }}data/names" title="6 rows">names</a>, <a href="{{ base_url }}data/foo">foo</a></p>
 </section>
 
 <h2 class="pattern-heading">.bd for /database</h2>
@@ -134,7 +134,7 @@
             <a href="https://github.com/simonw/datasette">
         About Datasette</a>
     </p>
-    <form class="sql" action="/fixtures" method="get">
+    <form class="sql" action="{{ base_url }}fixtures" method="get">
         <h3>Custom SQL query</h3>
         <p><textarea id="sql-editor" name="sql">select * from [123_starts_with_digits]</textarea></p>
         <p>
@@ -143,17 +143,17 @@
         </p>
     </form>
     <div class="db-table">
-        <h2><a href="/fixtures/123_starts_with_digits">123_starts_with_digits</a></h2>
+        <h2><a href="{{ base_url }}fixtures/123_starts_with_digits">123_starts_with_digits</a></h2>
         <p><em>content</em></p>
         <p>0 rows</p>
     </div>
     <div class="db-table">
-        <h2><a href="/fixtures/Table+With+Space+In+Name">Table With Space In Name</a></h2>
+        <h2><a href="{{ base_url }}fixtures/Table+With+Space+In+Name">Table With Space In Name</a></h2>
         <p><em>pk, content</em></p>
         <p>0 rows</p>
     </div>
     <div class="db-table">
-        <h2><a href="/fixtures/attraction_characteristic">attraction_characteristic</a></h2>
+        <h2><a href="{{ base_url }}fixtures/attraction_characteristic">attraction_characteristic</a></h2>
         <p><em>pk, name</em></p>
         <p>2 rows</p>
     </div>
@@ -202,9 +202,9 @@
     <h3>3 rows
         where characteristic_id = 2
     </h3>
-    <form class="filters" action="/fixtures/roadside_attraction_characteristics" method="get">
+    <form class="core filters" action="{{ base_url }}fixtures/roadside_attraction_characteristics" method="get">
     <div class="search-row"><label for="_search">Search:</label><input id="_search" type="search" name="_search" value=""></div>
-        <div class="filter-row">
+        <div class="filter-row filter-controls-row">
             <div class="select-wrapper">
                 <select name="_filter_column_1">
                     <option value="">- remove filter -</option>
@@ -238,7 +238,7 @@
                 </select>
             </div><input type="text" name="_filter_value_1" class="filter-value" value="2">
         </div>
-    <div class="filter-row">
+    <div class="filter-row filter-controls-row">
         <div class="select-wrapper">
             <select name="_filter_column">
                 <option value="">- column -</option>
@@ -272,8 +272,8 @@
             </select>
         </div><input type="text" name="_filter_value" class="filter-value">
     </div>
-    <div class="filter-row">
-            <div class="select-wrapper small-screen-only">
+    <div class="filter-row filter-actions-row">
+            <div class="select-wrapper">
                 <select name="_sort" id="sort_by">
                     <option value="">Sort...</option>
                     <option value="rowid" selected>Sort by rowid</option>
@@ -281,8 +281,8 @@
                     <option value="characteristic_id">Sort by characteristic_id</option>
                 </select>
             </div>
-            <label class="sort_by_desc small-screen-only"><input type="checkbox" name="_sort_by_desc"> descending</label>
-        <input type="submit" value="Apply">
+            <label class="sort_by_desc"><input type="checkbox" name="_sort_by_desc"> descending</label>
+        <input type="submit" value="Apply filters">
     </div>
   </form>
 
@@ -290,16 +290,16 @@
     <h3>2 extra where clauses</h3>
     <ul>
 
-        <li><code>planet_int=1</code> [<a href="/fixtures/facetable?_where=state%3D%27CA%27">remove</a>]</li>
+        <li><code>planet_int=1</code> [<a href="{{ base_url }}fixtures/facetable?_where=state%3D%27CA%27">remove</a>]</li>
 
-        <li><code>state='CA'</code> [<a href="/fixtures/facetable?_where=planet_int%3D1">remove</a>]</li>
+        <li><code>state='CA'</code> [<a href="{{ base_url }}fixtures/facetable?_where=planet_int%3D1">remove</a>]</li>
 
     </ul>
   </div>
 
-  <p><a class="not-underlined" title="select rowid, attraction_id, characteristic_id from roadside_attraction_characteristics where &#34;characteristic_id&#34; = :p0 order by rowid limit 101" href="/fixtures?sql=select+rowid%2C+attraction_id%2C+characteristic_id+from+roadside_attraction_characteristics+where+%22characteristic_id%22+%3D+%3Ap0+order+by+rowid+limit+101&amp;p0=2">&#x270e; <span class="underlined">View and edit SQL</span></a></p>
+  <p><a class="not-underlined" title="select rowid, attraction_id, characteristic_id from roadside_attraction_characteristics where &#34;characteristic_id&#34; = :p0 order by rowid limit 101" href="{{ base_url }}fixtures?sql=select+rowid%2C+attraction_id%2C+characteristic_id+from+roadside_attraction_characteristics+where+%22characteristic_id%22+%3D+%3Ap0+order+by+rowid+limit+101&amp;p0=2">&#x270e; <span class="underlined">View and edit SQL</span></a></p>
 
-  <p class="export-links">This data as <a href="/fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on">json</a>, <a href="/fixtures/roadside_attraction_characteristics.csv?characteristic_id=2&amp;_labels=on&amp;_size=max">CSV</a> (<a href="#export">advanced</a>)</p>
+  <p class="export-links">This data as <a href="{{ base_url }}fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on">json</a>, <a href="{{ base_url }}fixtures/roadside_attraction_characteristics.csv?characteristic_id=2&amp;_labels=on&amp;_size=max">CSV</a> (<a href="#export">advanced</a>)</p>
 
   <p class="suggested-facets">
         Suggested facets: <a href="http://latest.datasette.io/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet=created&amp;_facet=complex_array&amp;_facet=tags#facet-tags">tags</a>, <a href="http://latest.datasette.io/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet=created&amp;_facet=complex_array&amp;_facet_date=created#facet-created">created</a> (date), <a href="http://latest.datasette.io/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet=created&amp;_facet=complex_array&amp;_facet_array=tags#facet-tags">tags</a> (array)
@@ -311,7 +311,7 @@
                 <p class="facet-info-name">
                     <strong>tags (array)</strong>
 
-                        <a href="/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet=created" class="cross">✖</a>
+                        <a href="{{ base_url }}fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet=created" class="cross">✖</a>
 
                 </p>
                 <ul>
@@ -336,7 +336,7 @@
                 <p class="facet-info-name">
                     <strong>created</strong>
 
-                        <a href="/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet_array=tags" class="cross">✖</a>
+                        <a href="{{ base_url }}fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=city_id&amp;_facet_array=tags" class="cross">✖</a>
 
                 </p>
                 <ul>
@@ -361,7 +361,7 @@
                 <p class="facet-info-name">
                     <strong>city_id</strong>
 
-                        <a href="/fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=created&amp;_facet_array=tags" class="cross">✖</a>
+                        <a href="{{ base_url }}fixtures/facetable?_where=planet_int%3D1&amp;_where=state%3D%27CA%27&amp;_facet=created&amp;_facet_array=tags" class="cross">✖</a>
 
                 </p>
                 <ul>
@@ -387,45 +387,45 @@
                                 Link
                         </th>
                     <th class="col-rowid" scope="col">
-                                            <a href="/fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort_desc=rowid" rel="nofollow">rowid&nbsp;▼</a>
+                                            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort_desc=rowid" rel="nofollow">rowid&nbsp;▼</a>
                                 </th>
                     <th class="col-attraction_id" scope="col">
-                                            <a href="/fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort=attraction_id" rel="nofollow">attraction_id</a>
+                                            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort=attraction_id" rel="nofollow">attraction_id</a>
                                 </th>
                     <th class="col-characteristic_id" scope="col">
-                                            <a href="/fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort=characteristic_id" rel="nofollow">characteristic_id</a>
+                                            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics?characteristic_id=2&amp;_sort=characteristic_id" rel="nofollow">characteristic_id</a>
                                 </th>
             </tr>
         </thead>
         <tbody>
             <tr>
-                    <td class="col-Link"><a href="/fixtures/roadside_attraction_characteristics/1">1</a></td>
+                    <td class="col-Link"><a href="{{ base_url }}fixtures/roadside_attraction_characteristics/1">1</a></td>
                     <td class="col-rowid">1</td>
-                    <td class="col-attraction_id"><a href="/fixtures/roadside_attractions/1">The Mystery Spot</a>&nbsp;<em>1</em></td>
-                    <td class="col-characteristic_id"><a href="/fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
+                    <td class="col-attraction_id"><a href="{{ base_url }}fixtures/roadside_attractions/1">The Mystery Spot</a>&nbsp;<em>1</em></td>
+                    <td class="col-characteristic_id"><a href="{{ base_url }}fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
             </tr>
             <tr>
-                    <td class="col-Link"><a href="/fixtures/roadside_attraction_characteristics/2">2</a></td>
+                    <td class="col-Link"><a href="{{ base_url }}fixtures/roadside_attraction_characteristics/2">2</a></td>
                     <td class="col-rowid">2</td>
-                    <td class="col-attraction_id"><a href="/fixtures/roadside_attractions/2">Winchester Mystery House</a>&nbsp;<em>2</em></td>
-                    <td class="col-characteristic_id"><a href="/fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
+                    <td class="col-attraction_id"><a href="{{ base_url }}fixtures/roadside_attractions/2">Winchester Mystery House</a>&nbsp;<em>2</em></td>
+                    <td class="col-characteristic_id"><a href="{{ base_url }}fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
             </tr>
             <tr>
-                    <td class="col-Link"><a href="/fixtures/roadside_attraction_characteristics/3">3</a></td>
+                    <td class="col-Link"><a href="{{ base_url }}fixtures/roadside_attraction_characteristics/3">3</a></td>
                     <td class="col-rowid">3</td>
-                    <td class="col-attraction_id"><a href="/fixtures/roadside_attractions/4">Bigfoot Discovery Museum</a>&nbsp;<em>4</em></td>
-                    <td class="col-characteristic_id"><a href="/fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
+                    <td class="col-attraction_id"><a href="{{ base_url }}fixtures/roadside_attractions/4">Bigfoot Discovery Museum</a>&nbsp;<em>4</em></td>
+                    <td class="col-characteristic_id"><a href="{{ base_url }}fixtures/attraction_characteristic/2">Paranormal</a>&nbsp;<em>2</em></td>
             </tr>
         </tbody>
     </table>
     <div id="export" class="advanced-export">
         <h3>Advanced export</h3>
         <p>JSON shape:
-            <a href="/fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on">default</a>,
-            <a href="/fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on&amp;_shape=array">array</a>,
-            <a href="/fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on&amp;_shape=array&amp;_nl=on">newline-delimited</a>
+            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on">default</a>,
+            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on&amp;_shape=array">array</a>,
+            <a href="{{ base_url }}fixtures/roadside_attraction_characteristics.json?characteristic_id=2&amp;_labels=on&amp;_shape=array&amp;_nl=on">newline-delimited</a>
         </p>
-        <form action="/fixtures/roadside_attraction_characteristics.csv" method="get">
+        <form action="{{ base_url }}fixtures/roadside_attraction_characteristics.csv" method="get">
             <p>
                 CSV options:
                 <label><input type="checkbox" name="_dl"> download file</label>
@@ -445,7 +445,7 @@
 <h2 class="pattern-heading">.bd for /database/table/row</h2>
 <section class="content">
     <h1 style="padding-left: 10px; border-left: 10px solid #ff0000">roadside_attractions: 2</h1>
-    <p>This data as <a href="/fixtures/roadside_attractions/2.json">json</a></p>
+    <p>This data as <a href="{{ base_url }}fixtures/roadside_attractions/2.json">json</a></p>
     <table class="rows-and-columns">
         <thead>
             <tr>
@@ -479,7 +479,7 @@
     <h2>Links from other tables</h2>
     <ul>
             <li>
-                <a href="/fixtures/roadside_attraction_characteristics?attraction_id=2">
+                <a href="{{ base_url }}fixtures/roadside_attraction_characteristics?attraction_id=2">
                     1 row</a>
                 from attraction_id in roadside_attraction_characteristics
             </li>
diff --git a/datasette/templates/query.html b/datasette/templates/query.html
index a6e9a3aa..8dd1037f 100644
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@@ -14,9 +14,10 @@
 </style>
 {% endif %}
 {% include "_codemirror.html" %}
+{% include "_sql_parameter_styles.html" %}
 {% endblock %}
 
-{% block body_class %}query db-{{ database|to_css_class }}{% if canned_query %} query-{{ canned_query|to_css_class }}{% endif %}{% endblock %}
+{% block body_class %}query db-{{ database|to_css_class }}{% if stored_query %} query-{{ stored_query|to_css_class }}{% endif %}{% endblock %}
 
 {% block crumbs %}
 {{ crumbs.nav(request=request, database=database) }}
@@ -24,19 +25,19 @@
 
 {% block content %}
 
-{% if canned_query_write and db_is_immutable %}
+{% if stored_query_write and db_is_immutable %}
     <p class="message-error">This query cannot be executed because the database is immutable.</p>
 {% endif %}
 
-<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">{{ metadata.title or database }}{% if canned_query and not metadata.title %}: {{ canned_query }}{% endif %}{% if private %} 🔒{% endif %}</h1>
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">{{ metadata.title or database }}{% if stored_query and not metadata.title %}: {{ stored_query }}{% endif %}{% if private %} 🔒{% endif %}</h1>
 {% set action_links, action_title = query_actions(), "Query actions" %}
 {% include "_action_menu.html" %}
 
-{% if canned_query %}{{ top_canned_query() }}{% else %}{{ top_query() }}{% endif %}
+{% if stored_query %}{{ top_stored_query() }}{% else %}{{ top_query() }}{% endif %}
 
 {% block description_source_license %}{% include "_description_source_license.html" %}{% endblock %}
 
-<form class="sql core" action="{{ urls.database(database) }}{% if canned_query %}/{{ canned_query }}{% endif %}" method="{% if canned_query_write %}post{% else %}get{% endif %}">
+<form class="sql core" action="{{ urls.database(database) }}{% if stored_query %}/{{ stored_query }}{% endif %}" method="{% if stored_query_write %}post{% else %}get{% endif %}" data-parameters-url="{{ urls.database(database) }}/-/query/parameters">
     <h3>Custom SQL query{% if display_rows %} returning {% if truncated %}more than {% endif %}{{ "{:,}".format(display_rows|length) }} row{% if display_rows|length == 1 %}{% else %}s{% endif %}{% endif %}{% if not query_error %}
         <span class="show-hide-sql">(<a href="{{ show_hide_link }}">{{ show_hide_text }}</a>)</span>
     {% endif %}</h3>
@@ -45,57 +46,43 @@
     {% endif %}
     {% if not hide_sql %}
         {% if editable and allow_execute_sql %}
-            <p><textarea id="sql-editor" name="sql"{% if query and query.sql %} style="height: {{ query.sql.split("\n")|length + 2 }}em"{% endif %}
-            >{% if query and query.sql %}{{ query.sql }}{% else %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}</textarea></p>
+            <p class="sql-editor"><textarea id="sql-editor" name="sql"{% if query and query.sql %} style="height: {{ query.sql.split("\n")|length + 2 }}em"{% endif %}
+            >{% if query and query.sql %}{{ query.sql }}{% elif tables %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}</textarea></p>
         {% else %}
             <pre id="sql-query">{% if query %}{{ query.sql }}{% endif %}</pre>
         {% endif %}
     {% else %}
-        {% if not canned_query %}
+        {% if not stored_query %}
             <input type="hidden" name="sql"
-                value="{% if query and query.sql %}{{ query.sql }}{% else %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}"
+                value="{% if query and query.sql %}{{ query.sql }}{% elif tables %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}"
             >
         {% endif %}
     {% endif %}
-    {% if named_parameter_values %}
-        <h3>Query parameters</h3>
-        {% for name, value in named_parameter_values.items() %}
-            <p><label for="qp{{ loop.index }}">{{ name }}</label> <input type="text" id="qp{{ loop.index }}" name="{{ name }}" value="{{ value }}"></p>
-        {% endfor %}
-    {% endif %}
+    {% set parameter_names = named_parameter_values.keys()|list %}
+    {% set parameter_values = named_parameter_values %}
+    {% set sql_parameters_allow_expand = false %}
+    {% include "_sql_parameters.html" %}
     <p>
         {% if not hide_sql %}<button id="sql-format" type="button" hidden>Format SQL</button>{% endif %}
-        {% if canned_query_write %}<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">{% endif %}
-        <input type="submit" value="Run SQL"{% if canned_query_write and db_is_immutable %} disabled{% endif %}>
+        <input type="submit" value="Run SQL"{% if stored_query_write and db_is_immutable %} disabled{% endif %}>
         {{ show_hide_hidden }}
-        {% if canned_query and edit_sql_url %}<a href="{{ edit_sql_url }}" class="canned-query-edit-sql">Edit SQL</a>{% endif %}
+        {% if save_query_url %}<a href="{{ save_query_url }}" class="save-query">Save this query</a>{% endif %}
+        {% if stored_query and edit_sql_url %}<a href="{{ edit_sql_url }}" class="stored-query-edit-sql">Edit SQL</a>{% endif %}
     </p>
 </form>
 
 {% if display_rows %}
 <p class="export-links">This data as {% for name, url in renderers.items() %}<a href="{{ url }}">{{ name }}</a>{{ ", " if not loop.last }}{% endfor %}, <a href="{{ url_csv }}">CSV</a></p>
-<div class="table-wrapper"><table class="rows-and-columns">
-    <thead>
-        <tr>
-            {% for column in columns %}<th class="col-{{ column|to_css_class }}" scope="col">{{ column }}</th>{% endfor %}
-        </tr>
-    </thead>
-    <tbody>
-    {% for row in display_rows %}
-        <tr>
-            {% for column, td in zip(columns, row) %}
-                <td class="col-{{ column|to_css_class }}">{{ td }}</td>
-            {% endfor %}
-        </tr>
-    {% endfor %}
-    </tbody>
-</table></div>
-{% else %}
-    {% if not canned_query_write and not error %}
-        <p class="zero-results">0 results</p>
-    {% endif %}
 {% endif %}
+{% set show_zero_results = not stored_query_write and not error %}
+{% include "_query_results.html" %}
 
 {% include "_codemirror_foot.html" %}
+{% include "_sql_parameter_scripts.html" %}
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  window.datasetteSqlParameters.setupSqlParameterRefresh({});
+});
+</script>
 
 {% endblock %}
diff --git a/datasette/templates/query_create.html b/datasette/templates/query_create.html
new file mode 100644
index 00000000..f2016f27
--- /dev/null
+++ b/datasette/templates/query_create.html
@@ -0,0 +1,163 @@
+{% extends "base.html" %}
+
+{% block title %}Create query{% endblock %}
+
+{% block extra_head %}
+{{- super() -}}
+{% include "_codemirror.html" %}
+{% include "_execute_write_analysis_styles.html" %}
+{% include "_query_form_styles.html" %}
+{% endblock %}
+
+{% block body_class %}query-create db-{{ database|to_css_class }}{% endblock %}
+
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database) }}
+{% endblock %}
+
+{% block content %}
+
+<div class="query-create-page">
+
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">Create query</h1>
+
+<form class="sql core query-create-form" action="{{ urls.database(database) }}/-/queries/store" method="post" data-analyze-url="{{ urls.database(database) }}/-/queries/analyze">
+    <div class="query-create-fields">
+        <p class="query-create-field"><label for="query-title">Title</label> <input id="query-title" name="title" type="text" value="{{ title or "" }}"></p>
+        <p class="query-create-field"><label for="query-url-slug">URL</label> <span class="query-create-url-control"><span class="query-create-url-prefix">{{ urls.database(database) }}/</span><input id="query-url-slug" name="name" type="text" value="{{ name or "" }}"></span></p>
+        <p class="query-create-field"><label for="query-description">Description</label> <textarea id="query-description" name="description" rows="3">{{ description or "" }}</textarea></p>
+    </div>
+
+    <p class="query-create-sql sql-editor"><textarea id="sql-editor" name="sql"{% if sql %} style="height: {{ sql.split("\n")|length + 2 }}em"{% endif %}>{{ sql }}</textarea></p>
+
+    <p class="query-create-options">
+        <span class="query-create-analysis-note" data-query-create-analysis-note aria-live="polite">{% if analysis_error %}This query cannot be saved until the SQL is valid.{% elif not has_sql %}Enter SQL to analyze this query.{% elif analysis_is_write %}This query updates data in the database.{% else %}This is a read-only query.{% endif %}</span>
+        <input type="hidden" name="is_private" value="0">
+        <label><input type="checkbox" name="is_private" value="1"{% if is_private %} checked{% endif %}> Private</label>
+        <span class="query-create-option-note">Queries marked private can only be seen by you, their creator.</span>
+    </p>
+    <p class="query-create-submit"><input type="submit" value="Save query" data-query-create-submit{% if save_disabled %} disabled{% endif %}></p>
+
+    <div class="query-create-analysis" id="query-create-analysis-section"{% if not has_sql %} hidden{% endif %}>
+        {% if has_sql %}
+            <h2>Query operations</h2>
+            {% if analysis_error %}
+                <p class="message-error">{{ analysis_error }}</p>
+            {% elif analysis_rows %}
+                <div class="table-wrapper"><table class="execute-write-analysis">
+                    <thead>
+                        <tr>
+                            <th scope="col">Operation</th>
+                            <th scope="col">Database</th>
+                            <th scope="col">Table</th>
+                            <th scope="col">Required permission</th>
+                            <th scope="col">Allowed</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for row in analysis_rows %}
+                            <tr>
+                                <td><code>{{ row.operation }}</code></td>
+                                <td><code>{{ row.database }}</code></td>
+                                <td><code>{{ row.table }}</code></td>
+                                <td>{% if row.required_permission %}<code>{{ row.required_permission }}</code>{% else %}<span class="execute-write-analysis-na">n/a</span>{% endif %}</td>
+                                <td>{% if row.allowed is none %}<span class="execute-write-analysis-na">n/a</span>{% elif row.allowed %}<span class="execute-write-analysis-allowed">yes</span>{% else %}<span class="execute-write-analysis-denied">no</span>{% endif %}</td>
+                            </tr>
+                        {% endfor %}
+                    </tbody>
+                </table></div>
+            {% else %}
+                <p>Analysis will show each affected table and required permission.</p>
+            {% endif %}
+        {% endif %}
+    </div>
+</form>
+
+</div>
+
+{% include "_codemirror_foot.html" %}
+{% include "_sql_parameter_scripts.html" %}
+{% include "_execute_write_analysis_scripts.html" %}
+
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  const titleInput = document.querySelector("#query-title");
+  const urlInput = document.querySelector("#query-url-slug");
+  let urlEdited = Boolean(urlInput && urlInput.value);
+
+  function slugify(value) {
+    return value
+      .normalize("NFKD")
+      .replace(/[\u0300-\u036f]/g, "")
+      .toLowerCase()
+      .trim()
+      .replace(/[^a-z0-9_-]+/g, "-")
+      .replace(/-+/g, "-")
+      .replace(/^-|-$/g, "");
+  }
+
+  if (titleInput && urlInput) {
+    titleInput.addEventListener("input", () => {
+      if (!urlEdited) {
+        urlInput.value = slugify(titleInput.value);
+      }
+    });
+    urlInput.addEventListener("input", () => {
+      urlEdited = true;
+    });
+  }
+});
+</script>
+
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  const form = document.querySelector("form.sql.core");
+  const analysisSection = document.querySelector("#query-create-analysis-section");
+  const submitButton = form
+    ? form.querySelector("[data-query-create-submit]")
+    : null;
+  const analysisNote = form
+    ? form.querySelector("[data-query-create-analysis-note]")
+    : null;
+
+  function updateAnalysisNote(data) {
+    if (!analysisNote) {
+      return;
+    }
+    if (data.analysis_error) {
+      analysisNote.textContent = "This query cannot be saved until the SQL is valid.";
+    } else if (data.has_sql === false) {
+      analysisNote.textContent = "Enter SQL to analyze this query.";
+    } else if (data.analysis_is_write) {
+      analysisNote.textContent = "This query updates data in the database.";
+    } else {
+      analysisNote.textContent = "This is a read-only query.";
+    }
+  }
+
+  window.datasetteSqlParameters.setupSqlParameterRefresh({
+    form,
+    url: form.dataset.analyzeUrl,
+    renderParameters: false,
+    onData(data) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, data);
+      if (submitButton) {
+        submitButton.disabled = data.save_disabled;
+      }
+      updateAnalysisNote(data);
+    },
+    onError(error) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, {
+        analysis_error: error.message,
+        analysis_rows: [],
+      });
+      if (submitButton) {
+        submitButton.disabled = true;
+      }
+      updateAnalysisNote({ analysis_error: error.message });
+    },
+  });
+});
+</script>
+
+{% endblock %}
diff --git a/datasette/templates/query_delete.html b/datasette/templates/query_delete.html
new file mode 100644
index 00000000..4d0699a7
--- /dev/null
+++ b/datasette/templates/query_delete.html
@@ -0,0 +1,82 @@
+{% extends "base.html" %}
+
+{% block title %}Delete query: {{ query.name }}{% endblock %}
+
+{% block extra_head %}
+{{- super() -}}
+<style>
+.query-delete-page {
+    max-width: 48rem;
+}
+.query-delete-summary {
+    background-color: #f7f7f9;
+    border: 1px solid #d7dde5;
+    border-radius: 4px;
+    margin: 0.75rem 0 1.25rem;
+    padding: 0.75rem 1rem;
+}
+.query-delete-summary dt {
+    color: #4f5b6d;
+    font-size: 0.82rem;
+    font-weight: 700;
+}
+.query-delete-summary dd {
+    margin: 0 0 0.6rem;
+}
+.query-delete-summary dd pre {
+    margin: 0.2rem 0 0;
+    white-space: pre-wrap;
+}
+.query-delete-actions {
+    align-items: center;
+    display: flex;
+    gap: 1rem;
+}
+.query-delete-form input[type=submit] {
+    background: linear-gradient(180deg, #d73a31 0%, #b42318 100%);
+    border-color: #b42318;
+    font-weight: 700;
+}
+.query-delete-form input[type=submit]:hover,
+.query-delete-form input[type=submit]:focus {
+    background: linear-gradient(180deg, #c3342b 0%, #971c14 100%);
+    border-color: #971c14;
+}
+</style>
+{% endblock %}
+
+{% block body_class %}query-delete db-{{ database|to_css_class }}{% endblock %}
+
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database) }}
+{% endblock %}
+
+{% block content %}
+
+<div class="query-delete-page">
+
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">Delete query: {{ query.title or query.name }}</h1>
+
+<p>Are you sure you want to delete this saved query? This cannot be undone.</p>
+
+<dl class="query-delete-summary">
+    <dt>URL</dt>
+    <dd><a href="{{ query_url }}">{{ query_url }}</a></dd>
+    {% if query.description %}
+        <dt>Description</dt>
+        <dd>{{ query.description }}</dd>
+    {% endif %}
+    <dt>SQL</dt>
+    <dd><pre>{{ query.sql }}</pre></dd>
+</dl>
+
+<form class="core query-delete-form" action="{{ query_url }}/-/delete" method="post">
+    <p class="query-delete-actions">
+        <input type="submit" value="Delete query">
+        <a href="{{ query_url }}">Cancel</a>
+    </p>
+</form>
+
+</div>
+
+{% endblock %}
diff --git a/datasette/templates/query_edit.html b/datasette/templates/query_edit.html
new file mode 100644
index 00000000..3eadf42a
--- /dev/null
+++ b/datasette/templates/query_edit.html
@@ -0,0 +1,133 @@
+{% extends "base.html" %}
+
+{% block title %}Edit query: {{ name }}{% endblock %}
+
+{% block extra_head %}
+{{- super() -}}
+{% include "_codemirror.html" %}
+{% include "_execute_write_analysis_styles.html" %}
+{% include "_query_form_styles.html" %}
+{% endblock %}
+
+{% block body_class %}query-edit db-{{ database|to_css_class }}{% endblock %}
+
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database) }}
+{% endblock %}
+
+{% block content %}
+
+<div class="query-create-page">
+
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color }}">Edit query: {{ title or name }}</h1>
+
+<form class="sql core query-create-form" action="{{ query_url }}/-/edit" method="post" data-analyze-url="{{ urls.database(database) }}/-/queries/analyze">
+    <div class="query-create-fields">
+        <p class="query-create-field"><label for="query-title">Title</label> <input id="query-title" name="title" type="text" value="{{ title or "" }}"></p>
+        <p class="query-create-field"><label>URL</label> <span class="query-create-url-static">{{ query_url }}</span></p>
+        <p class="query-create-field"><label for="query-description">Description</label> <textarea id="query-description" name="description" rows="3">{{ description or "" }}</textarea></p>
+    </div>
+
+    <p class="query-create-sql sql-editor"><textarea id="sql-editor" name="sql"{% if sql %} style="height: {{ sql.split("\n")|length + 2 }}em"{% endif %}>{{ sql }}</textarea></p>
+
+    <p class="query-create-options">
+        <span class="query-create-analysis-note" data-query-create-analysis-note aria-live="polite">{% if analysis_error %}This query cannot be saved until the SQL is valid.{% elif not has_sql %}Enter SQL to analyze this query.{% elif analysis_is_write %}This query updates data in the database.{% else %}This is a read-only query.{% endif %}</span>
+        <input type="hidden" name="is_private" value="0">
+        <label><input type="checkbox" name="is_private" value="1"{% if is_private %} checked{% endif %}> Private</label>
+        <span class="query-create-option-note">Queries marked private can only be seen and edited by you, their owner.</span>
+    </p>
+    <p class="query-create-submit"><input type="submit" value="Save changes" data-query-create-submit{% if save_disabled %} disabled{% endif %}> <a href="{{ query_url }}">Cancel</a></p>
+
+    <div class="query-create-analysis" id="query-create-analysis-section"{% if not has_sql %} hidden{% endif %}>
+        {% if has_sql %}
+            <h2>Query operations</h2>
+            {% if analysis_error %}
+                <p class="message-error">{{ analysis_error }}</p>
+            {% elif analysis_rows %}
+                <div class="table-wrapper"><table class="execute-write-analysis">
+                    <thead>
+                        <tr>
+                            <th scope="col">Operation</th>
+                            <th scope="col">Database</th>
+                            <th scope="col">Table</th>
+                            <th scope="col">Required permission</th>
+                            <th scope="col">Allowed</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for row in analysis_rows %}
+                            <tr>
+                                <td><code>{{ row.operation }}</code></td>
+                                <td><code>{{ row.database }}</code></td>
+                                <td><code>{{ row.table }}</code></td>
+                                <td>{% if row.required_permission %}<code>{{ row.required_permission }}</code>{% else %}<span class="execute-write-analysis-na">n/a</span>{% endif %}</td>
+                                <td>{% if row.allowed is none %}<span class="execute-write-analysis-na">n/a</span>{% elif row.allowed %}<span class="execute-write-analysis-allowed">yes</span>{% else %}<span class="execute-write-analysis-denied">no</span>{% endif %}</td>
+                            </tr>
+                        {% endfor %}
+                    </tbody>
+                </table></div>
+            {% else %}
+                <p>Analysis will show each affected table and required permission.</p>
+            {% endif %}
+        {% endif %}
+    </div>
+</form>
+
+</div>
+
+{% include "_codemirror_foot.html" %}
+{% include "_sql_parameter_scripts.html" %}
+{% include "_execute_write_analysis_scripts.html" %}
+
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+  const form = document.querySelector("form.sql.core");
+  const analysisSection = document.querySelector("#query-create-analysis-section");
+  const submitButton = form
+    ? form.querySelector("[data-query-create-submit]")
+    : null;
+  const analysisNote = form
+    ? form.querySelector("[data-query-create-analysis-note]")
+    : null;
+
+  function updateAnalysisNote(data) {
+    if (!analysisNote) {
+      return;
+    }
+    if (data.analysis_error) {
+      analysisNote.textContent = "This query cannot be saved until the SQL is valid.";
+    } else if (data.has_sql === false) {
+      analysisNote.textContent = "Enter SQL to analyze this query.";
+    } else if (data.analysis_is_write) {
+      analysisNote.textContent = "This query updates data in the database.";
+    } else {
+      analysisNote.textContent = "This is a read-only query.";
+    }
+  }
+
+  window.datasetteSqlParameters.setupSqlParameterRefresh({
+    form,
+    url: form.dataset.analyzeUrl,
+    renderParameters: false,
+    onData(data) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, data);
+      if (submitButton) {
+        submitButton.disabled = data.save_disabled;
+      }
+      updateAnalysisNote(data);
+    },
+    onError(error) {
+      window.datasetteSqlAnalysis.renderAnalysis(analysisSection, {
+        analysis_error: error.message,
+        analysis_rows: [],
+      });
+      if (submitButton) {
+        submitButton.disabled = true;
+      }
+      updateAnalysisNote({ analysis_error: error.message });
+    },
+  });
+});
+</script>
+
+{% endblock %}
diff --git a/datasette/templates/query_list.html b/datasette/templates/query_list.html
new file mode 100644
index 00000000..a8c9a391
--- /dev/null
+++ b/datasette/templates/query_list.html
@@ -0,0 +1,281 @@
+{% extends "base.html" %}
+
+{% block title %}{% if database %}{{ database }}: {% endif %}queries{% endblock %}
+
+{% block extra_head %}
+{{- super() -}}
+<style>
+.query-list-page {
+    max-width: 64rem;
+}
+.query-list-filters {
+    margin: 0.5rem 0 0.75rem;
+}
+.query-list-search {
+    align-items: center;
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.45rem;
+    margin: 0 0 0.75rem;
+}
+.query-list-search label {
+    width: auto;
+}
+.query-list-search input[type=search] {
+    box-sizing: border-box;
+    flex: 1 1 18rem;
+    max-width: 24rem;
+}
+.query-list-search button[type=submit] {
+    font-size: 0.78rem;
+    height: 2rem;
+    line-height: 1.1;
+    padding: 0.35rem 0.65rem;
+}
+.query-list-facets {
+    align-items: flex-start;
+    display: flex;
+    flex-wrap: wrap;
+    gap: 1rem 1.6rem;
+    margin: 0 0 1rem;
+}
+.query-list-facet {
+    margin: 0;
+}
+.query-list-facet h2 {
+    font-size: 0.9rem;
+    line-height: 1.2;
+    margin: 0 0 0.35rem;
+}
+.query-list-facet ul {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.35rem;
+    margin: 0;
+    padding: 0;
+    list-style: none;
+}
+.query-list-facet-link,
+.query-list-facet-link:link,
+.query-list-facet-link:visited,
+.query-list-facet-link:hover,
+.query-list-facet-link:focus,
+.query-list-facet-link:active {
+    align-items: center;
+    border: 1px solid #c8d1dc;
+    border-radius: 0.25rem;
+    color: #39445a;
+    display: inline-flex;
+    font-size: 0.82rem;
+    gap: 0.4rem;
+    line-height: 1.1;
+    padding: 0.35rem 0.55rem;
+    text-decoration: none;
+}
+.query-list-facet-link:hover {
+    border-color: #7ca5c8;
+    color: #1f5d85;
+}
+.query-list-facet-link-active {
+    background-color: #edf6fb;
+    border-color: #6d9fc0;
+    font-weight: 700;
+}
+.query-list-facet-disabled {
+    color: #7b8794;
+    cursor: default;
+}
+.query-list-facet-count {
+    color: #4f5b6d;
+    font-variant-numeric: tabular-nums;
+}
+.query-list-results {
+    border-collapse: collapse;
+    font-size: 0.9rem;
+    margin: 0.25rem 0 1rem;
+    min-width: 42rem;
+    width: 100%;
+}
+.query-list-results th,
+.query-list-results td {
+    border-bottom: 1px solid #d7dde5;
+    padding: 0.45rem 0.7rem;
+    text-align: left;
+    vertical-align: top;
+}
+.query-list-results th {
+    background-color: #edf6fb;
+    border-top: 1px solid #d7dde5;
+    color: #39445a;
+    font-weight: 700;
+}
+.query-list-results tbody tr:nth-child(even) {
+    background-color: rgba(39, 104, 144, 0.05);
+}
+.query-list-results a.query-list-title {
+    font-weight: 700;
+}
+.query-list-description {
+    color: #4f5b6d;
+    font-size: 0.78rem;
+    margin: 0.15rem 0 0;
+}
+.query-list-owner {
+    color: #39445a;
+    font-family: var(--font-monospace, monospace);
+    white-space: nowrap;
+}
+.query-list-flags {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.3rem;
+}
+.query-list-pill {
+    background-color: #eef1f5;
+    border: 1px solid #d7dde5;
+    border-radius: 0.25rem;
+    color: #39445a;
+    display: inline-block;
+    font-size: 0.75rem;
+    font-weight: 700;
+    line-height: 1;
+    padding: 0.25rem 0.4rem;
+    white-space: nowrap;
+}
+.query-list-pill-write {
+    background-color: #fff4db;
+    border-color: #e2b64e;
+}
+.query-list-pill-public {
+    background-color: #e7f5ec;
+    border-color: #9ecfab;
+    color: #267a3e;
+}
+.query-list-pill-private {
+    background-color: #f7edf0;
+    border-color: #dbb8c1;
+}
+.query-list-pill-trusted {
+    background-color: #e7f5ec;
+    border-color: #9ecfab;
+    color: #267a3e;
+}
+.query-list-empty {
+    color: #6b7280;
+}
+.query-list-footnotes {
+    border-top: 1px solid #d7dde5;
+    color: #4f5b6d;
+    font-size: 0.82rem;
+    margin: 0.35rem 0 1rem;
+    padding-top: 0.55rem;
+}
+.query-list-footnotes p {
+    margin: 0.25rem 0;
+}
+.query-list-footnotes .query-list-pill {
+    margin-right: 0.35rem;
+}
+.query-list-pagination a {
+    border: 1px solid #007bff;
+    border-radius: 0.25rem;
+    display: inline-block;
+    padding: 0.45rem 0.7rem;
+}
+.query-list-pagination-bottom {
+    margin-top: 0.75rem;
+}
+@media (max-width: 700px) {
+    .query-list-search input[type=search] {
+        max-width: none;
+    }
+}
+</style>
+{% endblock %}
+
+{% block body_class %}query-list{% if database %} db-{{ database|to_css_class }}{% endif %}{% endblock %}
+
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database) }}
+{% endblock %}
+
+{% block content %}
+
+<div class="query-list-page">
+
+<h1 style="padding-left: 10px; border-left: 10px solid #{% if database_color %}{{ database_color }}{% else %}666{% endif %}">Queries</h1>
+
+{% if queries %}
+    <form class="query-list-filters core" action="{{ query_list_path }}" method="get">
+        <p class="query-list-search">
+            <label for="query-search">Search</label>
+            <input id="query-search" type="search" name="q" value="{{ filters.q }}">
+            {% if filters.is_write %}<input type="hidden" name="is_write" value="{{ filters.is_write }}">{% endif %}
+            {% if filters.is_private %}<input type="hidden" name="is_private" value="{{ filters.is_private }}">{% endif %}
+            {% if filters.source %}<input type="hidden" name="source" value="{{ filters.source }}">{% endif %}
+            {% if filters.owner_id %}<input type="hidden" name="owner_id" value="{{ filters.owner_id }}">{% endif %}
+            <button type="submit">Search</button>
+        </p>
+    </form>
+
+    <nav class="query-list-facets" aria-label="Query filters">
+        {% for facet in facets %}
+            <section class="query-list-facet">
+                <h2>{{ facet.title }}</h2>
+                <ul>
+                    {% for item in facet["items"] %}
+                        <li>{% if item.href %}<a class="query-list-facet-link{% if item.active %} query-list-facet-link-active{% endif %}" href="{{ item.href }}"{% if item.active %} aria-current="true"{% endif %}>{% else %}<span class="query-list-facet-link query-list-facet-disabled">{% endif %}<span>{{ item.label }}</span><span class="query-list-facet-count">{{ item.count }}</span>{% if item.href %}</a>{% else %}</span>{% endif %}</li>
+                    {% endfor %}
+                </ul>
+            </section>
+        {% endfor %}
+    </nav>
+
+    <div class="table-wrapper"><table class="query-list-results">
+        <thead>
+            <tr>
+                {% if show_database %}<th scope="col">Database</th>{% endif %}
+                <th scope="col">Query</th>
+                <th scope="col">Owner</th>
+                <th scope="col">Flags</th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for query in queries %}
+                <tr>
+                    {% if show_database %}
+                        <td><a class="query-list-database" href="{{ urls.database(query.database) }}">{{ query.database }}</a></td>
+                    {% endif %}
+                    <td>
+                        <a class="query-list-title" href="{{ urls.query(query.database, query.name) }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a>{% if query.private %} 🔒{% endif %}
+                        {% if query.description %}<p class="query-list-description">{{ query.description }}</p>{% endif %}
+                    </td>
+                    <td class="query-list-owner">{% if query.owner_id is not none %}{{ query.owner_id }}{% else %}<span class="query-list-empty">-</span>{% endif %}</td>
+                    <td>
+                        <span class="query-list-flags">
+                            {% if query.is_write %}<span class="query-list-pill query-list-pill-write">Writable</span>{% else %}<span class="query-list-pill">Read-only</span>{% endif %}
+                            {% if query.is_private %}<span class="query-list-pill query-list-pill-private">Private</span>{% endif %}
+                            {% if query.is_trusted %}<span class="query-list-pill query-list-pill-trusted">Trusted</span>{% endif %}
+                        </span>
+                    </td>
+                </tr>
+            {% endfor %}
+        </tbody>
+    </table></div>
+    {% if show_private_note or show_trusted_note %}
+        <div class="query-list-footnotes">
+            {% if show_private_note %}<p><span class="query-list-pill query-list-pill-private">Private</span>Only the owning actor can view this query.</p>{% endif %}
+            {% if show_trusted_note %}<p><span class="query-list-pill query-list-pill-trusted">Trusted</span>Execution skips the usual SQL and write permission checks after view-query allows access.</p>{% endif %}
+        </div>
+    {% endif %}
+{% else %}
+    <p>No queries found.</p>
+{% endif %}
+
+{% if next_url %}
+    <nav class="query-list-pagination query-list-pagination-bottom" aria-label="Query pagination"><a href="{{ next_url }}">Next page</a></nav>
+{% endif %}
+
+</div>
+
+{% endblock %}
diff --git a/datasette/templates/row.html b/datasette/templates/row.html
index db43e71a..aa1f0ecd 100644
--- a/datasette/templates/row.html
+++ b/datasette/templates/row.html
@@ -4,6 +4,13 @@
 
 {% block extra_head %}
 {{- super() -}}
+{% if row_mutation_ui %}
+<script>window._datasetteTableData = {{ table_page_data|tojson }};</script>
+{% if table_page_data.foreignKeys %}
+<script src="{{ static('autocomplete.js') }}" defer></script>
+{% endif %}
+<script src="{{ static('edit-tools.js') }}" defer></script>
+{% endif %}
 <style>
 @media only screen and (max-width: 576px) {
 {% for column in columns %}
diff --git a/datasette/templates/table.html b/datasette/templates/table.html
index 25ff31ef..c2131360 100644
--- a/datasette/templates/table.html
+++ b/datasette/templates/table.html
@@ -1,10 +1,17 @@
 {% extends "base.html" %}
 
-{% block title %}{{ database }}: {{ table }}: {% if count or count == 0 %}{{ "{:,}".format(count) }} row{% if count == 1 %}{% else %}s{% endif %}{% endif %}{% if human_description_en %} {{ human_description_en }}{% endif %}{% endblock %}
+{% block title %}{{ database }}: {{ table }}: {% if count_truncated %}&gt;{{ "{:,}".format(count - 1) }} rows{% elif count or count == 0 %}{{ "{:,}".format(count) }} row{% if count == 1 %}{% else %}s{% endif %}{% endif %}{% if human_description_en %} {{ human_description_en }}{% endif %}{% endblock %}
 
 {% block extra_head %}
 {{- super() -}}
-<script src="{{ urls.static('table.js') }}" defer></script>
+<script>window._datasetteTableData = {{ table_page_data|tojson }};</script>
+<script src="{{ static('column-chooser.js') }}" defer></script>
+{% if table_page_data.foreignKeys %}
+<script src="{{ static('autocomplete.js') }}" defer></script>
+{% endif %}
+<script src="{{ static('edit-tools.js') }}" defer></script>
+<script src="{{ static('table.js') }}" defer></script>
+<script src="{{ static('mobile-column-actions.js') }}" defer></script>
 <script>DATASETTE_ALLOW_FACET = {{ datasette_allow_facet }};</script>
 <style>
 @media only screen and (max-width: 576px) {
@@ -41,19 +48,19 @@
 
 {% if count or human_description_en %}
     <h3>
-        {% if count == count_limit + 1 %}&gt;{{ "{:,}".format(count_limit) }} rows
+        {% if count_truncated %}&gt;{{ "{:,}".format(count - 1) }} rows
         {% if allow_execute_sql and query.sql %} <a class="count-sql" style="font-size: 0.8em;" href="{{ urls.database_query(database, count_sql) }}">count all</a>{% endif %}
         {% elif count or count == 0 %}{{ "{:,}".format(count) }} row{% if count == 1 %}{% else %}s{% endif %}{% endif %}
         {% if human_description_en %}{{ human_description_en }}{% endif %}
     </h3>
 {% endif %}
 
-<form class="core" class="filters" action="{{ urls.table(database, table) }}" method="get">
+<form class="core filters" action="{{ urls.table(database, table) }}" method="get">
     {% if supports_search %}
         <div class="search-row"><label for="_search">Search:</label><input id="_search" type="search" name="_search" value="{{ search }}"></div>
     {% endif %}
     {% for column, lookup, value in filters.selections() %}
-        <div class="filter-row">
+        <div class="filter-row filter-controls-row">
             <div class="select-wrapper">
                 <select name="_filter_column_{{ loop.index }}">
                     <option value="">- remove filter -</option>
@@ -70,7 +77,7 @@
             </div><input type="text" name="_filter_value_{{ loop.index }}" class="filter-value" value="{{ value }}">
         </div>
     {% endfor %}
-    <div class="filter-row">
+    <div class="filter-row filter-controls-row">
         <div class="select-wrapper">
             <select name="_filter_column">
                 <option value="">- column -</option>
@@ -86,9 +93,9 @@
             </select>
         </div><input type="text" name="_filter_value" class="filter-value">
     </div>
-    <div class="filter-row">
+    <div class="filter-row filter-actions-row">
         {% if is_sortable %}
-            <div class="select-wrapper small-screen-only">
+            <div class="select-wrapper">
                 <select name="_sort" id="sort_by">
                     <option value="">Sort...</option>
                     {% for column in display_columns %}
@@ -98,12 +105,12 @@
                     {% endfor %}
                 </select>
             </div>
-            <label class="sort_by_desc small-screen-only"><input type="checkbox" name="_sort_by_desc"{% if sort_desc %} checked{% endif %}> descending</label>
+            <label class="sort_by_desc"><input type="checkbox" name="_sort_by_desc" tabindex="0"{% if sort_desc %} checked{% endif %}> descending</label>
         {% endif %}
         {% for key, value in form_hidden_args %}
             <input type="hidden" name="{{ key }}" value="{{ value }}">
         {% endfor %}
-        <input type="submit" value="Apply">
+        <input type="submit" value="Apply filters" tabindex="0">
     </div>
 </form>
 
@@ -136,6 +143,39 @@
     {% include "_facet_results.html" %}
 {% endif %}
 
+{% if all_columns %}
+<column-chooser></column-chooser>
+<button class="choose-columns-mobile small-screen-only" onclick="openColumnChooser()">Choose columns</button>
+<button type="button" class="column-actions-mobile small-screen-only">
+    <svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+        <circle cx="12" cy="12" r="3"></circle>
+        <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z"></path>
+    </svg>
+    <span>Column actions</span>
+</button>
+<script>
+window._columnChooserData = {{ {"allColumns": all_columns, "selectedColumns": display_columns|map(attribute='name')|list, "primaryKeys": primary_keys}|tojson }};
+</script>
+{% endif %}
+{% if set_column_type_ui %}
+<script>
+window._setColumnTypeData = {{ set_column_type_ui|tojson }};
+</script>
+{% endif %}
+
+{% if table_insert_ui %}
+<div class="table-row-toolbar">
+    <button type="button" class="core table-insert-row" data-table-action="insert-row">
+        <svg class="row-inline-action-icon" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+            <rect width="18" height="18" x="3" y="3" rx="2"></rect>
+            <path d="M8 12h8"></path>
+            <path d="M12 8v8"></path>
+        </svg>
+        <span>Insert row</span>
+    </button>
+</div>
+{% endif %}
+
 {% include custom_table_templates %}
 
 {% if next_url %}
diff --git a/datasette/tokens.py b/datasette/tokens.py
index 5a12d8e0..38a55529 100644
--- a/datasette/tokens.py
+++ b/datasette/tokens.py
@@ -52,6 +52,38 @@ class TokenRestrictions:
         self.resource.setdefault(database, {}).setdefault(resource, []).append(action)
         return self
 
+    def abbreviated(self, datasette: "Datasette") -> Optional[dict]:
+        """
+        Return the abbreviated ``_r`` dictionary shape for this set of
+        restrictions, using action abbreviations registered with ``datasette``.
+        Returns ``None`` if no restrictions are set.
+        """
+        if not (self.all or self.database or self.resource):
+            return None
+
+        def abbreviate_action(action):
+            action_obj = datasette.actions.get(action)
+            if not action_obj:
+                return action
+            return action_obj.abbr or action
+
+        result: dict = {}
+        if self.all:
+            result["a"] = [abbreviate_action(a) for a in self.all]
+        if self.database:
+            result["d"] = {
+                database: [abbreviate_action(a) for a in actions]
+                for database, actions in self.database.items()
+            }
+        if self.resource:
+            result["r"] = {}
+            for database, resources in self.resource.items():
+                for resource, actions in resources.items():
+                    result["r"].setdefault(database, {})[resource] = [
+                        abbreviate_action(a) for a in actions
+                    ]
+        return result
+
 
 class TokenHandler:
     """
@@ -104,31 +136,12 @@ class SignedTokenHandler(TokenHandler):
 
         token = {"a": actor_id, "t": int(time.time())}
 
-        def abbreviate_action(action):
-            action_obj = datasette.actions.get(action)
-            if not action_obj:
-                return action
-            return action_obj.abbr or action
-
         if expires_after:
             token["d"] = expires_after
-        if restrictions and (
-            restrictions.all or restrictions.database or restrictions.resource
-        ):
-            token["_r"] = {}
-            if restrictions.all:
-                token["_r"]["a"] = [abbreviate_action(a) for a in restrictions.all]
-            if restrictions.database:
-                token["_r"]["d"] = {}
-                for database, actions in restrictions.database.items():
-                    token["_r"]["d"][database] = [abbreviate_action(a) for a in actions]
-            if restrictions.resource:
-                token["_r"]["r"] = {}
-                for database, resources in restrictions.resource.items():
-                    for resource, actions in resources.items():
-                        token["_r"]["r"].setdefault(database, {})[resource] = [
-                            abbreviate_action(a) for a in actions
-                        ]
+        if restrictions is not None:
+            abbreviated = restrictions.abbreviated(datasette)
+            if abbreviated is not None:
+                token["_r"] = abbreviated
         return "dstok_{}".format(datasette.sign(token, namespace="token"))
 
     async def verify_token(self, datasette: "Datasette", token: str) -> Optional[dict]:
diff --git a/datasette/tracer.py b/datasette/tracer.py
index 9e66613b..28f3cc09 100644
--- a/datasette/tracer.py
+++ b/datasette/tracer.py
@@ -27,8 +27,10 @@ def get_task_id():
 @contextmanager
 def trace_child_tasks():
     token = trace_task_id.set(get_task_id())
-    yield
-    trace_task_id.reset(token)
+    try:
+        yield
+    finally:
+        trace_task_id.reset(token)
 
 
 @contextmanager
diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index c6973d06..1caff3a8 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -155,9 +155,15 @@ Column = namedtuple(
 functions_marked_as_documented = []
 
 
-def documented(fn):
-    functions_marked_as_documented.append(fn)
-    return fn
+def documented(fn=None, *, label=None):
+    def decorate(fn):
+        fn._datasette_docs_label = label or "internals_utils_{}".format(fn.__name__)
+        functions_marked_as_documented.append(fn)
+        return fn
+
+    if fn is None:
+        return decorate
+    return decorate(fn)
 
 
 @documented
@@ -218,7 +224,31 @@ def compound_keys_after_sql(pks, start_index=0):
     return "({})".format("\n  or\n".join(or_clauses))
 
 
+@documented
 class CustomJSONEncoder(json.JSONEncoder):
+    """
+    The CustomJSONEncoder class handles serialization for objects commonly used by Datasette,
+    including SQLite cursors and binary blobs. Datasette uses it internally to serve .json endpoints,
+    and plugins that return JSON can use it to match Datasette's own handling.
+
+    Built-in types (text, numbers, lists, etc) are encoded the same as Python's built-in ``json`` module.
+
+    - ``sqlite3.Row`` becomes a tuple
+    - ``sqlite3.Cursor`` becomes a list
+
+    If a binary blob can be decoded as UTF-8, the encoder returns it as text.
+
+    If it can't (for example, images), it is encoded as an object, with the actual
+    data base64-encoded, like so: ::
+
+        {
+            "$base64": True,
+            "encoded": ...,
+        }
+
+    Example: https://latest.datasette.io/fixtures/binary_data.json
+    """
+
     def default(self, obj):
         if isinstance(obj, sqlite3.Row):
             return tuple(obj)
@@ -404,8 +434,7 @@ def escape_css_string(s):
 def escape_sqlite(s):
     if _boring_keyword_re.match(s) and (s.lower() not in reserved_words):
         return s
-    else:
-        return f"[{s}]"
+    return '"{}"'.format(s.replace('"', '""'))
 
 
 def make_dockerfile(
@@ -681,13 +710,18 @@ def detect_fts_sql(table):
 
 
 def detect_json1(conn=None):
+    close_conn = False
     if conn is None:
         conn = sqlite3.connect(":memory:")
+        close_conn = True
     try:
         conn.execute("SELECT json('{}')")
         return True
     except Exception:
         return False
+    finally:
+        if close_conn:
+            conn.close()
 
 
 def table_columns(conn, table):
@@ -826,7 +860,8 @@ def path_with_format(
     *, request=None, path=None, format=None, extra_qs=None, replace_format=None
 ):
     qs = extra_qs or {}
-    path = request.path if request else path
+    if path is None and request:
+        path = request.path
     if replace_format and path.endswith(f".{replace_format}"):
         path = path[: -(1 + len(replace_format))]
     if "." in path:
@@ -1086,12 +1121,35 @@ def _gather_arguments(fn, kwargs):
     return call_with
 
 
+@documented
 def call_with_supported_arguments(fn, **kwargs):
+    """
+    Call ``fn`` with the subset of ``**kwargs`` matching its signature.
+
+    This implements dependency injection: the caller provides all available
+    keyword arguments and the function receives only the ones it declares
+    as parameters.
+
+    :param fn: A callable (sync function)
+    :param kwargs: All available keyword arguments
+    :returns: The return value of ``fn``
+    """
     call_with = _gather_arguments(fn, kwargs)
     return fn(*call_with)
 
 
+@documented
 async def async_call_with_supported_arguments(fn, **kwargs):
+    """
+    Async version of :func:`call_with_supported_arguments`.
+
+    Calls ``await fn(...)`` with the subset of ``**kwargs`` matching its
+    signature.
+
+    :param fn: An async callable
+    :param kwargs: All available keyword arguments
+    :returns: The return value of ``await fn(...)``
+    """
     call_with = _gather_arguments(fn, kwargs)
     return await fn(*call_with)
 
@@ -1509,6 +1567,17 @@ def md5_not_usedforsecurity(s):
 _etag_cache = {}
 
 
+def sha256_file(filepath, chunk_size=4096):
+    hasher = hashlib.sha256()
+    with open(filepath, "rb") as fp:
+        while True:
+            chunk = fp.read(chunk_size)
+            if not chunk:
+                break
+            hasher.update(chunk)
+    return hasher.hexdigest()
+
+
 async def calculate_etag(filepath, chunk_size=4096):
     if filepath in _etag_cache:
         return _etag_cache[filepath]
diff --git a/datasette/utils/actions_sql.py b/datasette/utils/actions_sql.py
index 14383253..c7137e6b 100644
--- a/datasette/utils/actions_sql.py
+++ b/datasette/utils/actions_sql.py
@@ -21,6 +21,8 @@ The core pattern is:
 - Across levels, child beats parent beats global
 """
 
+import asyncio
+import re
 from typing import TYPE_CHECKING
 
 from datasette.utils.permissions import gather_permission_sql_from_hooks
@@ -147,7 +149,9 @@ async def _build_single_action_sql(
         raise ValueError(f"Unknown action: {action}")
 
     # Get base resources SQL from the resource class
-    base_resources_sql = await action_obj.resource_class.resources_sql(datasette)
+    base_resources_sql = await action_obj.resource_class.resources_sql(
+        datasette, actor=actor
+    )
 
     permission_sqls = await gather_permission_sql_from_hooks(
         datasette=datasette,
@@ -239,6 +243,14 @@ async def _build_single_action_sql(
                     "),",
                 ]
             )
+        else:
+            query_parts.extend(
+                [
+                    "anon_rules AS (",
+                    "  SELECT NULL AS parent, NULL AS child, 0 AS allow, NULL AS reason WHERE 0",
+                    "),",
+                ]
+            )
 
     # Continue with the cascading logic
     query_parts.extend(
@@ -485,6 +497,153 @@ async def build_permission_rules_sql(
     return rules_union, all_params, restriction_sqls
 
 
+async def check_permissions_for_actions(
+    *,
+    datasette: "Datasette",
+    actor: dict | None,
+    actions: list[str],
+    parent: str | None,
+    child: str | None,
+) -> dict[str, bool]:
+    """
+    Check several actions for one actor and resource in a single query.
+
+    Args:
+        datasette: The Datasette instance
+        actor: The actor dict (or None)
+        actions: List of action names to check
+        parent: The parent resource identifier (e.g., database name, or None)
+        child: The child resource identifier (e.g., table name, or None)
+
+    Returns:
+        Dict mapping each action name to True (allowed) or False (denied)
+
+    Each action contributes its own tagged block of permission rules
+    (gathered from the permission_resources_sql hook, with parameters
+    namespaced per action to avoid collisions) plus an optional
+    restriction allowlist CTE. One internal database query resolves
+    the winning rule per action using the same specificity-then-deny
+    ordering as the rest of the permission system.
+
+    Note: this resolves each action independently - also_requires
+    dependencies are handled by the caller (Datasette.allowed_many).
+    """
+    from datasette.utils.permissions import SKIP_PERMISSION_CHECKS
+
+    for action in actions:
+        if not datasette.actions.get(action):
+            raise ValueError(f"Unknown action: {action}")
+
+    # Dedupe while preserving order
+    unique_actions = list(dict.fromkeys(actions))
+    if not unique_actions:
+        return {}
+
+    # Gather hook results for each action concurrently - hooks within a
+    # single action still run sequentially, preserving existing semantics
+    gathered = await asyncio.gather(
+        *(
+            gather_permission_sql_from_hooks(
+                datasette=datasette, actor=actor, action=action
+            )
+            for action in unique_actions
+        )
+    )
+
+    if any(result is SKIP_PERMISSION_CHECKS for result in gathered):
+        return {action: True for action in unique_actions}
+
+    params = {"_check_parent": parent, "_check_child": child}
+    ctes = []
+    result_rows = []
+    verdicts = {}
+
+    for i, (action, permission_sqls) in enumerate(zip(unique_actions, gathered)):
+        prefix = f"a{i}_"
+        rule_parts = []
+        restriction_parts = []
+
+        for permission_sql in permission_sqls:
+            sql = permission_sql.sql
+            restriction_sql = permission_sql.restriction_sql
+            # Namespace this block's params so identical names used for
+            # different actions cannot collide
+            for key in permission_sql.params or {}:
+                new_key = prefix + key
+                params[new_key] = permission_sql.params[key]
+                pattern = re.compile(":" + re.escape(key) + r"(?![A-Za-z0-9_])")
+                if sql:
+                    sql = pattern.sub(":" + new_key, sql)
+                if restriction_sql:
+                    restriction_sql = pattern.sub(":" + new_key, restriction_sql)
+
+            if restriction_sql:
+                restriction_parts.append(restriction_sql)
+
+            # Skip plugins that only provide restriction_sql (no permission rules)
+            if sql is None:
+                continue
+            rule_parts.append(
+                f"SELECT parent, child, allow, reason, '{permission_sql.source}' AS source_plugin FROM (\n{sql}\n)"
+            )
+
+        if not rule_parts:
+            # No rules from any plugin - default deny. Restrictions can
+            # only restrict, never grant, so no SQL is needed at all
+            verdicts[action] = False
+            continue
+        ctes.append(f"a{i}_rules AS (\n" + "\nUNION ALL\n".join(rule_parts) + "\n)")
+
+        # Winning rule for this action: most specific depth first, then
+        # deny-beats-allow, then source_plugin as a stable tie-break
+        verdict_sql = f"""COALESCE((
+  SELECT allow FROM (
+    SELECT allow, source_plugin,
+      CASE
+        WHEN child IS NOT NULL THEN 2
+        WHEN parent IS NOT NULL THEN 1
+        ELSE 0
+      END AS depth
+    FROM a{i}_rules
+    WHERE (parent IS NULL OR parent = :_check_parent)
+      AND (child IS NULL OR child = :_check_child)
+    ORDER BY
+      depth DESC,
+      CASE WHEN allow = 0 THEN 0 ELSE 1 END,
+      source_plugin
+    LIMIT 1
+  )
+), 0)"""
+
+        if restriction_parts:
+            # Database-level restrictions (parent, NULL) match all children
+            restriction_intersect = "\nINTERSECT\n".join(
+                f"SELECT * FROM ({sql})" for sql in restriction_parts
+            )
+            ctes.append(f"a{i}_restriction AS (\n{restriction_intersect}\n)")
+            verdict_sql = f"""({verdict_sql}) AND EXISTS (
+  SELECT 1 FROM a{i}_restriction r
+  WHERE (r.parent = :_check_parent OR r.parent IS NULL)
+    AND (r.child = :_check_child OR r.child IS NULL)
+)"""
+
+        result_rows.append(f"({i}, ({verdict_sql}))")
+
+    if result_rows:
+        ctes.append(
+            "results(action_idx, is_allowed) AS (VALUES\n"
+            + ",\n".join(result_rows)
+            + "\n)"
+        )
+        query = (
+            "WITH\n" + ",\n".join(ctes) + "\nSELECT action_idx, is_allowed FROM results"
+        )
+        result = await datasette.get_internal_database().execute(query, params)
+        for row in result.rows:
+            verdicts[unique_actions[row[0]]] = bool(row[1])
+    return verdicts
+
+
 async def check_permission_for_resource(
     *,
     datasette: "Datasette",
@@ -505,77 +664,12 @@ async def check_permission_for_resource(
 
     Returns:
         True if the actor is allowed, False otherwise
-
-    This builds the cascading permission query and checks if the specific
-    resource is in the allowed set.
     """
-    rules_union, all_params, restriction_sqls = await build_permission_rules_sql(
-        datasette, actor, action
+    results = await check_permissions_for_actions(
+        datasette=datasette,
+        actor=actor,
+        actions=[action],
+        parent=parent,
+        child=child,
     )
-
-    # If no rules (empty SQL), default deny
-    if not rules_union:
-        return False
-
-    # Add parameters for the resource we're checking
-    all_params["_check_parent"] = parent
-    all_params["_check_child"] = child
-
-    # If there are restriction filters, check if the resource passes them first
-    if restriction_sqls:
-        # Check if resource is in restriction allowlist
-        # Database-level restrictions (parent, NULL) should match all children (parent, *)
-        # Wrap each restriction_sql in a subquery to avoid operator precedence issues
-        restriction_check = "\nINTERSECT\n".join(
-            f"SELECT * FROM ({sql})" for sql in restriction_sqls
-        )
-        restriction_query = f"""
-WITH restriction_list AS (
-    {restriction_check}
-)
-SELECT EXISTS (
-    SELECT 1 FROM restriction_list
-    WHERE (parent = :_check_parent OR parent IS NULL)
-      AND (child = :_check_child OR child IS NULL)
-) AS in_allowlist
-"""
-        result = await datasette.get_internal_database().execute(
-            restriction_query, all_params
-        )
-        if result.rows and not result.rows[0][0]:
-            # Resource not in restriction allowlist - deny
-            return False
-
-    query = f"""
-WITH
-all_rules AS (
-  {rules_union}
-),
-matched_rules AS (
-  SELECT ar.*,
-    CASE
-      WHEN ar.child IS NOT NULL THEN 2  -- child-level (most specific)
-      WHEN ar.parent IS NOT NULL THEN 1  -- parent-level
-      ELSE 0                             -- root/global
-    END AS depth
-  FROM all_rules ar
-  WHERE (ar.parent IS NULL OR ar.parent = :_check_parent)
-    AND (ar.child IS NULL OR ar.child = :_check_child)
-),
-winner AS (
-  SELECT *
-  FROM matched_rules
-  ORDER BY
-    depth DESC,                          -- specificity first (higher depth wins)
-    CASE WHEN allow=0 THEN 0 ELSE 1 END, -- then deny over allow
-    source_plugin                        -- stable tie-break
-  LIMIT 1
-)
-SELECT COALESCE((SELECT allow FROM winner), 0) AS is_allowed
-"""
-
-    # Execute the query against the internal database
-    result = await datasette.get_internal_database().execute(query, all_params)
-    if result.rows:
-        return bool(result.rows[0][0])
-    return False
+    return results[action]
diff --git a/datasette/utils/asgi.py b/datasette/utils/asgi.py
index 35f243b6..e1631b10 100644
--- a/datasette/utils/asgi.py
+++ b/datasette/utils/asgi.py
@@ -1,6 +1,6 @@
 import json
 from typing import Optional
-from datasette.utils import MultiParams, calculate_etag
+from datasette.utils import MultiParams, calculate_etag, sha256_file
 from datasette.utils.multipart import (
     parse_form_data,
     MultipartParseError,
@@ -155,6 +155,10 @@ class Request:
         body = await self.post_body()
         return dict(parse_qsl(body.decode("utf-8"), keep_blank_values=True))
 
+    async def json(self):
+        body = await self.post_body()
+        return json.loads(body)
+
     async def form(
         self,
         files: bool = False,
@@ -330,9 +334,11 @@ async def asgi_send_html(send, html, status=200, headers=None):
 
 
 async def asgi_send_redirect(send, location, status=302):
-    # Prevent open redirect vulnerability: strip multiple leading slashes
-    # //example.com would be interpreted as a protocol-relative URL (e.g., https://example.com/)
-    location = re.sub(r"^/+", "/", location)
+    # Prevent open redirect vulnerability: collapse leading slashes and
+    # backslashes down to a single slash. //example.com is a protocol-relative
+    # URL, and browsers normalise backslashes to slashes so /\example.com would
+    # be treated as //example.com - https://github.com/simonw/datasette/issues/2680
+    location = re.sub(r"^[/\\]+", "/", location)
     await asgi_send(
         send,
         "",
@@ -391,6 +397,9 @@ async def asgi_send_file(
             )
 
 
+HASHED_STATIC_CACHE_CONTROL = "max-age=31536000, immutable, public"
+
+
 def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
     root_path = Path(root_path)
     static_headers = {}
@@ -417,11 +426,17 @@ def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
             return
         try:
             # Calculate ETag for filepath
+            hash_value = request.args.get("_hash")
+            if (
+                hash_value
+                and hash_value == sha256_file(full_path, chunk_size=chunk_size)[:12]
+            ):
+                headers["Cache-Control"] = HASHED_STATIC_CACHE_CONTROL
             etag = await calculate_etag(full_path, chunk_size=chunk_size)
             headers["ETag"] = etag
             if_none_match = request.headers.get("if-none-match")
             if if_none_match and if_none_match == etag:
-                return await asgi_send(send, "", 304)
+                return await asgi_send(send, "", 304, headers=headers)
             await asgi_send_file(
                 send, full_path, chunk_size=chunk_size, headers=headers
             )
diff --git a/datasette/utils/internal_db.py b/datasette/utils/internal_db.py
index e4ebddde..bf172667 100644
--- a/datasette/utils/internal_db.py
+++ b/datasette/utils/internal_db.py
@@ -103,6 +103,37 @@ async def initialize_metadata_tables(db):
             value text,
             unique(database_name, resource_name, column_name, key)
         );
+
+        CREATE TABLE IF NOT EXISTS column_types (
+            database_name TEXT NOT NULL,
+            resource_name TEXT NOT NULL,
+            column_name TEXT NOT NULL,
+            column_type TEXT NOT NULL,
+            config TEXT,
+            PRIMARY KEY (database_name, resource_name, column_name)
+        );
+
+        CREATE TABLE IF NOT EXISTS queries (
+            database_name TEXT NOT NULL,
+            name TEXT NOT NULL,
+            sql TEXT NOT NULL,
+            title TEXT,
+            description TEXT,
+            description_html TEXT,
+            options TEXT NOT NULL DEFAULT '{}',
+            parameters TEXT NOT NULL DEFAULT '[]',
+            is_write INTEGER NOT NULL DEFAULT 0 CHECK (is_write IN (0, 1)),
+            is_private INTEGER NOT NULL DEFAULT 0 CHECK (is_private IN (0, 1)),
+            is_trusted INTEGER NOT NULL DEFAULT 0 CHECK (is_trusted IN (0, 1)),
+            source TEXT NOT NULL DEFAULT 'user',
+            owner_id TEXT,
+            created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            PRIMARY KEY (database_name, name)
+        );
+
+        CREATE INDEX IF NOT EXISTS queries_owner_idx
+            ON queries(owner_id);
             """))
 
 
diff --git a/datasette/utils/sql_analysis.py b/datasette/utils/sql_analysis.py
new file mode 100644
index 00000000..0a3a947c
--- /dev/null
+++ b/datasette/utils/sql_analysis.py
@@ -0,0 +1,550 @@
+from dataclasses import dataclass
+from typing import Literal
+
+from datasette.utils.sqlite import SQLiteTableType, sqlite3, sqlite_table_type
+
+SQLOperation = Literal[
+    "read",
+    "insert",
+    "update",
+    "delete",
+    "select",
+    "function",
+    "create",
+    "alter",
+    "drop",
+    "begin",
+    "commit",
+    "rollback",
+    "savepoint",
+    "attach",
+    "detach",
+    "pragma",
+    "analyze",
+    "reindex",
+    "vacuum",
+    "unknown",
+]
+SQLTargetType = Literal[
+    "table",
+    "index",
+    "view",
+    "trigger",
+    "virtual-table",
+    "schema",
+    "statement",
+    "transaction",
+    "database",
+    "pragma",
+    "function",
+    "unknown",
+]
+SQLTableOperation = Literal["read", "insert", "update", "delete"]
+SQLSchemaOperation = Literal["create", "drop"]
+SQLSchemaTargetType = Literal["index", "table", "trigger", "view", "virtual-table"]
+
+
+@dataclass(frozen=True)
+class Operation:
+    operation: SQLOperation
+    target_type: SQLTargetType
+    database: str | None
+    table: str | None
+    sqlite_schema: str | None
+    table_kind: SQLiteTableType | None = None
+    target: str | None = None
+    columns: tuple[str, ...] = ()
+    source: str | None = None
+    internal: bool = False
+
+
+@dataclass(frozen=True)
+class SQLAnalysis:
+    operations: tuple[Operation, ...]
+
+
+# Hashable dict key for grouping repeated authorizer callbacks while collecting columns.
+@dataclass(frozen=True)
+class OperationKey:
+    operation: SQLOperation
+    target_type: SQLTargetType
+    database: str | None
+    table: str | None
+    sqlite_schema: str | None
+    target: str | None
+    source: str | None
+    internal: bool
+
+
+_ACTION_TO_OPERATION: dict[int, SQLTableOperation] = {
+    sqlite3.SQLITE_READ: "read",
+    sqlite3.SQLITE_INSERT: "insert",
+    sqlite3.SQLITE_UPDATE: "update",
+    sqlite3.SQLITE_DELETE: "delete",
+}
+
+# Values are (operation, target_type) pairs used to construct Operation objects.
+_CREATE_ACTIONS: dict[int, tuple[SQLSchemaOperation, SQLSchemaTargetType]] = {
+    sqlite3.SQLITE_CREATE_INDEX: ("create", "index"),
+    sqlite3.SQLITE_CREATE_TABLE: ("create", "table"),
+    sqlite3.SQLITE_CREATE_TRIGGER: ("create", "trigger"),
+    sqlite3.SQLITE_CREATE_VIEW: ("create", "view"),
+}
+_DROP_ACTIONS: dict[int, tuple[SQLSchemaOperation, SQLSchemaTargetType]] = {
+    sqlite3.SQLITE_DROP_INDEX: ("drop", "index"),
+    sqlite3.SQLITE_DROP_TABLE: ("drop", "table"),
+    sqlite3.SQLITE_DROP_TRIGGER: ("drop", "trigger"),
+    sqlite3.SQLITE_DROP_VIEW: ("drop", "view"),
+}
+
+
+def _add_schema_action(
+    action_name: str,
+    operation: SQLSchemaOperation,
+    target_type: SQLSchemaTargetType,
+) -> None:
+    action_value = getattr(sqlite3, action_name, None)
+    if action_value is not None:
+        actions = _CREATE_ACTIONS if operation == "create" else _DROP_ACTIONS
+        actions[action_value] = (operation, target_type)
+
+
+_TEMP_SCHEMA_ACTIONS: tuple[
+    tuple[str, SQLSchemaOperation, SQLSchemaTargetType], ...
+] = (
+    ("SQLITE_CREATE_TEMP_INDEX", "create", "index"),
+    ("SQLITE_CREATE_TEMP_TABLE", "create", "table"),
+    ("SQLITE_CREATE_TEMP_TRIGGER", "create", "trigger"),
+    ("SQLITE_CREATE_TEMP_VIEW", "create", "view"),
+    ("SQLITE_DROP_TEMP_INDEX", "drop", "index"),
+    ("SQLITE_DROP_TEMP_TABLE", "drop", "table"),
+    ("SQLITE_DROP_TEMP_TRIGGER", "drop", "trigger"),
+    ("SQLITE_DROP_TEMP_VIEW", "drop", "view"),
+)
+for schema_action in _TEMP_SCHEMA_ACTIONS:
+    _add_schema_action(*schema_action)
+
+_VTABLE_SCHEMA_ACTIONS: tuple[
+    tuple[str, SQLSchemaOperation, SQLSchemaTargetType], ...
+] = (
+    ("SQLITE_CREATE_VTABLE", "create", "virtual-table"),
+    ("SQLITE_DROP_VTABLE", "drop", "virtual-table"),
+)
+for schema_action in _VTABLE_SCHEMA_ACTIONS:
+    _add_schema_action(*schema_action)
+
+_SQLITE_SCHEMA_TABLES = {
+    "sqlite_master",
+    "sqlite_schema",
+    "sqlite_temp_master",
+    "sqlite_temp_schema",
+}
+_SQLITE_INTERNAL_SCHEMA_FUNCTIONS = {
+    "length",
+    "like",
+    "printf",
+    "sqlite_drop_column",
+    "sqlite_rename_column",
+    "sqlite_rename_quotefix",
+    "sqlite_rename_table",
+    "sqlite_rename_test",
+    "substr",
+}
+
+_AUTHORIZER_ACTION_NAMES = {
+    getattr(sqlite3, name): name
+    for name in (
+        "SQLITE_CREATE_INDEX",
+        "SQLITE_CREATE_TABLE",
+        "SQLITE_CREATE_TEMP_INDEX",
+        "SQLITE_CREATE_TEMP_TABLE",
+        "SQLITE_CREATE_TEMP_TRIGGER",
+        "SQLITE_CREATE_TEMP_VIEW",
+        "SQLITE_CREATE_TRIGGER",
+        "SQLITE_CREATE_VIEW",
+        "SQLITE_DELETE",
+        "SQLITE_DROP_INDEX",
+        "SQLITE_DROP_TABLE",
+        "SQLITE_DROP_TEMP_INDEX",
+        "SQLITE_DROP_TEMP_TABLE",
+        "SQLITE_DROP_TEMP_TRIGGER",
+        "SQLITE_DROP_TEMP_VIEW",
+        "SQLITE_DROP_TRIGGER",
+        "SQLITE_DROP_VIEW",
+        "SQLITE_INSERT",
+        "SQLITE_PRAGMA",
+        "SQLITE_READ",
+        "SQLITE_SELECT",
+        "SQLITE_TRANSACTION",
+        "SQLITE_UPDATE",
+        "SQLITE_ATTACH",
+        "SQLITE_DETACH",
+        "SQLITE_ALTER_TABLE",
+        "SQLITE_REINDEX",
+        "SQLITE_ANALYZE",
+        "SQLITE_CREATE_VTABLE",
+        "SQLITE_DROP_VTABLE",
+        "SQLITE_FUNCTION",
+        "SQLITE_SAVEPOINT",
+        "SQLITE_RECURSIVE",
+    )
+    if hasattr(sqlite3, name)
+}
+
+
+def _allow_authorizer_action(*args):
+    return sqlite3.SQLITE_OK
+
+
+def analyze_sql_tables(
+    conn,
+    sql: str,
+    params=None,
+    *,
+    database_name: str | None = None,
+    schema_to_database: dict[str, str] | None = None,
+) -> SQLAnalysis:
+    """
+    Return operations performed by a SQL statement according to SQLite's authorizer.
+
+    This function is synchronous and connection-based. It temporarily installs a
+    SQLite authorizer, prepares ``EXPLAIN <sql>``, and returns the operation
+    callbacks observed while SQLite compiles the statement.
+    """
+    operations: dict[OperationKey, set[str]] = {}
+
+    def database_for_schema(sqlite_schema):
+        if schema_to_database and sqlite_schema in schema_to_database:
+            return schema_to_database[sqlite_schema]
+        if sqlite_schema == "main" and database_name is not None:
+            return database_name
+        return sqlite_schema
+
+    def record(
+        operation: SQLOperation,
+        target_type: SQLTargetType,
+        *,
+        database: str | None,
+        table: str | None,
+        sqlite_schema: str | None,
+        target: str | None,
+        source: str | None,
+        column: str | None = None,
+        internal: bool = False,
+    ):
+        key = OperationKey(
+            operation=operation,
+            target_type=target_type,
+            database=database,
+            table=table,
+            sqlite_schema=sqlite_schema,
+            target=target,
+            source=source,
+            internal=internal,
+        )
+        columns = operations.setdefault(key, set())
+        if column is not None:
+            columns.add(column)
+
+    def authorizer(action, arg1, arg2, sqlite_schema, source):
+        operation = _ACTION_TO_OPERATION.get(action)
+        if operation is not None and arg1 is not None:
+            target_type = "schema" if arg1 in _SQLITE_SCHEMA_TABLES else "table"
+            column = (
+                arg2 if operation in ("read", "update") and arg2 is not None else None
+            )
+            record(
+                operation,
+                target_type,
+                database=database_for_schema(sqlite_schema),
+                table=arg1 if target_type == "table" else None,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+                column=column,
+            )
+            return sqlite3.SQLITE_OK
+
+        create_operation = _CREATE_ACTIONS.get(action)
+        if create_operation is not None and arg1 is not None:
+            operation, target_type = create_operation
+            related_table = arg2 if target_type in {"index", "trigger"} else arg1
+            record(
+                operation,
+                target_type,
+                database=database_for_schema(sqlite_schema),
+                table=related_table,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        drop_operation = _DROP_ACTIONS.get(action)
+        if drop_operation is not None and arg1 is not None:
+            operation, target_type = drop_operation
+            related_table = arg2 if target_type in {"index", "trigger"} else arg1
+            record(
+                operation,
+                target_type,
+                database=database_for_schema(sqlite_schema),
+                table=related_table,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_ALTER_TABLE and arg2 is not None:
+            record(
+                "alter",
+                "table",
+                database=database_for_schema(arg1),
+                table=arg2,
+                sqlite_schema=arg1,
+                target=arg2,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_TRANSACTION and arg1 is not None:
+            record(
+                arg1.lower(),
+                "transaction",
+                database=None,
+                table=None,
+                sqlite_schema=None,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_ATTACH and arg1 is not None:
+            record(
+                "attach",
+                "database",
+                database=None,
+                table=None,
+                sqlite_schema=None,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_DETACH and arg1 is not None:
+            record(
+                "detach",
+                "database",
+                database=None,
+                table=None,
+                sqlite_schema=None,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_PRAGMA and arg1 is not None:
+            record(
+                "pragma",
+                "pragma",
+                database=None,
+                table=None,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_ANALYZE:
+            record(
+                "analyze",
+                "database" if arg1 is None else "table",
+                database=database_for_schema(sqlite_schema),
+                table=arg1,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_REINDEX and arg1 is not None:
+            record(
+                "reindex",
+                "index",
+                database=database_for_schema(sqlite_schema),
+                table=None,
+                sqlite_schema=sqlite_schema,
+                target=arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_SELECT:
+            record(
+                "select",
+                "statement",
+                database=None,
+                table=None,
+                sqlite_schema=sqlite_schema,
+                target=None,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_FUNCTION and arg2 is not None:
+            record(
+                "function",
+                "function",
+                database=None,
+                table=None,
+                sqlite_schema=sqlite_schema,
+                target=arg2,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        if action == sqlite3.SQLITE_SAVEPOINT and arg1 is not None:
+            record(
+                "savepoint",
+                "transaction",
+                database=None,
+                table=None,
+                sqlite_schema=sqlite_schema,
+                target="{} {}".format(arg1, arg2) if arg2 is not None else arg1,
+                source=source,
+            )
+            return sqlite3.SQLITE_OK
+
+        action_name = _AUTHORIZER_ACTION_NAMES.get(action, "SQLITE_{}".format(action))
+        record(
+            "unknown",
+            "unknown",
+            database=database_for_schema(sqlite_schema),
+            table=None,
+            sqlite_schema=sqlite_schema,
+            target=action_name,
+            source=source,
+        )
+        return sqlite3.SQLITE_OK
+
+    table_kind_cache: dict[tuple[str | None, str], SQLiteTableType | None] = {}
+
+    conn.set_authorizer(authorizer)
+    try:
+        explain_rows = conn.execute(
+            "EXPLAIN " + sql, params if params is not None else {}
+        ).fetchall()
+        # Passing None before these lookups leaves a failing callback installed
+        # on Python 3.10, so use a permissive callback until they are complete.
+        conn.set_authorizer(_allow_authorizer_action)
+
+        if not operations:
+            vacuum_row = next((row for row in explain_rows if row[1] == "Vacuum"), None)
+            if vacuum_row is not None:
+                schema_by_index = {
+                    row[0]: row[1] for row in conn.execute("PRAGMA database_list")
+                }
+                sqlite_schema = schema_by_index.get(vacuum_row[2])
+                database = database_for_schema(sqlite_schema)
+                record(
+                    "vacuum",
+                    "database",
+                    database=database,
+                    table=None,
+                    sqlite_schema=sqlite_schema,
+                    target=database,
+                    source=None,
+                )
+            else:
+                record(
+                    "unknown",
+                    "statement",
+                    database=database_name,
+                    table=None,
+                    sqlite_schema=None,
+                    target=None,
+                    source=None,
+                )
+
+        for key in operations:
+            if (
+                key.target_type == "table"
+                and key.operation in {"read", "insert", "update", "delete"}
+                and key.table is not None
+            ):
+                cache_key = (key.sqlite_schema, key.table)
+                if cache_key not in table_kind_cache:
+                    table_kind_cache[cache_key] = sqlite_table_type(
+                        conn, key.table, schema=key.sqlite_schema
+                    )
+    finally:
+        conn.set_authorizer(None)
+
+    has_schema_operation = any(
+        key.target_type in {"table", "index", "view", "trigger", "virtual-table"}
+        and key.operation in {"create", "alter", "drop"}
+        for key in operations
+    )
+    dropped_tables = {
+        (key.database, key.table)
+        for key in operations
+        if key.operation == "drop" and key.target_type == "table"
+    }
+
+    def key_is_drop_table_delete(key: OperationKey) -> bool:
+        return (
+            key.operation == "delete"
+            and key.target_type == "table"
+            and (key.database, key.table) in dropped_tables
+        )
+
+    has_user_table_access_in_schema_operation = any(
+        key.operation in {"read", "insert", "update", "delete"}
+        and key.target_type == "table"
+        and not key.internal
+        and not key_is_drop_table_delete(key)
+        for key in operations
+    )
+
+    def operation_is_internal(key: OperationKey) -> bool:
+        if key.internal or (has_schema_operation and key.target_type == "schema"):
+            return True
+        if has_schema_operation and key.operation == "reindex":
+            return True
+        if (
+            has_schema_operation
+            and not has_user_table_access_in_schema_operation
+            and key.operation == "function"
+            and key.target in _SQLITE_INTERNAL_SCHEMA_FUNCTIONS
+        ):
+            return True
+        if key_is_drop_table_delete(key):
+            return True
+        return False
+
+    def table_kind_for(key: OperationKey) -> SQLiteTableType | None:
+        if (
+            key.target_type != "table"
+            or key.operation not in {"read", "insert", "update", "delete"}
+            or key.table is None
+        ):
+            return None
+        return table_kind_cache[(key.sqlite_schema, key.table)]
+
+    return SQLAnalysis(
+        operations=tuple(
+            Operation(
+                operation=key.operation,
+                target_type=key.target_type,
+                database=key.database,
+                table=key.table,
+                sqlite_schema=key.sqlite_schema,
+                table_kind=table_kind_for(key),
+                target=key.target,
+                columns=tuple(sorted(columns)),
+                source=key.source,
+                internal=operation_is_internal(key),
+            )
+            for key, columns in operations.items()
+        )
+    )
diff --git a/datasette/utils/sqlite.py b/datasette/utils/sqlite.py
index 342ff3fa..4743ae4c 100644
--- a/datasette/utils/sqlite.py
+++ b/datasette/utils/sqlite.py
@@ -1,3 +1,6 @@
+import re
+from typing import Literal
+
 using_pysqlite3 = False
 try:
     import pysqlite3 as sqlite3
@@ -10,6 +13,19 @@ if hasattr(sqlite3, "enable_callback_tracebacks"):
     sqlite3.enable_callback_tracebacks(True)
 
 _cached_sqlite_version = None
+_cached_supports_returning = None
+SQLiteTableType = Literal["table", "view", "virtual", "shadow"]
+_VIRTUAL_TABLE_MODULE_RE = re.compile(
+    r"\bCREATE\s+VIRTUAL\s+TABLE\b.*?\bUSING\s+([^\s(]+)",
+    re.IGNORECASE | re.DOTALL,
+)
+_VIRTUAL_TABLE_SHADOW_SUFFIXES = {
+    "fts3": ("_content", "_segdir", "_segments", "_stat", "_docsize"),
+    "fts4": ("_content", "_segdir", "_segments", "_stat", "_docsize"),
+    "fts5": ("_data", "_idx", "_docsize", "_content", "_config"),
+    "rtree": ("_node", "_parent", "_rowid"),
+    "rtree_i32": ("_node", "_parent", "_rowid"),
+}
 
 
 def sqlite_version():
@@ -20,20 +36,162 @@ def sqlite_version():
 
 
 def _sqlite_version():
-    return tuple(
-        map(
-            int,
-            sqlite3.connect(":memory:")
-            .execute("select sqlite_version()")
-            .fetchone()[0]
-            .split("."),
+    conn = sqlite3.connect(":memory:")
+    try:
+        return tuple(
+            map(
+                int,
+                conn.execute("select sqlite_version()").fetchone()[0].split("."),
+            )
         )
-    )
+    finally:
+        conn.close()
 
 
 def supports_table_xinfo():
     return sqlite_version() >= (3, 26, 0)
 
 
+def supports_table_list():
+    return sqlite_version() >= (3, 37, 0)
+
+
 def supports_generated_columns():
     return sqlite_version() >= (3, 31, 0)
+
+
+def supports_returning():
+    global _cached_supports_returning
+    if _cached_supports_returning is None:
+        conn = sqlite3.connect(":memory:")
+        try:
+            conn.execute("create table t (id integer primary key)")
+            conn.execute("insert into t default values returning id").fetchone()
+            _cached_supports_returning = True
+        except sqlite3.DatabaseError:
+            _cached_supports_returning = False
+        finally:
+            conn.close()
+    return _cached_supports_returning
+
+
+def sqlite_table_type(
+    conn,
+    table: str,
+    *,
+    schema: str | None = "main",
+) -> SQLiteTableType | None:
+    if supports_table_list():
+        try:
+            query = "select type from pragma_table_list where name = ?"
+            params: tuple[str, ...] = (table,)
+            if schema is not None:
+                query += " and schema = ?"
+                params = (table, schema)
+            row = conn.execute(query, params).fetchone()
+            if row is not None and row[0] in {"table", "view", "virtual", "shadow"}:
+                return row[0]
+        except sqlite3.DatabaseError:
+            pass
+    return _sqlite_table_type_from_schema(conn, table, schema=schema)
+
+
+def sqlite_hidden_table_names(conn, *, schema: str | None = "main") -> list[str]:
+    schema_table = _sqlite_schema_table(schema)
+    try:
+        rows = conn.execute(
+            "select name, sql from {} where type = 'table'".format(schema_table)
+        ).fetchall()
+    except sqlite3.DatabaseError:
+        return []
+    hidden_tables = []
+    content_fts_tables = []
+    for name, sql in rows:
+        if (
+            name in {"sqlite_stat1", "sqlite_stat2", "sqlite_stat3", "sqlite_stat4"}
+            or name.startswith("_")
+            or sqlite_table_type(conn, name, schema=schema) == "shadow"
+        ):
+            hidden_tables.append(name)
+        elif _is_fts_content_virtual_table(sql):
+            content_fts_tables.append(name)
+    return sorted(hidden_tables) + content_fts_tables
+
+
+def _sqlite_table_type_from_schema(
+    conn,
+    table: str,
+    *,
+    schema: str | None = "main",
+) -> SQLiteTableType | None:
+    schema_table = _sqlite_schema_table(schema)
+    try:
+        row = conn.execute(
+            "select type, sql from {} where name = ?".format(schema_table),
+            (table,),
+        ).fetchone()
+    except sqlite3.DatabaseError:
+        return None
+    if row is None:
+        return None
+    object_type, sql = row
+    if object_type == "view":
+        return "view"
+    if object_type != "table":
+        return None
+    if _virtual_table_module(sql) is not None:
+        return "virtual"
+    if _is_known_shadow_table(conn, table, schema=schema):
+        return "shadow"
+    return "table"
+
+
+def _is_known_shadow_table(
+    conn,
+    table: str,
+    *,
+    schema: str | None = "main",
+) -> bool:
+    schema_table = _sqlite_schema_table(schema)
+    try:
+        rows = conn.execute(
+            "select name, sql from {} where type = 'table'".format(schema_table)
+        ).fetchall()
+    except sqlite3.DatabaseError:
+        return False
+    for virtual_table, sql in rows:
+        module = _virtual_table_module(sql)
+        if module is None:
+            continue
+        for suffix in _VIRTUAL_TABLE_SHADOW_SUFFIXES.get(module, ()):
+            if table == virtual_table + suffix:
+                return True
+    return False
+
+
+def _sqlite_schema_table(schema: str | None) -> str:
+    if schema is None or schema == "main":
+        return "sqlite_master"
+    if schema == "temp":
+        return "sqlite_temp_master"
+    return "{}.sqlite_master".format(_quote_identifier(schema))
+
+
+def _quote_identifier(value: str) -> str:
+    return '"{}"'.format(value.replace('"', '""'))
+
+
+def _virtual_table_module(sql: str | None) -> str | None:
+    if not sql:
+        return None
+    match = _VIRTUAL_TABLE_MODULE_RE.search(sql)
+    if match is None:
+        return None
+    return match.group(1).strip("\"'[]`").lower()
+
+
+def _is_fts_content_virtual_table(sql: str | None) -> bool:
+    return (
+        _virtual_table_module(sql) in {"fts3", "fts4", "fts5"}
+        and "content=" in sql.lower()
+    )
diff --git a/datasette/utils/testing.py b/datasette/utils/testing.py
index 1606da05..de7e94af 100644
--- a/datasette/utils/testing.py
+++ b/datasette/utils/testing.py
@@ -95,15 +95,8 @@ class TestClient:
         cookies = cookies or {}
         post_data = post_data or {}
         assert not (post_data and body), "Provide one or other of body= or post_data="
-        # Maybe fetch a csrftoken first
-        if csrftoken_from is not None:
-            assert body is None, "body= is not compatible with csrftoken_from="
-            if csrftoken_from is True:
-                csrftoken_from = path
-            token_response = await self._request(csrftoken_from, cookies=cookies)
-            csrftoken = token_response.cookies["ds_csrftoken"]
-            cookies["ds_csrftoken"] = csrftoken
-            post_data["csrftoken"] = csrftoken
+        # csrftoken_from is accepted for backward compatibility but is now a no-op.
+        # Datasette no longer uses CSRF tokens - see CrossOriginProtectionMiddleware.
         if post_data:
             body = urlencode(post_data, doseq=True)
         return await self._request(
diff --git a/datasette/version.py b/datasette/version.py
index 2907e537..49d270e4 100644
--- a/datasette/version.py
+++ b/datasette/version.py
@@ -1,2 +1,2 @@
-__version__ = "1.0a25"
+__version__ = "1.0a35"
 __version_info__ = tuple(__version__.split("."))
diff --git a/datasette/views/__init__.py b/datasette/views/__init__.py
index 88106737..ed7e175f 100644
--- a/datasette/views/__init__.py
+++ b/datasette/views/__init__.py
@@ -1,2 +1,89 @@
+from dataclasses import dataclass
+import dataclasses
+import types
+import typing
+
+
+@dataclass(frozen=True)
+class ContextField:
+    name: str
+    type_name: str
+    help: str
+    from_extra: bool = False
+
+
+def _type_name(type_):
+    if type_ is type(None):
+        return "None"
+    origin = typing.get_origin(type_)
+    args = typing.get_args(type_)
+    if origin in (typing.Union, types.UnionType):
+        return " | ".join(_type_name(arg) for arg in args)
+    if origin is not None:
+        name = getattr(origin, "__name__", str(origin).removeprefix("typing."))
+        return "{}[{}]".format(name, ", ".join(_type_name(arg) for arg in args))
+    return getattr(type_, "__name__", str(type_).removeprefix("typing."))
+
+
+def from_extra():
+    """
+    Declare a Context dataclass field whose value comes from a registered
+    Extra of the same name - its documentation is the Extra description,
+    so the doc string lives next to the resolve() code rather than being
+    duplicated on the dataclass.
+    """
+    return dataclasses.field(metadata={"from_extra": True})
+
+
 class Context:
     "Base class for all documented contexts"
+
+    # Set on subclasses whose from_extra() fields should be resolved
+    # against the extras registry for this scope
+    extras_scope = None
+
+    @classmethod
+    def documented_fields(cls):
+        "List of ContextField describing the documented fields of this context"
+        documented = []
+        for f in dataclasses.fields(cls):
+            if f.name.startswith("_"):
+                continue
+            is_from_extra = bool(f.metadata.get("from_extra"))
+            if is_from_extra:
+                help_text = cls._extra_description(f.name)
+            else:
+                help_text = f.metadata.get("help", "")
+            documented.append(
+                ContextField(
+                    name=f.name,
+                    type_name=_type_name(f.type),
+                    help=help_text,
+                    from_extra=is_from_extra,
+                )
+            )
+        return documented
+
+    @classmethod
+    def _extra_description(cls, name):
+        # Imported lazily - table_extras is not needed just to define
+        # Context subclasses
+        from datasette.views.table_extras import table_extra_registry
+
+        try:
+            extra_class = table_extra_registry.classes_by_name[name]
+        except KeyError:
+            raise KeyError(
+                "{}.{} is declared with from_extra() but there is no "
+                "registered extra of that name".format(cls.__name__, name)
+            )
+        if cls.extras_scope is not None and not extra_class.available_for(
+            cls.extras_scope
+        ):
+            raise ValueError(
+                "{}.{} is declared with from_extra() but the {} extra is "
+                "not available for scope {}".format(
+                    cls.__name__, name, name, cls.extras_scope
+                )
+            )
+        return extra_class.description or ""
diff --git a/datasette/views/base.py b/datasette/views/base.py
index e4c1c738..30026f4b 100644
--- a/datasette/views/base.py
+++ b/datasette/views/base.py
@@ -1,31 +1,19 @@
-import asyncio
 import csv
 import hashlib
 import sys
-import textwrap
-import time
-import urllib
-from markupsafe import escape
 
-
-from datasette.database import QueryInterrupted
 from datasette.utils.asgi import Request
 from datasette.utils import (
     add_cors_headers,
-    await_me_maybe,
     EscapeHtmlWriter,
     InvalidSql,
     LimitedWriter,
-    call_with_supported_arguments,
     path_from_row_pks,
-    path_with_added_args,
-    path_with_removed_args,
     path_with_format,
     sqlite3,
 )
 from datasette.utils.asgi import (
     AsgiStream,
-    NotFound,
     Response,
     BadRequest,
 )
@@ -153,7 +141,13 @@ class BaseView:
         if self.has_json_alternate:
             alternate_url_json = self.ds.absolute_url(
                 request,
-                self.ds.urls.path(path_with_format(request=request, format="json")),
+                self.ds.urls.path(
+                    path_with_format(
+                        request=request,
+                        path=request.scope.get("route_path"),
+                        format="json",
+                    )
+                ),
             )
             template_context["alternate_url_json"] = alternate_url_json
             headers.update(
@@ -186,219 +180,6 @@ class BaseView:
         return view
 
 
-class DataView(BaseView):
-    name = ""
-
-    def redirect(self, request, path, forward_querystring=True, remove_args=None):
-        if request.query_string and "?" not in path and forward_querystring:
-            path = f"{path}?{request.query_string}"
-        if remove_args:
-            path = path_with_removed_args(request, remove_args, path=path)
-        r = Response.redirect(path)
-        r.headers["Link"] = f"<{path}>; rel=preload"
-        if self.ds.cors:
-            add_cors_headers(r.headers)
-        return r
-
-    async def data(self, request):
-        raise NotImplementedError
-
-    async def as_csv(self, request, database):
-        return await stream_csv(self.ds, self.data, request, database)
-
-    async def get(self, request):
-        db = await self.ds.resolve_database(request)
-        database = db.name
-        database_route = db.route
-
-        _format = request.url_vars["format"]
-        data_kwargs = {}
-
-        if _format == "csv":
-            return await self.as_csv(request, database_route)
-
-        if _format is None:
-            # HTML views default to expanding all foreign key labels
-            data_kwargs["default_labels"] = True
-
-        extra_template_data = {}
-        start = time.perf_counter()
-        status_code = None
-        templates = []
-        try:
-            response_or_template_contexts = await self.data(request, **data_kwargs)
-            if isinstance(response_or_template_contexts, Response):
-                return response_or_template_contexts
-            # If it has four items, it includes an HTTP status code
-            if len(response_or_template_contexts) == 4:
-                (
-                    data,
-                    extra_template_data,
-                    templates,
-                    status_code,
-                ) = response_or_template_contexts
-            else:
-                data, extra_template_data, templates = response_or_template_contexts
-        except QueryInterrupted as ex:
-            raise DatasetteError(
-                textwrap.dedent("""
-                <p>SQL query took too long. The time limit is controlled by the
-                <a href="https://docs.datasette.io/en/stable/settings.html#sql-time-limit-ms">sql_time_limit_ms</a>
-                configuration option.</p>
-                <textarea style="width: 90%">{}</textarea>
-                <script>
-                let ta = document.querySelector("textarea");
-                ta.style.height = ta.scrollHeight + "px";
-                </script>
-            """.format(escape(ex.sql))).strip(),
-                title="SQL Interrupted",
-                status=400,
-                message_is_html=True,
-            )
-        except (sqlite3.OperationalError, InvalidSql) as e:
-            raise DatasetteError(str(e), title="Invalid SQL", status=400)
-
-        except sqlite3.OperationalError as e:
-            raise DatasetteError(str(e))
-
-        except DatasetteError:
-            raise
-
-        end = time.perf_counter()
-        data["query_ms"] = (end - start) * 1000
-
-        # Special case for .jsono extension - redirect to _shape=objects
-        if _format == "jsono":
-            return self.redirect(
-                request,
-                path_with_added_args(
-                    request,
-                    {"_shape": "objects"},
-                    path=request.path.rsplit(".jsono", 1)[0] + ".json",
-                ),
-                forward_querystring=False,
-            )
-
-        if _format in self.ds.renderers.keys():
-            # Dispatch request to the correct output format renderer
-            # (CSV is not handled here due to streaming)
-            result = call_with_supported_arguments(
-                self.ds.renderers[_format][0],
-                datasette=self.ds,
-                columns=data.get("columns") or [],
-                rows=data.get("rows") or [],
-                sql=data.get("query", {}).get("sql", None),
-                query_name=data.get("query_name"),
-                database=database,
-                table=data.get("table"),
-                request=request,
-                view_name=self.name,
-                truncated=False,  # TODO: support this
-                error=data.get("error"),
-                # These will be deprecated in Datasette 1.0:
-                args=request.args,
-                data=data,
-            )
-            if asyncio.iscoroutine(result):
-                result = await result
-            if result is None:
-                raise NotFound("No data")
-            if isinstance(result, dict):
-                r = Response(
-                    body=result.get("body"),
-                    status=result.get("status_code", status_code or 200),
-                    content_type=result.get("content_type", "text/plain"),
-                    headers=result.get("headers"),
-                )
-            elif isinstance(result, Response):
-                r = result
-                if status_code is not None:
-                    # Over-ride the status code
-                    r.status = status_code
-            else:
-                assert False, f"{result} should be dict or Response"
-        else:
-            extras = {}
-            if callable(extra_template_data):
-                extras = extra_template_data()
-                if asyncio.iscoroutine(extras):
-                    extras = await extras
-            else:
-                extras = extra_template_data
-            url_labels_extra = {}
-            if data.get("expandable_columns"):
-                url_labels_extra = {"_labels": "on"}
-
-            renderers = {}
-            for key, (_, can_render) in self.ds.renderers.items():
-                it_can_render = call_with_supported_arguments(
-                    can_render,
-                    datasette=self.ds,
-                    columns=data.get("columns") or [],
-                    rows=data.get("rows") or [],
-                    sql=data.get("query", {}).get("sql", None),
-                    query_name=data.get("query_name"),
-                    database=database,
-                    table=data.get("table"),
-                    request=request,
-                    view_name=self.name,
-                )
-                it_can_render = await await_me_maybe(it_can_render)
-                if it_can_render:
-                    renderers[key] = self.ds.urls.path(
-                        path_with_format(
-                            request=request, format=key, extra_qs={**url_labels_extra}
-                        )
-                    )
-
-            url_csv_args = {"_size": "max", **url_labels_extra}
-            url_csv = self.ds.urls.path(
-                path_with_format(request=request, format="csv", extra_qs=url_csv_args)
-            )
-            url_csv_path = url_csv.split("?")[0]
-            context = {
-                **data,
-                **extras,
-                **{
-                    "renderers": renderers,
-                    "url_csv": url_csv,
-                    "url_csv_path": url_csv_path,
-                    "url_csv_hidden_args": [
-                        (key, value)
-                        for key, value in urllib.parse.parse_qsl(request.query_string)
-                        if key not in ("_labels", "_facet", "_size")
-                    ]
-                    + [("_size", "max")],
-                    "settings": self.ds.settings_dict(),
-                },
-            }
-            if "metadata" not in context:
-                context["metadata"] = await self.ds.get_instance_metadata()
-            r = await self.render(templates, request=request, context=context)
-            if status_code is not None:
-                r.status = status_code
-
-        ttl = request.args.get("_ttl", None)
-        if ttl is None or not ttl.isdigit():
-            ttl = self.ds.setting("default_cache_ttl")
-
-        return self.set_response_headers(r, ttl)
-
-    def set_response_headers(self, response, ttl):
-        # Set far-future cache expiry
-        if self.ds.cache_headers and response.status == 200:
-            ttl = int(ttl)
-            if ttl == 0:
-                ttl_header = "no-cache"
-            else:
-                ttl_header = f"max-age={ttl}"
-            response.headers["Cache-Control"] = ttl_header
-        response.headers["Referrer-Policy"] = "no-referrer"
-        if self.ds.cors:
-            add_cors_headers(response.headers)
-        return response
-
-
 def _error(messages, status=400):
     return Response.json({"ok": False, "errors": messages}, status=status)
 
diff --git a/datasette/views/database.py b/datasette/views/database.py
index 93ad8eda..e02de657 100644
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@@ -1,4 +1,4 @@
-from dataclasses import dataclass, field
+from dataclasses import asdict, dataclass, field
 from urllib.parse import parse_qsl, urlencode
 import asyncio
 import hashlib
@@ -6,13 +6,13 @@ import itertools
 import json
 import markupsafe
 import os
-import re
-import sqlite_utils
 import textwrap
 
-from datasette.events import AlterTableEvent, CreateTableEvent, InsertRowsEvent
+from datasette.extras import extra_names_from_request
 from datasette.database import QueryInterrupted
 from datasette.resources import DatabaseResource, QueryResource
+from datasette.stored_queries import StoredQuery, stored_query_to_dict
+from datasette.write_sql import QueryWriteRejected
 from datasette.utils import (
     add_cors_headers,
     await_me_maybe,
@@ -34,10 +34,40 @@ from datasette.utils import (
 from datasette.utils.asgi import AsgiFileDownload, NotFound, Response, Forbidden
 from datasette.plugins import pm
 
-from .base import BaseView, DatasetteError, View, _error, stream_csv
+from .base import DatasetteError, View, stream_csv
+from .query_helpers import _ensure_stored_query_execution_permissions, _table_columns
+from .table_extras import (
+    QueryExtraContext,
+    resolve_query_extras,
+    table_extra_registry,
+)
+from .table_create_alter import _create_table_ui_context
 from . import Context
 
 
+@dataclass
+class DatabaseTable:
+    "Summary of a table or view shown on database and query pages."
+
+    name: str
+    columns: list[str]
+    primary_keys: list[str]
+    count: int | None
+    count_truncated: bool
+    hidden: bool
+    fts_table: str | None
+    foreign_keys: dict[str, list[dict[str, str]]]
+    private: bool
+
+
+@dataclass
+class DatabaseViewInfo:
+    "Summary of a SQLite view shown on the database page."
+
+    name: str
+    private: bool
+
+
 class DatabaseView(View):
     async def get(self, request, datasette):
         format_ = request.url_vars.get("format") or "html"
@@ -57,12 +87,16 @@ class DatabaseView(View):
 
         sql = (request.args.get("sql") or "").strip()
         if sql:
-            redirect_url = "/" + request.url_vars.get("database") + "/-/query"
+            redirect_url = datasette.urls.database(database) + "/-/query"
             if request.url_vars.get("format"):
-                redirect_url += "." + request.url_vars.get("format")
+                redirect_url = path_with_format(
+                    path=redirect_url, format=request.url_vars.get("format")
+                )
             redirect_url += "?" + request.query_string
-            return Response.redirect(redirect_url)
-            return await QueryView()(request, datasette)
+            response = Response.redirect(redirect_url)
+            if datasette.cors:
+                add_cors_headers(response.headers)
+            return response
 
         if format_ not in ("html", "json"):
             raise NotFound("Invalid format: {}".format(format_))
@@ -83,34 +117,57 @@ class DatabaseView(View):
         # Filter to just views
         view_names_set = set(await db.view_names())
         sql_views = [
-            {"name": name, "private": allowed_dict[name].private}
+            DatabaseViewInfo(name=name, private=allowed_dict[name].private)
             for name in allowed_dict
             if name in view_names_set
         ]
 
         tables = await get_tables(datasette, request, db, allowed_dict)
 
-        # Get allowed queries using the new permission system
-        allowed_query_page = await datasette.allowed_resources(
-            "view-query",
-            request.actor,
-            parent=database,
-            include_is_private=True,
-            limit=1000,
+        queries_page = await datasette.list_queries(
+            database,
+            actor=request.actor,
+            limit=5,
+            include_private=True,
+        )
+        stored_queries = queries_page.queries
+        queries_more = queries_page.has_more
+        queries_count = (
+            await datasette.count_queries(database, actor=request.actor)
+            if queries_more
+            else len(stored_queries)
         )
 
-        # Build canned_queries list by looking up each allowed query
-        all_queries = await datasette.get_canned_queries(database, request.actor)
-        canned_queries = []
-        for query_resource in allowed_query_page.resources:
-            query_name = query_resource.child
-            if query_name in all_queries:
-                canned_queries.append(
-                    dict(all_queries[query_name], private=query_resource.private)
-                )
+        # Resolve the registered database-level actions for this database in
+        # one batched query, seeding the request permission cache so allowed()
+        # calls made inside plugin hooks below are served from the cache.
+        database_action_permissions = await datasette.allowed_many(
+            actions=[
+                name
+                for name, action in datasette.actions.items()
+                if action.resource_class is DatabaseResource
+            ],
+            resource=DatabaseResource(database),
+            actor=request.actor,
+        )
+        create_table_ui = await _create_table_ui_context(
+            datasette, request, db, database, database_action_permissions
+        )
 
         async def database_actions():
             links = []
+            if create_table_ui:
+                links.append(
+                    {
+                        "type": "button",
+                        "label": "Create table",
+                        "description": "Create a new table in this database.",
+                        "attrs": {
+                            "aria-label": "Create table in {}".format(database),
+                            "data-database-action": "create-table",
+                        },
+                    }
+                )
             for hook in pm.hook.database_actions(
                 datasette=datasette,
                 database=database,
@@ -130,14 +187,17 @@ class DatabaseView(View):
             actor=request.actor,
         )
         json_data = {
+            "ok": True,
             "database": database,
             "private": private,
             "path": datasette.urls.database(database),
             "size": db.size,
-            "tables": tables,
-            "hidden_count": len([t for t in tables if t["hidden"]]),
-            "views": sql_views,
-            "queries": canned_queries,
+            "tables": [asdict(table) for table in tables],
+            "hidden_count": len([table for table in tables if table.hidden]),
+            "views": [asdict(view) for view in sql_views],
+            "queries": [stored_query_to_dict(query) for query in stored_queries],
+            "queries_more": queries_more,
+            "queries_count": queries_count,
             "allow_execute_sql": allow_execute_sql,
             "table_columns": (
                 await _table_columns(datasette, database) if allow_execute_sql else {}
@@ -154,7 +214,13 @@ class DatabaseView(View):
         assert format_ == "html"
         alternate_url_json = datasette.absolute_url(
             request,
-            datasette.urls.path(path_with_format(request=request, format="json")),
+            datasette.urls.path(
+                path_with_format(
+                    request=request,
+                    path=request.scope.get("route_path"),
+                    format="json",
+                )
+            ),
         )
         templates = (f"database-{to_css_class(database)}.html", "database.html")
         environment = datasette.get_jinja_environment(request)
@@ -168,9 +234,11 @@ class DatabaseView(View):
                     path=datasette.urls.database(database),
                     size=db.size,
                     tables=tables,
-                    hidden_count=len([t for t in tables if t["hidden"]]),
+                    hidden_count=len([table for table in tables if table.hidden]),
                     views=sql_views,
-                    queries=canned_queries,
+                    queries=stored_queries,
+                    queries_more=queries_more,
+                    queries_count=queries_count,
                     allow_execute_sql=allow_execute_sql,
                     table_columns=(
                         await _table_columns(datasette, database)
@@ -179,10 +247,12 @@ class DatabaseView(View):
                     ),
                     metadata=metadata,
                     database_color=db.color,
+                    database_page_data=(
+                        {"createTable": create_table_ui} if create_table_ui else {}
+                    ),
                     database_actions=database_actions,
                     show_hidden=request.args.get("_show_hidden"),
                     editable=True,
-                    count_limit=db.count_limit,
                     allow_download=datasette.setting("allow_download")
                     and not db.is_mutable
                     and not db.is_memory,
@@ -209,62 +279,102 @@ class DatabaseView(View):
 
 @dataclass
 class DatabaseContext(Context):
+    "The page listing the tables, views and queries in a database, e.g. /fixtures."
+
+    documented_template = "database.html"
+
     database: str = field(metadata={"help": "The name of the database"})
     private: bool = field(
         metadata={"help": "Boolean indicating if this is a private database"}
     )
     path: str = field(metadata={"help": "The URL path to this database"})
     size: int = field(metadata={"help": "The size of the database in bytes"})
-    tables: list = field(metadata={"help": "List of table objects in the database"})
+    tables: list[DatabaseTable] = field(
+        metadata={
+            "help": "List of ``DatabaseTable`` objects describing tables in the database. Each item has ``name``, ``columns``, ``primary_keys``, ``count``, ``count_truncated``, ``hidden``, ``fts_table``, ``foreign_keys`` and ``private`` attributes. ``count_truncated`` is true if ``count`` is a capped lower bound rather than an exact total."
+        }
+    )
     hidden_count: int = field(metadata={"help": "Count of hidden tables"})
-    views: list = field(metadata={"help": "List of view objects in the database"})
-    queries: list = field(metadata={"help": "List of canned query objects"})
+    views: list[DatabaseViewInfo] = field(
+        metadata={
+            "help": "List of ``DatabaseViewInfo`` objects describing SQLite views in the database. Each item has ``name`` and ``private`` attributes."
+        }
+    )
+    queries: list[StoredQuery] = field(
+        metadata={
+            "help": "List of ``StoredQuery`` objects. Each has attributes including ``name``, ``sql``, ``title``, ``description``, ``description_html``, ``hide_sql``, ``fragment``, ``parameters``, ``is_write`` and ``private``."
+        }
+    )
+    queries_more: bool = field(
+        metadata={"help": "Boolean indicating if more stored queries are available"}
+    )
+    queries_count: int = field(metadata={"help": "Count of visible stored queries"})
     allow_execute_sql: bool = field(
         metadata={"help": "Boolean indicating if custom SQL can be executed"}
     )
     table_columns: dict = field(
-        metadata={"help": "Dictionary mapping table names to their column lists"}
+        metadata={
+            "help": "Dictionary mapping table names to lists of column names, used to power SQL autocomplete."
+        }
+    )
+    metadata: dict = field(
+        metadata={
+            "help": "Metadata dictionary for the database, such as ``title``, ``description``, ``license`` and ``source`` values from Datasette metadata."
+        }
     )
-    metadata: dict = field(metadata={"help": "Metadata for the database"})
     database_color: str = field(metadata={"help": "The color assigned to the database"})
+    database_page_data: dict = field(
+        metadata={
+            "help": 'JSON data used by JavaScript on the database page. Currently ``{}`` or ``{"createTable": {...}}`` where ``createTable`` includes ``path``, ``foreignKeyTargetsPath``, ``databaseName``, ``columnTypes``, ``defaultExpressions`` and optional ``customColumnTypes``.'
+        }
+    )
     database_actions: callable = field(
         metadata={
-            "help": "Callable returning list of action links for the database menu"
+            "help": 'Async callable returning action items for the database menu. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_database_actions`.'
         }
     )
     show_hidden: str = field(metadata={"help": "Value of _show_hidden query parameter"})
     editable: bool = field(
         metadata={"help": "Boolean indicating if the database is editable"}
     )
-    count_limit: int = field(metadata={"help": "The maximum number of rows to count"})
     allow_download: bool = field(
         metadata={"help": "Boolean indicating if database download is allowed"}
     )
     attached_databases: list = field(
-        metadata={"help": "List of names of attached databases"}
+        metadata={
+            "help": "List of names of databases attached to this SQLite connection. This is only populated for the special ``/_memory`` database when Datasette is started with ``--crossdb`` for :ref:`cross_database_queries`."
+        }
     )
     alternate_url_json: str = field(
         metadata={"help": "URL for the alternate JSON version of this page"}
     )
     select_templates: list = field(
         metadata={
-            "help": "List of templates that were considered for rendering this page"
+            "help": "List of template names that were considered for this page, with the selected template prefixed by ``*``."
         }
     )
     top_database: callable = field(
-        metadata={"help": "Callable to render the top_database slot"}
+        metadata={
+            "help": "Async callable that renders the ``top_database`` plugin slot for this database and returns HTML."
+        }
     )
 
 
 @dataclass
 class QueryContext(Context):
+    "The page for arbitrary SQL queries (/database/-/query?sql=...) and stored queries (/database/query-name)."
+
+    documented_template = "query.html"
+
     database: str = field(metadata={"help": "The name of the database being queried"})
     database_color: str = field(metadata={"help": "The color of the database"})
     query: dict = field(
-        metadata={"help": "The SQL query object containing the `sql` string"}
+        metadata={
+            "help": "Dictionary describing the SQL query being executed, with ``sql`` and ``params`` keys."
+        }
     )
-    canned_query: str = field(
-        metadata={"help": "The name of the canned query if this is a canned query"}
+    stored_query: str = field(
+        metadata={"help": "The name of the stored query if this is a stored query"}
     )
     private: bool = field(
         metadata={"help": "Boolean indicating if this is a private database"}
@@ -272,13 +382,15 @@ class QueryContext(Context):
     # urls: dict = field(
     #     metadata={"help": "Object containing URL helpers like `database()`"}
     # )
-    canned_query_write: bool = field(
+    stored_query_write: bool = field(
         metadata={
-            "help": "Boolean indicating if this is a canned query that allows writes"
+            "help": "Boolean indicating if this is a stored query that allows writes"
         }
     )
     metadata: dict = field(
-        metadata={"help": "Metadata about the database or the canned query"}
+        metadata={
+            "help": "Metadata dictionary for the database or stored query. Stored query metadata may include options such as ``hide_sql``, ``on_success_message`` and ``on_error_redirect``."
+        }
     )
     db_is_immutable: bool = field(
         metadata={"help": "Boolean indicating if this database is immutable"}
@@ -299,22 +411,47 @@ class QueryContext(Context):
     allow_execute_sql: bool = field(
         metadata={"help": "Boolean indicating if custom SQL can be executed"}
     )
-    tables: list = field(metadata={"help": "List of table objects in the database"})
+    save_query_url: str = field(
+        metadata={"help": "URL to save the current arbitrary SQL as a query"}
+    )
+    tables: list[DatabaseTable] = field(
+        metadata={
+            "help": "List of ``DatabaseTable`` objects describing tables in the database. Each item has ``name``, ``columns``, ``primary_keys``, ``count``, ``count_truncated``, ``hidden``, ``fts_table``, ``foreign_keys`` and ``private`` attributes. ``count_truncated`` is true if ``count`` is a capped lower bound rather than an exact total."
+        }
+    )
     named_parameter_values: dict = field(
-        metadata={"help": "Dictionary of parameter names/values"}
+        metadata={
+            "help": "Dictionary of named SQL parameter values, keyed by parameter name without the leading ``:``."
+        }
     )
     edit_sql_url: str = field(
-        metadata={"help": "URL to edit the SQL for a canned query"}
+        metadata={"help": "URL to edit the SQL for a stored query"}
+    )
+    display_rows: list = field(
+        metadata={
+            "help": "List of result rows formatted for HTML display. Each row is a list of rendered cell values in the same order as ``columns``."
+        }
+    )
+    columns: list = field(
+        metadata={
+            "help": "List of result column names in the order they appear in ``display_rows`` and ``rows``."
+        }
+    )
+    renderers: dict = field(
+        metadata={
+            "help": "Dictionary mapping output format names such as ``json`` to URLs for this query in that format."
+        }
     )
-    display_rows: list = field(metadata={"help": "List of result rows to display"})
-    columns: list = field(metadata={"help": "List of column names"})
-    renderers: dict = field(metadata={"help": "Dictionary of renderer name to URL"})
     url_csv: str = field(metadata={"help": "URL for CSV export"})
     show_hide_hidden: str = field(
-        metadata={"help": "Hidden input field for the _show_sql parameter"}
+        metadata={
+            "help": "Rendered hidden ``<input>`` HTML preserving the current ``_hide_sql`` or ``_show_sql`` state."
+        }
     )
     table_columns: dict = field(
-        metadata={"help": "Dictionary of table name to list of column names"}
+        metadata={
+            "help": "Dictionary mapping table names to lists of column names, used to power SQL autocomplete."
+        }
     )
     alternate_url_json: str = field(
         metadata={"help": "URL for alternate JSON version of this page"}
@@ -322,23 +459,27 @@ class QueryContext(Context):
     # TODO: refactor this to somewhere else, probably ds.render_template()
     select_templates: list = field(
         metadata={
-            "help": "List of templates that were considered for rendering this page"
+            "help": "List of template names that were considered for this page, with the selected template prefixed by ``*``."
         }
     )
     top_query: callable = field(
-        metadata={"help": "Callable to render the top_query slot"}
+        metadata={
+            "help": "Async callable that renders the ``top_query`` plugin slot for this query and returns HTML."
+        }
     )
-    top_canned_query: callable = field(
-        metadata={"help": "Callable to render the top_canned_query slot"}
+    top_stored_query: callable = field(
+        metadata={
+            "help": "Async callable that renders the ``top_stored_query`` plugin slot for stored queries and returns HTML."
+        }
     )
     query_actions: callable = field(
         metadata={
-            "help": "Callable returning a list of links for the query action menu"
+            "help": 'Async callable returning action items for the query menu. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_query_actions`.'
         }
     )
 
 
-async def get_tables(datasette, request, db, allowed_dict):
+async def get_tables(datasette, request, db, allowed_dict) -> list[DatabaseTable]:
     """
     Get list of tables with metadata for the database view.
 
@@ -359,21 +500,36 @@ async def get_tables(datasette, request, db, allowed_dict):
 
         table_columns = await db.table_columns(table)
         tables.append(
-            {
-                "name": table,
-                "columns": table_columns,
-                "primary_keys": await db.primary_keys(table),
-                "count": table_counts[table],
-                "hidden": table in hidden_table_names,
-                "fts_table": await db.fts_table(table),
-                "foreign_keys": all_foreign_keys[table],
-                "private": allowed_dict[table].private,
-            }
+            DatabaseTable(
+                name=table,
+                columns=table_columns,
+                primary_keys=await db.primary_keys(table),
+                count=table_counts[table],
+                count_truncated=_table_count_truncated(
+                    datasette, db, table, table_counts[table]
+                ),
+                hidden=table in hidden_table_names,
+                fts_table=await db.fts_table(table),
+                foreign_keys=all_foreign_keys[table],
+                private=allowed_dict[table].private,
+            )
         )
-    tables.sort(key=lambda t: (t["hidden"], t["name"]))
+    tables.sort(key=lambda table: (table.hidden, table.name))
     return tables
 
 
+def _table_count_truncated(datasette, db, table, count):
+    if count != db.count_limit + 1:
+        return False
+    if not db.is_mutable and datasette.inspect_data:
+        try:
+            datasette.inspect_data[db.name]["tables"][table]["count"]
+            return False
+        except KeyError:
+            pass
+    return True
+
+
 async def database_download(request, datasette):
     from datasette.resources import DatabaseResource
 
@@ -420,21 +576,47 @@ class QueryView(View):
 
         db = await datasette.resolve_database(request)
 
-        # We must be a canned query
+        # We must be a stored query
         table_found = False
         try:
             await datasette.resolve_table(request)
             table_found = True
         except TableNotFound as table_not_found:
-            canned_query = await datasette.get_canned_query(
-                table_not_found.database_name, table_not_found.table, request.actor
+            stored_query = await datasette.get_query(
+                table_not_found.database_name, table_not_found.table
             )
-            if canned_query is None:
+            if stored_query is None:
                 raise
         if table_found:
             # That should not have happened
             raise DatasetteError("Unexpected table found on POST", status=404)
 
+        if not await datasette.allowed(
+            action="view-query",
+            resource=QueryResource(database=db.name, query=stored_query.name),
+            actor=request.actor,
+        ):
+            raise Forbidden("You do not have permission to view this query")
+
+        try:
+            await _ensure_stored_query_execution_permissions(
+                datasette, db, stored_query, request.actor
+            )
+        except QueryWriteRejected as ex:
+            if request.headers.get("accept") == "application/json" or request.args.get(
+                "_json"
+            ):
+                return Response.json(
+                    {
+                        "ok": False,
+                        "message": ex.message,
+                        "redirect": None,
+                    },
+                    status=403,
+                )
+            datasette.add_message(request, ex.message, datasette.ERROR)
+            return Response.redirect(stored_query.on_error_redirect or request.path)
+
         # If database is immutable, return an error
         if not db.is_mutable:
             raise Forbidden("Database is immutable")
@@ -459,20 +641,18 @@ class QueryView(View):
             or request.args.get("_json")
             or params.get("_json")
         )
-        params_for_query = MagicParameters(
-            canned_query["sql"], params, request, datasette
-        )
+        params_for_query = MagicParameters(stored_query.sql, params, request, datasette)
         await params_for_query.execute_params()
         ok = None
         redirect_url = None
         try:
             cursor = await db.execute_write(
-                canned_query["sql"], params_for_query, request=request
+                stored_query.sql, params_for_query, request=request
             )
             # success message can come from on_success_message or on_success_message_sql
             message = None
             message_type = datasette.INFO
-            on_success_message_sql = canned_query.get("on_success_message_sql")
+            on_success_message_sql = stored_query.on_success_message_sql
             if on_success_message_sql:
                 try:
                     message_result = (
@@ -484,18 +664,21 @@ class QueryView(View):
                     message = "Error running on_success_message_sql: {}".format(ex)
                     message_type = datasette.ERROR
             if not message:
-                message = canned_query.get(
-                    "on_success_message"
-                ) or "Query executed, {} row{} affected".format(
-                    cursor.rowcount, "" if cursor.rowcount == 1 else "s"
-                )
+                if stored_query.on_success_message:
+                    message = stored_query.on_success_message
+                elif cursor.rowcount == -1:
+                    message = "Query executed"
+                else:
+                    message = "Query executed, {} row{} affected".format(
+                        cursor.rowcount, "" if cursor.rowcount == 1 else "s"
+                    )
 
-            redirect_url = canned_query.get("on_success_redirect")
+            redirect_url = stored_query.on_success_redirect
             ok = True
         except Exception as ex:
-            message = canned_query.get("on_error_message") or str(ex)
+            message = stored_query.on_error_message or str(ex)
             message_type = datasette.ERROR
-            redirect_url = canned_query.get("on_error_redirect")
+            redirect_url = stored_query.on_error_redirect
             ok = False
         if should_return_json:
             return Response.json(
@@ -528,53 +711,59 @@ class QueryView(View):
         # Create lookup dict for quick access
         allowed_dict = {r.child: r for r in allowed_tables_page.resources}
 
-        # Are we a canned query?
-        canned_query = None
-        canned_query_write = False
+        # Are we a stored query?
+        stored_query = None
+        stored_query_write = False
         if "table" in request.url_vars:
             try:
                 await datasette.resolve_table(request)
             except TableNotFound as table_not_found:
-                # Was this actually a canned query?
-                canned_query = await datasette.get_canned_query(
-                    table_not_found.database_name, table_not_found.table, request.actor
+                # Was this actually a stored query?
+                stored_query = await datasette.get_query(
+                    table_not_found.database_name, table_not_found.table
                 )
-                if canned_query is None:
+                if stored_query is None:
                     raise
-                canned_query_write = bool(canned_query.get("write"))
+                stored_query_write = stored_query.is_write
 
         private = False
-        if canned_query:
-            # Respect canned query permissions
+        if stored_query:
+            # Respect stored query permissions
             visible, private = await datasette.check_visibility(
                 request.actor,
                 action="view-query",
-                resource=QueryResource(database=database, query=canned_query["name"]),
+                resource=QueryResource(database=database, query=stored_query.name),
             )
             if not visible:
                 raise Forbidden("You do not have permission to view this query")
+            if not stored_query_write:
+                await _ensure_stored_query_execution_permissions(
+                    datasette, db, stored_query, request.actor
+                )
 
         else:
-            await datasette.ensure_permission(
+            visible, private = await datasette.check_visibility(
+                request.actor,
                 action="execute-sql",
                 resource=DatabaseResource(database=database),
-                actor=request.actor,
             )
+            if not visible:
+                raise Forbidden("execute-sql")
 
         # Flattened because of ?sql=&name1=value1&name2=value2 feature
         params = {key: request.args.get(key) for key in request.args}
         sql = None
 
-        if canned_query:
-            sql = canned_query["sql"]
+        if stored_query:
+            sql = stored_query.sql
         elif "sql" in params:
             sql = params.pop("sql")
 
         # Extract any :named parameters
         named_parameters = []
-        if canned_query and canned_query.get("params"):
-            named_parameters = canned_query["params"]
-        if not named_parameters:
+        if stored_query and stored_query.parameters:
+            named_parameters = stored_query.parameters
+        if not named_parameters and sql:
             named_parameters = derive_named_parameters(sql)
         named_parameter_values = {
             named_parameter: params.get(named_parameter) or ""
@@ -599,13 +788,13 @@ class QueryView(View):
 
         params_for_query = params
 
-        if not canned_query_write:
+        if sql and not stored_query_write:
             try:
-                if not canned_query:
+                if not stored_query:
                     # For regular queries we only allow SELECT, plus other rules
                     validate_sql_select(sql)
                 else:
-                    # Canned queries can run magic parameters
+                    # Stored queries can run magic parameters
                     params_for_query = MagicParameters(sql, params, request, datasette)
                     await params_for_query.execute_params()
                 results = await datasette.execute(
@@ -641,8 +830,17 @@ class QueryView(View):
             except DatasetteError:
                 raise
 
+        async def query_metadata():
+            if stored_query:
+                metadata = stored_query_to_dict(stored_query)
+                metadata.pop("source", None)
+                return metadata
+            return await datasette.get_database_metadata(database)
+
         # Handle formats from plugins
         if format_ == "csv":
+            if not sql:
+                raise DatasetteError("?sql= is required", status=400)
 
             async def fetch_data_for_csv(request, _next=None):
                 results = await db.execute(sql, params, truncate=True)
@@ -651,6 +849,25 @@ class QueryView(View):
 
             return await stream_csv(datasette, fetch_data_for_csv, request, db.name)
         elif format_ in datasette.renderers.keys():
+            data = {"ok": True, "rows": rows, "columns": columns}
+            extras = extra_names_from_request(request)
+            if extras:
+                query_extra_context = QueryExtraContext(
+                    datasette=datasette,
+                    request=request,
+                    db=db,
+                    database_name=database,
+                    private=private,
+                    rows=rows,
+                    columns=columns,
+                    sql=sql,
+                    params=named_parameter_values,
+                    query_name=stored_query.name if stored_query else None,
+                    metadata=await query_metadata(),
+                    extras=extras,
+                    extra_registry=table_extra_registry,
+                )
+                data.update(await resolve_query_extras(extras, query_extra_context))
             # Dispatch request to the correct output format renderer
             # (CSV is not handled here due to streaming)
             result = call_with_supported_arguments(
@@ -659,7 +876,7 @@ class QueryView(View):
                 columns=columns,
                 rows=rows,
                 sql=sql,
-                query_name=canned_query["name"] if canned_query else None,
+                query_name=stored_query.name if stored_query else None,
                 database=database,
                 table=None,
                 request=request,
@@ -668,7 +885,7 @@ class QueryView(View):
                 error=query_error,
                 # These will be deprecated in Datasette 1.0:
                 args=request.args,
-                data={"ok": True, "rows": rows, "columns": columns},
+                data=data,
             )
             if asyncio.iscoroutine(result):
                 result = await result
@@ -691,19 +908,33 @@ class QueryView(View):
         elif format_ == "html":
             headers = {}
             templates = [f"query-{to_css_class(database)}.html", "query.html"]
-            if canned_query:
+            if stored_query:
                 templates.insert(
                     0,
-                    f"query-{to_css_class(database)}-{to_css_class(canned_query['name'])}.html",
+                    f"query-{to_css_class(database)}-{to_css_class(stored_query.name)}.html",
                 )
 
             environment = datasette.get_jinja_environment(request)
             template = environment.select_template(templates)
             alternate_url_json = datasette.absolute_url(
                 request,
-                datasette.urls.path(path_with_format(request=request, format="json")),
+                datasette.urls.path(
+                    path_with_format(
+                        request=request,
+                        path=request.scope.get("route_path"),
+                        format="json",
+                    )
+                ),
             )
-            data = {}
+            data = {
+                "ok": query_error is None,
+                "rows": rows,
+                "columns": columns,
+                "query": {"sql": sql, "params": params},
+                "query_name": stored_query.name if stored_query else None,
+                "database": database,
+                "table": None,
+            }
             headers.update(
                 {
                     "Link": '<{}>; rel="alternate"; type="application/json+datasette"'.format(
@@ -711,8 +942,7 @@ class QueryView(View):
                     )
                 }
             )
-            metadata = await datasette.get_database_metadata(database)
-
+            metadata = await query_metadata()
             renderers = {}
             for key, (_, can_render) in datasette.renderers.items():
                 it_can_render = call_with_supported_arguments(
@@ -730,7 +960,11 @@ class QueryView(View):
                 it_can_render = await await_me_maybe(it_can_render)
                 if it_can_render:
                     renderers[key] = datasette.urls.path(
-                        path_with_format(request=request, format=key)
+                        path_with_format(
+                            request=request,
+                            path=request.scope.get("route_path"),
+                            format=key,
+                        )
                     )
 
             allow_execute_sql = await datasette.allowed(
@@ -738,9 +972,14 @@ class QueryView(View):
                 resource=DatabaseResource(database=database),
                 actor=request.actor,
             )
+            allow_store_query = await datasette.allowed(
+                action="store-query",
+                resource=DatabaseResource(database=database),
+                actor=request.actor,
+            )
 
             show_hide_hidden = ""
-            if canned_query and canned_query.get("hide_sql"):
+            if stored_query and stored_query.hide_sql:
                 if bool(params.get("_show_sql")):
                     show_hide_link = path_with_removed_args(request, {"_show_sql"})
                     show_hide_text = "hide"
@@ -768,24 +1007,38 @@ class QueryView(View):
             # - No magic parameters, so no :_ in the SQL string
             edit_sql_url = None
             is_validated_sql = False
-            try:
-                validate_sql_select(sql)
-                is_validated_sql = True
-            except InvalidSql:
-                pass
-            if allow_execute_sql and is_validated_sql and ":_" not in sql:
-                edit_sql_url = (
-                    datasette.urls.database(database)
-                    + "/-/query"
-                    + "?"
-                    + urlencode(
-                        {
-                            **{
-                                "sql": sql,
-                            },
-                            **named_parameter_values,
-                        }
+            if sql:
+                try:
+                    validate_sql_select(sql)
+                    is_validated_sql = True
+                except InvalidSql:
+                    pass
+                if allow_execute_sql and is_validated_sql and ":_" not in sql:
+                    edit_sql_url = (
+                        datasette.urls.database(database)
+                        + "/-/query"
+                        + "?"
+                        + urlencode(
+                            {
+                                **{
+                                    "sql": sql,
+                                },
+                                **named_parameter_values,
+                            }
+                        )
                     )
+            save_query_url = None
+            if (
+                not stored_query
+                and allow_execute_sql
+                and allow_store_query
+                and is_validated_sql
+                and ":_" not in sql
+            ):
+                save_query_url = (
+                    datasette.urls.database(database)
+                    + "/-/queries/store?"
+                    + urlencode({"sql": sql})
                 )
 
             async def query_actions():
@@ -794,7 +1047,7 @@ class QueryView(View):
                     datasette=datasette,
                     actor=request.actor,
                     database=database,
-                    query_name=canned_query["name"] if canned_query else None,
+                    query_name=stored_query.name if stored_query else None,
                     request=request,
                     sql=sql,
                     params=params,
@@ -814,16 +1067,17 @@ class QueryView(View):
                             "sql": sql,
                             "params": params,
                         },
-                        canned_query=canned_query["name"] if canned_query else None,
+                        stored_query=stored_query.name if stored_query else None,
                         private=private,
-                        canned_query_write=canned_query_write,
+                        stored_query_write=stored_query_write,
                         db_is_immutable=not db.is_mutable,
                         error=query_error,
                         hide_sql=hide_sql,
                         show_hide_link=datasette.urls.path(show_hide_link),
                         show_hide_text=show_hide_text,
-                        editable=not canned_query,
+                        editable=not stored_query,
                         allow_execute_sql=allow_execute_sql,
+                        save_query_url=save_query_url,
                         tables=await get_tables(datasette, request, db, allowed_dict),
                         named_parameter_values=named_parameter_values,
                         edit_sql_url=edit_sql_url,
@@ -839,11 +1093,14 @@ class QueryView(View):
                         renderers=renderers,
                         url_csv=datasette.urls.path(
                             path_with_format(
-                                request=request, format="csv", extra_qs={"_size": "max"}
+                                request=request,
+                                path=request.scope.get("route_path"),
+                                format="csv",
+                                extra_qs={"_size": "max"},
                             )
                         ),
                         show_hide_hidden=markupsafe.Markup(show_hide_hidden),
-                        metadata=canned_query or metadata,
+                        metadata=metadata,
                         alternate_url_json=alternate_url_json,
                         select_templates=[
                             f"{'*' if template_name == template.name else ''}{template_name}"
@@ -852,12 +1109,12 @@ class QueryView(View):
                         top_query=make_slot_function(
                             "top_query", datasette, request, database=database, sql=sql
                         ),
-                        top_canned_query=make_slot_function(
-                            "top_canned_query",
+                        top_stored_query=make_slot_function(
+                            "top_stored_query",
                             datasette,
                             request,
                             database=database,
-                            query_name=canned_query["name"] if canned_query else None,
+                            query_name=stored_query.name if stored_query else None,
                         ),
                         query_actions=query_actions,
                     ),
@@ -915,277 +1172,6 @@ class MagicParameters(dict):
             return super().__getitem__(key)
 
 
-class TableCreateView(BaseView):
-    name = "table-create"
-
-    _valid_keys = {
-        "table",
-        "rows",
-        "row",
-        "columns",
-        "pk",
-        "pks",
-        "ignore",
-        "replace",
-        "alter",
-    }
-    _supported_column_types = {
-        "text",
-        "integer",
-        "float",
-        "blob",
-    }
-    # Any string that does not contain a newline or start with sqlite_
-    _table_name_re = re.compile(r"^(?!sqlite_)[^\n]+$")
-
-    def __init__(self, datasette):
-        self.ds = datasette
-
-    async def post(self, request):
-        db = await self.ds.resolve_database(request)
-        database_name = db.name
-
-        # Must have create-table permission
-        if not await self.ds.allowed(
-            action="create-table",
-            resource=DatabaseResource(database=database_name),
-            actor=request.actor,
-        ):
-            return _error(["Permission denied"], 403)
-
-        body = await request.post_body()
-        try:
-            data = json.loads(body)
-        except json.JSONDecodeError as e:
-            return _error(["Invalid JSON: {}".format(e)])
-
-        if not isinstance(data, dict):
-            return _error(["JSON must be an object"])
-
-        invalid_keys = set(data.keys()) - self._valid_keys
-        if invalid_keys:
-            return _error(["Invalid keys: {}".format(", ".join(invalid_keys))])
-
-        # ignore and replace are mutually exclusive
-        if data.get("ignore") and data.get("replace"):
-            return _error(["ignore and replace are mutually exclusive"])
-
-        # ignore and replace only allowed with row or rows
-        if "ignore" in data or "replace" in data:
-            if not data.get("row") and not data.get("rows"):
-                return _error(["ignore and replace require row or rows"])
-
-        # ignore and replace require pk or pks
-        if "ignore" in data or "replace" in data:
-            if not data.get("pk") and not data.get("pks"):
-                return _error(["ignore and replace require pk or pks"])
-
-        ignore = data.get("ignore")
-        replace = data.get("replace")
-
-        if replace:
-            # Must have update-row permission
-            if not await self.ds.allowed(
-                action="update-row",
-                resource=DatabaseResource(database=database_name),
-                actor=request.actor,
-            ):
-                return _error(["Permission denied: need update-row"], 403)
-
-        table_name = data.get("table")
-        if not table_name:
-            return _error(["Table is required"])
-
-        if not self._table_name_re.match(table_name):
-            return _error(["Invalid table name"])
-
-        table_exists = await db.table_exists(data["table"])
-        columns = data.get("columns")
-        rows = data.get("rows")
-        row = data.get("row")
-        if not columns and not rows and not row:
-            return _error(["columns, rows or row is required"])
-
-        if rows and row:
-            return _error(["Cannot specify both rows and row"])
-
-        if rows or row:
-            # Must have insert-row permission
-            if not await self.ds.allowed(
-                action="insert-row",
-                resource=DatabaseResource(database=database_name),
-                actor=request.actor,
-            ):
-                return _error(["Permission denied: need insert-row"], 403)
-
-        alter = False
-        if rows or row:
-            if not table_exists:
-                # if table is being created for the first time, alter=True
-                alter = True
-            else:
-                # alter=True only if they request it AND they have permission
-                if data.get("alter"):
-                    if not await self.ds.allowed(
-                        action="alter-table",
-                        resource=DatabaseResource(database=database_name),
-                        actor=request.actor,
-                    ):
-                        return _error(["Permission denied: need alter-table"], 403)
-                    alter = True
-
-        if columns:
-            if rows or row:
-                return _error(["Cannot specify columns with rows or row"])
-            if not isinstance(columns, list):
-                return _error(["columns must be a list"])
-            for column in columns:
-                if not isinstance(column, dict):
-                    return _error(["columns must be a list of objects"])
-                if not column.get("name") or not isinstance(column.get("name"), str):
-                    return _error(["Column name is required"])
-                if not column.get("type"):
-                    column["type"] = "text"
-                if column["type"] not in self._supported_column_types:
-                    return _error(
-                        ["Unsupported column type: {}".format(column["type"])]
-                    )
-            # No duplicate column names
-            dupes = {c["name"] for c in columns if columns.count(c) > 1}
-            if dupes:
-                return _error(["Duplicate column name: {}".format(", ".join(dupes))])
-
-        if row:
-            rows = [row]
-
-        if rows:
-            if not isinstance(rows, list):
-                return _error(["rows must be a list"])
-            for row in rows:
-                if not isinstance(row, dict):
-                    return _error(["rows must be a list of objects"])
-
-        pk = data.get("pk")
-        pks = data.get("pks")
-
-        if pk and pks:
-            return _error(["Cannot specify both pk and pks"])
-        if pk:
-            if not isinstance(pk, str):
-                return _error(["pk must be a string"])
-        if pks:
-            if not isinstance(pks, list):
-                return _error(["pks must be a list"])
-            for pk in pks:
-                if not isinstance(pk, str):
-                    return _error(["pks must be a list of strings"])
-
-        # If table exists already, read pks from that instead
-        if table_exists:
-            actual_pks = await db.primary_keys(table_name)
-            # if pk passed and table already exists check it does not change
-            bad_pks = False
-            if len(actual_pks) == 1 and data.get("pk") and data["pk"] != actual_pks[0]:
-                bad_pks = True
-            elif (
-                len(actual_pks) > 1
-                and data.get("pks")
-                and set(data["pks"]) != set(actual_pks)
-            ):
-                bad_pks = True
-            if bad_pks:
-                return _error(["pk cannot be changed for existing table"])
-            pks = actual_pks
-
-        initial_schema = None
-        if table_exists:
-            initial_schema = await db.execute_fn(
-                lambda conn: sqlite_utils.Database(conn)[table_name].schema
-            )
-
-        def create_table(conn):
-            table = sqlite_utils.Database(conn)[table_name]
-            if rows:
-                table.insert_all(
-                    rows, pk=pks or pk, ignore=ignore, replace=replace, alter=alter
-                )
-            else:
-                table.create(
-                    {c["name"]: c["type"] for c in columns},
-                    pk=pks or pk,
-                )
-            return table.schema
-
-        try:
-            schema = await db.execute_write_fn(create_table, request=request)
-        except Exception as e:
-            return _error([str(e)])
-
-        if initial_schema is not None and initial_schema != schema:
-            await self.ds.track_event(
-                AlterTableEvent(
-                    request.actor,
-                    database=database_name,
-                    table=table_name,
-                    before_schema=initial_schema,
-                    after_schema=schema,
-                )
-            )
-
-        table_url = self.ds.absolute_url(
-            request, self.ds.urls.table(db.name, table_name)
-        )
-        table_api_url = self.ds.absolute_url(
-            request, self.ds.urls.table(db.name, table_name, format="json")
-        )
-        details = {
-            "ok": True,
-            "database": db.name,
-            "table": table_name,
-            "table_url": table_url,
-            "table_api_url": table_api_url,
-            "schema": schema,
-        }
-        if rows:
-            details["row_count"] = len(rows)
-
-        if not table_exists:
-            # Only log creation if we created a table
-            await self.ds.track_event(
-                CreateTableEvent(
-                    request.actor, database=db.name, table=table_name, schema=schema
-                )
-            )
-        if rows:
-            await self.ds.track_event(
-                InsertRowsEvent(
-                    request.actor,
-                    database=db.name,
-                    table=table_name,
-                    num_rows=len(rows),
-                    ignore=ignore,
-                    replace=replace,
-                )
-            )
-        return Response.json(details, status=201)
-
-
-async def _table_columns(datasette, database_name):
-    internal_db = datasette.get_internal_database()
-    result = await internal_db.execute(
-        "select table_name, name from catalog_columns where database_name = ?",
-        [database_name],
-    )
-    table_columns = {}
-    for row in result.rows:
-        table_columns.setdefault(row["table_name"], []).append(row["name"])
-    # Add views
-    db = datasette.get_database(database_name)
-    for view_name in await db.view_names():
-        table_columns[view_name] = []
-    return table_columns
-
-
 async def display_rows(datasette, database, request, rows, columns):
     display_rows = []
     truncate_cells = datasette.setting("truncate_cells_html")
@@ -1205,6 +1191,7 @@ async def display_rows(datasette, database, request, rows, columns):
                 database=database,
                 datasette=datasette,
                 request=request,
+                column_type=None,
             ):
                 candidate = await await_me_maybe(candidate)
                 if candidate is not None:
diff --git a/datasette/views/execute_write.py b/datasette/views/execute_write.py
new file mode 100644
index 00000000..b7e8288e
--- /dev/null
+++ b/datasette/views/execute_write.py
@@ -0,0 +1,507 @@
+import re
+from urllib.parse import urlencode
+
+from datasette.resources import DatabaseResource
+from datasette.utils import sqlite3
+from datasette.utils.asgi import Response
+
+from .base import BaseView, _error
+from .database import display_rows as display_query_rows
+from .query_helpers import (
+    QueryValidationError,
+    SQL_PARAMETER_FORM_PREFIX,
+    _analysis_is_write,
+    _analysis_rows,
+    _analysis_rows_with_permissions,
+    _block_framing,
+    _coerce_execute_write_payload,
+    _derived_query_parameters,
+    _execute_write_analysis_data,
+    _execute_write_disabled_reason,
+    _inserted_row_url,
+    _json_or_form_payload,
+    _prepare_execute_write,
+    _table_columns,
+    _wants_json,
+)
+
+WRITE_TEMPLATE_LABELS = {
+    "insert": "Insert row",
+    "update": "Update rows",
+    "delete": "Delete rows",
+}
+WRITE_TEMPLATE_OPERATIONS = tuple(WRITE_TEMPLATE_LABELS)
+CREATE_TABLE_TEMPLATE_SQL = "\n".join(
+    (
+        "create table new_table (",
+        "  id integer primary key,",
+        "  name text",
+        "  -- created text default (datetime('now'))",
+        ")",
+    )
+)
+
+
+def _parameter_names(columns):
+    seen = set()
+    names = {}
+    for column in columns:
+        base = re.sub(r"[^a-z0-9_]+", "_", column.lower())
+        base = base.strip("_") or "value"
+        if base[0].isdigit():
+            base = "p_{}".format(base)
+        name = base
+        index = 2
+        while name in seen:
+            name = "{}_{}".format(base, index)
+            index += 1
+        seen.add(name)
+        names[column] = name
+    return names
+
+
+def _quote_identifier(identifier):
+    return '"{}"'.format(identifier.replace('"', '""'))
+
+
+def _preferred_where_column(table, columns):
+    lower_table_id = "{}_id".format(table.lower())
+    return (
+        next((column for column in columns if column.lower() == "id"), None)
+        or next(
+            (column for column in columns if column.lower() == lower_table_id), None
+        )
+        or columns[0]
+    )
+
+
+def _auto_incrementing_primary_key(columns):
+    primary_keys = [column for column in columns if column.is_pk]
+    if len(primary_keys) != 1:
+        return None
+    primary_key = primary_keys[0]
+    if primary_key.type and primary_key.type.lower() == "integer":
+        return primary_key.name
+    return None
+
+
+def _insert_template_sql(table, columns):
+    column_names = [column.name for column in columns]
+    auto_pk = _auto_incrementing_primary_key(columns)
+    insert_columns = [column for column in column_names if column != auto_pk]
+    if not insert_columns:
+        return "insert into {}\ndefault values".format(_quote_identifier(table))
+    names = _parameter_names(insert_columns)
+    return "\n".join(
+        (
+            "insert into {} (".format(_quote_identifier(table)),
+            ",\n".join(
+                "  {}".format(_quote_identifier(column)) for column in insert_columns
+            ),
+            ")",
+            "values (",
+            ",\n".join("  :{}".format(names[column]) for column in insert_columns),
+            ")",
+        )
+    )
+
+
+def _update_template_sql(table, columns):
+    column_names = [column.name for column in columns]
+    names = _parameter_names(column_names)
+    where_column = _preferred_where_column(table, column_names)
+    set_columns = [column for column in column_names if column != where_column]
+    if not set_columns:
+        return "\n".join(
+            (
+                "update {}".format(_quote_identifier(table)),
+                "set {} = :new_{}".format(
+                    _quote_identifier(where_column), names[where_column]
+                ),
+                "where {} = :{}".format(
+                    _quote_identifier(where_column), names[where_column]
+                ),
+            )
+        )
+    return "\n".join(
+        (
+            "update {}".format(_quote_identifier(table)),
+            "set "
+            + ",\n".join(
+                "{}{} = :{}".format(
+                    "    " if index else "",
+                    _quote_identifier(column),
+                    names[column],
+                )
+                for index, column in enumerate(set_columns)
+            ),
+            "where {} = :{}".format(
+                _quote_identifier(where_column), names[where_column]
+            ),
+        )
+    )
+
+
+def _delete_template_sql(table, columns):
+    column_names = [column.name for column in columns]
+    names = _parameter_names(column_names)
+    where_column = _preferred_where_column(table, column_names)
+    return "\n".join(
+        (
+            "delete from {}".format(_quote_identifier(table)),
+            "where {} = :{}".format(
+                _quote_identifier(where_column), names[where_column]
+            ),
+        )
+    )
+
+
+def _template_sqls_for_table(table, columns):
+    return {
+        "insert": _insert_template_sql(table, columns),
+        "update": _update_template_sql(table, columns),
+        "delete": _delete_template_sql(table, columns),
+    }
+
+
+async def _template_sql_allowed(datasette, db, sql, actor):
+    params = {parameter: "" for parameter in _derived_query_parameters(sql)}
+    try:
+        analysis = await db.analyze_sql(sql, params)
+    except sqlite3.DatabaseError:
+        return False
+    if not _analysis_is_write(analysis):
+        return False
+    analysis_rows = await _analysis_rows_with_permissions(datasette, analysis, actor)
+    return _execute_write_disabled_reason(sql, None, analysis_rows) is None
+
+
+async def _write_template_tables(
+    datasette, db, table_columns, hidden_table_names, actor
+):
+    write_template_tables = {}
+    for table in table_columns:
+        if table in hidden_table_names or not table_columns[table]:
+            continue
+        column_details = [
+            column
+            for column in await db.table_column_details(table)
+            if not column.hidden
+        ]
+        if not column_details:
+            continue
+        templates = {}
+        for operation, sql in _template_sqls_for_table(table, column_details).items():
+            if await _template_sql_allowed(datasette, db, sql, actor):
+                templates[operation] = sql
+        if templates:
+            write_template_tables[table] = {
+                "templates": templates,
+            }
+    return write_template_tables
+
+
+def _write_template_operations(write_template_tables):
+    operations = []
+    for operation in WRITE_TEMPLATE_OPERATIONS:
+        if any(
+            operation in table["templates"] for table in write_template_tables.values()
+        ):
+            operations.append(
+                {
+                    "name": operation,
+                    "label": WRITE_TEMPLATE_LABELS[operation],
+                }
+            )
+    return operations
+
+
+async def _create_table_template_sql(datasette, db, actor):
+    if await datasette.allowed(
+        action="create-table",
+        resource=DatabaseResource(db.name),
+        actor=actor,
+    ):
+        return CREATE_TABLE_TEMPLATE_SQL
+    return None
+
+
+def _analysis_changes_schema(analysis):
+    return any(
+        operation.operation in {"create", "alter", "drop"}
+        for operation in analysis.operations
+    )
+
+
+class ExecuteWriteView(BaseView):
+    name = "execute-write"
+    has_json_alternate = False
+
+    async def _render_form(
+        self,
+        request,
+        db,
+        *,
+        sql="",
+        parameter_values=None,
+        analysis=None,
+        analysis_error=None,
+        execution_message=None,
+        execution_links=None,
+        execution_ok=None,
+        execute_write_returns_rows=False,
+        execute_write_columns=None,
+        execute_write_display_rows=None,
+        execute_write_truncated=False,
+        status=200,
+    ):
+        parameter_values = parameter_values or {}
+        execution_links = execution_links or []
+        execute_write_columns = execute_write_columns or []
+        execute_write_display_rows = execute_write_display_rows or []
+        parameter_names = []
+        analysis_rows = []
+        table_columns = await _table_columns(self.ds, db.name)
+        hidden_table_names = set(await db.hidden_table_names())
+        write_template_tables = await _write_template_tables(
+            self.ds, db, table_columns, hidden_table_names, request.actor
+        )
+        write_template_operations = _write_template_operations(write_template_tables)
+        write_create_table_template_sql = await _create_table_template_sql(
+            self.ds, db, request.actor
+        )
+        if sql and analysis_error is None:
+            try:
+                parameter_names = _derived_query_parameters(sql)
+                if analysis is None:
+                    params = {parameter: "" for parameter in parameter_names}
+                    analysis = await db.analyze_sql(sql, params)
+                if _analysis_is_write(analysis):
+                    analysis_rows = await _analysis_rows_with_permissions(
+                        self.ds, analysis, request.actor
+                    )
+                else:
+                    analysis_error = (
+                        "Use /-/query for read-only SQL; "
+                        "this endpoint only executes writes"
+                    )
+            except (QueryValidationError, sqlite3.DatabaseError) as ex:
+                analysis_error = getattr(ex, "message", str(ex))
+
+        allow_save_query = await self.ds.allowed(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ) and await self.ds.allowed(
+            action="store-query",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        )
+        save_query_base_url = None
+        save_query_url = None
+        execute_disabled_reason = _execute_write_disabled_reason(
+            sql, analysis_error, analysis_rows
+        )
+        if allow_save_query:
+            save_query_base_url = self.ds.urls.database(db.name) + "/-/queries/store"
+            if not execute_disabled_reason:
+                save_query_url = save_query_base_url + "?" + urlencode({"sql": sql})
+
+        response = await self.render(
+            ["execute_write.html"],
+            request,
+            {
+                "database": db.name,
+                "database_color": db.color,
+                "sql": sql,
+                "parameter_names": parameter_names,
+                "parameter_values": parameter_values,
+                "analysis_error": analysis_error,
+                "analysis_rows": analysis_rows,
+                "execution_message": execution_message,
+                "execution_links": execution_links,
+                "execution_ok": execution_ok,
+                "execute_write_returns_rows": execute_write_returns_rows,
+                "execute_write_columns": execute_write_columns,
+                "execute_write_display_rows": execute_write_display_rows,
+                "execute_write_truncated": execute_write_truncated,
+                "sql_parameter_name_prefix": SQL_PARAMETER_FORM_PREFIX,
+                "execute_disabled": bool(execute_disabled_reason),
+                "execute_disabled_reason": execute_disabled_reason,
+                "table_columns": table_columns,
+                "write_template_tables": write_template_tables,
+                "write_template_operations": write_template_operations,
+                "write_create_table_template_sql": write_create_table_template_sql,
+                "save_query_url": save_query_url,
+                "save_query_base_url": save_query_base_url,
+            },
+        )
+        response.status = status
+        return _block_framing(response)
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        await self.ds.ensure_permission(
+            action="execute-write-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        )
+        if not db.is_mutable:
+            return _block_framing(
+                _error(
+                    ["Cannot execute write SQL because this database is immutable."],
+                    403,
+                )
+            )
+        return await self._render_form(
+            request,
+            db,
+            sql=request.args.get("sql") or "",
+        )
+
+    async def post(self, request):
+        db = await self.ds.resolve_database(request)
+        if not await self.ds.allowed(
+            action="execute-write-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _block_framing(
+                _error(["Permission denied: need execute-write-sql"], 403)
+            )
+        if not db.is_mutable:
+            return _block_framing(_error(["Database is immutable"], 403))
+
+        data = {}
+        is_json = request.headers.get("content-type", "").startswith("application/json")
+        sql = ""
+        provided_params = {}
+        try:
+            data, is_json = await _json_or_form_payload(request)
+            sql, provided_params = _coerce_execute_write_payload(data, is_json)
+            parameter_names, params, analysis = await _prepare_execute_write(
+                self.ds, db, sql, provided_params, request.actor
+            )
+        except QueryValidationError as ex:
+            if _wants_json(request, is_json, data):
+                return _block_framing(_error([ex.message], ex.status))
+            if ex.flash:
+                self.ds.add_message(request, ex.message, self.ds.ERROR)
+            return await self._render_form(
+                request,
+                db,
+                sql=sql or "",
+                parameter_values=provided_params,
+                analysis_error=None if ex.flash else ex.message,
+                execution_message=None if ex.flash else ex.message,
+                execution_ok=False,
+                status=ex.status,
+            )
+
+        wants_json = _wants_json(request, is_json, data)
+        try:
+            execute_write_kwargs = {"request": request}
+            cursor = await db.execute_write(sql, params, **execute_write_kwargs)
+        except sqlite3.DatabaseError as ex:
+            message = str(ex)
+            if wants_json:
+                return _block_framing(_error([message], 400))
+            return await self._render_form(
+                request,
+                db,
+                sql=sql,
+                parameter_values=params,
+                analysis=analysis,
+                execution_message=message,
+                execution_ok=False,
+                status=400,
+            )
+
+        if _analysis_changes_schema(analysis):
+            await self.ds.refresh_schemas(force=True)
+
+        if cursor.rowcount == -1:
+            message = "Query executed"
+        else:
+            message = "Query executed, {} row{} affected".format(
+                cursor.rowcount, "" if cursor.rowcount == 1 else "s"
+            )
+        if wants_json:
+            data = {
+                "ok": True,
+                "message": message,
+                "rowcount": cursor.rowcount,
+                "rows": [],
+                "truncated": False,
+                "analysis": _analysis_rows(analysis),
+            }
+            if cursor.description is not None:
+                data["rows"] = [dict(row) for row in cursor.fetchall()]
+                data["truncated"] = cursor.truncated
+            return _block_framing(Response.json(data))
+
+        inserted_row_url = await _inserted_row_url(self.ds, db, analysis, cursor)
+        execution_links = (
+            [{"href": inserted_row_url, "label": "View row"}]
+            if inserted_row_url
+            else []
+        )
+        execute_write_returns_rows = cursor.description is not None
+        execute_write_columns = []
+        execute_write_display_rows = []
+        if execute_write_returns_rows:
+            execute_write_columns = [
+                description[0] for description in cursor.description
+            ]
+            execute_write_display_rows = await display_query_rows(
+                self.ds,
+                db.name,
+                request,
+                cursor.fetchall(),
+                execute_write_columns,
+            )
+        return await self._render_form(
+            request,
+            db,
+            sql=sql,
+            parameter_values={name: params.get(name, "") for name in parameter_names},
+            analysis=analysis,
+            execution_message=message,
+            execution_links=execution_links,
+            execution_ok=True,
+            execute_write_returns_rows=execute_write_returns_rows,
+            execute_write_columns=execute_write_columns,
+            execute_write_display_rows=execute_write_display_rows,
+            execute_write_truncated=cursor.truncated,
+        )
+
+
+class ExecuteWriteAnalyzeView(BaseView):
+    name = "execute-write-analyze"
+    has_json_alternate = False
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        if not await self.ds.allowed(
+            action="execute-write-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _block_framing(
+                _error(["Permission denied: need execute-write-sql"], 403)
+            )
+
+        invalid_keys = set(request.args) - {"sql"}
+        if invalid_keys:
+            return _block_framing(
+                _error(
+                    ["Invalid keys: {}".format(", ".join(sorted(invalid_keys)))],
+                    400,
+                )
+            )
+        sql = request.args.get("sql") or ""
+        return _block_framing(
+            Response.json(
+                await _execute_write_analysis_data(self.ds, db, sql, request.actor)
+            )
+        )
diff --git a/datasette/views/query_helpers.py b/datasette/views/query_helpers.py
new file mode 100644
index 00000000..026a999f
--- /dev/null
+++ b/datasette/views/query_helpers.py
@@ -0,0 +1,638 @@
+import json
+import re
+
+from datasette.resources import DatabaseResource
+from datasette.stored_queries import (
+    StoredQuery,
+)
+from datasette.write_sql import (
+    IgnoreWriteSqlOperation,
+    QueryWriteRejected,
+    RequireWriteSqlPermissions,
+    decision_for_write_sql_operation,
+    operation_is_write,
+)
+from datasette.utils import (
+    named_parameters as derive_named_parameters,
+    escape_sqlite,
+    path_from_row_pks,
+    sqlite3,
+    validate_sql_select,
+    InvalidSql,
+)
+from datasette.utils.asgi import Forbidden
+from datasette.utils.sql_analysis import Operation, SQLAnalysis
+
+_query_name_re = re.compile(r"^[^/\.\n]+$")
+
+_query_fields = {
+    "sql",
+    "title",
+    "description",
+    "hide_sql",
+    "fragment",
+    "parameters",
+    "params",
+    "is_private",
+    "on_success_message",
+    "on_success_redirect",
+    "on_error_message",
+    "on_error_redirect",
+}
+
+_query_create_fields = _query_fields | {"name", "mode", "csrftoken"}
+_query_update_fields = _query_fields
+_query_write_fields = {
+    "on_success_message",
+    "on_success_redirect",
+    "on_error_message",
+    "on_error_redirect",
+}
+
+SQL_PARAMETER_FORM_PREFIX = "_sql_param_"
+
+
+class QueryValidationError(Exception):
+    def __init__(self, message, status=400, *, flash=False):
+        self.message = message
+        self.status = status
+        self.flash = flash
+        super().__init__(message)
+
+
+def _actor_id(actor):
+    if isinstance(actor, dict):
+        return actor.get("id")
+    return None
+
+
+def _as_bool(value):
+    if isinstance(value, bool):
+        return value
+    if value is None:
+        return False
+    if isinstance(value, int):
+        return bool(value)
+    if isinstance(value, str):
+        return value.lower() in {"1", "true", "t", "yes", "on"}
+    return bool(value)
+
+
+def _as_optional_bool(value, name):
+    if value is None or value == "":
+        return None
+    if isinstance(value, bool):
+        return value
+    if isinstance(value, int):
+        return bool(value)
+    if isinstance(value, str):
+        lowered = value.lower()
+        if lowered in {"1", "true", "t", "yes", "on"}:
+            return True
+        if lowered in {"0", "false", "f", "no", "off"}:
+            return False
+    raise QueryValidationError("{} must be 0 or 1".format(name))
+
+
+def _query_list_limit(value, default=50):
+    if value in (None, ""):
+        return default
+    try:
+        return min(max(1, int(value)), 1000)
+    except ValueError as ex:
+        raise QueryValidationError("_size must be an integer") from ex
+
+
+def _derived_query_parameters(sql):
+    parameters = []
+    seen = set()
+    for parameter in derive_named_parameters(sql):
+        if parameter.startswith("_"):
+            raise QueryValidationError("Magic parameters are not allowed")
+        if parameter not in seen:
+            parameters.append(parameter)
+            seen.add(parameter)
+    return parameters
+
+
+def _coerce_query_parameters(value, derived):
+    if value is None:
+        return derived
+    if isinstance(value, str):
+        parameters = [
+            parameter.strip()
+            for parameter in re.split(r"[\s,]+", value)
+            if parameter.strip()
+        ]
+    elif isinstance(value, list):
+        parameters = value
+    else:
+        raise QueryValidationError("parameters must be a list of strings")
+    if not all(isinstance(parameter, str) for parameter in parameters):
+        raise QueryValidationError("parameters must be a list of strings")
+    if any(parameter.startswith("_") for parameter in parameters):
+        raise QueryValidationError("Magic parameters are not allowed")
+    if set(parameters) != set(derived):
+        raise QueryValidationError("parameters must match SQL named parameters")
+    return parameters
+
+
+def _analysis_is_write(analysis: SQLAnalysis) -> bool:
+    return any(operation_is_write(operation) for operation in analysis.operations)
+
+
+def _block_framing(response):
+    response.headers["Content-Security-Policy"] = "frame-ancestors 'none'"
+    response.headers["X-Frame-Options"] = "DENY"
+    return response
+
+
+def _wants_json(request, is_json, data):
+    return (
+        is_json
+        or request.headers.get("accept") == "application/json"
+        or (isinstance(data, dict) and data.get("_json"))
+    )
+
+
+def _query_create_form_error_message(message):
+    return {
+        "Query name is required": "URL is required",
+        "Invalid query name": "Invalid URL",
+        "Query name conflicts with a table or view": (
+            "URL conflicts with an existing table or view"
+        ),
+        "Query already exists": "A query already exists at that URL",
+    }.get(message, message)
+
+
+async def _json_or_form_payload(request):
+    content_type = request.headers.get("content-type", "")
+    if content_type.startswith("application/json"):
+        body = await request.post_body()
+        try:
+            return json.loads(body or b"{}"), True
+        except json.JSONDecodeError as e:
+            raise QueryValidationError("Invalid JSON: {}".format(e))
+    return await request.post_vars(), False
+
+
+async def _check_query_name(db, name, *, existing=False):
+    if not name or not isinstance(name, str):
+        raise QueryValidationError("Query name is required")
+    if not _query_name_re.match(name):
+        raise QueryValidationError("Invalid query name")
+    if not existing and (await db.table_exists(name) or await db.view_exists(name)):
+        raise QueryValidationError("Query name conflicts with a table or view")
+
+
+async def _analyze_user_query(datasette, db, sql, *, actor):
+    if not sql or not isinstance(sql, str):
+        raise QueryValidationError("SQL is required")
+    derived = _derived_query_parameters(sql)
+    params = {parameter: "" for parameter in derived}
+    try:
+        analysis = await db.analyze_sql(sql, params)
+    except sqlite3.DatabaseError as ex:
+        raise QueryValidationError("Could not analyze query: {}".format(ex)) from ex
+
+    is_write = _analysis_is_write(analysis)
+    if is_write:
+        try:
+            await datasette.ensure_query_write_permissions(
+                db.name, sql, actor=actor, analysis=analysis
+            )
+        except QueryWriteRejected as ex:
+            raise QueryValidationError(ex.message, status=403, flash=True) from ex
+        except Forbidden as ex:
+            raise QueryValidationError(str(ex), status=403) from ex
+    else:
+        try:
+            validate_sql_select(sql)
+        except InvalidSql as ex:
+            raise QueryValidationError(str(ex)) from ex
+    return is_write, derived, analysis
+
+
+def _display_operations(analysis: SQLAnalysis) -> list[Operation]:
+    operations = []
+    for operation in analysis.operations:
+        if isinstance(
+            decision_for_write_sql_operation(operation), IgnoreWriteSqlOperation
+        ):
+            continue
+        operations.append(operation)
+    return operations
+
+
+def _analysis_rows(analysis: SQLAnalysis) -> list[dict[str, object]]:
+    rows = []
+    for operation in _display_operations(analysis):
+        decision = decision_for_write_sql_operation(operation)
+        required_permission = (
+            ", ".join(permission.action for permission in decision.permissions)
+            if isinstance(decision, RequireWriteSqlPermissions)
+            else ""
+        )
+        rows.append(
+            {
+                "operation": operation.operation,
+                "database": operation.database,
+                "table": operation.table or operation.target,
+                "required_permission": required_permission,
+                "source": operation.source,
+            }
+        )
+    return rows
+
+
+async def _analysis_rows_with_permissions(
+    datasette, analysis: SQLAnalysis, actor
+) -> list[dict[str, object]]:
+    rows = _analysis_rows(analysis)
+    is_write = _analysis_is_write(analysis)
+    for row, operation in zip(rows, _display_operations(analysis)):
+        decision = decision_for_write_sql_operation(operation)
+        if isinstance(decision, RequireWriteSqlPermissions):
+            row["allowed"] = True
+            for permission in decision.permissions:
+                if not await datasette.allowed(
+                    action=permission.action,
+                    resource=permission.resource,
+                    actor=actor,
+                ):
+                    row["allowed"] = False
+                    break
+        elif is_write:
+            row["allowed"] = False
+        else:
+            row["allowed"] = None
+    return rows
+
+
+def _execute_write_disabled_reason(sql, analysis_error, analysis_rows):
+    if not (sql and sql.strip()):
+        return "Enter writable SQL before executing."
+    if analysis_error:
+        return analysis_error
+    if any(row.get("allowed") is False for row in analysis_rows):
+        return "You do not have permission for every operation listed above."
+    return None
+
+
+def _coerce_execute_write_payload(data, is_json):
+    if not isinstance(data, dict):
+        raise QueryValidationError("JSON must be a dictionary")
+    if is_json:
+        invalid_keys = set(data) - {"sql", "params"}
+        if invalid_keys:
+            raise QueryValidationError(
+                "Invalid keys: {}".format(", ".join(sorted(invalid_keys)))
+            )
+        params = data.get("params") or {}
+    else:
+        params = {}
+        for key, value in data.items():
+            if key in {"sql", "csrftoken", "_json"}:
+                continue
+            if key.startswith(SQL_PARAMETER_FORM_PREFIX):
+                key = key[len(SQL_PARAMETER_FORM_PREFIX) :]
+            params[key] = value
+    if not isinstance(params, dict):
+        raise QueryValidationError("params must be a dictionary")
+    return data.get("sql"), params
+
+
+async def _prepare_execute_write(datasette, db, sql, params, actor):
+    if not sql or not isinstance(sql, str):
+        raise QueryValidationError("SQL is required")
+    parameter_names = _derived_query_parameters(sql)
+    extra_params = set(params) - set(parameter_names)
+    if extra_params:
+        raise QueryValidationError(
+            "Unknown parameters: {}".format(", ".join(sorted(extra_params)))
+        )
+    params = {name: params.get(name, "") for name in parameter_names}
+    try:
+        analysis = await db.analyze_sql(sql, params)
+    except sqlite3.DatabaseError as ex:
+        raise QueryValidationError("Could not analyze query: {}".format(ex)) from ex
+    if not _analysis_is_write(analysis):
+        raise QueryValidationError(
+            "Use /-/query for read-only SQL; this endpoint only executes writes"
+        )
+    try:
+        await datasette.ensure_query_write_permissions(
+            db.name, sql, actor=actor, analysis=analysis
+        )
+    except QueryWriteRejected as ex:
+        raise QueryValidationError(ex.message, status=403, flash=True) from ex
+    except Forbidden as ex:
+        raise QueryValidationError(str(ex), status=403) from ex
+    return parameter_names, params, analysis
+
+
+async def _ensure_stored_query_execution_permissions(
+    datasette, db, query: StoredQuery, actor
+):
+    if query.is_trusted:
+        return
+    if query.is_write:
+        await datasette.ensure_permission(
+            action="execute-write-sql",
+            resource=DatabaseResource(db.name),
+            actor=actor,
+        )
+        await datasette.ensure_query_write_permissions(db.name, query.sql, actor=actor)
+    else:
+        await datasette.ensure_permission(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=actor,
+        )
+
+
+async def _execute_write_analysis_data(datasette, db, sql, actor):
+    parameter_names = []
+    analysis_rows = []
+    analysis_error = None
+    if sql:
+        try:
+            parameter_names = _derived_query_parameters(sql)
+            params = {parameter: "" for parameter in parameter_names}
+            analysis = await db.analyze_sql(sql, params)
+            if _analysis_is_write(analysis):
+                analysis_rows = await _analysis_rows_with_permissions(
+                    datasette, analysis, actor
+                )
+            else:
+                analysis_error = (
+                    "Use /-/query for read-only SQL; "
+                    "this endpoint only executes writes"
+                )
+        except (QueryValidationError, sqlite3.DatabaseError) as ex:
+            analysis_error = getattr(ex, "message", str(ex))
+    execute_disabled_reason = _execute_write_disabled_reason(
+        sql, analysis_error, analysis_rows
+    )
+    return {
+        "ok": analysis_error is None,
+        "parameters": parameter_names,
+        "analysis_error": analysis_error,
+        "analysis_rows": analysis_rows,
+        "execute_disabled": bool(execute_disabled_reason),
+        "execute_disabled_reason": execute_disabled_reason,
+    }
+
+
+async def _query_create_analysis_data(datasette, db, sql, actor):
+    has_sql = bool(sql and sql.strip())
+    parameter_names = []
+    analysis_rows = []
+    analysis_error = None
+    analysis: SQLAnalysis | None = None
+    if has_sql:
+        try:
+            parameter_names = _derived_query_parameters(sql)
+            params = {parameter: "" for parameter in parameter_names}
+            analysis = await db.analyze_sql(sql, params)
+            analysis_rows = await _analysis_rows_with_permissions(
+                datasette, analysis, actor
+            )
+        except (QueryValidationError, sqlite3.DatabaseError) as ex:
+            analysis_error = getattr(ex, "message", str(ex))
+    return {
+        "ok": analysis_error is None,
+        "parameters": parameter_names,
+        "analysis_error": analysis_error,
+        "analysis_rows": analysis_rows,
+        "has_sql": has_sql,
+        "analysis_is_write": _analysis_is_write(analysis) if analysis else False,
+        "save_disabled": bool(
+            (not has_sql)
+            or analysis_error
+            or any(row["allowed"] is False for row in analysis_rows)
+        ),
+    }
+
+
+async def _query_create_form_context(
+    datasette,
+    request,
+    db,
+    *,
+    sql="",
+    name="",
+    title="",
+    description="",
+    is_private=True,
+):
+    analysis_data = await _query_create_analysis_data(datasette, db, sql, request.actor)
+    return {
+        "database": db.name,
+        "database_color": db.color,
+        "sql": sql,
+        "name": name,
+        "title": title,
+        "description": description,
+        "is_private": is_private,
+        **analysis_data,
+    }
+
+
+async def _query_edit_form_context(
+    datasette,
+    request,
+    db,
+    existing: StoredQuery,
+    *,
+    sql=None,
+    title=None,
+    description=None,
+    is_private=None,
+):
+    sql = existing.sql if sql is None else sql
+    title = existing.title if title is None else title
+    description = existing.description if description is None else description
+    is_private = existing.is_private if is_private is None else is_private
+    analysis_data = await _query_create_analysis_data(datasette, db, sql, request.actor)
+    return {
+        "database": db.name,
+        "database_color": db.color,
+        "name": existing.name,
+        "sql": sql,
+        "title": title or "",
+        "description": description or "",
+        "is_private": is_private,
+        "query_url": datasette.urls.table(db.name, existing.name),
+        **analysis_data,
+    }
+
+
+async def _inserted_row_url(datasette, db, analysis, cursor):
+    if cursor.rowcount != 1:
+        return None
+    lastrowid = getattr(cursor, "lastrowid", None)
+    if lastrowid is None:
+        return None
+    direct_inserts = [
+        operation
+        for operation in analysis.operations
+        if operation.operation == "insert"
+        and operation.target_type == "table"
+        and not operation.internal
+        and operation.source is None
+        and operation.database == db.name
+    ]
+    if len(direct_inserts) != 1:
+        return None
+    table = direct_inserts[0].table
+    if table is None:
+        return None
+    pks = await db.primary_keys(table)
+    use_rowid = not pks
+    select = (
+        "rowid"
+        if use_rowid
+        else ", ".join(escape_sqlite(primary_key) for primary_key in pks)
+    )
+    try:
+        result = await db.execute(
+            "select {} from {} where rowid = ?".format(select, escape_sqlite(table)),
+            [lastrowid],
+        )
+    except sqlite3.DatabaseError:
+        return None
+    row = result.first()
+    if row is None:
+        return None
+    row_path = path_from_row_pks(row, pks, use_rowid)
+    return datasette.urls.row(db.name, table, row_path)
+
+
+def _apply_query_data_types(data):
+    typed = dict(data)
+    for key in ("hide_sql", "is_private"):
+        if key in typed:
+            typed[key] = _as_bool(typed[key])
+    return typed
+
+
+async def _prepare_query_create(datasette, request, db, data):
+    invalid_keys = set(data) - _query_create_fields
+    if invalid_keys:
+        raise QueryValidationError(
+            "Invalid keys: {}".format(", ".join(sorted(invalid_keys)))
+        )
+
+    data = _apply_query_data_types(data)
+    name = data.get("name")
+    await _check_query_name(db, name)
+    if await datasette.get_query(db.name, name) is not None:
+        raise QueryValidationError("Query already exists")
+
+    is_write, derived, analysis = await _analyze_user_query(
+        datasette,
+        db,
+        data.get("sql"),
+        actor=request.actor,
+    )
+    if not is_write and any(data.get(field) for field in _query_write_fields):
+        raise QueryValidationError("Writable query fields require writable SQL")
+
+    parameters = _coerce_query_parameters(
+        data.get("parameters", data.get("params")),
+        derived,
+    )
+    return {
+        "name": name,
+        "sql": data["sql"],
+        "title": data.get("title"),
+        "description": data.get("description"),
+        "hide_sql": _as_bool(data.get("hide_sql")),
+        "fragment": data.get("fragment"),
+        "parameters": parameters,
+        "is_write": is_write,
+        "is_private": _as_bool(data.get("is_private", True)),
+        "is_trusted": False,
+        "source": "user",
+        "owner_id": _actor_id(request.actor),
+        "on_success_message": data.get("on_success_message"),
+        "on_success_redirect": data.get("on_success_redirect"),
+        "on_error_message": data.get("on_error_message"),
+        "on_error_redirect": data.get("on_error_redirect"),
+        "analysis": analysis,
+    }
+
+
+async def _prepare_query_update(datasette, request, db, existing: StoredQuery, update):
+    invalid_keys = set(update) - _query_update_fields
+    if invalid_keys:
+        raise QueryValidationError(
+            "Invalid keys: {}".format(", ".join(sorted(invalid_keys)))
+        )
+
+    update = _apply_query_data_types(update)
+    sql = update.get("sql", existing.sql)
+    query_is_write = existing.is_write
+    derived = _derived_query_parameters(sql)
+    parameters = None
+
+    if "sql" in update:
+        query_is_write, derived, _ = await _analyze_user_query(
+            datasette,
+            db,
+            sql,
+            actor=request.actor,
+        )
+
+    if "parameters" in update or "params" in update:
+        parameters = _coerce_query_parameters(
+            update.get("parameters", update.get("params")),
+            derived,
+        )
+    elif "sql" in update:
+        parameters = derived
+
+    if not query_is_write and any(update.get(field) for field in _query_write_fields):
+        raise QueryValidationError("Writable query fields require writable SQL")
+
+    field_values = {
+        "sql": sql,
+        "title": update.get("title"),
+        "description": update.get("description"),
+        "hide_sql": update.get("hide_sql"),
+        "fragment": update.get("fragment"),
+        "parameters": parameters,
+        "is_write": query_is_write,
+        "is_private": update.get("is_private"),
+        "on_success_message": update.get("on_success_message"),
+        "on_success_redirect": update.get("on_success_redirect"),
+        "on_error_message": update.get("on_error_message"),
+        "on_error_redirect": update.get("on_error_redirect"),
+    }
+    update_kwargs = {}
+    for field_name, value in field_values.items():
+        if field_name in update:
+            update_kwargs[field_name] = value
+    if parameters is not None:
+        update_kwargs["parameters"] = parameters
+    if "sql" in update:
+        update_kwargs["is_write"] = query_is_write
+    return update_kwargs
+
+
+async def _table_columns(datasette, database_name):
+    internal_db = datasette.get_internal_database()
+    result = await internal_db.execute(
+        "select table_name, name from catalog_columns where database_name = ?",
+        [database_name],
+    )
+    table_columns = {}
+    for row in result.rows:
+        table_columns.setdefault(row["table_name"], []).append(row["name"])
+    # Add views
+    db = datasette.get_database(database_name)
+    for view_name in await db.view_names():
+        table_columns[view_name] = []
+    return table_columns
diff --git a/datasette/views/row.py b/datasette/views/row.py
index 9c59cd3b..129216b9 100644
--- a/datasette/views/row.py
+++ b/datasette/views/row.py
@@ -1,23 +1,404 @@
+import asyncio
+import json
+import textwrap
+import time
+import urllib.parse
+from dataclasses import dataclass, field
+
+import markupsafe
+import sqlite_utils
+
 from datasette.utils.asgi import NotFound, Forbidden, Response
 from datasette.database import QueryInterrupted
 from datasette.events import UpdateRowEvent, DeleteRowEvent
 from datasette.resources import TableResource
-from .base import DataView, BaseView, _error
+from .base import BaseView, DatasetteError, _error, stream_csv
 from datasette.utils import (
+    add_cors_headers,
     await_me_maybe,
+    call_with_supported_arguments,
+    CustomRow,
+    InvalidSql,
     make_slot_function,
+    path_from_row_pks,
+    path_with_added_args,
+    path_with_format,
+    path_with_removed_args,
     to_css_class,
     escape_sqlite,
+    sqlite3,
 )
 from datasette.plugins import pm
-import json
-import sqlite_utils
-from .table import display_columns_and_rows, _get_extras
+from datasette.extras import extra_names_from_request, ExtraScope
+from . import Context, from_extra
+from .table import (
+    display_columns_and_rows,
+    _table_page_data,
+    row_label_from_label_column,
+)
+from .table_extras import RowExtraContext, resolve_row_extras, table_extra_registry
 
 
-class RowView(DataView):
+@dataclass
+class RowContext(Context):
+    "The page showing an individual row, e.g. /fixtures/facetable/1."
+
+    documented_template = "row.html"
+    extras_scope = ExtraScope.ROW
+
+    # Fields resolved by registered extras - their documentation comes
+    # from the description on each Extra class in table_extras.py
+    columns: list = from_extra()
+    database: str = from_extra()
+    database_color: str = from_extra()
+    foreign_key_tables: list = from_extra()
+    metadata: dict = from_extra()
+    primary_keys: list = from_extra()
+    private: bool = from_extra()
+    table: str = from_extra()
+
+    # Fields added by the view code
+    ok: bool = field(
+        metadata={"help": "True if the data for this page was retrieved without errors"}
+    )
+    rows: list = field(
+        metadata={
+            "help": "A single-item list containing this row as a dictionary mapping column name to raw value."
+        }
+    )
+    primary_key_values: list = field(
+        metadata={"help": "Values of the primary keys for this row, from the URL"}
+    )
+    query_ms: float = field(
+        metadata={
+            "help": "Time taken by the SQL queries for this page, in milliseconds"
+        }
+    )
+    display_columns: list = field(
+        metadata={
+            "help": "Column metadata used by the HTML table display. Each item includes ``name``, ``sortable``, ``is_pk``, ``type``, ``notnull``, ``description``, ``column_type`` and ``column_type_config`` keys."
+        }
+    )
+    display_rows: list = field(
+        metadata={
+            "help": "Rows formatted for the HTML table display. Each row is iterable and contains cell dictionaries with ``column``, ``value``, ``raw`` and ``value_type`` keys."
+        }
+    )
+    custom_table_templates: list = field(
+        metadata={
+            "help": "Custom template names that were considered for displaying this row's table, in lookup order."
+        }
+    )
+    row_actions: list = field(
+        metadata={
+            "help": 'Row actions made available by core and plugin hooks. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_row_actions`.'
+        }
+    )
+    row_mutation_ui: bool = field(
+        metadata={"help": "True if the row edit/delete JavaScript UI should be enabled"}
+    )
+    table_page_data: dict = field(
+        metadata={
+            "help": "JSON data used by JavaScript on the row page. Includes ``database``, ``table`` and ``tableUrl``, plus optional ``foreignKeys`` mapping column names to autocomplete URLs."
+        }
+    )
+    top_row: callable = field(
+        metadata={
+            "help": "Async callable that renders the ``top_row`` plugin slot for this row and returns HTML."
+        }
+    )
+    renderers: dict = field(
+        metadata={
+            "help": "Dictionary mapping output format names such as ``json`` to URLs for this row in that format."
+        }
+    )
+    url_csv: str = field(metadata={"help": "URL for the CSV export of this page"})
+    url_csv_path: str = field(metadata={"help": "Path portion of the CSV export URL"})
+    url_csv_hidden_args: list = field(
+        metadata={
+            "help": "List of ``(name, value)`` pairs for hidden form fields used by the CSV export form, preserving current options while forcing ``_size=max``."
+        }
+    )
+    settings: dict = field(
+        metadata={
+            "help": "Dictionary of Datasette's current settings, keyed by setting name."
+        }
+    )
+    select_templates: list = field(
+        metadata={
+            "help": "List of template names that were considered for this page, with the selected template prefixed by ``*``."
+        }
+    )
+    alternate_url_json: str = field(
+        metadata={"help": "URL for the JSON version of this page"}
+    )
+
+
+class RowView(BaseView):
     name = "row"
 
+    def redirect(self, request, path, forward_querystring=True, remove_args=None):
+        if request.query_string and "?" not in path and forward_querystring:
+            path = f"{path}?{request.query_string}"
+        if remove_args:
+            path = path_with_removed_args(request, remove_args, path=path)
+        response = Response.redirect(path)
+        response.headers["Link"] = f"<{path}>; rel=preload"
+        if self.ds.cors:
+            add_cors_headers(response.headers)
+        return response
+
+    async def as_csv(self, request, database):
+        return await stream_csv(self.ds, self.data, request, database)
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        database = db.name
+        database_route = db.route
+        format_ = request.url_vars.get("format") or "html"
+        data_kwargs = {}
+
+        if format_ == "csv":
+            return await self.as_csv(request, database_route)
+
+        if format_ == "html":
+            # HTML views default to expanding all foreign key labels
+            data_kwargs["default_labels"] = True
+
+        extra_template_data = {}
+        start = time.perf_counter()
+        status_code = None
+        templates = ()
+        try:
+            response_or_template_contexts = await self.data(request, **data_kwargs)
+            if isinstance(response_or_template_contexts, Response):
+                return response_or_template_contexts
+            # If it has four items, it includes an HTTP status code
+            if len(response_or_template_contexts) == 4:
+                (
+                    data,
+                    extra_template_data,
+                    templates,
+                    status_code,
+                ) = response_or_template_contexts
+            else:
+                data, extra_template_data, templates = response_or_template_contexts
+        except QueryInterrupted as ex:
+            raise DatasetteError(
+                textwrap.dedent("""
+                <p>SQL query took too long. The time limit is controlled by the
+                <a href="https://docs.datasette.io/en/stable/settings.html#sql-time-limit-ms">sql_time_limit_ms</a>
+                configuration option.</p>
+                <textarea style="width: 90%">{}</textarea>
+                <script>
+                let ta = document.querySelector("textarea");
+                ta.style.height = ta.scrollHeight + "px";
+                </script>
+            """.format(markupsafe.escape(ex.sql))).strip(),
+                title="SQL Interrupted",
+                status=400,
+                message_is_html=True,
+            )
+        except (sqlite3.OperationalError, InvalidSql) as e:
+            raise DatasetteError(str(e), title="Invalid SQL", status=400)
+        except sqlite3.OperationalError as e:
+            raise DatasetteError(str(e))
+        except DatasetteError:
+            raise
+
+        end = time.perf_counter()
+        data["query_ms"] = (end - start) * 1000
+
+        # Special case for .jsono extension - redirect to _shape=objects
+        if format_ == "jsono":
+            return self.redirect(
+                request,
+                path_with_added_args(
+                    request,
+                    {"_shape": "objects"},
+                    path=request.path.rsplit(".jsono", 1)[0] + ".json",
+                ),
+                forward_querystring=False,
+            )
+
+        if format_ in self.ds.renderers.keys():
+            # Dispatch request to the correct output format renderer
+            # (CSV is not handled here due to streaming)
+            result = call_with_supported_arguments(
+                self.ds.renderers[format_][0],
+                datasette=self.ds,
+                columns=data.get("columns") or [],
+                rows=data.get("rows") or [],
+                sql=data.get("query", {}).get("sql", None),
+                query_name=data.get("query_name"),
+                database=database,
+                table=data.get("table"),
+                request=request,
+                view_name=self.name,
+                truncated=False,  # TODO: support this
+                error=data.get("error"),
+                # These will be deprecated in Datasette 1.0:
+                args=request.args,
+                data=data,
+            )
+            if asyncio.iscoroutine(result):
+                result = await result
+            if result is None:
+                raise NotFound("No data")
+            if isinstance(result, dict):
+                response = Response(
+                    body=result.get("body"),
+                    status=result.get("status_code", status_code or 200),
+                    content_type=result.get("content_type", "text/plain"),
+                    headers=result.get("headers"),
+                )
+            elif isinstance(result, Response):
+                response = result
+                if status_code is not None:
+                    # Over-ride the status code
+                    response.status = status_code
+            else:
+                assert False, f"{result} should be dict or Response"
+        elif format_ == "html":
+            response = await self.html(request, data, extra_template_data, templates)
+            if status_code is not None:
+                response.status = status_code
+        else:
+            raise NotFound("Invalid format: {}".format(format_))
+
+        ttl = request.args.get("_ttl", None)
+        if ttl is None or not ttl.isdigit():
+            ttl = self.ds.setting("default_cache_ttl")
+
+        return self.set_response_headers(response, ttl)
+
+    async def html(self, request, data, extra_template_data, templates):
+        extras = {}
+        if callable(extra_template_data):
+            extras = extra_template_data()
+            if asyncio.iscoroutine(extras):
+                extras = await extras
+        else:
+            extras = extra_template_data
+
+        url_labels_extra = {}
+        if data.get("expandable_columns"):
+            url_labels_extra = {"_labels": "on"}
+
+        renderers = {}
+        for key, (_, can_render) in self.ds.renderers.items():
+            it_can_render = call_with_supported_arguments(
+                can_render,
+                datasette=self.ds,
+                columns=data.get("columns") or [],
+                rows=data.get("rows") or [],
+                sql=data.get("query", {}).get("sql", None),
+                query_name=data.get("query_name"),
+                database=data.get("database"),
+                table=data.get("table"),
+                request=request,
+                view_name=self.name,
+            )
+            it_can_render = await await_me_maybe(it_can_render)
+            if it_can_render:
+                renderers[key] = self.ds.urls.path(
+                    path_with_format(
+                        request=request,
+                        path=request.scope.get("route_path"),
+                        format=key,
+                        extra_qs={**url_labels_extra},
+                    )
+                )
+
+        url_csv_args = {"_size": "max", **url_labels_extra}
+        url_csv = self.ds.urls.path(
+            path_with_format(
+                request=request,
+                path=request.scope.get("route_path"),
+                format="csv",
+                extra_qs=url_csv_args,
+            )
+        )
+        url_csv_path = url_csv.split("?")[0]
+        context = {**data, **extras}
+        if "metadata" not in context:
+            context["metadata"] = await self.ds.get_instance_metadata()
+
+        environment = self.ds.get_jinja_environment(request)
+        template = environment.select_template(templates)
+        alternate_url_json = self.ds.absolute_url(
+            request,
+            self.ds.urls.path(
+                path_with_format(
+                    request=request,
+                    path=request.scope.get("route_path"),
+                    format="json",
+                )
+            ),
+        )
+        return Response.html(
+            await self.ds.render_template(
+                template,
+                RowContext(
+                    columns=context["columns"],
+                    database=context["database"],
+                    database_color=context["database_color"],
+                    foreign_key_tables=context["foreign_key_tables"],
+                    metadata=context["metadata"],
+                    primary_keys=context["primary_keys"],
+                    private=context["private"],
+                    table=context["table"],
+                    ok=context["ok"],
+                    rows=context["rows"],
+                    primary_key_values=context["primary_key_values"],
+                    query_ms=context["query_ms"],
+                    display_columns=context["display_columns"],
+                    display_rows=context["display_rows"],
+                    custom_table_templates=context["custom_table_templates"],
+                    row_actions=context["row_actions"],
+                    row_mutation_ui=context["row_mutation_ui"],
+                    table_page_data=context["table_page_data"],
+                    top_row=context["top_row"],
+                    renderers=renderers,
+                    url_csv=url_csv,
+                    url_csv_path=url_csv_path,
+                    url_csv_hidden_args=[
+                        (key, value)
+                        for key, value in urllib.parse.parse_qsl(request.query_string)
+                        if key not in ("_labels", "_facet", "_size")
+                    ]
+                    + [("_size", "max")],
+                    settings=self.ds.settings_dict(),
+                    select_templates=[
+                        f"{'*' if template_name == template.name else ''}{template_name}"
+                        for template_name in templates
+                    ],
+                    alternate_url_json=alternate_url_json,
+                ),
+                request=request,
+                view_name=self.name,
+            ),
+            headers={
+                "Link": '<{}>; rel="alternate"; type="application/json+datasette"'.format(
+                    alternate_url_json
+                )
+            },
+        )
+
+    def set_response_headers(self, response, ttl):
+        # Set far-future cache expiry
+        if self.ds.cache_headers and response.status == 200:
+            ttl = int(ttl)
+            if ttl == 0:
+                ttl_header = "no-cache"
+            else:
+                ttl_header = f"max-age={ttl}"
+            response.headers["Cache-Control"] = ttl_header
+        response.headers["Referrer-Policy"] = "no-referrer"
+        if self.ds.cors:
+            add_cors_headers(response.headers)
+        return response
+
     async def data(self, request, default_labels=False):
         resolved = await self.ds.resolve_row(request)
         db = resolved.db
@@ -42,13 +423,63 @@ class RowView(DataView):
         if not rows:
             raise NotFound(f"Record not found: {pk_values}")
 
+        pks = resolved.pks
+
         async def template_data():
+            is_table = await db.table_exists(table)
+            # Reorder columns so primary keys come first
+            pk_set = set(pks)
+            pk_cols = [d for d in results.description if d[0] in pk_set]
+            non_pk_cols = [d for d in results.description if d[0] not in pk_set]
+            reordered_description = pk_cols + non_pk_cols
+            reordered_columns = [d[0] for d in reordered_description]
+
+            # Reorder row data to match
+            reordered_rows = []
+            for row in rows:
+                new_row = CustomRow(reordered_columns)
+                for col in reordered_columns:
+                    new_row[col] = row[col]
+                reordered_rows.append(new_row)
+
+            # Expand foreign key columns into dicts so display_columns_and_rows
+            # renders them as hyperlinks, matching the table view behavior
+            expanded_rows = reordered_rows
+            for fk in await db.foreign_keys_for_table(table):
+                column = fk["column"]
+                if column not in reordered_columns:
+                    continue
+                column_index = reordered_columns.index(column)
+                values = [row[column_index] for row in expanded_rows]
+                expanded_labels = await self.ds.expand_foreign_keys(
+                    request.actor, database, table, column, values
+                )
+                if expanded_labels:
+                    new_rows = []
+                    for row in expanded_rows:
+                        new_row = CustomRow(reordered_columns)
+                        for col in reordered_columns:
+                            value = row[col]
+                            if (
+                                col == column
+                                and (col, value) in expanded_labels
+                                and value is not None
+                            ):
+                                new_row[col] = {
+                                    "value": value,
+                                    "label": expanded_labels[(col, value)],
+                                }
+                            else:
+                                new_row[col] = value
+                        new_rows.append(new_row)
+                    expanded_rows = new_rows
+
             display_columns, display_rows = await display_columns_and_rows(
                 self.ds,
                 database,
                 table,
-                results.description,
-                rows,
+                reordered_description,
+                expanded_rows,
                 link_column=False,
                 truncate_cells=0,
                 request=request,
@@ -56,7 +487,68 @@ class RowView(DataView):
             for column in display_columns:
                 column["sortable"] = False
 
+            # Bold primary key cell values
+            for row in display_rows:
+                for cell in row:
+                    if cell["column"] in pk_set:
+                        cell["value"] = markupsafe.Markup(
+                            "<strong>{}</strong>".format(cell["value"])
+                        )
+
+            label_column = await db.label_column_for_table(table) if is_table else None
+            row_path = path_from_row_pks(rows[0], pks, False)
+            pk_path = path_from_row_pks(rows[0], pks, False, False)
+            row_label = row_label_from_label_column(expanded_rows[0], label_column)
+            for display_row in display_rows:
+                display_row.pk_path = pk_path
+                display_row.row_path = row_path
+                display_row.row_label = row_label
+
+            row_action_label = pk_path
+            if row_label and row_label != pk_path:
+                row_action_label = "{} {}".format(pk_path, row_label)
+
+            row_action_permissions = {}
+            if is_table and db.is_mutable:
+                row_action_permissions = await self.ds.allowed_many(
+                    actions=["update-row", "delete-row"],
+                    resource=TableResource(database=database, table=table),
+                    actor=request.actor,
+                )
+
             row_actions = []
+            if row_action_permissions.get("update-row"):
+                attrs = {
+                    "aria-label": "Edit row {}".format(row_action_label),
+                    "data-row": row_path,
+                    "data-row-action": "edit",
+                }
+                if row_label:
+                    attrs["data-row-label"] = row_label
+                row_actions.append(
+                    {
+                        "type": "button",
+                        "label": "Edit row",
+                        "description": "Open a dialog to edit this row.",
+                        "attrs": attrs,
+                    }
+                )
+            if row_action_permissions.get("delete-row"):
+                attrs = {
+                    "aria-label": "Delete row {}".format(row_action_label),
+                    "data-row": row_path,
+                    "data-row-action": "delete",
+                }
+                if row_label:
+                    attrs["data-row-label"] = row_label
+                row_actions.append(
+                    {
+                        "type": "button",
+                        "label": "Delete row",
+                        "description": "Open a confirmation dialog to delete this row.",
+                        "attrs": attrs,
+                    }
+                )
             for hook in pm.hook.row_actions(
                 datasette=self.ds,
                 actor=request.actor,
@@ -71,6 +563,7 @@ class RowView(DataView):
 
             return {
                 "private": private,
+                "columns": reordered_columns,
                 "foreign_key_tables": await self.foreign_key_tables(
                     database, table, pk_values
                 ),
@@ -82,6 +575,17 @@ class RowView(DataView):
                     f"_table-row-{to_css_class(database)}-{to_css_class(table)}.html",
                     "_table.html",
                 ],
+                "row_mutation_ui": any(row_action_permissions.values()),
+                "table_page_data": await _table_page_data(
+                    datasette=self.ds,
+                    request=request,
+                    db=db,
+                    database_name=database,
+                    table_name=table,
+                    is_view=not is_table,
+                    table_insert_ui=None,
+                    table_alter_ui=None,
+                ),
                 "row_actions": row_actions,
                 "top_row": make_slot_function(
                     "top_row",
@@ -104,45 +608,27 @@ class RowView(DataView):
             "primary_key_values": pk_values,
         }
 
-        # Handle _extra parameter (new style)
-        extras = _get_extras(request)
-
-        # Also support legacy _extras parameter for backward compatibility
-        if "foreign_key_tables" in (request.args.get("_extras") or "").split(","):
-            extras.add("foreign_key_tables")
+        extras = extra_names_from_request(request)
 
         # Process extras
-        if "foreign_key_tables" in extras:
-            data["foreign_key_tables"] = await self.foreign_key_tables(
-                database, table, pk_values
-            )
-
-        if "render_cell" in extras:
-            # Call render_cell plugin hook for each cell
-            rendered_rows = []
-            for row in rows:
-                rendered_row = {}
-                for value, column in zip(row, columns):
-                    # Call render_cell plugin hook
-                    plugin_display_value = None
-                    for candidate in pm.hook.render_cell(
-                        row=row,
-                        value=value,
-                        column=column,
-                        table=table,
-                        pks=resolved.pks,
-                        database=database,
-                        datasette=self.ds,
-                        request=request,
-                    ):
-                        candidate = await await_me_maybe(candidate)
-                        if candidate is not None:
-                            plugin_display_value = candidate
-                            break
-                    if plugin_display_value:
-                        rendered_row[column] = str(plugin_display_value)
-                rendered_rows.append(rendered_row)
-            data["render_cell"] = rendered_rows
+        row_extra_context = RowExtraContext(
+            datasette=self.ds,
+            request=request,
+            db=db,
+            database_name=database,
+            table_name=table,
+            private=private,
+            rows=rows,
+            columns=columns,
+            pks=pks,
+            pk_values=pk_values,
+            sql=resolved.sql,
+            params=resolved.params,
+            extras=extras,
+            extra_registry=table_extra_registry,
+            foreign_key_tables=self.foreign_key_tables,
+        )
+        data.update(await resolve_row_extras(extras, row_extra_context))
 
         return (
             data,
@@ -205,6 +691,27 @@ class RowError(Exception):
         self.error = error
 
 
+ROW_FLASH_LABEL_MAX_LENGTH = 80
+
+
+def _truncated_row_flash_label(label):
+    label = " ".join(str(label).split())
+    if len(label) <= ROW_FLASH_LABEL_MAX_LENGTH:
+        return label
+    return label[: ROW_FLASH_LABEL_MAX_LENGTH - 1] + "\u2026"
+
+
+async def _row_flash_message(db, action, resolved, row=None):
+    pk_label = ", ".join(resolved.pk_values)
+    label_column = await db.label_column_for_table(resolved.table)
+    label = row_label_from_label_column(row or resolved.row, label_column)
+    if label:
+        label = _truncated_row_flash_label(label)
+    if label and label != pk_label:
+        return "{} row {} ({})".format(action, pk_label, label)
+    return "{} row {}".format(action, pk_label)
+
+
 async def _resolve_row_and_check_permission(datasette, request, permission):
     from datasette.app import DatabaseNotFound, TableNotFound, RowNotFound
 
@@ -259,6 +766,15 @@ class RowDeleteView(BaseView):
             )
         )
 
+        if request.args.get("_redirect_to_table"):
+            table_url = self.ds.urls.table(resolved.db.name, resolved.table)
+            self.ds.add_message(
+                request,
+                await _row_flash_message(resolved.db, "Deleted", resolved),
+                self.ds.INFO,
+            )
+            return Response.json({"ok": True, "redirect": str(table_url)}, status=200)
+
         return Response.json({"ok": True}, status=200)
 
 
@@ -275,9 +791,8 @@ class RowUpdateView(BaseView):
         if not ok:
             return resolved
 
-        body = await request.post_body()
         try:
-            data = json.loads(body)
+            data = await request.json()
         except json.JSONDecodeError as e:
             return _error(["Invalid JSON: {}".format(e)])
 
@@ -292,6 +807,15 @@ class RowUpdateView(BaseView):
 
         update = data["update"]
 
+        # Validate column types
+        from datasette.views.table import _validate_column_types
+
+        ct_errors = await _validate_column_types(
+            self.ds, resolved.db.name, resolved.table, [update]
+        )
+        if ct_errors:
+            return _error(ct_errors, 400)
+
         alter = data.get("alter")
         if alter and not await self.ds.allowed(
             action="alter-table",
@@ -311,11 +835,13 @@ class RowUpdateView(BaseView):
             return _error([str(e)], 400)
 
         result = {"ok": True}
+        returned_row = None
         if data.get("return"):
             results = await resolved.db.execute(
                 resolved.sql, resolved.params, truncate=True
             )
-            result["row"] = results.dicts()[0]
+            returned_row = results.dicts()[0]
+            result["row"] = returned_row
 
         await self.ds.track_event(
             UpdateRowEvent(
@@ -326,4 +852,19 @@ class RowUpdateView(BaseView):
             )
         )
 
+        if request.args.get("_message"):
+            message_row = returned_row
+            if message_row is None:
+                results = await resolved.db.execute(
+                    resolved.sql, resolved.params, truncate=True
+                )
+                message_row = results.first()
+            self.ds.add_message(
+                request,
+                await _row_flash_message(
+                    resolved.db, "Updated", resolved, row=message_row
+                ),
+                self.ds.INFO,
+            )
+
         return Response.json(result, status=200)
diff --git a/datasette/views/special.py b/datasette/views/special.py
index dbe5eab1..3245bc13 100644
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@@ -1,11 +1,14 @@
 import json
 import logging
+from datasette.jump import JumpSQL, namespace_sql_params
+from datasette.plugins import pm
 from datasette.events import LogoutEvent, LoginEvent, CreateTokenEvent
 from datasette.resources import DatabaseResource, TableResource
 from datasette.utils.asgi import Response, Forbidden
 from datasette.utils import (
     actor_matches_allow,
     add_cors_headers,
+    await_me_maybe,
     tilde_encode,
     tilde_decode,
 )
@@ -64,7 +67,7 @@ class JsonDataView(BaseView):
             context = {
                 "filename": self.filename,
                 "data": data,
-                "data_json": json.dumps(data, indent=4, default=repr),
+                "data_json": json.dumps(data, indent=2, default=repr),
             }
             # Add has_debug_permission if this view requires permissions-debug
             if self.permission == "permissions-debug":
@@ -88,6 +91,110 @@ class PatternPortfolioView(View):
         )
 
 
+class AutocompleteDebugView(BaseView):
+    name = "autocomplete_debug"
+    has_json_alternate = False
+
+    async def _suggested_tables(self, request):
+        scanned = 0
+        reached_scan_limit = False
+        suggestions = []
+        for database_name, db in self.ds.databases.items():
+            if scanned >= 100 or len(suggestions) >= 5:
+                break
+            remaining = 100 - scanned
+            results = await db.execute(
+                "select name from sqlite_master where type = 'table' order by name limit ?",
+                [remaining],
+            )
+            for row in results.rows:
+                table_name = row["name"]
+                scanned += 1
+                if scanned >= 100:
+                    reached_scan_limit = True
+                visible, _ = await self.ds.check_visibility(
+                    request.actor,
+                    action="view-table",
+                    resource=TableResource(database=database_name, table=table_name),
+                )
+                if not visible:
+                    if scanned >= 100:
+                        break
+                    continue
+                label_column = await db.label_column_for_table(table_name)
+                if label_column:
+                    suggestions.append(
+                        {
+                            "database": database_name,
+                            "table": table_name,
+                            "label_column": label_column,
+                            "url": self.ds.urls.path(
+                                "-/debug/autocomplete?"
+                                + urllib.parse.urlencode(
+                                    {
+                                        "database": database_name,
+                                        "table": table_name,
+                                    }
+                                )
+                            ),
+                        }
+                    )
+                    if len(suggestions) >= 5:
+                        break
+                if scanned >= 100:
+                    break
+        return suggestions, scanned, reached_scan_limit
+
+    async def get(self, request):
+        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
+        database_name = request.args.get("database")
+        table_name = request.args.get("table")
+        context = {
+            "database_name": database_name,
+            "table_name": table_name,
+        }
+
+        if database_name or table_name:
+            if not database_name or not table_name:
+                context["error"] = "Both database and table are required."
+            elif database_name not in self.ds.databases:
+                context["error"] = "Database not found."
+            else:
+                db = self.ds.databases[database_name]
+                if not await db.table_exists(table_name):
+                    context["error"] = "Table not found."
+                else:
+                    await self.ds.ensure_permission(
+                        action="view-table",
+                        resource=TableResource(
+                            database=database_name,
+                            table=table_name,
+                        ),
+                        actor=request.actor,
+                    )
+                    context.update(
+                        {
+                            "autocomplete_url": "{}/-/autocomplete".format(
+                                self.ds.urls.table(database_name, table_name)
+                            ),
+                            "label_column": await db.label_column_for_table(table_name),
+                        }
+                    )
+        else:
+            suggestions, scanned, reached_scan_limit = await self._suggested_tables(
+                request
+            )
+            context.update(
+                {
+                    "suggestions": suggestions,
+                    "scanned": scanned,
+                    "reached_scan_limit": reached_scan_limit,
+                }
+            )
+
+        return await self.render(["debug_autocomplete.html"], request, context)
+
+
 class AuthTokenView(BaseView):
     name = "auth_token"
     has_json_alternate = False
@@ -494,11 +601,13 @@ async def _check_permission_for_actor(ds, action, parent, child, actor):
     if action_obj.resource_class is None:
         resource_obj = None
     elif action_obj.takes_parent and action_obj.takes_child:
-        # Child-level resource (e.g., TableResource, QueryResource)
-        resource_obj = action_obj.resource_class(database=parent, table=child)
+        # Child-level resource (e.g., TableResource, QueryResource). The child
+        # argument is named differently per resource class (table, query, ...),
+        # so pass positionally - https://github.com/simonw/datasette/issues/2756
+        resource_obj = action_obj.resource_class(parent, child)
     elif action_obj.takes_parent:
         # Parent-level resource (e.g., DatabaseResource)
-        resource_obj = action_obj.resource_class(database=parent)
+        resource_obj = action_obj.resource_class(parent)
     else:
         # This shouldn't happen given validation in Action.__post_init__
         return {"error": f"Invalid action configuration: {action}"}, 500
@@ -813,9 +922,18 @@ class ApiExplorerView(BaseView):
                                 "json": {
                                     "rows": [
                                         {
-                                            column: None
-                                            for column in await db.table_columns(table)
-                                            if column not in pks
+                                            column: "<{}{}>".format(
+                                                column,
+                                                (
+                                                    " (primary key)"
+                                                    if column in (pks or ["rowid"])
+                                                    else ""
+                                                ),
+                                            )
+                                            for column in (
+                                                (["rowid"] if not pks else [])
+                                                + await db.table_columns(table)
+                                            )
                                         }
                                     ]
                                 },
@@ -880,14 +998,15 @@ class ApiExplorerView(BaseView):
             raise Forbidden("You do not have permission to view this instance")
 
         def api_path(link):
-            return "/-/api#{}".format(
+            return "{}#{}".format(
+                self.ds.urls.path("/-/api"),
                 urllib.parse.urlencode(
                     {
                         key: json.dumps(value, indent=2) if key == "json" else value
                         for key, value in link.items()
                         if key in ("path", "method", "json")
                     }
-                )
+                ),
             )
 
         return await self.render(
@@ -901,75 +1020,183 @@ class ApiExplorerView(BaseView):
         )
 
 
-class TablesView(BaseView):
+class JumpView(BaseView):
     """
-    Simple endpoint that uses the new allowed_resources() API.
-    Returns JSON list of all tables the actor can view.
-
-    Supports ?q=foo+bar to filter tables matching .*foo.*bar.* pattern,
-    ordered by shortest name first.
+    Endpoint for the jump menu. Returns JSON navigation items the actor can use.
     """
 
-    name = "tables"
+    name = "jump"
     has_json_alternate = False
 
-    async def get(self, request):
-        # Get search query parameter
-        q = request.args.get("q", "").strip()
+    async def _fragments(self, request):
+        fragments = []
+        for hook in pm.hook.jump_items_sql(
+            datasette=self.ds,
+            actor=request.actor,
+            request=request,
+        ):
+            value = await await_me_maybe(hook)
+            if value is None:
+                continue
+            if isinstance(value, JumpSQL):
+                fragments.append(value)
+            elif isinstance(value, (list, tuple)):
+                for fragment in value:
+                    if fragment is not None:
+                        assert isinstance(
+                            fragment, JumpSQL
+                        ), "jump_items_sql must return JumpSQL instances"
+                        fragments.append(fragment)
+            else:
+                raise TypeError("jump_items_sql must return JumpSQL instances")
+        return fragments
 
-        # Get SQL for allowed resources using the permission system
-        permission_sql, params = await self.ds.allowed_resources_sql(
-            action="view-table", actor=request.actor
-        )
+    def _resolve_url(self, url):
+        if not url or url.startswith("/"):
+            return url
 
-        # Build query based on whether we have a search query
-        if q:
-            # Build SQL LIKE pattern from search terms
-            # Split search terms by whitespace and build pattern: %term1%term2%term3%
-            terms = q.split()
-            pattern = "%" + "%".join(terms) + "%"
+        descriptor = json.loads(url)
+        if not isinstance(descriptor, dict):
+            raise TypeError("jump item url JSON must be an object")
+        method_name = descriptor.get("method")
+        if not isinstance(method_name, str) or not method_name:
+            raise TypeError("jump item url JSON must include a method")
+        if method_name.startswith("_"):
+            raise AttributeError(f"datasette.urls has no method named {method_name!r}")
+        try:
+            method = getattr(self.ds.urls, method_name)
+        except AttributeError as ex:
+            raise AttributeError(
+                f"datasette.urls has no method named {method_name!r}"
+            ) from ex
+        if not callable(method):
+            raise TypeError(f"datasette.urls.{method_name} is not callable")
+        kwargs = {key: value for key, value in descriptor.items() if key != "method"}
+        try:
+            return method(**kwargs)
+        except TypeError as ex:
+            raise TypeError(
+                f"Invalid arguments for datasette.urls.{method_name}(): {ex}"
+            ) from ex
 
-            # Build query with CTE to filter by search pattern
-            sql = f"""
-            WITH allowed_tables AS (
-                {permission_sql}
-            )
-            SELECT parent, child
-            FROM allowed_tables
-            WHERE child LIKE :pattern COLLATE NOCASE
-            ORDER BY length(child), child
-            """
-            all_params = {**params, "pattern": pattern}
+    def _sort_key(self, row, q):
+        display_label = row["display_name"] or row["label"]
+        display_label_lower = display_label.lower()
+        q_lower = q.lower()
+        if display_label_lower == q_lower:
+            relevance = 0
+        elif display_label_lower.startswith(q_lower):
+            relevance = 1
         else:
-            # No search query - return all tables, ordered by name
-            # Fetch 101 to detect if we need to truncate
-            sql = f"""
-            WITH allowed_tables AS (
-                {permission_sql}
+            relevance = 2
+        type_sort = {
+            "database": 10,
+            "table": 20,
+            "view": 25,
+            "query": 30,
+        }.get(row["type"], 50)
+        return (relevance, type_sort, len(display_label), row["label"])
+
+    async def _rows_for_database(self, database_name, indexed_fragments, q, pattern):
+        params = {"q": q, "pattern": pattern}
+        union_parts = []
+        for index, fragment in indexed_fragments:
+            fragment_sql, fragment_params = namespace_sql_params(
+                fragment.sql,
+                fragment.params or {},
+                f"jump_{index}",
             )
-            SELECT parent, child
-            FROM allowed_tables
-            ORDER BY parent, child
-            LIMIT 101
-            """
-            all_params = params
+            union_parts.append(f"""
+                SELECT
+                    type,
+                    label,
+                    description,
+                    url,
+                    search_text,
+                    display_name
+                FROM (
+                    {fragment_sql}
+                )
+            """)
+            params.update(fragment_params)
+        sql = f"""
+        WITH jump_items AS (
+            {" UNION ALL ".join(union_parts)}
+        )
+        SELECT
+            type,
+            label,
+            description,
+            url,
+            search_text,
+            display_name
+        FROM jump_items
+        WHERE :q = ''
+           OR search_text LIKE :pattern COLLATE NOCASE
+        ORDER BY
+            CASE
+                WHEN lower(COALESCE(display_name, label)) = lower(:q) THEN 0
+                WHEN lower(COALESCE(display_name, label)) LIKE lower(:q || '%') THEN 1
+                ELSE 2
+            END,
+            CASE type
+                WHEN 'database' THEN 10
+                WHEN 'table' THEN 20
+                WHEN 'view' THEN 25
+                WHEN 'query' THEN 30
+                ELSE 50
+            END,
+            length(COALESCE(display_name, label)),
+            label
+        LIMIT 101
+        """
+        db = (
+            self.ds.get_internal_database()
+            if database_name is None
+            else self.ds.get_database(database_name)
+        )
+        result = await db.execute(sql, params)
+        return list(result.rows)
 
-        # Execute against internal database
-        result = await self.ds.get_internal_database().execute(sql, all_params)
+    async def get(self, request):
+        q = request.args.get("q", "").strip()
+        terms = q.split()
+        pattern = "%" + "%".join(terms) + "%" if terms else "%"
+        fragments = await self._fragments(request)
 
-        # Build response with truncation
-        rows = list(result.rows)
-        truncated = len(rows) > 100
-        if truncated:
+        fragments_by_database = {}
+        for index, fragment in enumerate(fragments):
+            fragments_by_database.setdefault(fragment.database, []).append(
+                (index, fragment)
+            )
+
+        rows = []
+        truncated = False
+        for database_name, indexed_fragments in fragments_by_database.items():
+            database_rows = await self._rows_for_database(
+                database_name, indexed_fragments, q, pattern
+            )
+            if len(database_rows) > 100:
+                truncated = True
+                database_rows = database_rows[:100]
+            rows.extend(database_rows)
+        rows.sort(key=lambda row: self._sort_key(row, q))
+
+        if len(rows) > 100:
+            truncated = True
             rows = rows[:100]
 
-        matches = [
-            {
-                "name": f"{row['parent']}: {row['child']}",
-                "url": self.ds.urls.table(row["parent"], row["child"]),
+        matches = []
+        for row in rows:
+            match = {
+                "name": row["label"],
+                "url": self._resolve_url(row["url"]),
+                "type": row["type"],
+                "description": row["description"],
             }
-            for row in rows
-        ]
+            if row["display_name"]:
+                match["display_name"] = row["display_name"]
+            matches.append(match)
 
         return Response.json({"matches": matches, "truncated": truncated})
 
diff --git a/datasette/views/stored_queries.py b/datasette/views/stored_queries.py
new file mode 100644
index 00000000..2753f876
--- /dev/null
+++ b/datasette/views/stored_queries.py
@@ -0,0 +1,644 @@
+from urllib.parse import parse_qsl, urlencode
+
+from datasette.resources import DatabaseResource, QueryResource
+from datasette.stored_queries import stored_query_to_dict
+from datasette.utils import sqlite3, tilde_decode
+from datasette.utils.asgi import Response
+
+from .base import BaseView, _error
+from .query_helpers import (
+    QueryValidationError,
+    _as_bool,
+    _as_optional_bool,
+    _block_framing,
+    _derived_query_parameters,
+    _json_or_form_payload,
+    _prepare_query_create,
+    _prepare_query_update,
+    _query_create_analysis_data,
+    _query_create_form_context,
+    _query_create_form_error_message,
+    _query_edit_form_context,
+    _query_list_limit,
+)
+
+
+class QueryParametersView(BaseView):
+    name = "query-parameters"
+    has_json_alternate = False
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        if not await self.ds.allowed(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _block_framing(_error(["Permission denied: need execute-sql"], 403))
+
+        invalid_keys = set(request.args) - {"sql"}
+        if invalid_keys:
+            return _block_framing(
+                _error(
+                    ["Invalid keys: {}".format(", ".join(sorted(invalid_keys)))],
+                    400,
+                )
+            )
+        try:
+            parameters = _derived_query_parameters(request.args.get("sql") or "")
+        except QueryValidationError as ex:
+            return _block_framing(_error([ex.message], ex.status))
+        return _block_framing(Response.json({"ok": True, "parameters": parameters}))
+
+
+def _query_list_url(path, query_string, *, set_args=None, remove_args=None):
+    set_args = set_args or {}
+    remove_args = set(remove_args or ())
+    skip = set(set_args) | remove_args | {"_next"}
+    pairs = [
+        (key, value)
+        for key, value in parse_qsl(query_string, keep_blank_values=True)
+        if key not in skip
+    ]
+    for key, value in set_args.items():
+        if value not in (None, ""):
+            pairs.append((key, value))
+    return path + (("?" + urlencode(pairs)) if pairs else "")
+
+
+class QueryListView(BaseView):
+    name = "query-list"
+
+    async def database_name(self, request):
+        return (await self.ds.resolve_database(request)).name
+
+    def query_list_path(self, database):
+        return self.ds.urls.database(database) + "/-/queries"
+
+    async def get(self, request):
+        database = await self.database_name(request)
+        format_ = request.url_vars.get("format") or "html"
+        try:
+            limit = _query_list_limit(
+                request.args.get("_size"),
+                default=20 if format_ == "html" else 50,
+            )
+            is_write = _as_optional_bool(request.args.get("is_write"), "is_write")
+            is_private = _as_optional_bool(request.args.get("is_private"), "is_private")
+        except QueryValidationError as ex:
+            return _error([ex.message], ex.status)
+
+        page = await self.ds.list_queries(
+            database,
+            actor=request.actor,
+            limit=limit,
+            cursor=request.args.get("_next"),
+            q=request.args.get("q") or None,
+            is_write=is_write,
+            is_private=is_private,
+            source=request.args.get("source") or None,
+            owner_id=request.args.get("owner_id") or None,
+            include_private=True,
+        )
+        query_list_path = self.query_list_path(database)
+        next_url = None
+        if page.next:
+            pairs = [
+                (key, value)
+                for key, value in parse_qsl(
+                    request.query_string, keep_blank_values=True
+                )
+                if key != "_next"
+            ]
+            pairs.append(("_next", page.next))
+            next_url = "{}?{}".format(
+                query_list_path,
+                urlencode(pairs),
+            )
+
+        current_filters = {
+            "actor": request.actor,
+            "q": request.args.get("q") or None,
+            "is_write": is_write,
+            "is_private": is_private,
+            "source": request.args.get("source") or None,
+            "owner_id": request.args.get("owner_id") or None,
+        }
+
+        async def facet_count(field, value):
+            if current_filters[field] is not None and current_filters[field] != value:
+                return 0
+            filters = dict(current_filters)
+            filters[field] = value
+            return await self.ds.count_queries(database, **filters)
+
+        def facet_href(field, value):
+            if current_filters[field] == value:
+                return _query_list_url(
+                    query_list_path,
+                    request.query_string,
+                    remove_args=[field],
+                )
+            if current_filters[field] is not None:
+                return None
+            return _query_list_url(
+                query_list_path,
+                request.query_string,
+                set_args={field: str(int(value))},
+            )
+
+        async def facet_item(label, field, value):
+            count = await facet_count(field, value)
+            active = current_filters[field] == value
+            if not active and not count:
+                return None
+            return {
+                "label": label,
+                "count": count,
+                "href": facet_href(field, value) if active or count else None,
+                "active": active,
+            }
+
+        async def facet_items(items):
+            return [
+                item
+                for item in [
+                    await facet_item(label, field, value)
+                    for label, field, value in items
+                ]
+                if item is not None
+            ]
+
+        facets = [
+            {
+                "title": "Mode",
+                "items": await facet_items(
+                    [
+                        ("Read-only", "is_write", False),
+                        ("Writable", "is_write", True),
+                    ]
+                ),
+            },
+            {
+                "title": "Visibility",
+                "items": await facet_items(
+                    [
+                        ("Not private", "is_private", False),
+                        ("Private", "is_private", True),
+                    ]
+                ),
+            },
+        ]
+
+        data = {
+            "ok": True,
+            "database": database,
+            "database_color": (
+                self.ds.get_database(database).color if database is not None else None
+            ),
+            "queries": page.queries,
+            "next": page.next,
+            "next_url": next_url,
+            "has_more": page.has_more,
+            "limit": page.limit,
+            "show_private_note": any(query.is_private for query in page.queries),
+            "show_trusted_note": any(query.is_trusted for query in page.queries),
+            "query_list_path": query_list_path,
+            "show_database": database is None,
+            "facets": facets,
+            "filters": {
+                "q": request.args.get("q") or "",
+                "is_write": request.args.get("is_write") or "",
+                "is_private": request.args.get("is_private") or "",
+                "source": request.args.get("source") or "",
+                "owner_id": request.args.get("owner_id") or "",
+            },
+        }
+        if format_ == "json":
+            return Response.json(
+                {
+                    **data,
+                    "queries": [stored_query_to_dict(query) for query in page.queries],
+                }
+            )
+        return await self.render(
+            ["query_list.html"],
+            request,
+            data,
+        )
+
+
+class GlobalQueryListView(QueryListView):
+    name = "global-query-list"
+
+    async def database_name(self, request):
+        return None
+
+    def query_list_path(self, database):
+        return self.ds.urls.path("/-/queries")
+
+
+class QueryCreateView(BaseView):
+    name = "query-create"
+    has_json_alternate = False
+
+    async def _render_form(
+        self,
+        request,
+        db,
+        *,
+        sql="",
+        name="",
+        title="",
+        description="",
+        is_private=True,
+        status=200,
+    ):
+        response = await self.render(
+            ["query_create.html"],
+            request,
+            await _query_create_form_context(
+                self.ds,
+                request,
+                db,
+                sql=sql,
+                name=name,
+                title=title,
+                description=description,
+                is_private=is_private,
+            ),
+        )
+        response.status = status
+        return response
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        await self.ds.ensure_permission(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        )
+        await self.ds.ensure_permission(
+            action="store-query",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        )
+
+        return await self._render_form(request, db, sql=request.args.get("sql") or "")
+
+
+class QueryCreateAnalyzeView(BaseView):
+    name = "query-create-analyze"
+    has_json_alternate = False
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        if not await self.ds.allowed(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _block_framing(_error(["Permission denied: need execute-sql"], 403))
+        if not await self.ds.allowed(
+            action="store-query",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _block_framing(_error(["Permission denied: need store-query"], 403))
+
+        invalid_keys = set(request.args) - {"sql"}
+        if invalid_keys:
+            return _block_framing(
+                _error(
+                    ["Invalid keys: {}".format(", ".join(sorted(invalid_keys)))],
+                    400,
+                )
+            )
+        sql = request.args.get("sql") or ""
+        return _block_framing(
+            Response.json(
+                await _query_create_analysis_data(self.ds, db, sql, request.actor)
+            )
+        )
+
+
+class QueryStoreView(QueryCreateView):
+    name = "query-store"
+
+    async def _error_response(self, request, db, query_data, message, status):
+        message = _query_create_form_error_message(message)
+        self.ds.add_message(request, message, self.ds.ERROR)
+        return await self._render_form(
+            request,
+            db,
+            sql=query_data.get("sql") or "",
+            name=query_data.get("name") or "",
+            title=query_data.get("title") or "",
+            description=query_data.get("description") or "",
+            is_private=_as_bool(query_data.get("is_private", True)),
+            status=status,
+        )
+
+    async def post(self, request):
+        db = await self.ds.resolve_database(request)
+        if not await self.ds.allowed(
+            action="execute-sql",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need execute-sql"], 403)
+        if not await self.ds.allowed(
+            action="store-query",
+            resource=DatabaseResource(db.name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need store-query"], 403)
+
+        is_json = False
+        query_data = {}
+        try:
+            data, is_json = await _json_or_form_payload(request)
+            if not isinstance(data, dict):
+                raise QueryValidationError("JSON must be a dictionary")
+            query_data = data.get("query") if is_json else data
+            if not isinstance(query_data, dict):
+                raise QueryValidationError("JSON must contain a query dictionary")
+            prepared = await _prepare_query_create(self.ds, request, db, query_data)
+        except QueryValidationError as ex:
+            if not is_json and isinstance(query_data, dict):
+                return await self._error_response(
+                    request, db, query_data, ex.message, ex.status
+                )
+            return _error([ex.message], ex.status)
+
+        prepared.pop("analysis")
+        name = prepared.pop("name")
+        try:
+            await self.ds.add_query(db.name, name, replace=False, **prepared)
+        except sqlite3.IntegrityError as ex:
+            if not is_json and isinstance(query_data, dict):
+                return await self._error_response(request, db, query_data, str(ex), 400)
+            return _error([str(ex)], 400)
+
+        query = await self.ds.get_query(db.name, name)
+        assert query is not None
+        if is_json:
+            return Response.json(
+                {"ok": True, "query": stored_query_to_dict(query)}, status=201
+            )
+        self.ds.add_message(request, "Query saved", self.ds.INFO)
+        return Response.redirect(self.ds.urls.path(self.ds.urls.table(db.name, name)))
+
+
+class QueryDefinitionView(BaseView):
+    name = "query-definition"
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        query_name = tilde_decode(request.url_vars["query"])
+        query = await self.ds.get_query(db.name, query_name)
+        if query is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        if not await self.ds.allowed(
+            action="view-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied"], 403)
+        return Response.json({"ok": True, "query": stored_query_to_dict(query)})
+
+
+class QueryUpdateView(BaseView):
+    name = "query-update"
+
+    async def post(self, request):
+        db = await self.ds.resolve_database(request)
+        query_name = tilde_decode(request.url_vars["query"])
+        existing = await self.ds.get_query(db.name, query_name)
+        if existing is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        if not await self.ds.allowed(
+            action="update-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need update-query"], 403)
+        if existing.is_trusted:
+            return _error(["Trusted queries cannot be updated using the API"], 403)
+
+        try:
+            data, _ = await _json_or_form_payload(request)
+            if not isinstance(data, dict):
+                raise QueryValidationError("JSON must be a dictionary")
+            invalid_keys = set(data) - {"update", "return"}
+            if invalid_keys:
+                raise QueryValidationError(
+                    "Invalid keys: {}".format(", ".join(invalid_keys))
+                )
+            update = data.get("update")
+            if not isinstance(update, dict):
+                raise QueryValidationError("JSON must contain an update dictionary")
+            if "sql" in update and not await self.ds.allowed(
+                action="execute-sql",
+                resource=DatabaseResource(db.name),
+                actor=request.actor,
+            ):
+                raise QueryValidationError(
+                    "Permission denied: need execute-sql", status=403
+                )
+            update_kwargs = await _prepare_query_update(
+                self.ds, request, db, existing, update
+            )
+        except QueryValidationError as ex:
+            return _error([ex.message], ex.status)
+
+        await self.ds.update_query(db.name, query_name, **update_kwargs)
+        if data.get("return"):
+            query = await self.ds.get_query(db.name, query_name)
+            assert query is not None
+            return Response.json(
+                {
+                    "ok": True,
+                    "query": stored_query_to_dict(query),
+                }
+            )
+        return Response.json({"ok": True})
+
+
+class QueryEditView(BaseView):
+    name = "query-edit"
+    has_json_alternate = False
+
+    async def _load(self, request):
+        db = await self.ds.resolve_database(request)
+        query_name = tilde_decode(request.url_vars["query"])
+        existing = await self.ds.get_query(db.name, query_name)
+        return db, query_name, existing
+
+    async def _render_form(
+        self,
+        request,
+        db,
+        existing,
+        *,
+        sql=None,
+        title=None,
+        description=None,
+        is_private=None,
+        status=200,
+    ):
+        response = await self.render(
+            ["query_edit.html"],
+            request,
+            await _query_edit_form_context(
+                self.ds,
+                request,
+                db,
+                existing,
+                sql=sql,
+                title=title,
+                description=description,
+                is_private=is_private,
+            ),
+        )
+        response.status = status
+        return response
+
+    async def get(self, request):
+        db, query_name, existing = await self._load(request)
+        if existing is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        await self.ds.ensure_permission(
+            action="update-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        )
+        if existing.is_trusted:
+            return _error(["Trusted queries cannot be edited"], 403)
+        return await self._render_form(request, db, existing)
+
+    async def post(self, request):
+        db, query_name, existing = await self._load(request)
+        if existing is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        if not await self.ds.allowed(
+            action="update-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need update-query"], 403)
+        if existing.is_trusted:
+            return _error(["Trusted queries cannot be edited"], 403)
+
+        data, _ = await _json_or_form_payload(request)
+        if not isinstance(data, dict):
+            return _error(["Invalid form submission"], 400)
+        sql = data.get("sql")
+        sql = existing.sql if sql is None else sql.strip()
+        title = data.get("title") or ""
+        description = data.get("description") or ""
+        is_private = _as_bool(data.get("is_private"))
+
+        update = {
+            "title": title,
+            "description": description,
+            "is_private": is_private,
+        }
+        if sql != existing.sql:
+            if not await self.ds.allowed(
+                action="execute-sql",
+                resource=DatabaseResource(db.name),
+                actor=request.actor,
+            ):
+                self.ds.add_message(
+                    request,
+                    "Permission denied: need execute-sql to change the SQL",
+                    self.ds.ERROR,
+                )
+                return await self._render_form(
+                    request,
+                    db,
+                    existing,
+                    sql=sql,
+                    title=title,
+                    description=description,
+                    is_private=is_private,
+                    status=403,
+                )
+            update["sql"] = sql
+
+        try:
+            update_kwargs = await _prepare_query_update(
+                self.ds, request, db, existing, update
+            )
+        except QueryValidationError as ex:
+            self.ds.add_message(request, ex.message, self.ds.ERROR)
+            return await self._render_form(
+                request,
+                db,
+                existing,
+                sql=sql,
+                title=title,
+                description=description,
+                is_private=is_private,
+                status=ex.status,
+            )
+
+        await self.ds.update_query(db.name, query_name, **update_kwargs)
+        self.ds.add_message(request, "Query updated", self.ds.INFO)
+        return Response.redirect(
+            self.ds.urls.path(self.ds.urls.table(db.name, query_name))
+        )
+
+
+class QueryDeleteView(BaseView):
+    name = "query-delete"
+    has_json_alternate = False
+
+    async def _load(self, request):
+        db = await self.ds.resolve_database(request)
+        query_name = tilde_decode(request.url_vars["query"])
+        existing = await self.ds.get_query(db.name, query_name)
+        return db, query_name, existing
+
+    async def get(self, request):
+        db, query_name, existing = await self._load(request)
+        if existing is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        await self.ds.ensure_permission(
+            action="delete-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        )
+        return await self.render(
+            ["query_delete.html"],
+            request,
+            {
+                "database": db.name,
+                "database_color": db.color,
+                "query": stored_query_to_dict(existing),
+                "query_url": self.ds.urls.table(db.name, query_name),
+            },
+        )
+
+    async def post(self, request):
+        db, query_name, existing = await self._load(request)
+        if existing is None:
+            return _error(["Query not found: {}".format(query_name)], 404)
+        if not await self.ds.allowed(
+            action="delete-query",
+            resource=QueryResource(db.name, query_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need delete-query"], 403)
+
+        data, is_json = await _json_or_form_payload(request)
+        await self.ds.remove_query(db.name, query_name)
+        if is_json:
+            return Response.json({"ok": True})
+        self.ds.add_message(
+            request,
+            "Query “{}” deleted".format(existing.title or query_name),
+            self.ds.INFO,
+        )
+        return Response.redirect(self.ds.urls.path(self.ds.urls.database(db.name)))
diff --git a/datasette/views/table.py b/datasette/views/table.py
index e1e5507f..1fc151e6 100644
--- a/datasette/views/table.py
+++ b/datasette/views/table.py
@@ -2,18 +2,20 @@ import asyncio
 import itertools
 import json
 import urllib
+import urllib.parse
 
-from asyncinject import Registry
 import markupsafe
 
+from datasette.column_types import SQLiteType
+from datasette.extras import extra_names_from_request
 from datasette.plugins import pm
-from datasette.database import QueryInterrupted
 from datasette.events import (
     AlterTableEvent,
     DropTableEvent,
     InsertRowsEvent,
     UpsertRowsEvent,
 )
+from datasette.database import QueryInterrupted
 from datasette import tracer
 from datasette.resources import DatabaseResource, TableResource
 from datasette.utils import (
@@ -41,11 +43,177 @@ from datasette.utils import (
     InvalidSql,
     sqlite3,
 )
-from datasette.utils.asgi import BadRequest, Forbidden, NotFound, Response
+from datasette.utils.asgi import BadRequest, Forbidden, NotFound, Request, Response
 from datasette.filters import Filters
 import sqlite_utils
+from dataclasses import dataclass, field
+
+from datasette.extras import ExtraScope
+from . import Context, from_extra
 from .base import BaseView, DatasetteError, _error, stream_csv
 from .database import QueryView
+from .table_create_alter import (
+    ALTER_TABLE_COLUMN_TYPES,
+    ALTER_TABLE_TYPE_FOR_SQLITE_TYPE,
+    _custom_column_type_options_for_create_table,
+    default_expr_for_sql,
+    default_expression_options,
+)
+from .table_extras import (
+    TABLE_EXTRA_BUNDLES,
+    TableExtraContext,
+    precompute_database_action_permissions,
+    precompute_table_action_permissions,
+    resolve_table_extras,
+    table_extra_registry,
+)
+
+
+@dataclass
+class TableContext(Context):
+    "The page showing the rows in a table or SQL view, e.g. /fixtures/facetable."
+
+    documented_template = "table.html"
+    extras_scope = ExtraScope.TABLE
+
+    # Fields resolved by registered extras - their documentation comes
+    # from the description on each Extra class in table_extras.py
+    actions: callable = from_extra()
+    all_columns: list = from_extra()
+    columns: list = from_extra()
+    count: int = from_extra()
+    count_sql: str = from_extra()
+    custom_table_templates: list = from_extra()
+    database: str = from_extra()
+    database_color: str = from_extra()
+    display_columns: list = from_extra()
+    display_rows: list = from_extra()
+    expandable_columns: list = from_extra()
+    facet_results: dict = from_extra()
+    facets_timed_out: list = from_extra()
+    filters: Filters = from_extra()
+    form_hidden_args: list = from_extra()
+    human_description_en: str = from_extra()
+    is_view: bool = from_extra()
+    metadata: dict = from_extra()
+    next_url: str = from_extra()
+    primary_keys: list = from_extra()
+    private: bool = from_extra()
+    query: dict = from_extra()
+    renderers: dict = from_extra()
+    set_column_type_ui: dict = from_extra()
+    sorted_facet_results: list = from_extra()
+    suggested_facets: list = from_extra()
+    table: str = from_extra()
+    table_definition: str = from_extra()
+    view_definition: str = from_extra()
+
+    # Fields added by the view code
+    ok: bool = field(
+        metadata={"help": "True if the data for this page was retrieved without errors"}
+    )
+    next: str = field(metadata={"help": "Pagination token for the next page, or None"})
+    count_truncated: bool = field(
+        metadata={
+            "help": "True if ``count`` is a capped lower bound rather than an exact total, because Datasette stopped counting after its configured row-count limit."
+        }
+    )
+    rows: list = field(
+        metadata={
+            "help": "The rows for this page, as a list of dictionaries mapping column name to raw value."
+        }
+    )
+    filter_columns: list = field(
+        metadata={
+            "help": "List of column names offered by the filter interface, including currently displayed columns and any hidden columns that can still be filtered."
+        }
+    )
+    supports_search: bool = field(
+        metadata={"help": "True if this table has full-text search configured"}
+    )
+    extra_wheres_for_ui: list = field(
+        metadata={
+            "help": "Extra where clauses from ``?_where=`` for display in the UI. Each item has ``text`` for the SQL fragment and ``remove_url`` for a URL that removes that fragment."
+        }
+    )
+    url_csv: str = field(metadata={"help": "URL for the CSV export of this page"})
+    url_csv_path: str = field(metadata={"help": "Path portion of the CSV export URL"})
+    url_csv_hidden_args: list = field(
+        metadata={
+            "help": "List of ``(name, value)`` pairs for hidden form fields used by the CSV export form, preserving current filters while forcing ``_size=max``."
+        }
+    )
+    sort: str = field(metadata={"help": "Column the page is sorted by, or None"})
+    sort_desc: str = field(
+        metadata={"help": "Column the page is sorted by in descending order, or None"}
+    )
+    append_querystring: callable = field(
+        metadata={
+            "help": "Function ``append_querystring(url, querystring)`` that appends additional query string arguments to a URL, using ``?`` or ``&`` as appropriate."
+        }
+    )
+    path_with_replaced_args: callable = field(
+        metadata={
+            "help": "Function for building the current path with modified query string arguments. Pass the current ``request`` and a dictionary of argument names to replacement values, using ``None`` to remove an argument."
+        }
+    )
+    fix_path: callable = field(
+        metadata={
+            "help": "Function that applies the configured ``base_url`` prefix to a path."
+        }
+    )
+    settings: dict = field(
+        metadata={
+            "help": "Dictionary of Datasette's current settings, keyed by setting name."
+        }
+    )
+    alternate_url_json: str = field(
+        metadata={"help": "URL for the JSON version of this page"}
+    )
+    datasette_allow_facet: str = field(
+        metadata={
+            "help": 'The string "true" or "false" reflecting the allow_facet setting'
+        }
+    )
+    is_sortable: bool = field(
+        metadata={"help": "True if any of the displayed columns can be used to sort"}
+    )
+    allow_execute_sql: bool = field(
+        metadata={
+            "help": "True if the current actor can execute custom SQL against this database"
+        }
+    )
+    query_ms: float = field(
+        metadata={
+            "help": "Time taken by the SQL queries for this page, in milliseconds"
+        }
+    )
+    select_templates: list = field(
+        metadata={
+            "help": "List of template names that were considered for this page, with the selected template prefixed by ``*``."
+        }
+    )
+    top_table: callable = field(
+        metadata={
+            "help": "Async callable that renders the ``top_table`` plugin slot for this table or view and returns HTML."
+        }
+    )
+    table_page_data: dict = field(
+        metadata={
+            "help": "JSON data used by JavaScript on the table page. Includes ``database``, ``table`` and ``tableUrl``, plus optional ``foreignKeys`` mapping column names to autocomplete URLs, optional ``insertRow`` data and optional ``alterTable`` data."
+        }
+    )
+    table_insert_ui: dict = field(
+        metadata={
+            "help": "Information needed to enable the row insertion UI, or ``None`` if row insertion is not available to the current actor. When present it has ``path``, ``tableName``, ``columns`` and ``primaryKeys`` keys; each column includes ``name``, ``sqlite_type``, ``notnull``, ``default``, ``has_default``, ``is_pk``, ``value_kind`` and ``column_type`` keys."
+        }
+    )
+    table_alter_ui: dict = field(
+        metadata={
+            "help": "Information needed to enable the alter table UI, or ``None`` if altering this table is not available to the current actor. When present it has ``path``, ``tableName``, ``columns``, ``primaryKeys``, ``columnTypes``, ``defaultExpressions`` and ``foreignKeyTargetsPath`` keys, plus optional ``customColumnTypes`` and ``dropPath`` keys."
+        }
+    )
+
 
 LINK_WITH_LABEL = (
     '<a href="{base_url}{database}/{table}/{link_id}">{label}</a>&nbsp;<em>{id}</em>'
@@ -54,8 +222,17 @@ LINK_WITH_VALUE = '<a href="{base_url}{database}/{table}/{link_id}">{id}</a>'
 
 
 class Row:
-    def __init__(self, cells):
+    def __init__(
+        self,
+        cells,
+        pk_path=None,
+        row_path=None,
+        row_label=None,
+    ):
         self.cells = cells
+        self.pk_path = pk_path
+        self.row_path = row_path
+        self.row_label = row_label
 
     def __iter__(self):
         return iter(self.cells)
@@ -82,6 +259,20 @@ class Row:
         return json.dumps(d, default=repr, indent=2)
 
 
+def row_label_from_label_column(row, label_column):
+    if not label_column:
+        return None
+    try:
+        value = row[label_column]
+    except (KeyError, IndexError):
+        return None
+    if isinstance(value, dict):
+        value = value.get("label")
+    if value is None or value == "":
+        return None
+    return str(value)
+
+
 async def run_sequential(*args):
     # This used to be swappable for asyncio.gather() to run things in
     # parallel, but this lead to hard-to-debug locking issues with
@@ -92,6 +283,66 @@ async def run_sequential(*args):
     return results
 
 
+def _exact_filter_key(column):
+    if column.startswith("_"):
+        return f"{column}__exact"
+    return column
+
+
+def _request_with_query_string(request, query_string):
+    scope = dict(request.scope)
+    scope["query_string"] = query_string.encode("latin-1")
+    return Request(scope, request.receive)
+
+
+async def _fragment_request_for_row(request, resolved):
+    row_path = request.args.get("_row")
+    if not row_path:
+        return request
+    if resolved.is_view:
+        raise BadRequest("_row is not supported for views")
+
+    pks = await resolved.db.primary_keys(resolved.table)
+    row_pks = pks or ["rowid"]
+    pk_values = urlsafe_components(row_path)
+    if len(pk_values) != len(row_pks):
+        raise BadRequest("_row does not match the primary key for this table")
+
+    row_pk_filter_keys = {
+        key
+        for pk in row_pks
+        for key in {
+            _exact_filter_key(pk),
+            f"{pk}__exact",
+        }
+    }
+    args = [
+        (key, value)
+        for key, value in urllib.parse.parse_qsl(
+            request.query_string, keep_blank_values=True
+        )
+        if key
+        not in {
+            "_row",
+            "_next",
+            "_nocount",
+            "_nofacet",
+            "_nosuggest",
+        }.union(row_pk_filter_keys)
+    ]
+    args.extend(
+        [(_exact_filter_key(pk), value) for pk, value in zip(row_pks, pk_values)]
+    )
+    args.extend(
+        [
+            ("_nocount", "1"),
+            ("_nofacet", "1"),
+            ("_nosuggest", "1"),
+        ]
+    )
+    return _request_with_query_string(request, urllib.parse.urlencode(args))
+
+
 def _redirect(datasette, request, path, forward_querystring=True, remove_args=None):
     if request.query_string and "?" not in path and forward_querystring:
         path = f"{path}?{request.query_string}"
@@ -134,6 +385,227 @@ async def _redirect_if_needed(datasette, request, resolved):
         )
 
 
+async def _validate_column_types(datasette, database_name, table_name, rows):
+    """Validate row values against assigned column types. Returns list of error strings."""
+    ct_map = await datasette.get_column_types(database_name, table_name)
+    if not ct_map:
+        return []
+    errors = []
+    for row in rows:
+        for col_name, ct in ct_map.items():
+            if col_name not in row:
+                continue
+            error = await ct.validate(row[col_name], datasette)
+            if error:
+                errors.append(f"{col_name}: {error}")
+    return errors
+
+
+def _column_value_kind_for_insert_form(column_detail):
+    sqlite_type = SQLiteType.from_declared_type(column_detail.type)
+    if sqlite_type in (SQLiteType.INTEGER, SQLiteType.REAL):
+        return "number"
+    return "string"
+
+
+def _column_sqlite_type_for_insert_form(column_detail):
+    sqlite_type = SQLiteType.from_declared_type(column_detail.type)
+    return sqlite_type.value if sqlite_type is not None else None
+
+
+async def _foreign_key_autocomplete_urls(
+    datasette, request, db, database_name, table_name
+):
+    autocomplete_urls = {}
+    for fk in await db.foreign_keys_for_table(table_name):
+        if not await db.table_exists(fk["other_table"]):
+            continue
+        other_pks = await db.primary_keys(fk["other_table"])
+        other_column = fk["other_column"]
+        if other_column is None and len(other_pks) == 1:
+            other_column = other_pks[0]
+        if len(other_pks) != 1 or other_column != other_pks[0]:
+            continue
+        visible, _ = await datasette.check_visibility(
+            request.actor,
+            action="view-table",
+            resource=TableResource(database=database_name, table=fk["other_table"]),
+        )
+        if not visible:
+            continue
+        autocomplete_urls[fk["column"]] = "{}/-/autocomplete".format(
+            datasette.urls.table(database_name, fk["other_table"])
+        )
+    return autocomplete_urls
+
+
+async def _table_page_data(
+    datasette,
+    request,
+    db,
+    database_name,
+    table_name,
+    is_view,
+    table_insert_ui,
+    table_alter_ui,
+):
+    data = {
+        "database": database_name,
+        "table": table_name,
+        "tableUrl": datasette.urls.table(database_name, table_name),
+    }
+    if table_insert_ui:
+        data["insertRow"] = table_insert_ui
+    if table_alter_ui:
+        data["alterTable"] = table_alter_ui
+    if not is_view:
+        foreign_keys = await _foreign_key_autocomplete_urls(
+            datasette, request, db, database_name, table_name
+        )
+        if foreign_keys:
+            data["foreignKeys"] = foreign_keys
+    return data
+
+
+async def _table_insert_ui(
+    datasette, request, db, database_name, table_name, is_view, pks
+):
+    if is_view or not db.is_mutable:
+        return None
+
+    if not await datasette.allowed(
+        action="insert-row",
+        resource=TableResource(database=database_name, table=table_name),
+        actor=request.actor,
+    ):
+        return None
+
+    column_types_map = await datasette.get_column_types(database_name, table_name)
+    columns = []
+    column_details = await db.table_column_details(table_name)
+    for column in column_details:
+        if column.hidden:
+            continue
+        is_pk = column.name in pks
+        is_auto_pk = (
+            is_pk
+            and len(pks) == 1
+            and SQLiteType.from_declared_type(column.type) == SQLiteType.INTEGER
+        )
+        if is_auto_pk:
+            continue
+        column_type = column_types_map.get(column.name)
+        columns.append(
+            {
+                "name": column.name,
+                "sqlite_type": _column_sqlite_type_for_insert_form(column),
+                "notnull": column.notnull,
+                "default": column.default_value,
+                "has_default": column.default_value is not None,
+                "is_pk": is_pk,
+                "value_kind": _column_value_kind_for_insert_form(column),
+                "column_type": (
+                    {"type": column_type.name, "config": column_type.config}
+                    if column_type is not None
+                    else None
+                ),
+            }
+        )
+
+    return {
+        "path": "{}/-/insert".format(datasette.urls.table(database_name, table_name)),
+        "tableName": table_name,
+        "columns": columns,
+        "primaryKeys": pks,
+    }
+
+
+async def _table_alter_ui(
+    datasette, request, db, database_name, table_name, is_view, pks
+):
+    if is_view or not db.is_mutable:
+        return None
+
+    if not await datasette.allowed(
+        action="alter-table",
+        resource=TableResource(database=database_name, table=table_name),
+        actor=request.actor,
+    ):
+        return None
+
+    column_types_map = await datasette.get_column_types(database_name, table_name)
+    foreign_keys_by_column = {}
+    for fk in await db.foreign_keys_for_table(table_name):
+        other_column = fk["other_column"]
+        if other_column is None and await db.table_exists(fk["other_table"]):
+            other_pks = await db.primary_keys(fk["other_table"])
+            if len(other_pks) == 1:
+                other_column = other_pks[0]
+        if other_column is None:
+            continue
+        foreign_keys_by_column[fk["column"]] = {
+            "fk_table": fk["other_table"],
+            "fk_column": other_column,
+        }
+    columns = []
+    for column in await db.table_column_details(table_name):
+        if column.hidden:
+            continue
+        sqlite_type = SQLiteType.from_declared_type(column.type)
+        column_type = column_types_map.get(column.name)
+        default_expr = default_expr_for_sql(column.default_value)
+        column_data = {
+            "name": column.name,
+            "type": ALTER_TABLE_TYPE_FOR_SQLITE_TYPE.get(sqlite_type, "text"),
+            "sqlite_type": sqlite_type.value,
+            "notnull": column.notnull,
+            "default": None if default_expr else column.default_value,
+            "has_default": column.default_value is not None,
+            "is_pk": column.name in pks,
+            "foreign_key": foreign_keys_by_column.get(column.name),
+            "column_type": (
+                {"type": column_type.name, "config": column_type.config}
+                if column_type is not None
+                else None
+            ),
+        }
+        if default_expr:
+            column_data["default_expr"] = default_expr
+        columns.append(column_data)
+
+    data = {
+        "path": "{}/-/alter".format(datasette.urls.table(database_name, table_name)),
+        "tableName": table_name,
+        "columns": columns,
+        "primaryKeys": pks,
+        "columnTypes": ALTER_TABLE_COLUMN_TYPES,
+        "defaultExpressions": default_expression_options(),
+        "foreignKeyTargetsPath": "{}/-/foreign-key-targets?table={}".format(
+            datasette.urls.database(database_name),
+            urllib.parse.quote(table_name, safe=""),
+        ),
+    }
+    can_set_column_type = await datasette.allowed(
+        action="set-column-type",
+        resource=TableResource(database=database_name, table=table_name),
+        actor=request.actor,
+    )
+    if can_set_column_type:
+        data["customColumnTypes"] = _custom_column_type_options_for_create_table(
+            datasette
+        )
+    can_drop_table = await datasette.allowed(
+        action="drop-table",
+        resource=TableResource(database=database_name, table=table_name),
+        actor=request.actor,
+    )
+    if can_drop_table:
+        data["dropPath"] = "{}/-/drop".format(
+            datasette.urls.table(database_name, table_name)
+        )
+    return data
+
+
 async def display_columns_and_rows(
     datasette,
     database_name,
@@ -163,6 +635,9 @@ async def display_columns_and_rows(
         )
     )
 
+    # Look up column types for this table
+    column_types_map = await datasette.get_column_types(database_name, table_name)
+
     column_details = {
         col.name: col for col in await db.table_column_details(table_name)
     }
@@ -170,6 +645,16 @@ async def display_columns_and_rows(
     pks_for_display = pks
     if not pks_for_display:
         pks_for_display = ["rowid"]
+    label_column = None
+    if link_column:
+        label_column = await db.label_column_for_table(table_name)
+    row_action_permissions = {}
+    if link_column and request is not None and db.is_mutable:
+        row_action_permissions = await datasette.allowed_many(
+            actions=["update-row", "delete-row"],
+            resource=TableResource(database=database_name, table=table_name),
+            actor=request.actor,
+        )
 
     columns = []
     for r in description:
@@ -179,16 +664,21 @@ async def display_columns_and_rows(
         else:
             type_ = column_details[r[0]].type
             notnull = column_details[r[0]].notnull
-        columns.append(
-            {
-                "name": r[0],
-                "sortable": r[0] in sortable_columns,
-                "is_pk": r[0] in pks_for_display,
-                "type": type_,
-                "notnull": notnull,
-                "description": column_descriptions.get(r[0]),
-            }
-        )
+        col_dict = {
+            "name": r[0],
+            "sortable": r[0] in sortable_columns,
+            "is_pk": r[0] in pks_for_display,
+            "type": type_,
+            "notnull": notnull,
+            "description": column_descriptions.get(r[0]),
+            "column_type": None,
+            "column_type_config": None,
+        }
+        ct = column_types_map.get(r[0])
+        if ct:
+            col_dict["column_type"] = ct.name
+            col_dict["column_type_config"] = ct.config
+        columns.append(col_dict)
 
     column_to_foreign_key_table = {
         fk["column"]: fk["other_table"]
@@ -204,19 +694,72 @@ async def display_columns_and_rows(
         if link_column:
             is_special_link_column = len(pks) != 1
             pk_path = path_from_row_pks(row, pks, not pks, False)
+            row_path = path_from_row_pks(row, pks, not pks)
+            row_label = row_label_from_label_column(row, label_column)
+            row_action_label = pk_path
+            if row_label and row_label != pk_path:
+                row_action_label = "{} {}".format(pk_path, row_label)
+            table_path = datasette.urls.table(database_name, table_name)
+            row_link = '<a href="{table_path}/{flat_pks_quoted}">{flat_pks}</a>'.format(
+                table_path=table_path,
+                flat_pks=str(markupsafe.escape(pk_path)),
+                flat_pks_quoted=row_path,
+            )
+            edit_icon = (
+                '<svg class="row-inline-action-icon" aria-hidden="true" '
+                'xmlns="http://www.w3.org/2000/svg" width="14" height="14" '
+                'viewBox="0 0 24 24" fill="none" stroke="currentColor" '
+                'stroke-width="2" stroke-linecap="round" stroke-linejoin="round">'
+                '<path d="M11 4H4a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7"></path>'
+                '<path d="M18.5 2.5a2.12 2.12 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z"></path>'
+                "</svg>"
+            )
+            delete_icon = (
+                '<svg class="row-inline-action-icon" aria-hidden="true" '
+                'xmlns="http://www.w3.org/2000/svg" width="14" height="14" '
+                'viewBox="0 0 24 24" fill="none" stroke="currentColor" '
+                'stroke-width="2" stroke-linecap="round" stroke-linejoin="round">'
+                '<path d="M3 6h18"></path>'
+                '<path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"></path>'
+                '<path d="M19 6l-1 14a2 2 0 0 1-2 2H8a2 2 0 0 1-2-2L5 6"></path>'
+                '<path d="M10 11v6"></path>'
+                '<path d="M14 11v6"></path>'
+                "</svg>"
+            )
+            row_actions = []
+            if row_action_permissions.get("update-row"):
+                row_actions.append(
+                    '<button type="button" class="row-inline-action row-inline-action-edit" '
+                    'aria-label="Edit row {row_label}" title="Edit row" '
+                    'data-row-action="edit">'
+                    "{edit_icon}</button>".format(
+                        edit_icon=edit_icon,
+                        row_label=markupsafe.escape(row_action_label),
+                    )
+                )
+            if row_action_permissions.get("delete-row"):
+                row_actions.append(
+                    '<button type="button" class="row-inline-action row-inline-action-delete" '
+                    'aria-label="Delete row {row_label}" title="Delete row" '
+                    'data-row-action="delete">'
+                    "{delete_icon}</button>".format(
+                        delete_icon=delete_icon,
+                        row_label=markupsafe.escape(row_action_label),
+                    )
+                )
+            if row_actions:
+                row_link = (
+                    '<span class="row-link-with-actions">{row_link}'
+                    '<span class="row-inline-actions" aria-label="Row actions">'
+                    "{row_actions}</span></span>"
+                ).format(row_link=row_link, row_actions="".join(row_actions))
             cells.append(
                 {
                     "column": pks[0] if len(pks) == 1 else "Link",
                     "value_type": "pk",
                     "is_special_link_column": is_special_link_column,
                     "raw": pk_path,
-                    "value": markupsafe.Markup(
-                        '<a href="{table_path}/{flat_pks_quoted}">{flat_pks}</a>'.format(
-                            table_path=datasette.urls.table(database_name, table_name),
-                            flat_pks=str(markupsafe.escape(pk_path)),
-                            flat_pks_quoted=path_from_row_pks(row, pks, not pks),
-                        )
-                    ),
+                    "value": markupsafe.Markup(row_link),
                 }
             )
 
@@ -227,23 +770,37 @@ async def display_columns_and_rows(
                 # already shown in the link column.
                 continue
 
-            # First let the plugins have a go
+            # First try column type render_cell, then plugins
             # pylint: disable=no-member
             plugin_display_value = None
-            for candidate in pm.hook.render_cell(
-                row=row,
-                value=value,
-                column=column,
-                table=table_name,
-                pks=pks_for_display,
-                database=database_name,
-                datasette=datasette,
-                request=request,
-            ):
-                candidate = await await_me_maybe(candidate)
+            ct = column_types_map.get(column)
+            if ct:
+                candidate = await ct.render_cell(
+                    value=value,
+                    column=column,
+                    table=table_name,
+                    database=database_name,
+                    datasette=datasette,
+                    request=request,
+                )
                 if candidate is not None:
                     plugin_display_value = candidate
-                    break
+            if plugin_display_value is None:
+                for candidate in pm.hook.render_cell(
+                    row=row,
+                    value=value,
+                    column=column,
+                    table=table_name,
+                    pks=pks_for_display,
+                    database=database_name,
+                    datasette=datasette,
+                    request=request,
+                    column_type=ct,
+                ):
+                    candidate = await await_me_maybe(candidate)
+                    if candidate is not None:
+                        plugin_display_value = candidate
+                        break
             if plugin_display_value:
                 display_value = plugin_display_value
             elif isinstance(value, bytes):
@@ -308,7 +865,17 @@ async def display_columns_and_rows(
                     ),
                 }
             )
-        cell_rows.append(Row(cells))
+        if link_column:
+            cell_rows.append(
+                Row(
+                    cells,
+                    pk_path=pk_path,
+                    row_path=row_path,
+                    row_label=row_label,
+                )
+            )
+        else:
+            cell_rows.append(Row(cells))
 
     if link_column:
         # Add the link column header.
@@ -331,6 +898,7 @@ async def display_columns_and_rows(
                 "is_pk": False,
                 "type": "",
                 "notnull": 0,
+                "is_special_link_column": True,
             }
         columns = [first_column] + columns
     return columns, cell_rows
@@ -360,9 +928,8 @@ class TableInsertView(BaseView):
         if not request.headers.get("content-type").startswith("application/json"):
             # TODO: handle form-encoded data
             return _errors(["Invalid content-type, must be application/json"])
-        body = await request.post_body()
         try:
-            data = json.loads(body)
+            data = await request.json()
         except json.JSONDecodeError as e:
             return _errors(["Invalid JSON: {}".format(e)])
         if not isinstance(data, dict):
@@ -422,6 +989,13 @@ class TableInsertView(BaseView):
                             i, '", "'.join(missing_pks)
                         )
                     )
+                null_pks = [pk for pk in pks_list if pk in row and row[pk] is None]
+                if null_pks:
+                    errors.append(
+                        'Row {} has null primary key column(s): "{}"'.format(
+                            i, '", "'.join(null_pks)
+                        )
+                    )
             invalid_columns = set(row.keys()) - columns
             if invalid_columns and not extras.get("alter"):
                 errors.append(
@@ -484,6 +1058,13 @@ class TableInsertView(BaseView):
         if errors:
             return _error(errors, 400)
 
+        # Validate column types
+        ct_errors = await _validate_column_types(
+            self.ds, database_name, table_name, rows
+        )
+        if ct_errors:
+            return _error(ct_errors, 400)
+
         num_rows = len(rows)
 
         # No that we've passed pks to _validate_data it's safe to
@@ -620,6 +1201,122 @@ class TableUpsertView(TableInsertView):
         return await super().post(request, upsert=True)
 
 
+class TableSetColumnTypeView(BaseView):
+    name = "table-set-column-type"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def post(self, request):
+        try:
+            resolved = await self.ds.resolve_table(request)
+        except NotFound as e:
+            return _error([e.args[0]], 404)
+
+        database_name = resolved.db.name
+        table_name = resolved.table
+
+        if not await self.ds.allowed(
+            action="set-column-type",
+            resource=TableResource(database=database_name, table=table_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied"], 403)
+
+        content_type = request.headers.get("content-type") or ""
+        if not content_type.startswith("application/json"):
+            return _error(["Invalid content-type, must be application/json"], 400)
+
+        try:
+            data = await request.json()
+        except json.JSONDecodeError as e:
+            return _error(["Invalid JSON: {}".format(e)], 400)
+
+        if not isinstance(data, dict):
+            return _error(["JSON must be a dictionary"], 400)
+
+        invalid_keys = set(data.keys()) - {"column", "column_type"}
+        if invalid_keys:
+            return _error(
+                ['Invalid parameter: "{}"'.format('", "'.join(sorted(invalid_keys)))],
+                400,
+            )
+
+        if "column" not in data:
+            return _error(['"column" is required'], 400)
+        column = data["column"]
+        if not isinstance(column, str):
+            return _error(['"column" must be a string'], 400)
+
+        if "column_type" not in data:
+            return _error(['"column_type" is required'], 400)
+
+        column_details = await self.ds._get_resource_column_details(
+            database_name, table_name
+        )
+        if column not in column_details:
+            return _error(["Column not found: {}".format(column)], 400)
+
+        column_type_data = data["column_type"]
+        if column_type_data is None:
+            await self.ds.remove_column_type(database_name, table_name, column)
+            return Response.json(
+                {
+                    "ok": True,
+                    "database": database_name,
+                    "table": table_name,
+                    "column": column,
+                    "column_type": None,
+                },
+                status=200,
+            )
+
+        if not isinstance(column_type_data, dict):
+            return _error(['"column_type" must be an object or null'], 400)
+
+        invalid_column_type_keys = set(column_type_data.keys()) - {"type", "config"}
+        if invalid_column_type_keys:
+            return _error(
+                [
+                    'Invalid column_type parameter: "{}"'.format(
+                        '", "'.join(sorted(invalid_column_type_keys))
+                    )
+                ],
+                400,
+            )
+
+        if "type" not in column_type_data:
+            return _error(['"column_type.type" is required'], 400)
+        column_type = column_type_data["type"]
+        if not isinstance(column_type, str):
+            return _error(['"column_type.type" must be a string'], 400)
+
+        config = column_type_data.get("config")
+        if config is not None and not isinstance(config, dict):
+            return _error(['"column_type.config" must be a dictionary'], 400)
+
+        if column_type not in self.ds._column_types:
+            return _error(["Unknown column type: {}".format(column_type)], 400)
+
+        try:
+            await self.ds.set_column_type(
+                database_name, table_name, column, column_type, config
+            )
+        except ValueError as e:
+            return _error([str(e)], 400)
+
+        return Response.json(
+            {
+                "ok": True,
+                "database": database_name,
+                "table": table_name,
+                "column": column,
+                "column_type": {"type": column_type, "config": config},
+            },
+            status=200,
+        )
+
+
 class TableDropView(BaseView):
     name = "table-drop"
 
@@ -648,7 +1345,7 @@ class TableDropView(BaseView):
             return _error(["Database is immutable"], 403)
         confirm = False
         try:
-            data = json.loads(await request.post_body())
+            data = await request.json()
             confirm = data.get("confirm")
         except json.JSONDecodeError:
             pass
@@ -677,15 +1374,225 @@ class TableDropView(BaseView):
                 actor=request.actor, database=database_name, table=table_name
             )
         )
+        self.ds.add_message(
+            request,
+            "Table {} dropped".format(table_name),
+            self.ds.WARNING,
+        )
         return Response.json({"ok": True}, status=200)
 
 
-def _get_extras(request):
-    extra_bits = request.args.getlist("_extra")
-    extras = set()
-    for bit in extra_bits:
-        extras.update(bit.split(","))
-    return extras
+class TableFragmentView(BaseView):
+    name = "table-fragment"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def get(self, request):
+        resolved = await self.ds.resolve_table(request)
+        request = await _fragment_request_for_row(request, resolved)
+        view_data = await table_view_data(
+            self.ds,
+            request,
+            resolved,
+            extra_extras={"_html"},
+            context_for_html_hack=True,
+            default_labels=True,
+        )
+        if isinstance(view_data, Response):
+            return view_data
+        data, _rows, _columns, _expanded_columns, _sql, _next_url = view_data
+        templates = data["custom_table_templates"]
+        html = await self.ds.render_template(
+            templates,
+            dict(
+                data,
+                append_querystring=append_querystring,
+                path_with_replaced_args=path_with_replaced_args,
+                fix_path=self.ds.urls.path,
+                settings=self.ds.settings_dict(),
+            ),
+            request=request,
+            view_name="table",
+        )
+        return Response.html(html)
+
+
+def _escape_like(value):
+    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
+
+
+# Returns the exclusive upper bound for an indexed prefix search:
+# For example, values beginning with "abc" fall below the next prefix boundary.
+# The LIKE clause is still applied separately for exact escaped-LIKE semantics.
+def _prefix_range_end(value):
+    if not value:
+        return None
+    characters = list(value)
+    for i in range(len(characters) - 1, -1, -1):
+        if ord(characters[i]) < 0x10FFFF:
+            return "{}{}".format("".join(characters[:i]), chr(ord(characters[i]) + 1))
+    return None
+
+
+def _autocomplete_like(column):
+    return "{} like :like escape char(92)".format(escape_sqlite(column))
+
+
+def _autocomplete_prefix_like(column):
+    return "{} like :prefix escape char(92)".format(escape_sqlite(column))
+
+
+def _autocomplete_order_by(pks, label_column, exact_pk, label_matches_first=True):
+    clauses = []
+    if exact_pk:
+        clauses.append(
+            "case when cast({} as text) = :q then 0 else 1 end".format(
+                escape_sqlite(pks[0])
+            )
+        )
+    if label_column:
+        label_like = _autocomplete_like(label_column)
+        if label_matches_first:
+            clauses.append("case when {} then 0 else 1 end".format(label_like))
+        clauses.append(
+            "case when {} then length(cast({} as text)) end".format(
+                label_like, escape_sqlite(label_column)
+            )
+        )
+    else:
+        clauses.append("length(cast({} as text))".format(escape_sqlite(pks[0])))
+    clauses.extend(escape_sqlite(pk) for pk in pks)
+    return ", ".join(clauses)
+
+
+def _autocomplete_pk_order_by(pks):
+    return ", ".join(escape_sqlite(pk) for pk in pks)
+
+
+def _autocomplete_initial_order_by(pks):
+    order_by = [f"{escape_sqlite(pks[0])} desc"]
+    order_by.extend(escape_sqlite(pk) for pk in pks[1:])
+    return ", ".join(order_by)
+
+
+def _autocomplete_response_rows(rows, pks, label_column):
+    response_rows = []
+    for row in rows:
+        item = {"pks": {pk: row[pk] for pk in pks}}
+        if label_column:
+            item["label"] = row[label_column]
+        response_rows.append(item)
+    return response_rows
+
+
+AUTOCOMPLETE_TIME_LIMIT_MS = 500
+
+
+class TableAutocompleteView(BaseView):
+    name = "table-autocomplete"
+
+    async def get(self, request):
+        resolved = await self.ds.resolve_table(request)
+        if resolved.is_view:
+            raise BadRequest("Autocomplete is only available for tables")
+
+        db = resolved.db
+        database_name = db.name
+        table_name = resolved.table
+        visible, _ = await self.ds.check_visibility(
+            request.actor,
+            action="view-table",
+            resource=TableResource(database=database_name, table=table_name),
+        )
+        if not visible:
+            raise Forbidden("You do not have permission to view this table")
+
+        pks = await db.primary_keys(table_name)
+        if not pks:
+            pks = ["rowid"]
+        label_column = await db.label_column_for_table(table_name)
+        select_columns = list(
+            dict.fromkeys(pks + ([label_column] if label_column else []))
+        )
+        select_sql = ", ".join(escape_sqlite(column) for column in select_columns)
+        q = request.args.get("q") or ""
+        initial_arg = request.args.get("_initial")
+        initial = (
+            not q
+            and initial_arg is not None
+            and initial_arg != ""
+            and value_as_boolean(initial_arg)
+        )
+        if not q and not initial:
+            return Response.json({"rows": []})
+        params = {
+            "q": q,
+            "like": "%{}%".format(_escape_like(q)),
+            "prefix": "{}%".format(_escape_like(q)),
+        }
+
+        like_columns = pks[:]
+        if label_column and label_column not in like_columns:
+            like_columns.append(label_column)
+        where_sql = " or ".join(_autocomplete_like(column) for column in like_columns)
+        exact_pk = len(pks) == 1
+        order_by = _autocomplete_order_by(pks, label_column, exact_pk)
+
+        if initial:
+            where_sql = "1 = 1"
+            order_by = _autocomplete_initial_order_by(pks)
+
+        sql = """
+            select {select_sql}
+            from {table}
+            where {where}
+            order by {order_by}
+            limit 10
+        """.format(
+            select_sql=select_sql,
+            table=escape_sqlite(table_name),
+            where=where_sql,
+            order_by=order_by,
+        )
+
+        try:
+            results = await db.execute(
+                sql, params, custom_time_limit=AUTOCOMPLETE_TIME_LIMIT_MS
+            )
+        except QueryInterrupted:
+            fallback_where = _autocomplete_prefix_like(pks[0])
+            prefix_end = _prefix_range_end(q)
+            if prefix_end:
+                params["prefix_end"] = prefix_end
+                first_pk = escape_sqlite(pks[0])
+                fallback_where = (
+                    "{first_pk} >= :q and {first_pk} < :prefix_end and {like}"
+                ).format(first_pk=first_pk, like=fallback_where)
+            fallback_sql = """
+                select {select_sql}
+                from {table}
+                where {where}
+                order by {order_by}
+                limit 10
+            """.format(
+                select_sql=select_sql,
+                table=escape_sqlite(table_name),
+                where=fallback_where,
+                order_by=_autocomplete_pk_order_by(pks),
+            )
+            try:
+                results = await db.execute(
+                    fallback_sql,
+                    params,
+                    custom_time_limit=AUTOCOMPLETE_TIME_LIMIT_MS,
+                )
+            except QueryInterrupted:
+                return Response.json({"rows": []})
+
+        return Response.json(
+            {"rows": _autocomplete_response_rows(results.rows, pks, label_column)}
+        )
 
 
 async def _columns_to_select(table_columns, pks, request):
@@ -699,8 +1606,8 @@ async def _columns_to_select(table_columns, pks, request):
                 "_col={} - invalid columns".format(", ".join(bad_columns)),
                 status=400,
             )
-        # De-duplicate maintaining order:
-        columns.extend(dict.fromkeys(_cols))
+        # De-duplicate maintaining order, skipping columns already added (pks):
+        columns.extend(c for c in dict.fromkeys(_cols) if c not in columns)
     if "_nocol" in request.args:
         # Return all columns EXCEPT these
         bad_columns = [
@@ -794,12 +1701,12 @@ async def table_view_traced(datasette, request):
     try:
         resolved = await datasette.resolve_table(request)
     except TableNotFound as not_found:
-        # Was this actually a canned query?
-        canned_query = await datasette.get_canned_query(
-            not_found.database_name, not_found.table, request.actor
+        # Was this actually a stored query?
+        stored_query = await datasette.get_query(
+            not_found.database_name, not_found.table
         )
-        # If this is a canned query, not a table, then dispatch to QueryView instead
-        if canned_query:
+        # If this is a stored query, not a table, then dispatch to QueryView instead
+        if stored_query:
             return await QueryView()(request, datasette)
         else:
             raise
@@ -903,7 +1810,13 @@ async def table_view_traced(datasette, request):
         template = environment.select_template(templates)
         alternate_url_json = datasette.absolute_url(
             request,
-            datasette.urls.path(path_with_format(request=request, format="json")),
+            datasette.urls.path(
+                path_with_format(
+                    request=request,
+                    path=request.scope.get("route_path"),
+                    format="json",
+                )
+            ),
         )
         headers.update(
             {
@@ -912,40 +1825,82 @@ async def table_view_traced(datasette, request):
                 )
             }
         )
+        table_context = TableContext(
+            actions=data["actions"],
+            all_columns=data["all_columns"],
+            columns=data["columns"],
+            count=data["count"],
+            count_sql=data["count_sql"],
+            custom_table_templates=data["custom_table_templates"],
+            database=data["database"],
+            database_color=data["database_color"],
+            display_columns=data["display_columns"],
+            display_rows=data["display_rows"],
+            expandable_columns=data["expandable_columns"],
+            facet_results=data["facet_results"],
+            facets_timed_out=data["facets_timed_out"],
+            filters=data["filters"],
+            form_hidden_args=data["form_hidden_args"],
+            human_description_en=data["human_description_en"],
+            is_view=data["is_view"],
+            metadata=data["metadata"],
+            next_url=data["next_url"],
+            primary_keys=data["primary_keys"],
+            private=data["private"],
+            query=data["query"],
+            renderers=data["renderers"],
+            set_column_type_ui=data["set_column_type_ui"],
+            sorted_facet_results=data["sorted_facet_results"],
+            suggested_facets=data["suggested_facets"],
+            table=data["table"],
+            table_definition=data["table_definition"],
+            view_definition=data["view_definition"],
+            ok=data["ok"],
+            next=data["next"],
+            count_truncated=data["count_truncated"],
+            rows=data["rows"],
+            filter_columns=data["filter_columns"],
+            supports_search=data["supports_search"],
+            extra_wheres_for_ui=data["extra_wheres_for_ui"],
+            url_csv=data["url_csv"],
+            url_csv_path=data["url_csv_path"],
+            url_csv_hidden_args=data["url_csv_hidden_args"],
+            sort=data["sort"],
+            sort_desc=data["sort_desc"],
+            append_querystring=append_querystring,
+            path_with_replaced_args=path_with_replaced_args,
+            fix_path=datasette.urls.path,
+            settings=datasette.settings_dict(),
+            alternate_url_json=alternate_url_json,
+            datasette_allow_facet=(
+                "true" if datasette.setting("allow_facet") else "false"
+            ),
+            is_sortable=any(c["sortable"] for c in data["display_columns"]),
+            allow_execute_sql=await datasette.allowed(
+                action="execute-sql",
+                resource=DatabaseResource(database=resolved.db.name),
+                actor=request.actor,
+            ),
+            query_ms=1.2,
+            select_templates=[
+                f"{'*' if template_name == template.name else ''}{template_name}"
+                for template_name in templates
+            ],
+            top_table=make_slot_function(
+                "top_table",
+                datasette,
+                request,
+                database=resolved.db.name,
+                table=resolved.table,
+            ),
+            table_page_data=data["table_page_data"],
+            table_insert_ui=data["table_insert_ui"],
+            table_alter_ui=data["table_alter_ui"],
+        )
         r = Response.html(
             await datasette.render_template(
                 template,
-                dict(
-                    data,
-                    append_querystring=append_querystring,
-                    path_with_replaced_args=path_with_replaced_args,
-                    fix_path=datasette.urls.path,
-                    settings=datasette.settings_dict(),
-                    # TODO: review up all of these hacks:
-                    alternate_url_json=alternate_url_json,
-                    datasette_allow_facet=(
-                        "true" if datasette.setting("allow_facet") else "false"
-                    ),
-                    is_sortable=any(c["sortable"] for c in data["display_columns"]),
-                    allow_execute_sql=await datasette.allowed(
-                        action="execute-sql",
-                        resource=DatabaseResource(database=resolved.db.name),
-                        actor=request.actor,
-                    ),
-                    query_ms=1.2,
-                    select_templates=[
-                        f"{'*' if template_name == template.name else ''}{template_name}"
-                        for template_name in templates
-                    ],
-                    top_table=make_slot_function(
-                        "top_table",
-                        datasette,
-                        request,
-                        database=resolved.db.name,
-                        table=resolved.table,
-                    ),
-                    count_limit=resolved.db.count_limit,
-                ),
+                table_context,
                 request=request,
                 view_name="table",
             ),
@@ -988,6 +1943,15 @@ async def table_view_data(
     if redirect_response:
         return redirect_response
 
+    if context_for_html_hack:
+        await precompute_database_action_permissions(
+            datasette, request.actor, database_name
+        )
+        if not is_view:
+            await precompute_table_action_permissions(
+                datasette, request.actor, database_name, table_name
+            )
+
     # Introspect columns and primary keys for table
     pks = await db.primary_keys(table_name)
     table_columns = await db.table_columns(table_name)
@@ -1285,7 +2249,7 @@ async def table_view_data(
     rows = rows[:page_size]
 
     # Resolve extras
-    extras = _get_extras(request)
+    extras = extra_names_from_request(request)
     if any(k for k in request.args.keys() if k == "_facet" or k.startswith("_facet_")):
         extras.add("facet_results")
     if request.args.get("_shape") == "object":
@@ -1293,485 +2257,84 @@ async def table_view_data(
     if extra_extras:
         extras.update(extra_extras)
 
-    async def extra_count_sql():
-        return count_sql
-
-    async def extra_count():
-        "Total count of rows matching these filters"
-        # Calculate the total count for this query
-        count = None
-        if (
-            not db.is_mutable
-            and datasette.inspect_data
-            and count_sql == f"select count(*) from {table_name} "
-        ):
-            # We can use a previously cached table row count
-            try:
-                count = datasette.inspect_data[database_name]["tables"][table_name][
-                    "count"
-                ]
-            except KeyError:
-                pass
-
-        # Otherwise run a select count(*) ...
-        if count_sql and count is None and not nocount:
-            count_sql_limited = (
-                f"select count(*) from (select * {from_sql} limit 10001)"
-            )
-            try:
-                count_rows = list(await db.execute(count_sql_limited, from_sql_params))
-                count = count_rows[0][0]
-            except QueryInterrupted:
-                pass
-        return count
-
-    async def facet_instances(extra_count):
-        facet_instances = []
-        facet_classes = list(
-            itertools.chain.from_iterable(pm.hook.register_facet_classes())
-        )
-        for facet_class in facet_classes:
-            facet_instances.append(
-                facet_class(
-                    datasette,
-                    request,
-                    database_name,
-                    sql=sql_no_order_no_limit,
-                    params=params,
-                    table=table_name,
-                    table_config=table_metadata,
-                    row_count=extra_count,
-                )
-            )
-        return facet_instances
-
-    async def extra_facet_results(facet_instances):
-        "Results of facets calculated against this data"
-        facet_results = {}
-        facets_timed_out = []
-
-        if not nofacet:
-            # Run them in parallel
-            facet_awaitables = [facet.facet_results() for facet in facet_instances]
-            facet_awaitable_results = await run_sequential(*facet_awaitables)
-            for (
-                instance_facet_results,
-                instance_facets_timed_out,
-            ) in facet_awaitable_results:
-                for facet_info in instance_facet_results:
-                    base_key = facet_info["name"]
-                    key = base_key
-                    i = 1
-                    while key in facet_results:
-                        i += 1
-                        key = f"{base_key}_{i}"
-                    facet_results[key] = facet_info
-                facets_timed_out.extend(instance_facets_timed_out)
-
-        return {
-            "results": facet_results,
-            "timed_out": facets_timed_out,
-        }
-
-    async def extra_suggested_facets(facet_instances):
-        "Suggestions for facets that might return interesting results"
-        suggested_facets = []
-        # Calculate suggested facets
-        if (
-            datasette.setting("suggest_facets")
-            and datasette.setting("allow_facet")
-            and not _next
-            and not nofacet
-            and not nosuggest
-        ):
-            # Run them in parallel
-            facet_suggest_awaitables = [facet.suggest() for facet in facet_instances]
-            for suggest_result in await run_sequential(*facet_suggest_awaitables):
-                suggested_facets.extend(suggest_result)
-        return suggested_facets
-
     # Faceting
     if not datasette.setting("allow_facet") and any(
         arg.startswith("_facet") for arg in request.args
     ):
         raise BadRequest("_facet= is not allowed")
 
-    # human_description_en combines filters AND search, if provided
-    async def extra_human_description_en():
-        "Human-readable description of the filters"
-        human_description_en = filters.human_description_en(
-            extra=extra_human_descriptions
-        )
-        if sort or sort_desc:
-            human_description_en = " ".join(
-                [b for b in [human_description_en, sorted_by] if b]
-            )
-        return human_description_en
-
-    if sort or sort_desc:
-        sorted_by = "sorted by {}{}".format(
-            (sort or sort_desc), " descending" if sort_desc else ""
-        )
-
-    async def extra_next_url():
-        "Full URL for the next page of results"
-        return next_url
-
-    async def extra_columns():
-        "Column names returned by this query"
-        return columns
-
-    async def extra_primary_keys():
-        "Primary keys for this table"
-        return pks
-
-    async def extra_actions():
-        async def actions():
-            links = []
-            kwargs = {
-                "datasette": datasette,
-                "database": database_name,
-                "actor": request.actor,
-                "request": request,
-            }
-            if is_view:
-                kwargs["view"] = table_name
-                method = pm.hook.view_actions
-            else:
-                kwargs["table"] = table_name
-                method = pm.hook.table_actions
-            for hook in method(**kwargs):
-                extra_links = await await_me_maybe(hook)
-                if extra_links:
-                    links.extend(extra_links)
-            return links
-
-        return actions
-
-    async def extra_is_view():
-        return is_view
-
-    async def extra_debug():
-        "Extra debug information"
-        return {
-            "resolved": repr(resolved),
-            "url_vars": request.url_vars,
-            "nofacet": nofacet,
-            "nosuggest": nosuggest,
-        }
-
-    async def extra_request():
-        "Full information about the request"
-        return {
-            "url": request.url,
-            "path": request.path,
-            "full_path": request.full_path,
-            "host": request.host,
-            "args": request.args._data,
-        }
-
-    async def run_display_columns_and_rows():
-        display_columns, display_rows = await display_columns_and_rows(
-            datasette,
-            database_name,
-            table_name,
-            results.description,
-            rows,
-            link_column=not is_view,
-            truncate_cells=datasette.setting("truncate_cells_html"),
-            sortable_columns=sortable_columns,
-            request=request,
-        )
-        return {
-            "columns": display_columns,
-            "rows": display_rows,
-        }
-
-    async def extra_display_columns(run_display_columns_and_rows):
-        return run_display_columns_and_rows["columns"]
-
-    async def extra_display_rows(run_display_columns_and_rows):
-        return run_display_columns_and_rows["rows"]
-
-    async def extra_render_cell():
-        "Rendered HTML for each cell using the render_cell plugin hook"
-        pks_for_display = pks if pks else (["rowid"] if not is_view else [])
-        columns = [col[0] for col in results.description]
-        rendered_rows = []
-        for row in rows:
-            rendered_row = {}
-            for value, column in zip(row, columns):
-                # Call render_cell plugin hook
-                plugin_display_value = None
-                for candidate in pm.hook.render_cell(
-                    row=row,
-                    value=value,
-                    column=column,
-                    table=table_name,
-                    pks=pks_for_display,
-                    database=database_name,
-                    datasette=datasette,
-                    request=request,
-                ):
-                    candidate = await await_me_maybe(candidate)
-                    if candidate is not None:
-                        plugin_display_value = candidate
-                        break
-                if plugin_display_value:
-                    rendered_row[column] = str(plugin_display_value)
-            rendered_rows.append(rendered_row)
-        return rendered_rows
-
-    async def extra_query():
-        "Details of the underlying SQL query"
-        return {
-            "sql": sql,
-            "params": params,
-        }
-
-    async def extra_metadata():
-        "Metadata about the table and database"
-        tablemetadata = await datasette.get_resource_metadata(database_name, table_name)
-
-        rows = await datasette.get_internal_database().execute(
-            """
-              SELECT
-                column_name,
-                value
-              FROM metadata_columns
-              WHERE database_name = ?
-                AND resource_name = ?
-                AND key = 'description'
-            """,
-            [database_name, table_name],
-        )
-        tablemetadata["columns"] = dict(rows)
-        return tablemetadata
-
-    async def extra_database():
-        return database_name
-
-    async def extra_table():
-        return table_name
-
-    async def extra_database_color():
-        return db.color
-
-    async def extra_form_hidden_args():
-        form_hidden_args = []
-        for key in request.args:
-            if (
-                key.startswith("_")
-                and key not in ("_sort", "_sort_desc", "_search", "_next")
-                and "__" not in key
-            ):
-                for value in request.args.getlist(key):
-                    form_hidden_args.append((key, value))
-        return form_hidden_args
-
-    async def extra_filters():
-        return filters
-
-    async def extra_custom_table_templates():
-        return [
-            f"_table-{to_css_class(database_name)}-{to_css_class(table_name)}.html",
-            f"_table-table-{to_css_class(database_name)}-{to_css_class(table_name)}.html",
-            "_table.html",
-        ]
-
-    async def extra_sorted_facet_results(extra_facet_results):
-        facet_configs = table_metadata.get("facets", [])
-        if facet_configs:
-            # Build ordered list of facet names from metadata config
-            metadata_facet_names = []
-            for fc in facet_configs:
-                if isinstance(fc, str):
-                    metadata_facet_names.append(fc)
-                elif isinstance(fc, dict):
-                    metadata_facet_names.append(list(fc.values())[0])
-            metadata_order = {name: i for i, name in enumerate(metadata_facet_names)}
-            metadata_facets = []
-            request_facets = []
-            for f in extra_facet_results["results"].values():
-                if f["name"] in metadata_order:
-                    metadata_facets.append(f)
-                else:
-                    request_facets.append(f)
-            metadata_facets.sort(key=lambda f: metadata_order[f["name"]])
-            request_facets.sort(
-                key=lambda f: (len(f["results"]), f["name"]),
-                reverse=True,
-            )
-            return metadata_facets + request_facets
-        else:
-            return sorted(
-                extra_facet_results["results"].values(),
-                key=lambda f: (len(f["results"]), f["name"]),
-                reverse=True,
-            )
-
-    async def extra_table_definition():
-        return await db.get_table_definition(table_name)
-
-    async def extra_view_definition():
-        return await db.get_view_definition(table_name)
-
-    async def extra_renderers(extra_expandable_columns, extra_query):
-        renderers = {}
-        url_labels_extra = {}
-        if extra_expandable_columns:
-            url_labels_extra = {"_labels": "on"}
-        for key, (_, can_render) in datasette.renderers.items():
-            it_can_render = call_with_supported_arguments(
-                can_render,
-                datasette=datasette,
-                columns=columns or [],
-                rows=rows or [],
-                sql=extra_query.get("sql", None),
-                query_name=None,
-                database=database_name,
-                table=table_name,
-                request=request,
-                view_name="table",
-            )
-            it_can_render = await await_me_maybe(it_can_render)
-            if it_can_render:
-                renderers[key] = datasette.urls.path(
-                    path_with_format(
-                        request=request, format=key, extra_qs={**url_labels_extra}
-                    )
-                )
-        return renderers
-
-    async def extra_private():
-        return private
-
-    async def extra_expandable_columns():
-        expandables = []
-        db = datasette.databases[database_name]
-        for fk in await db.foreign_keys_for_table(table_name):
-            label_column = await db.label_column_for_table(fk["other_table"])
-            expandables.append((fk, label_column))
-        return expandables
-
-    async def extra_extras():
-        "Available ?_extra= blocks"
-        all_extras = [
-            (key[len("extra_") :], fn.__doc__)
-            for key, fn in registry._registry.items()
-            if key.startswith("extra_")
-        ]
-        return [
-            {
-                "name": name,
-                "description": doc,
-                "toggle_url": datasette.absolute_url(
-                    request,
-                    datasette.urls.path(
-                        path_with_added_args(request, {"_extra": name})
-                        if name not in extras
-                        else path_with_removed_args(request, {"_extra": name})
-                    ),
-                ),
-                "selected": name in extras,
-            }
-            for name, doc in all_extras
-        ]
-
-    async def extra_facets_timed_out(extra_facet_results):
-        return extra_facet_results["timed_out"]
-
-    bundles = {
-        "html": [
-            "suggested_facets",
-            "facet_results",
-            "facets_timed_out",
-            "count",
-            "count_sql",
-            "human_description_en",
-            "next_url",
-            "metadata",
-            "query",
-            "columns",
-            "display_columns",
-            "display_rows",
-            "database",
-            "table",
-            "database_color",
-            "actions",
-            "filters",
-            "renderers",
-            "custom_table_templates",
-            "sorted_facet_results",
-            "table_definition",
-            "view_definition",
-            "is_view",
-            "private",
-            "primary_keys",
-            "expandable_columns",
-            "form_hidden_args",
-        ]
-    }
-
-    for key, values in bundles.items():
+    for key, values in TABLE_EXTRA_BUNDLES.items():
         if f"_{key}" in extras:
             extras.update(values)
         extras.discard(f"_{key}")
 
-    registry = Registry(
-        extra_count,
-        extra_count_sql,
-        extra_facet_results,
-        extra_facets_timed_out,
-        extra_suggested_facets,
-        facet_instances,
-        extra_human_description_en,
-        extra_next_url,
-        extra_columns,
-        extra_primary_keys,
-        run_display_columns_and_rows,
-        extra_display_columns,
-        extra_display_rows,
-        extra_render_cell,
-        extra_debug,
-        extra_request,
-        extra_query,
-        extra_metadata,
-        extra_extras,
-        extra_database,
-        extra_table,
-        extra_database_color,
-        extra_actions,
-        extra_filters,
-        extra_renderers,
-        extra_custom_table_templates,
-        extra_sorted_facet_results,
-        extra_table_definition,
-        extra_view_definition,
-        extra_is_view,
-        extra_private,
-        extra_expandable_columns,
-        extra_form_hidden_args,
+    table_extra_context = TableExtraContext(
+        datasette=datasette,
+        request=request,
+        resolved=resolved,
+        db=db,
+        database_name=database_name,
+        table_name=table_name,
+        is_view=is_view,
+        private=private,
+        rows=rows,
+        columns=columns,
+        results_description=results.description,
+        table_columns=table_columns,
+        pks=pks,
+        count_sql=count_sql,
+        from_sql=from_sql,
+        from_sql_params=from_sql_params,
+        nocount=nocount,
+        nofacet=nofacet,
+        nosuggest=nosuggest,
+        next_arg=request.args.get("_next"),
+        next_url=next_url,
+        sql=sql,
+        sql_no_order_no_limit=sql_no_order_no_limit,
+        params=params,
+        table_metadata=table_metadata,
+        filters=filters,
+        extra_human_descriptions=extra_human_descriptions,
+        sort=sort,
+        sort_desc=sort_desc,
+        sortable_columns=sortable_columns,
+        extras=extras,
+        extra_registry=table_extra_registry,
+        display_columns_and_rows=display_columns_and_rows,
+        run_sequential=run_sequential,
     )
 
-    results = await registry.resolve_multi(
-        ["extra_{}".format(extra) for extra in extras]
-    )
     data = {
         "ok": True,
         "next": next_value and str(next_value) or None,
     }
     data.update(
-        {
-            key.replace("extra_", ""): value
-            for key, value in results.items()
-            if key.startswith("extra_") and key.replace("extra_", "") in extras
-        }
+        await resolve_table_extras(
+            extras,
+            table_extra_context,
+            # The HTML view needs extras that are not JSON serializable
+            include_internal=bool(extra_extras),
+        )
     )
     raw_sqlite_rows = rows[:page_size]
-    data["rows"] = [dict(r) for r in raw_sqlite_rows]
+    # Apply transform_value for columns with assigned types
+    ct_map = await datasette.get_column_types(database_name, table_name)
+    transformed_rows = []
+    for r in raw_sqlite_rows:
+        row_dict = dict(r)
+        for col_name, ct in ct_map.items():
+            if col_name in row_dict:
+                row_dict[col_name] = await ct.transform_value(
+                    row_dict[col_name], datasette
+                )
+        transformed_rows.append(row_dict)
+    data["rows"] = transformed_rows
 
     if context_for_html_hack:
+        data["count_truncated"] = _count_truncated_for_table_page(
+            datasette, db, database_name, table_name, count_sql, data.get("count")
+        )
         data.update(extra_context_from_filters)
         # filter_columns combine the columns we know are available
         # in the table with any additional columns (such as rowid)
@@ -1786,7 +2349,12 @@ async def table_view_data(
             url_labels_extra = {"_labels": "on"}
         url_csv_args = {"_size": "max", **url_labels_extra}
         url_csv = datasette.urls.path(
-            path_with_format(request=request, format="csv", extra_qs=url_csv_args)
+            path_with_format(
+                request=request,
+                path=request.scope.get("route_path"),
+                format="csv",
+                extra_qs=url_csv_args,
+            )
         )
         url_csv_path = url_csv.split("?")[0]
         data.update(
@@ -1810,10 +2378,46 @@ async def table_view_data(
                 sort = "rowid"
         data["sort"] = sort
         data["sort_desc"] = sort_desc
+        table_insert_ui = await _table_insert_ui(
+            datasette, request, db, database_name, table_name, is_view, pks
+        )
+        table_alter_ui = await _table_alter_ui(
+            datasette, request, db, database_name, table_name, is_view, pks
+        )
+        data["table_insert_ui"] = table_insert_ui
+        data["table_alter_ui"] = table_alter_ui
+        data["table_page_data"] = await _table_page_data(
+            datasette=datasette,
+            request=request,
+            db=db,
+            database_name=database_name,
+            table_name=table_name,
+            is_view=is_view,
+            table_insert_ui=table_insert_ui,
+            table_alter_ui=table_alter_ui,
+        )
 
     return data, rows[:page_size], columns, expanded_columns, sql, next_url
 
 
+def _count_truncated_for_table_page(
+    datasette, db, database_name, table_name, count_sql, count
+):
+    if count != db.count_limit + 1:
+        return False
+    if (
+        not db.is_mutable
+        and datasette.inspect_data
+        and count_sql == f"select count(*) from {table_name} "
+    ):
+        try:
+            datasette.inspect_data[database_name]["tables"][table_name]["count"]
+            return False
+        except KeyError:
+            pass
+    return True
+
+
 async def _next_value_and_url(
     datasette,
     db,
diff --git a/datasette/views/table_create_alter.py b/datasette/views/table_create_alter.py
new file mode 100644
index 00000000..ffeb7f14
--- /dev/null
+++ b/datasette/views/table_create_alter.py
@@ -0,0 +1,1353 @@
+import json
+import re
+import time
+from typing import Annotated, Any, Literal, Union
+
+from datasette.database import QueryInterrupted
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+    Field,
+    ValidationError,
+    field_validator,
+    model_validator,
+)
+from pydantic_core import PydanticCustomError
+import sqlite_utils
+from sqlite_utils.db import DEFAULT as SQLITE_UTILS_DEFAULT
+
+from datasette.column_types import SQLiteType
+from datasette.events import AlterTableEvent, CreateTableEvent, InsertRowsEvent
+from datasette.resources import DatabaseResource, TableResource
+from datasette.utils import (
+    escape_sqlite,
+    get_outbound_foreign_keys,
+    table_column_details,
+)
+from datasette.utils.asgi import NotFound, Response
+from datasette.utils.sqlite import sqlite_hidden_table_names
+
+from .base import BaseView, _error
+
+CREATE_TABLE_COLUMN_TYPES = ["text", "integer", "float", "blob"]
+CREATE_TABLE_SQLITE_TYPES = {
+    "text": SQLiteType.TEXT,
+    "integer": SQLiteType.INTEGER,
+    "float": SQLiteType.REAL,
+    "blob": SQLiteType.BLOB,
+}
+CREATE_TABLE_TYPE_FOR_SQLITE_TYPE = {
+    sqlite_type: column_type
+    for column_type, sqlite_type in CREATE_TABLE_SQLITE_TYPES.items()
+}
+TABLE_NAME_RE = re.compile(r"^(?!sqlite_)[^\n]+$")
+ALTER_TABLE_COLUMN_TYPES = CREATE_TABLE_COLUMN_TYPES
+ALTER_TABLE_TYPE_FOR_SQLITE_TYPE = {
+    SQLiteType.TEXT: "text",
+    SQLiteType.INTEGER: "integer",
+    SQLiteType.REAL: "float",
+    SQLiteType.BLOB: "blob",
+}
+FOREIGN_KEY_SUGGESTION_ROW_LIMIT = 500
+FOREIGN_KEY_SUGGESTION_TIME_LIMIT_MS = 50
+FOREIGN_KEY_SUGGESTION_TOTAL_TIME_LIMIT_MS = 200
+FOREIGN_KEY_TARGETS_SQL = """
+select
+  m.name as fk_table,
+  p.name as fk_column,
+  case
+    when upper(coalesce(p.type, '')) like '%INT%' then 'integer'
+    when upper(coalesce(p.type, '')) like '%CHAR%'
+      or upper(coalesce(p.type, '')) like '%CLOB%'
+      or upper(coalesce(p.type, '')) like '%TEXT%' then 'text'
+    when upper(coalesce(p.type, '')) like '%BLOB%'
+      or coalesce(p.type, '') = '' then 'blob'
+    when upper(coalesce(p.type, '')) like '%REAL%'
+      or upper(coalesce(p.type, '')) like '%FLOA%'
+      or upper(coalesce(p.type, '')) like '%' || 'DOU' || 'B' || '%' then 'real'
+    else 'numeric'
+  end as type
+from sqlite_master as m
+cross join pragma_table_info(m.name) as p
+where m.type = 'table'
+  and m.name not like 'sqlite_%'
+  and p.pk > 0
+  and (
+    select count(*)
+    from pragma_table_info(m.name) as p2
+    where p2.pk > 0
+  ) = 1
+order by m.name
+"""
+
+
+class ForeignKeySuggestionTimedOut(Exception):
+    pass
+
+
+def _sqlite_type_affinity(type_name):
+    type_name = (type_name or "").upper()
+    if "INT" in type_name:
+        return "integer"
+    if any(token in type_name for token in ("CHAR", "CLOB", "TEXT")):
+        return "text"
+    if "BLOB" in type_name or not type_name:
+        return "blob"
+    if any(
+        token in type_name
+        for token in ("REAL", "FLOA", "DOUB")  # codespell:ignore doub
+    ):
+        return "real"
+    return "numeric"
+
+
+def _foreign_key_type_compatible(source_affinity, target_affinity):
+    if source_affinity == target_affinity:
+        return True
+    numeric_affinities = {"integer", "real", "numeric"}
+    if source_affinity == "numeric":
+        return target_affinity in numeric_affinities
+    if target_affinity == "numeric":
+        return source_affinity in numeric_affinities
+    return False
+
+
+def _public_foreign_key_target(target):
+    return {
+        "fk_table": target["fk_table"],
+        "fk_column": target["fk_column"],
+        "type": target["type"],
+    }
+
+
+def _singular(name):
+    if name.endswith("ies") and len(name) > 3:
+        return name[:-3] + "y"
+    if name.endswith("s") and len(name) > 1:
+        return name[:-1]
+    return name
+
+
+def _foreign_key_name_reasons(source_column, target):
+    source = source_column.lower()
+    table = target["fk_table"].lower()
+    singular_table = _singular(table)
+    column = target["fk_column"].lower()
+    possible_names = {
+        "{}_{}".format(table, column),
+        "{}_{}".format(singular_table, column),
+    }
+    if column == "id":
+        possible_names.update(
+            {
+                "{}_id".format(table),
+                "{}_id".format(singular_table),
+            }
+        )
+    return ["name_match"] if source in possible_names else []
+
+
+def _foreign_key_option_sort_key(source_column, target):
+    has_name_match = bool(_foreign_key_name_reasons(source_column, target))
+    return (
+        0 if has_name_match else 1,
+        target["fk_table"],
+        target["fk_column"],
+    )
+
+
+def _foreign_key_suggestion_metadata(conn, table_name):
+    hidden_tables = set(sqlite_hidden_table_names(conn))
+    source_columns = [
+        {
+            "column": column.name,
+            "type": (column.type or "").upper(),
+            "affinity": _sqlite_type_affinity(column.type),
+        }
+        for column in table_column_details(conn, table_name)
+        if not column.hidden
+    ]
+    current_by_column = {
+        fk["column"]: {
+            "fk_table": fk["other_table"],
+            "fk_column": fk["other_column"],
+        }
+        for fk in get_outbound_foreign_keys(conn, table_name)
+    }
+    table_names = [
+        row[0]
+        for row in conn.execute(
+            "select name from sqlite_master where type = 'table' order by name"
+        ).fetchall()
+        if not row[0].startswith("sqlite_")
+    ]
+    targets = []
+    for candidate_table in table_names:
+        if candidate_table == table_name or candidate_table in hidden_tables:
+            continue
+        columns = [column for column in table_column_details(conn, candidate_table)]
+        pks = [column for column in columns if column.is_pk and not column.hidden]
+        pks.sort(key=lambda column: column.is_pk)
+        if len(pks) != 1:
+            continue
+        pk = pks[0]
+        targets.append(
+            {
+                "fk_table": candidate_table,
+                "fk_column": pk.name,
+                "type": (pk.type or "").upper(),
+                "affinity": _sqlite_type_affinity(pk.type),
+            }
+        )
+    return source_columns, targets, current_by_column
+
+
+async def _foreign_key_suggestion_samples(db, table_name, columns):
+    if not columns:
+        return 0, {}
+    sql = "select {} from {} limit {}".format(
+        ", ".join(escape_sqlite(column) for column in columns),
+        escape_sqlite(table_name),
+        FOREIGN_KEY_SUGGESTION_ROW_LIMIT,
+    )
+    try:
+        results = await db.execute(
+            sql,
+            custom_time_limit=FOREIGN_KEY_SUGGESTION_TIME_LIMIT_MS,
+            log_sql_errors=False,
+        )
+    except QueryInterrupted as e:
+        raise ForeignKeySuggestionTimedOut from e
+    values_by_column = {column: [] for column in columns}
+    seen_by_column = {column: set() for column in columns}
+    for row in results.rows:
+        for column in columns:
+            value = row[column]
+            if value is None or value in seen_by_column[column]:
+                continue
+            seen_by_column[column].add(value)
+            values_by_column[column].append(value)
+    return len(results.rows), values_by_column
+
+
+async def _foreign_key_suggestion_values_exist(db, target, values, time_limit_ms):
+    if not values:
+        return False
+    sql = "select {} from {} where {} in ({})".format(
+        escape_sqlite(target["fk_column"]),
+        escape_sqlite(target["fk_table"]),
+        escape_sqlite(target["fk_column"]),
+        ", ".join("?" for _ in values),
+    )
+    try:
+        results = await db.execute(
+            sql,
+            params=values,
+            custom_time_limit=time_limit_ms,
+            log_sql_errors=False,
+        )
+    except QueryInterrupted as e:
+        raise ForeignKeySuggestionTimedOut from e
+    found = {row[0] for row in results.rows}
+    return all(value in found for value in values)
+
+
+async def _create_table_ui_context(
+    datasette, request, db, database_name, database_action_permissions
+):
+    if not db.is_mutable:
+        return None
+    if not database_action_permissions.get("create-table"):
+        return None
+    data = {
+        "path": "{}/-/create".format(datasette.urls.database(database_name)),
+        "foreignKeyTargetsPath": "{}/-/foreign-key-targets".format(
+            datasette.urls.database(database_name)
+        ),
+        "databaseName": database_name,
+        "columnTypes": CREATE_TABLE_COLUMN_TYPES,
+        "defaultExpressions": default_expression_options(),
+    }
+    can_set_column_type = await datasette.allowed(
+        action="set-column-type",
+        resource=TableResource(database=database_name, table="__new_table__"),
+        actor=request.actor,
+    )
+    if can_set_column_type:
+        data["customColumnTypes"] = _custom_column_type_options_for_create_table(
+            datasette
+        )
+    return data
+
+
+def _custom_column_type_options_for_create_table(datasette):
+    options = []
+    for name, ct_cls in sorted(datasette._column_types.items()):
+        sqlite_types = getattr(ct_cls, "sqlite_types", None)
+        if sqlite_types is None:
+            option_sqlite_types = CREATE_TABLE_COLUMN_TYPES[:]
+        else:
+            option_sqlite_types = [
+                create_table_type
+                for create_table_type, sqlite_type in CREATE_TABLE_SQLITE_TYPES.items()
+                if sqlite_type in sqlite_types
+            ]
+        if not option_sqlite_types:
+            continue
+        option = {
+            "name": name,
+            "description": ct_cls.description,
+            "sqliteTypes": option_sqlite_types,
+        }
+        if sqlite_types is not None and len(sqlite_types) == 1:
+            fixed_sqlite_type = CREATE_TABLE_TYPE_FOR_SQLITE_TYPE.get(sqlite_types[0])
+            if fixed_sqlite_type is not None:
+                option["fixedSqliteType"] = fixed_sqlite_type
+        options.append(option)
+    return options
+
+
+SqliteApiType = Literal["text", "integer", "float", "blob"]
+DEFAULT_EXPRESSIONS = {
+    "current_timestamp": {
+        "sql": "CURRENT_TIMESTAMP",
+        "label": "Current timestamp in UTC, e.g. 2026-05-01 13:34:00",
+        "sqliteType": "text",
+    },
+    "current_date": {
+        "sql": "CURRENT_DATE",
+        "label": "Current date in UTC, e.g. 2026-05-01",
+        "sqliteType": "text",
+    },
+    "current_time": {
+        "sql": "CURRENT_TIME",
+        "label": "Current time in UTC, e.g. 13:34:00",
+        "sqliteType": "text",
+    },
+    "current_unixtime": {
+        "sql": "(CAST(strftime('%s', 'now') AS INTEGER))",
+        "label": "Current Unix time, integer seconds since the epoch",
+        "sqliteType": "integer",
+    },
+    "current_unixtime_ms": {
+        "sql": "(CAST((julianday('now') - 2440587.5) * 86400000 AS INTEGER))",
+        "label": "Current Unix time, integer milliseconds since the epoch",
+        "sqliteType": "integer",
+    },
+}
+DefaultExpr = str
+DEFAULT_EXPR_SQL = {
+    name: metadata["sql"] for name, metadata in DEFAULT_EXPRESSIONS.items()
+}
+
+
+def _strip_wrapping_parentheses(expression):
+    expression = expression.strip()
+    while expression.startswith("(") and expression.endswith(")"):
+        depth = 0
+        in_single_quote = False
+        wraps_whole_expression = True
+        i = 0
+        while i < len(expression):
+            char = expression[i]
+            if char == "'":
+                if (
+                    in_single_quote
+                    and i + 1 < len(expression)
+                    and expression[i + 1] == "'"
+                ):
+                    i += 2
+                    continue
+                in_single_quote = not in_single_quote
+            elif not in_single_quote:
+                if char == "(":
+                    depth += 1
+                elif char == ")":
+                    depth -= 1
+                    if depth == 0 and i != len(expression) - 1:
+                        wraps_whole_expression = False
+                        break
+            i += 1
+        if not wraps_whole_expression or depth != 0 or in_single_quote:
+            break
+        expression = expression[1:-1].strip()
+    return expression
+
+
+def _default_expression_lookup_key(expression):
+    return re.sub(r"\s+", " ", _strip_wrapping_parentheses(expression)).lower()
+
+
+DEFAULT_EXPR_BY_SQL = {
+    _default_expression_lookup_key(sql): name for name, sql in DEFAULT_EXPR_SQL.items()
+}
+
+
+def default_expr_for_sql(expression):
+    if expression is None:
+        return None
+    return DEFAULT_EXPR_BY_SQL.get(_default_expression_lookup_key(expression))
+
+
+def _quoted_options(options):
+    if len(options) == 1:
+        return "'{}'".format(options[0])
+    return "{} or '{}'".format(
+        ", ".join("'{}'".format(option) for option in options[:-1]),
+        options[-1],
+    )
+
+
+def _default_expr_error_message():
+    return "Input should be {}".format(_quoted_options(list(DEFAULT_EXPRESSIONS)))
+
+
+def default_expression_options():
+    return [
+        {
+            "value": value,
+            "label": metadata["label"],
+            "sqliteType": metadata["sqliteType"],
+        }
+        for value, metadata in DEFAULT_EXPRESSIONS.items()
+    ]
+
+
+class _StrictPydanticModel(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+
+class _DefaultArgsMixin(_StrictPydanticModel):
+    default: Any | None = None
+    default_expr: DefaultExpr | None = None
+
+    @field_validator("default_expr")
+    @classmethod
+    def validate_default_expr_value(cls, value):
+        if value is not None and value not in DEFAULT_EXPRESSIONS:
+            raise PydanticCustomError("default_expr", _default_expr_error_message())
+        return value
+
+    @model_validator(mode="after")
+    def validate_default_fields(self):
+        has_default = "default" in self.model_fields_set
+        has_default_expr = "default_expr" in self.model_fields_set
+        if has_default and has_default_expr:
+            raise ValueError("default and default_expr cannot both be provided")
+        if has_default_expr and self.default_expr is None:
+            raise ValueError("default_expr cannot be null")
+        return self
+
+
+class CreateTableColumn(_DefaultArgsMixin):
+
+    name: Any = None
+    type: Any = "text"
+    fk_table: str | None = None
+    fk_column: str | None = None
+    not_null: bool = False
+
+    @model_validator(mode="after")
+    def validate_column(self):
+        if not self.name or not isinstance(self.name, str):
+            raise PydanticCustomError("create_table", "Column name is required")
+        if not self.type:
+            self.type = "text"
+        elif self.type not in CREATE_TABLE_COLUMN_TYPES:
+            raise PydanticCustomError(
+                "create_table", "Unsupported column type: {type}", {"type": self.type}
+            )
+        if self.fk_column and not self.fk_table:
+            raise PydanticCustomError(
+                "create_table_with_location",
+                "fk_column requires fk_table",
+            )
+        return self
+
+
+class CreateTableRequest(_StrictPydanticModel):
+    table: Any = None
+    rows: Any = None
+    row: Any = None
+    columns: list[CreateTableColumn] | None = None
+    pk: Any = None
+    pks: Any = None
+    ignore: bool | None = None
+    replace: bool | None = None
+    alter: bool | None = None
+
+    @field_validator("columns", mode="before")
+    @classmethod
+    def validate_columns_list(cls, value):
+        if value is None:
+            return value
+        if not isinstance(value, list):
+            raise PydanticCustomError("create_table", "columns must be a list")
+        if not all(isinstance(column, dict) for column in value):
+            raise PydanticCustomError(
+                "create_table", "columns must be a list of objects"
+            )
+        return value
+
+    @model_validator(mode="after")
+    def validate_request(self):
+        if not self.table:
+            raise PydanticCustomError("create_table", "Table is required")
+        if not isinstance(self.table, str) or not TABLE_NAME_RE.match(self.table):
+            raise PydanticCustomError("create_table", "Invalid table name")
+        if not self.columns and not self.rows and not self.row:
+            raise PydanticCustomError(
+                "create_table", "columns, rows or row is required"
+            )
+        if self.rows and self.row:
+            raise PydanticCustomError(
+                "create_table", "Cannot specify both rows and row"
+            )
+        if self.columns and (self.rows or self.row):
+            raise PydanticCustomError(
+                "create_table", "Cannot specify columns with rows or row"
+            )
+        if self.columns is not None:
+            seen = set()
+            duplicates = []
+            for column in self.columns:
+                if column.name in seen and column.name not in duplicates:
+                    duplicates.append(column.name)
+                seen.add(column.name)
+            if duplicates:
+                raise PydanticCustomError(
+                    "create_table",
+                    "Duplicate column name: {names}",
+                    {"names": ", ".join(duplicates)},
+                )
+        if self.rows is not None:
+            if not isinstance(self.rows, list):
+                raise PydanticCustomError("create_table", "rows must be a list")
+            if not all(isinstance(row, dict) for row in self.rows):
+                raise PydanticCustomError(
+                    "create_table", "rows must be a list of objects"
+                )
+        if self.pk is not None and not isinstance(self.pk, str):
+            raise PydanticCustomError("create_table", "pk must be a string")
+        if self.pk and self.pks:
+            raise PydanticCustomError("create_table", "Cannot specify both pk and pks")
+        if self.pks is not None:
+            if not isinstance(self.pks, list):
+                raise PydanticCustomError("create_table", "pks must be a list")
+            if not all(isinstance(pk, str) for pk in self.pks):
+                raise PydanticCustomError(
+                    "create_table", "pks must be a list of strings"
+                )
+        if self.ignore and self.replace:
+            raise PydanticCustomError(
+                "create_table", "ignore and replace are mutually exclusive"
+            )
+        if {"ignore", "replace"} & self.model_fields_set:
+            if not self.row and not self.rows:
+                raise PydanticCustomError(
+                    "create_table", "ignore and replace require row or rows"
+                )
+            if not self.pk and not self.pks:
+                raise PydanticCustomError(
+                    "create_table", "ignore and replace require pk or pks"
+                )
+        return self
+
+    @property
+    def rows_list(self):
+        return [self.row] if self.row else self.rows
+
+    @property
+    def foreign_keys(self):
+        if not self.columns:
+            return None
+        foreign_keys = []
+        for column in self.columns:
+            if column.fk_table and column.fk_column:
+                foreign_keys.append((column.name, column.fk_table, column.fk_column))
+            elif column.fk_table:
+                foreign_keys.append((column.name, column.fk_table))
+        return foreign_keys or None
+
+
+class AddColumnArgs(_DefaultArgsMixin):
+    name: str
+    type: SqliteApiType = "text"
+    not_null: bool = False
+
+
+class RenameColumnArgs(_StrictPydanticModel):
+    name: str
+    to: str
+
+
+class RenameTableArgs(_StrictPydanticModel):
+    to: str
+
+    @field_validator("to")
+    @classmethod
+    def validate_table_name(cls, v):
+        if not TABLE_NAME_RE.match(v):
+            raise PydanticCustomError(
+                "alter_table_rename_table",
+                "Invalid table name",
+            )
+        return v
+
+
+class AlterColumnArgs(_DefaultArgsMixin):
+    name: str
+    type: SqliteApiType | None = None
+    not_null: bool | None = None
+
+    @model_validator(mode="after")
+    def require_change(self):
+        if not (
+            {"type", "not_null", "default", "default_expr"} & self.model_fields_set
+        ):
+            raise ValueError(
+                "At least one of type, not_null, default or default_expr must be provided"
+            )
+        return self
+
+
+class DropColumnArgs(_StrictPydanticModel):
+    name: str
+
+
+class SetPrimaryKeyArgs(_StrictPydanticModel):
+    columns: list[str] = Field(min_length=1)
+
+
+class ReorderColumnsArgs(_StrictPydanticModel):
+    columns: list[str] = Field(min_length=1)
+
+
+class ForeignKeyArgs(_StrictPydanticModel):
+    column: str
+    fk_table: str | None = None
+    fk_column: str | None = None
+
+    @model_validator(mode="after")
+    def validate_foreign_key(self):
+        if self.fk_column and not self.fk_table:
+            raise PydanticCustomError(
+                "alter_table_foreign_key",
+                "fk_column requires fk_table",
+            )
+        if not self.fk_table:
+            raise PydanticCustomError(
+                "alter_table_foreign_key",
+                "fk_table is required",
+            )
+        return self
+
+    @property
+    def tuple(self):
+        if self.fk_column:
+            return (self.column, self.fk_table, self.fk_column)
+        return (self.column, self.fk_table)
+
+
+class DropForeignKeyArgs(_StrictPydanticModel):
+    column: str
+
+
+class SetForeignKeysArgs(_StrictPydanticModel):
+    foreign_keys: list[ForeignKeyArgs]
+
+
+class AddColumnOperation(_StrictPydanticModel):
+    op: Literal["add_column"]
+    args: AddColumnArgs
+
+
+class RenameColumnOperation(_StrictPydanticModel):
+    op: Literal["rename_column"]
+    args: RenameColumnArgs
+
+
+class RenameTableOperation(_StrictPydanticModel):
+    op: Literal["rename_table"]
+    args: RenameTableArgs
+
+
+class AlterColumnOperation(_StrictPydanticModel):
+    op: Literal["alter_column"]
+    args: AlterColumnArgs
+
+
+class DropColumnOperation(_StrictPydanticModel):
+    op: Literal["drop_column"]
+    args: DropColumnArgs
+
+
+class SetPrimaryKeyOperation(_StrictPydanticModel):
+    op: Literal["set_primary_key"]
+    args: SetPrimaryKeyArgs
+
+
+class ReorderColumnsOperation(_StrictPydanticModel):
+    op: Literal["reorder_columns"]
+    args: ReorderColumnsArgs
+
+
+class AddForeignKeyOperation(_StrictPydanticModel):
+    op: Literal["add_foreign_key"]
+    args: ForeignKeyArgs
+
+
+class DropForeignKeyOperation(_StrictPydanticModel):
+    op: Literal["drop_foreign_key"]
+    args: DropForeignKeyArgs
+
+
+class SetForeignKeysOperation(_StrictPydanticModel):
+    op: Literal["set_foreign_keys"]
+    args: SetForeignKeysArgs
+
+
+AlterTableOperation = Annotated[
+    Union[
+        AddColumnOperation,
+        RenameColumnOperation,
+        RenameTableOperation,
+        AlterColumnOperation,
+        DropColumnOperation,
+        SetPrimaryKeyOperation,
+        ReorderColumnsOperation,
+        AddForeignKeyOperation,
+        DropForeignKeyOperation,
+        SetForeignKeysOperation,
+    ],
+    Field(discriminator="op"),
+]
+
+
+class AlterTableRequest(_StrictPydanticModel):
+    operations: list[AlterTableOperation] = Field(min_length=1)
+
+
+def _pydantic_errors(validation_error):
+    errors = []
+    for error in validation_error.errors():
+        location = ".".join(str(item) for item in error["loc"])
+        message = error["msg"]
+        errors.append("{}: {}".format(location, message) if location else message)
+    return errors
+
+
+def _create_table_pydantic_errors(validation_error):
+    errors = validation_error.errors()
+    invalid_keys = sorted(
+        str(error["loc"][0])
+        for error in errors
+        if error["type"] == "extra_forbidden" and len(error["loc"]) == 1
+    )
+    if invalid_keys:
+        return ["Invalid keys: {}".format(", ".join(invalid_keys))]
+
+    output = []
+    for error in errors:
+        message = error["msg"]
+        if error["type"] == "create_table":
+            output.append(message)
+            continue
+        location = ".".join(str(item) for item in error["loc"])
+        output.append("{}: {}".format(location, message) if location else message)
+    return output
+
+
+def _table_schema_from_conn(conn, table_name):
+    row = conn.execute(
+        "select sql from sqlite_master where type = 'table' and name = ?",
+        [table_name],
+    ).fetchone()
+    return row[0] if row else None
+
+
+def _primary_key_value(columns):
+    if len(columns) == 1:
+        return columns[0]
+    return tuple(columns)
+
+
+def _default_expression_sql(default_expr):
+    return DEFAULT_EXPR_SQL[default_expr]
+
+
+def _literal_default(db, value):
+    if isinstance(value, str):
+        return db.quote(value)
+    return value
+
+
+class TableCreateView(BaseView):
+    name = "table-create"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def post(self, request):
+        db = await self.ds.resolve_database(request)
+        database_name = db.name
+
+        # Must have create-table permission
+        if not await self.ds.allowed(
+            action="create-table",
+            resource=DatabaseResource(database=database_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied"], 403)
+
+        try:
+            data = await request.json()
+        except json.JSONDecodeError as e:
+            return _error(["Invalid JSON: {}".format(e)])
+
+        if not isinstance(data, dict):
+            return _error(["JSON must be an object"])
+
+        try:
+            create_request = CreateTableRequest.model_validate(data)
+        except ValidationError as e:
+            return _error(_create_table_pydantic_errors(e))
+
+        ignore = create_request.ignore
+        replace = create_request.replace
+
+        if replace:
+            # Must have update-row permission
+            if not await self.ds.allowed(
+                action="update-row",
+                resource=DatabaseResource(database=database_name),
+                actor=request.actor,
+            ):
+                return _error(["Permission denied: need update-row"], 403)
+
+        table_name = create_request.table
+        table_exists = await db.table_exists(table_name)
+        columns = create_request.columns
+        rows = create_request.rows_list
+
+        if rows:
+            # Must have insert-row permission
+            if not await self.ds.allowed(
+                action="insert-row",
+                resource=DatabaseResource(database=database_name),
+                actor=request.actor,
+            ):
+                return _error(["Permission denied: need insert-row"], 403)
+
+        alter = False
+        if rows:
+            if not table_exists:
+                # if table is being created for the first time, alter=True
+                alter = True
+            else:
+                # alter=True only if they request it AND they have permission
+                if create_request.alter:
+                    if not await self.ds.allowed(
+                        action="alter-table",
+                        resource=DatabaseResource(database=database_name),
+                        actor=request.actor,
+                    ):
+                        return _error(["Permission denied: need alter-table"], 403)
+                    alter = True
+
+        pk = create_request.pk
+        pks = create_request.pks
+
+        # If table exists already, read pks from that instead
+        if table_exists:
+            actual_pks = await db.primary_keys(table_name)
+            # if pk passed and table already exists check it does not change
+            bad_pks = False
+            if len(actual_pks) == 1 and pk and pk != actual_pks[0]:
+                bad_pks = True
+            elif len(actual_pks) > 1 and pks and set(pks) != set(actual_pks):
+                bad_pks = True
+            if bad_pks:
+                return _error(["pk cannot be changed for existing table"])
+            pks = actual_pks
+
+        initial_schema = None
+        if table_exists:
+            initial_schema = await db.execute_fn(
+                lambda conn: sqlite_utils.Database(conn)[table_name].schema
+            )
+
+        def create_table(conn):
+            db_for_write = sqlite_utils.Database(conn)
+            table = db_for_write[table_name]
+            if rows:
+                table.insert_all(
+                    rows, pk=pks or pk, ignore=ignore, replace=replace, alter=alter
+                )
+            else:
+                not_null = [column.name for column in columns if column.not_null]
+                defaults = {}
+                for column in columns:
+                    if "default_expr" in column.model_fields_set:
+                        defaults[column.name] = _default_expression_sql(
+                            column.default_expr
+                        )
+                    elif (
+                        "default" in column.model_fields_set
+                        and column.default is not None
+                    ):
+                        defaults[column.name] = _literal_default(
+                            db_for_write, column.default
+                        )
+                table.create(
+                    {column.name: column.type for column in columns},
+                    pk=pks or pk,
+                    foreign_keys=create_request.foreign_keys,
+                    not_null=not_null or None,
+                    defaults=defaults or None,
+                )
+            return table.schema
+
+        try:
+            schema = await db.execute_write_fn(create_table, request=request)
+        except Exception as e:
+            return _error([str(e)])
+
+        if initial_schema is not None and initial_schema != schema:
+            await self.ds.track_event(
+                AlterTableEvent(
+                    request.actor,
+                    database=database_name,
+                    table=table_name,
+                    before_schema=initial_schema,
+                    after_schema=schema,
+                )
+            )
+
+        table_url = self.ds.absolute_url(
+            request, self.ds.urls.table(db.name, table_name)
+        )
+        table_api_url = self.ds.absolute_url(
+            request, self.ds.urls.table(db.name, table_name, format="json")
+        )
+        details = {
+            "ok": True,
+            "database": db.name,
+            "table": table_name,
+            "table_url": table_url,
+            "table_api_url": table_api_url,
+            "schema": schema,
+        }
+        if rows:
+            details["row_count"] = len(rows)
+
+        if not table_exists:
+            # Only log creation if we created a table
+            await self.ds.track_event(
+                CreateTableEvent(
+                    request.actor, database=db.name, table=table_name, schema=schema
+                )
+            )
+        if rows:
+            await self.ds.track_event(
+                InsertRowsEvent(
+                    request.actor,
+                    database=db.name,
+                    table=table_name,
+                    num_rows=len(rows),
+                    ignore=ignore,
+                    replace=replace,
+                )
+            )
+        return Response.json(details, status=201)
+
+
+class DatabaseForeignKeyTargetsView(BaseView):
+    name = "database-foreign-key-targets"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def get(self, request):
+        db = await self.ds.resolve_database(request)
+        database_name = db.name
+
+        table_name = request.args.get("table")
+        can_create_table = await self.ds.allowed(
+            action="create-table",
+            resource=DatabaseResource(database=database_name),
+            actor=request.actor,
+        )
+        can_alter_table = False
+        if table_name and await db.table_exists(table_name):
+            can_alter_table = await self.ds.allowed(
+                action="alter-table",
+                resource=TableResource(database=database_name, table=table_name),
+                actor=request.actor,
+            )
+        if not (can_create_table or can_alter_table):
+            return _error(["Permission denied: need create-table"], 403)
+
+        hidden_tables = await db.execute_fn(
+            lambda conn: set(sqlite_hidden_table_names(conn))
+        )
+        targets = [
+            target
+            for target in (await db.execute(FOREIGN_KEY_TARGETS_SQL)).dicts()
+            if target["fk_table"] not in hidden_tables
+        ]
+        return Response.json(
+            {
+                "ok": True,
+                "database": database_name,
+                "targets": targets,
+            }
+        )
+
+
+class TableForeignKeySuggestionsView(BaseView):
+    name = "table-foreign-key-suggestions"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def get(self, request):
+        try:
+            resolved = await self.ds.resolve_table(request)
+        except NotFound as e:
+            return _error([e.args[0]], 404)
+
+        db = resolved.db
+        database_name = db.name
+        table_name = resolved.table
+
+        if resolved.is_view:
+            return _error(["Cannot suggest foreign keys for a view"], 400)
+
+        if not await self.ds.allowed(
+            action="alter-table",
+            resource=TableResource(database=database_name, table=table_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need alter-table"], 403)
+
+        source_columns, targets, current_by_column = await db.execute_fn(
+            lambda conn: _foreign_key_suggestion_metadata(conn, table_name)
+        )
+
+        columns = []
+        options_by_column = {}
+        for source_column in source_columns:
+            options = sorted(
+                [
+                    target
+                    for target in targets
+                    if _foreign_key_type_compatible(
+                        source_column["affinity"], target["affinity"]
+                    )
+                ],
+                key=lambda target: _foreign_key_option_sort_key(
+                    source_column["column"], target
+                ),
+            )
+            options_by_column[source_column["column"]] = options
+            columns.append(
+                {
+                    "column": source_column["column"],
+                    "type": source_column["type"],
+                    "affinity": source_column["affinity"],
+                    "current": current_by_column.get(source_column["column"]),
+                    "suggestions": [],
+                    "options": [
+                        _public_foreign_key_target(option) for option in options
+                    ],
+                }
+            )
+
+        columns_to_sample = [
+            column["column"]
+            for column in columns
+            if options_by_column[column["column"]]
+        ]
+        row_check = {
+            "attempted": bool(columns_to_sample),
+            "status": "completed" if columns_to_sample else "skipped",
+            "row_limit": FOREIGN_KEY_SUGGESTION_ROW_LIMIT,
+            "sampled_rows": 0,
+            "checked_options": 0,
+        }
+
+        try:
+            sampled_rows, values_by_column = await _foreign_key_suggestion_samples(
+                db, table_name, columns_to_sample
+            )
+            row_check["sampled_rows"] = sampled_rows
+            deadline = time.perf_counter() + (
+                FOREIGN_KEY_SUGGESTION_TOTAL_TIME_LIMIT_MS / 1000
+            )
+            for column_info in columns:
+                values = values_by_column.get(column_info["column"]) or []
+                if not values:
+                    continue
+                for option in options_by_column[column_info["column"]]:
+                    remaining_ms = int((deadline - time.perf_counter()) * 1000)
+                    if remaining_ms <= 0:
+                        raise ForeignKeySuggestionTimedOut
+                    if await _foreign_key_suggestion_values_exist(
+                        db,
+                        option,
+                        values,
+                        min(FOREIGN_KEY_SUGGESTION_TIME_LIMIT_MS, remaining_ms),
+                    ):
+                        reasons = [
+                            "type_match",
+                            "sample_values_exist",
+                        ] + _foreign_key_name_reasons(column_info["column"], option)
+                        column_info["suggestions"].append(
+                            {
+                                "fk_table": option["fk_table"],
+                                "fk_column": option["fk_column"],
+                                "confidence": "sampled",
+                                "sampled_values": len(values),
+                                "reasons": reasons,
+                            }
+                        )
+                    row_check["checked_options"] += 1
+        except ForeignKeySuggestionTimedOut:
+            row_check["status"] = "timed_out"
+
+        return Response.json(
+            {
+                "ok": True,
+                "database": database_name,
+                "table": table_name,
+                "row_check": row_check,
+                "columns": columns,
+            }
+        )
+
+
+class TableAlterView(BaseView):
+    name = "table-alter"
+
+    def __init__(self, datasette):
+        self.ds = datasette
+
+    async def post(self, request):
+        try:
+            resolved = await self.ds.resolve_table(request)
+        except NotFound as e:
+            return _error([e.args[0]], 404)
+
+        db = resolved.db
+        database_name = db.name
+        table_name = resolved.table
+
+        if not await self.ds.allowed(
+            action="alter-table",
+            resource=TableResource(database=database_name, table=table_name),
+            actor=request.actor,
+        ):
+            return _error(["Permission denied: need alter-table"], 403)
+
+        if not db.is_mutable:
+            return _error(["Database is immutable"], 403)
+
+        content_type = request.headers.get("content-type") or ""
+        if not content_type.startswith("application/json"):
+            return _error(["Invalid content-type, must be application/json"], 400)
+
+        try:
+            data = await request.json()
+        except json.JSONDecodeError as e:
+            return _error(["Invalid JSON: {}".format(e)], 400)
+
+        if not isinstance(data, dict):
+            return _error(["JSON must be a dictionary"], 400)
+
+        try:
+            alter_request = AlterTableRequest.model_validate(data)
+        except ValidationError as e:
+            return _error(_pydantic_errors(e), 400)
+
+        def alter_table(conn):
+            before_schema = _table_schema_from_conn(conn, table_name)
+
+            def apply_operations(operation_conn):
+                db_for_write = sqlite_utils.Database(operation_conn)
+                table = db_for_write[table_name]
+                current_table_name = table_name
+
+                add_columns = []
+                types = {}
+                rename = {}
+                rename_table_to = None
+                drop = set()
+                not_null = {}
+                defaults = {}
+                column_order = None
+                pk = SQLITE_UTILS_DEFAULT
+                add_foreign_keys = []
+                drop_foreign_keys = []
+                foreign_keys = None
+
+                for operation in alter_request.operations:
+                    args = operation.args
+                    if operation.op == "add_column":
+                        if args.not_null and not (
+                            (
+                                "default" in args.model_fields_set
+                                and args.default is not None
+                            )
+                            or "default_expr" in args.model_fields_set
+                        ):
+                            raise ValueError(
+                                "add_column args.default or args.default_expr is required when not_null is true"
+                            )
+                        add_columns.append(args)
+                        if "default" in args.model_fields_set and not args.not_null:
+                            defaults[args.name] = _literal_default(
+                                db_for_write, args.default
+                            )
+                        if (
+                            "default_expr" in args.model_fields_set
+                            and not args.not_null
+                        ):
+                            defaults[args.name] = _default_expression_sql(
+                                args.default_expr
+                            )
+                    elif operation.op == "rename_table":
+                        rename_table_to = args.to
+                    elif operation.op == "rename_column":
+                        rename[args.name] = args.to
+                    elif operation.op == "alter_column":
+                        if args.type is not None:
+                            types[args.name] = args.type
+                        if args.not_null is not None:
+                            not_null[args.name] = args.not_null
+                        if "default" in args.model_fields_set:
+                            defaults[args.name] = (
+                                None
+                                if args.default is None
+                                else _literal_default(db_for_write, args.default)
+                            )
+                        if "default_expr" in args.model_fields_set:
+                            defaults[args.name] = _default_expression_sql(
+                                args.default_expr
+                            )
+                    elif operation.op == "drop_column":
+                        drop.add(args.name)
+                    elif operation.op == "set_primary_key":
+                        pk = _primary_key_value(args.columns)
+                    elif operation.op == "reorder_columns":
+                        column_order = args.columns
+                    elif operation.op == "add_foreign_key":
+                        add_foreign_keys.append(args.tuple)
+                    elif operation.op == "drop_foreign_key":
+                        drop_foreign_keys.append(args.column)
+                    elif operation.op == "set_foreign_keys":
+                        foreign_keys = [fk.tuple for fk in args.foreign_keys]
+
+                with operation_conn:
+                    for column in add_columns:
+                        not_null_default = None
+                        if column.not_null:
+                            if "default_expr" in column.model_fields_set:
+                                not_null_default = _default_expression_sql(
+                                    column.default_expr
+                                )
+                            else:
+                                not_null_default = _literal_default(
+                                    db_for_write, column.default
+                                )
+                        table.add_column(
+                            column.name,
+                            column.type,
+                            not_null_default=not_null_default,
+                        )
+
+                    should_transform = any(
+                        (
+                            types,
+                            rename,
+                            drop,
+                            not_null,
+                            defaults,
+                            column_order is not None,
+                            pk is not SQLITE_UTILS_DEFAULT,
+                            add_foreign_keys,
+                            drop_foreign_keys,
+                            foreign_keys is not None,
+                        )
+                    )
+                    if should_transform:
+                        table.transform(
+                            types=types or None,
+                            rename=rename or None,
+                            drop=drop or None,
+                            pk=pk,
+                            not_null=not_null or None,
+                            defaults=defaults or None,
+                            column_order=column_order,
+                            add_foreign_keys=add_foreign_keys or None,
+                            drop_foreign_keys=drop_foreign_keys or None,
+                            foreign_keys=foreign_keys,
+                        )
+                    if (
+                        rename_table_to is not None
+                        and rename_table_to != current_table_name
+                    ):
+                        operation_conn.execute(
+                            "alter table {} rename to {}".format(
+                                escape_sqlite(current_table_name),
+                                escape_sqlite(rename_table_to),
+                            )
+                        )
+                        current_table_name = rename_table_to
+
+                return current_table_name, _table_schema_from_conn(
+                    operation_conn, current_table_name
+                )
+
+            after_table_name, after_schema = apply_operations(conn)
+            return before_schema, after_schema, after_table_name
+
+        try:
+            before_schema, after_schema, after_table_name = await db.execute_write_fn(
+                alter_table, request=request
+            )
+        except Exception as e:
+            return _error([str(e)], 400)
+
+        altered = before_schema != after_schema
+        if altered:
+            await self.ds.track_event(
+                AlterTableEvent(
+                    request.actor,
+                    database=database_name,
+                    table=after_table_name,
+                    before_schema=before_schema,
+                    after_schema=after_schema,
+                )
+            )
+
+        table_url = self.ds.absolute_url(
+            request, self.ds.urls.table(database_name, after_table_name)
+        )
+        table_api_url = self.ds.absolute_url(
+            request, self.ds.urls.table(database_name, after_table_name, format="json")
+        )
+        return Response.json(
+            {
+                "ok": True,
+                "database": database_name,
+                "table": after_table_name,
+                "table_url": table_url,
+                "table_api_url": table_api_url,
+                "altered": altered,
+                "schema": after_schema,
+                "before_schema": before_schema,
+                "operations_applied": len(alter_request.operations),
+            },
+            status=200,
+        )
diff --git a/datasette/views/table_extras.py b/datasette/views/table_extras.py
new file mode 100644
index 00000000..db659c80
--- /dev/null
+++ b/datasette/views/table_extras.py
@@ -0,0 +1,1252 @@
+import itertools
+from dataclasses import dataclass
+
+from datasette.database import QueryInterrupted
+from datasette.extras import Extra, ExtraExample, ExtraRegistry, ExtraScope, Provider
+from datasette.plugins import pm
+from datasette.resources import DatabaseResource, TableResource
+from datasette.utils import (
+    await_me_maybe,
+    call_with_supported_arguments,
+    path_with_added_args,
+    path_with_format,
+    path_with_removed_args,
+    to_css_class,
+)
+
+
+@dataclass(frozen=True)
+class TableExtraContext:
+    datasette: object
+    request: object
+    resolved: object
+    db: object
+    database_name: str
+    table_name: str
+    is_view: bool
+    private: bool
+    rows: list
+    columns: list
+    results_description: list
+    table_columns: list
+    pks: list
+    count_sql: str
+    from_sql: str
+    from_sql_params: dict
+    nocount: object
+    nofacet: object
+    nosuggest: object
+    next_arg: object
+    next_url: str | None
+    sql: str
+    sql_no_order_no_limit: str
+    params: dict
+    table_metadata: dict
+    filters: object
+    extra_human_descriptions: list
+    sort: str | None
+    sort_desc: str | None
+    sortable_columns: set
+    extras: set
+    extra_registry: ExtraRegistry
+    display_columns_and_rows: object
+    run_sequential: object
+    query_name: str | None = None
+    scope: ExtraScope = ExtraScope.TABLE
+
+
+@dataclass(frozen=True)
+class RowExtraContext:
+    datasette: object
+    request: object
+    db: object
+    database_name: str
+    table_name: str
+    private: bool
+    rows: list
+    columns: list
+    pks: list
+    pk_values: list
+    sql: str
+    params: dict
+    extras: set
+    extra_registry: ExtraRegistry
+    foreign_key_tables: object
+    is_view: bool = False
+    scope: ExtraScope = ExtraScope.ROW
+
+
+@dataclass(frozen=True)
+class QueryExtraContext:
+    datasette: object
+    request: object
+    db: object
+    database_name: str
+    private: bool
+    rows: list
+    columns: list
+    sql: str | None
+    params: dict
+    query_name: str | None
+    metadata: dict
+    extras: set
+    extra_registry: ExtraRegistry
+    table_name: str | None = None
+    is_view: bool = False
+    pks: list | None = None
+    scope: ExtraScope = ExtraScope.QUERY
+
+
+class CountSqlExtra(Extra):
+    description = "SQL query string used to calculate the total count for the current table view, including active filters."
+    example = ExtraExample("/fixtures/facetable.json?_size=0&_extra=count_sql")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return context.count_sql
+
+
+class CountExtra(Extra):
+    description = "Total count of rows matching these filters"
+    example = ExtraExample("/fixtures/facetable.json?_extra=count")
+    scopes = {ExtraScope.TABLE}
+    expensive = True
+
+    async def resolve(self, context):
+        count = None
+        if (
+            not context.db.is_mutable
+            and context.datasette.inspect_data
+            and context.count_sql == f"select count(*) from {context.table_name} "
+        ):
+            try:
+                count = context.datasette.inspect_data[context.database_name]["tables"][
+                    context.table_name
+                ]["count"]
+            except KeyError:
+                pass
+
+        if context.count_sql and count is None and not context.nocount:
+            count_sql_limited = "select count(*) from (select * {} limit {})".format(
+                context.from_sql, context.db.count_limit + 1
+            )
+            try:
+                count_rows = list(
+                    await context.db.execute(count_sql_limited, context.from_sql_params)
+                )
+                count = count_rows[0][0]
+            except QueryInterrupted:
+                pass
+        return count
+
+
+class FacetInstancesProvider(Provider):
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, count):
+        facet_instances = []
+        facet_classes = list(
+            itertools.chain.from_iterable(pm.hook.register_facet_classes())
+        )
+        for facet_class in facet_classes:
+            facet_instances.append(
+                facet_class(
+                    context.datasette,
+                    context.request,
+                    context.database_name,
+                    sql=context.sql_no_order_no_limit,
+                    params=context.params,
+                    table=context.table_name,
+                    table_config=context.table_metadata,
+                    row_count=count,
+                )
+            )
+        return facet_instances
+
+
+class FacetResultsExtra(Extra):
+    description = "Results of facets calculated against this data. A dictionary with ``results`` and ``timed_out`` keys: ``results`` maps facet names to facet dictionaries with ``name``, ``type``, ``results`` and URL keys, and each facet result item includes ``value``, ``label``, ``count`` and ``toggle_url``."
+    example = ExtraExample(
+        value={
+            "results": {
+                "state": {
+                    "name": "state",
+                    "type": "column",
+                    "results": [
+                        {"value": "CA", "label": "CA", "count": 10},
+                        {"value": "MI", "label": "MI", "count": 4},
+                    ],
+                }
+            },
+            "timed_out": [],
+        },
+        note="Shape abbreviated from /fixtures/facetable.json?_facet=state&_extra=facet_results.",
+    )
+    scopes = {ExtraScope.TABLE}
+    expensive = True
+    docs_note = "See :ref:`facets` for details of how facets work."
+
+    async def resolve(self, context, facet_instances):
+        facet_results = {}
+        facets_timed_out = []
+
+        if not context.nofacet:
+            facet_awaitables = [facet.facet_results() for facet in facet_instances]
+            facet_awaitable_results = await context.run_sequential(*facet_awaitables)
+            for (
+                instance_facet_results,
+                instance_facets_timed_out,
+            ) in facet_awaitable_results:
+                for facet_info in instance_facet_results:
+                    base_key = facet_info["name"]
+                    key = base_key
+                    i = 1
+                    while key in facet_results:
+                        i += 1
+                        key = f"{base_key}_{i}"
+                    facet_results[key] = facet_info
+                facets_timed_out.extend(instance_facets_timed_out)
+
+        return {
+            "results": facet_results,
+            "timed_out": facets_timed_out,
+        }
+
+
+class FacetsTimedOutExtra(Extra):
+    description = (
+        "List of names of facet calculations that exceeded the facet time limit."
+    )
+    example = ExtraExample(
+        "/fixtures/facetable.json?_facet=state&_extra=facets_timed_out",
+        note=(
+            "A list of the names of any facets that exceeded the "
+            ":ref:`setting_facet_time_limit_ms` time limit - an empty list "
+            "if every facet calculation completed."
+        ),
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, facet_results):
+        return facet_results["timed_out"]
+
+
+class SuggestedFacetsExtra(Extra):
+    description = "Suggestions for facets that might return interesting results. Each item is a dictionary with ``name`` and ``toggle_url`` keys, and may include extra keys such as ``type`` or ``label`` depending on the facet class."
+    example = ExtraExample(
+        value=[
+            {
+                "name": "state",
+                "toggle_url": "http://localhost/fixtures/facetable.json?_extra=suggested_facets&_facet=state",
+            }
+        ],
+        note="Shape abbreviated from /fixtures/facetable.json?_extra=suggested_facets.",
+    )
+    scopes = {ExtraScope.TABLE}
+    expensive = True
+    docs_note = (
+        "Suggestions are controlled by the :ref:`setting_suggest_facets` setting."
+    )
+
+    async def resolve(self, context, facet_instances):
+        suggested_facets = []
+        if (
+            context.datasette.setting("suggest_facets")
+            and context.datasette.setting("allow_facet")
+            and not context.next_arg
+            and not context.nofacet
+            and not context.nosuggest
+        ):
+            facet_suggest_awaitables = [facet.suggest() for facet in facet_instances]
+            for suggest_result in await context.run_sequential(
+                *facet_suggest_awaitables
+            ):
+                suggested_facets.extend(suggest_result)
+        return suggested_facets
+
+
+class HumanDescriptionEnExtra(Extra):
+    description = "Human-readable description of the filters"
+    example = ExtraExample(
+        "/fixtures/facetable.json?state=CA&_sort=pk&_extra=human_description_en"
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        human_description_en = context.filters.human_description_en(
+            extra=context.extra_human_descriptions
+        )
+        if context.sort or context.sort_desc:
+            sorted_by = "sorted by {}{}".format(
+                (context.sort or context.sort_desc),
+                " descending" if context.sort_desc else "",
+            )
+            human_description_en = " ".join(
+                [b for b in [human_description_en, sorted_by] if b]
+            )
+        return human_description_en
+
+
+class NextUrlExtra(Extra):
+    description = "Full URL for the next page of results"
+    example = ExtraExample(
+        "/fixtures/facetable.json?_size=1&_extra=next_url",
+        note=(
+            "``null`` if there are no more pages of results. "
+            "See :ref:`json_api_pagination`."
+        ),
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return context.next_url
+
+
+class ColumnsExtra(Extra):
+    description = "List of column names returned by this table, row or query."
+    example = ExtraExample("/fixtures/facetable.json?_extra=columns")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=columns"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=columns"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return context.columns
+
+
+class AllColumnsExtra(Extra):
+    description = "List of all column names in the table, regardless of ``_col=`` or ``_nocol=`` filtering."
+    example = ExtraExample("/fixtures/facetable.json?_col=pk&_extra=all_columns")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return list(context.table_columns)
+
+
+class PrimaryKeysExtra(Extra):
+    description = "List of primary key column names for this table, or an empty list if the table has no explicit primary key."
+    example = ExtraExample("/fixtures/facetable.json?_extra=primary_keys")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=primary_keys"
+        )
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW}
+
+    async def resolve(self, context):
+        return context.pks
+
+
+class ActionsExtra(Extra):
+    description = 'Async callable returning table or view actions made available by core and plugin hooks. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions`, :ref:`plugin_hook_table_actions` and :ref:`plugin_hook_view_actions`.'
+    scopes = {ExtraScope.TABLE}
+    # Returns an async function for the HTML templates - not JSON serializable
+    public = False
+
+    async def resolve(self, context):
+        async def actions():
+            links = []
+            kwargs = {
+                "datasette": context.datasette,
+                "database": context.database_name,
+                "actor": context.request.actor,
+                "request": context.request,
+            }
+            if context.is_view:
+                kwargs["view"] = context.table_name
+                method = pm.hook.view_actions
+            else:
+                kwargs["table"] = context.table_name
+                method = pm.hook.table_actions
+                # Resolve the registered table-level actions for this table
+                # and the database-level actions for its database in two
+                # batched queries, seeding the request permission cache so
+                # that allowed() calls made inside the plugin hooks below
+                # are served from the cache
+                datasette = context.datasette
+                await precompute_table_action_permissions(
+                    datasette,
+                    context.request.actor,
+                    context.database_name,
+                    context.table_name,
+                )
+                await precompute_database_action_permissions(
+                    datasette, context.request.actor, context.database_name
+                )
+            for hook in method(**kwargs):
+                extra_links = await await_me_maybe(hook)
+                if extra_links:
+                    links.extend(extra_links)
+            return links
+
+        return actions
+
+
+async def precompute_table_action_permissions(
+    datasette, actor, database_name, table_name
+):
+    await datasette.allowed_many(
+        actions=[
+            name
+            for name, action in datasette.actions.items()
+            if action.resource_class is TableResource
+        ],
+        resource=TableResource(database_name, table_name),
+        actor=actor,
+    )
+
+
+async def precompute_database_action_permissions(datasette, actor, database_name):
+    await datasette.allowed_many(
+        actions=[
+            name
+            for name, action in datasette.actions.items()
+            if action.resource_class is DatabaseResource
+        ],
+        resource=DatabaseResource(database_name),
+        actor=actor,
+    )
+
+
+class IsViewExtra(Extra):
+    description = "Whether this resource is a view instead of a table"
+    example = ExtraExample("/fixtures/simple_view.json?_extra=is_view")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return context.is_view
+
+
+class DebugExtra(Extra):
+    description = "Extra debug information dictionary. This is intended for development only and its shape is not part of the stable template contract."
+    docs_note = (
+        "The contents of this block are not a stable part of the Datasette "
+        "API and may change without warning."
+    )
+    example = ExtraExample("/fixtures/facetable.json?_extra=debug")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=debug"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=debug"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        debug = {
+            "url_vars": context.request.url_vars,
+        }
+        if context.scope == ExtraScope.TABLE:
+            debug["resolved"] = repr(context.resolved)
+            debug["nofacet"] = context.nofacet
+            debug["nosuggest"] = context.nosuggest
+        elif context.scope == ExtraScope.ROW:
+            debug["resolved"] = {
+                "table": context.table_name,
+                "sql": context.sql,
+                "params": context.params,
+                "pks": context.pks,
+                "pk_values": context.pk_values,
+            }
+        return debug
+
+
+class RequestExtra(Extra):
+    description = "Dictionary with request details: ``url``, ``path``, ``full_path``, ``host`` and ``args`` where ``args`` maps query string parameter names to their values."
+    example = ExtraExample("/fixtures/facetable.json?_extra=request")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=request"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=request"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return {
+            "url": context.request.url,
+            "path": context.request.path,
+            "full_path": context.request.full_path,
+            "host": context.request.host,
+            "args": context.request.args._data,
+        }
+
+
+class DisplayColumnsAndRowsProvider(Provider):
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        display_columns, display_rows = await context.display_columns_and_rows(
+            context.datasette,
+            context.database_name,
+            context.table_name,
+            context.results_description,
+            context.rows,
+            link_column=not context.is_view,
+            truncate_cells=context.datasette.setting("truncate_cells_html"),
+            sortable_columns=context.sortable_columns,
+            request=context.request,
+        )
+        return {
+            "columns": display_columns,
+            "rows": display_rows,
+        }
+
+
+class DisplayColumnsExtra(Extra):
+    description = "Column metadata used by the HTML table display. Each item includes ``name``, ``sortable``, ``is_pk``, ``type``, ``notnull``, ``description``, ``column_type`` and ``column_type_config`` keys."
+    example = ExtraExample(
+        value=[
+            {
+                "name": "pk",
+                "sortable": True,
+                "is_pk": True,
+                "type": "INTEGER",
+                "notnull": 0,
+            },
+            {
+                "name": "created",
+                "sortable": True,
+                "is_pk": False,
+                "type": "TEXT",
+                "notnull": 0,
+                "description": None,
+                "column_type": None,
+                "column_type_config": None,
+            },
+        ],
+        note="Shape abbreviated from /fixtures/facetable.json?_size=1&_extra=display_columns.",
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, display_columns_and_rows):
+        return display_columns_and_rows["columns"]
+
+
+class DisplayRowsExtra(Extra):
+    description = "Rows formatted for the HTML table display. Each row is iterable and contains cell dictionaries with ``column``, ``value``, ``raw`` and ``value_type`` keys; table pages may also provide ``pk_path``, ``row_path`` and ``row_label`` attributes on each row object."
+    scopes = {ExtraScope.TABLE}
+    # Contains markupsafe/sqlite3.Row values - not JSON serializable
+    public = False
+
+    async def resolve(self, context, display_columns_and_rows):
+        return display_columns_and_rows["rows"]
+
+
+class RenderCellExtra(Extra):
+    description = "Rendered HTML for each cell using the render_cell plugin hook"
+    docs_note = (
+        "See the :ref:`render_cell() plugin hook <plugin_hook_render_cell>` "
+        "documentation."
+    )
+    example = ExtraExample(
+        value={
+            "rows": [
+                {"id": 1, "content": "hello"},
+                {"id": 4, "content": "RENDER_CELL_DEMO"},
+            ],
+            "render_cell": [
+                {},
+                {"content": "<strong>Custom rendered HTML</strong>"},
+            ],
+        },
+        note=(
+            "The ``render_cell`` array has one item per row, in the same order as "
+            "the ``rows`` array. Each object is keyed by column name. Only columns "
+            "whose rendered value differs from the default are included."
+        ),
+    )
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            value={
+                "rows": [{"id": 4, "content": "RENDER_CELL_DEMO"}],
+                "render_cell": [{"content": "<strong>Custom rendered HTML</strong>"}],
+            },
+            note=(
+                "The ``render_cell`` array has one item for the requested row. "
+                "The object is keyed by column name. Only columns whose rendered "
+                "value differs from the default are included."
+            ),
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            value={
+                "rows": [{"content": "RENDER_CELL_DEMO"}],
+                "render_cell": [{"content": "<strong>Custom rendered HTML</strong>"}],
+            },
+            note=(
+                "The ``render_cell`` array has one item per query result row, in "
+                "the same order as the ``rows`` array. Each object is keyed by "
+                "column name. Only columns whose rendered value differs from the "
+                "default are included."
+            ),
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        table_name = context.table_name
+        pks_for_display = context.pks or (
+            ["rowid"] if table_name and not context.is_view else []
+        )
+        ct_map = (
+            await context.datasette.get_column_types(context.database_name, table_name)
+            if table_name
+            else {}
+        )
+        rendered_rows = []
+        for row in context.rows:
+            rendered_row = {}
+            for value, column in zip(row, context.columns):
+                ct = ct_map.get(column)
+                plugin_display_value = None
+                if ct:
+                    candidate = await ct.render_cell(
+                        value=value,
+                        column=column,
+                        table=table_name,
+                        database=context.database_name,
+                        datasette=context.datasette,
+                        request=context.request,
+                    )
+                    if candidate is not None:
+                        plugin_display_value = candidate
+                if plugin_display_value is None:
+                    for candidate in pm.hook.render_cell(
+                        row=row,
+                        value=value,
+                        column=column,
+                        table=table_name,
+                        pks=pks_for_display,
+                        database=context.database_name,
+                        datasette=context.datasette,
+                        request=context.request,
+                        column_type=ct,
+                    ):
+                        candidate = await await_me_maybe(candidate)
+                        if candidate is not None:
+                            plugin_display_value = candidate
+                            break
+                if plugin_display_value:
+                    rendered_row[column] = str(plugin_display_value)
+            rendered_rows.append(rendered_row)
+        return rendered_rows
+
+
+class QueryExtra(Extra):
+    description = "Details of the underlying SQL query as a dictionary with ``sql`` and ``params`` keys."
+    example = ExtraExample("/fixtures/facetable.json?_size=1&_extra=query")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=query"
+        ),
+        ExtraScope.QUERY: [
+            ExtraExample("/fixtures/-/query.json?sql=select+1+as+one&_extra=query"),
+            ExtraExample("/fixtures/neighborhood_search.json?text=town&_extra=query"),
+        ],
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return {
+            "sql": context.sql,
+            "params": context.params,
+        }
+
+
+class ColumnTypesExtra(Extra):
+    description = 'Column type assignments for this table. A dictionary mapping column names to ``{"type": type_name, "config": config}`` dictionaries.'
+    docs_note = (
+        "An empty object if no column types have been assigned. Column types "
+        "can be assigned in :ref:`configuration "
+        "<table_configuration_column_types>` or using the :ref:`set column "
+        "type API <TableSetColumnTypeView>`."
+    )
+    example = ExtraExample(
+        "/fixtures/facetable.json?_size=0&_extra=column_types",
+        note=(
+            "This example is from an instance where the ``tags`` column has "
+            "been assigned the ``json`` column type."
+        ),
+    )
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/facetable/1.json?_extra=column_types",
+            note=(
+                "This example is from an instance where the ``tags`` column "
+                "has been assigned the ``json`` column type."
+            ),
+        )
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW}
+
+    async def resolve(self, context):
+        ct_map = await context.datasette.get_column_types(
+            context.database_name, context.table_name
+        )
+        return {
+            col_name: {
+                "type": ct.name,
+                "config": ct.config,
+            }
+            for col_name, ct in ct_map.items()
+        }
+
+
+class SetColumnTypeUiExtra(Extra):
+    description = "Information needed to build an interface for assigning column types, or ``None`` if unavailable. When present it has ``path`` and ``columns`` keys; ``columns`` maps column names to ``current`` and ``options`` values."
+    docs_note = (
+        "``null`` unless the current actor is allowed to use the :ref:`set "
+        "column type API <TableSetColumnTypeView>` for this table."
+    )
+    example = ExtraExample(
+        value={
+            "path": "/fixtures/facetable/-/set-column-type",
+            "columns": {
+                "created": {
+                    "current": None,
+                    "options": [
+                        {"name": "email", "description": "Email address"},
+                        {"name": "json", "description": "JSON data"},
+                        {"name": "url", "description": "URL"},
+                    ],
+                },
+                "tags": {
+                    "current": {"type": "json", "config": None},
+                    "options": [
+                        {"name": "email", "description": "Email address"},
+                        {"name": "json", "description": "JSON data"},
+                        {"name": "url", "description": "URL"},
+                    ],
+                },
+            },
+        },
+        note=(
+            "Shape abbreviated to two columns, as seen by an actor with "
+            "``set-column-type`` permission. ``current`` is the column type "
+            "currently assigned to each column and ``options`` lists the "
+            "types that could be assigned to it."
+        ),
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        if context.is_view:
+            return None
+
+        if not await context.datasette.allowed(
+            action="set-column-type",
+            resource=TableResource(
+                database=context.database_name, table=context.table_name
+            ),
+            actor=context.request.actor,
+        ):
+            return None
+
+        column_details = await context.datasette._get_resource_column_details(
+            context.database_name, context.table_name
+        )
+        ct_map = await context.datasette.get_column_types(
+            context.database_name, context.table_name
+        )
+        columns = {}
+        for column_name, column_detail in column_details.items():
+            current = ct_map.get(column_name)
+            columns[column_name] = {
+                "current": (
+                    {"type": current.name, "config": current.config}
+                    if current is not None
+                    else None
+                ),
+                "options": [
+                    {
+                        "name": name,
+                        "description": ct_cls.description,
+                    }
+                    for name, ct_cls in sorted(context.datasette._column_types.items())
+                    if context.datasette._column_type_is_applicable(
+                        ct_cls, column_detail
+                    )
+                ],
+            }
+        return {
+            "path": "{}/-/set-column-type".format(
+                context.datasette.urls.table(context.database_name, context.table_name)
+            ),
+            "columns": columns,
+        }
+
+
+class MetadataExtra(Extra):
+    description = "Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration."
+    docs_note = "See :ref:`metadata` for how to attach metadata to tables."
+    example = ExtraExample(
+        "/fixtures/facetable.json?_extra=metadata",
+        note=(
+            "This example is from an instance where the ``facetable`` table "
+            "has a metadata ``description`` and a :ref:`column description "
+            "<metadata_column_descriptions>` for its ``state`` column. The "
+            "``columns`` object is empty for tables with no column "
+            "descriptions."
+        ),
+    )
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=metadata",
+            note=(
+                "This table has no metadata, so only an empty ``columns`` "
+                "object is returned."
+            ),
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/neighborhood_search.json?text=town&_extra=metadata",
+            note=(
+                "For stored queries this returns the full configuration of "
+                "the query, including the :ref:`stored query options "
+                "<queries_options>`. For ``?sql=`` queries it returns an "
+                "empty object."
+            ),
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        if context.scope == ExtraScope.QUERY:
+            return context.metadata
+
+        tablemetadata = await context.datasette.get_resource_metadata(
+            context.database_name, context.table_name
+        )
+
+        rows = await context.datasette.get_internal_database().execute(
+            """
+              SELECT
+                column_name,
+                value
+              FROM metadata_columns
+              WHERE database_name = ?
+                AND resource_name = ?
+                AND key = 'description'
+            """,
+            [context.database_name, context.table_name],
+        )
+        tablemetadata["columns"] = dict(rows)
+        return tablemetadata
+
+
+class DatabaseExtra(Extra):
+    description = "Database name"
+    example = ExtraExample("/fixtures/facetable.json?_extra=database")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=database"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=database"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return context.database_name
+
+
+class TableExtra(Extra):
+    description = "Table name"
+    example = ExtraExample("/fixtures/facetable.json?_extra=table")
+    examples = {
+        ExtraScope.ROW: ExtraExample("/fixtures/simple_primary_key/1.json?_extra=table")
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW}
+
+    async def resolve(self, context):
+        return context.table_name
+
+
+class DatabaseColorExtra(Extra):
+    description = "Color assigned to the database"
+    docs_note = (
+        "A six character hex color, without the leading ``#``, derived from "
+        "a hash of the database name and used in the Datasette interface."
+    )
+    example = ExtraExample("/fixtures/facetable.json?_extra=database_color")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=database_color"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=database_color"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return context.db.color
+
+
+class FormHiddenArgsExtra(Extra):
+    description = "List of ``(name, value)`` pairs for hidden form fields used by the HTML table interface to preserve current query string options."
+    example = ExtraExample(
+        "/fixtures/facetable.json?_facet=state&_size=1&_extra=form_hidden_args"
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        form_hidden_args = []
+        for key in context.request.args:
+            if (
+                key.startswith("_")
+                and key not in ("_sort", "_sort_desc", "_search", "_next")
+                and "__" not in key
+            ):
+                for value in context.request.args.getlist(key):
+                    form_hidden_args.append((key, value))
+        return form_hidden_args
+
+
+class FiltersExtra(Extra):
+    description = "``Filters`` object used by the HTML table interface. Useful methods include ``filters.human_description_en()``; this is not JSON serializable."
+    scopes = {ExtraScope.TABLE}
+    # Returns a Filters instance for the HTML templates - not JSON serializable
+    public = False
+
+    async def resolve(self, context):
+        return context.filters
+
+
+class CustomTableTemplatesExtra(Extra):
+    description = "List of custom template names considered for rendering table rows, in lookup order."
+    docs_note = (
+        "The first template in this list that exists will be used to render "
+        "the table on the HTML version of this page. See "
+        ":ref:`customization_custom_templates`."
+    )
+    example = ExtraExample("/fixtures/facetable.json?_extra=custom_table_templates")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return [
+            f"_table-{to_css_class(context.database_name)}-{to_css_class(context.table_name)}.html",
+            f"_table-table-{to_css_class(context.database_name)}-{to_css_class(context.table_name)}.html",
+            "_table.html",
+        ]
+
+
+class SortedFacetResultsExtra(Extra):
+    description = "Facet result dictionaries sorted for display. Each item has the same shape as an entry from ``facet_results['results']``."
+    docs_note = (
+        "The same data as ``facet_results``, as a list in the order used by "
+        "the HTML interface: facets from :ref:`facet configuration "
+        "<facets_metadata>` first, then other facets ordered by their number "
+        "of results."
+    )
+    example = ExtraExample(
+        "/fixtures/facetable.json?_facet=state&_extra=sorted_facet_results"
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, facet_results):
+        facet_configs = context.table_metadata.get("facets", [])
+        if facet_configs:
+            metadata_facet_names = []
+            for fc in facet_configs:
+                if isinstance(fc, str):
+                    metadata_facet_names.append(fc)
+                elif isinstance(fc, dict):
+                    metadata_facet_names.append(list(fc.values())[0])
+            metadata_order = {name: i for i, name in enumerate(metadata_facet_names)}
+            metadata_facets = []
+            request_facets = []
+            for f in facet_results["results"].values():
+                if f["name"] in metadata_order:
+                    metadata_facets.append(f)
+                else:
+                    request_facets.append(f)
+            metadata_facets.sort(key=lambda f: metadata_order[f["name"]])
+            request_facets.sort(
+                key=lambda f: (len(f["results"]), f["name"]),
+                reverse=True,
+            )
+            return metadata_facets + request_facets
+        else:
+            return sorted(
+                facet_results["results"].values(),
+                key=lambda f: (len(f["results"]), f["name"]),
+                reverse=True,
+            )
+
+
+class TableDefinitionExtra(Extra):
+    description = "SQL definition for this table"
+    example = ExtraExample("/fixtures/facetable.json?_extra=table_definition")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return await context.db.get_table_definition(context.table_name)
+
+
+class ViewDefinitionExtra(Extra):
+    description = "SQL definition for this view"
+    example = ExtraExample("/fixtures/simple_view.json?_extra=view_definition")
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        return await context.db.get_view_definition(context.table_name)
+
+
+class RenderersExtra(Extra):
+    description = "Dictionary mapping output format names such as ``json`` or plugin-provided renderer names to URLs for this data in that format."
+    example = ExtraExample(
+        "/fixtures/facetable.json?_extra=renderers",
+        note=(
+            "Each key is the name of an output format, each value the URL "
+            "for this data in that format. Plugins can add additional "
+            "formats using the :ref:`register_output_renderer() plugin hook "
+            "<plugin_register_output_renderer>`."
+        ),
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, expandable_columns, query):
+        renderers = {}
+        url_labels_extra = {}
+        if expandable_columns:
+            url_labels_extra = {"_labels": "on"}
+        table_name = context.table_name
+        view_name = "table" if context.scope == ExtraScope.TABLE else "database"
+        for key, (_, can_render) in context.datasette.renderers.items():
+            it_can_render = call_with_supported_arguments(
+                can_render,
+                datasette=context.datasette,
+                columns=context.columns or [],
+                rows=context.rows or [],
+                sql=query.get("sql", None),
+                query_name=context.query_name,
+                database=context.database_name,
+                table=table_name,
+                request=context.request,
+                view_name=view_name,
+            )
+            it_can_render = await await_me_maybe(it_can_render)
+            if it_can_render:
+                renderers[key] = context.datasette.urls.path(
+                    path_with_format(
+                        request=context.request,
+                        path=context.request.scope.get("route_path"),
+                        format=key,
+                        extra_qs={**url_labels_extra},
+                    )
+                )
+        return renderers
+
+
+class PrivateExtra(Extra):
+    description = "Whether this resource is private to the current actor"
+    docs_note = (
+        "``true`` if the current actor can see this resource but an "
+        "anonymous user could not. See :ref:`authentication_permissions`."
+    )
+    example = ExtraExample("/fixtures/facetable.json?_extra=private")
+    examples = {
+        ExtraScope.ROW: ExtraExample(
+            "/fixtures/simple_primary_key/1.json?_extra=private"
+        ),
+        ExtraScope.QUERY: ExtraExample(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=private"
+        ),
+    }
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        return context.private
+
+
+class ExpandableColumnsExtra(Extra):
+    description = "List of foreign key columns that can be expanded with labels. Each item is a ``(foreign_key, label_column)`` pair where ``foreign_key`` is the SQLite foreign key dictionary and ``label_column`` is the label column in the referenced table, or ``None``."
+    docs_note = "See :ref:`expand_foreign_keys` for how to expand these labels."
+    example = ExtraExample(
+        "/fixtures/facetable.json?_extra=expandable_columns",
+        note=(
+            "Each item is a ``[foreign_key, label_column]`` pair: the "
+            "foreign key relationship, then the column in the other table "
+            "that would be used as the label for each expanded value."
+        ),
+    )
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        expandables = []
+        db = context.datasette.databases[context.database_name]
+        for fk in await db.foreign_keys_for_table(context.table_name):
+            label_column = await db.label_column_for_table(fk["other_table"])
+            expandables.append((fk, label_column))
+        return expandables
+
+
+class ForeignKeyTablesExtra(Extra):
+    description = "List of tables that link to this row using foreign keys. Each item includes the foreign key fields plus ``count`` for matching rows and ``link`` for the filtered table URL."
+    example = ExtraExample(
+        "/fixtures/simple_primary_key/1.json?_extra=foreign_key_tables",
+        note=(
+            "``count`` is the number of rows in the other table that "
+            "reference this row, and ``link`` is a URL to browse those rows."
+        ),
+    )
+    scopes = {ExtraScope.ROW}
+    expensive = True
+
+    async def resolve(self, context):
+        return await context.foreign_key_tables(
+            context.database_name, context.table_name, context.pk_values
+        )
+
+
+class ExtrasExtra(Extra):
+    description = "List of ``?_extra=`` blocks that can be used on this page. Each item has ``name``, ``description``, ``toggle_url`` and ``selected`` keys."
+    example = ExtraExample(
+        value=[
+            {
+                "name": "count",
+                "description": "Total count of rows matching these filters",
+                "toggle_url": "http://localhost/fixtures/facetable.json?_extra=extras&_extra=count",
+                "selected": False,
+            },
+            {
+                "name": "extras",
+                "description": "List of ?_extra= blocks that can be used on this page",
+                "toggle_url": "http://localhost/fixtures/facetable.json",
+                "selected": True,
+            },
+        ],
+        note=(
+            "Shape abbreviated from /fixtures/facetable.json?_extra=extras - "
+            "the full response lists every extra described on this page. "
+            "``toggle_url`` is the current URL with that extra added or "
+            "removed, and ``selected`` is ``true`` for extras included in "
+            "the current request."
+        ),
+    )
+    scopes = {ExtraScope.TABLE, ExtraScope.ROW, ExtraScope.QUERY}
+
+    async def resolve(self, context):
+        all_extras = [
+            (cls.key(), cls.description)
+            for cls in context.extra_registry.public_classes_for_scope(context.scope)
+        ]
+        return [
+            {
+                "name": name,
+                "description": description,
+                "toggle_url": context.datasette.absolute_url(
+                    context.request,
+                    context.datasette.urls.path(
+                        path_with_added_args(context.request, {"_extra": name})
+                        if name not in context.extras
+                        else path_with_removed_args(context.request, {"_extra": name})
+                    ),
+                ),
+                "selected": name in context.extras,
+            }
+            for name, description in all_extras
+        ]
+
+
+TABLE_EXTRA_BUNDLES = {
+    "html": [
+        "suggested_facets",
+        "facet_results",
+        "facets_timed_out",
+        "count",
+        "count_sql",
+        "human_description_en",
+        "next_url",
+        "metadata",
+        "query",
+        "columns",
+        "display_columns",
+        "display_rows",
+        "database",
+        "table",
+        "database_color",
+        "actions",
+        "filters",
+        "renderers",
+        "custom_table_templates",
+        "sorted_facet_results",
+        "table_definition",
+        "view_definition",
+        "is_view",
+        "private",
+        "primary_keys",
+        "all_columns",
+        "expandable_columns",
+        "form_hidden_args",
+        "set_column_type_ui",
+    ]
+}
+
+
+TABLE_EXTRA_CLASSES = [
+    CountExtra,
+    CountSqlExtra,
+    FacetResultsExtra,
+    FacetsTimedOutExtra,
+    SuggestedFacetsExtra,
+    FacetInstancesProvider,
+    HumanDescriptionEnExtra,
+    NextUrlExtra,
+    ColumnsExtra,
+    AllColumnsExtra,
+    PrimaryKeysExtra,
+    DisplayColumnsAndRowsProvider,
+    DisplayColumnsExtra,
+    DisplayRowsExtra,
+    RenderCellExtra,
+    DebugExtra,
+    RequestExtra,
+    QueryExtra,
+    ColumnTypesExtra,
+    SetColumnTypeUiExtra,
+    MetadataExtra,
+    ExtrasExtra,
+    DatabaseExtra,
+    TableExtra,
+    DatabaseColorExtra,
+    ActionsExtra,
+    FiltersExtra,
+    RenderersExtra,
+    CustomTableTemplatesExtra,
+    SortedFacetResultsExtra,
+    TableDefinitionExtra,
+    ViewDefinitionExtra,
+    IsViewExtra,
+    PrivateExtra,
+    ExpandableColumnsExtra,
+    ForeignKeyTablesExtra,
+    FormHiddenArgsExtra,
+]
+
+
+table_extra_registry = ExtraRegistry(TABLE_EXTRA_CLASSES)
+
+
+async def resolve_table_extras(extras, context, include_internal=False):
+    return await table_extra_registry.resolve(
+        extras, context, ExtraScope.TABLE, include_internal=include_internal
+    )
+
+
+async def resolve_row_extras(extras, context):
+    return await table_extra_registry.resolve(extras, context, ExtraScope.ROW)
+
+
+async def resolve_query_extras(extras, context):
+    return await table_extra_registry.resolve(extras, context, ExtraScope.QUERY)
diff --git a/datasette/write_sql.py b/datasette/write_sql.py
new file mode 100644
index 00000000..cdc0c6d3
--- /dev/null
+++ b/datasette/write_sql.py
@@ -0,0 +1,253 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+from .permissions import Resource
+from .resources import DatabaseResource, TableResource
+from .utils import named_parameters, sqlite3
+from .utils.asgi import Forbidden
+from .utils.sql_analysis import Operation, SQLAnalysis
+
+if TYPE_CHECKING:
+    from .app import Datasette
+
+
+class QueryWriteRejected(Exception):
+    def __init__(self, message: str):
+        self.message = message
+        super().__init__(message)
+
+
+@dataclass(frozen=True)
+class PermissionRequirement:
+    action: str
+    resource: Resource
+
+
+PermissionRequirements = tuple[PermissionRequirement, ...]
+
+
+class WriteSqlOperationDecision:
+    """What Datasette should do with one operation in user-supplied write SQL."""
+
+
+@dataclass(frozen=True)
+class IgnoreWriteSqlOperation(WriteSqlOperationDecision):
+    reason: str
+
+
+@dataclass(frozen=True)
+class RequireWriteSqlPermissions(WriteSqlOperationDecision):
+    permissions: PermissionRequirements
+
+
+@dataclass(frozen=True)
+class RejectWriteSqlOperation(WriteSqlOperationDecision):
+    message: str
+
+
+@dataclass(frozen=True)
+class UnsupportedWriteSqlOperation(WriteSqlOperationDecision):
+    message: str
+
+
+def row_mutation_requirements(database: str, table: str) -> PermissionRequirements:
+    resource = TableResource(database=database, table=table)
+    return tuple(
+        PermissionRequirement(action=action, resource=resource)
+        for action in ("insert-row", "update-row", "delete-row")
+    )
+
+
+def decision_for_write_sql_operation(
+    operation: Operation,
+) -> WriteSqlOperationDecision:
+    unsupported_message = (
+        f"Unsupported SQL operation: {operation.operation} {operation.target_type}"
+    )
+    if operation.internal:
+        return IgnoreWriteSqlOperation("internal SQLite operation")
+    if operation.operation == "select":
+        return IgnoreWriteSqlOperation("select statement")
+    if operation.operation == "vacuum":
+        return RejectWriteSqlOperation("VACUUM is not allowed in user-supplied SQL")
+    if operation.operation in {"insert", "update", "delete"}:
+        if operation.table_kind == "virtual":
+            return RejectWriteSqlOperation(
+                "Writes to virtual tables are not allowed in user-supplied SQL"
+            )
+        if operation.table_kind == "shadow":
+            return RejectWriteSqlOperation(
+                "Writes to shadow tables are not allowed in user-supplied SQL"
+            )
+    if operation.operation == "function":
+        return IgnoreWriteSqlOperation("SQL function")
+    if (
+        operation.operation == "read"
+        and operation.target_type == "table"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="view-table",
+                    resource=TableResource(
+                        database=operation.database, table=operation.table
+                    ),
+                ),
+            )
+        )
+    if (
+        operation.operation in {"insert", "update"}
+        and operation.target_type == "table"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            row_mutation_requirements(
+                database=operation.database,
+                table=operation.table,
+            )
+        )
+    if (
+        operation.operation == "delete"
+        and operation.target_type == "table"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="delete-row",
+                    resource=TableResource(
+                        database=operation.database, table=operation.table
+                    ),
+                ),
+            )
+        )
+    if operation.operation == "create" and operation.target_type == "table":
+        if operation.database is None:
+            return UnsupportedWriteSqlOperation(unsupported_message)
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="create-table",
+                    resource=DatabaseResource(database=operation.database),
+                ),
+            )
+        )
+    if (
+        operation.operation == "alter"
+        and operation.target_type == "table"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="alter-table",
+                    resource=TableResource(
+                        database=operation.database, table=operation.table
+                    ),
+                ),
+            )
+        )
+    if (
+        operation.operation == "drop"
+        and operation.target_type == "table"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="drop-table",
+                    resource=TableResource(
+                        database=operation.database, table=operation.table
+                    ),
+                ),
+            )
+        )
+    if (
+        operation.operation in {"create", "drop"}
+        and operation.target_type == "index"
+        and operation.database is not None
+        and operation.table is not None
+    ):
+        return RequireWriteSqlPermissions(
+            (
+                PermissionRequirement(
+                    action="alter-table",
+                    resource=TableResource(
+                        database=operation.database, table=operation.table
+                    ),
+                ),
+            )
+        )
+    return UnsupportedWriteSqlOperation(unsupported_message)
+
+
+def operation_is_write(operation: Operation) -> bool:
+    return operation.operation in {
+        "insert",
+        "update",
+        "delete",
+        "create",
+        "alter",
+        "drop",
+        "begin",
+        "commit",
+        "rollback",
+        "savepoint",
+        "attach",
+        "detach",
+        "pragma",
+        "analyze",
+        "reindex",
+        "vacuum",
+        "unknown",
+    }
+
+
+async def ensure_query_write_permissions(
+    datasette: Datasette,
+    database: str,
+    sql: str,
+    *,
+    actor: dict[str, object] | None = None,
+    params: dict[str, object] | None = None,
+    analysis: SQLAnalysis | None = None,
+) -> SQLAnalysis:
+    db = datasette.get_database(database)
+    if analysis is None:
+        if params is None:
+            params = {name: "" for name in named_parameters(sql)}
+        try:
+            analysis = await db.analyze_sql(sql, params)
+        except sqlite3.DatabaseError as ex:
+            raise Forbidden(f"Could not analyze query: {ex}") from ex
+
+    for operation in analysis.operations:
+        decision = decision_for_write_sql_operation(operation)
+        if isinstance(decision, IgnoreWriteSqlOperation):
+            continue
+        if isinstance(decision, RejectWriteSqlOperation):
+            raise QueryWriteRejected(decision.message)
+        if isinstance(decision, UnsupportedWriteSqlOperation):
+            raise Forbidden(decision.message)
+        permissions = decision.permissions
+        if operation.database != database:
+            raise Forbidden("Writable queries may not access attached databases")
+        for permission in permissions:
+            if not await datasette.allowed(
+                action=permission.action,
+                resource=permission.resource,
+                actor=actor,
+            ):
+                raise Forbidden(
+                    f"Permission denied: need {permission.action} "
+                    f"on {permission.resource}"
+                )
+    return analysis
diff --git a/docs/Makefile b/docs/Makefile
index 2b092179..a0d17c81 100644
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -20,4 +20,4 @@ help:
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
 
 livehtml:
-	sphinx-autobuild -b html "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(0)
+	sphinx-autobuild -b html --watch ../datasette "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(0)
diff --git a/docs/authentication.rst b/docs/authentication.rst
index 1b949f9a..8101699c 100644
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@@ -21,6 +21,23 @@ The actor dictionary can be any shape - the design of that data structure is lef
 
 Plugins can use the :ref:`plugin_hook_actor_from_request` hook to implement custom logic for authenticating an actor based on the incoming HTTP request.
 
+.. _authentication_actor_display:
+
+How actors are displayed
+------------------------
+
+In a number of places - such as the navigation menu and the ``/-/logout`` page - Datasette needs to display a short label representing the currently authenticated actor.
+
+To decide what to show, Datasette looks through the following keys in the actor dictionary and uses the value of the first one that is present and not empty:
+
+* ``display``
+* ``name``
+* ``username``
+* ``login``
+* ``id``
+
+If none of those keys have a value the actor dictionary is displayed as a string instead.
+
 .. _authentication_root:
 
 Using the "root" actor
@@ -33,7 +50,7 @@ The one exception is the "root" account, which you can sign into while using Dat
 The ``--root`` flag is designed for local development and testing. When you start Datasette with ``--root``, the root user automatically receives every permission, including:
 
 * All view permissions (``view-instance``, ``view-database``, ``view-table``, etc.)
-* All write permissions (``insert-row``, ``update-row``, ``delete-row``, ``create-table``, ``alter-table``, ``drop-table``)
+* All write permissions (``insert-row``, ``update-row``, ``delete-row``, ``create-table``, ``alter-table``, ``set-column-type``, ``drop-table``)
 * Debug permissions (``permissions-debug``, ``debug-menu``)
 * Any custom permissions defined by plugins
 
@@ -121,7 +138,7 @@ This configuration will deny access to everyone except the user with ``id`` of `
 How permissions are resolved
 ----------------------------
 
-Datasette performs permission checks using the internal :ref:`datasette_allowed`, method which accepts keyword arguments for ``action``, ``resource`` and an optional ``actor``. 
+Datasette performs permission checks using the internal :ref:`datasette_allowed`, method which accepts keyword arguments for ``action``, ``resource`` and an optional ``actor``.
 
 ``resource`` should be an instance of the appropriate ``Resource`` subclass from :mod:`datasette.resources`—for example ``InstanceResource()``, ``DatabaseResource(database="...``)`` or ``TableResource(database="...", table="...")``. This defaults to ``InstanceResource()`` if not specified.
 
@@ -468,7 +485,7 @@ You can control the following:
 * Access to the entire Datasette instance
 * Access to specific databases
 * Access to specific tables and views
-* Access to specific :ref:`canned_queries`
+* Access to specific :ref:`queries <queries>`
 
 If a user has permission to view a table they will be able to view that table, independent of if they have permission to view the database or instance that the table exists within.
 
@@ -641,12 +658,12 @@ This works for SQL views as well - you can list their names in the ``"tables"``
 
 .. _authentication_permissions_query:
 
-Access to specific canned queries
----------------------------------
+Access to specific queries
+--------------------------
 
-:ref:`canned_queries` allow you to configure named SQL queries in your ``datasette.yaml`` that can be executed by users. These queries can be set up to both read and write to the database, so controlling who can execute them can be important.
+:ref:`Queries <queries>` allow you to configure named SQL queries in your ``datasette.yaml`` that can be executed by users. These queries can be set up to both read and write to the database, so controlling who can execute them can be important.
 
-To limit access to the ``add_name`` canned query in your ``dogs.db`` database to just the :ref:`root user<authentication_root>`:
+To limit access to the ``add_name`` query in your ``dogs.db`` database to just the :ref:`root user<authentication_root>`:
 
 .. [[[cog
     config_example(cog, """
@@ -886,6 +903,8 @@ To grant ``create-table`` to the user with ``id`` of ``editor`` for the ``docs``
         }
 .. [[[end]]]
 
+Other table-scoped write permissions, including ``set-column-type``, can be configured in the same place.
+
 And for ``insert-row`` against the ``reports`` table in that ``docs`` database:
 
 .. [[[cog
@@ -1018,7 +1037,7 @@ You can also restrict permissions such that they can only be used within specifi
 
 The resulting token will only be able to insert rows, and only to tables in the ``mydatabase`` database.
 
-Finally, you can restrict permissions to individual resources - tables, SQL views and :ref:`named queries <canned_queries>` - within a specific database::
+Finally, you can restrict permissions to individual resources - tables, SQL views and :ref:`named queries <queries>` - within a specific database::
 
     datasette create-token root --resource mydatabase mytable insert-row
 
@@ -1283,12 +1302,46 @@ Actor is allowed to view a table (or view) page, e.g. https://latest.datasette.i
 view-query
 ----------
 
-Actor is allowed to view (and execute) a :ref:`canned query <canned_queries>` page, e.g. https://latest.datasette.io/fixtures/pragma_cache_size - this includes executing :ref:`canned_queries_writable`.
+Actor is allowed to view a stored query page, e.g. https://latest.datasette.io/fixtures/pragma_cache_size. Executing an untrusted stored query also requires ``execute-sql`` or the relevant write permissions; :ref:`trusted stored queries <trusted_stored_queries>` can execute with ``view-query`` alone.
 
 ``resource`` - ``datasette.resources.QueryResource(database, query)``
     ``database`` is the name of the database (string)
-    
-    ``query`` is the name of the canned query (string)
+
+    ``query`` is the name of the query (string)
+
+.. _actions_store_query:
+
+store-query
+-----------
+
+Actor is allowed to create stored queries against a database.
+
+``resource`` - ``datasette.resources.DatabaseResource(database)``
+    ``database`` is the name of the database (string)
+
+.. _actions_update_query:
+
+update-query
+------------
+
+Actor is allowed to update a stored query.
+
+``resource`` - ``datasette.resources.QueryResource(database, query)``
+    ``database`` is the name of the database (string)
+
+    ``query`` is the name of the query (string)
+
+.. _actions_delete_query:
+
+delete-query
+------------
+
+Actor is allowed to delete a stored query.
+
+``resource`` - ``datasette.resources.QueryResource(database, query)``
+    ``database`` is the name of the database (string)
+
+    ``query`` is the name of the query (string)
 
 .. _actions_insert_row:
 
@@ -1343,6 +1396,18 @@ alter-table
 
 Actor is allowed to alter a database table.
 
+``resource`` - ``datasette.resources.TableResource(database, table)``
+    ``database`` is the name of the database (string)
+
+    ``table`` is the name of the table (string)
+
+.. _actions_set_column_type:
+
+set-column-type
+---------------
+
+Actor is allowed to set assigned :ref:`column types <table_configuration_column_types>` for columns in a table.
+
 ``resource`` - ``datasette.resources.TableResource(database, table)``
     ``database`` is the name of the database (string)
 
@@ -1365,13 +1430,23 @@ Actor is allowed to drop a database table.
 execute-sql
 -----------
 
-Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures/-/query?sql=select+100
+Actor is allowed to run arbitrary read-only SQL queries against a specific database using the :ref:`custom SQL query page <pages_custom_sql_queries>`, e.g. https://latest.datasette.io/fixtures/-/query?sql=select+100
 
 ``resource`` - ``datasette.resources.DatabaseResource(database)``
     ``database`` is the name of the database (string)
 
 See also :ref:`the default_allow_sql setting <setting_default_allow_sql>`.
 
+.. _actions_execute_write_sql:
+
+execute-write-sql
+-----------------
+
+Actor is allowed to run arbitrary writable SQL queries against a specific database using the :ref:`write SQL queries page <pages_execute_write>`, subject to table-level write permissions such as ``insert-row``, ``update-row`` and ``delete-row``. SQL functions are allowed and are not separately restricted by Datasette permissions.
+
+``resource`` - ``datasette.resources.DatabaseResource(database)``
+    ``database`` is the name of the database (string)
+
 .. _actions_permissions_debug:
 
 permissions-debug
@@ -1384,4 +1459,4 @@ Actor is allowed to view the ``/-/permissions`` debug tools.
 debug-menu
 ----------
 
-Controls if the various debug pages are displayed in the navigation menu.
+Controls if the various debug pages are displayed in the jump menu.
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 1e6a8e90..ec32b57e 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -4,15 +4,249 @@
 Changelog
 =========
 
+.. _v1_0_a35:
+
+1.0a35 (2026-06-23)
+-------------------
+
+This release adds UI for **creating tables** and **altering tables**, to complement the insert and update row interfaces added in :ref:`v1_0_a34`.
+
+- New "Create table" interface in the database actions menu, backed by the ``/<database>/-/create`` :ref:`JSON API <TableCreateView>`. It can define columns, primary keys, custom column types, ``NOT NULL`` constraints, literal defaults, expression defaults and single-column foreign keys. (:issue:`2787`)
+- New "Alter table" table action and ``/<database>/<table>/-/alter`` :ref:`JSON API <TableAlterView>` for changing existing tables: add, rename, reorder and drop columns; change column types, defaults, ``NOT NULL`` constraints, primary keys and foreign keys; and rename the table. The alter table dialog also includes a "Drop table" button. (:issue:`2788`)
+- New ``/<database>/-/foreign-key-targets`` and ``/<database>/<table>/-/foreign-key-suggestions`` JSON APIs for discovering valid single-column foreign key targets and suggested relationships.
+- New :ref:`template_context` documentation listing the variables available to custom templates for Datasette's core pages. Variables documented there are treated as a stable API for custom templates until Datasette 2.0. The documentation is generated from dataclass definitions next to the view code, with tests that compare the documented fields against the actual contexts rendered by the database, table, query and row pages. (:issue:`1510`, :issue:`2127`, :issue:`1477`, :pr:`2803`)
+- The "Write to this database" page now includes a Create table starter template, alongside the existing Insert, Update and Delete templates. (:pr:`2794`)
+- New ``static()`` template function and ``datasette.static()`` method for generating cache-busting static asset URLs based on the file contents. Static assets served with a matching ``?_hash=`` parameter now receive far-future immutable cache headers. This works for Datasette's bundled static assets, plugin static assets and directories mounted using ``--static``. See :ref:`customization_static_files`.
+- Database and table pages now use the ``count_truncated`` template context value to display capped row counts as ``>N rows``.
+- Significant visual improvements to the table filter form UI, plus working add/remove filter buttons. (:issue:`2798`)
+- Improved edit row icon on table pages. (:issue:`2796`)
+- Documentation covers how actors are displayed. Thanks, `Sebastian Cao <https://github.com/cycsmail>`__. (:issue:`2002`)
+- Fix for bug where appending ``?_col=pk`` resulted in duplicate primary key columns in the response. Thanks, `Ritesh Kewlani <https://github.com/riteshkew>`__. (:issue:`1975`)
+
+.. _v1_0_a34:
+
+1.0a34 (2026-06-16)
+-------------------
+
+The big feature in this alpha is tools to **insert, edit and delete** rows within the Datasette interface. These features are available on table pages, and edit and delete are also available as action items on the row page.
+
+The edit interface takes :ref:`custom column types <table_configuration_column_types>` into account. Plugins that define their own column types can use JavaScript to customize how those column types are presented in the edit interface.
+
+- ``datasette.allowed_many()`` method for :ref:`resolving multiple permission checks at once <datasette_allowed_many>`. (:pr:`2775`)
+- Permission checks are now cached on a per-request basis, speeding up table pages with multiple plugins that check permissions in order to populate the :ref:`table actions menu <plugin_hook_table_actions>`.
+- Fixed a warning about ``gen.throw(*sys.exc_info())``. (:issue:`2776`)
+- New default custom column type ``textarea`` for multi-line text content. This is rendered as a ``<textarea>`` input in the edit UI.
+- The ``json`` column type now implements client-side validation in the edit UI.
+- The :ref:`makeColumnField() <javascript_plugins_makeColumnField>` JavaScript plugin hook allows plugins to define custom fields in the edit interface for their custom column types.
+- New UI for inserting, editing, and deleting rows within Datasette. (:issue:`2780`)
+- New ``/<database>/<table>/-/autocomplete?q=term`` :ref:`autocomplete JSON API <TableAutocompleteView>` for rapid autocomplete search against the contents of a table. This is used by the edit interface to select related rows for foreign keys. You can try it out on the ``/-/debug/autocomplete`` debug page.
+- New ``/<database>/<table>/-/fragment`` :ref:`HTML fragment endpoint  <TableFragmentView>` for returning the HTML used to display a specific row.
+- ``await request.json()`` utility method for consuming the request body as JSON. (:issue:`2767`)
+- Database, table, query and row action menus can now be modified by plugins to :ref:`display buttons in addition to links <plugin_actions>`. (:issue:`2782`)
+- Datasette :ref:`now uses Playwright <contributing_playwright>` for browser automation tests as part of the test suite. (:issue:`2779`)
+
+.. _v1_0_a33:
+
+1.0a33 (2026-06-11)
+-------------------
+
+Stored queries can now be edited and deleted through the web interface, and the JSON API ``?_extra=`` mechanism has been extended to cover row and query pages in addition to tables. This release also fixes two security issues: an identifier-quoting bug involving table and column names that contain ``]``, and an open redirect.
+
+Editing and deleting stored queries
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The stored query page gained a "Query actions" menu with **Edit this query** and **Delete this query** links for actors with the necessary permissions. The owner of a query can always edit or delete it; for queries that are not private, any actor with the :ref:`update-query <actions_update_query>` or :ref:`delete-query <actions_delete_query>` permission can do so too. Private queries remain editable and deletable only by their owner. See :ref:`stored_queries` for details. (:issue:`2735`)
+
+``?_extra=`` support for row and query pages
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Row and query JSON pages now support the same ``?_extra=`` mechanism as table pages. Row pages can request extras such as ``foreign_key_tables``, ``query``, ``metadata`` and ``database_color``; arbitrary SQL and stored query pages can request extras such as ``columns``, ``query``, ``metadata`` and ``private``. The implementation was refactored into a registry of extra classes shared by all three page types.
+
+New generated reference documentation describes every ``?_extra=`` parameter available on table, row and query JSON pages, with example output captured from a live Datasette instance at documentation build time. See :ref:`json_api_extra` for the full list.
+
+You can explore the new extras using this `Datasette extras API explorer tool <https://tools.simonwillison.net/datasette-extras-explorer>`__.
+
+Other improvements and fixes to the extras mechanism:
+
+- Extras that exist to serve the HTML interface (``filters``, ``actions``, ``display_rows``) are no longer advertised or reachable through the JSON API, where requesting them previously returned a 500 serialization error.
+- The pre-1.0 ``?_extras=`` (plural) parameter on row pages has been removed - use ``?_extra=foreign_key_tables`` instead.
+
+Security fixes
+~~~~~~~~~~~~~~
+
+- Fixed an identifier-quoting bug in ``datasette.utils.escape_sqlite()``. Datasette uses this helper when constructing SQL around table and column names; identifiers containing ``]`` could break out of SQLite bracket quoting and alter the generated SQL, for example by adding a ``UNION SELECT``. Identifiers containing ``]`` are now quoted using double quotes instead. (:issue:`2677`)
+- Fixed an open redirect vulnerability. Requesting a path such as ``/\example.com/`` produced a redirect with a ``Location: /\example.com`` header - browsers normalize backslashes to forward slashes, turning that into the protocol-relative URL ``//example.com`` and redirecting the user off-site. Any run of leading slashes and backslashes in a redirect path is now collapsed to a single slash. (:issue:`2680`)
+
+Bug fixes
+~~~~~~~~~
+
+- ``can_render()`` callbacks registered by the :ref:`register_output_renderer() <plugin_register_output_renderer>` plugin hook now receive the result ``rows`` and ``columns`` for stored queries. Previously renderers that inspect the available columns - such as `datasette-atom <https://github.com/simonw/datasette-atom>`__ and `datasette-ics <https://github.com/simonw/datasette-ics>`__ - never appeared as export options on stored query pages. (:issue:`2711`)
+- Fixed a 500 error from the :ref:`/-/check <PermissionCheckView>` permission debugging endpoint when checking query actions such as ``view-query``, ``update-query`` and ``delete-query``. (:issue:`2756`)
+- Write queries that use a named parameter called ``:sql`` no longer fail with an error. (:issue:`2761`)
+- :ref:`db.execute_isolated_fn() <database_execute_isolated_fn>` now works against immutable databases, using a read-only connection that bypasses the write thread. It previously always attempted to open a writable connection, which would fail - breaking features built on top of it, such as the SQL analysis step used when storing a query. An exception raised while opening the connection for an isolated function no longer crashes the write thread. (:issue:`2768`)
+- Facet counts are now displayed on the same line as the facet value instead of wrapping onto a second line. (:issue:`2754`)
+- Datasette's pytest plugin no longer imports the rest of Datasette at pytest startup time. This means plugin test suites using ``pytest-cov`` now correctly record coverage of code that runs when ``datasette`` modules are first imported.
+
+.. _v1_0_a32:
+
+1.0a32 (2026-05-31)
+-------------------
+
+SQLite INSERT ... RETURNING clauses are now supported by ``/db/-/execute-write``, plus several fixes relating to the :ref:`base_url setting <setting_base_url>`.
+
+- ``INSERT``/``UPDATE``/``DELETE`` statements that use SQLite's ``RETURNING`` clause now work correctly in the new ``/db/-/execute-write`` interface. Datasette fetches returned rows before committing the write transaction, displays them in the HTML UI and includes them in the ``"rows"`` key for the JSON API response. (:issue:`2762`, :pr:`2763`)
+- ``Database.execute_write()`` now returns an ``ExecuteWriteResult`` object instead of the raw ``sqlite3.Cursor`` returned by ``conn.execute()``. The new object exposes ``.rowcount``, ``.lastrowid``, ``.description``, ``.truncated`` and ``.fetchall()``, and adds ``return_all=`` and ``returning_limit=`` options for controlling how rows from ``RETURNING`` statements are buffered. (:pr:`2763`)
+- Fixed the ``/-/jump`` navigation search endpoint when Datasette is served with a configured ``base_url``. (:issue:`2757`)
+- Fixed JSON and CSV export links, plus ``Link:`` alternate headers, on table, row and query pages when ``base_url`` is configured. These could previously be prefixed twice. (:issue:`2759`)
+- Fixed several other ``base_url`` handling bugs, including the API explorer form actions and share links, the ``/-/patterns`` development page, permanent redirects such as ``/-`` to ``/-/`` and database query redirects from ``/<database>?sql=...`` to ``/<database>/-/query?sql=...``.
+
+.. _v1_0_a31:
+
+1.0a31 (2026-05-28)
+-------------------
+
+Datasette now offers users with the necessary permissions the ability to both **execute write queries** against their database and to **save stored queries** (renamed from "canned queries") both privately and for use by other members of their Datasette instance.
+
+The ability to write is controlled by the new ``execute-write-sql`` permission, but the user also needs the relevant ``insert-row``/``update-row``/``delete-row``/``create-table``/etc permissions for the query they are trying to execute.
+
+Write SQL UI
+~~~~~~~~~~~~
+
+- New "Write to this database" interface at ``/<database>/-/execute-write`` for running arbitrary writable SQL against mutable databases. The form extracts named parameters, analyzes the SQL, shows the table operations that will be attempted, includes starter templates for ``INSERT``, ``UPDATE`` and ``DELETE`` statements and links to a newly inserted row when a single-row insert succeeds. This is also available as a :ref:`JSON API <ExecuteWriteView>`. (:issue:`2742`)
+- Added the new :ref:`execute-write-sql <actions_execute_write_sql>` permission for running arbitrary writable SQL. Execution is also gated by table-level permissions such as :ref:`insert-row <actions_insert_row>`, :ref:`update-row <actions_update_row>` and :ref:`delete-row <actions_delete_row>`, and writes to attached databases are rejected. (:issue:`2742`)
+- The write SQL analyzer now uses a deny-by-default model for unsupported operations. Reads from source tables require :ref:`view-table <actions_view_table>` permission, schema changes require :ref:`create-table <actions_create_table>`, :ref:`alter-table <actions_alter_table>` or :ref:`drop-table <actions_drop_table>` as appropriate, and row mutation statements require the full ``insert-row``, ``update-row`` and ``delete-row`` permission set. SQL functions are allowed and are not separately permission-gated. (:issue:`2748`)
+- User-supplied write SQL rejects both ``VACUUM`` operations and writes to SQLite virtual or shadow tables. These restrictions also apply to untrusted stored write queries; trusted queries in ``datasette.yml`` skip these filters. (:issue:`2748`)
+
+Stored queries
+~~~~~~~~~~~~~~
+
+- The previous "canned queries" feature has been renamed and expanded into :ref:`stored queries <stored_queries>`. Queries configured in ``datasette.yaml`` are now loaded into a new ``queries`` table in Datasette's :ref:`internal database <internals_internal_schema>`, alongside user-created stored queries. (:issue:`2735`)
+- New stored query management API methods available to plugins: ``datasette.add_query()``, ``datasette.update_query()``, ``datasette.remove_query()``, ``datasette.get_query()``, ``datasette.list_queries()`` and ``datasette.count_queries()``. These replace the removed ``datasette.get_canned_query()`` and ``datasette.get_canned_queries()`` methods. (:issue:`2735`)
+- Users with :ref:`store-query <actions_store_query>` and :ref:`execute-sql <actions_execute_sql>` permission can create stored queries from the SQL query page or the new ``GET /<database>/-/queries/store`` form. (:issue:`2735`)
+- The database page now shows a count and preview of stored queries, capped at five, and links to new paginated query lists at ``/-/queries`` and ``/<database>/-/queries``. Those pages support search. (:issue:`2735`)
+- Stored queries created by users default to private and untrusted. Private stored queries can only be viewed, updated or deleted by their owner, even if another actor has broad ``view-query``, ``update-query`` or ``delete-query`` permission. Untrusted stored queries execute using the permissions of the actor running them. See :ref:`stored_queries` and :ref:`trusted_stored_queries` for details. (:issue:`2735`)
+- Configured queries from ``datasette.yaml`` are trusted by default, so they can execute with ``view-query`` permission alone. They can opt out of that behavior using ``is_trusted: false`` but cannot be made private; private queries are only available for user-created stored queries. (:issue:`2735`)
+- New ``store-query``, ``update-query`` and ``delete-query`` permissions, plus updated semantics for :ref:`view-query <actions_view_query>`. Trusted stored queries can still execute with ``view-query`` alone; untrusted read queries also require :ref:`execute-sql <actions_execute_sql>` and untrusted writable queries require :ref:`execute-write-sql <actions_execute_write_sql>` plus the relevant table-level write permissions. (:issue:`2735`)
+
+Plugin API changes
+~~~~~~~~~~~~~~~~~~
+
+- The ``top_canned_query()`` plugin hook has been renamed to :ref:`top_stored_query() <plugin_hook_top_stored_query>`. (:issue:`2747`)
+- The ``canned_queries()`` plugin hook has been removed. Plugins can use the new :ref:`stored query management methods <datasette_stored_queries>` together with :ref:`startup() <plugin_hook_startup>` to register queries. (:issue:`2735`)
+
+Bug fixes
+~~~~~~~~~
+
+- Fixed a bug where visiting ``/<database>/-/query`` without a ``?sql=`` parameter returned a 500 error. (:issue:`2743`)
+- The ``datasette inspect`` command now correctly records row counts for tables with more than 10,000 rows. (:issue:`2712`)
+
+.. _v1_0_a30:
+
+1.0a30 (2026-05-24)
+-------------------
+
+The "Jump to" menu, activated by hitting ``/`` or through the application menu, can now be extended by plugins.
+
+- New "Jump to..." menu item, always visible, for triggering the previously undocumented ``/`` menu. (:issue:`2725`)
+- The ``/`` jump-to search interface now covers databases, views, canned queries and plugin-provided items in addition to tables. The endpoint backing it has been renamed from ``/-/tables`` to ``/-/jump``.
+- New :ref:`plugin_hook_jump_items_sql` plugin hook, allowing plugins to contribute additional items to the jump-to menu by returning SQL. ``JumpSQL`` queries run against Datasette's internal database by default, or can target another database using the optional ``database=`` argument. (:issue:`2731`)
+- ``datasette.jump.JumpSQL.menu_item()`` is a shortcut for adding individual jump menu items that are not backed by resources in the internal catalog.
+- New :ref:`javascript_plugins_makeJumpSections` JavaScript plugin hook, allowing plugins to add custom blank-state sections to the jump-to menu before the user has typed a query.
+- Debug menu links now appear in the jump-to menu instead of the top-right app menu, with descriptions for each debug item.
+- Dropped Janus as a dependency, previously used to manage the write queue. This should not have any impact on plugin developers or end-users. (:issue:`1752`)
+- Fixed a bug where stale tables and other related resources were not removed from ``catalog_*`` tables when a database was removed. (:issue:`2723`)
+- New documented :ref:`datasette.fixtures.populate_fixture_database(conn) <datasette_fixtures_populate_fixture_database>` helper for creating the fixture database tables used by Datasette's own tests, intended for plugin test suites.
+- Keyboard accessibility and ARIA roles for actions menus, thanks `pintaste <https://github.com/pintaste>`__. (:pr:`2727`)
+
+.. _v1_0_a29:
+
+1.0a29 (2026-05-12)
+-------------------
+
+- New ``TokenRestrictions.abbreviated(datasette)`` :ref:`utility method <TokenRestrictions>` for creating ``"_r"`` dictionaries. (:issue:`2695`)
+- Table headers and column options are now visible even if a table contains zero rows. (:issue:`2701`)
+- Fixed bug with display of column actions dialog on Mobile Safari. (:issue:`2708`)
+- Fixed bug where tests could crash with a segfault due to a race condition between ``Datasette.close()`` and ``Datasette.close()``. (:issue:`2709`)
+
+.. _v1_0_a28:
+
+1.0a28 (2026-04-16)
+-------------------
+
+- Fixed a compatibility bug introduced in 1.0a27 where ``execute_write_fn()`` callbacks with a parameter name other than ``conn`` were seeing errors. (:issue:`2691`)
+- The :ref:`database.close() <database_close>` method now also shuts down the write connection for that database.
+- New :ref:`datasette.close() <datasette_close>` method for closing down all databases and resources associated with a Datasette instance. This is called automatically when the server shuts down. (:pr:`2693`)
+- Datasette now includes a pytest plugin which automatically calls ``datasette.close()`` on temporary instances created in function-scoped fixtures and during tests. See :ref:`testing_plugins_autoclose` for details. This helps avoid running out of file descriptors in plugin test suites that were written before the ``Database(is_temp_disk=True)`` feature introduced in Datasette 1.0a27. (:issue:`2692`)
+
+.. _v1_0_a27:
+
+1.0a27 (2026-04-15)
+-------------------
+
+CSRF protection no longer uses CSRF tokens
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Datasette's token-based CSRF protection has been replaced with a mechanism based on the ``Sec-Fetch-Site`` and ``Origin`` request headers, which are `supported by all modern browsers <https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site>`__. See `this article by Filippo Valsorda <https://words.filippo.io/csrf/>`__ for more details of this approach. This removes the need for CSRF tokens in forms and AJAX requests. (:pr:`2689`)
+
+``RenameTableEvent`` when a table is renamed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Renaming a table within Datasette will now fire a new :class:`~datasette.events.RenameTableEvent`, which plugins can use to react by updating ACL records or re-assigning comments or other associated records to the new table name. (:issue:`2681`)
+
+This event will not be fired if the table is renamed by SQL running in some other process.
+
+The ``datasette.track_event()`` method can now be called from within a write operation (using :ref:`database.execute_write() <database_execute_write>` and related methods) and the event will be fired after the write transaction has successfully committed. (:pr:`2682`)
+
+Other changes
+~~~~~~~~~~~~~
+
+- New :ref:`actor= parameter <internals_datasette_client_actor>` for ``datasette.client`` methods, allowing internal requests to be made as a specific actor. This is particularly useful for writing automated tests. (:pr:`2688`)
+- New ``Database(is_temp_disk=True)`` option, used internally for the internal database. This helps resolve intermittent database locked errors caused by the internal database being in-memory as opposed to on-disk. (:issue:`2683`) (:pr:`2684`)
+- The ``/<database>/<table>/-/upsert`` API (:ref:`docs <TableUpsertView>`) now rejects rows with ``null`` primary key values. (:issue:`1936`)
+- Improved example in the API explorer for the ``/-/upsert`` endpoint (:ref:`docs <TableUpsertView>`). (:issue:`1936`)
+- The ``/<database>.json`` endpoint now includes an ``"ok": true`` key, for consistency with other JSON API responses.
+- :ref:`call_with_supported_arguments() <internals_utils_call_with_supported_arguments>` is now documented as a supported public API. (:pr:`2678`)
+
+.. _v1_0_a26:
+
+1.0a26 (2026-03-18)
+-------------------
+
+New ``column_types`` system
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Table columns can now have custom column types assigned to them, using the new ``column_types`` table configuration option or at runtime using a new UI and ``POST /<database>/<table>/-/set-column-type`` JSON API.
+
+Built-in column types include ``url``, ``email``, and ``json``, and plugins can register additional types using the new :ref:`register_column_types() <plugin_register_column_types>` plugin hook. (:issue:`2664`, :issue:`2671`)
+
+Column types can customize HTML rendering, validate values written through the insert, update, and upsert APIs, and transform values returned by the JSON API. They can optionally restrict themselves to specific SQLite column types using ``sqlite_types``. This feature also introduces a new :ref:`set-column-type <actions_set_column_type>` permission for assigning column types to a table. (:issue:`2672`)
+
+The :ref:`render_cell() <plugin_hook_render_cell>` plugin hook now receives a ``column_type`` argument containing the assigned type instance, and a column type's own ``render_cell()`` method takes priority over the plugin hook chain.
+
+The `datasette-files <https://github.com/datasette/datasette-files>`__ plugin will be the first to use this new feature.
+
+UI for selecting columns and their order
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Table and view pages now include a dialog for selecting and re-ordering visible columns. (:issue:`2661`)
+
+Other changes
+~~~~~~~~~~~~~
+
+- Fixed ``allowed_resources("view-query", actor)`` so actor-specific canned queries are returned correctly. Any plugin that defines a ``resources_sql()`` method on a ``Resource`` subclass needs to update to the new signature, see :ref:`the resources_sql() method<plugin_resources_sql>` documentation for details.
+- Column actions can now be accessed in mobile view via a new "Column actions" button. Previously they were not available on mobile because table headers are not displayed there. (:issue:`2669`, :issue:`2670`)
+- Row pages now render foreign key values as links to the referenced row. (:issue:`1592`)
+- The ``startup()`` plugin hook now fires after metadata and internal schema tables have been populated, so plugins can reliably inspect that state during startup. (:issue:`2666`)
+
 .. _v1_0_a25:
 
 1.0a25 (2026-02-25)
 -------------------
 
-``write_wrapper`` plugin hook for intercepting write operations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+``write_wrapper()`` plugin hook for intercepting write operations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-A new :ref:`write_wrapper() <plugin_hook_write_wrapper>` plugin hook allows plugins to intercept and wrap database write operations. (`#2636 <https://github.com/simonw/datasette/pull/2636>`__)
+A new :ref:`write_wrapper() <plugin_hook_write_wrapper>` plugin hook allows plugins to intercept and wrap database write operations. (:pr:`2636`)
 
 Plugins implement the hook as a generator-based context manager:
 
@@ -30,20 +264,20 @@ Plugins implement the hook as a generator-based context manager:
 ``register_token_handler()`` plugin hook for custom API token backends
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-A new :ref:`register_token_handler() <plugin_hook_register_token_handler>` plugin hook allows plugins to provide custom token backends for API authentication. (`#2650 <https://github.com/simonw/datasette/pull/2650>`__)
+A new :ref:`register_token_handler() <plugin_hook_register_token_handler>` plugin hook allows plugins to provide custom token backends for API authentication. (:pr:`2650`)
 
 This includes a **backwards incompatible change**: the ``datasette.create_token()`` internal  method is now an ``async`` method. Consult the :ref:`upgrade guide <upgrade_guide_v1_a25>` for details on how to update your code.
 
 ``render_cell()`` now receives a ``pks`` parameter
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The :ref:`render_cell() <plugin_hook_render_cell>` plugin hook now receives a ``pks`` parameter containing the list of primary key column names for the table being rendered. This avoids plugins needing to make redundant async calls to look up primary keys. (`#2641 <https://github.com/simonw/datasette/pull/2641>`__)
+The :ref:`render_cell() <plugin_hook_render_cell>` plugin hook now receives a ``pks`` parameter containing the list of primary key column names for the table being rendered. This avoids plugins needing to make redundant async calls to look up primary keys. (:pr:`2641`)
 
 Other changes
 ~~~~~~~~~~~~~
 
 - Facets defined in metadata now preserve their configured order, instead of being sorted by result count. Request-based facets added via the ``_facet`` parameter are still sorted by result count and appear after metadata-defined facets. (:issue:`2647`)
-- Fixed ``--reload`` incorrectly interpreting the ``serve`` command as a file argument. Thanks, `Daniel Bates <https://github.com/danielalanbates>`__. (`#2646 <https://github.com/simonw/datasette/pull/2646>`__)
+- Fixed ``--reload`` incorrectly interpreting the ``serve`` command as a file argument. Thanks, `Daniel Bates <https://github.com/danielalanbates>`__. (:pr:`2646`)
 
 .. _v1_0_a24:
 
@@ -53,7 +287,7 @@ Other changes
 ``request.form()`` method for POST data and file uploads
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Datasette now includes a ``request.form()`` method for parsing form submissions, including handling file uploads. (`#2626 <https://github.com/simonw/datasette/pull/2626>`__)
+Datasette now includes a ``request.form()`` method for parsing form submissions, including handling file uploads. (:pr:`2626`)
 
 This supports both ``application/x-www-form-urlencoded`` and ``multipart/form-data`` content types, and uses a new streaming multipart parser that processes uploads without buffering entire request bodies in memory.
 
@@ -204,7 +438,7 @@ Other changes
 - Fixed bug where ``link:`` HTTP headers used invalid syntax. (:issue:`2470`)
 - No longer tested against Python 3.8. Now tests against Python 3.13.
 - FTS tables are now hidden by default if they correspond to a content table. (:issue:`2477`)
-- Fixed bug with foreign key links to rows in databases with filenames containing a special character. Thanks, `Jack Stratton <https://github.com/phroa>`__. (`#2476 <https://github.com/simonw/datasette/pull/2476>`__)
+- Fixed bug with foreign key links to rows in databases with filenames containing a special character. Thanks, `Jack Stratton <https://github.com/phroa>`__. (:pr:`2476`)
 
 .. _v1_0_a17:
 
@@ -247,7 +481,7 @@ Other changes
 This release focuses on performance, in particular against large tables, and introduces some minor breaking changes for CSS styling in Datasette plugins.
 
 - Removed the unit conversions feature and its dependency, Pint. This means Datasette is now compatible with the upcoming Python 3.13. (:issue:`2400`, :issue:`2320`)
-- The ``datasette --pdb`` option now uses the `ipdb <https://github.com/gotcha/ipdb>`__ debugger if it is installed. You can install it using ``datasette install ipdb``. Thanks, `Tiago Ilieve <https://github.com/myhro>`__. (`#2342 <https://github.com/simonw/datasette/pull/2342>`__)
+- The ``datasette --pdb`` option now uses the `ipdb <https://github.com/gotcha/ipdb>`__ debugger if it is installed. You can install it using ``datasette install ipdb``. Thanks, `Tiago Ilieve <https://github.com/myhro>`__. (:pr:`2342`)
 - Fixed a confusing error that occurred if ``metadata.json`` contained nested objects. (:issue:`2403`)
 - Fixed a bug with ``?_trace=1`` where it returned a blank page if the response was larger than 256KB. (:issue:`2404`)
 - Tracing mechanism now also displays SQL queries that returned errors or ran out of time. `datasette-pretty-traces 0.5 <https://github.com/simonw/datasette-pretty-traces/releases/tag/0.5>`__ includes support for displaying this new type of trace. (:issue:`2405`)
@@ -277,7 +511,7 @@ This release focuses on performance, in particular against large tables, and int
 - Failed CSRF checks now display a more user-friendly error page. (:issue:`2390`)
 - Fixed a bug where the ``json1`` extension was not correctly detected on the ``/-/versions`` page. Thanks, `Seb Bacon <https://github.com/sebbacon>`__. (:issue:`2326`)
 - Fixed a bug where the Datasette write API did not correctly accept ``Content-Type: application/json; charset=utf-8``. (:issue:`2384`)
-- Fixed a bug where Datasette would fail to start if ``metadata.yml`` contained a ``queries`` block. (`#2386 <https://github.com/simonw/datasette/pull/2386>`__)
+- Fixed a bug where Datasette would fail to start if ``metadata.yml`` contained a ``queries`` block. (:pr:`2386`)
 
 .. _v1_0_a14:
 
@@ -290,13 +524,13 @@ This alpha introduces significant changes to Datasette's :ref:`metadata` system,
 - Metadata about tables, databases, instances and columns is now stored in :ref:`internals_internal`. Thanks, Alex Garcia. (:issue:`2341`)
 - Database write connections now execute using the ``IMMEDIATE`` isolation level for SQLite. This should help avoid a rare ``SQLITE_BUSY`` error that could occur when a transaction upgraded to a write mid-flight. (:issue:`2358`)
 - Fix for a bug where canned queries with named parameters could fail against SQLite 3.46. (:issue:`2353`)
-- Datasette now serves ``E-Tag`` headers for static files. Thanks, `Agustin Bacigalup <https://github.com/redraw>`__. (`#2306 <https://github.com/simonw/datasette/pull/2306>`__)
+- Datasette now serves ``E-Tag`` headers for static files. Thanks, `Agustin Bacigalup <https://github.com/redraw>`__. (:pr:`2306`)
 - Dropdown menus now use a ``z-index`` that should avoid them being hidden by plugins. (:issue:`2311`)
 - Incorrect table and row names are no longer reflected back on the resulting 404 page. (:issue:`2359`)
 - Improved documentation for async usage of the :ref:`plugin_hook_track_event` hook. (:issue:`2319`)
 - Fixed some HTTPX deprecation warnings. (:issue:`2307`)
 - Datasette now serves a ``<html lang="en">`` attribute. Thanks, `Charles Nepote <https://github.com/CharlesNepote>`__. (:issue:`2348`)
-- Datasette's automated tests now run against the maximum and minimum supported versions of SQLite: 3.25 (from September 2018) and 3.46 (from May 2024). Thanks, Alex Garcia. (`#2352 <https://github.com/simonw/datasette/pull/2352>`__)
+- Datasette's automated tests now run against the maximum and minimum supported versions of SQLite: 3.25 (from September 2018) and 3.46 (from May 2024). Thanks, Alex Garcia. (:pr:`2352`)
 - Fixed an issue where clicking twice on the URL output by ``datasette --root`` produced a confusing error. (:issue:`2375`)
 
 .. _v0_64_8:
@@ -437,7 +671,7 @@ Configuration
 - The ``-s/--setting`` option can now be used to set plugin configuration as well. See :ref:`configuration_cli` for details. (:issue:`2252`)
 
   The above YAML configuration example using ``-s/--setting`` looks like this:
-  
+
   .. code-block:: bash
 
         datasette mydatabase.db \
@@ -460,7 +694,7 @@ This provides two initial hooks, with more to come in the future:
 - :ref:`makeAboveTablePanelConfigs() <javascript_plugins_makeAboveTablePanelConfigs>` can add additional panels to the top of the table page.
 - :ref:`makeColumnActions() <javascript_plugins_makeColumnActions>` can add additional actions to the column menu.
 
-Thanks `Cameron Yick <https://github.com/hydrosquall>`__ for contributing this feature. (`#2052 <https://github.com/simonw/datasette/pull/2052>`__)
+Thanks `Cameron Yick <https://github.com/hydrosquall>`__ for contributing this feature. (:pr:`2052`)
 
 Plugin hooks
 ~~~~~~~~~~~~
@@ -526,7 +760,7 @@ Minor fixes
 - Datasette now checks if the user has permission to view a table linked to by a foreign key before turning that foreign key into a clickable link. (:issue:`2178`)
 - The ``execute-sql`` permission now implies that the actor can also view the database and instance. (:issue:`2169`)
 - Documentation describing a pattern for building plugins that themselves :ref:`define further hooks <writing_plugins_extra_hooks>` for other plugins. (:issue:`1765`)
-- Datasette is now tested against the Python 3.12 preview. (`#2175 <https://github.com/simonw/datasette/pull/2175>`__)
+- Datasette is now tested against the Python 3.12 preview. (:pr:`2175`)
 
 .. _v1_0_a5:
 
@@ -551,7 +785,7 @@ For more information and workarounds, read `the security advisory <https://githu
 Also in this alpha:
 
 - The new ``datasette plugins --requirements`` option outputs a list of currently installed plugins in Python ``requirements.txt`` format, useful for duplicating that installation elsewhere. (:issue:`2133`)
-- :ref:`canned_queries_writable` can now define a ``on_success_message_sql`` field in their configuration, containing a SQL query that should be executed upon successful completion of the write operation in order to generate a message to be shown to the user. (:issue:`2138`)
+- :ref:`queries_writable` can now define a ``on_success_message_sql`` field in their configuration, containing a SQL query that should be executed upon successful completion of the write operation in order to generate a message to be shown to the user. (:issue:`2138`)
 - The automatically generated border color for a database is now shown in more places around the application. (:issue:`2119`)
 - Every instance of example shell script code in the documentation should now include a working copy button, free from additional syntax. (:issue:`2140`)
 
@@ -729,11 +963,11 @@ Features
 ~~~~~~~~
 
 - Now tested against Python 3.11. Docker containers used by ``datasette publish`` and ``datasette package`` both now use that version of Python. (:issue:`1853`)
-- ``--load-extension`` option now supports entrypoints. Thanks, Alex Garcia. (`#1789 <https://github.com/simonw/datasette/pull/1789>`__)
+- ``--load-extension`` option now supports entrypoints. Thanks, Alex Garcia. (:pr:`1789`)
 - Facet size can now be set per-table with the new ``facet_size`` table metadata option. (:issue:`1804`)
 - The :ref:`setting_truncate_cells_html` setting now also affects long URLs in columns. (:issue:`1805`)
 - The non-JavaScript SQL editor textarea now increases height to fit the SQL query. (:issue:`1786`)
-- Facets are now displayed with better line-breaks in long values. Thanks, Daniel Rech. (`#1794 <https://github.com/simonw/datasette/pull/1794>`__)
+- Facets are now displayed with better line-breaks in long values. Thanks, Daniel Rech. (:pr:`1794`)
 - The ``settings.json`` file used in :ref:`config_dir` is now validated on startup. (:issue:`1816`)
 - SQL queries can now include leading SQL comments, using ``/* ... */`` or ``-- ...`` syntax. Thanks,  Charles Nepote. (:issue:`1860`)
 - SQL query is now re-displayed when terminated with a time limit error. (:issue:`1819`)
@@ -755,7 +989,7 @@ Documentation
 - New tutorial: `Cleaning data with sqlite-utils and Datasette <https://datasette.io/tutorials/clean-data>`__.
 - Screenshots in the documentation are now maintained using `shot-scraper <https://shot-scraper.datasette.io/>`__, as described in `Automating screenshots for the Datasette documentation using shot-scraper <https://simonwillison.net/2022/Oct/14/automating-screenshots/>`__. (:issue:`1844`)
 - More detailed command descriptions on the :ref:`CLI reference <cli_reference>` page. (:issue:`1787`)
-- New documentation on :ref:`deploying_openrc` - thanks, Adam Simpson. (`#1825 <https://github.com/simonw/datasette/pull/1825>`__)
+- New documentation on :ref:`deploying_openrc` - thanks, Adam Simpson. (:pr:`1825`)
 
 .. _v0_62:
 
@@ -771,14 +1005,14 @@ Features
 
 - Datasette is now compatible with `Pyodide <https://pyodide.org/>`__.  This is the enabling technology behind `Datasette Lite <https://lite.datasette.io/>`__. (:issue:`1733`)
 - Database file downloads now implement conditional GET using ETags. (:issue:`1739`)
-- HTML for facet results and suggested results has been extracted out into new templates ``_facet_results.html`` and ``_suggested_facets.html``. Thanks, M. Nasimul Haque. (`#1759 <https://github.com/simonw/datasette/pull/1759>`__)
+- HTML for facet results and suggested results has been extracted out into new templates ``_facet_results.html`` and ``_suggested_facets.html``. Thanks, M. Nasimul Haque. (:pr:`1759`)
 - Datasette now runs some SQL queries in parallel. This has limited impact on performance, see `this research issue <https://github.com/simonw/datasette/issues/1727>`__ for details.
 - New ``--nolock`` option for ignoring file locks when opening read-only databases. (:issue:`1744`)
 - Spaces in the database names in URLs are now encoded as ``+`` rather than ``~20``. (:issue:`1701`)
 - ``<Binary: 2427344 bytes>`` is now displayed as ``<Binary: 2,427,344 bytes>`` and is accompanied by tooltip showing "2.3MB". (:issue:`1712`)
 - The base Docker image used by ``datasette publish cloudrun``, ``datasette package`` and the `official Datasette image <https://hub.docker.com/datasetteproject/datasette>`__ has been upgraded to ``3.10.6-slim-bullseye``.  (:issue:`1768`)
 - Canned writable queries against immutable databases now show a warning message. (:issue:`1728`)
-- ``datasette publish cloudrun`` has a new ``--timeout`` option which can be used to increase the time limit applied by the Google Cloud build environment. Thanks, Tim Sherratt. (`#1717 <https://github.com/simonw/datasette/pull/1717>`__)
+- ``datasette publish cloudrun`` has a new ``--timeout`` option which can be used to increase the time limit applied by the Google Cloud build environment. Thanks, Tim Sherratt. (:pr:`1717`)
 - ``datasette publish cloudrun`` has new ``--min-instances`` and ``--max-instances`` options. (:issue:`1779`)
 
 Plugin hooks
@@ -786,7 +1020,7 @@ Plugin hooks
 
 - New plugin hook: :ref:`handle_exception() <plugin_hook_handle_exception>`, for custom handling of exceptions caught by Datasette. (:issue:`1770`)
 - The :ref:`render_cell() <plugin_hook_render_cell>` plugin hook is now also passed a ``row`` argument, representing the ``sqlite3.Row`` object that is being rendered. (:issue:`1300`)
-- The :ref:`configuration directory <config_dir>` is now stored in ``datasette.config_dir``, making it available to plugins. Thanks, Chris Amico. (`#1766 <https://github.com/simonw/datasette/pull/1766>`__)
+- The :ref:`configuration directory <config_dir>` is now stored in ``datasette.config_dir``, making it available to plugins. Thanks, Chris Amico. (:pr:`1766`)
 
 Bug fixes
 ~~~~~~~~~
@@ -839,7 +1073,7 @@ Datasette also now requires Python 3.7 or higher.
 - Common Datasette symbols can now be imported directly from the top-level ``datasette`` package, see :ref:`internals_shortcuts`. Those symbols are ``Response``, ``Forbidden``, ``NotFound``, ``hookimpl``, ``actor_matches_allow``. (:issue:`957`)
 - ``/-/versions`` page now returns additional details for libraries used by SpatiaLite. (:issue:`1607`)
 - Documentation now links to the `Datasette Tutorials <https://datasette.io/tutorials>`__.
-- Datasette will now also look for SpatiaLite in ``/opt/homebrew`` - thanks, Dan Peterson. (`#1649 <https://github.com/simonw/datasette/pull/1649>`__)
+- Datasette will now also look for SpatiaLite in ``/opt/homebrew`` - thanks, Dan Peterson. (:pr:`1649`)
 - Fixed bug where :ref:`custom pages <custom_pages>` did not work on Windows. Thanks, Robert Christie. (:issue:`1545`)
 - Fixed error caused when a table had a column named ``n``. (:issue:`1228`)
 
@@ -938,14 +1172,14 @@ Other small fixes
 - New :ref:`register_commands() <plugin_hook_register_commands>` plugin hook allows plugins to register additional Datasette CLI commands, e.g. ``datasette mycommand file.db``. (:issue:`1449`)
 - Adding ``?_facet_size=max`` to a table page now shows the number of unique values in each facet. (:issue:`1423`)
 - Upgraded dependency `httpx 0.20 <https://github.com/encode/httpx/releases/tag/0.20.0>`__ - the undocumented ``allow_redirects=`` parameter to :ref:`internals_datasette_client` is now ``follow_redirects=``, and defaults to ``False`` where it previously defaulted to ``True``. (:issue:`1488`)
-- The ``--cors`` option now causes Datasette to return the ``Access-Control-Allow-Headers: Authorization`` header, in addition to ``Access-Control-Allow-Origin: *``. (`#1467 <https://github.com/simonw/datasette/pull/1467>`__)
+- The ``--cors`` option now causes Datasette to return the ``Access-Control-Allow-Headers: Authorization`` header, in addition to ``Access-Control-Allow-Origin: *``. (:pr:`1467`)
 - Code that figures out which named parameters a SQL query takes in order to display form fields for them is no longer confused by strings that contain colon characters. (:issue:`1421`)
 - Renamed ``--help-config`` option to ``--help-settings``. (:issue:`1431`)
 - ``datasette.databases`` property is now a documented API. (:issue:`1443`)
 - The ``base.html`` template now wraps everything other than the ``<footer>`` in a ``<div class="not-footer">`` element, to help with advanced CSS customization. (:issue:`1446`)
 - The :ref:`render_cell() <plugin_hook_render_cell>` plugin hook can now return an awaitable function. This means the hook can execute SQL queries. (:issue:`1425`)
 - :ref:`plugin_register_routes` plugin hook now accepts an optional ``datasette`` argument. (:issue:`1404`)
-- New ``hide_sql`` canned query option for defaulting to hiding the SQL query used by a canned query, see :ref:`canned_queries_options`. (:issue:`1422`)
+- New ``hide_sql`` canned query option for defaulting to hiding the SQL query used by a canned query, see :ref:`queries_options`. (:issue:`1422`)
 - New ``--cpu`` option for :ref:`datasette publish cloudrun <publish_cloud_run>`. (:issue:`1420`)
 - If `Rich <https://github.com/willmcgugan/rich>`__ is installed in the same virtual environment as Datasette, it will be used to provide enhanced display of error tracebacks on the console. (:issue:`1416`)
 - ``datasette.utils`` :ref:`internals_utils_parse_metadata` function, used by the new `datasette-remote-metadata plugin <https://datasette.io/plugins/datasette-remote-metadata>`__, is now a documented API. (:issue:`1405`)
@@ -967,7 +1201,7 @@ Other small fixes
 - New ``datasette --uds /tmp/datasette.sock`` option for binding Datasette to a Unix domain socket, see :ref:`proxy documentation <deploying_proxy>` (:issue:`1388`)
 - ``"searchmode": "raw"`` table metadata option for defaulting a table to executing SQLite full-text search syntax without first escaping it, see :ref:`full_text_search_advanced_queries`. (:issue:`1389`)
 - New plugin hook: ``get_metadata()``, for returning custom metadata for an instance, database or table. Thanks, Brandon Roberts! (:issue:`1384`)
-- New plugin hook: :ref:`plugin_hook_skip_csrf`, for opting out of CSRF protection based on the incoming request. (:issue:`1377`)
+- New plugin hook: ``skip_csrf``, for opting out of CSRF protection based on the incoming request. (:issue:`1377`)
 - The :ref:`menu_links() <plugin_hook_menu_links>`, :ref:`table_actions() <plugin_hook_table_actions>` and :ref:`database_actions() <plugin_hook_database_actions>` plugin hooks all gained a new optional ``request`` argument providing access to the current request. (:issue:`1371`)
 - Major performance improvement for Datasette faceting. (:issue:`1394`)
 - Improved documentation for :ref:`deploying_proxy` to recommend using ``ProxyPreservehost On`` with Apache. (:issue:`1387`)
@@ -1037,8 +1271,8 @@ Documentation improvements, bug fixes and support for SpatiaLite 5.
 - The :ref:`Response.asgi_send() <internals_response_asgi_send>` method is now documented. (:issue:`1266`)
 - The official Datasette Docker image now bundles SpatiaLite version 5. (:issue:`1278`)
 - Fixed a ``no such table: pragma_database_list`` bug when running Datasette against SQLite versions prior to SQLite 3.16.0. (:issue:`1276`)
-- HTML lists displayed in table cells are now styled correctly. Thanks, Bob Whitelock. (:issue:`1141`, `#1252 <https://github.com/simonw/datasette/pull/1252>`__)
-- Configuration directory mode now correctly serves immutable databases that are listed in ``inspect-data.json``. Thanks Campbell Allen and Frankie Robertson. (`#1031 <https://github.com/simonw/datasette/pull/1031>`__, `#1229 <https://github.com/simonw/datasette/pull/1229>`__)
+- HTML lists displayed in table cells are now styled correctly. Thanks, Bob Whitelock. (:issue:`1141`, :pr:`1252`)
+- Configuration directory mode now correctly serves immutable databases that are listed in ``inspect-data.json``. Thanks Campbell Allen and Frankie Robertson. (:pr:`1031`, :pr:`1229`)
 
 .. _v0_55:
 
@@ -1215,7 +1449,7 @@ A new visual design, plugin hooks for adding navigation options, better handling
 New visual design
 ~~~~~~~~~~~~~~~~~
 
-Datasette is no longer white and grey with blue and purple links! `Natalie Downe <https://twitter.com/natbat>`__ has been working on a visual refresh, the first iteration of which is included in this release. (`#1056 <https://github.com/simonw/datasette/pull/1056>`__)
+Datasette is no longer white and grey with blue and purple links! `Natalie Downe <https://twitter.com/natbat>`__ has been working on a visual refresh, the first iteration of which is included in this release. (:pr:`1056`)
 
 .. image:: datasette-0.51.png
    :width: 740px
@@ -1292,7 +1526,7 @@ New :ref:`deploying` documentation with guides for deploying Datasette on a Linu
 
 Other improvements in this release:
 
-- :ref:`publish_cloud_run` documentation now covers Google Cloud SDK options. Thanks, Geoffrey Hing. (`#995 <https://github.com/simonw/datasette/pull/995>`__)
+- :ref:`publish_cloud_run` documentation now covers Google Cloud SDK options. Thanks, Geoffrey Hing. (:pr:`995`)
 - New ``datasette -o`` option which opens your browser as soon as Datasette starts up. (:issue:`970`)
 - Datasette now sets ``sqlite3.enable_callback_tracebacks(True)`` so that errors in custom SQL functions will display tracebacks. (:issue:`891`)
 - Fixed two rendering bugs with column headers in portrait mobile view. (:issue:`978`, :issue:`980`)
@@ -1319,7 +1553,7 @@ See also `Datasette 0.50: The annotated release notes <https://simonwillison.net
 
 See also `Datasette 0.49: The annotated release notes <https://simonwillison.net/2020/Sep/15/datasette-0-49/>`__.
 
-- Writable canned queries now expose a JSON API, see :ref:`canned_queries_json_api`. (:issue:`880`)
+- Writable canned queries now expose a JSON API, see :ref:`queries_json_api`. (:issue:`880`)
 - New mechanism for defining page templates with custom path parameters - a template file called ``pages/about/{slug}.html`` will be used to render any requests to ``/about/something``. See :ref:`custom_pages_parameters`. (:issue:`944`)
 - ``register_output_renderer()`` render functions can now return a ``Response``. (:issue:`953`)
 - New ``--upgrade`` option for ``datasette install``. (:issue:`945`)
@@ -1396,7 +1630,7 @@ See also `Datasette 0.49: The annotated release notes <https://simonwillison.net
 - ``tests`` are now excluded from the Datasette package properly - thanks, abeyerpath. (:issue:`456`)
 - The Datasette package published to PyPI now includes ``sdist`` as well as ``bdist_wheel``.
 - Better titles for canned query pages. (:issue:`887`)
-- Now only loads Python files from a directory passed using the ``--plugins-dir`` option - thanks, Amjith Ramanujam. (`#890 <https://github.com/simonw/datasette/pull/890>`__)
+- Now only loads Python files from a directory passed using the ``--plugins-dir`` option - thanks, Amjith Ramanujam. (:pr:`890`)
 - New documentation section on :ref:`publish_vercel`.
 
 .. _v0_45:
@@ -1411,7 +1645,7 @@ Magic parameters for canned queries, a log out feature, improved plugin document
 Magic parameters for canned queries
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Canned queries now support :ref:`canned_queries_magic_parameters`, which can be used to insert or select automatically generated values. For example::
+Canned queries now support :ref:`queries_magic_parameters`, which can be used to insert or select automatically generated values. For example::
 
     insert into logs
       (user_id, timestamp)
@@ -1442,7 +1676,7 @@ New plugin hooks
 
 - :ref:`plugin_hook_register_magic_parameters` can be used to define new types of magic canned query parameters.
 - :ref:`plugin_hook_startup` can run custom code when Datasette first starts up. `datasette-init <https://github.com/simonw/datasette-init>`__ is a new plugin that uses this hook to create database tables and views on startup if they have not yet been created. (:issue:`834`)
-- :ref:`plugin_hook_canned_queries` lets plugins provide additional canned queries beyond those defined in Datasette's metadata. See `datasette-saved-queries <https://github.com/simonw/datasette-saved-queries>`__ for an example of this hook in action. (:issue:`852`)
+- ``canned_queries()`` lets plugins provide additional canned queries beyond those defined in Datasette's metadata. See `datasette-saved-queries <https://github.com/simonw/datasette-saved-queries>`__ for an example of this hook in action. (:issue:`852`)
 - :ref:`plugin_hook_forbidden` is a hook for customizing how Datasette responds to 403 forbidden errors. (:issue:`812`)
 
 Smaller changes
@@ -1517,7 +1751,7 @@ A new debug page at ``/-/permissions`` shows recent permission checks, to help a
 Writable canned queries
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-Datasette's :ref:`canned_queries` feature lets you define SQL queries in ``metadata.json`` which can then be executed by users visiting a specific URL. https://latest.datasette.io/fixtures/neighborhood_search for example.
+Datasette's :ref:`queries` feature lets you define SQL queries in ``metadata.json`` which can then be executed by users visiting a specific URL. https://latest.datasette.io/fixtures/neighborhood_search for example.
 
 Canned queries were previously restricted to ``SELECT``, but Datasette 0.44 introduces the ability for canned queries to execute ``INSERT`` or ``UPDATE`` queries as well, using the new ``"write": true`` property (:issue:`800`):
 
@@ -1536,7 +1770,7 @@ Canned queries were previously restricted to ``SELECT``, but Datasette 0.44 intr
         }
     }
 
-See :ref:`canned_queries_writable` for more details.
+See :ref:`queries_writable` for more details.
 
 Flash messages
 ~~~~~~~~~~~~~~
@@ -1591,7 +1825,7 @@ Smaller changes
 - New ``request.cookies`` property.
 - ``/-/plugins`` endpoint now shows a list of hooks implemented by each plugin, e.g. https://latest.datasette.io/-/plugins?all=1
 - ``request.post_vars()`` method no longer discards empty values.
-- New "params" canned query key for explicitly setting named parameters, see :ref:`canned_queries_named_parameters`. (:issue:`797`)
+- New "params" canned query key for explicitly setting named parameters, see :ref:`queries_named_parameters`. (:issue:`797`)
 - ``request.args`` is now a :ref:`MultiParams <internals_multiparams>` object.
 - Fixed a bug with the ``datasette plugins`` command. (:issue:`802`)
 - Nicer pattern for using ``make_app_client()`` in tests. (:issue:`395`)
@@ -1624,8 +1858,8 @@ The main focus of this release is a major upgrade to the :ref:`plugin_register_o
 * Redesign of :ref:`plugin_register_output_renderer` to provide more context to the render callback and support an optional ``"can_render"`` callback that controls if a suggested link to the output format is provided. (:issue:`581`, :issue:`770`)
 * Visually distinguish float and integer columns - useful for figuring out why order-by-column might be returning unexpected results. (:issue:`729`)
 * The :ref:`internals_request`, which is passed to several plugin hooks, is now documented. (:issue:`706`)
-* New ``metadata.json`` option for setting a custom default page size for specific tables and views, see :ref:`metadata_page_size`. (:issue:`751`)
-* Canned queries can now be configured with a default URL fragment hash, useful when working with plugins such as `datasette-vega <https://github.com/simonw/datasette-vega>`__, see :ref:`canned_queries_options`. (:issue:`706`)
+* New ``metadata.json`` option for setting a custom default page size for specific tables and views, see :ref:`table_configuration_size`. (:issue:`751`)
+* Canned queries can now be configured with a default URL fragment hash, useful when working with plugins such as `datasette-vega <https://github.com/simonw/datasette-vega>`__, see :ref:`queries_options`. (:issue:`706`)
 * Fixed a bug in ``datasette publish`` when running on operating systems where the ``/tmp`` directory lives in a different volume, using a backport of the Python 3.8 ``shutil.copytree()`` function. (:issue:`744`)
 * Every plugin hook is now covered by the unit tests, and a new unit test checks that each plugin hook has at least one corresponding test. (:issue:`771`, :issue:`773`)
 
@@ -1665,7 +1899,7 @@ Also in this release:
 * Datasette now has a *pattern portfolio* at ``/-/patterns`` - e.g. https://latest.datasette.io/-/patterns. This is a page that shows every Datasette user interface component in one place, to aid core development and people building custom CSS themes. (:issue:`151`)
 * SQLite `PRAGMA functions <https://www.sqlite.org/pragma.html#pragfunc>`__ such as ``pragma_table_info(tablename)`` are now allowed in Datasette SQL queries. (:issue:`761`)
 * Datasette pages now consistently return a ``content-type`` of ``text/html; charset=utf-8"``. (:issue:`752`)
-* Datasette now handles an ASGI ``raw_path`` value of ``None``, which should allow compatibility with the `Mangum <https://github.com/erm/mangum>`__ adapter for running ASGI apps on AWS Lambda. Thanks, Colin Dellow. (`#719 <https://github.com/simonw/datasette/pull/719>`__)
+* Datasette now handles an ASGI ``raw_path`` value of ``None``, which should allow compatibility with the `Mangum <https://github.com/erm/mangum>`__ adapter for running ASGI apps on AWS Lambda. Thanks, Colin Dellow. (:pr:`719`)
 * Installation documentation now covers how to :ref:`installation_pipx`. (:issue:`756`)
 * Improved the documentation for :ref:`full_text_search`. (:issue:`748`)
 
@@ -1688,7 +1922,7 @@ Also in this release:
 -----------------
 
 * New :ref:`setting_base_url` configuration setting for serving up the correct links while running Datasette under a different URL prefix. (:issue:`394`)
-* New metadata settings ``"sort"`` and ``"sort_desc"`` for setting the default sort order for a table. See :ref:`metadata_default_sort`. (:issue:`702`)
+* New metadata settings ``"sort"`` and ``"sort_desc"`` for setting the default sort order for a table. See :ref:`table_configuration_sort`. (:issue:`702`)
 * Sort direction arrow now displays by default on the primary key. This means you only have to click once (not twice) to sort in reverse order. (:issue:`677`)
 * New ``await Request(scope, receive).post_vars()`` method for accessing POST form variables. (:issue:`700`)
 * :ref:`plugin_hooks` documentation now links to example uses of each plugin. (:issue:`709`)
@@ -1718,7 +1952,7 @@ Also in this release:
 -----------------
 
 * Plugins now have a supported mechanism for writing to a database, using the new ``.execute_write()`` and ``.execute_write_fn()`` methods. :ref:`Documentation <database_execute_write>`. (:issue:`682`)
-* Immutable databases that have had their rows counted using the ``inspect`` command now use the calculated count more effectively - thanks, Kevin Keogh. (`#666 <https://github.com/simonw/datasette/pull/666>`__)
+* Immutable databases that have had their rows counted using the ``inspect`` command now use the calculated count more effectively - thanks, Kevin Keogh. (:pr:`666`)
 * ``--reload`` no longer restarts the server if a database file is modified, unless that database was opened immutable mode with ``-i``. (:issue:`494`)
 * New ``?_searchmode=raw`` option turns off escaping for FTS queries in ``?_search=`` allowing full use of SQLite's `FTS5 query syntax <https://www.sqlite.org/fts5.html#full_text_query_syntax>`__. (:issue:`676`)
 
@@ -1739,7 +1973,7 @@ Also in this release:
 
 * Added five new plugins and one new conversion tool to the :ref:`ecosystem`.
 * The ``Datasette`` class has a new ``render_template()`` method which can be used by plugins to render templates using Datasette's pre-configured `Jinja <https://jinja.palletsprojects.com/>`__ templating library.
-* You can now execute SQL queries that start with a ``-- comment`` - thanks, Jay Graves (`#653 <https://github.com/simonw/datasette/pull/653>`__)
+* You can now execute SQL queries that start with a ``-- comment`` - thanks, Jay Graves (:pr:`653`)
 
 .. _v0_34:
 
@@ -1747,7 +1981,7 @@ Also in this release:
 -----------------
 
 * ``_search=`` queries are now correctly escaped using a new ``escape_fts()`` custom SQL function. This means you can now run searches for strings like ``park.`` without seeing errors. (:issue:`651`)
-* `Google Cloud Run <https://cloud.google.com/run/>`__ is no longer in beta, so ``datasette publish cloudrun`` has been updated to work even if the user has not installed the ``gcloud`` beta components package. Thanks, Katie McLaughlin (`#660 <https://github.com/simonw/datasette/pull/660>`__)
+* `Google Cloud Run <https://cloud.google.com/run/>`__ is no longer in beta, so ``datasette publish cloudrun`` has been updated to work even if the user has not installed the ``gcloud`` beta components package. Thanks, Katie McLaughlin (:pr:`660`)
 * ``datasette package`` now accepts a ``--port`` option for specifying which port the resulting Docker container should listen on. (:issue:`661`)
 
 .. _v0_33:
@@ -1785,7 +2019,7 @@ Datasette now renders templates using `Jinja async mode <https://jinja.palletspr
 0.31.1 (2019-11-12)
 -------------------
 
-- Deployments created using ``datasette publish``  now use ``python:3.8`` base Docker image (`#629 <https://github.com/simonw/datasette/pull/629>`__)
+- Deployments created using ``datasette publish``  now use ``python:3.8`` base Docker image (:pr:`629`)
 
 .. _v0_31:
 
@@ -1798,10 +2032,10 @@ If you are still running Python 3.5 you should stick with ``0.30.2``, which you
 
     pip install datasette==0.30.2
 
-- Format SQL button now works with read-only SQL queries - thanks, Tobias Kunze (`#602 <https://github.com/simonw/datasette/pull/602>`__)
+- Format SQL button now works with read-only SQL queries - thanks, Tobias Kunze (:pr:`602`)
 - New ``?column__notin=x,y,z`` filter for table views (:issue:`614`)
 - Table view now uses ``select col1, col2, col3`` instead of ``select *``
-- Database filenames can now contain spaces - thanks, Tobias Kunze (`#590 <https://github.com/simonw/datasette/pull/590>`__)
+- Database filenames can now contain spaces - thanks, Tobias Kunze (:pr:`590`)
 - Removed obsolete ``?_group_count=col`` feature (:issue:`504`)
 - Improved user interface and documentation for ``datasette publish cloudrun`` (:issue:`608`)
 - Tables with indexes now show the ``CREATE INDEX`` statements on the table page (:issue:`618`)
@@ -1837,7 +2071,7 @@ If you are still running Python 3.5 you should stick with ``0.30.2``, which you
 - Allow ``EXPLAIN WITH...`` (:issue:`583`)
 - Button to format SQL - thanks, Tobias Kunze (:issue:`136`)
 - Sort databases on homepage by argument order - thanks, Tobias Kunze (:issue:`585`)
-- Display metadata footer on custom SQL queries - thanks, Tobias Kunze (`#589 <https://github.com/simonw/datasette/pull/589>`__)
+- Display metadata footer on custom SQL queries - thanks, Tobias Kunze (:pr:`589`)
 - Use ``--platform=managed`` for ``publish cloudrun`` (:issue:`587`)
 - Fixed bug returning non-ASCII characters in CSV (:issue:`584`)
 - Fix for ``/foo`` v.s. ``/foo-bar`` bug (:issue:`601`)
@@ -1848,7 +2082,7 @@ If you are still running Python 3.5 you should stick with ``0.30.2``, which you
 -------------------
 
 - Fixed implementation of CodeMirror on database page (:issue:`560`)
-- Documentation typo fixes - thanks, Min ho Kim (`#561 <https://github.com/simonw/datasette/pull/561>`__)
+- Documentation typo fixes - thanks, Min ho Kim (:pr:`561`)
 - Mechanism for detecting if a table has FTS enabled now works if the table name used alternative escaping mechanisms (:issue:`570`) - for compatibility with `a recent change to sqlite-utils <https://github.com/simonw/sqlite-utils/pull/57>`__.
 
 .. _v0_29_2:
@@ -1993,7 +2227,7 @@ Datasette :ref:`facets` provide an intuitive way to quickly summarize and intera
 
 Facet by array (:issue:`359`) is only available if your SQLite installation provides the ``json1`` extension. Datasette will automatically detect columns that contain JSON arrays of values and offer a faceting interface against those columns - useful for modelling things like tags without needing to break them out into a new table. See :ref:`facet_by_json_array` for more.
 
-The new :ref:`plugin_register_facet_classes` plugin hook (`#445 <https://github.com/simonw/datasette/pull/445>`__) can be used to register additional custom facet classes. Each facet class should provide two methods: ``suggest()`` which suggests facet selections that might be appropriate for a provided SQL query, and ``facet_results()`` which executes a facet operation and returns results. Datasette's own faceting implementations have been refactored to use the same API as these plugins.
+The new :ref:`plugin_register_facet_classes` plugin hook (:pr:`445`) can be used to register additional custom facet classes. Each facet class should provide two methods: ``suggest()`` which suggests facet selections that might be appropriate for a provided SQL query, and ``facet_results()`` which executes a facet operation and returns results. Datasette's own faceting implementations have been refactored to use the same API as these plugins.
 
 .. _v0_28_publish_cloudrun:
 
@@ -2002,7 +2236,7 @@ datasette publish cloudrun
 
 `Google Cloud Run <https://cloud.google.com/run/>`__ is a brand new serverless hosting platform from Google, which allows you to build a Docker container which will run only when HTTP traffic is received and will shut down (and hence cost you nothing) the rest of the time. It's similar to Zeit's Now v1 Docker hosting platform which sadly is `no longer accepting signups <https://hyperion.alpha.spectrum.chat/zeit/now/cannot-create-now-v1-deployments~d206a0d4-5835-4af5-bb5c-a17f0171fb25?m=MTU0Njk2NzgwODM3OA==>`__ from new users.
 
-The new ``datasette publish cloudrun`` command was contributed by Romain Primet (`#434 <https://github.com/simonw/datasette/pull/434>`__) and publishes selected databases to a new Datasette instance running on Google Cloud Run.
+The new ``datasette publish cloudrun`` command was contributed by Romain Primet (:pr:`434`) and publishes selected databases to a new Datasette instance running on Google Cloud Run.
 
 See :ref:`publish_cloud_run` for full documentation.
 
@@ -2011,7 +2245,7 @@ See :ref:`publish_cloud_run` for full documentation.
 register_output_renderer plugins
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Russ Garrett implemented a new Datasette plugin hook called :ref:`register_output_renderer <plugin_register_output_renderer>` (`#441 <https://github.com/simonw/datasette/pull/441>`__) which allows plugins to create additional output renderers in addition to Datasette's default ``.json`` and ``.csv``.
+Russ Garrett implemented a new Datasette plugin hook called :ref:`register_output_renderer <plugin_register_output_renderer>` (:pr:`441`) which allows plugins to create additional output renderers in addition to Datasette's default ``.json`` and ``.csv``.
 
 Russ's in-development `datasette-geo <https://github.com/russss/datasette-geo>`__ plugin includes `an example <https://github.com/russss/datasette-geo/blob/d4cecc020848bbde91e9e17bf352f7c70bc3dccf/datasette_plugin_geo/geojson.py>`__ of this hook being used to output ``.geojson`` automatically converted from SpatiaLite.
 
@@ -2020,7 +2254,7 @@ Russ's in-development `datasette-geo <https://github.com/russss/datasette-geo>`_
 Medium changes
 ~~~~~~~~~~~~~~
 
-- Datasette now conforms to the `Black coding style <https://github.com/python/black>`__ (`#449 <https://github.com/simonw/datasette/pull/449>`__) - and has a unit test to enforce this in the future
+- Datasette now conforms to the `Black coding style <https://github.com/python/black>`__ (:pr:`449`) - and has a unit test to enforce this in the future
 - New :ref:`json_api_table_arguments`:
    - ``?columnname__in=value1,value2,value3`` filter for executing SQL IN queries against a table, see :ref:`table_arguments` (:issue:`433`)
    - ``?columnname__date=yyyy-mm-dd`` filter which returns rows where the spoecified datetime column falls on the specified date (`583b22a <https://github.com/simonw/datasette/commit/583b22aa28e26c318de0189312350ab2688c90b1>`__)
@@ -2041,17 +2275,17 @@ Small changes
 
 - We now show the size of the database file next to the download link (:issue:`172`)
 - New ``/-/databases`` introspection page shows currently connected databases (:issue:`470`)
-- Binary data is no longer displayed on the table and row pages (`#442 <https://github.com/simonw/datasette/pull/442>`__ - thanks, Russ Garrett)
+- Binary data is no longer displayed on the table and row pages (:pr:`442` - thanks, Russ Garrett)
 - New show/hide SQL links on custom query pages (:issue:`415`)
-- The :ref:`extra_body_script <plugin_hook_extra_body_script>` plugin hook now accepts an optional ``view_name`` argument (`#443 <https://github.com/simonw/datasette/pull/443>`__ - thanks, Russ Garrett)
-- Bumped Jinja2 dependency to 2.10.1 (`#426 <https://github.com/simonw/datasette/pull/426>`__)
+- The :ref:`extra_body_script <plugin_hook_extra_body_script>` plugin hook now accepts an optional ``view_name`` argument (:pr:`443` - thanks, Russ Garrett)
+- Bumped Jinja2 dependency to 2.10.1 (:pr:`426`)
 - All table filters are now documented, and documentation is enforced via unit tests (`2c19a27 <https://github.com/simonw/datasette/commit/2c19a27d15a913e5f3dd443f04067169a6f24634>`__)
 - New project guideline: master should stay shippable at all times! (`31f36e1 <https://github.com/simonw/datasette/commit/31f36e1b97ccc3f4387c80698d018a69798b6228>`__)
 - Fixed a bug where ``sqlite_timelimit()`` occasionally failed to clean up after itself (`bac4e01 <https://github.com/simonw/datasette/commit/bac4e01f40ae7bd19d1eab1fb9349452c18de8f5>`__)
 - We no longer load additional plugins when executing pytest (:issue:`438`)
 - Homepage now links to database views if there are less than five tables in a database (:issue:`373`)
 - The ``--cors`` option is now respected by error pages (:issue:`453`)
-- ``datasette publish heroku`` now uses the ``--include-vcs-ignore`` option, which means it works under Travis CI (`#407 <https://github.com/simonw/datasette/pull/407>`__)
+- ``datasette publish heroku`` now uses the ``--include-vcs-ignore`` option, which means it works under Travis CI (:pr:`407`)
 - ``datasette publish heroku`` now publishes using Python 3.6.8 (`666c374 <https://github.com/simonw/datasette/commit/666c37415a898949fae0437099d62a35b1e9c430>`__)
 - Renamed ``datasette publish now`` to ``datasette publish nowv1`` (:issue:`472`)
 - ``datasette publish nowv1`` now accepts multiple ``--alias`` parameters (`09ef305 <https://github.com/simonw/datasette/commit/09ef305c687399384fe38487c075e8669682deb4>`__)
@@ -2123,7 +2357,7 @@ New plugin hooks, improved database view support and an easier way to use more r
 - New ``render_cell`` plugin hook. Plugins can now customize how values are displayed in the HTML tables produced by Datasette's browsable interface. `datasette-json-html <https://github.com/simonw/datasette-json-html>`__ and `datasette-render-images <https://github.com/simonw/datasette-render-images>`__ are two new plugins that use this hook. :ref:`render_cell documentation <plugin_hook_render_cell>`. Closes :issue:`352`
 - New ``extra_body_script`` plugin hook, enabling plugins to provide additional JavaScript that should be added to the page footer. :ref:`extra_body_script documentation <plugin_hook_extra_body_script>`.
 - ``extra_css_urls`` and ``extra_js_urls`` hooks now take additional optional parameters, allowing them to be more selective about which pages they apply to. :ref:`Documentation <plugin_hook_extra_css_urls>`.
-- You can now use the :ref:`sortable_columns metadata setting <metadata_sortable_columns>` to explicitly enable sort-by-column in the interface for database views, as well as for specific tables.
+- You can now use the :ref:`sortable_columns metadata setting <table_configuration_sortable_columns>` to explicitly enable sort-by-column in the interface for database views, as well as for specific tables.
 - The new ``fts_table`` and ``fts_pk`` metadata settings can now be used to :ref:`explicitly configure full-text search for a table or a view <full_text_search_table_or_view>`, even if that table is not directly coupled to the SQLite FTS feature in the database schema itself.
 - Datasette will now use `pysqlite3 <https://github.com/coleifer/pysqlite3>`__ in place of the standard library ``sqlite3`` module if it has been installed in the current environment. This makes it much easier to run Datasette against a more recent version of SQLite, including the just-released `SQLite 3.25.0 <https://www.sqlite.org/releaselog/3_25_0.html>`__ which adds window function support. More details on how to use this in :issue:`360`
 - New mechanism that allows :ref:`plugin configuration options <plugins_configuration>` to be set using ``metadata.json``.
@@ -2142,7 +2376,7 @@ A number of small new features:
 - Documentation for :ref:`datasette publish and datasette package <publishing>`, closes `#337 <https://github.com/simonw/datasette/issues/337>`_
 - Fixed compatibility with Python 3.7
 - ``datasette publish heroku`` now supports app names via the ``-n`` option, which can also be used to overwrite an existing application [Russ Garrett]
-- Title and description metadata can now be set for :ref:`canned SQL queries <canned_queries>`, closes `#342 <https://github.com/simonw/datasette/issues/342>`_
+- Title and description metadata can now be set for :ref:`canned SQL queries <queries>`, closes `#342 <https://github.com/simonw/datasette/issues/342>`_
 - New ``force_https_on`` config option, fixes ``https://`` API URLs when deploying to Zeit Now - closes `#333 <https://github.com/simonw/datasette/issues/333>`_
 - ``?_json_infinity=1`` query string argument for handling Infinity/-Infinity values in JSON, closes `#332 <https://github.com/simonw/datasette/issues/332>`_
 - URLs displayed in the results of custom SQL queries are now URLified, closes `#298 <https://github.com/simonw/datasette/issues/298>`_
@@ -2208,7 +2442,7 @@ Foreign key expansions
 ~~~~~~~~~~~~~~~~~~~~~~
 
 When Datasette detects a foreign key reference it attempts to resolve a label
-for that reference (automatically or using the :ref:`label_columns` metadata
+for that reference (automatically or using the :ref:`table_configuration_label_column` metadata
 option) so it can display a link to the associated row.
 
 This expansion is now also available for JSON and CSV representations of the
diff --git a/docs/conf.py b/docs/conf.py
index 0879eeb9..5dd06b57 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -51,6 +51,7 @@ markdown_uri_doc_suffix = ".html"
 
 extlinks = {
     "issue": ("https://github.com/simonw/datasette/issues/%s", "#%s"),
+    "pr": ("https://github.com/simonw/datasette/pull/%s", "#%s"),
 }
 
 # Add any paths that contain templates here, relative to this directory.
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 425024da..d01f5153 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -87,6 +87,7 @@ This is equivalent to a ``datasette.yaml`` file containing the following:
         }
 .. [[[end]]]
 
+
 .. _configuration_reference:
 
 ``datasette.yaml`` reference
@@ -433,12 +434,12 @@ Here is a simple example:
 
 :ref:`authentication_permissions_config` has the full details.
 
-.. _configuration_reference_canned_queries:
+.. _configuration_reference_queries:
 
-Canned queries configuration
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Queries configuration
+~~~~~~~~~~~~~~~~~~~~~
 
-:ref:`Canned queries <canned_queries>` are named SQL queries that appear in the Datasette interface. They can be configured in ``datasette.yaml`` using the ``queries`` key at the database level:
+:ref:`Queries <queries>` are named SQL queries that appear in the Datasette interface. They can be configured in ``datasette.yaml`` using the ``queries`` key at the database level:
 
 .. [[[cog
     from metadata_doc import config_example, config_example
@@ -483,7 +484,7 @@ Canned queries configuration
         }
 .. [[[end]]]
 
-See the :ref:`canned queries documentation <canned_queries>` for more, including how to configure :ref:`writable canned queries <canned_queries_writable>`.
+See the :ref:`queries documentation <queries>` for more, including how to configure :ref:`writable queries <queries_writable>`.
 
 .. _configuration_reference_css_js:
 
@@ -634,5 +635,583 @@ Will produce this HTML:
 
     <script type="module" src="https://example.datasette.io/module.js"></script>
 
+.. _configuration_reference_table:
 
+Table configuration
+~~~~~~~~~~~~~~~~~~~
 
+Datasette supports a number of table-level configuration options inside ``datasette.yaml``. These are placed under ``databases.database_name.tables.table_name``.
+
+.. _table_configuration_sort:
+
+``sort`` / ``sort_desc``
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+By default Datasette tables are sorted by primary key. You can set a default sort order for a specific table using the ``sort`` or ``sort_desc`` properties:
+
+.. [[[cog
+    from metadata_doc import config_example
+    import textwrap
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sort: created
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sort: created
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "sort": "created"
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+Or use ``sort_desc`` to sort in descending order:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sort_desc: created
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sort_desc: created
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "sort_desc": "created"
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+.. _table_configuration_size:
+
+``size``
+^^^^^^^^
+
+Datasette defaults to displaying 100 rows per page, for both tables and views. You can change this on a per-table or per-view basis using the ``size`` key:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                size: 10
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                size: 10
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "size": 10
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+This size can still be over-ridden by passing e.g. ``?_size=50`` in the query string.
+
+.. _table_configuration_sortable_columns:
+
+``sortable_columns``
+^^^^^^^^^^^^^^^^^^^^
+
+Datasette allows any column to be used for sorting by default. If you need to control which columns are available for sorting you can do so using ``sortable_columns``:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sortable_columns:
+                - height
+                - weight
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                sortable_columns:
+                - height
+                - weight
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "sortable_columns": [
+                    "height",
+                    "weight"
+                  ]
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+This will restrict sorting of ``example_table`` to just the ``height`` and ``weight`` columns.
+
+You can also disable sorting entirely by setting ``"sortable_columns": []``
+
+You can use ``sortable_columns`` to enable specific sort orders for a view called ``name_of_view`` in the database ``my_database`` like so:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          my_database:
+            tables:
+              name_of_view:
+                sortable_columns:
+                - clicks
+                - impressions
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          my_database:
+            tables:
+              name_of_view:
+                sortable_columns:
+                - clicks
+                - impressions
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "my_database": {
+              "tables": {
+                "name_of_view": {
+                  "sortable_columns": [
+                    "clicks",
+                    "impressions"
+                  ]
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+.. _table_configuration_label_column:
+
+``label_column``
+^^^^^^^^^^^^^^^^
+
+Datasette's HTML interface attempts to display foreign key references as labelled hyperlinks. By default, it automatically detects a label column using the following rules (in order):
+
+1. If there is exactly one unique text column, use that.
+2. If there is a column called ``name`` or ``title`` (case-insensitive), use that.
+3. If the table has only two columns - a primary key and one other - use the non-primary-key column.
+
+You can override this automatic detection by specifying which column should be used for the link label with the ``label_column`` property:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                label_column: title
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                label_column: title
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "label_column": "title"
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+.. _table_configuration_hidden:
+
+``hidden``
+^^^^^^^^^^
+
+You can hide tables from the database listing view (in the same way that FTS and SpatiaLite tables are automatically hidden) using ``"hidden": true``:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                hidden: true
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                hidden: true
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "hidden": true
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+.. _table_configuration_facets:
+
+``facets`` / ``facet_size``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You can turn on facets by default for specific tables. ``facet_size`` controls how many unique values are shown for each facet on that table (the default is controlled by the :ref:`setting_default_facet_size` setting). See :ref:`facets_metadata` for full details.
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          sf-trees:
+            tables:
+              Street_Tree_List:
+                facets:
+                - qLegalStatus
+                facet_size: 10
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          sf-trees:
+            tables:
+              Street_Tree_List:
+                facets:
+                - qLegalStatus
+                facet_size: 10
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "sf-trees": {
+              "tables": {
+                "Street_Tree_List": {
+                  "facets": [
+                    "qLegalStatus"
+                  ],
+                  "facet_size": 10
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+You can also specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>` facets using JSON objects with a single key of ``array`` or ``date``:
+
+.. code-block:: yaml
+
+    facets:
+    - array: tags
+    - date: created
+
+.. _table_configuration_fts:
+
+``fts_table`` / ``fts_pk`` / ``searchmode``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+These configure :ref:`full-text search <full_text_search>` for a table or view. See :ref:`full_text_search_table_or_view` for full details.
+
+``fts_table`` specifies which FTS table to use for search. ``fts_pk`` sets the primary key column if it is something other than ``rowid``. ``searchmode`` can be set to ``"raw"`` to enable `SQLite advanced search operators <https://www.sqlite.org/fts5.html#full_text_query_syntax>`__.
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          russian-ads:
+            tables:
+              display_ads:
+                fts_table: ads_fts
+                fts_pk: id
+                searchmode: raw
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          russian-ads:
+            tables:
+              display_ads:
+                fts_table: ads_fts
+                fts_pk: id
+                searchmode: raw
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "russian-ads": {
+              "tables": {
+                "display_ads": {
+                  "fts_table": "ads_fts",
+                  "fts_pk": "id",
+                  "searchmode": "raw"
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+.. _table_configuration_column_types:
+
+``column_types``
+^^^^^^^^^^^^^^^^
+
+You can assign semantic column types to columns, which affect how values are rendered, validated, transformed, and edited. Built-in column types include ``url``, ``email``, ``json``, and ``textarea``. Plugins can register additional column types using the :ref:`register_column_types <plugin_register_column_types>` plugin hook.
+
+Column types can optionally declare which SQLite column types they apply to using ``sqlite_types``. Datasette will reject incompatible assignments. The built-in ``url``, ``email``, ``json``, and ``textarea`` column types are all restricted to ``TEXT`` columns.
+
+The simplest form maps column names to type name strings:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                column_types:
+                  website: url
+                  contact: email
+                  extra_data: json
+                  notes: textarea
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                column_types:
+                  website: url
+                  contact: email
+                  extra_data: json
+                  notes: textarea
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "column_types": {
+                    "website": "url",
+                    "contact": "email",
+                    "extra_data": "json",
+                    "notes": "textarea"
+                  }
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
+
+For column types that accept additional configuration, use an object with ``type`` and ``config`` keys:
+
+.. [[[cog
+    config_example(cog, textwrap.dedent(
+      """
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                column_types:
+                  website:
+                    type: url
+                    config:
+                      prefix: "https://"
+      """).strip()
+    )
+.. ]]]
+
+.. tab:: datasette.yaml
+
+    .. code-block:: yaml
+
+        databases:
+          mydatabase:
+            tables:
+              example_table:
+                column_types:
+                  website:
+                    type: url
+                    config:
+                      prefix: "https://"
+
+.. tab:: datasette.json
+
+    .. code-block:: json
+
+        {
+          "databases": {
+            "mydatabase": {
+              "tables": {
+                "example_table": {
+                  "column_types": {
+                    "website": {
+                      "type": "url",
+                      "config": {
+                        "prefix": "https://"
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+.. [[[end]]]
diff --git a/docs/contributing.rst b/docs/contributing.rst
index 635ca60e..692f94c8 100644
--- a/docs/contributing.rst
+++ b/docs/contributing.rst
@@ -62,6 +62,76 @@ You can run the tests faster using multiple CPU cores with `pytest-xdist <https:
 
     uv run pytest -m "serial"
 
+.. _contributing_playwright:
+
+Running Playwright tests
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Datasette includes a small number of browser automation tests using Playwright_.
+These tests are skipped by default, so you can run the main test suite with
+``uv run pytest`` without installing Playwright or any browser binaries.
+
+.. _Playwright: https://playwright.dev/python/
+
+The Playwright tests use a separate dependency group. The easiest way to run
+them is using ``just``. First install the browser engine you want to test
+against. Chromium is used by default:
+
+.. code-block:: bash
+
+    just playwright-install
+
+Then run the Playwright test module:
+
+.. code-block:: bash
+
+    just playwright
+
+You can also run the same tests against Firefox or WebKit by installing that
+browser engine and passing it to ``just playwright``:
+
+.. code-block:: bash
+
+    just playwright-install firefox
+    just playwright firefox
+
+    just playwright-install webkit
+    just playwright webkit
+
+To install every supported browser engine and run the tests against all of
+them, use:
+
+.. code-block:: bash
+
+    just playwright-install-all
+    just playwright-all
+
+You can pass extra ``pytest`` options after the browser name:
+
+.. code-block:: bash
+
+    just playwright chromium -k permissions
+    just playwright-all -x
+
+You can add the ``--headed`` option to have Playwright open a browser window that you can see while it runs the tests. This only works if you specify a browser, for example:
+
+.. code-block:: bash
+
+    just playwright firefox --headed
+
+Combine this with ``-k`` to watch a specific test:
+
+.. code-block:: bash
+
+    just playwright chromium --headed -k test_insert_row
+
+If you are not using ``just``, the equivalent ``uv run`` commands are:
+
+.. code-block:: bash
+
+    uv run --group playwright playwright install chromium
+    uv run --group playwright pytest tests/test_playwright.py --playwright --browser chromium
+
 .. _contributing_using_fixtures:
 
 Using fixtures
@@ -87,6 +157,9 @@ If you want to change Datasette's Python code you can use the ``--reload`` optio
 
     uv run datasette --reload fixtures.db
 
+This also enables development mode for static asset cache busting, described in
+:ref:`customization_static_files`.
+
 You can also use the ``fixtures.py`` script to recreate the testing version of ``metadata.json`` used by the unit tests. To do that::
 
     uv run python tests/fixtures.py fixtures.db fixtures-metadata.json
@@ -239,6 +312,19 @@ To update these pages, run the following command::
 
     uv run cog -r docs/*.rst
 
+.. _contributing_template_contexts:
+
+Documented template contexts
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Datasette's documented template contexts are part of the public API for custom templates. They are defined as dataclasses next to the view code that renders them, for example ``DatabaseContext`` and ``QueryContext`` in ``datasette/views/database.py``.
+
+Every documented context class inherits from ``datasette.views.Context``. Fields that are added directly by view code should be declared as dataclass fields with ``help`` metadata, which is used to generate :ref:`template_context`. Fields resolved through the page extras system should use ``from_extra()`` so their documentation comes from the matching ``Extra`` class.
+
+Use ``documented_template`` on each context class to record the canonical template named in the generated documentation. This should be a string such as ``"database.html"``. Runtime template selection still happens in the view code, since most pages consider more specific template names before falling back to the canonical one.
+
+When a context field contains repeated structured data, prefer a small nested dataclass over an anonymous dictionary. For example, a field containing table summaries should be annotated as ``list[DatabaseTable]`` where ``DatabaseTable`` is a dataclass describing the keys and value types. This keeps the Python contract and generated documentation clear. JSON responses and ``?_context=1`` debug output will convert nested dataclasses back to JSON objects at the response boundary.
+
 .. _contributing_continuous_deployment:
 
 Continuously deployed demo instances
@@ -296,7 +382,7 @@ Don't forget to create the release from the correct branch - usually ``main``, b
 
 While the release is running you can confirm that the correct commits made it into the release using the https://github.com/simonw/datasette/compare/0.64.6...0.64.7 URL.
 
-Finally, post a news item about the release on `datasette.io <https://datasette.io/>`__ by editing the `news.yaml <https://github.com/simonw/datasette.io/blob/main/news.yaml>`__ file in that site's repository.
+Finally, post a news item about the release on `datasette.io <https://datasette.io/>`__ by editing the `news.yaml <https://github.com/simonw/datasette.io/blob/main/news.yaml>`__ file in that site's repository. Use `this preview tool <https://tools.simonwillison.net/datasette-io-preview>`__ to preview the edits to the YAML.
 
 .. _contributing_alpha_beta:
 
diff --git a/docs/custom_templates.rst b/docs/custom_templates.rst
index 8cc40f0f..50c23b3e 100644
--- a/docs/custom_templates.rst
+++ b/docs/custom_templates.rst
@@ -29,7 +29,7 @@ The custom SQL template (``/dbname?sql=...``) gets this:
 
     <body class="query db-dbname">
 
-A canned query template (``/dbname/queryname``) gets this:
+A stored query template (``/dbname/queryname``) gets this:
 
 .. code-block:: html
 
@@ -94,11 +94,55 @@ The ``core`` class is particularly useful - you can apply this directly to a ``<
 
 .. _customization_static_files:
 
-Serving static files
-~~~~~~~~~~~~~~~~~~~~
+Linking to static assets
+~~~~~~~~~~~~~~~~~~~~~~~~
 
-Datasette can serve static files for you, using the ``--static`` option.
-Consider the following directory structure::
+Use the ``static()`` template function to create cache-busting URLs to static
+assets from your custom templates. It returns a URL with a ``?_hash=`` parameter
+based on the file contents and takes the ``base_url`` setting into account.
+
+When the hash in the URL matches the current file contents, Datasette will serve
+the static asset with a far-future immutable ``Cache-Control`` header.
+
+When Datasette is run using ``--reload``, the file contents are hashed every time
+the template is rendered, so edits to static files will update their URLs
+without restarting Datasette. Without ``--reload``, the hash is cached for the
+lifetime of the Datasette process.
+
+For Datasette's bundled static assets, pass the path to the asset:
+
+.. code-block:: html+jinja
+
+    <link rel="stylesheet" href="{{ static('app.css') }}">
+
+For plugin static assets, pass the plugin name using ``plugin=`` and a path
+relative to the plugin's ``static/`` directory:
+
+.. code-block:: html+jinja
+
+    <script src="{{ static('plugin.js', plugin='datasette_plugin_name') }}" defer></script>
+
+For files served from a directory mounted using ``--static assets:static-files/``,
+pass the mount point name using ``mount=`` and a path relative to that mounted
+directory:
+
+.. code-block:: html+jinja
+
+    <link rel="stylesheet" href="{{ static('styles.css', mount='assets') }}">
+    <script src="{{ static('app.js', mount='assets') }}" defer></script>
+
+You can also use ``urls.path()`` if you want to link to a mounted file without
+adding a content hash:
+
+.. code-block:: html+jinja
+
+    <link rel="stylesheet" href="{{ urls.path('/assets/styles.css') }}">
+
+Serving files from a directory
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Datasette can serve static files from a directory for you, using the ``--static``
+option. Consider the following directory structure::
 
     metadata.json
     static-files/styles.css
@@ -177,6 +221,11 @@ this::
 Datasette will now first look for templates in that directory, and fall back on
 the defaults if no matches are found.
 
+The variables made available to each template are documented on the
+:ref:`template_context` page. Variables documented there are a stable API:
+custom templates that use them will keep working in future Datasette
+releases, up until the next major version.
+
 It is also possible to over-ride templates on a per-database, per-row or per-
 table basis.
 
@@ -193,8 +242,8 @@ The lookup rules Datasette uses are as follows::
         query-mydatabase.html
         query.html
 
-    Canned query page (/mydatabase/canned-query):
-        query-mydatabase-canned-query.html
+    Stored query page (/mydatabase/query-name):
+        query-mydatabase-query-name.html
         query-mydatabase.html
         query.html
 
@@ -230,7 +279,7 @@ will look something like this::
 
     <!-- Templates considered: *query-mydb-tz.html, query-mydb.html, query.html -->
 
-This example is from the canned query page for a query called "tz" in the
+This example is from the stored query page for a query called "tz" in the
 database called "mydb". The asterisk shows which template was selected - so in
 this case, Datasette found a template file called ``query-mydb-tz.html`` and
 used that - but if that template had not been found, it would have tried for
@@ -274,13 +323,28 @@ Here is an example of a custom ``_table.html`` template:
 .. code-block:: jinja
 
     {% for row in display_rows %}
-        <div>
+        <div data-row="{{ row.row_path }}">
             <h2>{{ row["title"] }}</h2>
             <p>{{ row["description"] }}<lp>
             <p>Category: {{ row.display("category_id") }}</p>
         </div>
     {% endfor %}
 
+If your custom table template should support Datasette's row editing UI, include
+``data-row="{{ row.row_path }}"`` on the outer element that represents each row.
+This does not need to be a ``<tr>``: it can be a ``<div>``, ``<li>`` or any other
+element that wraps the HTML for that row. Datasette uses this attribute to find
+the element to remove after a delete, or replace after an edit. Any edit or
+delete controls should be rendered inside that same element.
+
+The ``_action_menu.html`` template renders the action menus used by database,
+table, query and row pages. Plugin-provided actions can be link dictionaries
+with ``href`` and ``label`` keys, or button dictionaries using ``{"type":
+"button", "label": "...", "attrs": {...}}`` for JavaScript-backed interactions.
+Both shapes can include an optional ``description`` key. Custom
+``_action_menu.html`` templates should preserve support for both link and button
+action items.
+
 .. _custom_pages:
 
 Custom pages
diff --git a/docs/events.md b/docs/events.md
index 399317e9..f63d1893 100644
--- a/docs/events.md
+++ b/docs/events.md
@@ -5,6 +5,8 @@ Datasette includes a mechanism for tracking events that occur while the software
 
 The core Datasette application triggers events when certain things happen. This page describes those events.
 
+Note that these events will *not* fire for changes made to a SQLite database by a process other than Datasette itself.
+
 Plugins can listen for events using the {ref}`plugin_hook_track_event` plugin hook, which will be called with instances of the following classes - or additional classes {ref}`registered by other plugins <plugin_hook_register_events>`.
 
 ```{eval-rst}
diff --git a/docs/facets.rst b/docs/facets.rst
index 2a135b69..960ac03a 100644
--- a/docs/facets.rst
+++ b/docs/facets.rst
@@ -98,16 +98,16 @@ You can increase this on an individual page by adding ``?_facet_size=100`` to th
 
 .. _facets_metadata:
 
-Facets in metadata
-------------------
+Facets in configuration
+-----------------------
 
-You can turn facets on by default for specific tables by adding them to a ``"facets"`` key in a Datasette :ref:`metadata` file.
+You can turn facets on by default for specific tables by adding a ``"facets"`` key to the table configuration in ``datasette.yaml``. See also the :ref:`table configuration reference <table_configuration_facets>` for a quick overview.
 
 Here's an example that turns on faceting by default for the ``qLegalStatus`` column in the ``Street_Tree_List`` table in the ``sf-trees`` database:
 
 .. [[[cog
-    from metadata_doc import metadata_example
-    metadata_example(cog, {
+    from metadata_doc import config_example
+    config_example(cog, {
       "databases": {
         "sf-trees": {
           "tables": {
@@ -120,7 +120,7 @@ Here's an example that turns on faceting by default for the ``qLegalStatus`` col
     })
 .. ]]]
 
-.. tab:: metadata.yaml
+.. tab:: datasette.yaml
 
     .. code-block:: yaml
 
@@ -132,7 +132,7 @@ Here's an example that turns on faceting by default for the ``qLegalStatus`` col
                 - qLegalStatus
 
 
-.. tab:: metadata.json
+.. tab:: datasette.json
 
     .. code-block:: json
 
@@ -153,12 +153,12 @@ Here's an example that turns on faceting by default for the ``qLegalStatus`` col
 
 Facets defined in this way will always be shown in the interface and returned in the API, regardless of the ``_facet`` arguments passed to the view.
 
-Facets defined in metadata will be displayed in the order they are listed in the configuration. Any additional facets added via query string parameters (e.g. ``?_facet=column_name``) will appear after the metadata-defined facets, sorted by the number of unique values.
+Facets defined in configuration will be displayed in the order they are listed. Any additional facets added via query string parameters (e.g. ``?_facet=column_name``) will appear after the configured facets, sorted by the number of unique values.
 
-You can specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>` facets in metadata using JSON objects with a single key of ``array`` or ``date`` and a value specifying the column, like this:
+You can specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>` facets using JSON objects with a single key of ``array`` or ``date`` and a value specifying the column, like this:
 
 .. [[[cog
-    metadata_example(cog, {
+    config_example(cog, {
       "facets": [
         {"array": "tags"},
         {"date": "created"}
@@ -166,7 +166,7 @@ You can specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>
     })
 .. ]]]
 
-.. tab:: metadata.yaml
+.. tab:: datasette.yaml
 
     .. code-block:: yaml
 
@@ -175,7 +175,7 @@ You can specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>
         - date: created
 
 
-.. tab:: metadata.json
+.. tab:: datasette.json
 
     .. code-block:: json
 
@@ -194,7 +194,7 @@ You can specify :ref:`array <facet_by_json_array>` or :ref:`date <facet_by_date>
 You can change the default facet size (the number of results shown for each facet) for a table using ``facet_size``:
 
 .. [[[cog
-    metadata_example(cog, {
+    config_example(cog, {
       "databases": {
         "sf-trees": {
           "tables": {
@@ -208,7 +208,7 @@ You can change the default facet size (the number of results shown for each face
     })
 .. ]]]
 
-.. tab:: metadata.yaml
+.. tab:: datasette.yaml
 
     .. code-block:: yaml
 
@@ -221,7 +221,7 @@ You can change the default facet size (the number of results shown for each face
                 facet_size: 10
 
 
-.. tab:: metadata.json
+.. tab:: datasette.json
 
     .. code-block:: json
 
diff --git a/docs/full_text_search.rst b/docs/full_text_search.rst
index 7bb73b93..349ad149 100644
--- a/docs/full_text_search.rst
+++ b/docs/full_text_search.rst
@@ -52,7 +52,7 @@ Configuring full-text search for a table or view
 
 If a table has a corresponding FTS table set up using the ``content=`` argument to ``CREATE VIRTUAL TABLE`` shown below, Datasette will detect it automatically and add a search interface to the table page for that table.
 
-You can also manually configure which table should be used for full-text search using query string parameters or :ref:`metadata`. You can set the associated FTS table for a specific table and you can also set one for a view - if you do that, the page for that SQL view will offer a search option.
+You can also manually configure which table should be used for full-text search using query string parameters or table configuration in ``datasette.yaml`` (see :ref:`table_configuration_fts`). You can set the associated FTS table for a specific table and you can also set one for a view - if you do that, the page for that SQL view will offer a search option.
 
 Use ``?_fts_table=x`` to over-ride the FTS table for a specific page. If the primary key was something other than ``rowid`` you can use ``?_fts_pk=col`` to set that as well. This is particularly useful for views, for example:
 
@@ -65,8 +65,8 @@ The ``"searchmode": "raw"`` property can be used to default the table to accepti
 Here is an example which enables full-text search (with SQLite advanced search operators) for a ``display_ads`` view which is defined against the ``ads`` table and hence needs to run FTS against the ``ads_fts`` table, using the ``id`` as the primary key:
 
 .. [[[cog
-    from metadata_doc import metadata_example
-    metadata_example(cog, {
+    from metadata_doc import config_example
+    config_example(cog, {
         "databases": {
             "russian-ads": {
                 "tables": {
@@ -81,7 +81,7 @@ Here is an example which enables full-text search (with SQLite advanced search o
     })
 .. ]]]
 
-.. tab:: metadata.yaml
+.. tab:: datasette.yaml
 
     .. code-block:: yaml
 
@@ -94,7 +94,7 @@ Here is an example which enables full-text search (with SQLite advanced search o
                 searchmode: raw
 
 
-.. tab:: metadata.json
+.. tab:: datasette.json
 
     .. code-block:: json
 
diff --git a/docs/index.rst b/docs/index.rst
index c76969bc..d494fd17 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -58,6 +58,7 @@ Contents
    settings
    introspection
    custom_templates
+   template_context
    plugins
    writing_plugins
    javascript_plugins
diff --git a/docs/internals.rst b/docs/internals.rst
index 7d607bfe..9f75640f 100644
--- a/docs/internals.rst
+++ b/docs/internals.rst
@@ -106,6 +106,9 @@ The object also has the following awaitable methods:
 ``await request.post_vars()`` - dictionary
     Returns a dictionary of form variables that were submitted in the request body via ``POST`` using ``application/x-www-form-urlencoded`` encoding. For multipart forms or file uploads, use ``request.form()`` instead.
 
+``await request.json()`` - Any
+    Returns the parsed JSON body of a request submitted by ``POST``.
+
 ``await request.post_body()`` - bytes
     Returns the un-parsed body of a request submitted by ``POST`` - useful for things like incoming JSON data.
 
@@ -448,6 +451,52 @@ await .render_template(template, context=None, request=None)
 
 Renders a `Jinja template <https://jinja.palletsprojects.com/en/2.11.x/>`__ using Datasette's preconfigured instance of Jinja and returns the resulting string. The template will have access to Datasette's default template functions and any functions that have been made available by other plugins.
 
+.. _datasette_static:
+
+.static(path, plugin=None, mount=None)
+--------------------------------------
+
+``path`` - string
+    The path to the static asset, relative to the selected static directory.
+
+``plugin`` - string, optional
+    The plugin name, for linking to an asset in that plugin's ``static/``
+    directory.
+
+``mount`` - string, optional
+    The ``--static`` mount name, for linking to an asset in a directory mounted
+    using ``datasette --static mount_name:directory``.
+
+Returns a URL for a static asset with a ``?_hash=`` parameter based on the file
+contents. That URL takes the ``base_url`` setting into account.
+
+When the ``?_hash=`` parameter matches the current file contents, Datasette will
+serve the asset with ``Cache-Control: max-age=31536000, immutable, public``.
+
+Call this with just ``path`` for one of Datasette's bundled static assets:
+
+.. code-block:: python
+
+    datasette.static("app.css")
+
+Use ``plugin=`` for plugin static assets:
+
+.. code-block:: python
+
+    datasette.static(
+        "plugin.js", plugin="datasette_plugin_name"
+    )
+
+Use ``mount=`` for static directories mounted using the ``--static`` option:
+
+.. code-block:: python
+
+    datasette.static("styles.css", mount="assets")
+
+``plugin`` and ``mount`` are mutually exclusive. The same feature is available
+to Jinja templates as the ``static()`` template function, described in
+:ref:`customization_static_files`.
+
 .. _datasette_actors_from_ids:
 
 await .actors_from_ids(actor_ids)
@@ -512,6 +561,43 @@ Example usage:
 
 The method returns ``True`` if the permission is granted, ``False`` if denied.
 
+Results are cached for the duration of the current request, so checking the same ``(actor, action, resource)`` combination twice within one request only does the underlying permission resolution work once.
+
+.. _datasette_allowed_many:
+
+await .allowed_many(\*, actions, resource, actor=None)
+------------------------------------------------------
+
+``actions`` - list of strings
+    The names of the actions to permission check.
+
+``resource`` - Resource object
+    A Resource object representing the database, table, or other resource that each action is checked against. Omit for global actions.
+
+``actor`` - dictionary, optional
+    The authenticated actor. This is usually ``request.actor``. Defaults to ``None`` for unauthenticated requests.
+
+Checks several actions against the same resource for the same actor, returning a dictionary mapping each action name to ``True`` or ``False``. The whole batch - including any actions pulled in through ``also_requires`` dependencies - is resolved with a single SQL query against the internal database, so this is much faster than calling :ref:`datasette.allowed() <datasette_allowed>` once per action.
+
+Example usage:
+
+.. code-block:: python
+
+    from datasette.resources import TableResource
+
+    results = await datasette.allowed_many(
+        actions=["insert-row", "delete-row", "drop-table"],
+        resource=TableResource(
+            database="fixtures", table="facetable"
+        ),
+        actor=request.actor,
+    )
+    # {"insert-row": True, "delete-row": True, "drop-table": False}
+
+Each result is stored in the per-request permission check cache, so subsequent ``datasette.allowed()`` calls for the same checks within the same request are served from that cache. Datasette uses this before running the ``table_actions`` and ``database_actions`` plugin hooks: it resolves every registered table-level action against the current table and every database-level action against its database first, which means ``allowed()`` calls made by those plugin hooks are usually served from the cache instead of triggering additional queries.
+
+Actions for which no plugin provides any permission rules are resolved to ``False`` directly, without being included in the SQL query at all.
+
 .. _datasette_allowed_resources:
 
 await .allowed_resources(action, actor=None, \*, parent=None, include_is_private=False, include_reasons=False, limit=100, next=None)
@@ -725,10 +811,34 @@ The builder methods are:
 
 - ``allow_all(action)`` - allow an action across all databases and resources
 - ``allow_database(database, action)`` - allow an action on a specific database
-- ``allow_resource(database, resource, action)`` - allow an action on a specific resource (table, SQL view or :ref:`canned query <canned_queries>`) within a database
+- ``allow_resource(database, resource, action)`` - allow an action on a specific resource (table, SQL view or :ref:`stored query <stored_queries>`) within a database
 
 Each method returns the ``TokenRestrictions`` instance so calls can be chained.
 
+``TokenRestrictions`` also provides an ``abbreviated(datasette)`` method which returns the restrictions as a dictionary using the compact format described in :ref:`authentication_cli_create_token_restrict`, with action names replaced by their registered abbreviations. It returns the inner dictionary only - the ``"_r"`` wrapping key shown in that section is not included. Returns ``None`` if no restrictions are set. This is useful when writing a custom :ref:`plugin_hook_register_token_handler` that needs to embed restrictions in a token payload.
+
+For example, the following restrictions:
+
+.. code-block:: python
+
+    restrictions = (
+        TokenRestrictions()
+        .allow_all("view-instance")
+        .allow_database("docs", "view-query")
+        .allow_resource("docs", "attachments", "insert-row")
+    )
+    restrictions.abbreviated(datasette)
+
+Returns this dictionary, using the abbreviations registered for each action:
+
+.. code-block:: python
+
+    {
+        "a": ["vi"],
+        "d": {"docs": ["vq"]},
+        "r": {"docs": {"attachments": ["ir"]}},
+    }
+
 The following example creates a token that can access ``view-instance`` and ``view-table`` across everything, can additionally use ``view-query`` for anything in the ``docs`` database and is allowed to execute ``insert-row`` and ``update-row`` in the ``attachments`` table in that database:
 
 .. code-block:: python
@@ -813,10 +923,10 @@ await .get_resource_metadata(self, database_name, resource_name)
 ``database_name`` - string
     The name of the database to query.
 ``resource_name`` - string
-    The name of the resource (table, view, or canned query) inside ``database_name`` to query.
+    The name of the resource (table, view, or stored query) inside ``database_name`` to query.
 
 Returns metadata keys and values for the specified "resource" as a dictionary.
-A "resource" in this context can be a table, view, or canned query.
+A "resource" in this context can be a table, view, or stored query.
 Internally queries the ``metadata_resources`` table inside the :ref:`internal database <internals_internal>`.
 
 .. _datasette_get_column_metadata:
@@ -827,7 +937,7 @@ await .get_column_metadata(self, database_name, resource_name, column_name)
 ``database_name`` - string
     The name of the database to query.
 ``resource_name`` - string
-    The name of the resource (table, view, or canned query) inside ``database_name`` to query.
+    The name of the resource (table, view, or stored query) inside ``database_name`` to query.
 ``column_name`` - string
     The name of the column inside ``resource_name`` to query.
 
@@ -873,7 +983,7 @@ await .set_resource_metadata(self, database_name, resource_name, key, value)
 ``database_name`` - string
     The database the metadata entry belongs to.
 ``resource_name`` - string
-    The resource (table, view, or canned query) the metadata entry belongs to.
+    The resource (table, view, or stored query) the metadata entry belongs to.
 ``key`` - string
     The metadata entry key to insert (ex ``title``, ``description``, etc.)
 ``value`` - string
@@ -891,7 +1001,7 @@ await .set_column_metadata(self, database_name, resource_name, column_name, key,
 ``database_name`` - string
     The database the metadata entry belongs to.
 ``resource_name`` - string
-    The resource (table, view, or canned query) the metadata entry belongs to.
+    The resource (table, view, or stored query) the metadata entry belongs to.
 ``column-name`` - string
     The column the metadata entry belongs to.
 ``key`` - string
@@ -903,6 +1013,297 @@ Adds a new metadata entry for the specified column.
 Any previous column-level metadata entry with the same ``key`` will be overwritten.
 Internally upserts the value into the  the ``metadata_columns`` table inside the :ref:`internal database <internals_internal>`.
 
+.. _datasette_stored_queries:
+
+Stored queries
+--------------
+
+:ref:`Stored queries <stored_queries>` are stored in the ``queries`` table in the :ref:`internal database <internals_internal>`. Plugins can use the following methods to add, update, list and remove stored queries.
+
+.. _datasette_add_query:
+
+await .add_query(database, name, sql, ...)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adds a stored query.
+
+.. code-block:: python
+
+    async def add_query(
+        self,
+        database,
+        name,
+        sql,
+        *,
+        title=None,
+        description=None,
+        description_html=None,
+        hide_sql=False,
+        fragment=None,
+        parameters=None,
+        is_write=False,
+        is_private=False,
+        is_trusted=False,
+        source="plugin",
+        owner_id=None,
+        on_success_message=None,
+        on_success_message_sql=None,
+        on_success_redirect=None,
+        on_error_message=None,
+        on_error_redirect=None,
+        replace=True,
+    ): ...
+
+``database`` - string
+    The name of the database this query should belong to.
+``name`` - string
+    The name of the stored query, used in the URL for that query.
+``sql`` - string
+    The SQL for the stored query.
+``title`` - string, optional
+    A display title for the query.
+``description`` - string, optional
+    A plain text description.
+``description_html`` - string, optional
+    An HTML description.
+``hide_sql`` - boolean, optional
+    Set to ``True`` to hide the SQL by default on the query page.
+``fragment`` - string, optional
+    A URL fragment to append to query links, for example ``"chart"``.
+``parameters`` - list of strings, optional
+    Explicit parameter names for the query form. If omitted, Datasette derives parameters from the SQL.
+``is_write`` - boolean, optional
+    Set to ``True`` for writable queries. They will the run against the SQLite write connection for the database.
+``is_private`` - boolean, optional
+    Set to ``True`` for private queries. Private queries can only be viewed, updated or deleted by their owner.
+``is_trusted`` - boolean, optional
+    Set to ``True`` for :ref:`trusted stored queries <trusted_stored_queries>`.
+``source`` - string, optional
+    Identifies where the query came from. Defaults to ``"plugin"``.
+``owner_id`` - string, optional
+    Actor ID of the query owner, used by private query permissions.
+``on_success_message``, ``on_success_message_sql``, ``on_success_redirect``, ``on_error_message``, ``on_error_redirect`` - strings, optional
+    Options for :ref:`writable queries <queries_writable>`.
+``replace`` - boolean, optional
+    Defaults to ``True``, which replaces any existing stored query with the same ``database`` and ``name``. Set this to ``False`` to raise a SQLite integrity error if the query already exists.
+
+Example:
+
+.. code-block:: python
+
+    await datasette.add_query(
+        database="fixtures",
+        name="recent_rows",
+        sql="select * from facetable order by created desc limit 10",
+        title="Recent rows",
+        source="my-plugin",
+    )
+
+.. _datasette_update_query:
+
+await .update_query(database, name, ...)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Updates fields for an existing stored query. Only keyword arguments that are provided will be changed.
+
+The available keyword arguments are the same as those for :ref:`datasette_add_query`, except for ``replace``. Pass ``None`` to clear optional text fields and options such as ``on_success_redirect``. Passing ``hide_sql=False`` removes the ``hide_sql`` option.
+
+Example:
+
+.. code-block:: python
+
+    await datasette.update_query(
+        database="fixtures",
+        name="recent_rows",
+        title="Latest rows",
+        is_private=True,
+        owner_id="alice",
+    )
+
+.. _datasette_get_query:
+
+await .get_query(database, name)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Returns a ``StoredQuery`` dataclass instance, or ``None`` if the query does not exist.
+
+``StoredQuery`` has the following attributes: ``database``, ``name``, ``sql``, ``title``, ``description``, ``description_html``, ``hide_sql``, ``fragment``, ``parameters``, ``is_write``, ``is_private``, ``is_trusted``, ``source``, ``owner_id``, ``on_success_message``, ``on_success_message_sql``, ``on_success_redirect``, ``on_error_message`` and ``on_error_redirect``.
+
+``parameters`` is a list of explicit parameter names.
+
+.. _datasette_list_queries:
+
+await .list_queries(database=None, ...)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Lists stored queries visible to the specified actor.
+
+.. code-block:: python
+
+    async def list_queries(
+        self,
+        database=None,
+        *,
+        actor=None,
+        limit=50,
+        cursor=None,
+        q=None,
+        is_write=None,
+        is_private=None,
+        is_trusted=None,
+        source=None,
+        owner_id=None,
+        include_private=False,
+    ): ...
+
+``database`` - string, optional
+    Restrict results to a specific database. Omit this to list queries across all databases.
+``actor`` - dictionary, optional
+    The authenticated actor. Results are filtered using that actor's ``view-query`` permission.
+``limit`` - integer, optional
+    Number of queries to return. Values are clamped to the range 1-1000.
+``cursor`` - string, optional
+    Pagination cursor from the previous page's ``next`` value.
+``q`` - string, optional
+    Search string matched against query name, title, description and SQL.
+``is_write``, ``is_private``, ``is_trusted`` - boolean, optional
+    Filter by those stored query flags.
+``source`` - string, optional
+    Filter by query source.
+``owner_id`` - string, optional
+    Filter by owner actor ID.
+``include_private`` - boolean, optional
+    Set to ``True`` to populate a ``private`` boolean on each returned ``StoredQuery`` indicating if anonymous users would be unable to view that query.
+
+The return value is a ``StoredQueryPage`` dataclass instance with these attributes:
+
+``queries`` - list of StoredQuery instances
+    Stored queries in the same format returned by :ref:`datasette_get_query`.
+``next`` - string or None
+    Pagination cursor for the next page, if one exists.
+``has_more`` - boolean
+    ``True`` if another page of results is available.
+``limit`` - integer
+    The limit used for this page.
+
+.. _datasette_count_queries:
+
+await .count_queries(database=None, ...)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Counts stored queries visible to the specified actor. This accepts the same filtering keyword arguments as :ref:`datasette_list_queries`, except for ``limit``, ``cursor`` and ``include_private``.
+
+.. _datasette_remove_query:
+
+await .remove_query(database, name, source=None)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Removes a stored query.
+
+``database`` - string
+    The database the query belongs to.
+``name`` - string
+    The query name.
+``source`` - string, optional
+    If provided, only a query with this source will be removed.
+
+.. _datasette_column_types:
+
+Column types
+------------
+
+Column types are stored in the ``column_types`` table in the :ref:`internal database <internals_internal>`. The following methods provide the API for reading and modifying column type assignments.
+
+.. _datasette_get_column_type:
+
+await .get_column_type(database, resource, column)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``database`` - string
+    The name of the database.
+``resource`` - string
+    The name of the table or view.
+``column`` - string
+    The name of the column.
+
+Returns a ``ColumnType`` subclass instance with ``.config`` populated for the specified column, or ``None`` if no column type is assigned.
+
+.. code-block:: python
+
+    ct = await datasette.get_column_type(
+        "mydb", "mytable", "email_col"
+    )
+    if ct:
+        print(ct.name)  # "email"
+        print(ct.config)  # None or {...}
+
+.. _datasette_get_column_types:
+
+await .get_column_types(database, resource)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``database`` - string
+    The name of the database.
+``resource`` - string
+    The name of the table or view.
+
+Returns a dictionary mapping column names to ``ColumnType`` subclass instances (with ``.config`` populated) for all columns that have assigned types on the given resource.
+
+.. code-block:: python
+
+    ct_map = await datasette.get_column_types("mydb", "mytable")
+    for col_name, ct in ct_map.items():
+        print(col_name, ct.name, ct.config)
+
+.. _datasette_set_column_type:
+
+await .set_column_type(database, resource, column, column_type, config=None)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``database`` - string
+    The name of the database.
+``resource`` - string
+    The name of the table or view.
+``column`` - string
+    The name of the column.
+``column_type`` - string
+    The column type name to assign, e.g. ``"email"``.
+``config`` - dict, optional
+    Optional configuration dict for the column type.
+
+Assigns a column type to a column. Overwrites any existing assignment for that column.
+Raises ``ValueError`` if the column type declares ``sqlite_types`` and the target column does not match one of those SQLite types.
+
+.. code-block:: python
+
+    await datasette.set_column_type(
+        "mydb",
+        "mytable",
+        "location",
+        "point",
+        config={"srid": 4326},
+    )
+
+.. _datasette_remove_column_type:
+
+await .remove_column_type(database, resource, column)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``database`` - string
+    The name of the database.
+``resource`` - string
+    The name of the table or view.
+``column`` - string
+    The name of the column.
+
+Removes the column type assignment for the specified column.
+
+.. code-block:: python
+
+    await datasette.remove_column_type(
+        "mydb", "mytable", "location"
+    )
+
 .. _datasette_add_database:
 
 .add_database(db, name=None, route=None)
@@ -982,6 +1383,19 @@ The ``name`` and ``route`` parameters are optional and work the same way as they
 
 This removes a database that has been previously added. ``name=`` is the unique name of that database.
 
+.. _datasette_close:
+
+.close()
+--------
+
+Release all resources held by this ``Datasette`` instance. This calls :ref:`database_close` on every attached database (including the internal database), shuts down the thread pool executor used to run SQL queries, and unlinks the temporary file used to back the internal database if one was created.
+
+``close()`` is synchronous, idempotent and one-way: after a call to ``close()`` any attempt to use the Datasette instance to execute SQL will raise a ``datasette.database.DatasetteClosedError`` exception. A closed ``Datasette`` cannot be reopened — callers that need a fresh instance should construct a new one.
+
+If a call to ``Database.close()`` on one of the attached databases raises an exception, ``Datasette.close()`` will continue trying to close the remaining databases and will re-raise the first exception after every database has been processed.
+
+When Datasette is being served over ASGI the ``close()`` method is wired up to the lifespan shutdown event, so resources are released cleanly on ``SIGTERM`` / ``SIGINT``.
+
 .. _datasette_track_event:
 
 await .track_event(event)
@@ -1215,6 +1629,28 @@ These methods can be used with :ref:`internals_datasette_urls` - for example:
 
 For documentation on available ``**kwargs`` options and the shape of the HTTPX Response object refer to the `HTTPX Async documentation <https://www.python-httpx.org/async/>`__.
 
+.. _internals_datasette_client_actor:
+
+Authenticating as an actor
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All ``datasette.client`` methods accept an optional ``actor=`` parameter. When set to a dictionary describing an actor, the request is made with a signed ``ds_actor`` cookie identifying that actor — as if the request had been made by a user who is signed in as that actor.
+
+This is a convenient shorthand equivalent to signing the cookie manually using ``datasette.client.actor_cookie()``.
+
+Example usage:
+
+.. code-block:: python
+
+    response = await datasette.client.get(
+        "/-/actor.json", actor={"id": "root"}
+    )
+    assert response.json() == {"actor": {"id": "root"}}
+
+This parameter works with all HTTP methods (``get``, ``post``, ``put``, ``patch``, ``delete``, ``options``, ``head``) and the generic ``request`` method.
+
+Passing both ``actor=`` and a ``ds_actor`` cookie via ``cookies=`` raises a ``TypeError``. Other unrelated cookies can be combined with ``actor=``.
+
 Bypassing permission checks
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -1455,8 +1891,8 @@ Instances of the ``Database`` class can be used to execute queries against attac
 
 .. _database_constructor:
 
-Database(ds, path=None, is_mutable=True, is_memory=False, memory_name=None)
----------------------------------------------------------------------------
+Database(ds, path=None, is_mutable=True, is_memory=False, memory_name=None, is_temp_disk=False)
+-----------------------------------------------------------------------------------------------
 
 The ``Database()`` constructor can be used by plugins, in conjunction with :ref:`datasette_add_database`, to create and register new databases.
 
@@ -1477,6 +1913,13 @@ The arguments are as follows:
 ``memory_name`` - string or ``None``
     Use this to create a named in-memory database. Unlike regular memory databases these can be accessed by multiple threads and will persist an changes made to them for the lifetime of the Datasette server process.
 
+``is_temp_disk`` - boolean
+    Set this to ``True`` to create a temporary file-backed database. This creates a SQLite database in a temporary file on disk (using Python's ``tempfile.mkstemp()``) with WAL mode enabled for better concurrent read/write performance. The temporary file is automatically cleaned up when the database is closed or when the process exits.
+
+    Unlike named in-memory databases (``memory_name``), temporary disk databases support concurrent readers and writers without locking errors, because WAL mode allows readers and writers to operate simultaneously. This makes them suitable for use cases like the internal database where concurrent access is common.
+
+    When ``is_temp_disk=True``, the ``path``, ``is_mutable``, and ``mode`` parameters are set automatically and should not be provided.
+
 The first argument is the ``datasette`` instance you are attaching to, the second is a ``path=``, then ``is_mutable`` and ``is_memory`` are both optional arguments.
 
 .. _database_hash:
@@ -1571,8 +2014,8 @@ Example usage:
 
 .. _database_execute_write:
 
-await db.execute_write(sql, params=None, block=True)
-----------------------------------------------------
+await db.execute_write(sql, params=None, block=True, request=None, return_all=False, returning_limit=10)
+--------------------------------------------------------------------------------------------------------
 
 SQLite only allows one database connection to write at a time. Datasette handles this for you by maintaining a queue of writes to be executed against a given database. Plugins can submit write operations to this queue and they will be executed in the order in which they are received.
 
@@ -1580,7 +2023,30 @@ This method can be used to queue up a non-SELECT SQL query to be executed agains
 
 You can pass additional SQL parameters as a tuple or dictionary.
 
-The method will block until the operation is completed, and the return value will be the return from calling ``conn.execute(...)`` using the underlying ``sqlite3`` Python library.
+The optional ``request=`` argument is used internally by Datasette to pass request context to :ref:`write_wrapper plugin hooks <plugin_hook_write_wrapper>`.
+
+The method will block until the operation is completed, and the return value will be an ``ExecuteWriteResult`` object. This imitates a subset of the ``sqlite3.Cursor`` object:
+
+``.rowcount``
+    The number of rows modified by the statement, or ``-1`` if that number is unavailable.
+
+``.lastrowid``
+    The row ID of the last modified row, as returned by ``sqlite3.Cursor.lastrowid``.
+
+``.description``
+    The same column metadata exposed by Python's `sqlite3.Cursor.description <https://docs.python.org/3/library/sqlite3.html#sqlite3.Cursor.description>`__: one tuple per returned column, or ``None`` if the statement does not return rows.
+
+``.truncated``
+    ``True`` if the statement returned more rows than ``returning_limit``.
+
+``.fetchall()``
+    Returns any rows buffered by Datasette from the statement, such as rows from SQLite's ``RETURNING`` clause. This may be limited by ``returning_limit`` unless ``return_all=True`` was used. This method empties the buffer, so calling it again will return an empty list.
+
+SQLite statements using ``RETURNING`` must have their rows consumed before the transaction can commit. Datasette will fetch up to ``returning_limit + 1`` rows before committing, store up to ``returning_limit`` rows on the result object and set ``.truncated`` if there were more. The default ``returning_limit`` is ``10``.
+
+When ``.truncated`` is ``True``, ``.rowcount`` will be ``-1``. SQLite only reports the final row count for a ``RETURNING`` statement after every returned row has been fetched, and Datasette has deliberately stopped fetching rows after ``returning_limit`` to avoid buffering a potentially large result in memory.
+
+If you need to retrieve every row returned by a statement, pass ``return_all=True``. This will buffer all returned rows in memory before committing.
 
 If you pass ``block=False`` this behavior changes to "fire and forget" - queries will be added to the write queue and executed in a separate thread while your code can continue to do other things. The method will return a UUID representing the queued task.
 
@@ -1642,6 +2108,36 @@ For example:
     except Exception as e:
         print("An error occurred:", e)
 
+Your function can optionally accept a ``track_event`` parameter in addition to ``conn``.  If it does, it will be passed a callable that can be used to queue events for dispatch after the write transaction commits successfully.  Events queued this way are discarded if the write raises an exception.
+
+.. code-block:: python
+
+    from datasette.events import AlterTableEvent
+
+
+    def my_write(conn, track_event):
+        before_schema = conn.execute(
+            "select sql from sqlite_master where name = 'my_table'"
+        ).fetchone()[0]
+        conn.execute(
+            "alter table my_table add column new_col text"
+        )
+        after_schema = conn.execute(
+            "select sql from sqlite_master where name = 'my_table'"
+        ).fetchone()[0]
+        track_event(
+            AlterTableEvent(
+                actor=None,
+                database="mydb",
+                table="my_table",
+                before_schema=before_schema,
+                after_schema=after_schema,
+            )
+        )
+
+
+    await database.execute_write_fn(my_write)
+
 The value returned from ``await database.execute_write_fn(...)`` will be the return value from your function.
 
 If your function raises an exception that exception will be propagated up to the ``await`` line.
@@ -1661,6 +2157,8 @@ The :ref:`prepare_connection() <plugin_hook_prepare_connection>` plugin hook is
 
 This allows plugins to execute database operations that might conflict with how database connections are usually configured. For example, running a ``VACUUM`` operation while bypassing any restrictions placed by the `datasette-sqlite-authorizer <https://github.com/datasette/datasette-sqlite-authorizer>`__ plugin.
 
+Running ``VACUUM`` using this method also ensures it won't trigger incorrect :class:`~datasette.events.RenameTableEvent` events, since ``execute_isolated_fn()`` does not trigger the Datasette mechanism that detects renamed tables in a way that can be confused by a ``VACUUM``.
+
 Plugins can also use this method to load potentially dangerous SQLite extensions, use them to perform an operation and then have them safely unloaded at the end of the call, without risk of exposing them to other connections.
 
 Functions run using ``execute_isolated_fn()`` share the same queue as ``execute_write_fn()``, which guarantees that no writes can be executed at the same time as the isolated function is executing.
@@ -1672,7 +2170,11 @@ The return value of the function will be returned by this method. Any exceptions
 db.close()
 ----------
 
-Closes all of the open connections to file-backed databases. This is mainly intended to be used by large test suites, to avoid hitting limits on the number of open files.
+Release all resources held by this ``Database`` instance. This shuts down the background write thread (if one was started by a previous call to :ref:`database_execute_write_fn` or similar), closes the write connection, and closes any cached read connections.
+
+After ``db.close()`` has been called, any further call to :ref:`database_execute`, :ref:`database_execute_fn`, :ref:`database_execute_write`, :ref:`database_execute_write_fn`, :ref:`database_execute_write_many`, :ref:`database_execute_write_script` or :ref:`database_execute_isolated_fn` will raise a ``datasette.database.DatasetteClosedError`` exception.
+
+``close()`` is idempotent — calling it a second time is a no-op. It is one-way: a closed ``Database`` cannot be reopened.
 
 .. _internals_database_introspection:
 
@@ -1696,6 +2198,9 @@ The ``Database`` class also provides properties and methods for introspecting th
 ``db.is_memory`` - boolean
     Is this database an in-memory database?
 
+``db.is_temp_disk`` - boolean
+    Is this database a temporary file-backed database? See :ref:`database_constructor` for details. Temporary disk databases report ``hash`` as ``None`` but have real values for ``size`` and ``mtime_ns`` since they are backed by a file on disk.
+
 ``await db.attached_databases()`` - list of named tuples
     Returns a list of additional databases that have been connected to this database using the SQLite ATTACH command. Each named tuple has fields ``seq``, ``name`` and ``file``.
 
@@ -1724,13 +2229,13 @@ The ``Database`` class also provides properties and methods for introspecting th
     The name of the FTS table associated with this table, if one exists.
 
 ``await db.label_column_for_table(table)`` - string or None
-    The label column that is associated with this table - either automatically detected or using the ``"label_column"`` key from :ref:`metadata`, see :ref:`label_columns`.
+    The label column that is associated with this table - either automatically detected or using the ``"label_column"`` key in configuration, see :ref:`table_configuration_label_column`.
 
 ``await db.foreign_keys_for_table(table)`` - list of dictionaries
     Details of columns in this table which are foreign keys to other tables. A list of dictionaries where each dictionary is shaped like this: ``{"column": string, "other_table": string, "other_column": string}``.
 
 ``await db.hidden_table_names()`` - list of strings
-    List of tables which Datasette "hides" by default - usually these are tables associated with SQLite's full-text search feature, the SpatiaLite extension or tables hidden using the :ref:`metadata_hiding_tables` feature.
+    List of tables which Datasette "hides" by default - usually these are tables associated with SQLite's full-text search feature, the SpatiaLite extension or tables hidden using the :ref:`table_configuration_hidden` feature.
 
 ``await db.get_table_definition(table)`` - string
     Returns the SQL definition for the table - the ``CREATE TABLE`` statement and any associated ``CREATE INDEX`` statements.
@@ -1802,19 +2307,16 @@ The ``Database`` class also provides properties and methods for introspecting th
 CSRF protection
 ===============
 
-Datasette uses `asgi-csrf <https://github.com/simonw/asgi-csrf>`__ to guard against CSRF attacks on form POST submissions. Users receive a ``ds_csrftoken`` cookie which is compared against the ``csrftoken`` form field (or ``x-csrftoken`` HTTP header) for every incoming request.
+Datasette protects against Cross-Site Request Forgery by inspecting the browser-set ``Sec-Fetch-Site`` and ``Origin`` headers on every unsafe (non-``GET``/``HEAD``/``OPTIONS``) request, following the approach described in `Filippo Valsorda's article <https://words.filippo.io/csrf/>`__ and implemented in Go 1.25's ``http.CrossOriginProtection``.
 
-If your plugin implements a ``<form method="POST">`` anywhere you will need to include that token. You can do so with the following template snippet:
+A request is rejected with a ``403`` response if:
 
-.. code-block:: html
+- It carries ``Sec-Fetch-Site`` with any value other than ``same-origin`` or ``none``, or
+- It has no ``Sec-Fetch-Site`` header but does carry an ``Origin`` header whose host does not match the request ``Host``.
 
-    <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
+Requests from non-browser clients (``curl``, server-to-server scripts, etc.) do not send ``Sec-Fetch-Site`` or ``Origin`` and pass through unchanged - CSRF is a browser-only attack.
 
-If you are rendering templates using the :ref:`datasette_render_template` method the ``csrftoken()`` helper will only work if you provide the ``request=`` argument to that method. If you forget to do this you will see the following error::
-
-    form-urlencoded POST field did not match cookie
-
-You can selectively disable CSRF protection using the :ref:`plugin_hook_skip_csrf` hook.
+No token, cookie, or hidden form field is needed. Any ``<form method="POST">`` inside Datasette or a plugin will be accepted from the same origin without modification.
 
 .. _internals_internal:
 
@@ -1941,6 +2443,34 @@ The internal database schema is as follows:
         value text,
         unique(database_name, resource_name, column_name, key)
     );
+    CREATE TABLE column_types (
+        database_name TEXT NOT NULL,
+        resource_name TEXT NOT NULL,
+        column_name TEXT NOT NULL,
+        column_type TEXT NOT NULL,
+        config TEXT,
+        PRIMARY KEY (database_name, resource_name, column_name)
+    );
+    CREATE TABLE queries (
+        database_name TEXT NOT NULL,
+        name TEXT NOT NULL,
+        sql TEXT NOT NULL,
+        title TEXT,
+        description TEXT,
+        description_html TEXT,
+        options TEXT NOT NULL DEFAULT '{}',
+        parameters TEXT NOT NULL DEFAULT '[]',
+        is_write INTEGER NOT NULL DEFAULT 0 CHECK (is_write IN (0, 1)),
+        is_private INTEGER NOT NULL DEFAULT 0 CHECK (is_private IN (0, 1)),
+        is_trusted INTEGER NOT NULL DEFAULT 0 CHECK (is_trusted IN (0, 1)),
+        source TEXT NOT NULL DEFAULT 'user',
+        owner_id TEXT,
+        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        PRIMARY KEY (database_name, name)
+    );
+    CREATE INDEX queries_owner_idx
+        ON queries(owner_id);
 
 .. [[[end]]]
 
@@ -2010,8 +2540,52 @@ Note that the space character is a special case: it will be replaced with a ``+`
 
 .. autofunction:: datasette.utils.tilde_decode
 
+.. _internals_utils_call_with_supported_arguments:
+
+call_with_supported_arguments(fn, \*\*kwargs)
+---------------------------------------------
+
+Call ``fn``, passing it only those keyword arguments that match its function signature. This implements a dependency injection pattern - the caller provides all available arguments, and the function receives only the ones it declares as parameters.
+
+This is useful in plugins that want to define callback functions that only declare the arguments they need. For example:
+
+.. code-block:: python
+
+    from datasette.utils import call_with_supported_arguments
+
+
+    def my_callback(request, datasette): ...
+
+
+    # This will pass only request and datasette, ignoring other kwargs:
+    call_with_supported_arguments(
+        my_callback,
+        request=request,
+        datasette=datasette,
+        database=database,
+        table=table,
+    )
+
+.. autofunction:: datasette.utils.call_with_supported_arguments
+
+.. _internals_utils_async_call_with_supported_arguments:
+
+await async_call_with_supported_arguments(fn, \*\*kwargs)
+---------------------------------------------------------
+
+Async version of :ref:`call_with_supported_arguments <internals_utils_call_with_supported_arguments>`. Use this for ``async def`` callback functions.
+
+.. autofunction:: datasette.utils.async_call_with_supported_arguments
+
 .. _internals_tracer:
 
+JSON encoding
+-------------
+
+.. _internals_utils_CustomJSONEncoder:
+
+.. autoclass:: datasette.utils.CustomJSONEncoder
+
 datasette.tracer
 ================
 
diff --git a/docs/introspection.rst b/docs/introspection.rst
index 19c6bffb..4834f441 100644
--- a/docs/introspection.rst
+++ b/docs/introspection.rst
@@ -144,46 +144,71 @@ Shows currently attached databases. `Databases example <https://latest.datasette
         }
     ]
 
-.. _TablesView:
+.. _JumpView:
 
-/-/tables
----------
+/-/jump
+-------
 
-Returns a JSON list of all tables that the current actor has permission to view. This endpoint uses the resource-based permission system and respects database and table-level access controls.
+Returns a JSON list of items that the current actor has permission to view for Datasette's jump menu. By default this includes visible databases, tables, views and stored queries, and plugins can contribute additional items.
 
-The endpoint supports a ``?q=`` query parameter for filtering tables by name using case-insensitive regex matching.
+Each item includes a ``type`` string used as a category label in the menu. Items can also include an optional ``description`` with longer text describing that individual result.
 
-`Tables example <https://latest.datasette.io/-/tables>`_:
+The endpoint supports a ``?q=`` query parameter for filtering items by name.
+
+`Jump example <https://latest.datasette.io/-/jump>`_:
 
 .. code-block:: json
 
     {
         "matches": [
             {
-                "name": "fixtures/facetable",
-                "url": "/fixtures/facetable"
+                "name": "fixtures",
+                "url": "/fixtures",
+                "type": "database",
+                "description": null
             },
             {
-                "name": "fixtures/searchable",
-                "url": "/fixtures/searchable"
+                "name": "fixtures: facetable",
+                "url": "/fixtures/facetable",
+                "type": "table",
+                "description": null
+            },
+            {
+                "name": "fixtures: recent_releases",
+                "url": "/fixtures/recent_releases",
+                "type": "query",
+                "description": null
             }
-        ]
+        ],
+        "truncated": false
     }
 
-Search example with ``?q=facet`` returns only tables matching ``.*facet.*``:
+Search example with ``?q=facet`` returns only items matching ``.*facet.*``:
 
 .. code-block:: json
 
     {
         "matches": [
             {
-                "name": "fixtures/facetable",
-                "url": "/fixtures/facetable"
+                "name": "fixtures: facetable",
+                "url": "/fixtures/facetable",
+                "type": "table",
+                "description": null
             }
-        ]
+        ],
+        "truncated": false
     }
 
-When multiple search terms are provided (e.g., ``?q=user+profile``), tables must match the pattern ``.*user.*profile.*``. Results are ordered by shortest table name first.
+When multiple search terms are provided (e.g., ``?q=user+profile``), items must match the pattern ``.*user.*profile.*``. Results are ordered by relevance, then by item type and shortest display name.
+
+.. _AutocompleteDebugView:
+
+/-/debug/autocomplete
+---------------------
+
+The debug tool at ``/-/debug/autocomplete`` can be used to try out the autocomplete component against a specific table. Pass ``?database=db&table=table`` to display an autocomplete field backed by that table's ``/-/autocomplete`` endpoint.
+
+Without those query string arguments, the page lists up to five tables with detected label columns, scanning at most 100 tables.
 
 .. _JsonDataView_threads:
 
diff --git a/docs/javascript_plugins.rst b/docs/javascript_plugins.rst
index e7ee6817..c4283cac 100644
--- a/docs/javascript_plugins.rst
+++ b/docs/javascript_plugins.rst
@@ -46,6 +46,9 @@ The ``datasetteManager`` object
 ``registerPlugin(name, implementation)``
     Call this to register a plugin, passing its name and implementation
 
+``makeColumnField(context)``
+    Calls the ``makeColumnField()`` hook on registered plugins, returning the first custom insert/edit field control that matches the provided field context. This is used internally by Datasette's row insert and edit dialogs.
+
 ``selectors`` - object
     An object providing named aliases to useful CSS selectors, :ref:`listed below <javascript_datasette_manager_selectors>`
 
@@ -58,6 +61,52 @@ JavaScript plugins are blocks of code that can be registered with Datasette usin
 
 The ``implementation`` object passed to this method should include a ``version`` key defining the plugin version, and one or more of the following named functions providing the implementation of the plugin:
 
+.. _javascript_plugins_makeJumpSections:
+
+makeJumpSections(context)
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This method should return a JavaScript array of objects defining additional sections to be added to the blank state of the ``/`` jump menu, before the user starts typing a search.
+
+It should return an array of objects, each with the following:
+
+``id`` - string
+    A unique string ID for the section, for example ``agent-chat``
+``render(node, context)`` - function
+    A function that will be called with a DOM node to render the section into
+
+Datasette passes a ``context`` object to both ``makeJumpSections(context)`` and ``render(node, context)``. It has the following keys:
+
+``navigationSearch``
+    The ``<navigation-search>`` custom element instance.
+``container`` - only for ``render()``
+    The ``.results-container`` element used by the jump menu.
+``input`` - only for ``render()``
+    The ``.search-input`` element used by the jump menu.
+
+This example shows how a plugin might add a button for starting a new chat:
+
+.. code-block:: javascript
+
+    document.addEventListener('datasette_init', function(ev) {
+      ev.detail.registerPlugin('agent-plugin', {
+        version: 0.1,
+        makeJumpSections: (context) => {
+          return [
+            {
+              id: 'agent-chat',
+              render: (node, context) => {
+                node.innerHTML = '<button type="button">Start a new chat</button>';
+                node.querySelector('button').addEventListener('click', () => {
+                  location.href = '/-/agent/new';
+                });
+              }
+            }
+          ];
+        }
+      });
+    });
+
 .. _javascript_plugins_makeAboveTablePanelConfigs:
 
 makeAboveTablePanelConfigs()
@@ -146,6 +195,285 @@ This example plugin adds two menu items - one to copy the column name to the cli
       });
     });
 
+.. _javascript_plugins_makeColumnField:
+
+makeColumnField(context)
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+This method, if present, can provide a custom form field for a column in Datasette's row insert and edit dialogs.
+
+It is designed for plugins that :ref:`register custom column types <plugin_register_column_types>` using the Python ``register_column_types()`` plugin hook. For example, a plugin that defines a ``file`` column type can use ``makeColumnField()`` to replace a plain text input with a file picker, and a plugin that defines a rich text column type can use it to enhance the field with an editor.
+
+Datasette calls ``makeColumnField(context)`` on each registered JavaScript plugin when it renders an editable insert/edit field. Plugins should inspect the ``context`` object and only return a control object if they can handle that field. Otherwise, use a bare ``return;``.
+
+The first plugin to return a truthy control object is used for that field. Plugins are called in registration order. If a plugin raises an exception, Datasette logs the error to the browser console and continues to the next plugin.
+
+The row dialog tracks the value that will be sent to the insert/update API. The ``context`` object describes the column and form environment; custom controls should read and write field values using the ``field`` helper object passed to ``render(field)``.
+
+Context object
+^^^^^^^^^^^^^^
+
+``makeColumnField(context)`` is called with a context object describing the field. The current context object has these keys:
+
+``mode`` - string
+    ``"insert"`` or ``"edit"``.
+
+``database`` - string or null
+    The database name.
+
+``table`` - string or null
+    The table name.
+
+``tableUrl`` - string or null
+    The path to the table page, including any configured :ref:`base URL prefix <setting_base_url>`.
+
+``column`` - string
+    The column name.
+
+``columnType`` - object or null
+    The configured Datasette column type for this column, if one exists. This is ``null`` if no column type has been configured.
+
+    If present, this object has exactly these keys:
+
+    ``type`` - string
+        The :ref:`registered column type name <plugin_register_column_types>`, matching the ``name`` attribute of the Python ``ColumnType`` subclass.
+
+    ``config`` - object
+        Configuration for this specific column type assignment. This is ``{}`` if no configuration has been set.
+
+``sqliteType`` - string or null
+    The SQLite affinity for this column, if known. This is one of ``"TEXT"``, ``"INTEGER"``, ``"REAL"``, ``"BLOB"``, ``"NUMERIC"`` or ``null`` if Datasette could not determine the affinity.
+
+``notNull`` - boolean
+    True if the column is defined as ``NOT NULL``.
+
+``isPk`` - boolean
+    True if this column is part of the table's primary key.
+
+``defaultExpression`` - string or null
+    The SQLite default expression for the column, if available. This is ``null`` if the column has no SQLite default. For example, a column defined with ``DEFAULT (datetime('now'))`` will have ``"datetime('now')"`` here. This is the expression from the table schema, not the actual value SQLite will insert.
+
+``form`` - ``HTMLFormElement`` or null
+    The row insert/edit form element.
+
+``dialog`` - ``HTMLDialogElement`` or null
+    The modal dialog element.
+
+Returned control object
+^^^^^^^^^^^^^^^^^^^^^^^
+
+A plugin that wants to handle a field should return an object. Datasette currently recognizes these properties:
+
+``useTextarea`` - boolean, optional
+    If true, Datasette creates a ``<textarea>`` as the underlying ``field.input`` before calling ``render()``. If omitted, Datasette chooses either an ``<input>`` or ``<textarea>`` based on the column type and current value.
+
+``render(field)`` - function
+    Called once to render the custom field UI. ``field`` is a helper object described below.
+
+    The recommended pattern is to return a DOM node from ``render()``. Datasette appends that node to ``field.root``, a ``<div>`` inside the control area for that field in the row insert/edit dialog. A plugin can alternatively manipulate ``field.root`` directly and return nothing.
+
+``focus(field)`` - function, optional
+    Called when Datasette wants to focus this field, for example when focusing the first editable field in the dialog. Use this to focus the most useful interactive element inside the custom UI.
+
+``destroy(field)`` - function, optional
+    Called when Datasette tears down the insert/edit form. Use this to remove event listeners, close nested pickers, revoke object URLs, clear timers, or release other resources.
+
+The field helper object
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``field`` object passed to ``render(field)``, ``focus(field)`` and ``destroy(field)`` provides stable IDs, DOM elements and value helpers for integrating with the row insert/edit dialog:
+
+``context`` - object
+    The original context object passed to ``makeColumnField()``.
+
+``id`` - string
+    The ID Datasette assigned to ``field.input``, the backing ``<input>`` or ``<textarea>`` element.
+
+``labelId`` - string
+    The ID of the visible field label.
+
+``descriptionId`` - string
+    The ID of the field metadata/help text. This metadata can include details such as ``Primary key``, ``Required``, ``Current value: NULL`` or ``Custom type: file``.
+
+``root`` - ``HTMLElement``
+    The empty ``<div>`` container created by Datasette for this custom field. It is inside the control area for the field in the row insert/edit dialog, next to the field label and above the field metadata. Datasette appends the DOM node returned by ``render(field)`` to this element. Plugins can alternatively manipulate this element directly and return nothing from ``render(field)``.
+
+``input`` - ``HTMLInputElement`` or ``HTMLTextAreaElement``
+    The core-owned backing form control. Plugins can keep this visible, wrap it or hide it, but should use the value helper methods below rather than mutating ``input.value`` directly.
+
+``control``
+    An alias for ``input``.
+
+``meta`` - ``HTMLElement`` or null
+    The field metadata/help text element.
+
+``form`` - ``HTMLFormElement`` or null
+    The containing row insert/edit form.
+
+``dialog`` - ``HTMLDialogElement`` or null
+    The containing modal dialog.
+
+``getValue()`` - function
+    Returns the current value for this field.
+
+    Datasette uses string values by default. Insert fields for ``"INTEGER"`` and ``"REAL"`` SQLite columns return numbers, or ``null`` if left blank. Plugins can use strings, numbers, booleans or ``null``. If a plugin is editing structured data stored in a SQLite ``TEXT`` column, such as JSON, it should serialize that data to a string before calling ``setValue()``.
+
+``setValue(value)`` - function
+    Sets the current value for this field. ``value`` should be a string, number, boolean or ``null``.
+
+    Calling ``setValue()`` also stops using the SQLite default for the field, if it was previously selected.
+
+``getInitialValue()`` - function
+    Returns the submitted-value representation the field had when the form was rendered. For edit forms this is the raw row value from the database. For insert forms this is the blank starting value.
+
+``hasChanged()`` - function
+    Returns true if the field has changed since Datasette last considered it unmodified. By default that means the field state when the insert/edit form was rendered.
+
+``clearValue()`` - function
+    Sets the value to ``null``.
+
+``markClean()`` - function
+    Tells Datasette to treat the field's current state as unmodified. After calling this method, ``hasChanged()`` returns false until the field value changes again or its SQLite-default state changes.
+
+    This is useful when a plugin rewrites the starting value into an equivalent representation while initializing its editor. For example, a rich text editor might normalize empty HTML or reserialize its initial document before the user has made any edits.
+
+``isUsingSqliteDefault()`` - function
+    Returns true if the insert dialog is currently set to omit this column and use the SQLite default.
+
+``setValidity(message)`` - function
+    Sets a custom validation message for this field, marks the backing input with ``aria-invalid="true"`` and shows the message in the field metadata area. Pass an empty string to clear the error.
+
+``clearValidity()`` - function
+    Clears any custom validation message previously set by ``setValidity()``.
+
+Submitted value contract
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``field.setValue()`` method accepts the following value types:
+
+* string
+* number
+* boolean
+* ``null``
+
+These values are used as column values in requests to the :ref:`insert rows <TableInsertView>` and :ref:`update row <RowUpdateView>` JSON APIs.
+
+Plugins should not pass objects or arrays to ``field.setValue()``. If a column stores structured data in SQLite, such as JSON in a ``TEXT`` column, the plugin should serialize that data first and submit the serialized string. Client-side parsing can still be useful for validation or editor state, but the submitted value should match the SQLite value Datasette should write.
+
+Value helpers
+^^^^^^^^^^^^^
+
+Custom fields should use ``field.getValue()`` and ``field.setValue(value)`` for value handling:
+
+.. code-block:: javascript
+
+    const currentValue = field.getValue();
+    field.setValue("new value");
+    field.setValue(null);
+
+Plugins can keep the core input visible, wrap it in a custom element, or hide it and provide a richer interface. If the input is hidden, the custom UI must still expose an accessible name, state and keyboard interaction.
+
+``field.setValue()`` updates both ``field.input`` and the value used in the insert/update request.
+
+For example, a file picker that stores a selected file ID can hide the backing input and call ``field.setValue()`` when the selection changes:
+
+.. code-block:: javascript
+
+    field.input.type = "hidden";
+    field.setValue(fileId);
+
+For insert forms with a SQLite default, ``field.isUsingSqliteDefault()`` indicates whether Datasette will omit that column from the insert payload. Calling ``field.setValue(value)`` automatically stops using the SQLite default.
+
+Lazy loading large controls
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The JavaScript file that registers ``makeColumnField()`` should be small. If the actual control is large, load it from inside ``render()`` using dynamic ``import()``. That way the heavier code is only downloaded after a user opens an insert/edit dialog containing a matching column type.
+
+.. code-block:: javascript
+
+    const editorUrl = new URL("./editor.js", import.meta.url).href;
+
+    document.addEventListener("datasette_init", function (event) {
+      event.detail.registerPlugin("my-editor", {
+        version: "0.1",
+
+        makeColumnField(context) {
+          if (!context.columnType || context.columnType.type !== "my-editor") {
+            return;
+          }
+          return {
+            useTextarea: true,
+            render(field) {
+              import(editorUrl).then(function () {
+                // Enhance field.input here.
+              });
+              return field.input;
+            }
+          };
+        }
+      });
+    });
+
+Example: textarea-backed custom element
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This example handles a ``markdown-editor`` column type by asking Datasette for a textarea and wrapping that textarea in a custom ``<my-markdown-editor>`` Web Component element:
+
+.. code-block:: javascript
+
+    document.addEventListener("datasette_init", function (event) {
+      event.detail.registerPlugin("markdown-editor", {
+        version: "0.1",
+
+        makeColumnField(context) {
+          if (!context.columnType || context.columnType.type !== "markdown-editor") {
+            return;
+          }
+
+          return {
+            useTextarea: true,
+
+            render(field) {
+              const editor = document.createElement("my-markdown-editor");
+              editor.appendChild(field.input);
+
+              if (field.labelId) {
+                field.input.setAttribute("aria-labelledby", field.labelId);
+              }
+              if (field.descriptionId) {
+                field.input.setAttribute("aria-describedby", field.descriptionId);
+              }
+
+              return editor;
+            },
+
+            focus(field) {
+              const editor = field.root.querySelector("my-markdown-editor");
+              if (editor && editor.focus) {
+                editor.focus();
+              } else {
+                field.input.focus();
+              }
+            }
+          };
+        }
+      });
+    });
+
+Accessibility
+^^^^^^^^^^^^^
+
+Custom fields are responsible for preserving the accessibility of the form:
+
+- The visible field label should name the control. Use ``field.labelId`` with ``aria-labelledby`` when wrapping or replacing the visible input.
+- Field metadata should remain available to assistive technology. Use ``field.descriptionId`` with ``aria-describedby``.
+- Keyboard users must be able to operate every part of the custom field.
+- If the field opens an inline picker or other nested UI, ``Escape`` should close that nested UI first and return focus to a sensible element.
+- If a control performs asynchronous loading, expose loading and error states in the UI. Use appropriate ARIA live regions where the state change is important to understand the field.
+- If a plugin hides ``field.input``, the replacement UI must still make the current value and available actions clear.
+
+Plugins should not submit the row themselves from inside ``makeColumnField()`` controls. Datasette owns the insert/edit dialog lifecycle, form submission, API call, error handling and row refresh.
+
 .. _javascript_datasette_manager_selectors:
 
 Selectors
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 91a2bb15..eca22fdc 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -44,12 +44,31 @@ looks like this:
 
 ``"ok"`` is always ``true`` if an error did not occur.
 
-The ``"rows"`` key is a list of objects, each one representing a row. 
+The ``"rows"`` key is a list of objects, each one representing a row.
 
 The ``"truncated"`` key lets you know if the query was truncated. This can happen if a SQL query returns more than 1,000 results (or the :ref:`setting_max_returned_rows` setting).
 
 For table pages, an additional key ``"next"`` may be present. This indicates that the next page in the pagination set can be retrieved using ``?_next=VALUE``.
 
+.. _json_api_custom_sql:
+
+Executing custom SQL
+--------------------
+
+Actors with the :ref:`actions_execute_sql` permission can execute read-only SQL against a database using ``/-/query.json``:
+
+::
+
+    GET /<database>/-/query.json?sql=select+*+from+dogs
+
+Values for named SQL parameters can be provided as additional query string parameters:
+
+::
+
+    GET /<database>/-/query.json?sql=select+*+from+dogs+where+name=:name&name=Cleo
+
+The response uses the same default representation described above.
+
 .. _json_api_shapes:
 
 Different shapes
@@ -216,6 +235,1014 @@ query string arguments:
 
     Only available if the :ref:`setting_trace_debug` setting is enabled.
 
+.. _json_api_extra:
+
+Expanding JSON responses
+------------------------
+
+Table, row and query JSON responses can be expanded with one or more ``?_extra=`` parameters.
+These can be repeated or comma-separated:
+
+::
+
+    ?_extra=columns&_extra=count,next_url
+
+.. [[[cog
+    from json_api_doc import table_extras
+    table_extras(cog)
+.. ]]]
+
+Table JSON responses
+~~~~~~~~~~~~~~~~~~~~
+
+The available table extras are listed below.
+
+``count``
+    Total count of rows matching these filters (May execute additional queries.)
+
+    ``GET /fixtures/facetable.json?_extra=count``
+
+    .. code-block:: json
+
+        15
+
+``count_sql``
+    SQL query string used to calculate the total count for the current table view, including active filters.
+
+    ``GET /fixtures/facetable.json?_size=0&_extra=count_sql``
+
+    .. code-block:: json
+
+        "select count(*) from facetable "
+
+``facet_results``
+    Results of facets calculated against this data. A dictionary with ``results`` and ``timed_out`` keys: ``results`` maps facet names to facet dictionaries with ``name``, ``type``, ``results`` and URL keys, and each facet result item includes ``value``, ``label``, ``count`` and ``toggle_url``. (May execute additional queries. See :ref:`facets` for details of how facets work.)
+
+    Shape abbreviated from /fixtures/facetable.json?_facet=state&_extra=facet_results.
+
+    .. code-block:: json
+
+        {
+          "results": {
+            "state": {
+              "name": "state",
+              "type": "column",
+              "results": [
+                {
+                  "value": "CA",
+                  "label": "CA",
+                  "count": 10
+                },
+                {
+                  "value": "MI",
+                  "label": "MI",
+                  "count": 4
+                }
+              ]
+            }
+          },
+          "timed_out": []
+        }
+
+``facets_timed_out``
+    List of names of facet calculations that exceeded the facet time limit.
+
+    ``GET /fixtures/facetable.json?_facet=state&_extra=facets_timed_out``
+
+    A list of the names of any facets that exceeded the :ref:`setting_facet_time_limit_ms` time limit - an empty list if every facet calculation completed.
+
+    .. code-block:: json
+
+        []
+
+``suggested_facets``
+    Suggestions for facets that might return interesting results. Each item is a dictionary with ``name`` and ``toggle_url`` keys, and may include extra keys such as ``type`` or ``label`` depending on the facet class. (May execute additional queries. Suggestions are controlled by the :ref:`setting_suggest_facets` setting.)
+
+    Shape abbreviated from /fixtures/facetable.json?_extra=suggested_facets.
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "state",
+            "toggle_url": "http://localhost/fixtures/facetable.json?_extra=suggested_facets&_facet=state"
+          }
+        ]
+
+``human_description_en``
+    Human-readable description of the filters
+
+    ``GET /fixtures/facetable.json?state=CA&_sort=pk&_extra=human_description_en``
+
+    .. code-block:: json
+
+        "where state = \"CA\" sorted by pk"
+
+``next_url``
+    Full URL for the next page of results
+
+    ``GET /fixtures/facetable.json?_size=1&_extra=next_url``
+
+    ``null`` if there are no more pages of results. See :ref:`json_api_pagination`.
+
+    .. code-block:: json
+
+        "http://localhost/fixtures/facetable.json?_size=1&_extra=next_url&_next=1"
+
+``columns``
+    List of column names returned by this table, row or query.
+
+    ``GET /fixtures/facetable.json?_extra=columns``
+
+    .. code-block:: json
+
+        [
+          "pk",
+          "created",
+          "planet_int",
+          "on_earth",
+          "state",
+          "_city_id",
+          "_neighborhood",
+          "tags",
+          "complex_array",
+          "distinct_some_null",
+          "n"
+        ]
+
+``all_columns``
+    List of all column names in the table, regardless of ``_col=`` or ``_nocol=`` filtering.
+
+    ``GET /fixtures/facetable.json?_col=pk&_extra=all_columns``
+
+    .. code-block:: json
+
+        [
+          "pk",
+          "created",
+          "planet_int",
+          "on_earth",
+          "state",
+          "_city_id",
+          "_neighborhood",
+          "tags",
+          "complex_array",
+          "distinct_some_null",
+          "n"
+        ]
+
+``primary_keys``
+    List of primary key column names for this table, or an empty list if the table has no explicit primary key.
+
+    ``GET /fixtures/facetable.json?_extra=primary_keys``
+
+    .. code-block:: json
+
+        [
+          "pk"
+        ]
+
+``display_columns``
+    Column metadata used by the HTML table display. Each item includes ``name``, ``sortable``, ``is_pk``, ``type``, ``notnull``, ``description``, ``column_type`` and ``column_type_config`` keys.
+
+    Shape abbreviated from /fixtures/facetable.json?_size=1&_extra=display_columns.
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "pk",
+            "sortable": true,
+            "is_pk": true,
+            "type": "INTEGER",
+            "notnull": 0
+          },
+          {
+            "name": "created",
+            "sortable": true,
+            "is_pk": false,
+            "type": "TEXT",
+            "notnull": 0,
+            "description": null,
+            "column_type": null,
+            "column_type_config": null
+          }
+        ]
+
+``render_cell``
+    Rendered HTML for each cell using the render_cell plugin hook (See the :ref:`render_cell() plugin hook <plugin_hook_render_cell>` documentation.)
+
+    The ``render_cell`` array has one item per row, in the same order as the ``rows`` array. Each object is keyed by column name. Only columns whose rendered value differs from the default are included.
+
+    .. code-block:: json
+
+        {
+          "rows": [
+            {
+              "id": 1,
+              "content": "hello"
+            },
+            {
+              "id": 4,
+              "content": "RENDER_CELL_DEMO"
+            }
+          ],
+          "render_cell": [
+            {},
+            {
+              "content": "<strong>Custom rendered HTML</strong>"
+            }
+          ]
+        }
+
+``debug``
+    Extra debug information dictionary. This is intended for development only and its shape is not part of the stable template contract. (The contents of this block are not a stable part of the Datasette API and may change without warning.)
+
+    ``GET /fixtures/facetable.json?_extra=debug``
+
+    .. code-block:: json
+
+        {
+          "url_vars": {
+            "database": "fixtures",
+            "table": "facetable",
+            "format": "json"
+          },
+          "resolved": "ResolvedTable(db=<Database: fixtures (mutable, size=249856)>, table='facetable', is_view=False)",
+          "nofacet": null,
+          "nosuggest": null
+        }
+
+``request``
+    Dictionary with request details: ``url``, ``path``, ``full_path``, ``host`` and ``args`` where ``args`` maps query string parameter names to their values.
+
+    ``GET /fixtures/facetable.json?_extra=request``
+
+    .. code-block:: json
+
+        {
+          "url": "http://localhost/fixtures/facetable.json?_extra=request",
+          "path": "/fixtures/facetable.json",
+          "full_path": "/fixtures/facetable.json?_extra=request",
+          "host": "localhost",
+          "args": {
+            "_extra": [
+              "request"
+            ]
+          }
+        }
+
+``query``
+    Details of the underlying SQL query as a dictionary with ``sql`` and ``params`` keys.
+
+    ``GET /fixtures/facetable.json?_size=1&_extra=query``
+
+    .. code-block:: json
+
+        {
+          "sql": "select pk, created, planet_int, on_earth, state, _city_id, _neighborhood, tags, complex_array, distinct_some_null, n from facetable order by pk limit 2",
+          "params": {}
+        }
+
+``column_types``
+    Column type assignments for this table. A dictionary mapping column names to ``{"type": type_name, "config": config}`` dictionaries. (An empty object if no column types have been assigned. Column types can be assigned in :ref:`configuration <table_configuration_column_types>` or using the :ref:`set column type API <TableSetColumnTypeView>`.)
+
+    ``GET /fixtures/facetable.json?_size=0&_extra=column_types``
+
+    This example is from an instance where the ``tags`` column has been assigned the ``json`` column type.
+
+    .. code-block:: json
+
+        {
+          "tags": {
+            "type": "json",
+            "config": null
+          }
+        }
+
+``set_column_type_ui``
+    Information needed to build an interface for assigning column types, or ``None`` if unavailable. When present it has ``path`` and ``columns`` keys; ``columns`` maps column names to ``current`` and ``options`` values. (``null`` unless the current actor is allowed to use the :ref:`set column type API <TableSetColumnTypeView>` for this table.)
+
+    Shape abbreviated to two columns, as seen by an actor with ``set-column-type`` permission. ``current`` is the column type currently assigned to each column and ``options`` lists the types that could be assigned to it.
+
+    .. code-block:: json
+
+        {
+          "path": "/fixtures/facetable/-/set-column-type",
+          "columns": {
+            "created": {
+              "current": null,
+              "options": [
+                {
+                  "name": "email",
+                  "description": "Email address"
+                },
+                {
+                  "name": "json",
+                  "description": "JSON data"
+                },
+                {
+                  "name": "url",
+                  "description": "URL"
+                }
+              ]
+            },
+            "tags": {
+              "current": {
+                "type": "json",
+                "config": null
+              },
+              "options": [
+                {
+                  "name": "email",
+                  "description": "Email address"
+                },
+                {
+                  "name": "json",
+                  "description": "JSON data"
+                },
+                {
+                  "name": "url",
+                  "description": "URL"
+                }
+              ]
+            }
+          }
+        }
+
+``metadata``
+    Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration. (See :ref:`metadata` for how to attach metadata to tables.)
+
+    ``GET /fixtures/facetable.json?_extra=metadata``
+
+    This example is from an instance where the ``facetable`` table has a metadata ``description`` and a :ref:`column description <metadata_column_descriptions>` for its ``state`` column. The ``columns`` object is empty for tables with no column descriptions.
+
+    .. code-block:: json
+
+        {
+          "description": "A demo table of places, used to demonstrate facets",
+          "columns": {
+            "state": "Two letter US state code"
+          }
+        }
+
+``extras``
+    List of ``?_extra=`` blocks that can be used on this page. Each item has ``name``, ``description``, ``toggle_url`` and ``selected`` keys.
+
+    Shape abbreviated from /fixtures/facetable.json?_extra=extras - the full response lists every extra described on this page. ``toggle_url`` is the current URL with that extra added or removed, and ``selected`` is ``true`` for extras included in the current request.
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "count",
+            "description": "Total count of rows matching these filters",
+            "toggle_url": "http://localhost/fixtures/facetable.json?_extra=extras&_extra=count",
+            "selected": false
+          },
+          {
+            "name": "extras",
+            "description": "List of ?_extra= blocks that can be used on this page",
+            "toggle_url": "http://localhost/fixtures/facetable.json",
+            "selected": true
+          }
+        ]
+
+``database``
+    Database name
+
+    ``GET /fixtures/facetable.json?_extra=database``
+
+    .. code-block:: json
+
+        "fixtures"
+
+``table``
+    Table name
+
+    ``GET /fixtures/facetable.json?_extra=table``
+
+    .. code-block:: json
+
+        "facetable"
+
+``database_color``
+    Color assigned to the database (A six character hex color, without the leading ``#``, derived from a hash of the database name and used in the Datasette interface.)
+
+    ``GET /fixtures/facetable.json?_extra=database_color``
+
+    .. code-block:: json
+
+        "9403e5"
+
+``renderers``
+    Dictionary mapping output format names such as ``json`` or plugin-provided renderer names to URLs for this data in that format.
+
+    ``GET /fixtures/facetable.json?_extra=renderers``
+
+    Each key is the name of an output format, each value the URL for this data in that format. Plugins can add additional formats using the :ref:`register_output_renderer() plugin hook <plugin_register_output_renderer>`.
+
+    .. code-block:: json
+
+        {
+          "json": "/fixtures/facetable.json?_extra=renderers&_format=json&_labels=on"
+        }
+
+``custom_table_templates``
+    List of custom template names considered for rendering table rows, in lookup order. (The first template in this list that exists will be used to render the table on the HTML version of this page. See :ref:`customization_custom_templates`.)
+
+    ``GET /fixtures/facetable.json?_extra=custom_table_templates``
+
+    .. code-block:: json
+
+        [
+          "_table-fixtures-facetable.html",
+          "_table-table-fixtures-facetable.html",
+          "_table.html"
+        ]
+
+``sorted_facet_results``
+    Facet result dictionaries sorted for display. Each item has the same shape as an entry from ``facet_results['results']``. (The same data as ``facet_results``, as a list in the order used by the HTML interface: facets from :ref:`facet configuration <facets_metadata>` first, then other facets ordered by their number of results.)
+
+    ``GET /fixtures/facetable.json?_facet=state&_extra=sorted_facet_results``
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "state",
+            "type": "column",
+            "hideable": true,
+            "toggle_url": "/fixtures/facetable.json?_extra=sorted_facet_results",
+            "results": [
+              {
+                "value": "CA",
+                "label": "CA",
+                "count": 10,
+                "toggle_url": "http://localhost/fixtures/facetable.json?_facet=state&_extra=sorted_facet_results&state=CA",
+                "selected": false
+              },
+              {
+                "value": "MI",
+                "label": "MI",
+                "count": 4,
+                "toggle_url": "http://localhost/fixtures/facetable.json?_facet=state&_extra=sorted_facet_results&state=MI",
+                "selected": false
+              },
+              {
+                "value": "MC",
+                "label": "MC",
+                "count": 1,
+                "toggle_url": "http://localhost/fixtures/facetable.json?_facet=state&_extra=sorted_facet_results&state=MC",
+                "selected": false
+              }
+            ],
+            "truncated": false
+          }
+        ]
+
+``table_definition``
+    SQL definition for this table
+
+    ``GET /fixtures/facetable.json?_extra=table_definition``
+
+    .. code-block:: json
+
+        "CREATE TABLE facetable (\n    pk integer primary key,\n    created text,\n    planet_int integer,\n    on_earth integer,\n    state text,\n    _city_id integer,\n    _neighborhood text,\n    tags text,\n    complex_array text,\n    distinct_some_null,\n    n text,\n    FOREIGN KEY (\"_city_id\") REFERENCES [facet_cities](id)\n);"
+
+``view_definition``
+    SQL definition for this view
+
+    ``GET /fixtures/simple_view.json?_extra=view_definition``
+
+    .. code-block:: json
+
+        "CREATE VIEW simple_view AS\n    SELECT content, upper(content) AS upper_content FROM simple_primary_key;"
+
+``is_view``
+    Whether this resource is a view instead of a table
+
+    ``GET /fixtures/simple_view.json?_extra=is_view``
+
+    .. code-block:: json
+
+        true
+
+``private``
+    Whether this resource is private to the current actor (``true`` if the current actor can see this resource but an anonymous user could not. See :ref:`authentication_permissions`.)
+
+    ``GET /fixtures/facetable.json?_extra=private``
+
+    .. code-block:: json
+
+        false
+
+``expandable_columns``
+    List of foreign key columns that can be expanded with labels. Each item is a ``(foreign_key, label_column)`` pair where ``foreign_key`` is the SQLite foreign key dictionary and ``label_column`` is the label column in the referenced table, or ``None``. (See :ref:`expand_foreign_keys` for how to expand these labels.)
+
+    ``GET /fixtures/facetable.json?_extra=expandable_columns``
+
+    Each item is a ``[foreign_key, label_column]`` pair: the foreign key relationship, then the column in the other table that would be used as the label for each expanded value.
+
+    .. code-block:: json
+
+        [
+          [
+            {
+              "column": "_city_id",
+              "other_table": "facet_cities",
+              "other_column": "id"
+            },
+            "name"
+          ]
+        ]
+
+``form_hidden_args``
+    List of ``(name, value)`` pairs for hidden form fields used by the HTML table interface to preserve current query string options.
+
+    ``GET /fixtures/facetable.json?_facet=state&_size=1&_extra=form_hidden_args``
+
+    .. code-block:: json
+
+        [
+          [
+            "_facet",
+            "state"
+          ],
+          [
+            "_size",
+            "1"
+          ],
+          [
+            "_extra",
+            "form_hidden_args"
+          ]
+        ]
+
+Row JSON responses
+~~~~~~~~~~~~~~~~~~
+
+The following extras are available for row JSON responses.
+
+``columns``
+    List of column names returned by this table, row or query.
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=columns``
+
+    .. code-block:: json
+
+        [
+          "id",
+          "content"
+        ]
+
+``primary_keys``
+    List of primary key column names for this table, or an empty list if the table has no explicit primary key.
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=primary_keys``
+
+    .. code-block:: json
+
+        [
+          "id"
+        ]
+
+``render_cell``
+    Rendered HTML for each cell using the render_cell plugin hook (See the :ref:`render_cell() plugin hook <plugin_hook_render_cell>` documentation.)
+
+    The ``render_cell`` array has one item for the requested row. The object is keyed by column name. Only columns whose rendered value differs from the default are included.
+
+    .. code-block:: json
+
+        {
+          "rows": [
+            {
+              "id": 4,
+              "content": "RENDER_CELL_DEMO"
+            }
+          ],
+          "render_cell": [
+            {
+              "content": "<strong>Custom rendered HTML</strong>"
+            }
+          ]
+        }
+
+``debug``
+    Extra debug information dictionary. This is intended for development only and its shape is not part of the stable template contract. (The contents of this block are not a stable part of the Datasette API and may change without warning.)
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=debug``
+
+    .. code-block:: json
+
+        {
+          "url_vars": {
+            "database": "fixtures",
+            "table": "simple_primary_key",
+            "pks": "1",
+            "format": "json"
+          },
+          "resolved": {
+            "table": "simple_primary_key",
+            "sql": "select * from simple_primary_key where \"id\"=:p0",
+            "params": {
+              "p0": "1"
+            },
+            "pks": [
+              "id"
+            ],
+            "pk_values": [
+              "1"
+            ]
+          }
+        }
+
+``request``
+    Dictionary with request details: ``url``, ``path``, ``full_path``, ``host`` and ``args`` where ``args`` maps query string parameter names to their values.
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=request``
+
+    .. code-block:: json
+
+        {
+          "url": "http://localhost/fixtures/simple_primary_key/1.json?_extra=request",
+          "path": "/fixtures/simple_primary_key/1.json",
+          "full_path": "/fixtures/simple_primary_key/1.json?_extra=request",
+          "host": "localhost",
+          "args": {
+            "_extra": [
+              "request"
+            ]
+          }
+        }
+
+``query``
+    Details of the underlying SQL query as a dictionary with ``sql`` and ``params`` keys.
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=query``
+
+    .. code-block:: json
+
+        {
+          "sql": "select * from simple_primary_key where \"id\"=:p0",
+          "params": {
+            "p0": "1"
+          }
+        }
+
+``column_types``
+    Column type assignments for this table. A dictionary mapping column names to ``{"type": type_name, "config": config}`` dictionaries. (An empty object if no column types have been assigned. Column types can be assigned in :ref:`configuration <table_configuration_column_types>` or using the :ref:`set column type API <TableSetColumnTypeView>`.)
+
+    ``GET /fixtures/facetable/1.json?_extra=column_types``
+
+    This example is from an instance where the ``tags`` column has been assigned the ``json`` column type.
+
+    .. code-block:: json
+
+        {
+          "tags": {
+            "type": "json",
+            "config": null
+          }
+        }
+
+``metadata``
+    Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration. (See :ref:`metadata` for how to attach metadata to tables.)
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=metadata``
+
+    This table has no metadata, so only an empty ``columns`` object is returned.
+
+    .. code-block:: json
+
+        {
+          "columns": {}
+        }
+
+``extras``
+    List of ``?_extra=`` blocks that can be used on this page. Each item has ``name``, ``description``, ``toggle_url`` and ``selected`` keys.
+
+    Shape abbreviated from /fixtures/facetable.json?_extra=extras - the full response lists every extra described on this page. ``toggle_url`` is the current URL with that extra added or removed, and ``selected`` is ``true`` for extras included in the current request.
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "count",
+            "description": "Total count of rows matching these filters",
+            "toggle_url": "http://localhost/fixtures/facetable.json?_extra=extras&_extra=count",
+            "selected": false
+          },
+          {
+            "name": "extras",
+            "description": "List of ?_extra= blocks that can be used on this page",
+            "toggle_url": "http://localhost/fixtures/facetable.json",
+            "selected": true
+          }
+        ]
+
+``database``
+    Database name
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=database``
+
+    .. code-block:: json
+
+        "fixtures"
+
+``table``
+    Table name
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=table``
+
+    .. code-block:: json
+
+        "simple_primary_key"
+
+``database_color``
+    Color assigned to the database (A six character hex color, without the leading ``#``, derived from a hash of the database name and used in the Datasette interface.)
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=database_color``
+
+    .. code-block:: json
+
+        "9403e5"
+
+``private``
+    Whether this resource is private to the current actor (``true`` if the current actor can see this resource but an anonymous user could not. See :ref:`authentication_permissions`.)
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=private``
+
+    .. code-block:: json
+
+        false
+
+``foreign_key_tables``
+    List of tables that link to this row using foreign keys. Each item includes the foreign key fields plus ``count`` for matching rows and ``link`` for the filtered table URL. (May execute additional queries.)
+
+    ``GET /fixtures/simple_primary_key/1.json?_extra=foreign_key_tables``
+
+    ``count`` is the number of rows in the other table that reference this row, and ``link`` is a URL to browse those rows.
+
+    .. code-block:: json
+
+        [
+          {
+            "other_table": "complex_foreign_keys",
+            "column": "id",
+            "other_column": "f1",
+            "count": 1,
+            "link": "/fixtures/complex_foreign_keys?f1=1"
+          },
+          {
+            "other_table": "complex_foreign_keys",
+            "column": "id",
+            "other_column": "f2",
+            "count": 0,
+            "link": "/fixtures/complex_foreign_keys?f2=1"
+          },
+          {
+            "other_table": "complex_foreign_keys",
+            "column": "id",
+            "other_column": "f3",
+            "count": 1,
+            "link": "/fixtures/complex_foreign_keys?f3=1"
+          },
+          {
+            "other_table": "foreign_key_references",
+            "column": "id",
+            "other_column": "foreign_key_with_blank_label",
+            "count": 0,
+            "link": "/fixtures/foreign_key_references?foreign_key_with_blank_label=1"
+          },
+          {
+            "other_table": "foreign_key_references",
+            "column": "id",
+            "other_column": "foreign_key_with_label",
+            "count": 1,
+            "link": "/fixtures/foreign_key_references?foreign_key_with_label=1"
+          }
+        ]
+
+Query JSON responses
+~~~~~~~~~~~~~~~~~~~~
+
+The following extras are available for arbitrary SQL query responses and stored, named query responses.
+
+``columns``
+    List of column names returned by this table, row or query.
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=columns``
+
+    .. code-block:: json
+
+        [
+          "one"
+        ]
+
+``render_cell``
+    Rendered HTML for each cell using the render_cell plugin hook (See the :ref:`render_cell() plugin hook <plugin_hook_render_cell>` documentation.)
+
+    The ``render_cell`` array has one item per query result row, in the same order as the ``rows`` array. Each object is keyed by column name. Only columns whose rendered value differs from the default are included.
+
+    .. code-block:: json
+
+        {
+          "rows": [
+            {
+              "content": "RENDER_CELL_DEMO"
+            }
+          ],
+          "render_cell": [
+            {
+              "content": "<strong>Custom rendered HTML</strong>"
+            }
+          ]
+        }
+
+``debug``
+    Extra debug information dictionary. This is intended for development only and its shape is not part of the stable template contract. (The contents of this block are not a stable part of the Datasette API and may change without warning.)
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=debug``
+
+    .. code-block:: json
+
+        {
+          "url_vars": {
+            "database": "fixtures",
+            "format": "json"
+          }
+        }
+
+``request``
+    Dictionary with request details: ``url``, ``path``, ``full_path``, ``host`` and ``args`` where ``args`` maps query string parameter names to their values.
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=request``
+
+    .. code-block:: json
+
+        {
+          "url": "http://localhost/fixtures/-/query.json?sql=select+1+as+one&_extra=request",
+          "path": "/fixtures/-/query.json",
+          "full_path": "/fixtures/-/query.json?sql=select+1+as+one&_extra=request",
+          "host": "localhost",
+          "args": {
+            "sql": [
+              "select 1 as one"
+            ],
+            "_extra": [
+              "request"
+            ]
+          }
+        }
+
+``query``
+    Details of the underlying SQL query as a dictionary with ``sql`` and ``params`` keys.
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=query``
+
+    .. code-block:: json
+
+        {
+          "sql": "select 1 as one",
+          "params": {}
+        }
+
+    ``GET /fixtures/neighborhood_search.json?text=town&_extra=query``
+
+    .. code-block:: json
+
+        {
+          "sql": "\nselect _neighborhood, facet_cities.name, state\nfrom facetable\n    join facet_cities\n        on facetable._city_id = facet_cities.id\nwhere _neighborhood like '%' || :text || '%'\norder by _neighborhood;\n",
+          "params": {
+            "text": "town"
+          }
+        }
+
+``metadata``
+    Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration. (See :ref:`metadata` for how to attach metadata to tables.)
+
+    ``GET /fixtures/neighborhood_search.json?text=town&_extra=metadata``
+
+    For stored queries this returns the full configuration of the query, including the :ref:`stored query options <queries_options>`. For ``?sql=`` queries it returns an empty object.
+
+    .. code-block:: json
+
+        {
+          "database": "fixtures",
+          "name": "neighborhood_search",
+          "sql": "\nselect _neighborhood, facet_cities.name, state\nfrom facetable\n    join facet_cities\n        on facetable._city_id = facet_cities.id\nwhere _neighborhood like '%' || :text || '%'\norder by _neighborhood;\n",
+          "title": "Search neighborhoods",
+          "description": null,
+          "description_html": null,
+          "hide_sql": false,
+          "fragment": null,
+          "params": [],
+          "parameters": [],
+          "is_write": false,
+          "is_private": false,
+          "is_trusted": true,
+          "owner_id": null,
+          "on_success_message": null,
+          "on_success_message_sql": null,
+          "on_success_redirect": null,
+          "on_error_message": null,
+          "on_error_redirect": null
+        }
+
+``extras``
+    List of ``?_extra=`` blocks that can be used on this page. Each item has ``name``, ``description``, ``toggle_url`` and ``selected`` keys.
+
+    Shape abbreviated from /fixtures/facetable.json?_extra=extras - the full response lists every extra described on this page. ``toggle_url`` is the current URL with that extra added or removed, and ``selected`` is ``true`` for extras included in the current request.
+
+    .. code-block:: json
+
+        [
+          {
+            "name": "count",
+            "description": "Total count of rows matching these filters",
+            "toggle_url": "http://localhost/fixtures/facetable.json?_extra=extras&_extra=count",
+            "selected": false
+          },
+          {
+            "name": "extras",
+            "description": "List of ?_extra= blocks that can be used on this page",
+            "toggle_url": "http://localhost/fixtures/facetable.json",
+            "selected": true
+          }
+        ]
+
+``database``
+    Database name
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=database``
+
+    .. code-block:: json
+
+        "fixtures"
+
+``database_color``
+    Color assigned to the database (A six character hex color, without the leading ``#``, derived from a hash of the database name and used in the Datasette interface.)
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=database_color``
+
+    .. code-block:: json
+
+        "9403e5"
+
+``private``
+    Whether this resource is private to the current actor (``true`` if the current actor can see this resource but an anonymous user could not. See :ref:`authentication_permissions`.)
+
+    ``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=private``
+
+    .. code-block:: json
+
+        false
+
+.. [[[end]]]
+
+.. _TableAutocompleteView:
+
+Table autocomplete
+------------------
+
+The ``/<database>/<table>/-/autocomplete`` endpoint returns up to 10 primary key
+matches for a table, intended for building autocomplete interfaces such as
+foreign key pickers.
+
+::
+
+    GET /<database>/<table>/-/autocomplete?q=search
+
+The ``q`` parameter is required. If it is omitted or blank, the endpoint returns
+an empty ``"rows"`` list.
+
+The response includes a ``"pks"`` object containing the primary key value or
+values for each row. If Datasette can detect a label column, or one has been
+configured using ``label_column``, each row will also include ``"label"``:
+
+.. code-block:: json
+
+    {
+        "rows": [
+            {
+                "pks": {
+                    "id": 1
+                },
+                "label": "Example row"
+            }
+        ]
+    }
+
+The endpoint searches the primary key column or columns and the label column
+using escaped SQL ``LIKE`` queries. A single-column primary key exact match is
+returned first. Other matches are ordered by the shortest matching label value
+where a label column is available.
+
+The initial search runs with a 500ms time limit. If that query times out,
+Datasette falls back to a prefix match against the first primary key column so
+SQLite can use the primary key index.
+
 .. _table_arguments:
 
 Table arguments
@@ -438,7 +1465,7 @@ looks like:
     ]
 
 The column in the foreign key table that is used for the label can be specified
-in ``metadata.json`` - see :ref:`label_columns`.
+in ``datasette.yaml`` - see :ref:`table_configuration_label_column`.
 
 .. _json_api_discover_alternate:
 
@@ -505,6 +1532,110 @@ The JSON write API
 
 Datasette provides a write API for JSON data. This is a POST-only API that requires an authenticated API token, see :ref:`CreateTokenView`. The token will need to have the specified :ref:`authentication_permissions`.
 
+.. _ExecuteWriteView:
+
+Executing write SQL
+~~~~~~~~~~~~~~~~~~~
+
+Actors with the :ref:`actions_execute_write_sql` permission can execute arbitrary writable SQL against a mutable database using ``/-/execute-write``.
+
+::
+
+    POST /<database>/-/execute-write
+    Content-Type: application/json
+    Authorization: Bearer dstok_<rest-of-token>
+
+The request body must include a ``"sql"`` string. Named SQL parameters can be provided using the optional ``"params"`` object:
+
+.. code-block:: json
+
+    {
+        "sql": "insert into dogs (name) values (:name)",
+        "params": {
+            "name": "Cleo"
+        }
+    }
+
+The SQL must be writable. Read-only ``select`` queries should use the regular :ref:`custom SQL query JSON API <json_api_custom_sql>` instead.
+
+Datasette analyzes the SQL before executing it. The actor must have ``execute-write-sql`` permission for the database, and must also have any permissions required by the operations in the SQL. For example, inserts and updates against a table require ``insert-row``, ``update-row`` and ``delete-row`` permissions for that table. Reads performed as part of the write, such as ``insert into dogs select ... from other_table``, require ``view-table`` permission on the source table. Schema changes require ``create-table``, ``alter-table`` or ``drop-table`` permissions as appropriate.
+
+Unsupported SQL operations are rejected by default. ``VACUUM`` is not allowed in arbitrary write SQL, and writes to SQLite virtual tables or shadow tables are rejected. SQL functions are allowed and are not separately restricted by Datasette permissions.
+
+A successful response includes a message, the SQLite ``rowcount``, a ``"rows"``
+list, a ``"truncated"`` flag and a summary of the operations that were executed:
+
+The shape of the ``"analysis"`` block is not yet considered a stable API and may change in future Datasette releases.
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "message": "Query executed, 1 row affected",
+        "rowcount": 1,
+        "rows": [],
+        "truncated": false,
+        "analysis": [
+            {
+                "operation": "insert",
+                "database": "data",
+                "table": "dogs",
+                "required_permission": "insert-row, update-row, delete-row",
+                "source": null
+            }
+        ]
+    }
+
+If SQLite reports ``-1`` for the row count, the message will be ``"Query executed"``.
+
+For most write statements ``"rows"`` will be an empty list and ``"truncated"``
+will be ``false``. If the SQL uses SQLite's ``RETURNING`` clause, ``"rows"``
+will contain returned rows using the same default representation as table and
+query JSON responses. ``"truncated"`` indicates if more rows were returned than
+the execute-write returning row limit, which defaults to 10:
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "message": "Query executed, 1 row affected",
+        "rowcount": 1,
+        "rows": [
+            {
+                "id": 1,
+                "name": "Cleo"
+            }
+        ],
+        "truncated": false,
+        "analysis": [
+            {
+                "operation": "insert",
+                "database": "data",
+                "table": "dogs",
+                "required_permission": "insert-row, update-row, delete-row",
+                "source": null
+            },
+            {
+                "operation": "read",
+                "database": "data",
+                "table": "dogs",
+                "required_permission": "view-table",
+                "source": null
+            }
+        ]
+    }
+
+Errors use the standard Datasette error format:
+
+.. code-block:: json
+
+    {
+        "ok": false,
+        "errors": [
+            "Permission denied: need execute-write-sql"
+        ]
+    }
+
 .. _TableInsertView:
 
 Inserting rows
@@ -837,7 +1968,14 @@ To create a table, make a ``POST`` to ``/<database>/-/create``. This requires th
             },
             {
                 "name": "title",
-                "type": "text"
+                "type": "text",
+                "not_null": true,
+                "default": "Untitled"
+            },
+            {
+                "name": "created",
+                "type": "text",
+                "default_expr": "current_timestamp"
             }
         ],
         "pk": "id"
@@ -850,6 +1988,10 @@ The JSON here describes the table that will be created:
 
   - ``name`` is the name of the column. This is required.
   - ``type`` is the type of the column. This is optional - if not provided, ``text`` will be assumed. The valid types are ``text``, ``integer``, ``float`` and ``blob``.
+  - ``not_null`` can be set to ``true`` to create this column with a ``NOT NULL`` constraint.
+  - ``default`` can be used to set a literal default value for this column.
+  - ``default_expr`` can be used instead of ``default`` to set a SQLite default expression. See :ref:`default_expr values <json_api_default_expr_values>`.
+  - ``fk_table`` can be used to create a single-column foreign key constraint referencing another table. ``fk_column`` is optional and can be used to specify the referenced column - if omitted, Datasette will use the single primary key of ``fk_table``.
 
 * ``pk`` is the primary key for the table. This is optional - if not provided, Datasette will create a SQLite table with a hidden ``rowid`` column.
 
@@ -862,6 +2004,56 @@ The JSON here describes the table that will be created:
 * ``replace`` can be set to ``true`` to replace existing rows by primary key if the table already exists. This requires the :ref:`actions_update_row` permission.
 * ``alter`` can be set to ``true`` if you want to automatically add any missing columns to the table. This requires the :ref:`actions_alter_table` permission.
 
+.. _json_api_default_expr_values:
+
+``default_expr`` accepts these values:
+
+.. list-table::
+   :header-rows: 1
+
+   * - Value
+     - Recommended column type
+     - Example inserted value
+   * - ``current_timestamp``
+     - ``text``
+     - ``2026-05-01 13:34:00``
+   * - ``current_date``
+     - ``text``
+     - ``2026-05-01``
+   * - ``current_time``
+     - ``text``
+     - ``13:34:00``
+   * - ``current_unixtime``
+     - ``integer``
+     - ``1777642440``
+   * - ``current_unixtime_ms``
+     - ``integer``
+     - ``1777642440000``
+
+This example creates a foreign key from ``projects.owner_id`` to the single primary key of ``owners``:
+
+.. code-block:: json
+
+    {
+        "table": "projects",
+        "columns": [
+            {
+                "name": "id",
+                "type": "integer"
+            },
+            {
+                "name": "owner_id",
+                "type": "integer",
+                "fk_table": "owners"
+            },
+            {
+                "name": "title",
+                "type": "text"
+            }
+        ],
+        "pk": "id"
+    }
+
 If the table is successfully created this will return a ``201`` status code and the following response:
 
 .. code-block:: json
@@ -872,7 +2064,7 @@ If the table is successfully created this will return a ``201`` status code and
         "table": "name_of_new_table",
         "table_url": "http://127.0.0.1:8001/data/name_of_new_table",
         "table_api_url": "http://127.0.0.1:8001/data/name_of_new_table.json",
-        "schema": "CREATE TABLE [name_of_new_table] (\n   [id] INTEGER PRIMARY KEY,\n   [title] TEXT\n)"
+        "schema": "CREATE TABLE [name_of_new_table] (\n   [id] INTEGER PRIMARY KEY,\n   [title] TEXT NOT NULL DEFAULT 'Untitled',\n   [created] TEXT DEFAULT CURRENT_TIMESTAMP\n)"
     }
 
 .. _TableCreateView_example:
@@ -941,6 +2133,299 @@ To use the ``"replace": true`` option you will also need the :ref:`actions_updat
 
 Pass ``"alter": true`` to automatically add any missing columns to the existing table that are present in the rows you are submitting. This requires the :ref:`actions_alter_table` permission.
 
+.. _DatabaseForeignKeyTargetsView:
+
+Database foreign key targets
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``/<database>/-/foreign-key-targets`` endpoint returns the list of tables in a database that can be referenced by a single-column foreign key. This requires the :ref:`actions_create_table` permission.
+
+::
+
+    GET /<database>/-/foreign-key-targets
+
+The response includes only tables with exactly one primary key column. Hidden tables, tables with compound primary keys and tables with no explicit primary key are omitted.
+
+Each target includes the normalized SQLite type affinity for the primary key column in ``type``. The type is calculated using SQLite's documented affinity rules: ``INT`` maps to ``integer``; ``CHAR``, ``CLOB`` or ``TEXT`` maps to ``text``; ``BLOB`` or no type maps to ``blob``; ``REAL`` and floating-point declared types map to ``real``; everything else maps to ``numeric``.
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "database": "data",
+        "targets": [
+            {
+                "fk_table": "owners",
+                "fk_column": "id",
+                "type": "integer"
+            },
+            {
+                "fk_table": "categories",
+                "fk_column": "slug",
+                "type": "text"
+            }
+        ]
+    }
+
+.. _TableForeignKeySuggestionsView:
+
+Table foreign key suggestions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``/<database>/<table>/-/foreign-key-suggestions`` endpoint suggests possible single-column foreign key relationships for a table. This requires the :ref:`actions_alter_table` permission.
+
+::
+
+    GET /<database>/<table>/-/foreign-key-suggestions
+
+The response includes every type-compatible single-column primary key target for each column in ``options``. Datasette also performs a bounded data check against up to 500 rows in the table: if the sampled non-null values for a column all exist in a target primary key, that target is included in ``suggestions``.
+
+If the bounded check takes too long, the endpoint fails open. It still returns the type-compatible ``options`` for each column, but ``row_check.status`` will be ``"timed_out"`` and there may be no ``suggestions``.
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "database": "data",
+        "table": "projects",
+        "row_check": {
+            "attempted": true,
+            "status": "completed",
+            "row_limit": 500,
+            "sampled_rows": 3,
+            "checked_options": 4
+        },
+        "columns": [
+            {
+                "column": "owner_id",
+                "type": "INTEGER",
+                "affinity": "integer",
+                "current": null,
+                "suggestions": [
+                    {
+                        "fk_table": "owners",
+                        "fk_column": "id",
+                        "confidence": "sampled",
+                        "sampled_values": 3,
+                        "reasons": [
+                            "type_match",
+                            "sample_values_exist",
+                            "name_match"
+                        ]
+                    }
+                ],
+                "options": [
+                    {
+                        "fk_table": "owners",
+                        "fk_column": "id",
+                        "type": "INTEGER"
+                    }
+                ]
+            }
+        ]
+    }
+
+.. _TableAlterView:
+
+Altering tables
+~~~~~~~~~~~~~~~
+
+To alter an existing table, make a ``POST`` to ``/<database>/<table>/-/alter``. This requires the :ref:`actions_alter_table` permission.
+
+::
+
+    POST /<database>/<table>/-/alter
+    Content-Type: application/json
+    Authorization: Bearer dstok_<rest-of-token>
+
+The request body should include an ``operations`` array. Each operation has the same top-level shape: an ``op`` string and an ``args`` object.
+
+.. code-block:: json
+
+    {
+        "operations": [
+            {
+                "op": "add_column",
+                "args": {
+                    "name": "slug",
+                    "type": "text",
+                    "not_null": true,
+                    "default": ""
+                }
+            },
+            {
+                "op": "add_column",
+                "args": {
+                    "name": "created",
+                    "type": "text",
+                    "default_expr": "current_timestamp"
+                }
+            },
+            {
+                "op": "rename_column",
+                "args": {
+                    "name": "title",
+                    "to": "headline"
+                }
+            },
+            {
+                "op": "rename_table",
+                "args": {
+                    "to": "published_posts"
+                }
+            },
+            {
+                "op": "alter_column",
+                "args": {
+                    "name": "score",
+                    "type": "float"
+                }
+            },
+            {
+                "op": "drop_column",
+                "args": {
+                    "name": "draft_notes"
+                }
+            },
+            {
+                "op": "set_primary_key",
+                "args": {
+                    "columns": ["id"]
+                }
+            },
+            {
+                "op": "add_foreign_key",
+                "args": {
+                    "column": "owner_id",
+                    "fk_table": "owners"
+                }
+            },
+            {
+                "op": "drop_foreign_key",
+                "args": {
+                    "column": "old_owner_id"
+                }
+            },
+            {
+                "op": "set_foreign_keys",
+                "args": {
+                    "foreign_keys": [
+                        {
+                            "column": "owner_id",
+                            "fk_table": "owners",
+                            "fk_column": "id"
+                        }
+                    ]
+                }
+            },
+            {
+                "op": "reorder_columns",
+                "args": {
+                    "columns": ["id", "headline", "slug", "created", "score"]
+                }
+            }
+        ]
+    }
+
+Supported operations:
+
+* ``add_column`` adds a new column. ``args`` accepts ``name``, optional ``type`` of ``text``, ``integer``, ``float`` or ``blob``, optional ``not_null``, optional literal ``default`` and optional ``default_expr``. If ``not_null`` is ``true`` either a non-null ``default`` or ``default_expr`` is required.
+* ``rename_column`` renames a column. ``args`` accepts ``name`` and ``to``.
+* ``rename_table`` renames the table. ``args`` accepts ``to``, the new table name. If combined with other operations, Datasette applies the column, primary key, foreign key and column order changes before renaming the table.
+* ``alter_column`` changes column properties. ``args`` accepts ``name`` and at least one of ``type``, ``not_null``, literal ``default`` or ``default_expr``. Passing ``"default": null`` removes an existing default.
+* ``drop_column`` drops a column. ``args`` accepts ``name``.
+* ``set_primary_key`` changes the table primary key. ``args`` accepts ``columns``, a list of one or more column names.
+* ``add_foreign_key`` adds a single-column foreign key constraint. ``args`` accepts ``column``, ``fk_table`` and optional ``fk_column``. If ``fk_column`` is omitted, Datasette will use the single primary key of ``fk_table``.
+* ``drop_foreign_key`` removes the foreign key constraint for a column. ``args`` accepts ``column``.
+* ``set_foreign_keys`` replaces all foreign key constraints on the table. ``args`` accepts ``foreign_keys``, a list of objects that each have ``column``, ``fk_table`` and optional ``fk_column``. An empty list removes all foreign key constraints.
+* ``reorder_columns`` reorders columns. ``args`` accepts ``columns``, a list of one or more column names. Columns omitted from this list will appear afterwards in their existing order.
+
+``default`` is always treated as a literal value. ``default_expr`` accepts the values shown in :ref:`default_expr values <json_api_default_expr_values>` and is rendered as the corresponding SQLite default expression.
+
+For foreign key operations that omit ``fk_column``, the referenced ``fk_table`` must have a single-column primary key. Datasette will return an error if it cannot identify a single primary key column for that table.
+
+A successful response returns the new schema and the previous schema. If the request used ``rename_table``, ``table``, ``table_url`` and ``table_api_url`` will use the new table name. Renaming a table through this endpoint triggers the :class:`~datasette.events.RenameTableEvent` event.
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "database": "data",
+        "table": "published_posts",
+        "table_url": "http://127.0.0.1:8001/data/published_posts",
+        "table_api_url": "http://127.0.0.1:8001/data/published_posts.json",
+        "altered": true,
+        "schema": "CREATE TABLE ...",
+        "before_schema": "CREATE TABLE ...",
+        "operations_applied": 11
+    }
+
+Any errors will return ``{"errors": ["... descriptive message ..."], "ok": false}``, and a ``400`` status code for a bad input or a ``403`` status code for an authentication or permission error.
+
+.. _TableSetColumnTypeView:
+
+Setting a column type
+~~~~~~~~~~~~~~~~~~~~~
+
+To set a column type for a table column, make a ``POST`` to ``/<database>/<table>/-/set-column-type``. This requires the :ref:`actions_set_column_type` permission.
+
+::
+
+    POST /<database>/<table>/-/set-column-type
+    Content-Type: application/json
+    Authorization: Bearer dstok_<rest-of-token>
+
+.. code-block:: json
+
+    {
+        "column": "title",
+        "column_type": {
+            "type": "email"
+        }
+    }
+
+This will return a ``200`` response like this:
+
+.. code-block:: json
+
+    {
+        "ok": true,
+        "database": "data",
+        "table": "posts",
+        "column": "title",
+        "column_type": {
+            "type": "email",
+            "config": null
+        }
+    }
+
+To provide column type configuration, include a ``config`` object:
+
+.. code-block:: json
+
+    {
+        "column": "title",
+        "column_type": {
+            "type": "url",
+            "config": {
+                "max_length": 200
+            }
+        }
+    }
+
+To clear an existing column type assignment, set ``column_type`` to ``null``:
+
+.. code-block:: json
+
+    {
+        "column": "title",
+        "column_type": null
+    }
+
+This API stores the assignment in Datasette's internal database, so it can be used with immutable databases as well as mutable ones.
+
+Any errors will return ``{"errors": ["... descriptive message ..."], "ok": false}``, and a ``400`` status code for a bad input or a ``403`` status code for an authentication or permission error.
+
 .. _TableDropView:
 
 Dropping tables
diff --git a/docs/json_api_doc.py b/docs/json_api_doc.py
new file mode 100644
index 00000000..422e67f4
--- /dev/null
+++ b/docs/json_api_doc.py
@@ -0,0 +1,148 @@
+import asyncio
+import json
+import pathlib
+import tempfile
+import textwrap
+
+
+def table_extras(cog):
+    from datasette.extras import ExtraScope
+    from datasette.views.table_extras import table_extra_registry
+
+    scopes = [
+        (
+            ExtraScope.TABLE,
+            "Table JSON responses",
+            "The available table extras are listed below.",
+        ),
+        (
+            ExtraScope.ROW,
+            "Row JSON responses",
+            "The following extras are available for row JSON responses.",
+        ),
+        (
+            ExtraScope.QUERY,
+            "Query JSON responses",
+            (
+                "The following extras are available for arbitrary SQL query "
+                "responses and stored, named query responses."
+            ),
+        ),
+    ]
+    classes_by_scope = [
+        (scope, heading, intro, table_extra_registry.public_classes_for_scope(scope))
+        for scope, heading, intro in scopes
+    ]
+
+    live_examples = asyncio.run(
+        _fetch_live_examples(
+            [
+                (scope, cls)
+                for scope, _, _, classes in classes_by_scope
+                for cls in classes
+            ]
+        )
+    )
+    cog.out("\n")
+    for scope, heading, intro, classes in classes_by_scope:
+        cog.out("{}\n{}\n\n".format(heading, "~" * len(heading)))
+        cog.out("{}\n\n".format(intro))
+        for cls in classes:
+            examples = _examples_for_scope(cls, scope)
+            description = cls.description or ""
+            notes = []
+            if cls.expensive:
+                notes.append("May execute additional queries.")
+            if cls.docs_note:
+                notes.append(cls.docs_note)
+            if notes:
+                description = "{} ({})".format(description, " ".join(notes)).strip()
+
+            cog.out("``{}``\n".format(cls.key()))
+            cog.out("    {}\n\n".format(description))
+            for example in examples:
+                if example.path:
+                    value = live_examples[(example.path, example.key or cls.key())]
+                    cog.out("    ``GET {}``\n\n".format(example.path))
+                else:
+                    value = example.value
+                if example.note:
+                    cog.out("    {}\n\n".format(example.note))
+                cog.out("    .. code-block:: json\n\n")
+                cog.out(textwrap.indent(json.dumps(value, indent=2), "        "))
+                cog.out("\n\n")
+
+
+def _examples_for_scope(cls, scope):
+    examples = cls.example_for_scope(scope)
+    if examples is None:
+        return []
+    if isinstance(examples, list):
+        return examples
+    return [examples]
+
+
+async def _fetch_live_examples(scoped_classes):
+    from datasette.app import Datasette
+    from datasette.fixtures import write_fixture_database
+
+    examples = {}
+    with tempfile.TemporaryDirectory() as tmpdir:
+        db_path = pathlib.Path(tmpdir) / "fixtures.db"
+        write_fixture_database(db_path)
+        datasette = Datasette(
+            [str(db_path)],
+            settings={"num_sql_threads": 1},
+            metadata={
+                "databases": {
+                    "fixtures": {
+                        "tables": {
+                            "facetable": {
+                                "description": "A demo table of places, used to demonstrate facets",
+                                "columns": {"state": "Two letter US state code"},
+                            }
+                        }
+                    }
+                }
+            },
+            config={
+                "databases": {
+                    "fixtures": {
+                        "tables": {
+                            "facetable": {
+                                "column_types": {"tags": "json"},
+                            }
+                        },
+                        "queries": {
+                            "neighborhood_search": {
+                                "sql": textwrap.dedent("""
+                                    select _neighborhood, facet_cities.name, state
+                                    from facetable
+                                        join facet_cities
+                                            on facetable._city_id = facet_cities.id
+                                    where _neighborhood like '%' || :text || '%'
+                                    order by _neighborhood;
+                                """),
+                                "title": "Search neighborhoods",
+                            }
+                        },
+                    }
+                }
+            },
+        )
+        try:
+            for scope, cls in scoped_classes:
+                for example in _examples_for_scope(cls, scope):
+                    if not example.path:
+                        continue
+                    key = example.key or cls.key()
+                    response = await datasette.client.get(example.path)
+                    assert response.status_code == 200, example.path
+                    data = response.json()
+                    assert key in data, "{} missing from {}".format(key, example.path)
+                    examples[(example.path, key)] = data[key]
+        finally:
+            for db in datasette.databases.values():
+                if not db.is_memory:
+                    db.close()
+    return examples
diff --git a/docs/metadata.rst b/docs/metadata.rst
index a3fa4040..d9d10b8c 100644
--- a/docs/metadata.rst
+++ b/docs/metadata.rst
@@ -205,370 +205,14 @@ These will be displayed at the top of the table page, and will also show in the
 
 You can see an example of how these look at `latest.datasette.io/fixtures/roadside_attractions <https://latest.datasette.io/fixtures/roadside_attractions>`__.
 
-.. _metadata_default_sort:
+.. _metadata_table_config:
 
-Setting a default sort order
-----------------------------
+Table configuration
+-------------------
 
-By default Datasette tables are sorted by primary key. You can over-ride this default for a specific table using the ``"sort"`` or ``"sort_desc"`` metadata properties:
+Datasette supports a range of table-level configuration options including sort order, page size, facets, full-text search, column types, and more. These are now documented in the :ref:`table configuration <configuration_reference_table>` section of the configuration reference.
 
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "mydatabase": {
-                "tables": {
-                    "example_table": {
-                        "sort": "created"
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          mydatabase:
-            tables:
-              example_table:
-                sort: created
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "mydatabase": {
-              "tables": {
-                "example_table": {
-                  "sort": "created"
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-Or use ``"sort_desc"`` to sort in descending order:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "mydatabase": {
-                "tables": {
-                    "example_table": {
-                        "sort_desc": "created"
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          mydatabase:
-            tables:
-              example_table:
-                sort_desc: created
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "mydatabase": {
-              "tables": {
-                "example_table": {
-                  "sort_desc": "created"
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-.. _metadata_page_size:
-
-Setting a custom page size
---------------------------
-
-Datasette defaults to displaying 100 rows per page, for both tables and views. You can change this default page size on a per-table or per-view basis using the ``"size"`` key in ``metadata.json``:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "mydatabase": {
-                "tables": {
-                    "example_table": {
-                        "size": 10
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          mydatabase:
-            tables:
-              example_table:
-                size: 10
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "mydatabase": {
-              "tables": {
-                "example_table": {
-                  "size": 10
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-This size can still be over-ridden by passing e.g. ``?_size=50`` in the query string.
-
-.. _metadata_sortable_columns:
-
-Setting which columns can be used for sorting
----------------------------------------------
-
-Datasette allows any column to be used for sorting by default. If you need to
-control which columns are available for sorting you can do so using the optional
-``sortable_columns`` key:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "database1": {
-                "tables": {
-                    "example_table": {
-                        "sortable_columns": [
-                            "height",
-                            "weight"
-                        ]
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          database1:
-            tables:
-              example_table:
-                sortable_columns:
-                - height
-                - weight
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "database1": {
-              "tables": {
-                "example_table": {
-                  "sortable_columns": [
-                    "height",
-                    "weight"
-                  ]
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-This will restrict sorting of ``example_table`` to just the ``height`` and
-``weight`` columns.
-
-You can also disable sorting entirely by setting ``"sortable_columns": []``
-
-You can use ``sortable_columns`` to enable specific sort orders for a view called ``name_of_view`` in the database ``my_database`` like so:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "my_database": {
-                "tables": {
-                    "name_of_view": {
-                        "sortable_columns": [
-                            "clicks",
-                            "impressions"
-                        ]
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          my_database:
-            tables:
-              name_of_view:
-                sortable_columns:
-                - clicks
-                - impressions
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "my_database": {
-              "tables": {
-                "name_of_view": {
-                  "sortable_columns": [
-                    "clicks",
-                    "impressions"
-                  ]
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-.. _label_columns:
-
-Specifying the label column for a table
----------------------------------------
-
-Datasette's HTML interface attempts to display foreign key references as
-labelled hyperlinks. By default, it looks for referenced tables that only have
-two columns: a primary key column and one other. It assumes that the second
-column should be used as the link label.
-
-If your table has more than two columns you can specify which column should be
-used for the link label with the ``label_column`` property:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "database1": {
-                "tables": {
-                    "example_table": {
-                        "label_column": "title"
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          database1:
-            tables:
-              example_table:
-                label_column: title
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "database1": {
-              "tables": {
-                "example_table": {
-                  "label_column": "title"
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
-
-.. _metadata_hiding_tables:
-
-Hiding tables
--------------
-
-You can hide tables from the database listing view (in the same way that FTS and
-SpatiaLite tables are automatically hidden) using ``"hidden": true``:
-
-.. [[[cog
-    metadata_example(cog, {
-        "databases": {
-            "database1": {
-                "tables": {
-                    "example_table": {
-                        "hidden": True
-                    }
-                }
-            }
-        }
-    })
-.. ]]]
-
-.. tab:: metadata.yaml
-
-    .. code-block:: yaml
-
-        databases:
-          database1:
-            tables:
-              example_table:
-                hidden: true
-
-
-.. tab:: metadata.json
-
-    .. code-block:: json
-
-        {
-          "databases": {
-            "database1": {
-              "tables": {
-                "example_table": {
-                  "hidden": true
-                }
-              }
-            }
-          }
-        }
-.. [[[end]]]
+For backwards compatibility these options can be specified in either ``metadata.yaml`` or ``datasette.yaml``.
 
 .. _metadata_reference:
 
@@ -613,7 +257,7 @@ Table-level metadata
 
 "Table-level" metadata refers to fields that can be specified for each table in a Datasette instance. These attributes should be listed under a specific table using the `"tables"` field.
 
-The following are the full list of allowed table-level metadata fields:
+The following metadata fields are supported at the table level:
 
 - ``source``
 - ``source_url``
@@ -621,13 +265,6 @@ The following are the full list of allowed table-level metadata fields:
 - ``license_url``
 - ``about``
 - ``about_url``
-- ``hidden``
-- ``sort/sort_desc``
-- ``size``
-- ``sortable_columns``
-- ``label_column``
-- ``facets``
-- ``fts_table``
-- ``fts_pk``
-- ``searchmode``
-- ``columns``
+- ``columns`` (see :ref:`metadata_column_descriptions`)
+
+Additionally, tables support a number of configuration options (``sort``, ``sort_desc``, ``size``, ``sortable_columns``, ``label_column``, ``hidden``, ``facets``, ``facet_size``, ``fts_table``, ``fts_pk``, ``searchmode``, ``column_types``). See :ref:`table configuration <configuration_reference_table>` for full details.
diff --git a/docs/pages.rst b/docs/pages.rst
index 2e54ce2f..ce88be12 100644
--- a/docs/pages.rst
+++ b/docs/pages.rst
@@ -28,7 +28,7 @@ The index page can also be accessed at ``/-/``, useful for if the default index
 Database
 ========
 
-Each database has a page listing the tables, views and canned queries available for that database. If the :ref:`actions_execute_sql` permission is enabled (it's on by default) there will also be an interface for executing arbitrary SQL select queries against the data.
+Each database has a page listing the tables, views and stored queries available for that database. If the :ref:`actions_execute_sql` permission is enabled (it's on by default) there will also be an interface for executing arbitrary SQL select queries against the data.
 
 Examples:
 
@@ -40,6 +40,8 @@ The JSON version of this page provides programmatic access to the underlying dat
 * `fivethirtyeight.datasettes.com/fivethirtyeight.json <https://fivethirtyeight.datasettes.com/fivethirtyeight.json>`_
 * `datasette.io/global-power-plants.json <https://datasette.io/global-power-plants.json>`_
 
+The returned object includes an ``"ok": true`` key alongside keys such as ``"database"``, ``"tables"``, ``"views"``, ``"queries"`` and ``"metadata"``.
+
 .. _DatabaseView_hidden:
 
 Hidden tables
@@ -50,7 +52,7 @@ Some tables listed on the database page are treated as hidden. Hidden tables are
 The following tables are hidden by default:
 
 - Any table with a name that starts with an underscore - this is a Datasette convention to help plugins easily hide their own internal tables.
-- Tables that have been configured as ``"hidden": true`` using :ref:`metadata_hiding_tables`.
+- Tables that have been configured as ``"hidden": true`` using :ref:`table_configuration_hidden`.
 - ``*_fts`` tables that implement SQLite full-text search indexes.
 - Tables relating to the inner workings of the SpatiaLite SQLite extension.
 - ``sqlite_stat`` tables used to store statistics used by the query optimizer.
@@ -60,16 +62,43 @@ The following tables are hidden by default:
 Queries
 =======
 
+.. _pages_custom_sql_queries:
+
+Custom SQL queries
+------------------
+
 The ``/database-name/-/query`` page can be used to execute an arbitrary SQL query against that database, if the :ref:`actions_execute_sql` permission is enabled. This query is passed as the ``?sql=`` query string parameter.
 
 This means you can link directly to a query by constructing the following URL:
 
 ``/database-name/-/query?sql=SELECT+*+FROM+table_name``
 
-Each configured :ref:`canned query <canned_queries>` has its own page, at ``/database-name/query-name``. Viewing this page will execute the query and display the results.
+Each configured :ref:`stored query <stored_queries>` has its own page, at ``/database-name/query-name``. Viewing this page will execute the query and display the results.
 
 In both cases adding a ``.json`` extension to the URL will return the results as JSON.
 
+.. _pages_execute_write:
+
+Write SQL queries
+-----------------
+
+The ``/database-name/-/execute-write`` page can be used to execute SQL statements that write to a mutable database, if the :ref:`actions_execute_write_sql` permission is enabled.
+
+This page extracts named parameters from the SQL, shows the tables that will be affected and lists the permissions required before the query can be executed. It also includes templates for common ``INSERT``, ``UPDATE`` and ``DELETE`` statements.
+
+Datasette checks additional permissions based on the operations in the SQL. Row changes require the relevant table-level permissions such as :ref:`actions_insert_row`, :ref:`actions_update_row` and :ref:`actions_delete_row`; reads from source tables require :ref:`actions_view_table`; and schema changes require permissions such as :ref:`actions_create_table`, :ref:`actions_alter_table` or :ref:`actions_drop_table`.
+
+Use the :ref:`ExecuteWriteView` JSON API to execute writable SQL programmatically.
+
+.. _pages_stored_query_browser:
+
+Stored query browsers
+---------------------
+
+The ``/-/queries`` page lists stored queries across every database visible to the current actor. The ``/database-name/-/queries`` page lists stored queries for a single database.
+
+These pages support search, pagination and filters for read-only or writable queries and private or public queries. Adding a ``.json`` extension to either URL returns the same list as JSON.
+
 .. _TableView:
 
 Table
@@ -89,6 +118,16 @@ Some examples:
 * `../antiquities-act%2Factions_under_antiquities_act <https://fivethirtyeight.datasettes.com/fivethirtyeight/antiquities-act%2Factions_under_antiquities_act>`_ is an interface for exploring the "actions under the antiquities act" data table published by FiveThirtyEight.
 * `../global-power-plants?country_long=United+Kingdom&primary_fuel=Gas <https://datasette.io/global-power-plants/global-power-plants?_facet=primary_fuel&_facet=owner&_facet=country_long&country_long__exact=United+Kingdom&primary_fuel=Gas>`_ is a filtered table page showing every Gas power plant in the United Kingdom. It includes some default facets (configured using `its metadata.json <https://datasette.io/-/metadata>`_) and uses the `datasette-cluster-map <https://github.com/simonw/datasette-cluster-map>`_ plugin to show a map of the results.
 
+.. _TableFragmentView:
+
+Table fragment
+--------------
+
+The ``/<database>/<table>/-/fragment`` endpoint returns the rendered table HTML
+for rows matching the provided filters. It is used by Datasette's row editing
+interface to refresh rows after changes while still respecting custom table
+templates and ``render_cell`` plugin hooks.
+
 .. _RowView:
 
 Row
diff --git a/docs/plugin_hooks.rst b/docs/plugin_hooks.rst
index b9701f7c..81ef4acd 100644
--- a/docs/plugin_hooks.rst
+++ b/docs/plugin_hooks.rst
@@ -78,12 +78,14 @@ write_wrapper(datasette, database, request, transaction)
 ``transaction`` - bool
     ``True`` if the write will be wrapped in a database transaction.
 
-Return a generator function that accepts a ``conn`` argument (a SQLite connection object).  The generator should ``yield`` exactly once.  Code before the ``yield`` runs before the write function executes; code after the ``yield`` runs after it completes.
+Return a generator function that accepts a ``conn`` argument (a SQLite connection object) and optionally a ``track_event`` argument.  The generator should ``yield`` exactly once.  Code before the ``yield`` runs before the write function executes; code after the ``yield`` runs after it completes.
 
 The result of the write function is sent back through the ``yield``, so you can capture it with ``result = yield``.
 
 If the write function raises an exception, it is thrown into the generator so you can handle it with a ``try`` / ``except`` around the ``yield``.
 
+If your generator accepts ``track_event``, you can call ``track_event(event)`` to queue an event that will be dispatched via :ref:`datasette.track_event() <datasette_track_event>` after the write commits successfully.  Events are discarded if the write raises an exception.
+
 Return ``None`` to skip wrapping for this particular write.
 
 This example logs every write operation:
@@ -228,6 +230,10 @@ Function that returns an awaitable function that returns a dictionary
 
 Datasette runs Jinja2 in `async mode <https://jinja.palletsprojects.com/en/2.10.x/api/#async-support>`__, which means you can add awaitable functions to the template scope and they will be automatically awaited when they are rendered by the template.
 
+.. warning::
+
+   Be careful not to accidentally define a variable that conflicts with one that Datasette is already using for something else. Check :ref:`the template context documentation <template_context>` to see the variables defined by Datasette core.
+
 Here's an example plugin that adds a ``"user_agent"`` variable to the template context containing the current request's User-Agent header:
 
 .. code-block:: python
@@ -474,8 +480,8 @@ Examples: `datasette-publish-fly <https://datasette.io/plugins/datasette-publish
 
 .. _plugin_hook_render_cell:
 
-render_cell(row, value, column, table, pks, database, datasette, request)
--------------------------------------------------------------------------
+render_cell(row, value, column, table, pks, database, datasette, request, column_type)
+--------------------------------------------------------------------------------------
 
 Lets you customize the display of values within table cells in the HTML table view.
 
@@ -503,6 +509,11 @@ Lets you customize the display of values within table cells in the HTML table vi
 ``request`` - :ref:`internals_request`
     The current request object
 
+``column_type`` - :ref:`ColumnType <datasette_column_types>` subclass instance or None
+    The :ref:`ColumnType <datasette_column_types>` subclass instance assigned to this column (with ``.config`` populated), or ``None`` if no column type is assigned. You can access ``column_type.name``, ``column_type.config``, etc.
+
+If a column has a :ref:`column type <datasette_column_types>` assigned and that column type's ``render_cell`` method returns a non-``None`` value, it will take priority over this plugin hook.
+
 If your hook returns ``None``, it will be ignored. Use this to indicate that your hook is not able to custom render this particular value.
 
 If the hook returns a string, that string will be rendered in the table cell.
@@ -602,7 +613,7 @@ When a request is received, the ``"render"`` callback function is called with ze
     The SQL query that was executed.
 
 ``query_name`` - string or None
-    If this was the execution of a :ref:`canned query <canned_queries>`, the name of that query.
+    If this was the execution of a :ref:`stored query <stored_queries>`, the name of that query.
 
 ``database`` - string
     The name of the database.
@@ -885,13 +896,15 @@ Actions define what operations can be performed on resources (like viewing a tab
         """A collection of documents."""
 
         name = "document-collection"
-        parent_name = None
+        parent_class = None
 
         def __init__(self, collection: str):
             super().__init__(parent=collection, child=None)
 
         @classmethod
-        def resources_sql(cls) -> str:
+        async def resources_sql(
+            cls, datasette, actor=None
+        ) -> str:
             return """
                 SELECT collection_name AS parent, NULL AS child
                 FROM document_collections
@@ -902,13 +915,15 @@ Actions define what operations can be performed on resources (like viewing a tab
         """A document in a collection."""
 
         name = "document"
-        parent_name = "document-collection"
+        parent_class = DocumentCollectionResource
 
         def __init__(self, collection: str, document: str):
             super().__init__(parent=collection, child=document)
 
         @classmethod
-        def resources_sql(cls) -> str:
+        async def resources_sql(
+            cls, datasette, actor=None
+        ) -> str:
             return """
                 SELECT collection_name AS parent, document_id AS child
                 FROM documents
@@ -954,13 +969,15 @@ The fields of the ``Action`` dataclass are as follows:
 
     - Define a ``name`` class attribute (e.g., ``"document"``)
     - Define a ``parent_class`` class attribute (``None`` for top-level resources like databases, or the parent ``Resource`` subclass for child resources)
-    - Implement a ``resources_sql()`` classmethod that returns SQL returning all resources as ``(parent, child)`` columns
+    - Implement an async ``resources_sql(cls, datasette, actor=None)`` classmethod that returns SQL returning all resources as ``(parent, child)`` columns
     - Have an ``__init__`` method that accepts appropriate parameters and calls ``super().__init__(parent=..., child=...)``
 
-The ``resources_sql()`` method
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _plugin_resources_sql:
 
-The ``resources_sql()`` classmethod returns a SQL query that lists all resources of that type that exist in the system.
+The ``resources_sql(datasette, actor)`` method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``resources_sql()`` classmethod returns a SQL query that lists all resources of that type that exist in the system. It can be async because Datasette calls it with ``await``, and it receives the current ``datasette`` instance plus an optional ``actor`` argument.
 
 This query is used by Datasette to efficiently check permissions across multiple resources at once. When a user requests a list of resources (like tables, documents, or other entities), Datasette uses this SQL to:
 
@@ -979,7 +996,7 @@ For example, if you're building a document management plugin with collections an
 .. code-block:: python
 
     @classmethod
-    def resources_sql(cls) -> str:
+    async def resources_sql(cls, datasette, actor=None) -> str:
         return """
             SELECT collection_name AS parent, document_id AS child
             FROM documents
@@ -989,6 +1006,98 @@ This tells Datasette "here's how to find all documents in the system - look in t
 
 The permission system then uses this query along with rules from plugins to determine which documents each user can access, all efficiently in SQL rather than loading everything into Python.
 
+.. _plugin_register_column_types:
+
+register_column_types(datasette)
+--------------------------------
+
+Return a list of :ref:`ColumnType <datasette_column_types>` **subclasses** (not instances) to register custom column types. Column types define how values in specific columns are rendered, validated, and transformed.
+
+.. code-block:: python
+
+    from datasette import hookimpl
+    from datasette.column_types import ColumnType, SQLiteType
+    import markupsafe
+
+
+    class ColorColumnType(ColumnType):
+        name = "color"
+        description = "CSS color value"
+        sqlite_types = (SQLiteType.TEXT,)
+
+        async def render_cell(
+            self,
+            value,
+            column,
+            table,
+            database,
+            datasette,
+            request,
+        ):
+            if value:
+                return markupsafe.Markup(
+                    '<span style="background-color: {color}">'
+                    "{color}</span>"
+                ).format(color=markupsafe.escape(value))
+            return None
+
+        async def validate(self, value, datasette):
+            if value and not value.startswith("#"):
+                return "Color must start with #"
+            return None
+
+        async def transform_value(self, value, datasette):
+            # Normalize to uppercase
+            if isinstance(value, str):
+                return value.upper()
+            return value
+
+
+    @hookimpl
+    def register_column_types(datasette):
+        return [ColorColumnType]
+
+Each ``ColumnType`` subclass must define the following class attributes:
+
+``name`` - string
+    Unique identifier for the column type, e.g. ``"color"``. Must be unique across all plugins.
+
+``description`` - string
+    Human-readable label, e.g. ``"CSS color value"``.
+
+``sqlite_types`` - tuple of ``SQLiteType`` values, optional
+    Restrict assignments of this column type to columns with matching SQLite types, e.g. ``(SQLiteType.TEXT,)``. If omitted, the column type can be assigned to any column.
+
+And the following methods, all optional:
+
+``render_cell(self, value, column, table, database, datasette, request)``
+    Return an HTML string to render this cell value, or ``None`` to fall through to the default ``render_cell`` plugin hook chain. When a column type provides rendering, it takes priority over the ``render_cell`` plugin hook.
+
+``validate(self, value, datasette)``
+    Validate a value before it is written via the insert, update, or upsert API endpoints. Return ``None`` if valid, or a string error message if invalid. Null values and empty strings skip validation.
+
+``transform_value(self, value, datasette)``
+    Transform a value before it appears in JSON API output. Return the transformed value. The default implementation returns the value unchanged.
+
+Per-column configuration is available via ``self.config`` in all methods. When a column type is looked up for a specific column (via :ref:`get_column_type <datasette_get_column_type>` or :ref:`get_column_types <datasette_get_column_types>`), the returned instance has ``config`` set to the parsed JSON config dict for that column assignment, or ``None`` if no config was provided.
+
+Column types are assigned to columns via the :ref:`column_types <table_configuration_column_types>` table configuration option:
+
+.. code-block:: yaml
+
+    databases:
+      mydb:
+        tables:
+          mytable:
+            column_types:
+              bg_color: color
+              highlight:
+                type: color
+                config:
+                  format: rgb
+
+Datasette includes four built-in column types: ``url``, ``email``, ``json``, and ``textarea``. The ``textarea`` type is an editing hint that causes Datasette's insert/edit forms to use a multiline ``<textarea>`` control for that column.
+
 .. _plugin_asgi_wrapper:
 
 asgi_wrapper(datasette)
@@ -1102,85 +1211,6 @@ Potential use-cases:
 
 Examples: `datasette-saved-queries <https://datasette.io/plugins/datasette-saved-queries>`__, `datasette-init <https://datasette.io/plugins/datasette-init>`__
 
-.. _plugin_hook_canned_queries:
-
-canned_queries(datasette, database, actor)
-------------------------------------------
-
-``datasette`` - :ref:`internals_datasette`
-    You can use this to access plugin configuration options via ``datasette.plugin_config(your_plugin_name)``, or to execute SQL queries.
-
-``database`` - string
-    The name of the database.
-
-``actor`` - dictionary or None
-    The currently authenticated :ref:`actor <authentication_actor>`.
-
-Use this hook to return a dictionary of additional :ref:`canned query <canned_queries>` definitions for the specified database. The return value should be the same shape as the JSON described in the :ref:`canned query <canned_queries>` documentation.
-
-.. code-block:: python
-
-    from datasette import hookimpl
-
-
-    @hookimpl
-    def canned_queries(datasette, database):
-        if database == "mydb":
-            return {
-                "my_query": {
-                    "sql": "select * from my_table where id > :min_id"
-                }
-            }
-
-The hook can alternatively return an awaitable function that returns a list. Here's an example that returns queries that have been stored in the ``saved_queries`` database table, if one exists:
-
-.. code-block:: python
-
-    from datasette import hookimpl
-
-
-    @hookimpl
-    def canned_queries(datasette, database):
-        async def inner():
-            db = datasette.get_database(database)
-            if await db.table_exists("saved_queries"):
-                results = await db.execute(
-                    "select name, sql from saved_queries"
-                )
-                return {
-                    result["name"]: {"sql": result["sql"]}
-                    for result in results
-                }
-
-        return inner
-
-The actor parameter can be used to include the currently authenticated actor in your decision. Here's an example that returns saved queries that were saved by that actor:
-
-.. code-block:: python
-
-    from datasette import hookimpl
-
-
-    @hookimpl
-    def canned_queries(datasette, database, actor):
-        async def inner():
-            db = datasette.get_database(database)
-            if actor is not None and await db.table_exists(
-                "saved_queries"
-            ):
-                results = await db.execute(
-                    "select name, sql from saved_queries where actor_id = :id",
-                    {"id": actor["id"]},
-                )
-                return {
-                    result["name"]: {"sql": result["sql"]}
-                    for result in results
-                }
-
-        return inner
-
-Example: `datasette-saved-queries <https://datasette.io/plugins/datasette-saved-queries>`__
-
 .. _plugin_hook_actor_from_request:
 
 actor_from_request(datasette, request)
@@ -1599,7 +1629,7 @@ register_magic_parameters(datasette)
 ``datasette`` - :ref:`internals_datasette`
     You can use this to access plugin configuration options via ``datasette.plugin_config(your_plugin_name)``.
 
-:ref:`canned_queries_magic_parameters` can be used to add automatic parameters to :ref:`canned queries <canned_queries>`. This plugin hook allows additional magic parameters to be defined by plugins.
+:ref:`queries_magic_parameters` can be used to add automatic parameters to :ref:`configured queries <queries>`. This plugin hook allows additional magic parameters to be defined by plugins.
 
 Magic parameters all take this format: ``_prefix_rest_of_parameter``. The prefix indicates which magic parameter function should be called - the rest of the parameter is passed as an argument to that function.
 
@@ -1732,31 +1762,6 @@ This example logs an error to `Sentry <https://sentry.io/>`__ and then renders a
 
 Example: `datasette-sentry <https://datasette.io/plugins/datasette-sentry>`_
 
-.. _plugin_hook_skip_csrf:
-
-skip_csrf(datasette, scope)
----------------------------
-
-``datasette`` - :ref:`internals_datasette`
-    You can use this to access plugin configuration options via ``datasette.plugin_config(your_plugin_name)``, or to execute SQL queries.
-
-``scope`` - dictionary
-    The `ASGI scope <https://asgi.readthedocs.io/en/latest/specs/www.html#http-connection-scope>`__ for the incoming HTTP request.
-
-This hook can be used to skip :ref:`internals_csrf` for a specific incoming request. For example, you might have a custom path at ``/submit-comment`` which is designed to accept comments from anywhere, whether or not the incoming request originated on the site and has an accompanying CSRF token.
-
-This example will disable CSRF protection for that specific URL path:
-
-.. code-block:: python
-
-    from datasette import hookimpl
-
-
-    @hookimpl
-    def skip_csrf(scope):
-        return scope["path"] == "/submit-comment"
-
-If any of the currently active ``skip_csrf()`` plugin hooks return ``True``, CSRF protection will be skipped for the request.
 
 .. _plugin_hook_menu_links:
 
@@ -1801,6 +1806,106 @@ Using :ref:`internals_datasette_urls` here ensures that links in the menu will t
 
 Examples: `datasette-search-all <https://datasette.io/plugins/datasette-search-all>`_, `datasette-graphql <https://datasette.io/plugins/datasette-graphql>`_
 
+.. _plugin_hook_jump_items_sql:
+
+jump_items_sql(datasette, actor, request)
+-----------------------------------------
+
+``datasette`` - :ref:`internals_datasette`
+    You can use this to access plugin configuration options via ``datasette.plugin_config(your_plugin_name)``, or to execute SQL queries.
+
+``actor`` - dictionary or None
+    The currently authenticated :ref:`actor <authentication_actor>`.
+
+``request`` - :ref:`internals_request`
+    The current HTTP request.
+
+This hook allows plugins to add extra results to Datasette's ``/`` jump menu, which is powered by the ``/-/jump`` JSON endpoint.
+
+Return a ``datasette.jump.JumpSQL`` object, or a list of ``JumpSQL`` objects. Each ``JumpSQL`` object wraps a SQL query to be searched alongside Datasette's own databases, tables, views and stored query results. The hook can also be an ``async def`` function, or return an awaitable that resolves to one of these values.
+
+``JumpSQL`` queries run against Datasette's internal database by default. To run a query against another database, pass its name as the optional ``database=`` argument. For example, ``JumpSQL(database="content", sql="...")`` runs against the ``content`` database.
+
+Datasette groups ``JumpSQL`` queries by database and executes one ``UNION ALL`` query for each database.
+
+The SQL query must return these columns:
+
+``type``
+    A short type string for the result, for example ``"app"`` or ``"dashboard"``. The jump menu displays this above the item as a category label.
+
+``label``
+    The stable name for the result. This is returned as ``name`` in the JSON API and is used for sorting.
+
+``description``
+    Optional longer text describing this individual item, or ``NULL``. The jump menu displays this below the item's URL when it is present.
+
+``url``
+    The URL to navigate to when the item is selected. This can be either a string starting with ``/`` or a JSON object describing a call to one of the :ref:`internals_datasette_urls` methods. For example, ``json_object('method', 'table', 'database', 'fixtures', 'table', 'facetable')`` calls ``datasette.urls.table(database='fixtures', table='facetable')``. Unknown methods or invalid named arguments will result in an error.
+
+``search_text``
+    Text that should be searched by the ``?q=`` parameter.
+
+``display_name``
+    A human-readable label for the result, or ``NULL``. Datasette returns this as ``display_name`` in the JSON API, and the jump menu shows it as the primary readable label with ``name`` shown underneath.
+
+Use ``params=`` to pass SQL parameters. Datasette will automatically namespace those parameters before adding the SQL fragment to the per-database ``UNION ALL`` query.
+
+This example returns a SQL fragment that searches rows from a ``dashboards`` table in the ``content`` database. The ``url`` column uses ``json_object()`` to describe a call to ``datasette.urls.row(database='content', table='dashboards', row_path=slug)``:
+
+.. code-block:: python
+
+    from datasette import hookimpl
+    from datasette.jump import JumpSQL
+
+
+    @hookimpl
+    def jump_items_sql(datasette, actor, request):
+        if not actor:
+            return None
+        return JumpSQL(
+            sql="""
+            SELECT
+                'dashboard' AS type,
+                slug AS label,
+                description,
+                json_object(
+                    'method', 'row',
+                    'database', 'content',
+                    'table', 'dashboards',
+                    'row_path', slug
+                ) AS url,
+                slug || ' ' || COALESCE(title, '') || ' ' || COALESCE(description, '') AS search_text,
+                title AS display_name
+            FROM dashboards
+            WHERE owner_id = :actor_id
+            """,
+            params={"actor_id": actor["id"]},
+            database="content",
+        )
+
+This example uses the ``JumpSQL.menu_item()`` shortcut to add a single "Plugin dashboard" result for signed-in users:
+
+.. code-block:: python
+
+    from datasette import hookimpl
+    from datasette.jump import JumpSQL
+
+
+    @hookimpl
+    def jump_items_sql(datasette, actor, request):
+        if not actor:
+            return None
+        return JumpSQL.menu_item(
+            item_type="dashboard",
+            label="plugin-dashboard",
+            description="Review plugin status and configuration.",
+            url="/-/plugin-dashboard",
+            search_text="plugin dashboard",
+            display_name="Plugin dashboard",
+        )
+
+``JumpSQL.menu_item(...)`` is a shortcut for adding a single jump menu item from Python code. It accepts the keyword arguments shown above.
+
 .. _plugin_actions:
 
 Action hooks
@@ -1808,7 +1913,79 @@ Action hooks
 
 Action hooks can be used to add items to the action menus that appear at the top of different pages within Datasette. Unlike :ref:`menu_links() <plugin_hook_menu_links>`, actions which are displayed on every page, actions should only be relevant to the page the user is currently viewing.
 
-Each of these hooks should return return a list of ``{"href": "...", "label": "..."}`` menu items, with optional ``"description": "..."`` keys describing each action in more detail.
+Each of these hooks should return a list of menu items, with optional ``"description": "..."`` keys describing each action in more detail.
+
+The most common action item is a link to another page:
+
+.. code-block:: python
+
+    {
+        "href": datasette.urls.path("/-/custom-action"),
+        "label": "Custom action",
+        "description": "Run this action on a separate page.",
+    }
+
+Plugins can also return button actions for JavaScript-backed interactions:
+
+.. code-block:: python
+
+    {
+        "type": "button",
+        "label": "Open custom dialog",
+        "description": "Show a dialog without leaving this page.",
+        "attrs": {
+            "aria-label": "Open custom dialog",
+            "data-plugin-action": "open-custom-dialog",
+        },
+    }
+
+These are rendered as ``<button type="button" class="button-as-link action-menu-button" role="menuitem" tabindex="-1">``. The optional ``attrs`` dictionary is added to the button, and is useful for ``data-*`` attributes that your plugin's JavaScript can use to attach event handlers.
+
+Here is a minimal plugin example that adds a button to a table page and loads JavaScript to handle clicks on that button:
+
+.. code-block:: python
+
+    from datasette import hookimpl
+
+
+    @hookimpl
+    def table_actions(datasette, database, table):
+        return [
+            {
+                "type": "button",
+                "label": "Show table name",
+                "description": "Open a JavaScript-powered plugin action.",
+                "attrs": {
+                    "aria-label": "Show table name",
+                    "data-plugin-action": "show-table-name",
+                    "data-database": database,
+                    "data-table": table,
+                },
+            }
+        ]
+
+
+    @hookimpl
+    def extra_js_urls(datasette):
+        return [
+            datasette.static(
+                "show-table.js", plugin="datasette_show_table"
+            )
+        ]
+
+The ``static/show-table.js`` file in that plugin could look like this:
+
+.. code-block:: javascript
+
+    document.addEventListener("click", (event) => {
+      const button = event.target.closest(
+        "button[data-plugin-action='show-table-name']"
+      );
+      if (!button) {
+        return;
+      }
+      alert(`${button.dataset.database}.${button.dataset.table}`);
+    });
 
 They can alternatively return an ``async def`` awaitable function which, when called, returns a list of those menu items.
 
@@ -1893,7 +2070,7 @@ query_actions(datasette, actor, database, query_name, request, sql, params)
     The name of the database.
 
 ``query_name`` - string or None
-    The name of the canned query, or ``None`` if this is an arbitrary SQL query.
+    The name of the stored query, or ``None`` if this is an arbitrary SQL query.
 
 ``request`` - :ref:`internals_request`
     The current HTTP request.
@@ -1904,7 +2081,7 @@ query_actions(datasette, actor, database, query_name, request, sql, params)
 ``params`` - dictionary
     The parameters passed to the SQL query, if any.
 
-Populates a "Query actions" menu on the canned query and arbitrary SQL query pages.
+Populates a "Query actions" menu on the stored query and arbitrary SQL query pages.
 
 This example adds a new query action linking to a page for explaining a query:
 
@@ -2168,9 +2345,9 @@ top_query(datasette, request, database, sql)
 
 Returns HTML to be displayed at the top of the query results page.
 
-.. _plugin_hook_top_canned_query:
+.. _plugin_hook_top_stored_query:
 
-top_canned_query(datasette, request, database, query_name)
+top_stored_query(datasette, request, database, query_name)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 ``datasette`` - :ref:`internals_datasette`
@@ -2183,9 +2360,9 @@ top_canned_query(datasette, request, database, query_name)
     The name of the database.
 
 ``query_name`` - string
-    The name of the canned query.
+    The name of the stored query.
 
-Returns HTML to be displayed at the top of the canned query page.
+Returns HTML to be displayed at the top of the stored query page.
 
 .. _plugin_event_tracking:
 
@@ -2392,4 +2569,3 @@ Tokens can then be created and verified using :ref:`datasette.create_token() <da
     actor = await datasette.verify_token(token)
 
 If no handlers are registered, ``create_token()`` raises ``RuntimeError``. If the requested ``handler`` name is not found, it raises ``ValueError``.
-
diff --git a/docs/plugins.rst b/docs/plugins.rst
index 60bdc111..d2b5c20a 100644
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@@ -207,6 +207,42 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
                 "register_actions"
             ]
         },
+        {
+            "name": "datasette.default_column_types",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "register_column_types"
+            ]
+        },
+        {
+            "name": "datasette.default_database_actions",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "database_actions"
+            ]
+        },
+        {
+            "name": "datasette.default_debug_menu",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "jump_items_sql"
+            ]
+        },
+        {
+            "name": "datasette.default_jump_items",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "jump_items_sql"
+            ]
+        },
         {
             "name": "datasette.default_magic_parameters",
             "static": false,
@@ -216,24 +252,13 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
                 "register_magic_parameters"
             ]
         },
-        {
-            "name": "datasette.default_menu_links",
-            "static": false,
-            "templates": false,
-            "version": null,
-            "hooks": [
-                "menu_links"
-            ]
-        },
         {
             "name": "datasette.default_permissions",
             "static": false,
             "templates": false,
             "version": null,
             "hooks": [
-                "canned_queries",
-                "permission_resources_sql",
-                "skip_csrf"
+                "permission_resources_sql"
             ]
         },
         {
@@ -246,13 +271,32 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
                 "register_token_handler"
             ]
         },
+        {
+            "name": "datasette.default_query_actions",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "query_actions"
+            ]
+        },
+        {
+            "name": "datasette.default_table_actions",
+            "static": false,
+            "templates": false,
+            "version": null,
+            "hooks": [
+                "table_actions"
+            ]
+        },
         {
             "name": "datasette.events",
             "static": false,
             "templates": false,
             "version": null,
             "hooks": [
-                "register_events"
+                "register_events",
+                "write_wrapper"
             ]
         },
         {
diff --git a/docs/spatialite.rst b/docs/spatialite.rst
index c93c1e00..bea679aa 100644
--- a/docs/spatialite.rst
+++ b/docs/spatialite.rst
@@ -30,7 +30,7 @@ Warning
     The following steps are recommended:
 
     - Disable arbitrary SQL queries by untrusted users. See :ref:`authentication_permissions_execute_sql` for ways to do this. The easiest is to start Datasette with the ``datasette --setting default_allow_sql off`` option.
-    - Define :ref:`canned_queries` with the SQL queries that use SpatiaLite functions that you want people to be able to execute.
+    - Define :ref:`queries <queries>` with the SQL queries that use SpatiaLite functions that you want people to be able to execute.
 
     The `Datasette SpatiaLite tutorial <https://datasette.io/tutorials/spatialite>`__ includes detailed instructions for running SpatiaLite safely using these techniques
 
diff --git a/docs/sql_queries.rst b/docs/sql_queries.rst
index 7c3cd4ac..371348fb 100644
--- a/docs/sql_queries.rst
+++ b/docs/sql_queries.rst
@@ -7,6 +7,8 @@ Datasette treats SQLite database files as read-only and immutable. This means it
 
 The easiest way to execute custom SQL against Datasette is through the web UI. The database index page includes a SQL editor that lets you run any SELECT query you like. You can also construct queries using the filter interface on the tables page, then click "View and edit SQL" to open that query in the custom SQL editor.
 
+For mutable databases, actors with the appropriate permissions can use the :ref:`write SQL page <pages_execute_write>` to execute SQL statements that insert, update or delete rows.
+
 Note that this interface is only available if the :ref:`actions_execute_sql` permission is allowed. See :ref:`authentication_permissions_execute_sql`.
 
 Any Datasette SQL query is reflected in the URL of the page, allowing you to bookmark them, share them with others and navigate through previous queries using your browser back button.
@@ -66,12 +68,12 @@ You can also use the `sqlite-utils <https://sqlite-utils.datasette.io/>`__ tool
 
     sqlite-utils create-view sf-trees.db demo_view "select qSpecies from Street_Tree_List"
 
-.. _canned_queries:
+.. _queries:
 
-Canned queries
---------------
+Queries
+-------
 
-As an alternative to adding views to your database, you can define canned queries inside your ``datasette.yaml`` file. Here's an example:
+As an alternative to adding views to your database, you can define named queries inside your ``datasette.yaml`` file. Here's an example:
 
 .. [[[cog
     from metadata_doc import config_example, config_example
@@ -120,24 +122,76 @@ Then run Datasette like this::
 
     datasette sf-trees.db -m metadata.json
 
-Each canned query will be listed on the database index page, and will also get its own URL at::
+Each configured query will be listed on the database index page, and will also get its own URL at::
 
-    /database-name/canned-query-name
+    /database-name/query-name
 
 For the above example, that URL would be::
 
     /sf-trees/just_species
 
-You can optionally include ``"title"`` and ``"description"`` keys to show a title and description on the canned query page. As with regular table metadata you can alternatively specify ``"description_html"`` to have your description rendered as HTML (rather than having HTML special characters escaped).
+You can optionally include ``"title"`` and ``"description"`` keys to show a title and description on the query page. As with regular table metadata you can alternatively specify ``"description_html"`` to have your description rendered as HTML (rather than having HTML special characters escaped).
 
-.. _canned_queries_named_parameters:
+.. _stored_queries:
+.. _saved_queries:
 
-Canned query parameters
-~~~~~~~~~~~~~~~~~~~~~~~
+Stored queries
+~~~~~~~~~~~~~~
 
-Canned queries support named parameters, so if you include those in the SQL you will then be able to enter them using the form fields on the canned query page or by adding them to the URL. This means canned queries can be used to create custom JSON APIs based on a carefully designed SQL statement.
+Datasette stores both configured queries and user-created queries in the ``queries`` table in the :ref:`internal database <internals_internal>`. Configured queries come from the ``queries`` section of ``datasette.yaml``. User-created stored queries can be created from the SQL query page by actors with the :ref:`actions_store_query` and :ref:`actions_execute_sql` permissions. Writable stored queries also require the permissions needed for the writes they perform.
 
-Here's an example of a canned query with a named parameter:
+Stored queries created by users default to private. Private stored queries can only be viewed, updated or deleted by the actor that created them. Broad ``view-query``, ``update-query`` or ``delete-query`` permission grants still do not allow other actors to access another actor's private stored queries.
+
+Editing and deleting stored queries
++++++++++++++++++++++++++++++++++++
+
+The page for a stored query includes a "Query actions" menu with **Edit this query** and **Delete this query** links for actors who have permission to use them.
+
+The owner of a stored query can always edit and delete it. For queries that are not private, any actor granted the ``update-query`` or ``delete-query`` permission can edit or delete the query, even if they did not create it. Private queries can only be edited or deleted by their owner, regardless of any broad permission grants.
+
+Editing a query lets you change its title, description, SQL and whether it is private. Changing the SQL also requires the ``execute-sql`` permission (and the relevant write permissions for writable queries). The same operations are available through the JSON API by sending a ``POST`` to ``/<database>/<query>/-/update`` or ``/<database>/<query>/-/delete``. Trusted stored queries cannot be edited or deleted through the web interface or the JSON API.
+
+Stored queries created by users are untrusted. This means they execute using the permissions of the actor who runs them, as if that actor had pasted the SQL into the regular custom SQL interface or write SQL interface. Read-only stored queries require ``execute-sql``. Writable stored queries require ``execute-write-sql`` plus the relevant table-level write permissions. SQL functions are allowed and are not separately restricted by Datasette permissions.
+
+.. _trusted_stored_queries:
+.. _trusted_saved_queries:
+
+Trusted stored queries
+++++++++++++++++++++++
+
+A trusted stored query can execute with ``view-query`` permission alone. It skips the additional ``execute-sql`` and write permission checks that are applied to untrusted stored queries.
+
+Trusted stored queries should only be used for SQL that has been reviewed by someone trusted to configure the Datasette instance. For that reason, trusted stored queries can only be added using configuration. Users cannot create trusted stored queries through the web interface or the stored query JSON API.
+
+Queries defined in ``datasette.yaml`` are trusted by default:
+
+.. code-block:: yaml
+
+    databases:
+      mydatabase:
+        queries:
+          report:
+            sql: select * from report
+
+You can opt out of this behavior for a configured query using ``is_trusted: false``:
+
+.. code-block:: yaml
+
+    databases:
+      mydatabase:
+        queries:
+          report:
+            sql: select * from report
+            is_trusted: false
+
+.. _queries_named_parameters:
+
+Query parameters
+~~~~~~~~~~~~~~~~
+
+Configured queries support named parameters, so if you include those in the SQL you will then be able to enter them using the form fields on the query page or by adding them to the URL. This means configured queries can be used to create custom JSON APIs based on a carefully designed SQL statement.
+
+Here's an example of a configured query with a named parameter:
 
 .. code-block:: sql
 
@@ -147,7 +201,7 @@ Here's an example of a canned query with a named parameter:
     where neighborhood like '%' || :text || '%'
     order by neighborhood;
 
-In the canned query configuration looks like this:
+The query configuration looks like this:
 
 
 .. [[[cog
@@ -204,7 +258,7 @@ In the canned query configuration looks like this:
 
 Note that we are using SQLite string concatenation here - the ``||`` operator - to add wildcard ``%`` characters to the string provided by the user.
 
-You can try this canned query out here:
+You can try this query out here:
 https://latest.datasette.io/fixtures/neighborhood_search?text=town
 
 In this example the ``:text`` named parameter is automatically extracted from the query using a regular expression.
@@ -270,17 +324,17 @@ You can alternatively provide an explicit list of named parameters using the ``"
         }
 .. [[[end]]]
 
-.. _canned_queries_options:
+.. _queries_options:
 
-Additional canned query options
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Additional query options
+~~~~~~~~~~~~~~~~~~~~~~~~
 
-Additional options can be specified for canned queries in the YAML or JSON configuration.
+Additional options can be specified for configured queries in the YAML or JSON configuration.
 
 hide_sql
 ++++++++
 
-Canned queries default to displaying their SQL query at the top of the page. If the query is extremely long you may want to hide it by default, with a "show" link that can be used to make it visible.
+Configured queries default to displaying their SQL query at the top of the page. If the query is extremely long you may want to hide it by default, with a "show" link that can be used to make it visible.
 
 Add the ``"hide_sql": true`` option to hide the SQL query by default.
 
@@ -289,7 +343,7 @@ fragment
 
 Some plugins, such as `datasette-vega <https://github.com/simonw/datasette-vega>`__, can be configured by including additional data in the fragment hash of the URL - the bit that comes after a ``#`` symbol.
 
-You can set a default fragment hash that will be included in the link to the canned query from the database index page using the ``"fragment"`` key.
+You can set a default fragment hash that will be included in the link to the query from the database index page using the ``"fragment"`` key.
 
 This example demonstrates both ``fragment`` and ``hide_sql``:
 
@@ -346,14 +400,14 @@ This example demonstrates both ``fragment`` and ``hide_sql``:
 
 `See here <https://latest.datasette.io/fixtures#queries>`__ for a demo of this in action.
 
-.. _canned_queries_writable:
+.. _queries_writable:
 
-Writable canned queries
-~~~~~~~~~~~~~~~~~~~~~~~
+Writable queries
+~~~~~~~~~~~~~~~~
 
-Canned queries by default are read-only. You can use the ``"write": true`` key to indicate that a canned query can write to the database.
+Configured queries are read-only by default. You can use the ``"write": true`` key to indicate that a query can write to the database.
 
-See :ref:`authentication_permissions_query` for details on how to add permission checks to canned queries, using the ``"allow"`` key.
+See :ref:`authentication_permissions_query` for details on how to add permission checks to queries, using the ``"allow"`` key.
 
 .. [[[cog
     config_example(cog, {
@@ -481,14 +535,14 @@ You can pre-populate form fields when the page first loads using a query string,
 
 If you specify a query in ``"on_success_message_sql"``, that query will be executed after the main query. The first column of the first row return by that query will be displayed as a success message. Named parameters from the main query will be made available to the success message query as well.
 
-.. _canned_queries_magic_parameters:
+.. _queries_magic_parameters:
 
 Magic parameters
 ~~~~~~~~~~~~~~~~
 
 Named parameters that start with an underscore are special: they can be used to automatically add values created by Datasette that are not contained in the incoming form fields or query string.
 
-These magic parameters are only supported for canned queries: to avoid security issues (such as queries that extract the user's private cookies) they are not available to SQL that is executed by the user as a custom SQL query.
+These magic parameters are only supported for configured queries: to avoid security issues (such as queries that extract the user's private cookies) they are not available to SQL that is executed by the user as a custom SQL query.
 
 Available magic parameters are:
 
@@ -578,14 +632,14 @@ The form presented at ``/mydatabase/add_message`` will have just a field for ``m
 
 Additional custom magic parameters can be added by plugins using the :ref:`plugin_hook_register_magic_parameters` hook.
 
-.. _canned_queries_json_api:
+.. _queries_json_api:
 
-JSON API for writable canned queries
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+JSON API for writable queries
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Writable canned queries can also be accessed using a JSON API. You can POST data to them using JSON, and you can request that their response is returned to you as JSON.
+Writable queries can also be accessed using a JSON API. You can POST data to them using JSON, and you can request that their response is returned to you as JSON.
 
-To submit JSON to a writable canned query, encode key/value parameters as a JSON document::
+To submit JSON to a writable query, encode key/value parameters as a JSON document::
 
     POST /mydatabase/add_message
 
diff --git a/docs/template_context.rst b/docs/template_context.rst
new file mode 100644
index 00000000..5c6b1567
--- /dev/null
+++ b/docs/template_context.rst
@@ -0,0 +1,497 @@
+.. _template_context:
+
+Template context
+================
+
+This page documents the variables that are available to custom templates
+for each of Datasette's core pages. See :ref:`customization_custom_templates`
+for how to provide your own templates.
+
+The variables documented here are a stable contract: custom templates that
+use them will continue to work across Datasette releases, up until the next
+major version (Datasette 2.0). Anything present in the template context but
+not documented on this page is not part of that contract and may change or
+be removed in any release.
+
+You can inspect the full context for any page by starting Datasette with
+``--setting template_debug 1`` and adding ``?_context=1`` to the page URL.
+
+.. [[[cog
+    from template_context_doc import template_context
+    template_context(cog)
+.. ]]]
+
+Base context
+------------
+
+These variables are available on every page rendered by Datasette, including pages rendered by plugins that use :ref:`datasette.render_template() <datasette_render_template>`. Plugins can add additional variables using the :ref:`plugin_hook_extra_template_vars` hook.
+
+``request``
+    The current :ref:`Request object <internals_request>`, or None. Common properties include ``request.path``, ``request.args``, ``request.actor``, ``request.url_vars`` and ``request.host``.
+
+``crumb_items``
+    Async function returning breadcrumb navigation items for the current page. Call it with ``request=request`` plus optional ``database=`` and ``table=`` arguments; it returns a list of ``{"href": url, "label": label}`` dictionaries.
+
+``urls``
+    Object with methods for constructing URLs within Datasette. Common methods include ``urls.instance()``, ``urls.database(database)``, ``urls.table(database, table)``, ``urls.query(database, query)``, ``urls.row(database, table, row_path)`` and ``urls.static(path)`` - see :ref:`internals_datasette_urls`.
+
+``actor``
+    The currently authenticated actor dictionary, or None. Actors usually include an ``id`` key and may include any other keys supplied by authentication plugins.
+
+``menu_links``
+    Async function returning links for the Datasette application menu, including links added by plugins. Each item is a link dictionary with ``href`` and ``label`` keys. See :ref:`plugin_hook_menu_links`; for page action menus that can also include JavaScript-backed buttons, see :ref:`plugin_actions`.
+
+``display_actor``
+    Function that accepts an actor dictionary and returns the display string used in the navigation menu.
+
+``show_logout``
+    True if the logout link should be shown in the navigation menu
+
+``zip``
+    Python's ``zip()`` builtin, made available to template logic
+
+``body_scripts``
+    List of JavaScript snippets contributed by plugins using :ref:`plugin_hook_extra_body_script`. Each item is a dictionary with ``script`` containing JavaScript source and ``module`` indicating whether Datasette will wrap it in ``<script type="module">``; otherwise Datasette wraps it in a regular ``<script>`` block.
+
+``format_bytes``
+    Function that accepts a byte count integer and returns a human-readable string such as ``1.2 MB``.
+
+``show_messages``
+    Function returning any messages set for the current user, clearing them in the process. Returns a list of ``(message, type)`` pairs, where ``type`` is one of Datasette's ``INFO``, ``WARNING`` or ``ERROR`` constants.
+
+``extra_css_urls``
+    List of extra CSS stylesheets to include on the page. Each item is a dictionary with ``url`` and optional ``sri`` keys, from plugins and configuration.
+
+``extra_js_urls``
+    List of extra JavaScript URLs to include on the page. Each item is a dictionary with ``url`` plus optional ``sri`` and ``module`` keys, from plugins and configuration.
+
+``base_url``
+    The configured :ref:`setting_base_url` setting
+
+``datasette_version``
+    The version of Datasette that is running
+
+Database page
+-------------
+
+The page listing the tables, views and queries in a database, e.g. /fixtures. Rendered using the ``database.html`` template.
+
+``allow_download`` - ``bool``
+    Boolean indicating if database download is allowed
+
+``allow_execute_sql`` - ``bool``
+    Boolean indicating if custom SQL can be executed
+
+``alternate_url_json`` - ``str``
+    URL for the alternate JSON version of this page
+
+``attached_databases`` - ``list``
+    List of names of databases attached to this SQLite connection. This is only populated for the special ``/_memory`` database when Datasette is started with ``--crossdb`` for :ref:`cross_database_queries`.
+
+``database`` - ``str``
+    The name of the database
+
+``database_actions`` - ``callable``
+    Async callable returning action items for the database menu. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_database_actions`.
+
+``database_color`` - ``str``
+    The color assigned to the database
+
+``database_page_data`` - ``dict``
+    JSON data used by JavaScript on the database page. Currently ``{}`` or ``{"createTable": {...}}`` where ``createTable`` includes ``path``, ``foreignKeyTargetsPath``, ``databaseName``, ``columnTypes``, ``defaultExpressions`` and optional ``customColumnTypes``.
+
+``editable`` - ``bool``
+    Boolean indicating if the database is editable
+
+``hidden_count`` - ``int``
+    Count of hidden tables
+
+``metadata`` - ``dict``
+    Metadata dictionary for the database, such as ``title``, ``description``, ``license`` and ``source`` values from Datasette metadata.
+
+``path`` - ``str``
+    The URL path to this database
+
+``private`` - ``bool``
+    Boolean indicating if this is a private database
+
+``queries`` - ``list[StoredQuery]``
+    List of ``StoredQuery`` objects. Each has attributes including ``name``, ``sql``, ``title``, ``description``, ``description_html``, ``hide_sql``, ``fragment``, ``parameters``, ``is_write`` and ``private``.
+
+``queries_count`` - ``int``
+    Count of visible stored queries
+
+``queries_more`` - ``bool``
+    Boolean indicating if more stored queries are available
+
+``select_templates`` - ``list``
+    List of template names that were considered for this page, with the selected template prefixed by ``*``.
+
+``show_hidden`` - ``str``
+    Value of _show_hidden query parameter
+
+``size`` - ``int``
+    The size of the database in bytes
+
+``table_columns`` - ``dict``
+    Dictionary mapping table names to lists of column names, used to power SQL autocomplete.
+
+``tables`` - ``list[DatabaseTable]``
+    List of ``DatabaseTable`` objects describing tables in the database. Each item has ``name``, ``columns``, ``primary_keys``, ``count``, ``count_truncated``, ``hidden``, ``fts_table``, ``foreign_keys`` and ``private`` attributes. ``count_truncated`` is true if ``count`` is a capped lower bound rather than an exact total.
+
+``top_database`` - ``callable``
+    Async callable that renders the ``top_database`` plugin slot for this database and returns HTML.
+
+``views`` - ``list[DatabaseViewInfo]``
+    List of ``DatabaseViewInfo`` objects describing SQLite views in the database. Each item has ``name`` and ``private`` attributes.
+
+Query page
+----------
+
+The page for arbitrary SQL queries (/database/-/query?sql=...) and stored queries (/database/query-name). Rendered using the ``query.html`` template.
+
+``allow_execute_sql`` - ``bool``
+    Boolean indicating if custom SQL can be executed
+
+``alternate_url_json`` - ``str``
+    URL for alternate JSON version of this page
+
+``columns`` - ``list``
+    List of result column names in the order they appear in ``display_rows`` and ``rows``.
+
+``database`` - ``str``
+    The name of the database being queried
+
+``database_color`` - ``str``
+    The color of the database
+
+``db_is_immutable`` - ``bool``
+    Boolean indicating if this database is immutable
+
+``display_rows`` - ``list``
+    List of result rows formatted for HTML display. Each row is a list of rendered cell values in the same order as ``columns``.
+
+``edit_sql_url`` - ``str``
+    URL to edit the SQL for a stored query
+
+``editable`` - ``bool``
+    Boolean indicating if the SQL can be edited
+
+``error`` - ``str``
+    Any query error message
+
+``hide_sql`` - ``bool``
+    Boolean indicating if the SQL should be hidden
+
+``metadata`` - ``dict``
+    Metadata dictionary for the database or stored query. Stored query metadata may include options such as ``hide_sql``, ``on_success_message`` and ``on_error_redirect``.
+
+``named_parameter_values`` - ``dict``
+    Dictionary of named SQL parameter values, keyed by parameter name without the leading ``:``.
+
+``private`` - ``bool``
+    Boolean indicating if this is a private database
+
+``query`` - ``dict``
+    Dictionary describing the SQL query being executed, with ``sql`` and ``params`` keys.
+
+``query_actions`` - ``callable``
+    Async callable returning action items for the query menu. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_query_actions`.
+
+``renderers`` - ``dict``
+    Dictionary mapping output format names such as ``json`` to URLs for this query in that format.
+
+``save_query_url`` - ``str``
+    URL to save the current arbitrary SQL as a query
+
+``select_templates`` - ``list``
+    List of template names that were considered for this page, with the selected template prefixed by ``*``.
+
+``show_hide_hidden`` - ``str``
+    Rendered hidden ``<input>`` HTML preserving the current ``_hide_sql`` or ``_show_sql`` state.
+
+``show_hide_link`` - ``str``
+    The URL to toggle showing/hiding the SQL
+
+``show_hide_text`` - ``str``
+    The text for the show/hide SQL link
+
+``stored_query`` - ``str``
+    The name of the stored query if this is a stored query
+
+``stored_query_write`` - ``bool``
+    Boolean indicating if this is a stored query that allows writes
+
+``table_columns`` - ``dict``
+    Dictionary mapping table names to lists of column names, used to power SQL autocomplete.
+
+``tables`` - ``list[DatabaseTable]``
+    List of ``DatabaseTable`` objects describing tables in the database. Each item has ``name``, ``columns``, ``primary_keys``, ``count``, ``count_truncated``, ``hidden``, ``fts_table``, ``foreign_keys`` and ``private`` attributes. ``count_truncated`` is true if ``count`` is a capped lower bound rather than an exact total.
+
+``top_query`` - ``callable``
+    Async callable that renders the ``top_query`` plugin slot for this query and returns HTML.
+
+``top_stored_query`` - ``callable``
+    Async callable that renders the ``top_stored_query`` plugin slot for stored queries and returns HTML.
+
+``url_csv`` - ``str``
+    URL for CSV export
+
+Table page
+----------
+
+The page showing the rows in a table or SQL view, e.g. /fixtures/facetable. Rendered using the ``table.html`` template.
+
+Many of these keys are shared with the :ref:`JSON API <json_api>` for this page.
+
+``actions`` - ``callable``
+    Async callable returning table or view actions made available by core and plugin hooks. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions`, :ref:`plugin_hook_table_actions` and :ref:`plugin_hook_view_actions`.
+
+``all_columns`` - ``list``
+    List of all column names in the table, regardless of ``_col=`` or ``_nocol=`` filtering.
+
+``allow_execute_sql`` - ``bool``
+    True if the current actor can execute custom SQL against this database
+
+``alternate_url_json`` - ``str``
+    URL for the JSON version of this page
+
+``append_querystring`` - ``callable``
+    Function ``append_querystring(url, querystring)`` that appends additional query string arguments to a URL, using ``?`` or ``&`` as appropriate.
+
+``columns`` - ``list``
+    List of column names returned by this table, row or query.
+
+``count`` - ``int``
+    Total count of rows matching these filters
+
+``count_sql`` - ``str``
+    SQL query string used to calculate the total count for the current table view, including active filters.
+
+``count_truncated`` - ``bool``
+    True if ``count`` is a capped lower bound rather than an exact total, because Datasette stopped counting after its configured row-count limit.
+
+``custom_table_templates`` - ``list``
+    List of custom template names considered for rendering table rows, in lookup order.
+
+``database`` - ``str``
+    Database name
+
+``database_color`` - ``str``
+    Color assigned to the database
+
+``datasette_allow_facet`` - ``str``
+    The string "true" or "false" reflecting the allow_facet setting
+
+``display_columns`` - ``list``
+    Column metadata used by the HTML table display. Each item includes ``name``, ``sortable``, ``is_pk``, ``type``, ``notnull``, ``description``, ``column_type`` and ``column_type_config`` keys.
+
+``display_rows`` - ``list``
+    Rows formatted for the HTML table display. Each row is iterable and contains cell dictionaries with ``column``, ``value``, ``raw`` and ``value_type`` keys; table pages may also provide ``pk_path``, ``row_path`` and ``row_label`` attributes on each row object.
+
+``expandable_columns`` - ``list``
+    List of foreign key columns that can be expanded with labels. Each item is a ``(foreign_key, label_column)`` pair where ``foreign_key`` is the SQLite foreign key dictionary and ``label_column`` is the label column in the referenced table, or ``None``.
+
+``extra_wheres_for_ui`` - ``list``
+    Extra where clauses from ``?_where=`` for display in the UI. Each item has ``text`` for the SQL fragment and ``remove_url`` for a URL that removes that fragment.
+
+``facet_results`` - ``dict``
+    Results of facets calculated against this data. A dictionary with ``results`` and ``timed_out`` keys: ``results`` maps facet names to facet dictionaries with ``name``, ``type``, ``results`` and URL keys, and each facet result item includes ``value``, ``label``, ``count`` and ``toggle_url``.
+
+``facets_timed_out`` - ``list``
+    List of names of facet calculations that exceeded the facet time limit.
+
+``filter_columns`` - ``list``
+    List of column names offered by the filter interface, including currently displayed columns and any hidden columns that can still be filtered.
+
+``filters`` - ``Filters``
+    ``Filters`` object used by the HTML table interface. Useful methods include ``filters.human_description_en()``; this is not JSON serializable.
+
+``fix_path`` - ``callable``
+    Function that applies the configured ``base_url`` prefix to a path.
+
+``form_hidden_args`` - ``list``
+    List of ``(name, value)`` pairs for hidden form fields used by the HTML table interface to preserve current query string options.
+
+``human_description_en`` - ``str``
+    Human-readable description of the filters
+
+``is_sortable`` - ``bool``
+    True if any of the displayed columns can be used to sort
+
+``is_view`` - ``bool``
+    Whether this resource is a view instead of a table
+
+``metadata`` - ``dict``
+    Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration.
+
+``next`` - ``str``
+    Pagination token for the next page, or None
+
+``next_url`` - ``str``
+    Full URL for the next page of results
+
+``ok`` - ``bool``
+    True if the data for this page was retrieved without errors
+
+``path_with_replaced_args`` - ``callable``
+    Function for building the current path with modified query string arguments. Pass the current ``request`` and a dictionary of argument names to replacement values, using ``None`` to remove an argument.
+
+``primary_keys`` - ``list``
+    List of primary key column names for this table, or an empty list if the table has no explicit primary key.
+
+``private`` - ``bool``
+    Whether this resource is private to the current actor
+
+``query`` - ``dict``
+    Details of the underlying SQL query as a dictionary with ``sql`` and ``params`` keys.
+
+``query_ms`` - ``float``
+    Time taken by the SQL queries for this page, in milliseconds
+
+``renderers`` - ``dict``
+    Dictionary mapping output format names such as ``json`` or plugin-provided renderer names to URLs for this data in that format.
+
+``rows`` - ``list``
+    The rows for this page, as a list of dictionaries mapping column name to raw value.
+
+``select_templates`` - ``list``
+    List of template names that were considered for this page, with the selected template prefixed by ``*``.
+
+``set_column_type_ui`` - ``dict``
+    Information needed to build an interface for assigning column types, or ``None`` if unavailable. When present it has ``path`` and ``columns`` keys; ``columns`` maps column names to ``current`` and ``options`` values.
+
+``settings`` - ``dict``
+    Dictionary of Datasette's current settings, keyed by setting name.
+
+``sort`` - ``str``
+    Column the page is sorted by, or None
+
+``sort_desc`` - ``str``
+    Column the page is sorted by in descending order, or None
+
+``sorted_facet_results`` - ``list``
+    Facet result dictionaries sorted for display. Each item has the same shape as an entry from ``facet_results['results']``.
+
+``suggested_facets`` - ``list``
+    Suggestions for facets that might return interesting results. Each item is a dictionary with ``name`` and ``toggle_url`` keys, and may include extra keys such as ``type`` or ``label`` depending on the facet class.
+
+``supports_search`` - ``bool``
+    True if this table has full-text search configured
+
+``table`` - ``str``
+    Table name
+
+``table_alter_ui`` - ``dict``
+    Information needed to enable the alter table UI, or ``None`` if altering this table is not available to the current actor. When present it has ``path``, ``tableName``, ``columns``, ``primaryKeys``, ``columnTypes``, ``defaultExpressions`` and ``foreignKeyTargetsPath`` keys, plus optional ``customColumnTypes`` and ``dropPath`` keys.
+
+``table_definition`` - ``str``
+    SQL definition for this table
+
+``table_insert_ui`` - ``dict``
+    Information needed to enable the row insertion UI, or ``None`` if row insertion is not available to the current actor. When present it has ``path``, ``tableName``, ``columns`` and ``primaryKeys`` keys; each column includes ``name``, ``sqlite_type``, ``notnull``, ``default``, ``has_default``, ``is_pk``, ``value_kind`` and ``column_type`` keys.
+
+``table_page_data`` - ``dict``
+    JSON data used by JavaScript on the table page. Includes ``database``, ``table`` and ``tableUrl``, plus optional ``foreignKeys`` mapping column names to autocomplete URLs, optional ``insertRow`` data and optional ``alterTable`` data.
+
+``top_table`` - ``callable``
+    Async callable that renders the ``top_table`` plugin slot for this table or view and returns HTML.
+
+``url_csv`` - ``str``
+    URL for the CSV export of this page
+
+``url_csv_hidden_args`` - ``list``
+    List of ``(name, value)`` pairs for hidden form fields used by the CSV export form, preserving current filters while forcing ``_size=max``.
+
+``url_csv_path`` - ``str``
+    Path portion of the CSV export URL
+
+``view_definition`` - ``str``
+    SQL definition for this view
+
+Row page
+--------
+
+The page showing an individual row, e.g. /fixtures/facetable/1. Rendered using the ``row.html`` template.
+
+Many of these keys are shared with the :ref:`JSON API <json_api>` for this page.
+
+``alternate_url_json`` - ``str``
+    URL for the JSON version of this page
+
+``columns`` - ``list``
+    List of column names returned by this table, row or query.
+
+``custom_table_templates`` - ``list``
+    Custom template names that were considered for displaying this row's table, in lookup order.
+
+``database`` - ``str``
+    Database name
+
+``database_color`` - ``str``
+    Color assigned to the database
+
+``display_columns`` - ``list``
+    Column metadata used by the HTML table display. Each item includes ``name``, ``sortable``, ``is_pk``, ``type``, ``notnull``, ``description``, ``column_type`` and ``column_type_config`` keys.
+
+``display_rows`` - ``list``
+    Rows formatted for the HTML table display. Each row is iterable and contains cell dictionaries with ``column``, ``value``, ``raw`` and ``value_type`` keys.
+
+``foreign_key_tables`` - ``list``
+    List of tables that link to this row using foreign keys. Each item includes the foreign key fields plus ``count`` for matching rows and ``link`` for the filtered table URL.
+
+``metadata`` - ``dict``
+    Metadata dictionary for the table, database or stored query. Table and row metadata include a ``columns`` dictionary mapping column names to descriptions; stored query metadata returns the stored query configuration.
+
+``ok`` - ``bool``
+    True if the data for this page was retrieved without errors
+
+``primary_key_values`` - ``list``
+    Values of the primary keys for this row, from the URL
+
+``primary_keys`` - ``list``
+    List of primary key column names for this table, or an empty list if the table has no explicit primary key.
+
+``private`` - ``bool``
+    Whether this resource is private to the current actor
+
+``query_ms`` - ``float``
+    Time taken by the SQL queries for this page, in milliseconds
+
+``renderers`` - ``dict``
+    Dictionary mapping output format names such as ``json`` to URLs for this row in that format.
+
+``row_actions`` - ``list``
+    Row actions made available by core and plugin hooks. Each item is either a link with ``href``, ``label`` and optional ``description`` keys, or a button with ``type: "button"``, ``label``, optional ``description`` and optional ``attrs``. See :ref:`plugin_actions` and :ref:`plugin_hook_row_actions`.
+
+``row_mutation_ui`` - ``bool``
+    True if the row edit/delete JavaScript UI should be enabled
+
+``rows`` - ``list``
+    A single-item list containing this row as a dictionary mapping column name to raw value.
+
+``select_templates`` - ``list``
+    List of template names that were considered for this page, with the selected template prefixed by ``*``.
+
+``settings`` - ``dict``
+    Dictionary of Datasette's current settings, keyed by setting name.
+
+``table`` - ``str``
+    Table name
+
+``table_page_data`` - ``dict``
+    JSON data used by JavaScript on the row page. Includes ``database``, ``table`` and ``tableUrl``, plus optional ``foreignKeys`` mapping column names to autocomplete URLs.
+
+``top_row`` - ``callable``
+    Async callable that renders the ``top_row`` plugin slot for this row and returns HTML.
+
+``url_csv`` - ``str``
+    URL for the CSV export of this page
+
+``url_csv_hidden_args`` - ``list``
+    List of ``(name, value)`` pairs for hidden form fields used by the CSV export form, preserving current options while forcing ``_size=max``.
+
+``url_csv_path`` - ``str``
+    Path portion of the CSV export URL
+
+.. [[[end]]]
diff --git a/docs/template_context_doc.py b/docs/template_context_doc.py
new file mode 100644
index 00000000..a5f4fb6f
--- /dev/null
+++ b/docs/template_context_doc.py
@@ -0,0 +1,45 @@
+"""
+Cog helpers for generating docs/template_context.rst from the Context
+dataclasses and TEMPLATE_BASE_CONTEXT - same pattern as json_api_doc.py.
+"""
+
+
+def template_context(cog):
+    from datasette.app import TEMPLATE_BASE_CONTEXT
+    from datasette.template_contexts import PAGES
+
+    cog.out("\n")
+    _section(
+        cog,
+        "Base context",
+        (
+            "These variables are available on every page rendered by "
+            "Datasette, including pages rendered by plugins that use "
+            ":ref:`datasette.render_template() <datasette_render_template>`. "
+            "Plugins can add additional variables using the "
+            ":ref:`plugin_hook_extra_template_vars` hook."
+        ),
+    )
+    for name, doc in TEMPLATE_BASE_CONTEXT.items():
+        cog.out("``{}``\n".format(name))
+        cog.out("    {}\n\n".format(doc))
+
+    for klass in PAGES.values():
+        title = "{} page".format(klass.__name__.removesuffix("Context"))
+        intro = "{} Rendered using the ``{}`` template.".format(
+            klass.__doc__, klass.documented_template
+        )
+        _section(cog, title, intro)
+        if klass.extras_scope is not None:
+            cog.out(
+                "Many of these keys are shared with the :ref:`JSON API "
+                "<json_api>` for this page.\n\n"
+            )
+        for f in sorted(klass.documented_fields(), key=lambda f: f.name):
+            cog.out("``{}`` - ``{}``\n".format(f.name, f.type_name))
+            cog.out("    {}\n\n".format(f.help))
+
+
+def _section(cog, title, intro):
+    cog.out("{}\n{}\n\n".format(title, "-" * len(title)))
+    cog.out("{}\n\n".format(intro))
diff --git a/docs/testing_plugins.rst b/docs/testing_plugins.rst
index b0713e7c..15891963 100644
--- a/docs/testing_plugins.rst
+++ b/docs/testing_plugins.rst
@@ -82,6 +82,73 @@ This method registers any :ref:`plugin_hook_startup` or :ref:`plugin_hook_prepar
 
 If you are using ``await datasette.client.get()`` and similar methods then you don't need to worry about this - Datasette automatically calls ``invoke_startup()`` the first time it handles a request.
 
+.. _testing_plugins_datasette_fixtures_database:
+
+Using Datasette's fixtures database
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Datasette's own test suite uses a SQLite database with tables that exercise features such as compound primary keys, foreign keys, sortable columns, facets, full-text search and binary data.
+
+You can use those same tables in your plugin tests using the ``populate_fixture_database(conn)`` helper in ``datasette.fixtures``:
+
+Be aware that future Datasette releases may change details of these tables, so try not to rely on their exact structure in your own tests.
+
+.. _datasette_fixtures_populate_fixture_database:
+
+``populate_fixture_database(conn)``
+    Populates an existing SQLite connection with the fixture tables.
+
+For an in-memory test database:
+
+.. code-block:: python
+
+    from datasette.app import Datasette
+    from datasette.fixtures import populate_fixture_database
+    import pytest
+    import pytest_asyncio
+
+
+    @pytest_asyncio.fixture
+    async def datasette():
+        datasette = Datasette()
+        db = datasette.add_memory_database("fixtures")
+        await db.execute_write_fn(populate_fixture_database)
+        await datasette.invoke_startup()
+        return datasette
+
+
+    @pytest.mark.asyncio
+    async def test_facetable(datasette):
+        response = await datasette.client.get(
+            "/fixtures/facetable.json?_shape=array"
+        )
+        assert response.status_code == 200
+
+.. _testing_plugins_autoclose:
+
+Automatic cleanup of Datasette instances
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Installing Datasette also installs a small pytest plugin that automatically calls :ref:`datasette_close` on any ``Datasette()`` instance constructed during a test. This helps prevent large test suites from running out of file descriptors or leaking background threads from the hundreds of instances they may build up across a session.
+
+The plugin closes:
+
+- Instances created in the body of a test function.
+- Instances created inside **function-scoped** pytest fixtures (the default scope — ``@pytest.fixture`` with no ``scope=`` argument, or ``scope="function"``).
+
+The plugin deliberately does **not** close:
+
+- Instances created inside higher-scoped fixtures (``scope="session"``, ``"module"``, ``"class"`` or ``"package"``). Those fixtures are typically designed to produce a single ``Datasette`` that is shared across many tests, and closing it automatically would break the tests that run after the first.
+
+In practice this means downstream projects rarely need to call ``ds.close()`` themselves — function-scoped fixtures and inline test code are both covered automatically, while long-lived shared fixtures keep working as before.
+
+If you need to opt out of this behavior, add the following to your ``pytest.ini`` (or equivalent):
+
+.. code-block:: ini
+
+    [pytest]
+    datasette_autoclose = false
+
 .. _testing_datasette_client:
 
 Using datasette.client in tests
@@ -235,9 +302,8 @@ As an example, here's a very simple plugin which executes an HTTP response and r
         if request.method == "GET":
             return Response.html("""
                 <form action="/-/fetch-url" method="post">
-                <input type="hidden" name="csrftoken" value="{}">
                 <input name="url"><input type="submit">
-            </form>""".format(request.scope["csrftoken"]()))
+            </form>""")
         vars = await request.post_vars()
         url = vars["url"]
         return Response.text(httpx.get(url).text)
diff --git a/docs/upgrade-1.0a20.md b/docs/upgrade-1.0a20.md
index fbc3f4a8..b27d8bd5 100644
--- a/docs/upgrade-1.0a20.md
+++ b/docs/upgrade-1.0a20.md
@@ -244,7 +244,7 @@ except (KeyError, TypeError):
 New code:
 ```python
 try:
-    query_info = await datasette.get_canned_query(database, query_name, request.actor)
+    query_info = await datasette.get_query(database, query_name)
     if query_info and "title" in query_info:
         title = query_info["title"]
 except (KeyError, TypeError):
@@ -253,7 +253,7 @@ except (KeyError, TypeError):
 
 ### Update render functions to async
 
-If your plugin's render function needs to call `datasette.get_canned_query()` or other async Datasette methods, it must be declared as async:
+If your plugin's render function needs to call `datasette.get_query()` or other async Datasette methods, it must be declared as async:
 
 Old code:
 ```python
@@ -268,7 +268,7 @@ New code:
 async def render_atom(datasette, request, sql, columns, rows, database, table, query_name, view_name, data):
     # ...
     if query_name:
-        query_info = await datasette.get_canned_query(database, query_name, request.actor)
+        query_info = await datasette.get_query(database, query_name)
         if query_info and "title" in query_info:
             title = query_info["title"]
 ```
diff --git a/docs/upgrade_guide.md b/docs/upgrade_guide.md
index b67eb054..33a8343b 100644
--- a/docs/upgrade_guide.md
+++ b/docs/upgrade_guide.md
@@ -155,3 +155,63 @@ token = await datasette.create_token(
 ```
 
 The `datasette create-token` CLI command is unchanged.
+
+(upgrade_guide_csrf)=
+### CSRF protection is now header-based
+
+Datasette's Cross-Site Request Forgery protection no longer uses tokens. The previous `asgi-csrf` mechanism - which set a `ds_csrftoken` cookie and required a matching `<input type="hidden" name="csrftoken">` in every form - has been replaced with an ASGI middleware that inspects the browser-set `Sec-Fetch-Site` and `Origin` headers, following the approach described in [Filippo Valsorda's research](https://words.filippo.io/csrf/) and implemented in Go 1.25's `http.CrossOriginProtection`.
+
+This works identically on HTTPS, HTTP, and localhost. Non-browser clients (curl, Python `requests`, server-to-server scripts) do not send `Sec-Fetch-Site` or `Origin` and are passed through unchanged - CSRF is a browser-only attack.
+
+Requests that carry an explicit `Authorization: Bearer ...` header are also exempt from the CSRF check, because bearer tokens are not ambient browser credentials: a malicious cross-origin page cannot cause the browser to attach a target site's bearer token unless the attacker's JavaScript already possesses it. This exemption is narrow - it covers the `Bearer` scheme only, not `Basic` or `Digest` - and it does not depend on the `--cors` setting. The exemption is about CSRF classification, not browser read access; CORS still controls the latter.
+
+#### What you can remove
+
+You can now delete any of the following from your plugins and custom templates:
+
+- Hidden CSRF form fields:
+
+  ```html
+  <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
+  ```
+
+  The `csrftoken()` template helper (and `request.scope["csrftoken"]()` for plugins that call it from Python) still exists as a compatibility shim. It now returns a per-request random string rather than a cookie-bound signed value. Datasette no longer validates this token, and no `ds_csrftoken` cookie is set.
+
+  **Important for plugin authors:** if your plugin previously used `request.scope["csrftoken"]()` or the `ds_csrftoken` cookie as a security primitive (for example, signing a URL and later comparing it to the cookie), the invariant that the token equals `request.cookies["ds_csrftoken"]` no longer holds. Replace those flows with signed, short-lived action URLs or explicit non-ambient credentials.
+
+- Manual CSRF token extraction in tests, e.g.:
+
+  ```python
+  # No longer needed
+  csrftoken = response.cookies["ds_csrftoken"]
+  cookies["ds_csrftoken"] = csrftoken
+  post_data["csrftoken"] = csrftoken
+  ```
+
+  The `ds_csrftoken` cookie is no longer set at all. The `csrftoken_from=` argument of the Datasette test client's `.post()` method is now a no-op and can be removed from your test code.
+
+#### Breaking changes
+
+- **The `skip_csrf` plugin hook has been removed.** Existing plugins that still declare a `skip_csrf` hookimpl will continue to load - pluggy silently ignores unknown hook names - but the hook is no longer consulted by core, so the flows it previously unlocked will now be blocked (or allowed) purely on the basis of the new header check.
+
+  The new middleware already covers the common cases that `skip_csrf` was written for:
+
+  - Browser-initiated JSON POSTs automatically get `Sec-Fetch-Site: same-origin` and pass the check.
+  - Non-browser API clients (curl, `requests`, server-to-server scripts) do not send browser security headers and are passed through.
+  - Requests with an explicit `Authorization: Bearer ...` header are exempt from the CSRF check (see above).
+
+  If your plugin previously used `skip_csrf` to accept cross-origin browser POSTs, replace that flow with an authentication mechanism that does **not** rely on ambient browser credentials. Safe patterns include:
+
+  - Requiring an `Authorization: Bearer ...` API token on the endpoint.
+  - Requiring a non-ambient credential in the request body (a webhook secret, HMAC signature, signed capability URL, OAuth client credential, or similar).
+  - Issuing a short-lived signed URL that encodes the actor, the action, and an expiry, and verifying the signature on request.
+
+  Do not rely on the `ds_csrftoken` cookie for your own plugin's security checks - Datasette no longer sets or validates it, and the `request.scope["csrftoken"]()` compatibility shim now returns a fresh random value each request rather than the signed cookie-bound value it used to.
+
+- **The `asgi-csrf` dependency has been dropped.** Any plugin that imported from `asgi_csrf` directly will need to be updated.
+
+- **The `csrf_error.html` template now receives a `reason` context variable** instead of `message_id` and `message_name`. Custom overrides of this template should be updated.
+
+#### Security properties
+
+For defense-in-depth the `ds_actor` and `ds_messages` cookies continue to be set with `SameSite=Lax` (Datasette's long-standing default). This means a genuine cross-site POST from an attacker's page would arrive without the user's authentication cookie even if the header check somehow failed.
diff --git a/docs/writing_plugins.rst b/docs/writing_plugins.rst
index cd165a3f..d1e5e75a 100644
--- a/docs/writing_plugins.rst
+++ b/docs/writing_plugins.rst
@@ -145,7 +145,16 @@ If your plugin has a ``static/`` directory, Datasette will automatically configu
 
     /-/static-plugins/NAME_OF_PLUGIN_PACKAGE/yourfile.js
 
-Use the ``datasette.urls.static_plugins(plugin_name, path)`` method to generate URLs to that asset that take the ``base_url`` setting into account, see :ref:`internals_datasette_urls`.
+Use the ``datasette.static(path, plugin=plugin_name)`` method to generate
+cache-busting URLs to those assets that take the ``base_url`` setting into
+account, see :ref:`datasette_static`.
+
+This can also be used from plugin templates as the ``static()`` template
+function:
+
+.. code-block:: html+jinja
+
+    <script src="{{ static('plugin.js', plugin='datasette_plugin_name') }}" defer></script>
 
 To bundle the static assets for a plugin in the package that you publish to PyPI, add the following to the plugin's ``setup.py``:
 
diff --git a/package-lock.json b/package-lock.json
index 35709001..213999c1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,7 @@
         "@rollup/plugin-node-resolve": "^15.0.1",
         "@rollup/plugin-terser": "^0.1.0",
         "codemirror": "^6.0.1",
-        "rollup": "^3.29.5"
+        "rollup": "^3.30.0"
       },
       "devDependencies": {
         "prettier": "^3.0.0"
@@ -380,9 +380,9 @@
       "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw=="
     },
     "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "engines": {
         "node": ">=8.6"
       },
@@ -423,9 +423,9 @@
       }
     },
     "node_modules/rollup": {
-      "version": "3.29.5",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.29.5.tgz",
-      "integrity": "sha512-GVsDdsbJzzy4S/v3dqWPJ7EfvZJfCHiDqe80IyrF59LYuP+e6U1LJoUqeuqRbwAWoMNoXivMNeNAOf5E22VA1w==",
+      "version": "3.30.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.30.0.tgz",
+      "integrity": "sha512-kQvGasUgN+AlWGliFn2POSajRQEsULVYFGTvOZmK06d7vCD+YhZztt70kGk3qaeAXeWYL5eO7zx+rAubBc55eA==",
       "bin": {
         "rollup": "dist/bin/rollup"
       },
@@ -776,9 +776,9 @@
       "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw=="
     },
     "picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA=="
     },
     "prettier": {
       "version": "3.6.2",
@@ -797,9 +797,9 @@
       }
     },
     "rollup": {
-      "version": "3.29.5",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.29.5.tgz",
-      "integrity": "sha512-GVsDdsbJzzy4S/v3dqWPJ7EfvZJfCHiDqe80IyrF59LYuP+e6U1LJoUqeuqRbwAWoMNoXivMNeNAOf5E22VA1w==",
+      "version": "3.30.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.30.0.tgz",
+      "integrity": "sha512-kQvGasUgN+AlWGliFn2POSajRQEsULVYFGTvOZmK06d7vCD+YhZztt70kGk3qaeAXeWYL5eO7zx+rAubBc55eA==",
       "requires": {
         "fsevents": "~2.3.2"
       }
diff --git a/package.json b/package.json
index 16453896..27abd0cd 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,6 @@
     "@rollup/plugin-node-resolve": "^15.0.1",
     "@rollup/plugin-terser": "^0.1.0",
     "codemirror": "^6.0.1",
-    "rollup": "^3.29.5"
+    "rollup": "^3.30.0"
   }
 }
diff --git a/pyproject.toml b/pyproject.toml
index 2ab2ce10..215b2cca 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -32,15 +32,14 @@ dependencies = [
     "pluggy>=1.0",
     "uvicorn>=0.11",
     "aiofiles>=0.4",
-    "janus>=0.6.2",
-    "asgi-csrf>=0.10",
     "PyYAML>=5.3",
     "mergedeep>=1.1.1",
     "itsdangerous>=1.1",
-    "sqlite-utils>=3.30",
-    "asyncinject>=0.6.1",
+    "sqlite-utils>=3.30,<4.0",
+    "asyncinject>=0.7",
     "setuptools",
     "pip",
+    "pydantic>=2",
 ]
 
 [project.urls]
@@ -55,13 +54,16 @@ CI = "https://github.com/simonw/datasette/actions?query=workflow%3ATest"
 [project.scripts]
 datasette = "datasette.cli:cli"
 
+[project.entry-points.pytest11]
+datasette = "datasette._pytest_plugin"
+
 [dependency-groups]
 dev = [
     "pytest>=9",
     "pytest-xdist>=2.2.1",
     "pytest-asyncio>=1.2.0",
     "beautifulsoup4>=4.8.1",
-    "black==26.1.0",
+    "black==26.3.1",
     "blacken-docs==1.20.0",
     "pytest-timeout>=1.4.2",
     "trustme>=0.7",
@@ -78,6 +80,10 @@ dev = [
     "myst-parser",
     "sphinx-markdown-builder",
     "ruamel.yaml",
+    "psutil>=5.9",
+]
+playwright = [
+    "pytest-playwright>=0.8.0",
 ]
 
 [project.optional-dependencies]
diff --git a/pytest.ini b/pytest.ini
index 29b84ea5..75de6925 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -6,4 +6,5 @@ filterwarnings=
     ignore:Using or importing the ABCs::bs4.element
 markers =
     serial: tests to avoid using with pytest-xdist
-asyncio_mode = strict
\ No newline at end of file
+    playwright: browser automation tests, skipped unless --playwright is passed
+asyncio_mode = strict
diff --git a/test-in-pyodide-with-shot-scraper.sh b/test-in-pyodide-with-shot-scraper.sh
index 4d1c4968..8d7fa08e 100755
--- a/test-in-pyodide-with-shot-scraper.sh
+++ b/test-in-pyodide-with-shot-scraper.sh
@@ -1,40 +1,37 @@
 #!/bin/bash
-set -e
-# So the script fails if there are any errors
+set -euo pipefail
+
+read -r -a PYTHON_CMD <<< "${PYTHON:-python3}"
+read -r -a SHOT_SCRAPER_CMD <<< "${SHOT_SCRAPER:-shot-scraper}"
 
 # Build the wheel
-python3 -m build
+"${PYTHON_CMD[@]}" -m build
 
-# Find name of wheel, strip off the dist/
-wheel=$(basename $(ls dist/*.whl) | head -n 1)
+# Find name of most recently built wheel, strip off the dist/
+wheel=$(basename "$(ls -t dist/*.whl | head -n 1)")
 
 # Create a blank index page
 echo '
-<script src="https://cdn.jsdelivr.net/pyodide/v0.20.0/full/pyodide.js"></script>
+<script src="https://cdn.jsdelivr.net/pyodide/v314.0.0/full/pyodide.js"></script>
 ' > dist/index.html
 
 # Run a server for that dist/ folder
-cd dist
-python3 -m http.server 8529 &
-cd ..
+"${PYTHON_CMD[@]}" -m http.server 8529 --directory dist &
+server_pid=$!
 
 # Register the kill_server function to be called on script exit
 kill_server() {
-  pkill -f 'http.server 8529'
+  kill "$server_pid" 2>/dev/null || true
 }
 trap kill_server EXIT
 
 
-shot-scraper javascript http://localhost:8529/ "
+"${SHOT_SCRAPER_CMD[@]}" javascript http://localhost:8529/ "
 async () => {
   let pyodide = await loadPyodide();
-  await pyodide.loadPackage(['micropip', 'ssl', 'setuptools']);
+  await pyodide.loadPackage(['micropip', 'setuptools']);
   let output = await pyodide.runPythonAsync(\`
     import micropip
-    await micropip.install('h11==0.12.0')
-    await micropip.install('httpx==0.23')
-    # To avoid 'from typing_extensions import deprecated' error:
-    await micropip.install('typing-extensions>=4.12.2')
     await micropip.install('http://localhost:8529/$wheel')
     import ssl
     import setuptools
diff --git a/tests/conftest.py b/tests/conftest.py
index efa02c0a..7ec03146 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -1,4 +1,5 @@
 import httpx
+import importlib.metadata
 import os
 import pathlib
 import pytest
@@ -28,8 +29,6 @@ UNDOCUMENTED_PERMISSIONS = {
     "view_document",
 }
 
-_ds_client = None
-
 
 def wait_until_responds(url, timeout=5.0, client=httpx, **kwargs):
     start = time.time()
@@ -42,17 +41,24 @@ def wait_until_responds(url, timeout=5.0, client=httpx, **kwargs):
     raise AssertionError("Timed out waiting for {} to respond".format(url))
 
 
-@pytest_asyncio.fixture
+@pytest.fixture
+def bare_ds():
+    """
+    Minimal Datasette with no plugins, data, metadata, or config - for tests
+    that want to exercise core behavior (e.g. middleware) in isolation.
+    """
+    from datasette.app import Datasette
+
+    return Datasette(memory=True)
+
+
+@pytest_asyncio.fixture(scope="session")
 async def ds_client():
     from datasette.app import Datasette
     from datasette.database import Database
     from .fixtures import CONFIG, METADATA, PLUGINS_DIR
     import secrets
 
-    global _ds_client
-    if _ds_client is not None:
-        return _ds_client
-
     ds = Datasette(
         metadata=METADATA,
         config=CONFIG,
@@ -67,7 +73,7 @@ async def ds_client():
             "num_sql_threads": 1,
         },
     )
-    from .fixtures import TABLES, TABLE_PARAMETERIZED_SQL
+    from datasette.fixtures import populate_fixture_database
 
     # Use a unique memory_name to avoid collisions between different
     # Datasette instances in the same process, but use "fixtures" for routing
@@ -77,20 +83,40 @@ async def ds_client():
 
     def prepare(conn):
         if not conn.execute("select count(*) from sqlite_master").fetchone()[0]:
-            conn.executescript(TABLES)
-            for sql, params in TABLE_PARAMETERIZED_SQL:
-                with conn:
-                    conn.execute(sql, params)
+            populate_fixture_database(conn)
 
     await db.execute_write_fn(prepare)
     await ds.invoke_startup()
-    _ds_client = ds.client
-    return _ds_client
+    return ds.client
 
 
 def pytest_report_header(config):
-    return "SQLite: {}".format(
-        sqlite3.connect(":memory:").execute("select sqlite_version()").fetchone()[0]
+    conn = sqlite3.connect(":memory:")
+    version = conn.execute("select sqlite_version()").fetchone()[0]
+    conn.close()
+    sqlite_utils_version = importlib.metadata.version("sqlite-utils")
+    headers = [
+        "SQLite: {}".format(version),
+        "sqlite-utils: {}".format(sqlite_utils_version),
+    ]
+    if config.getoption("--playwright"):
+        try:
+            browsers = config.getoption("--browser")
+        except ValueError:
+            browsers = None
+        if isinstance(browsers, str):
+            browsers = [browsers]
+        if browsers:
+            headers.append("Playwright browsers: {}".format(", ".join(browsers)))
+    return headers
+
+
+def pytest_addoption(parser):
+    parser.addoption(
+        "--playwright",
+        action="store_true",
+        default=False,
+        help="run Playwright browser automation tests",
     )
 
 
@@ -106,7 +132,13 @@ def pytest_unconfigure(config):
     del sys._called_from_test
 
 
-def pytest_collection_modifyitems(items):
+def pytest_collection_modifyitems(config, items):
+    if not config.getoption("--playwright"):
+        skip_playwright = pytest.mark.skip(reason="need --playwright option to run")
+        for item in items:
+            if "playwright" in item.keywords:
+                item.add_marker(skip_playwright)
+
     # Ensure test_cli.py and test_black.py and test_inspect.py run first before any asyncio code kicks in
     move_to_front(items, "test_cli")
     move_to_front(items, "test_black")
@@ -144,6 +176,7 @@ def restore_working_directory(tmpdir, request):
 @pytest.fixture(scope="session", autouse=True)
 def check_actions_are_documented():
     from datasette.plugins import pm
+    from datasette.default_actions import register_actions as default_register_actions
 
     content = (
         pathlib.Path(__file__).parent.parent / "docs" / "authentication.rst"
@@ -152,6 +185,9 @@ def check_actions_are_documented():
     documented_actions = set(permissions_re.findall(content)).union(
         UNDOCUMENTED_PERMISSIONS
     )
+    # Only Datasette core actions need to be documented - actions registered
+    # by (test) plugins are checked for registration but not documentation
+    core_actions = {action.name for action in default_register_actions()}
 
     def before(hook_name, hook_impls, kwargs):
         if hook_name == "permission_resources_sql":
@@ -163,9 +199,10 @@ def check_actions_are_documented():
                 + " (or maybe a test forgot to do await ds.invoke_startup())"
             )
             action = kwargs.get("action").replace("-", "_")
-            assert (
-                action in documented_actions
-            ), "Undocumented permission action: {}".format(action)
+            if kwargs["action"] in core_actions:
+                assert (
+                    action in documented_actions
+                ), "Undocumented permission action: {}".format(action)
 
     pm.add_hookcall_monitoring(
         before=before, after=lambda outcome, hook_name, hook_impls, kwargs: None
@@ -223,8 +260,12 @@ def ds_unix_domain_socket_server(tmp_path_factory):
     # This used to use tmp_path_factory.mktemp("uds") but that turned out to
     # produce paths that were too long to use as UDS on macOS, see
     # https://github.com/simonw/datasette/issues/1407 - so I switched to
-    # using tempfile.gettempdir()
-    uds = str(pathlib.Path(tempfile.gettempdir()) / "datasette.sock")
+    # using tempfile.gettempdir() with a per-process filename.
+    uds = str(pathlib.Path(tempfile.gettempdir()) / f"datasette-{os.getpid()}.sock")
+    try:
+        os.unlink(uds)
+    except FileNotFoundError:
+        pass
     ds_proc = subprocess.Popen(
         [sys.executable, "-m", "datasette", "--memory", "--uds", uds],
         stdout=subprocess.PIPE,
@@ -234,12 +275,26 @@ def ds_unix_domain_socket_server(tmp_path_factory):
     # Poll until available
     transport = httpx.HTTPTransport(uds=uds)
     client = httpx.Client(transport=transport)
-    wait_until_responds("http://localhost/_memory.json", client=client)
-    # Check it started successfully
-    assert not ds_proc.poll(), ds_proc.stdout.read().decode("utf-8")
-    yield ds_proc, uds
-    # Shut it down at the end of the pytest session
-    ds_proc.terminate()
+    try:
+        wait_until_responds(
+            "http://localhost/_memory.json", timeout=30.0, client=client
+        )
+        # Check it started successfully
+        assert not ds_proc.poll(), ds_proc.stdout.read().decode("utf-8")
+        yield ds_proc, uds
+    finally:
+        client.close()
+        # Shut it down at the end of the pytest session
+        ds_proc.terminate()
+        try:
+            ds_proc.wait(timeout=5)
+        except subprocess.TimeoutExpired:
+            ds_proc.kill()
+            ds_proc.wait()
+        try:
+            os.unlink(uds)
+        except FileNotFoundError:
+            pass
 
 
 # Import fixtures from fixtures.py to make them available
@@ -259,8 +314,6 @@ from .fixtures import (  # noqa: E402, F401
     app_client_with_cors,
     app_client_with_dot,
     app_client_with_trace,
-    generate_compound_rows,
-    generate_sortable_rows,
     make_app_client,
     TEMP_PLUGIN_SECRET_FILE,
 )
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 1f6c491d..8ab3633f 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -1,15 +1,16 @@
 from datasette.app import Datasette
-from datasette.utils.sqlite import sqlite3
+from datasette.fixtures import (
+    EXTRA_DATABASE_SQL,
+    write_extra_database,
+    write_fixture_database,
+)
 from datasette.utils.testing import TestClient
 import click
 import contextlib
-import itertools
 import json
 import os
 import pathlib
 import pytest
-import random
-import string
 import tempfile
 import textwrap
 
@@ -34,7 +35,6 @@ EXPECTED_PLUGINS = [
         "hooks": [
             "actor_from_request",
             "asgi_wrapper",
-            "canned_queries",
             "database_actions",
             "extra_body_script",
             "extra_css_urls",
@@ -54,7 +54,6 @@ EXPECTED_PLUGINS = [
             "register_token_handler",
             "render_cell",
             "row_actions",
-            "skip_csrf",
             "startup",
             "table_actions",
             "view_actions",
@@ -68,7 +67,6 @@ EXPECTED_PLUGINS = [
         "hooks": [
             "actor_from_request",
             "asgi_wrapper",
-            "canned_queries",
             "extra_js_urls",
             "extra_template_vars",
             "handle_exception",
@@ -129,19 +127,18 @@ def make_app_client(
         else:
             files = [filepath]
             immutables = []
-        conn = sqlite3.connect(filepath)
-        conn.executescript(TABLES)
-        for sql, params in TABLE_PARAMETERIZED_SQL:
-            with conn:
-                conn.execute(sql, params)
-        # Close the connection to avoid "too many open files" errors
-        conn.close()
+        write_fixture_database(filepath)
         if extra_databases is not None:
             for extra_filename, extra_sql in extra_databases.items():
                 extra_filepath = os.path.join(tmpdir, extra_filename)
-                c2 = sqlite3.connect(extra_filepath)
-                c2.executescript(extra_sql)
-                c2.close()
+                if extra_sql == EXTRA_DATABASE_SQL:
+                    write_extra_database(extra_filepath)
+                else:
+                    from datasette.utils.sqlite import sqlite3
+
+                    c2 = sqlite3.connect(extra_filepath)
+                    c2.executescript(extra_sql)
+                    c2.close()
                 # Insert at start to help test /-/databases ordering:
                 files.insert(0, extra_filepath)
         os.chdir(os.path.dirname(filepath))
@@ -188,6 +185,8 @@ def app_client():
 def app_client_no_files():
     ds = Datasette([])
     yield TestClient(ds)
+    for db in ds.databases.values():
+        db.close()
 
 
 @pytest.fixture(scope="session")
@@ -278,29 +277,6 @@ def app_client_immutable_and_inspect_file():
         yield client
 
 
-def generate_compound_rows(num):
-    for a, b, c in itertools.islice(
-        itertools.product(string.ascii_lowercase, repeat=3), num
-    ):
-        yield a, b, c, f"{a}-{b}-{c}"
-
-
-def generate_sortable_rows(num):
-    rand = random.Random(42)
-    for a, b in itertools.islice(
-        itertools.product(string.ascii_lowercase, repeat=2), num
-    ):
-        yield {
-            "pk1": a,
-            "pk2": b,
-            "content": f"{a}-{b}",
-            "sortable": rand.randint(-100, 100),
-            "sortable_with_nulls": rand.choice([None, rand.random(), rand.random()]),
-            "sortable_with_nulls_2": rand.choice([None, rand.random(), rand.random()]),
-            "text": rand.choice(["$null", "$blah"]),
-        }
-
-
 CONFIG = {
     "plugins": {
         "name-of-plugin": {"depth": "root"},
@@ -398,345 +374,6 @@ METADATA = {
     },
 }
 
-TABLES = (
-    """
-CREATE TABLE simple_primary_key (
-  id integer primary key,
-  content text
-);
-
-CREATE TABLE primary_key_multiple_columns (
-  id varchar(30) primary key,
-  content text,
-  content2 text
-);
-
-CREATE TABLE primary_key_multiple_columns_explicit_label (
-  id varchar(30) primary key,
-  content text,
-  content2 text
-);
-
-CREATE TABLE compound_primary_key (
-  pk1 varchar(30),
-  pk2 varchar(30),
-  content text,
-  PRIMARY KEY (pk1, pk2)
-);
-
-INSERT INTO compound_primary_key VALUES ('a', 'b', 'c');
-INSERT INTO compound_primary_key VALUES ('a/b', '.c-d', 'c');
-INSERT INTO compound_primary_key VALUES ('d', 'e', 'RENDER_CELL_DEMO');
-
-CREATE TABLE compound_three_primary_keys (
-  pk1 varchar(30),
-  pk2 varchar(30),
-  pk3 varchar(30),
-  content text,
-  PRIMARY KEY (pk1, pk2, pk3)
-);
-CREATE INDEX idx_compound_three_primary_keys_content ON compound_three_primary_keys(content);
-
-CREATE TABLE foreign_key_references (
-  pk varchar(30) primary key,
-  foreign_key_with_label integer,
-  foreign_key_with_blank_label integer,
-  foreign_key_with_no_label varchar(30),
-  foreign_key_compound_pk1 varchar(30),
-  foreign_key_compound_pk2 varchar(30),
-  FOREIGN KEY (foreign_key_with_label) REFERENCES simple_primary_key(id),
-  FOREIGN KEY (foreign_key_with_blank_label) REFERENCES simple_primary_key(id),
-  FOREIGN KEY (foreign_key_with_no_label) REFERENCES primary_key_multiple_columns(id)
-  FOREIGN KEY (foreign_key_compound_pk1, foreign_key_compound_pk2) REFERENCES compound_primary_key(pk1, pk2)
-);
-
-CREATE TABLE sortable (
-  pk1 varchar(30),
-  pk2 varchar(30),
-  content text,
-  sortable integer,
-  sortable_with_nulls real,
-  sortable_with_nulls_2 real,
-  text text,
-  PRIMARY KEY (pk1, pk2)
-);
-
-CREATE TABLE no_primary_key (
-  content text,
-  a text,
-  b text,
-  c text
-);
-
-CREATE TABLE [123_starts_with_digits] (
-  content text
-);
-
-CREATE VIEW paginated_view AS
-    SELECT
-        content,
-        '- ' || content || ' -' AS content_extra
-    FROM no_primary_key;
-
-CREATE TABLE "Table With Space In Name" (
-  pk varchar(30) primary key,
-  content text
-);
-
-CREATE TABLE "table/with/slashes.csv" (
-  pk varchar(30) primary key,
-  content text
-);
-
-CREATE TABLE "complex_foreign_keys" (
-  pk varchar(30) primary key,
-  f1 integer,
-  f2 integer,
-  f3 integer,
-  FOREIGN KEY ("f1") REFERENCES [simple_primary_key](id),
-  FOREIGN KEY ("f2") REFERENCES [simple_primary_key](id),
-  FOREIGN KEY ("f3") REFERENCES [simple_primary_key](id)
-);
-
-CREATE TABLE "custom_foreign_key_label" (
-  pk varchar(30) primary key,
-  foreign_key_with_custom_label text,
-  FOREIGN KEY ("foreign_key_with_custom_label") REFERENCES [primary_key_multiple_columns_explicit_label](id)
-);
-
-CREATE TABLE tags (
-    tag TEXT PRIMARY KEY
-);
-
-CREATE TABLE searchable (
-  pk integer primary key,
-  text1 text,
-  text2 text,
-  [name with . and spaces] text
-);
-
-CREATE TABLE searchable_tags (
-    searchable_id integer,
-    tag text,
-    PRIMARY KEY (searchable_id, tag),
-    FOREIGN KEY (searchable_id) REFERENCES searchable(pk),
-    FOREIGN KEY (tag) REFERENCES tags(tag)
-);
-
-INSERT INTO searchable VALUES (1, 'barry cat', 'terry dog', 'panther');
-INSERT INTO searchable VALUES (2, 'terry dog', 'sara weasel', 'puma');
-
-INSERT INTO tags VALUES ("canine");
-INSERT INTO tags VALUES ("feline");
-
-INSERT INTO searchable_tags (searchable_id, tag) VALUES
-    (1, "feline"),
-    (2, "canine")
-;
-
-CREATE VIRTUAL TABLE "searchable_fts"
-    USING FTS5 (text1, text2, [name with . and spaces], content="searchable", content_rowid="pk");
-INSERT INTO "searchable_fts" (searchable_fts) VALUES ('rebuild');
-
-CREATE TABLE [select] (
-  [group] text,
-  [having] text,
-  [and] text,
-  [json] text
-);
-INSERT INTO [select] VALUES ('group', 'having', 'and',
-    '{"href": "http://example.com/", "label":"Example"}'
-);
-
-CREATE TABLE infinity (
-    value REAL
-);
-INSERT INTO infinity VALUES
-    (1e999),
-    (-1e999),
-    (1.5)
-;
-
-CREATE TABLE facet_cities (
-    id integer primary key,
-    name text
-);
-INSERT INTO facet_cities (id, name) VALUES
-    (1, 'San Francisco'),
-    (2, 'Los Angeles'),
-    (3, 'Detroit'),
-    (4, 'Memnonia')
-;
-
-CREATE TABLE facetable (
-    pk integer primary key,
-    created text,
-    planet_int integer,
-    on_earth integer,
-    state text,
-    _city_id integer,
-    _neighborhood text,
-    tags text,
-    complex_array text,
-    distinct_some_null,
-    n text,
-    FOREIGN KEY ("_city_id") REFERENCES [facet_cities](id)
-);
-INSERT INTO facetable
-    (created, planet_int, on_earth, state, _city_id, _neighborhood, tags, complex_array, distinct_some_null, n)
-VALUES
-    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Mission', '["tag1", "tag2"]', '[{"foo": "bar"}]', 'one', 'n1'),
-    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Dogpatch', '["tag1", "tag3"]', '[]', 'two', 'n2'),
-    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'SOMA', '[]', '[]', null, null),
-    ("2019-01-14 08:00:00", 1, 1, 'CA', 1, 'Tenderloin', '[]', '[]', null, null),
-    ("2019-01-15 08:00:00", 1, 1, 'CA', 1, 'Bernal Heights', '[]', '[]', null, null),
-    ("2019-01-15 08:00:00", 1, 1, 'CA', 1, 'Hayes Valley', '[]', '[]', null, null),
-    ("2019-01-15 08:00:00", 1, 1, 'CA', 2, 'Hollywood', '[]', '[]', null, null),
-    ("2019-01-15 08:00:00", 1, 1, 'CA', 2, 'Downtown', '[]', '[]', null, null),
-    ("2019-01-16 08:00:00", 1, 1, 'CA', 2, 'Los Feliz', '[]', '[]', null, null),
-    ("2019-01-16 08:00:00", 1, 1, 'CA', 2, 'Koreatown', '[]', '[]', null, null),
-    ("2019-01-16 08:00:00", 1, 1, 'MI', 3, 'Downtown', '[]', '[]', null, null),
-    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Greektown', '[]', '[]', null, null),
-    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Corktown', '[]', '[]', null, null),
-    ("2019-01-17 08:00:00", 1, 1, 'MI', 3, 'Mexicantown', '[]', '[]', null, null),
-    ("2019-01-17 08:00:00", 2, 0, 'MC', 4, 'Arcadia Planitia', '[]', '[]', null, null)
-;
-
-CREATE TABLE binary_data (
-    data BLOB
-);
-
--- Many 2 Many demo: roadside attractions!
-
-CREATE TABLE roadside_attractions (
-    pk integer primary key,
-    name text,
-    address text,
-    url text,
-    latitude real,
-    longitude real
-);
-INSERT INTO roadside_attractions VALUES (
-    1, "The Mystery Spot", "465 Mystery Spot Road, Santa Cruz, CA 95065", "https://www.mysteryspot.com/",
-    37.0167, -122.0024
-);
-INSERT INTO roadside_attractions VALUES (
-    2, "Winchester Mystery House", "525 South Winchester Boulevard, San Jose, CA 95128", "https://winchestermysteryhouse.com/",
-    37.3184, -121.9511
-);
-INSERT INTO roadside_attractions VALUES (
-    3, "Burlingame Museum of PEZ Memorabilia", "214 California Drive, Burlingame, CA 94010", null,
-    37.5793, -122.3442
-);
-INSERT INTO roadside_attractions VALUES (
-    4, "Bigfoot Discovery Museum", "5497 Highway 9, Felton, CA 95018", "https://www.bigfootdiscoveryproject.com/",
-    37.0414, -122.0725
-);
-
-CREATE TABLE attraction_characteristic (
-    pk integer primary key,
-    name text
-);
-INSERT INTO attraction_characteristic VALUES (
-    1, "Museum"
-);
-INSERT INTO attraction_characteristic VALUES (
-    2, "Paranormal"
-);
-
-CREATE TABLE roadside_attraction_characteristics (
-    attraction_id INTEGER REFERENCES roadside_attractions(pk),
-    characteristic_id INTEGER REFERENCES attraction_characteristic(pk)
-);
-INSERT INTO roadside_attraction_characteristics VALUES (
-    1, 2
-);
-INSERT INTO roadside_attraction_characteristics VALUES (
-    2, 2
-);
-INSERT INTO roadside_attraction_characteristics VALUES (
-    4, 2
-);
-INSERT INTO roadside_attraction_characteristics VALUES (
-    3, 1
-);
-INSERT INTO roadside_attraction_characteristics VALUES (
-    4, 1
-);
-
-INSERT INTO simple_primary_key VALUES (1, 'hello');
-INSERT INTO simple_primary_key VALUES (2, 'world');
-INSERT INTO simple_primary_key VALUES (3, '');
-INSERT INTO simple_primary_key VALUES (4, 'RENDER_CELL_DEMO');
-INSERT INTO simple_primary_key VALUES (5, 'RENDER_CELL_ASYNC');
-
-INSERT INTO primary_key_multiple_columns VALUES (1, 'hey', 'world');
-INSERT INTO primary_key_multiple_columns_explicit_label VALUES (1, 'hey', 'world2');
-
-INSERT INTO foreign_key_references VALUES (1, 1, 3, 1, 'a', 'b');
-INSERT INTO foreign_key_references VALUES (2, null, null, null, null, null);
-
-INSERT INTO complex_foreign_keys VALUES (1, 1, 2, 1);
-INSERT INTO custom_foreign_key_label VALUES (1, 1);
-
-INSERT INTO [table/with/slashes.csv] VALUES (3, 'hey');
-
-CREATE VIEW simple_view AS
-    SELECT content, upper(content) AS upper_content FROM simple_primary_key;
-
-CREATE VIEW searchable_view AS
-    SELECT * from searchable;
-
-CREATE VIEW searchable_view_configured_by_metadata AS
-    SELECT * from searchable;
-
-"""
-    + "\n".join(
-        [
-            'INSERT INTO no_primary_key VALUES ({i}, "a{i}", "b{i}", "c{i}");'.format(
-                i=i + 1
-            )
-            for i in range(201)
-        ]
-    )
-    + '\nINSERT INTO no_primary_key VALUES ("RENDER_CELL_DEMO", "a202", "b202", "c202");\n'
-    + "\n".join(
-        [
-            'INSERT INTO compound_three_primary_keys VALUES ("{a}", "{b}", "{c}", "{content}");'.format(
-                a=a, b=b, c=c, content=content
-            )
-            for a, b, c, content in generate_compound_rows(1001)
-        ]
-    )
-    + "\n".join(["""INSERT INTO sortable VALUES (
-        "{pk1}", "{pk2}", "{content}", {sortable},
-        {sortable_with_nulls}, {sortable_with_nulls_2}, "{text}");
-    """.format(**row).replace("None", "null") for row in generate_sortable_rows(201)])
-)
-TABLE_PARAMETERIZED_SQL = [
-    ("insert into binary_data (data) values (?);", [b"\x15\x1c\x02\xc7\xad\x05\xfe"]),
-    ("insert into binary_data (data) values (?);", [b"\x15\x1c\x03\xc7\xad\x05\xfe"]),
-    ("insert into binary_data (data) values (null);", []),
-]
-
-EXTRA_DATABASE_SQL = """
-CREATE TABLE searchable (
-  pk integer primary key,
-  text1 text,
-  text2 text
-);
-
-CREATE VIEW searchable_view AS SELECT * FROM searchable;
-
-INSERT INTO searchable VALUES (1, 'barry cat', 'terry dog');
-INSERT INTO searchable VALUES (2, 'terry dog', 'sara weasel');
-
-CREATE VIRTUAL TABLE "searchable_fts"
-    USING FTS3 (text1, text2, content="searchable");
-INSERT INTO "searchable_fts" (rowid, text1, text2)
-    SELECT rowid, text1, text2 FROM searchable;
-"""
-
 
 def assert_permissions_checked(datasette, actions):
     # actions is a list of "action" or (action, resource) tuples
@@ -818,11 +455,7 @@ def cli(db_filename, config, metadata, plugins_path, recreate, extra_db_filename
             )
         else:
             pathlib.Path(db_filename).unlink()
-    conn = sqlite3.connect(db_filename)
-    conn.executescript(TABLES)
-    for sql, params in TABLE_PARAMETERIZED_SQL:
-        with conn:
-            conn.execute(sql, params)
+    write_fixture_database(db_filename)
     print(f"Test tables written to {db_filename}")
     if metadata:
         with open(metadata, "w") as fp:
@@ -849,8 +482,7 @@ def cli(db_filename, config, metadata, plugins_path, recreate, extra_db_filename
                 )
             else:
                 pathlib.Path(extra_db_filename).unlink()
-        conn = sqlite3.connect(extra_db_filename)
-        conn.executescript(EXTRA_DATABASE_SQL)
+        write_extra_database(extra_db_filename)
         print(f"Test tables written to {extra_db_filename}")
 
 
diff --git a/tests/plugins/my_plugin.py b/tests/plugins/my_plugin.py
index 77079557..c89ad0a3 100644
--- a/tests/plugins/my_plugin.py
+++ b/tests/plugins/my_plugin.py
@@ -314,11 +314,6 @@ def startup(datasette):
     _ = (Response, Forbidden, NotFound, hookimpl, actor_matches_allow)
 
 
-@hookimpl
-def canned_queries(datasette, database, actor):
-    return {"from_hook": f"select 1, '{actor['id'] if actor else 'null'}' as actor_id"}
-
-
 @hookimpl
 def register_magic_parameters():
     from uuid import uuid4
@@ -362,15 +357,30 @@ def menu_links(datasette, actor, request):
 
 
 @hookimpl
-def table_actions(datasette, database, table, actor):
+def table_actions(datasette, database, table, actor, request):
     if actor:
-        return [
+        actions = [
             {
                 "href": datasette.urls.instance(),
                 "label": f"Database: {database}",
             },
             {"href": datasette.urls.instance(), "label": f"Table: {table}"},
         ]
+        if request.args.get("_button"):
+            actions.append(
+                {
+                    "type": "button",
+                    "label": "Plugin button",
+                    "description": "Runs JavaScript from a plugin",
+                    "attrs": {
+                        "aria-label": "Plugin button for {}".format(table),
+                        "data-plugin-action": "plugin-button",
+                        "data-database": database,
+                        "data-table": table,
+                    },
+                }
+            )
+        return actions
 
 
 @hookimpl
@@ -387,8 +397,8 @@ def view_actions(datasette, database, view, actor):
 
 @hookimpl
 def query_actions(datasette, database, query_name, sql):
-    # Don't explain an explain
-    if sql.lower().startswith("explain"):
+    # Don't explain an explain (or a missing query)
+    if not sql or sql.lower().startswith("explain"):
         return
     return [
         {
@@ -444,11 +454,6 @@ def homepage_actions(datasette, actor, request):
         ]
 
 
-@hookimpl
-def skip_csrf(scope):
-    return scope["path"] == "/skip-csrf"
-
-
 @hookimpl
 def register_actions(datasette):
     extras_old = datasette.plugin_config("datasette-register-permissions") or {}
diff --git a/tests/plugins/my_plugin_2.py b/tests/plugins/my_plugin_2.py
index 35775ef9..864637a6 100644
--- a/tests/plugins/my_plugin_2.py
+++ b/tests/plugins/my_plugin_2.py
@@ -127,20 +127,18 @@ def startup(datasette):
         internal_db = datasette.get_internal_database()
         result = await internal_db.execute("select 1 + 1")
         datasette._startup_hook_calculation = result.first()[0]
-
-    return inner
-
-
-@hookimpl
-def canned_queries(datasette, database):
-    async def inner():
-        return {
-            "from_async_hook": "select {}".format(
-                (
-                    await datasette.get_database(database).execute("select 1 + 1")
-                ).first()[0]
-            )
-        }
+        # Check that metadata tables have been populated before startup fires
+        metadata_rows = await internal_db.execute(
+            "select key, value from metadata_instance"
+        )
+        datasette._startup_metadata_keys = [row["key"] for row in metadata_rows]
+        # Check that catalog/schema tables have been populated before startup fires
+        catalog_rows = await internal_db.execute(
+            "select database_name from catalog_databases"
+        )
+        datasette._startup_catalog_databases = [
+            row["database_name"] for row in catalog_rows
+        ]
 
     return inner
 
diff --git a/tests/test_actions_sql.py b/tests/test_actions_sql.py
index 863d2529..a1fca971 100644
--- a/tests/test_actions_sql.py
+++ b/tests/test_actions_sql.py
@@ -12,10 +12,22 @@ import pytest
 import pytest_asyncio
 from datasette.app import Datasette
 from datasette.permissions import PermissionSQL
-from datasette.resources import TableResource
+from datasette.resources import DatabaseResource, QueryResource, TableResource
 from datasette import hookimpl
 
 
+def test_resource_string_representations():
+    assert str(DatabaseResource("content")) == "content"
+    assert repr(DatabaseResource("content")) == (
+        "DatabaseResource(parent='content', child=None)"
+    )
+    assert str(TableResource("content", "dogs")) == "content/dogs"
+    assert repr(TableResource("content", "dogs")) == (
+        "TableResource(parent='content', child='dogs')"
+    )
+    assert str(QueryResource("content", "insert-a-dog")) == "content/insert-a-dog"
+
+
 # Test plugin that provides permission rules
 class PermissionRulesPlugin:
     def __init__(self, rules_callback):
diff --git a/tests/test_allowed_many.py b/tests/test_allowed_many.py
new file mode 100644
index 00000000..08b952fb
--- /dev/null
+++ b/tests/test_allowed_many.py
@@ -0,0 +1,707 @@
+"""
+Tests for request-scoped permission check memoization and the
+datasette.allowed_many() batch permission API.
+
+Layer 1: per-request cache consulted by datasette.allowed()
+Layer 2: allowed_many() resolves multiple actions in one internal-DB query
+Layer 3: table/database views precompute all registered actions before
+         invoking table_actions/database_actions plugin hooks
+"""
+
+import pytest
+import pytest_asyncio
+from datasette.app import Datasette
+from datasette.permissions import (
+    Action,
+    PermissionSQL,
+    SkipPermissions,
+    _permission_check_cache,
+)
+from datasette.resources import DatabaseResource, TableResource
+from datasette import hookimpl
+
+
+class CountingRulesPlugin:
+    """Counts permission_resources_sql gathers and grants rules for alice."""
+
+    def __init__(self):
+        self.calls = []
+
+    @hookimpl
+    def permission_resources_sql(self, datasette, actor, action):
+        actor_id = actor.get("id") if actor else None
+        self.calls.append((actor_id, action))
+        if actor_id == "alice":
+            return PermissionSQL(
+                sql="SELECT NULL AS parent, NULL AS child, 1 AS allow, 'alice allowed' AS reason"
+            )
+        return None
+
+    def count(self, actor_id=None, action=None):
+        return len(
+            [
+                (a, c)
+                for a, c in self.calls
+                if (actor_id is None or a == actor_id)
+                and (action is None or c == action)
+            ]
+        )
+
+
+@pytest_asyncio.fixture
+async def ds():
+    ds = Datasette()
+    await ds.invoke_startup()
+    db = ds.add_memory_database("analytics")
+    await db.execute_write("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY)")
+    await db.execute_write("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY)")
+    await ds._refresh_schemas()
+    return ds
+
+
+@pytest_asyncio.fixture
+async def counting_ds(ds):
+    plugin = CountingRulesPlugin()
+    ds.pm.register(plugin, name="counting")
+    try:
+        yield ds, plugin
+    finally:
+        ds.pm.unregister(name="counting")
+
+
+# ----------------------------------------------------------------------
+# Layer 1: request-scoped memoization
+# ----------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_allowed_memoized_when_cache_active(counting_ds):
+    ds, plugin = counting_ds
+    resource = TableResource("analytics", "users")
+    token = _permission_check_cache.set({})
+    try:
+        first = await ds.allowed(
+            action="view-table", resource=resource, actor={"id": "alice"}
+        )
+        gathers_after_first = plugin.count(actor_id="alice", action="view-table")
+        assert gathers_after_first > 0
+        second = await ds.allowed(
+            action="view-table", resource=resource, actor={"id": "alice"}
+        )
+        assert first is True
+        assert second is True
+        # The second identical check must not gather hooks again
+        assert plugin.count(actor_id="alice", action="view-table") == (
+            gathers_after_first
+        )
+    finally:
+        _permission_check_cache.reset(token)
+
+
+@pytest.mark.asyncio
+async def test_allowed_not_memoized_without_cache(counting_ds):
+    ds, plugin = counting_ds
+    resource = TableResource("analytics", "users")
+    assert _permission_check_cache.get() is None
+    await ds.allowed(action="view-table", resource=resource, actor={"id": "alice"})
+    first_count = plugin.count(actor_id="alice", action="view-table")
+    await ds.allowed(action="view-table", resource=resource, actor={"id": "alice"})
+    # No request cache active - hooks gathered again
+    assert plugin.count(actor_id="alice", action="view-table") == first_count * 2
+
+
+@pytest.mark.asyncio
+async def test_cache_keyed_on_full_actor_identity(counting_ds):
+    """Interleaved checks for different actors never share cache entries."""
+    # Uses drop-table because default permissions deny it to non-root actors
+    ds, plugin = counting_ds
+    resource = TableResource("analytics", "users")
+    token = _permission_check_cache.set({})
+    try:
+        assert (
+            await ds.allowed(
+                action="drop-table", resource=resource, actor={"id": "alice"}
+            )
+            is True
+        )
+        assert (
+            await ds.allowed(
+                action="drop-table", resource=resource, actor={"id": "bob"}
+            )
+            is False
+        )
+        # Repeat interleaved - cached results must stay correct per actor
+        assert (
+            await ds.allowed(
+                action="drop-table", resource=resource, actor={"id": "alice"}
+            )
+            is True
+        )
+        assert (
+            await ds.allowed(
+                action="drop-table", resource=resource, actor={"id": "bob"}
+            )
+            is False
+        )
+        # Actors differing in fields beyond id must not collide either
+        assert (
+            await ds.allowed(
+                action="drop-table",
+                resource=resource,
+                actor={"id": "alice", "_r": {"a": []}},
+            )
+            is False
+        )
+    finally:
+        _permission_check_cache.reset(token)
+
+
+@pytest.mark.asyncio
+async def test_cache_keyed_on_resource(counting_ds):
+    ds, plugin = counting_ds
+    token = _permission_check_cache.set({})
+    try:
+        await ds.allowed(
+            action="view-table",
+            resource=TableResource("analytics", "users"),
+            actor={"id": "alice"},
+        )
+        count = plugin.count(actor_id="alice", action="view-table")
+        # Different resource - must not be served from cache
+        await ds.allowed(
+            action="view-table",
+            resource=TableResource("analytics", "events"),
+            actor={"id": "alice"},
+        )
+        assert plugin.count(actor_id="alice", action="view-table") == count * 2
+    finally:
+        _permission_check_cache.reset(token)
+
+
+@pytest.mark.asyncio
+async def test_skip_permission_checks_bypasses_cache(counting_ds):
+    ds, plugin = counting_ds
+    resource = TableResource("analytics", "users")
+    token = _permission_check_cache.set({})
+    try:
+        with SkipPermissions():
+            assert (
+                await ds.allowed(
+                    action="drop-table", resource=resource, actor={"id": "bob"}
+                )
+                is True
+            )
+        # The skip-mode True must not have been cached
+        assert (
+            await ds.allowed(
+                action="drop-table", resource=resource, actor={"id": "bob"}
+            )
+            is False
+        )
+    finally:
+        _permission_check_cache.reset(token)
+
+
+# ----------------------------------------------------------------------
+# Layer 2: allowed_many()
+# ----------------------------------------------------------------------
+
+
+class MatrixRulesPlugin:
+    """Different rules per action for actor carol, to exercise resolution."""
+
+    @hookimpl
+    def permission_resources_sql(self, datasette, actor, action):
+        if not actor or actor.get("id") != "carol":
+            return None
+        if action == "view-table":
+            return PermissionSQL(sql="""
+                SELECT NULL AS parent, NULL AS child, 1 AS allow, 'global allow' AS reason
+                UNION ALL
+                SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow, 'deny sensitive' AS reason
+                """)
+        if action == "insert-row":
+            return PermissionSQL(
+                sql="SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'analytics writes' AS reason"
+            )
+        # Everything else: no opinion (implicit deny unless defaults allow)
+        return None
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_basic(ds):
+    plugin = MatrixRulesPlugin()
+    ds.pm.register(plugin, name="matrix")
+    try:
+        results = await ds.allowed_many(
+            actions=["view-table", "insert-row", "drop-table"],
+            resource=TableResource("analytics", "users"),
+            actor={"id": "carol"},
+        )
+        assert results == {
+            "view-table": True,
+            "insert-row": True,
+            "drop-table": False,
+        }
+        # Child-level deny beats global allow
+        sensitive = await ds.allowed_many(
+            actions=["view-table"],
+            resource=TableResource("analytics", "sensitive"),
+            actor={"id": "carol"},
+        )
+        assert sensitive == {"view-table": False}
+    finally:
+        ds.pm.unregister(name="matrix")
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_matches_allowed(ds):
+    """Every action resolved by allowed_many() must match allowed()."""
+    plugin = MatrixRulesPlugin()
+    ds.pm.register(plugin, name="matrix")
+    try:
+        all_actions = list(ds.actions)
+        for resource in (
+            TableResource("analytics", "users"),
+            TableResource("analytics", "sensitive"),
+            DatabaseResource("analytics"),
+        ):
+            batched = await ds.allowed_many(
+                actions=all_actions, resource=resource, actor={"id": "carol"}
+            )
+            assert set(batched) == set(all_actions)
+            for action in all_actions:
+                individual = await ds.allowed(
+                    action=action, resource=resource, actor={"id": "carol"}
+                )
+                assert (
+                    batched[action] == individual
+                ), f"Mismatch for {action} on {resource}"
+    finally:
+        ds.pm.unregister(name="matrix")
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_unknown_action_raises(ds):
+    with pytest.raises(ValueError, match="Unknown action"):
+        await ds.allowed_many(
+            actions=["view-table", "no-such-action"],
+            resource=TableResource("analytics", "users"),
+            actor=None,
+        )
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_empty_actions(ds):
+    assert (
+        await ds.allowed_many(
+            actions=[], resource=TableResource("analytics", "users"), actor=None
+        )
+        == {}
+    )
+
+
+class AlsoRequiresRulesPlugin:
+    """dave: store-query allowed but execute-sql explicitly denied.
+    erin: store-query allowed (execute-sql stays default-allowed)."""
+
+    @hookimpl
+    def permission_resources_sql(self, datasette, actor, action):
+        actor_id = actor.get("id") if actor else None
+        if actor_id == "dave":
+            if action == "store-query":
+                return PermissionSQL(
+                    sql="SELECT NULL AS parent, NULL AS child, 1 AS allow, 'dave can store' AS reason"
+                )
+            if action == "execute-sql":
+                return PermissionSQL(
+                    sql="SELECT NULL AS parent, NULL AS child, 0 AS allow, 'dave no sql' AS reason"
+                )
+        if actor_id == "erin" and action == "store-query":
+            return PermissionSQL(
+                sql="SELECT NULL AS parent, NULL AS child, 1 AS allow, 'erin can store' AS reason"
+            )
+        return None
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_also_requires(ds):
+    # store-query also_requires execute-sql, which also_requires view-database
+    plugin = AlsoRequiresRulesPlugin()
+    ds.pm.register(plugin, name="also_requires")
+    try:
+        resource = DatabaseResource("analytics")
+        dave = await ds.allowed_many(
+            actions=["store-query", "execute-sql", "view-database"],
+            resource=resource,
+            actor={"id": "dave"},
+        )
+        # execute-sql denied, so store-query must be denied too
+        assert dave == {
+            "store-query": False,
+            "execute-sql": False,
+            "view-database": True,
+        }
+        erin = await ds.allowed_many(
+            actions=["store-query"], resource=resource, actor={"id": "erin"}
+        )
+        assert erin == {"store-query": True}
+        # Must match the single-check path
+        assert (
+            await ds.allowed(
+                action="store-query", resource=resource, actor={"id": "dave"}
+            )
+            is False
+        )
+        assert (
+            await ds.allowed(
+                action="store-query", resource=resource, actor={"id": "erin"}
+            )
+            is True
+        )
+    finally:
+        ds.pm.unregister(name="also_requires")
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_respects_restrictions(ds):
+    """Token-style _r restrictions are enforced within the batch."""
+    actor = {"id": "root", "_r": {"d": {"analytics": ["vt"]}}}
+    results = await ds.allowed_many(
+        actions=["view-table", "drop-table"],
+        resource=TableResource("analytics", "users"),
+        actor=actor,
+    )
+    # root could normally do both, but the token only allows view-table
+    # on the analytics database
+    assert results == {"view-table": True, "drop-table": False}
+    other_db = await ds.allowed_many(
+        actions=["view-table"],
+        resource=TableResource("production", "stuff"),
+        actor=actor,
+    )
+    assert other_db == {"view-table": False}
+    # Equivalence with allowed()
+    assert (
+        await ds.allowed(
+            action="view-table",
+            resource=TableResource("analytics", "users"),
+            actor=actor,
+        )
+        is True
+    )
+    assert (
+        await ds.allowed(
+            action="drop-table",
+            resource=TableResource("analytics", "users"),
+            actor=actor,
+        )
+        is False
+    )
+
+
+class ParamCollisionPlugin:
+    """Same parameter name with a different value for every action."""
+
+    @hookimpl
+    def permission_resources_sql(self, datasette, actor, action):
+        if not actor or actor.get("id") != "paula":
+            return None
+        flag = 1 if action in ("drop-table", "insert-row") else 0
+        return PermissionSQL(
+            sql="SELECT NULL AS parent, NULL AS child, :flag AS allow, 'flagged' AS reason",
+            params={"flag": flag},
+        )
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_namespaces_params_across_actions(ds):
+    """40+ actions whose rules use identical param names must not collide."""
+    plugin = ParamCollisionPlugin()
+    ds.pm.register(plugin, name="collision")
+    try:
+        all_actions = list(ds.actions)
+        assert len(all_actions) >= 15
+        resource = TableResource("analytics", "users")
+        results = await ds.allowed_many(
+            actions=all_actions, resource=resource, actor={"id": "paula"}
+        )
+        # Spot-check: only the flagged actions resolve True
+        assert results["drop-table"] is True
+        assert results["create-table"] is False
+        # Full equivalence against single checks
+        for action in all_actions:
+            assert results[action] == await ds.allowed(
+                action=action, resource=resource, actor={"id": "paula"}
+            ), f"Mismatch for {action}"
+    finally:
+        ds.pm.unregister(name="collision")
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_single_internal_db_query(ds):
+    internal_db = ds.get_internal_database()
+    calls = []
+    original_execute = internal_db.execute
+
+    async def counting_execute(sql, params=None, **kwargs):
+        calls.append(sql)
+        return await original_execute(sql, params, **kwargs)
+
+    internal_db.execute = counting_execute
+    try:
+        results = await ds.allowed_many(
+            actions=["view-table", "insert-row", "delete-row", "drop-table"],
+            resource=TableResource("analytics", "users"),
+            actor={"id": "root", "_r": {"d": {"analytics": ["vt"]}}},
+        )
+        assert len(results) == 4
+        assert len(calls) == 1
+    finally:
+        internal_db.execute = original_execute
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_no_query_when_no_rules(ds):
+    """Actions with no rules from any plugin are denied without SQL.
+
+    Restrictions can only restrict, never grant, so an action with no
+    rule rows is always False - it should not contribute to the query,
+    and if no action has rules there should be no query at all."""
+    internal_db = ds.get_internal_database()
+    calls = []
+    original_execute = internal_db.execute
+
+    async def counting_execute(sql, params=None, **kwargs):
+        calls.append(sql)
+        return await original_execute(sql, params, **kwargs)
+
+    internal_db.execute = counting_execute
+    try:
+        # bob gets no rules at all for these write actions
+        results = await ds.allowed_many(
+            actions=["drop-table", "delete-row"],
+            resource=TableResource("analytics", "users"),
+            actor={"id": "bob"},
+        )
+        assert results == {"drop-table": False, "delete-row": False}
+        assert len(calls) == 0
+        # A mixed batch still needs exactly one query
+        calls.clear()
+        results = await ds.allowed_many(
+            actions=["view-table", "drop-table"],
+            resource=TableResource("analytics", "users"),
+            actor={"id": "bob"},
+        )
+        assert results == {"view-table": True, "drop-table": False}
+        assert len(calls) == 1
+    finally:
+        internal_db.execute = original_execute
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_global_actions_without_resource(ds):
+    results = await ds.allowed_many(
+        actions=["view-instance", "permissions-debug"],
+        actor={"id": "root"},
+    )
+    assert results["view-instance"] is True
+    # Equivalence with single checks for global actions
+    for action in ("view-instance", "permissions-debug"):
+        assert results[action] == await ds.allowed(action=action, actor={"id": "root"})
+    anon = await ds.allowed_many(actions=["permissions-debug"], actor=None)
+    assert anon == {"permissions-debug": False}
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_seeds_request_cache(counting_ds):
+    ds, plugin = counting_ds
+    resource = TableResource("analytics", "users")
+    actions = ["view-table", "insert-row", "drop-table"]
+    token = _permission_check_cache.set({})
+    try:
+        await ds.allowed_many(actions=actions, resource=resource, actor={"id": "alice"})
+        gathers = plugin.count(actor_id="alice")
+        assert gathers > 0
+        for action in actions:
+            await ds.allowed(action=action, resource=resource, actor={"id": "alice"})
+        # Every allowed() call must have been served from the seeded cache
+        assert plugin.count(actor_id="alice") == gathers
+    finally:
+        _permission_check_cache.reset(token)
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_skip_permission_checks(ds):
+    with SkipPermissions():
+        results = await ds.allowed_many(
+            actions=["view-table", "drop-table"],
+            resource=TableResource("analytics", "users"),
+            actor=None,
+        )
+    assert results == {"view-table": True, "drop-table": True}
+
+
+class ManyActionsPlugin:
+    """Registers enough actions to exceed SQLite's compound SELECT limit."""
+
+    def __init__(self, count):
+        self.action_names = [f"bulk-action-{i}" for i in range(count)]
+        self.action_names_set = set(self.action_names)
+
+    @hookimpl
+    def register_actions(self, datasette):
+        return [
+            Action(name=name, abbr=None, description="Bulk test action")
+            for name in self.action_names
+        ]
+
+    @hookimpl
+    def permission_resources_sql(self, datasette, actor, action):
+        if action in self.action_names_set:
+            return PermissionSQL(
+                sql="SELECT NULL AS parent, NULL AS child, 1 AS allow, 'bulk allow' AS reason",
+                params={},
+            )
+
+
+@pytest.mark.asyncio
+async def test_allowed_many_more_than_sqlite_compound_select_limit():
+    plugin = ManyActionsPlugin(600)
+    ds = Datasette()
+    ds.pm.register(plugin, name="many_actions")
+    try:
+        await ds.invoke_startup()
+        results = await ds.allowed_many(actions=plugin.action_names, actor=None)
+        assert len(results) == 600
+        assert all(results.values())
+    finally:
+        ds.pm.unregister(name="many_actions")
+
+
+# ----------------------------------------------------------------------
+# Layer 3: precompute before table_actions / database_actions hooks
+# ----------------------------------------------------------------------
+
+
+class ActionHooksPlugin:
+    """Plugin hooks that make allowed() checks, like real action plugins do."""
+
+    @hookimpl
+    def table_actions(self, datasette, actor, database, table):
+        async def inner():
+            links = []
+            if await datasette.allowed(
+                action="drop-table",
+                resource=TableResource(database, table),
+                actor=actor,
+            ):
+                links.append(
+                    {"href": "/drop", "label": "Drop this table (test-plugin)"}
+                )
+            if await datasette.allowed(
+                action="create-table",
+                resource=DatabaseResource(database),
+                actor=actor,
+            ):
+                links.append(
+                    {"href": "/create", "label": "Create a table (test-plugin)"}
+                )
+            return links
+
+        return inner
+
+    @hookimpl
+    def database_actions(self, datasette, actor, database):
+        async def inner():
+            if await datasette.allowed(
+                action="create-table",
+                resource=DatabaseResource(database),
+                actor=actor,
+            ):
+                return [{"href": "/create", "label": "Create a table (test-plugin)"}]
+            return []
+
+        return inner
+
+
+@pytest_asyncio.fixture
+async def spying_ds(ds, monkeypatch):
+    """ds with the ActionHooksPlugin plus a spy recording every batch of
+    actions sent to check_permissions_for_actions."""
+    from datasette.utils import actions_sql
+
+    plugin = ActionHooksPlugin()
+    ds.pm.register(plugin, name="action_hooks")
+    ds.root_enabled = True
+    recorded = []
+    original = actions_sql.check_permissions_for_actions
+
+    async def spy(**kwargs):
+        recorded.append(kwargs["actions"])
+        return await original(**kwargs)
+
+    monkeypatch.setattr(actions_sql, "check_permissions_for_actions", spy)
+    try:
+        yield ds, recorded
+    finally:
+        ds.pm.unregister(name="action_hooks")
+
+
+@pytest.mark.asyncio
+async def test_table_page_precomputes_action_permissions(spying_ds):
+    ds, recorded = spying_ds
+    cookies = {"ds_actor": ds.client.actor_cookie({"id": "root"})}
+    response = await ds.client.get("/analytics/users", cookies=cookies)
+    assert response.status_code == 200
+    # The plugin's permission checks were served from the precomputed batch
+    assert "Drop this table (test-plugin)" in response.text
+    assert "Create a table (test-plugin)" in response.text
+    # One batch covered the table-level actions for the table resource,
+    # and one covered the database-level actions for the database resource
+    batches = [batch for batch in recorded if len(batch) > 1]
+    assert any("drop-table" in batch for batch in batches)
+    assert any("create-table" in batch for batch in batches)
+    # The precompute is scoped to actions relevant to each resource:
+    # no global or query-level actions in any batch, and no mixing of
+    # table-level and database-level actions
+    for batch in batches:
+        assert "view-instance" not in batch
+        assert "view-query" not in batch
+        assert not ("drop-table" in batch and "create-table" in batch)
+    # The hook's own allowed() calls hit the cache - no single-action
+    # fallback queries for the actions it checked
+    assert ["drop-table"] not in recorded
+    assert ["create-table"] not in recorded
+
+
+@pytest.mark.asyncio
+async def test_database_page_precomputes_action_permissions(spying_ds):
+    ds, recorded = spying_ds
+    cookies = {"ds_actor": ds.client.actor_cookie({"id": "root"})}
+    response = await ds.client.get("/analytics", cookies=cookies)
+    assert response.status_code == 200
+    assert "Create a table (test-plugin)" in response.text
+    batches = [batch for batch in recorded if len(batch) > 1]
+    assert any("create-table" in batch for batch in batches)
+    # Scoped to database-level actions only
+    for batch in batches:
+        assert "view-instance" not in batch
+        assert "drop-table" not in batch
+    assert ["create-table"] not in recorded
+
+
+@pytest.mark.asyncio
+async def test_cache_does_not_leak_across_requests(counting_ds):
+    ds, plugin = counting_ds
+    cookies = {"ds_actor": ds.client.actor_cookie({"id": "alice"})}
+    response = await ds.client.get("/analytics/users.json", cookies=cookies)
+    assert response.status_code == 200
+    first_request_gathers = plugin.count(actor_id="alice", action="view-table")
+    assert first_request_gathers > 0
+    response = await ds.client.get("/analytics/users.json", cookies=cookies)
+    assert response.status_code == 200
+    # Second request must re-gather (fresh cache), not reuse the first one
+    assert (
+        plugin.count(actor_id="alice", action="view-table") == first_request_gathers * 2
+    )
diff --git a/tests/test_allowed_resources.py b/tests/test_allowed_resources.py
index 08adbe48..e247aa78 100644
--- a/tests/test_allowed_resources.py
+++ b/tests/test_allowed_resources.py
@@ -51,8 +51,8 @@ async def test_ds():
 
 
 @pytest.mark.asyncio
-async def test_tables_endpoint_global_access(test_ds):
-    """Test /-/tables with global access permissions"""
+async def test_tables_allowed_resources_global_access(test_ds):
+    """Test allowed_resources() with global access permissions"""
 
     def rules_callback(datasette, actor, action):
         if actor and actor.get("id") == "alice":
@@ -91,7 +91,7 @@ async def test_tables_endpoint_global_access(test_ds):
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_database_restriction(test_ds):
-    """Test /-/tables with database-level restriction"""
+    """Test allowed_resources() with database-level restriction"""
 
     def rules_callback(datasette, actor, action):
         if actor and actor.get("role") == "analyst":
@@ -133,7 +133,7 @@ async def test_tables_endpoint_database_restriction(test_ds):
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_table_exception(test_ds):
-    """Test /-/tables with table-level exception (deny database, allow specific table)"""
+    """Test allowed_resources() with table-level exception (deny database, allow specific table)"""
 
     def rules_callback(datasette, actor, action):
         if actor and actor.get("id") == "carol":
@@ -217,7 +217,7 @@ async def test_tables_endpoint_deny_overrides_allow(test_ds):
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_no_permissions():
-    """Test /-/tables when user has no custom permissions (only defaults)"""
+    """Test allowed_resources() when user has no custom permissions (only defaults)"""
 
     ds = Datasette()
     await ds.invoke_startup()
@@ -241,7 +241,7 @@ async def test_tables_endpoint_no_permissions():
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_specific_table_only(test_ds):
-    """Test /-/tables when only specific tables are allowed (no parent/global rules)"""
+    """Test allowed_resources() when only specific tables are allowed (no parent/global rules)"""
 
     def rules_callback(datasette, actor, action):
         if actor and actor.get("id") == "dave":
@@ -283,7 +283,7 @@ async def test_tables_endpoint_specific_table_only(test_ds):
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_empty_result(test_ds):
-    """Test /-/tables when all tables are explicitly denied"""
+    """Test allowed_resources() when all tables are explicitly denied"""
 
     def rules_callback(datasette, actor, action):
         if actor and actor.get("id") == "blocked":
@@ -314,7 +314,7 @@ async def test_tables_endpoint_empty_result(test_ds):
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_no_query_returns_all():
-    """Test /-/tables without query parameter returns all tables"""
+    """Test allowed_resources() without query parameter returns all tables"""
     ds = Datasette()
     await ds.invoke_startup()
 
@@ -338,7 +338,7 @@ async def test_tables_endpoint_no_query_returns_all():
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_truncation():
-    """Test /-/tables truncates at 100 tables and sets truncated flag"""
+    """Test allowed_resources() truncates at 100 tables and sets truncated flag"""
     ds = Datasette()
     await ds.invoke_startup()
 
@@ -359,7 +359,7 @@ async def test_tables_endpoint_truncation():
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_search_single_term():
-    """Test /-/tables?q=user to filter tables matching 'user'"""
+    """Test allowed_resources()?q=user to filter tables matching 'user'"""
 
     ds = Datasette()
     await ds.invoke_startup()
@@ -396,7 +396,7 @@ async def test_tables_endpoint_search_single_term():
 
 @pytest.mark.asyncio
 async def test_tables_endpoint_search_multiple_terms():
-    """Test /-/tables?q=user+profile to filter tables matching .*user.*profile.*"""
+    """Test allowed_resources()?q=user+profile to filter tables matching .*user.*profile.*"""
 
     ds = Datasette()
     await ds.invoke_startup()
diff --git a/tests/test_api.py b/tests/test_api.py
index 95958a72..f57d0206 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -59,6 +59,7 @@ async def test_database_page(ds_client):
     response = await ds_client.get("/fixtures.json")
     assert response.status_code == 200
     data = response.json()
+    assert data["ok"] is True
     assert data["database"] == "fixtures"
 
     # Build lookup for easier assertions
@@ -382,7 +383,7 @@ async def test_row_strange_table_name(ds_client):
 @pytest.mark.asyncio
 async def test_row_foreign_key_tables(ds_client):
     response = await ds_client.get(
-        "/fixtures/simple_primary_key/1.json?_extras=foreign_key_tables"
+        "/fixtures/simple_primary_key/1.json?_extra=foreign_key_tables"
     )
     assert response.status_code == 200
     # Foreign keys are sorted by (other_table, column, other_column)
@@ -425,6 +426,28 @@ async def test_row_foreign_key_tables(ds_client):
     ]
 
 
+@pytest.mark.asyncio
+async def test_row_extras(ds_client):
+    response = await ds_client.get(
+        "/fixtures/simple_primary_key/1.json?_extra=database,table,primary_keys,query,request,debug,foreign_key_tables"
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["database"] == "fixtures"
+    assert data["table"] == "simple_primary_key"
+    assert data["primary_keys"] == ["id"]
+    assert data["query"]["sql"] == 'select * from simple_primary_key where "id"=:p0'
+    assert data["query"]["params"] == {"p0": "1"}
+    assert data["request"]["path"] == "/fixtures/simple_primary_key/1.json"
+    assert data["debug"]["url_vars"] == {
+        "database": "fixtures",
+        "table": "simple_primary_key",
+        "pks": "1",
+        "format": "json",
+    }
+    assert len(data["foreign_key_tables"]) == 5
+
+
 @pytest.mark.asyncio
 async def test_row_extra_render_cell():
     """Test that _extra=render_cell returns rendered HTML from render_cell plugin hook on row pages"""
@@ -553,8 +576,7 @@ async def test_actions_json(ds_client):
     original_root_enabled = ds_client.ds.root_enabled
     try:
         ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions.json", cookies=cookies)
+        response = await ds_client.get("/-/actions.json", actor={"id": "root"})
         data = response.json()
     finally:
         ds_client.ds.root_enabled = original_root_enabled
@@ -717,6 +739,17 @@ def test_cors(
     assert "Access-Control-Max-Age" not in response.headers
 
 
+def test_cors_query_redirect(app_client_with_cors):
+    # /db?sql= redirects to /db/-/query - the redirect itself needs CORS
+    # headers, otherwise browsers refuse to follow it cross-origin
+    response = app_client_with_cors.get(
+        "/fixtures?sql=select+1", follow_redirects=False
+    )
+    assert response.status == 302
+    assert response.headers["Location"] == "/fixtures/-/query?sql=select+1"
+    assert response.headers["Access-Control-Allow-Origin"] == "*"
+
+
 @pytest.mark.parametrize(
     "path",
     (
diff --git a/tests/test_api_write.py b/tests/test_api_write.py
index e59c4295..76797742 100644
--- a/tests/test_api_write.py
+++ b/tests/test_api_write.py
@@ -1,5 +1,6 @@
 from datasette.app import Datasette
-from datasette.utils import sqlite3
+from datasette.events import RenameTableEvent
+from datasette.utils import escape_sqlite, sqlite3
 from .utils import last_event
 import pytest
 import time
@@ -17,15 +18,12 @@ def ds_write(tmp_path_factory):
         db.execute(
             "create table docs (id integer primary key, title text, score float, age integer)"
         )
+    db1.close()
+    db2.close()
     ds = Datasette([db_path], immutables=[db_path_immutable])
     ds.root_enabled = True
     yield ds
-    # Close both setup connections plus any Datasette-managed connections.
-    db1.close()
-    db2.close()
-    for database in ds.databases.values():
-        if not database.is_memory:
-            database.close()
+    ds.close()
 
 
 def write_token(ds, actor_id="root", permissions=None):
@@ -42,6 +40,51 @@ def _headers(token):
     }
 
 
+def _insert_and_fetch_created(conn, table, insert_sql):
+    cursor = conn.execute(insert_sql)
+    return conn.execute(
+        "select created, typeof(created) from {} where rowid = ?".format(
+            escape_sqlite(table)
+        ),
+        (cursor.lastrowid,),
+    ).fetchone()
+
+
+@pytest.mark.asyncio
+async def test_api_explorer_upsert_example_json(ds_write):
+    response = await ds_write.client.get("/-/api", actor={"id": "root"})
+    assert response.status_code == 200
+    import urllib.parse
+
+    text = urllib.parse.unquote_plus(response.text)
+    upsert_idx = text.index("/data/docs/-/upsert")
+    upsert_chunk = text[upsert_idx : upsert_idx + 500]
+    assert '"id": "<id (primary key)>"' in upsert_chunk
+    assert '"title": "<title>"' in upsert_chunk
+    assert '"score": "<score>"' in upsert_chunk
+    assert '"age": "<age>"' in upsert_chunk
+
+
+@pytest.mark.asyncio
+async def test_api_explorer_upsert_example_json_rowid_table(tmp_path_factory):
+    db_path = str(tmp_path_factory.mktemp("dbs") / "data.db")
+    conn = sqlite3.connect(db_path)
+    conn.execute("create table things (title text, score float)")
+    conn.close()
+    ds = Datasette([db_path])
+    ds.root_enabled = True
+    response = await ds.client.get("/-/api", actor={"id": "root"})
+    assert response.status_code == 200
+    import urllib.parse
+
+    text = urllib.parse.unquote_plus(response.text)
+    upsert_idx = text.index("/data/things/-/upsert")
+    upsert_chunk = text[upsert_idx : upsert_idx + 500]
+    assert '"rowid": "<rowid (primary key)>"' in upsert_chunk
+    assert '"title": "<title>"' in upsert_chunk
+    assert '"score": "<score>"' in upsert_chunk
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "content_type",
@@ -297,6 +340,14 @@ async def test_insert_rows(ds_write, return_rows):
             400,
             ['Row 0 is missing primary key column(s): "id"'],
         ),
+        # null primary key
+        (
+            "/data/docs/-/upsert",
+            {"rows": [{"id": None, "title": "Null PK"}]},
+            None,
+            400,
+            ['Row 0 has null primary key column(s): "id"'],
+        ),
         # Upsert does not support ignore or replace
         (
             "/data/docs/-/upsert",
@@ -754,6 +805,651 @@ async def test_update_row_alter(ds_write):
     assert response.json() == {"ok": True}
 
 
+@pytest.mark.asyncio
+async def test_alter_table_operations(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    before_schema = await db.execute_fn(
+        lambda conn: conn.execute(
+            "select sql from sqlite_master where type = 'table' and name = 'docs'"
+        ).fetchone()[0]
+    )
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {
+                    "op": "add_column",
+                    "args": {
+                        "name": "slug",
+                        "type": "text",
+                        "not_null": True,
+                        "default": "",
+                    },
+                },
+                {
+                    "op": "add_column",
+                    "args": {
+                        "name": "created",
+                        "type": "text",
+                        "default_expr": "current_timestamp",
+                    },
+                },
+                {
+                    "op": "add_column",
+                    "args": {
+                        "name": "literal_default",
+                        "type": "text",
+                        "default": "hello)",
+                    },
+                },
+                {"op": "rename_column", "args": {"name": "title", "to": "headline"}},
+                {
+                    "op": "alter_column",
+                    "args": {"name": "age", "type": "text", "default": "0"},
+                },
+                {"op": "drop_column", "args": {"name": "score"}},
+                {
+                    "op": "reorder_columns",
+                    "args": {
+                        "columns": [
+                            "id",
+                            "headline",
+                            "slug",
+                            "created",
+                            "literal_default",
+                            "age",
+                        ]
+                    },
+                },
+                {"op": "set_primary_key", "args": {"columns": ["id"]}},
+            ]
+        },
+        headers=_headers(token),
+    )
+
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert data["ok"] is True
+    assert data["database"] == "data"
+    assert data["table"] == "docs"
+    assert data["altered"] is True
+    assert data["operations_applied"] == 8
+    assert data["before_schema"] == before_schema
+    assert "headline" in data["schema"]
+    assert "score" not in data["schema"]
+    assert "DEFAULT CURRENT_TIMESTAMP" in data["schema"]
+    assert "DEFAULT 'hello)'" in data["schema"]
+
+    columns = (
+        await db.execute("select * from pragma_table_info('docs') order by cid")
+    ).dicts()
+    assert [column["name"] for column in columns] == [
+        "id",
+        "headline",
+        "slug",
+        "created",
+        "literal_default",
+        "age",
+    ]
+    assert columns[0]["pk"] == 1
+    assert columns[2]["notnull"] == 1
+    assert columns[2]["dflt_value"] == "''"
+    assert columns[3]["dflt_value"] == "CURRENT_TIMESTAMP"
+    assert columns[4]["dflt_value"] == "'hello)'"
+    assert columns[5]["type"] == "TEXT"
+    assert columns[5]["dflt_value"] == "'0'"
+
+    event = last_event(ds_write)
+    assert event.name == "alter-table"
+    assert event.database == "data"
+    assert event.table == "docs"
+    assert event.before_schema == before_schema
+    assert event.after_schema == data["schema"]
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "default_expr,minimum_value,expected_schema",
+    (
+        (
+            "current_unixtime",
+            1_600_000_000,
+            "strftime('%s', 'now')",
+        ),
+        (
+            "current_unixtime_ms",
+            1_600_000_000_000,
+            "julianday('now')",
+        ),
+    ),
+)
+async def test_alter_table_integer_default_expr(
+    ds_write, default_expr, minimum_value, expected_schema
+):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {
+                    "op": "add_column",
+                    "args": {
+                        "name": "created",
+                        "type": "integer",
+                        "default_expr": default_expr,
+                    },
+                }
+            ]
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert expected_schema in data["schema"]
+
+    columns = await db.execute("select * from pragma_table_info('docs')")
+    created_column = [
+        column for column in columns.dicts() if column["name"] == "created"
+    ][0]
+    assert created_column["type"] == "INTEGER"
+    assert expected_schema in created_column["dflt_value"]
+
+    row = await db.execute_write_fn(
+        lambda conn: _insert_and_fetch_created(
+            conn, "docs", "insert into docs (title) values ('with default')"
+        )
+    )
+    assert row[0] > minimum_value
+    assert row[1] == "integer"
+
+
+@pytest.mark.asyncio
+async def test_alter_table_rename_table(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    before_schema = await db.execute_fn(
+        lambda conn: conn.execute(
+            "select sql from sqlite_master where type = 'table' and name = 'docs'"
+        ).fetchone()[0]
+    )
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {"op": "rename_table", "args": {"to": "documents"}},
+            ]
+        },
+        headers=_headers(token),
+    )
+
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert data["ok"] is True
+    assert data["database"] == "data"
+    assert data["table"] == "documents"
+    assert data["table_url"].endswith("/data/documents")
+    assert data["table_api_url"].endswith("/data/documents.json")
+    assert data["altered"] is True
+    assert data["operations_applied"] == 1
+    assert data["before_schema"] == before_schema
+    assert 'CREATE TABLE "documents"' in data["schema"]
+
+    tables = (
+        await db.execute(
+            "select name from sqlite_master where type = 'table' order by name"
+        )
+    ).dicts()
+    table_names = [table["name"] for table in tables]
+    assert "docs" not in table_names
+    assert "documents" in table_names
+
+    rename_events = [
+        event
+        for event in ds_write._tracked_events
+        if isinstance(event, RenameTableEvent)
+    ]
+    assert len(rename_events) == 1
+    assert rename_events[0].database == "data"
+    assert rename_events[0].old_table == "docs"
+    assert rename_events[0].new_table == "documents"
+
+
+@pytest.mark.asyncio
+async def test_alter_table_foreign_key_operations(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    await db.execute_write("create table owners (id integer primary key)")
+    await db.execute_write("create table categories (id integer primary key)")
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {"op": "add_column", "args": {"name": "owner_id", "type": "integer"}},
+                {
+                    "op": "add_foreign_key",
+                    "args": {"column": "owner_id", "fk_table": "owners"},
+                },
+            ]
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert data["operations_applied"] == 2
+    assert "[owner_id] INTEGER REFERENCES [owners]([id])" in data["schema"]
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [{"op": "drop_foreign_key", "args": {"column": "owner_id"}}]
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert "[owner_id] INTEGER REFERENCES" not in data["schema"]
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {
+                    "op": "set_foreign_keys",
+                    "args": {
+                        "foreign_keys": [
+                            {
+                                "column": "owner_id",
+                                "fk_table": "categories",
+                                "fk_column": "id",
+                            }
+                        ]
+                    },
+                }
+            ]
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert "[owner_id] INTEGER REFERENCES [categories]([id])" in data["schema"]
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={"operations": [{"op": "set_foreign_keys", "args": {"foreign_keys": []}}]},
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert "[owner_id] INTEGER REFERENCES" not in data["schema"]
+
+
+@pytest.mark.asyncio
+async def test_alter_table_foreign_key_requires_fk_table_for_fk_column(ds_write):
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {
+                    "op": "add_foreign_key",
+                    "args": {"column": "age", "fk_column": "id"},
+                }
+            ]
+        },
+        headers=_headers(write_token(ds_write, permissions=["at"])),
+    )
+    assert response.status_code == 400
+    assert response.json() == {
+        "ok": False,
+        "errors": ["operations.0.add_foreign_key.args: fk_column requires fk_table"],
+    }
+
+
+@pytest.mark.asyncio
+async def test_alter_table_foreign_key_without_fk_column_requires_single_pk(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    await db.execute_write(
+        "create table accounts (tenant_id integer, id integer, primary key (tenant_id, id))"
+    )
+
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={
+            "operations": [
+                {
+                    "op": "add_foreign_key",
+                    "args": {"column": "age", "fk_table": "accounts"},
+                }
+            ]
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert response.json() == {
+        "ok": False,
+        "errors": ["Could not detect single primary key for table 'accounts'"],
+    }
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_suggestions(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    await db.execute_write("create table owners (id integer primary key)")
+    await db.execute_write("insert into owners (id) values (1), (2), (3)")
+    await db.execute_write("create table categories (slug text primary key)")
+    await db.execute_write("insert into categories (slug) values ('one'), ('two')")
+    await db.execute_write("create table numbers (id integer primary key)")
+    await db.execute_write("insert into numbers (id) values (10), (20)")
+    await db.execute_write("create table weights (id real primary key)")
+    await db.execute_write("insert into weights (id) values (1.5), (2.5)")
+    await db.execute_write(
+        "insert into docs (id, title, score, age) values "
+        "(1, 'one', 1.5, 1), (2, 'two', 999.5, 2), (3, null, null, null)"
+    )
+
+    response = await ds_write.client.get(
+        "/data/docs/-/foreign-key-suggestions",
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert data["ok"] is True
+    assert data["database"] == "data"
+    assert data["table"] == "docs"
+    assert data["row_check"]["attempted"] is True
+    assert data["row_check"]["status"] == "completed"
+    assert data["row_check"]["row_limit"] == 500
+    assert data["row_check"]["sampled_rows"] == 3
+
+    columns = {column["column"]: column for column in data["columns"]}
+    assert columns["age"]["options"] == [
+        {"fk_table": "numbers", "fk_column": "id", "type": "INTEGER"},
+        {"fk_table": "owners", "fk_column": "id", "type": "INTEGER"},
+    ]
+    assert columns["age"]["suggestions"] == [
+        {
+            "fk_table": "owners",
+            "fk_column": "id",
+            "confidence": "sampled",
+            "sampled_values": 2,
+            "reasons": ["type_match", "sample_values_exist"],
+        }
+    ]
+    assert columns["title"]["options"] == [
+        {"fk_table": "categories", "fk_column": "slug", "type": "TEXT"}
+    ]
+    assert columns["title"]["suggestions"][0]["fk_table"] == "categories"
+    assert columns["score"]["options"] == [
+        {"fk_table": "weights", "fk_column": "id", "type": "REAL"}
+    ]
+    assert columns["score"]["suggestions"] == []
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_suggestions_permission_denied(ds_write):
+    token = write_token(ds_write, permissions=["ir"])
+    response = await ds_write.client.get(
+        "/data/docs/-/foreign-key-suggestions",
+        headers=_headers(token),
+    )
+    assert response.status_code == 403
+    assert response.json() == {
+        "ok": False,
+        "errors": ["Permission denied: need alter-table"],
+    }
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_suggestions_fail_open(ds_write, monkeypatch):
+    token = write_token(ds_write, permissions=["at"])
+    db = ds_write.get_database("data")
+    await db.execute_write("create table owners (id integer primary key)")
+
+    async def raise_timeout(*args, **kwargs):
+        raise table_create_alter.ForeignKeySuggestionTimedOut
+
+    from datasette.views import table_create_alter
+
+    monkeypatch.setattr(
+        table_create_alter,
+        "_foreign_key_suggestion_samples",
+        raise_timeout,
+    )
+
+    response = await ds_write.client.get(
+        "/data/docs/-/foreign-key-suggestions",
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    data = response.json()
+    assert data["row_check"]["status"] == "timed_out"
+    columns = {column["column"]: column for column in data["columns"]}
+    assert columns["age"]["options"] == [
+        {"fk_table": "owners", "fk_column": "id", "type": "INTEGER"}
+    ]
+    assert columns["age"]["suggestions"] == []
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_targets(ds_write):
+    token = write_token(ds_write, permissions=["ct"])
+    db = ds_write.get_database("data")
+    await db.execute_write("create table owners (id integer primary key)")
+    await db.execute_write("create table categories (slug varchar(30) primary key)")
+    await db.execute_write("create table blob_things (hash blob primary key)")
+    await db.execute_write(
+        "create table numeric_codes (code decimal(10,5) primary key)"
+    )
+    await db.execute_write(
+        'create table floating_point (value "FLOATING POINT" primary key)'
+    )
+    await db.execute_write(
+        "create table compound (a integer, b integer, primary key (a, b))"
+    )
+    await db.execute_write("create table no_pk (name text)")
+    try:
+        await db.execute_write("create virtual table search_docs using fts5(body)")
+    except Exception:
+        pass
+
+    response = await ds_write.client.get(
+        "/data/-/foreign-key-targets",
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    assert response.json() == {
+        "ok": True,
+        "database": "data",
+        "targets": [
+            {
+                "fk_table": "blob_things",
+                "fk_column": "hash",
+                "type": "blob",
+            },
+            {
+                "fk_table": "categories",
+                "fk_column": "slug",
+                "type": "text",
+            },
+            {
+                "fk_table": "docs",
+                "fk_column": "id",
+                "type": "integer",
+            },
+            {
+                "fk_table": "floating_point",
+                "fk_column": "value",
+                "type": "integer",
+            },
+            {
+                "fk_table": "numeric_codes",
+                "fk_column": "code",
+                "type": "numeric",
+            },
+            {
+                "fk_table": "owners",
+                "fk_column": "id",
+                "type": "integer",
+            },
+        ],
+    }
+    assert not any(
+        target["fk_table"].startswith("search_docs_")
+        for target in response.json()["targets"]
+    )
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_targets_permission_denied(ds_write):
+    token = write_token(ds_write, permissions=["ir"])
+    response = await ds_write.client.get(
+        "/data/-/foreign-key-targets",
+        headers=_headers(token),
+    )
+    assert response.status_code == 403
+    assert response.json() == {
+        "ok": False,
+        "errors": ["Permission denied: need create-table"],
+    }
+
+
+@pytest.mark.asyncio
+async def test_foreign_key_targets_allowed_for_alter_table(ds_write):
+    token = write_token(ds_write, permissions=["at"])
+    response = await ds_write.client.get(
+        "/data/-/foreign-key-targets?table=docs",
+        headers=_headers(token),
+    )
+    assert response.status_code == 200, response.text
+    assert response.json()["ok"] is True
+
+
+@pytest.mark.asyncio
+async def test_alter_table_permission_denied(ds_write):
+    token = write_token(ds_write, permissions=["ir"])
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json={"operations": [{"op": "add_column", "args": {"name": "slug"}}]},
+        headers=_headers(token),
+    )
+    assert response.status_code == 403
+    assert response.json() == {
+        "ok": False,
+        "errors": ["Permission denied: need alter-table"],
+    }
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "body,expected_error",
+    (
+        (
+            {
+                "dry_run": True,
+                "operations": [
+                    {"op": "add_column", "args": {"name": "slug", "type": "text"}}
+                ],
+            },
+            "dry_run: Extra inputs are not permitted",
+        ),
+        (
+            {"operations": [{"op": "add_column", "args": {"type": "text"}}]},
+            "operations.0.add_column.args.name: Field required",
+        ),
+        (
+            {
+                "operations": [
+                    {"op": "add_column", "args": {"name": "x", "type": "bad"}}
+                ]
+            },
+            "operations.0.add_column.args.type: Input should be 'text', 'integer', 'float' or 'blob'",
+        ),
+        (
+            {
+                "operations": [
+                    {
+                        "op": "add_column",
+                        "args": {
+                            "name": "x",
+                            "default_expr": "datetime('now')",
+                        },
+                    }
+                ]
+            },
+            "operations.0.add_column.args.default_expr: Input should be 'current_timestamp', 'current_date', 'current_time', 'current_unixtime' or 'current_unixtime_ms'",
+        ),
+        (
+            {
+                "operations": [
+                    {
+                        "op": "add_column",
+                        "args": {
+                            "name": "x",
+                            "default": "x",
+                            "default_expr": "current_timestamp",
+                        },
+                    }
+                ]
+            },
+            "operations.0.add_column.args: Value error, default and default_expr cannot both be provided",
+        ),
+    ),
+)
+async def test_alter_table_validation_errors(ds_write, body, expected_error):
+    response = await ds_write.client.post(
+        "/data/docs/-/alter",
+        json=body,
+        headers=_headers(write_token(ds_write, permissions=["at"])),
+    )
+    assert response.status_code == 400
+    assert response.json()["ok"] is False
+    assert response.json()["errors"] == [expected_error]
+
+
+@pytest.mark.asyncio
+async def test_execute_write_form_parameter_called_sql():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_parameter_sql", name="data")
+    await db.execute_write("create table docs (id integer primary key, title text)")
+    await db.execute_write("insert into docs (id, title) values (1, 'Initial')")
+    await ds.invoke_startup()
+
+    form_response = await ds.client.get(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        params={"sql": "update docs set title = :sql where id = :id"},
+    )
+    assert form_response.status_code == 200
+    assert 'data-parameter-name-prefix="_sql_param_"' in form_response.text
+    assert '<label for="qp1">sql</label>' in form_response.text
+    assert 'name="_sql_param_sql"' in form_response.text
+    assert 'data-parameter-name="sql"' in form_response.text
+    assert 'name="_sql_param_id"' in form_response.text
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={
+            "sql": "update docs set title = :sql where id = :id",
+            "_sql_param_sql": "Updated",
+            "_sql_param_id": "1",
+        },
+    )
+
+    assert response.status_code == 200
+    assert "Query executed, 1 row affected" in response.text
+    assert (await db.execute("select title from docs where id = 1")).first()[
+        0
+    ] == "Updated"
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "input,expected_errors",
@@ -1331,6 +2027,247 @@ async def test_create_table(
     assert [e.name for e in events] == expected_events
 
 
+@pytest.mark.asyncio
+async def test_create_table_with_foreign_key(ds_write):
+    token = write_token(ds_write)
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "owners",
+            "columns": [
+                {"name": "id", "type": "integer"},
+                {"name": "name", "type": "text"},
+            ],
+            "pk": "id",
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "projects",
+            "columns": [
+                {"name": "id", "type": "integer"},
+                {
+                    "name": "owner_id",
+                    "type": "integer",
+                    "fk_table": "owners",
+                },
+                {"name": "title", "type": "text"},
+            ],
+            "pk": "id",
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert "[owner_id] INTEGER REFERENCES [owners]([id])" in data["schema"]
+
+
+@pytest.mark.asyncio
+async def test_create_table_with_column_constraints(ds_write):
+    token = write_token(ds_write)
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "constrained",
+            "columns": [
+                {"name": "id", "type": "integer"},
+                {
+                    "name": "title",
+                    "type": "text",
+                    "not_null": True,
+                    "default": "Untitled",
+                },
+                {
+                    "name": "created",
+                    "type": "text",
+                    "default_expr": "current_timestamp",
+                },
+                {"name": "score", "type": "integer", "default": 0},
+                {"name": "literal_default", "type": "text", "default": "hello)"},
+            ],
+            "pk": "id",
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 201, response.text
+    data = response.json()
+    assert data["ok"] is True
+    assert "NOT NULL DEFAULT 'Untitled'" in data["schema"]
+    assert "DEFAULT CURRENT_TIMESTAMP" in data["schema"]
+    assert "DEFAULT 0" in data["schema"]
+    assert "DEFAULT 'hello)'" in data["schema"]
+
+    db = ds_write.get_database("data")
+    columns = (
+        await db.execute("select * from pragma_table_info('constrained') order by cid")
+    ).dicts()
+    assert [column["name"] for column in columns] == [
+        "id",
+        "title",
+        "created",
+        "score",
+        "literal_default",
+    ]
+    assert columns[0]["pk"] == 1
+    assert columns[1]["notnull"] == 1
+    assert columns[1]["dflt_value"] == "'Untitled'"
+    assert columns[2]["dflt_value"] == "CURRENT_TIMESTAMP"
+    assert columns[3]["dflt_value"] == "0"
+    assert columns[4]["dflt_value"] == "'hello)'"
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "default_expr,minimum_value,expected_schema",
+    (
+        (
+            "current_unixtime",
+            1_600_000_000,
+            "strftime('%s', 'now')",
+        ),
+        (
+            "current_unixtime_ms",
+            1_600_000_000_000,
+            "julianday('now')",
+        ),
+    ),
+)
+async def test_create_table_integer_default_expr(
+    ds_write, default_expr, minimum_value, expected_schema
+):
+    token = write_token(ds_write)
+    table = "default_{}".format(default_expr)
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": table,
+            "columns": [
+                {"name": "id", "type": "integer"},
+                {
+                    "name": "created",
+                    "type": "integer",
+                    "default_expr": default_expr,
+                },
+            ],
+            "pk": "id",
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 201, response.text
+    data = response.json()
+    assert expected_schema in data["schema"]
+
+    db = ds_write.get_database("data")
+    columns = (await db.execute("select * from pragma_table_info(?)", [table])).dicts()
+    assert columns[1]["type"] == "INTEGER"
+    assert expected_schema in columns[1]["dflt_value"]
+
+    row = await db.execute_write_fn(
+        lambda conn: _insert_and_fetch_created(
+            conn, table, "insert into {} default values".format(escape_sqlite(table))
+        )
+    )
+    assert row[0] > minimum_value
+    assert row[1] == "integer"
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "column,expected_error",
+    (
+        (
+            {"name": "owner_id", "type": "integer", "fk_table": "owners"},
+            None,
+        ),
+        (
+            {"name": "owner_id", "type": "integer", "fk_column": "id"},
+            "columns.0: fk_column requires fk_table",
+        ),
+        (
+            {
+                "name": "created",
+                "type": "text",
+                "default_expr": "datetime('now')",
+            },
+            "columns.0.default_expr: Input should be 'current_timestamp', 'current_date', 'current_time', 'current_unixtime' or 'current_unixtime_ms'",
+        ),
+        (
+            {
+                "name": "created",
+                "type": "text",
+                "default": "x",
+                "default_expr": "current_timestamp",
+            },
+            "columns.0: Value error, default and default_expr cannot both be provided",
+        ),
+    ),
+)
+async def test_create_table_column_validation(ds_write, column, expected_error):
+    token = write_token(ds_write)
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "projects",
+            "columns": [column],
+        },
+        headers=_headers(token),
+    )
+    if expected_error:
+        assert response.status_code == 400
+        assert response.json() == {"ok": False, "errors": [expected_error]}
+    else:
+        assert response.status_code == 400
+        assert response.json() == {
+            "ok": False,
+            "errors": ["Could not detect single primary key for table 'owners'"],
+        }
+
+
+@pytest.mark.asyncio
+async def test_create_table_foreign_key_without_fk_column_requires_single_pk(ds_write):
+    token = write_token(ds_write)
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "accounts",
+            "columns": [
+                {"name": "tenant_id", "type": "integer"},
+                {"name": "id", "type": "integer"},
+                {"name": "name", "type": "text"},
+            ],
+            "pks": ["tenant_id", "id"],
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+
+    response = await ds_write.client.post(
+        "/data/-/create",
+        json={
+            "table": "projects",
+            "columns": [
+                {"name": "id", "type": "integer"},
+                {
+                    "name": "account_id",
+                    "type": "integer",
+                    "fk_table": "accounts",
+                },
+            ],
+            "pk": "id",
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert response.json() == {
+        "ok": False,
+        "errors": ["Could not detect single primary key for table 'accounts'"],
+    }
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "permissions,body,expected_status,expected_errors",
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 1e1cd622..5868a21c 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -191,6 +191,7 @@ def test_auth_create_token(
             "all:view-query",
             "database:fixtures:drop-table",
             "resource:fixtures:foreign_key_references:insert-row",
+            "resource:fixtures:facetable:set-column-type",
         }
     )
     # Now try actually creating one
@@ -427,6 +428,15 @@ async def test_root_with_root_enabled_gets_all_permissions(ds_client):
         is True
     )
 
+    assert (
+        await ds_client.ds.allowed(
+            action="set-column-type",
+            resource=TableResource("fixtures", "facetable"),
+            actor=root_actor,
+        )
+        is True
+    )
+
     assert (
         await ds_client.ds.allowed(
             action="drop-table",
@@ -491,3 +501,12 @@ async def test_root_without_root_enabled_no_special_permissions(ds_client):
         )
         is not True
     ), "Root without root_enabled should not automatically get drop-table"
+
+    assert (
+        await ds_client.ds.allowed(
+            action="set-column-type",
+            resource=TableResource("fixtures", "facetable"),
+            actor=root_actor,
+        )
+        is not True
+    ), "Root without root_enabled should not automatically get set-column-type"
diff --git a/tests/test_autocomplete.py b/tests/test_autocomplete.py
new file mode 100644
index 00000000..76b9c902
--- /dev/null
+++ b/tests/test_autocomplete.py
@@ -0,0 +1,253 @@
+import pytest
+
+from datasette.app import Datasette
+from datasette.database import QueryInterrupted
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_single_pk_exact_match_and_label_order():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("autocomplete_single")
+    await db.execute_write_script("""
+        create table people (
+            id integer primary key,
+            name text
+        );
+        insert into people (id, name) values
+            (2, 'Longer non-label pk match'),
+            (20, '2'),
+            (21, '22'),
+            (200, 'A'),
+            (3, 'A label containing 2');
+        """)
+
+    response = await ds.client.get("/autocomplete_single/people/-/autocomplete?q=2")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"id": 2}, "label": "Longer non-label pk match"},
+            {"pks": {"id": 20}, "label": "2"},
+            {"pks": {"id": 21}, "label": "22"},
+            {"pks": {"id": 3}, "label": "A label containing 2"},
+            {"pks": {"id": 200}, "label": "A"},
+        ]
+    }
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_blank_q_returns_no_results():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("autocomplete_blank")
+    await db.execute_write_script("""
+        create table people (
+            id integer primary key,
+            name text
+        );
+        insert into people (id, name) values
+            (1, 'Alice'),
+            (2, 'Bob');
+        """)
+
+    response = await ds.client.get("/autocomplete_blank/people/-/autocomplete?q=")
+
+    assert response.status_code == 200
+    assert response.json() == {"rows": []}
+
+    response = await ds.client.get("/autocomplete_blank/people/-/autocomplete")
+
+    assert response.status_code == 200
+    assert response.json() == {"rows": []}
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_initial_returns_latest_rows():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("autocomplete_initial")
+    await db.execute_write_script("""
+        create table people (
+            id integer primary key,
+            name text
+        );
+        insert into people (id, name) values
+            (1, 'Alice'),
+            (2, 'Bob'),
+            (3, 'Cleo');
+        """)
+
+    response = await ds.client.get(
+        "/autocomplete_initial/people/-/autocomplete?_initial=1"
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"id": 3}, "label": "Cleo"},
+            {"pks": {"id": 2}, "label": "Bob"},
+            {"pks": {"id": 1}, "label": "Alice"},
+        ]
+    }
+
+    response = await ds.client.get(
+        "/autocomplete_initial/people/-/autocomplete?q=&_initial=1"
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"id": 3}, "label": "Cleo"},
+            {"pks": {"id": 2}, "label": "Bob"},
+            {"pks": {"id": 1}, "label": "Alice"},
+        ]
+    }
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_escapes_like_characters():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("autocomplete_escape")
+    await db.execute_write_script("""
+        create table tags (
+            id integer primary key,
+            name text
+        );
+        insert into tags (id, name) values
+            (1, '100% real'),
+            (2, '100X real'),
+            (3, '100 percent real');
+        """)
+
+    response = await ds.client.get("/autocomplete_escape/tags/-/autocomplete?q=100%25")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"id": 1}, "label": "100% real"},
+        ]
+    }
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_compound_pk_searches_all_pk_columns():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("autocomplete_compound")
+    await db.execute_write_script("""
+        create table places (
+            country text,
+            code text,
+            name text,
+            primary key (country, code)
+        );
+        insert into places (country, code, name) values
+            ('us', 'ca', 'California'),
+            ('ca', 'bc', 'British Columbia'),
+            ('mx', 'ca', 'Campeche'),
+            ('zz', 'zz', 'Nothing');
+        """)
+
+    response = await ds.client.get("/autocomplete_compound/places/-/autocomplete?q=ca")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"country": "mx", "code": "ca"}, "label": "Campeche"},
+            {"pks": {"country": "us", "code": "ca"}, "label": "California"},
+            {"pks": {"country": "ca", "code": "bc"}, "label": "British Columbia"},
+        ]
+    }
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_primary_key_called_label():
+    ds = Datasette(
+        memory=True,
+        config={
+            "databases": {
+                "autocomplete_label_pk": {
+                    "tables": {"things": {"label_column": "name"}}
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("autocomplete_label_pk")
+    await db.execute_write_script("""
+        create table things (
+            label text primary key,
+            name text
+        );
+        insert into things (label, name) values
+            ('abc', 'Display value'),
+            ('def', 'Other value');
+        """)
+
+    response = await ds.client.get("/autocomplete_label_pk/things/-/autocomplete?q=abc")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "rows": [
+            {"pks": {"label": "abc"}, "label": "Display value"},
+        ]
+    }
+
+
+@pytest.mark.asyncio
+async def test_autocomplete_timeout_uses_prefix_fallback(monkeypatch):
+    ds = Datasette(
+        memory=True,
+        config={
+            "databases": {
+                "autocomplete_timeout": {"tables": {"things": {"label_column": "name"}}}
+            }
+        },
+        settings={
+            "num_sql_threads": 1,
+        },
+    )
+    db = ds.add_memory_database("autocomplete_timeout")
+    await db.execute_write_script("""
+        create table things (
+            id text primary key,
+            name text
+        );
+        insert into things (id, name) values
+            ('other-000001', 'item-1999 label-only match');
+        """)
+
+    def insert_rows(conn):
+        conn.executemany(
+            "insert into things (id, name) values (?, ?)",
+            ((f"item-1999{i:02d}", f"name 1999{i:02d}") for i in range(12)),
+        )
+
+    await db.execute_write_fn(insert_rows)
+
+    original_execute = db.execute
+    timeout_was_simulated = False
+
+    async def execute_with_simulated_timeout(sql, params=None, *args, **kwargs):
+        nonlocal timeout_was_simulated
+        if (
+            not timeout_was_simulated
+            and isinstance(params, dict)
+            and params.get("q") == "item-1999"
+            and "prefix_end" not in params
+        ):
+            timeout_was_simulated = True
+            raise QueryInterrupted(Exception("interrupted"), sql, params)
+        return await original_execute(sql, params, *args, **kwargs)
+
+    monkeypatch.setattr(db, "execute", execute_with_simulated_timeout)
+
+    response = await ds.client.get(
+        "/autocomplete_timeout/things/-/autocomplete?q=item-1999"
+    )
+
+    assert response.status_code == 200
+    assert timeout_was_simulated
+    data = response.json()
+    assert data == {
+        "rows": [
+            {"pks": {"id": f"item-1999{i:02d}"}, "label": f"name 1999{i:02d}"}
+            for i in range(10)
+        ]
+    }
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 7673c3f3..f86d6909 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -35,12 +35,28 @@ def test_inspect_cli(app_client):
         assert expected_count == database["tables"][table_name]["count"]
 
 
+def test_inspect_cli_counts_all_rows(tmp_path):
+    db_path = tmp_path / "big.db"
+    conn = sqlite3.connect(db_path)
+    with conn:
+        conn.execute("create table t (id integer primary key)")
+        conn.executemany("insert into t (id) values (?)", ((i,) for i in range(10002)))
+    conn.close()
+
+    runner = CliRunner()
+    result = runner.invoke(cli, ["inspect", str(db_path)])
+    assert result.exit_code == 0, result.output
+    data = json.loads(result.output)
+
+    assert data["big"]["tables"]["t"]["count"] == 10002
+
+
 def test_inspect_cli_writes_to_file(app_client):
     runner = CliRunner()
     result = runner.invoke(
         cli, ["inspect", "fixtures.db", "--inspect-file", "foo.json"]
     )
-    assert 0 == result.exit_code, result.output
+    assert result.exit_code == 0, result.output
     with open("foo.json") as fp:
         data = json.load(fp)
     assert ["fixtures"] == list(data.keys())
@@ -472,7 +488,9 @@ def test_serve_duplicate_database_names(tmpdir):
     nested.mkdir()
     db_2_path = str(tmpdir / "nested" / "db.db")
     for path in (db_1_path, db_2_path):
-        sqlite3.connect(path).execute("vacuum")
+        conn = sqlite3.connect(path)
+        conn.execute("vacuum")
+        conn.close()
     result = runner.invoke(cli, [db_1_path, db_2_path, "--get", "/-/databases.json"])
     assert result.exit_code == 0, result.output
     databases = json.loads(result.output)
@@ -486,7 +504,9 @@ def test_weird_database_names(tmpdir, filename):
     # https://github.com/simonw/datasette/issues/1181
     runner = CliRunner()
     db_path = str(tmpdir / filename)
-    sqlite3.connect(db_path).execute("vacuum")
+    conn = sqlite3.connect(db_path)
+    conn.execute("vacuum")
+    conn.close()
     result1 = runner.invoke(cli, [db_path, "--get", "/"])
     assert result1.exit_code == 0, result1.output
     filename_no_stem = filename.rsplit(".", 1)[0]
@@ -523,7 +543,9 @@ def test_duplicate_database_files_error(tmpdir):
     """Test that passing the same database file multiple times raises an error"""
     runner = CliRunner()
     db_path = str(tmpdir / "test.db")
-    sqlite3.connect(db_path).execute("vacuum")
+    conn = sqlite3.connect(db_path)
+    conn.execute("vacuum")
+    conn.close()
 
     # Test with exact duplicate
     result = runner.invoke(cli, ["serve", db_path, db_path, "--get", "/"])
@@ -542,7 +564,9 @@ def test_duplicate_database_files_error(tmpdir):
     config_dir = tmpdir / "config"
     config_dir.mkdir()
     config_db_path = str(config_dir / "data.db")
-    sqlite3.connect(config_db_path).execute("vacuum")
+    conn = sqlite3.connect(config_db_path)
+    conn.execute("vacuum")
+    conn.close()
 
     result3 = runner.invoke(
         cli, ["serve", config_db_path, str(config_dir), "--get", "/"]
@@ -553,7 +577,9 @@ def test_duplicate_database_files_error(tmpdir):
 
     # Test that mixing a file NOT in the directory with a directory works fine
     other_db_path = str(tmpdir / "other.db")
-    sqlite3.connect(other_db_path).execute("vacuum")
+    conn = sqlite3.connect(other_db_path)
+    conn.execute("vacuum")
+    conn.close()
 
     result4 = runner.invoke(
         cli, ["serve", other_db_path, str(config_dir), "--get", "/-/databases.json"]
diff --git a/tests/test_column_types.py b/tests/test_column_types.py
new file mode 100644
index 00000000..45a9e7d1
--- /dev/null
+++ b/tests/test_column_types.py
@@ -0,0 +1,1125 @@
+import json
+import logging
+
+from bs4 import BeautifulSoup as Soup
+from datasette.app import Datasette
+from datasette.column_types import (
+    ColumnType,
+    SQLiteType,
+)
+from datasette.hookspecs import hookimpl
+from datasette.plugins import pm
+from datasette.utils import sqlite3
+from datasette.utils import StartupError
+import markupsafe
+import pytest
+import time
+
+
+@pytest.fixture
+def ds_ct(tmp_path_factory):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute(
+        "create table posts (id integer primary key, title text, body text, "
+        "author_email text, website text, metadata text)"
+    )
+    db.execute(
+        "insert into posts values (1, 'Hello', '# World', 'test@example.com', "
+        "'https://example.com', '{\"key\": \"value\"}')"
+    )
+    db.commit()
+    ds = Datasette(
+        [db_path],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "posts": {
+                            "column_types": {
+                                "body": "markdown",
+                                "author_email": "email",
+                                "website": "url",
+                                "metadata": "json",
+                            }
+                        }
+                    }
+                }
+            }
+        },
+    )
+    ds.root_enabled = True
+    yield ds
+    ds.close()
+
+
+@pytest.fixture
+def ds_ct_editor_permission(tmp_path_factory):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute(
+        "create table posts (id integer primary key, title text, body text, "
+        "author_email text, website text, metadata text)"
+    )
+    db.execute(
+        "insert into posts values (1, 'Hello', '# World', 'test@example.com', "
+        "'https://example.com', '{\"key\": \"value\"}')"
+    )
+    db.commit()
+    ds = Datasette(
+        [db_path],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "posts": {
+                            "permissions": {"set-column-type": {"id": "editor"}},
+                            "column_types": {
+                                "body": "markdown",
+                                "author_email": "email",
+                                "website": "url",
+                                "metadata": "json",
+                            },
+                        }
+                    }
+                }
+            }
+        },
+    )
+    ds.root_enabled = True
+    yield ds
+    ds.close()
+
+
+def write_token(ds, actor_id="root", permissions=None):
+    to_sign = {"a": actor_id, "token": "dstok", "t": int(time.time())}
+    if permissions:
+        to_sign["_r"] = {"a": permissions}
+    return "dstok_{}".format(ds.sign(to_sign, namespace="token"))
+
+
+def _headers(token):
+    return {
+        "Authorization": "Bearer {}".format(token),
+        "Content-Type": "application/json",
+    }
+
+
+def _window_data_from_html(html, variable_name):
+    soup = Soup(html, "html.parser")
+    scripts = soup.find_all("script")
+    matching_scripts = [
+        script for script in scripts if variable_name in (script.string or "")
+    ]
+    assert len(matching_scripts) == 1
+    script_text = matching_scripts[0].string.strip()
+    prefix = f"window.{variable_name} = "
+    assert script_text.startswith(prefix)
+    return json.loads(script_text[len(prefix) :].rstrip(";"))
+
+
+# --- Internal DB and config loading ---
+
+
+@pytest.mark.asyncio
+async def test_column_types_table_created(ds_ct):
+    await ds_ct.invoke_startup()
+    internal = ds_ct.get_internal_database()
+    result = await internal.execute(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='column_types'"
+    )
+    assert len(result.rows) == 1
+
+
+@pytest.mark.asyncio
+async def test_config_loaded_into_internal_db(ds_ct):
+    await ds_ct.invoke_startup()
+    ct_map = await ds_ct.get_column_types("data", "posts")
+    # "markdown" is not a registered type, so it won't appear
+    assert "body" not in ct_map
+    assert ct_map["author_email"].name == "email"
+    assert ct_map["author_email"].config is None
+    assert ct_map["website"].name == "url"
+    assert ct_map["metadata"].name == "json"
+
+
+@pytest.mark.asyncio
+async def test_config_with_type_and_config(tmp_path_factory):
+    class PointColumnType(ColumnType):
+        name = "point"
+        description = "Geographic point"
+
+    class _Plugin:
+        @hookimpl
+        def register_column_types(self, datasette):
+            return [PointColumnType]
+
+    plugin = _Plugin()
+    pm.register(plugin, name="test_point_ct")
+    try:
+        db_directory = tmp_path_factory.mktemp("dbs")
+        db_path = str(db_directory / "data.db")
+        db = sqlite3.connect(str(db_path))
+        db.execute("vacuum")
+        db.execute("create table geo (id integer primary key, location text)")
+        ds = Datasette(
+            [db_path],
+            config={
+                "databases": {
+                    "data": {
+                        "tables": {
+                            "geo": {
+                                "column_types": {
+                                    "location": {
+                                        "type": "point",
+                                        "config": {"srid": 4326},
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+        )
+        await ds.invoke_startup()
+        ct = await ds.get_column_type("data", "geo", "location")
+        assert ct.name == "point"
+        assert ct.config == {"srid": 4326}
+        db.close()
+        for database in ds.databases.values():
+            if not database.is_memory:
+                database.close()
+    finally:
+        pm.unregister(plugin, name="test_point_ct")
+
+
+# --- Datasette API methods ---
+
+
+@pytest.mark.asyncio
+async def test_get_column_type(ds_ct):
+    await ds_ct.invoke_startup()
+    ct = await ds_ct.get_column_type("data", "posts", "author_email")
+    assert isinstance(ct, ColumnType)
+    assert ct.name == "email"
+    assert ct.config is None
+
+
+@pytest.mark.asyncio
+async def test_get_column_type_missing(ds_ct):
+    await ds_ct.invoke_startup()
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct is None
+
+
+@pytest.mark.asyncio
+async def test_set_and_remove_column_type(ds_ct):
+    await ds_ct.invoke_startup()
+    await ds_ct.set_column_type("data", "posts", "title", "email")
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct.name == "email"
+    assert ct.config is None
+
+    await ds_ct.remove_column_type("data", "posts", "title")
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct is None
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_with_config(ds_ct):
+    await ds_ct.invoke_startup()
+    await ds_ct.set_column_type("data", "posts", "title", "url", {"max_length": 200})
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct.name == "url"
+    assert ct.config == {"max_length": 200}
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_api(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct, permissions=["sct"])
+    response = await ds_ct.client.post(
+        "/data/posts/-/set-column-type",
+        json={"column": "title", "column_type": {"type": "email"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 200
+    assert response.json() == {
+        "ok": True,
+        "database": "data",
+        "table": "posts",
+        "column": "title",
+        "column_type": {"type": "email", "config": None},
+    }
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct.name == "email"
+    assert ct.config is None
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_api_with_config(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct, permissions=["sct"])
+    response = await ds_ct.client.post(
+        "/data/posts/-/set-column-type",
+        json={
+            "column": "title",
+            "column_type": {"type": "url", "config": {"max_length": 200}},
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200
+    assert response.json()["column_type"] == {
+        "type": "url",
+        "config": {"max_length": 200},
+    }
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct.name == "url"
+    assert ct.config == {"max_length": 200}
+
+
+@pytest.mark.asyncio
+async def test_clear_column_type_api(ds_ct):
+    await ds_ct.invoke_startup()
+    await ds_ct.set_column_type("data", "posts", "title", "email")
+    token = write_token(ds_ct, permissions=["sct"])
+    response = await ds_ct.client.post(
+        "/data/posts/-/set-column-type",
+        json={"column": "title", "column_type": None},
+        headers=_headers(token),
+    )
+    assert response.status_code == 200
+    assert response.json() == {
+        "ok": True,
+        "database": "data",
+        "table": "posts",
+        "column": "title",
+        "column_type": None,
+    }
+    ct = await ds_ct.get_column_type("data", "posts", "title")
+    assert ct is None
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "body,special_case,expected_status,expected_errors",
+    (
+        (
+            {"column": "title", "column_type": {"type": "email"}},
+            "no_permission",
+            403,
+            ["Permission denied"],
+        ),
+        (
+            None,
+            "invalid_json",
+            400,
+            [
+                "Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)"
+            ],
+        ),
+        (
+            {"column": "title", "column_type": {"type": "email"}},
+            "invalid_content_type",
+            400,
+            ["Invalid content-type, must be application/json"],
+        ),
+        (
+            [],
+            None,
+            400,
+            ["JSON must be a dictionary"],
+        ),
+        (
+            {"column_type": {"type": "email"}},
+            None,
+            400,
+            ['"column" is required'],
+        ),
+        (
+            {"column": 1, "column_type": {"type": "email"}},
+            None,
+            400,
+            ['"column" must be a string'],
+        ),
+        (
+            {"column": "not_a_column", "column_type": {"type": "email"}},
+            None,
+            400,
+            ["Column not found: not_a_column"],
+        ),
+        (
+            {"column": "title", "column_type": "email"},
+            None,
+            400,
+            ['"column_type" must be an object or null'],
+        ),
+        (
+            {"column": "title", "column_type": {}},
+            None,
+            400,
+            ['"column_type.type" is required'],
+        ),
+        (
+            {"column": "title", "column_type": {"type": 1}},
+            None,
+            400,
+            ['"column_type.type" must be a string'],
+        ),
+        (
+            {"column": "title", "column_type": {"type": "url", "config": []}},
+            None,
+            400,
+            ['"column_type.config" must be a dictionary'],
+        ),
+        (
+            {"column": "title", "column_type": {"type": "markdown"}},
+            None,
+            400,
+            ["Unknown column type: markdown"],
+        ),
+        (
+            {"column": "id", "column_type": {"type": "json"}},
+            None,
+            400,
+            [
+                "Column type 'json' is only applicable to SQLite types TEXT but data.posts.id has SQLite type INTEGER"
+            ],
+        ),
+        (
+            {
+                "column": "title",
+                "column_type": {"type": "email"},
+                "extra": True,
+            },
+            None,
+            400,
+            ['Invalid parameter: "extra"'],
+        ),
+    ),
+)
+async def test_set_column_type_api_errors(
+    ds_ct, body, special_case, expected_status, expected_errors
+):
+    await ds_ct.invoke_startup()
+    token = write_token(
+        ds_ct,
+        permissions=(["sct"] if special_case != "no_permission" else ["vi"]),
+    )
+    kwargs = {
+        "headers": {
+            "Authorization": f"Bearer {token}",
+            "Content-Type": (
+                "text/plain"
+                if special_case == "invalid_content_type"
+                else "application/json"
+            ),
+        }
+    }
+    if special_case == "invalid_json":
+        kwargs["content"] = "{bad json"
+    else:
+        kwargs["json"] = body
+    response = await ds_ct.client.post("/data/posts/-/set-column-type", **kwargs)
+    assert response.status_code == expected_status
+    assert response.json() == {"ok": False, "errors": expected_errors}
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_api_works_for_immutable_database(tmp_path_factory):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "immutable.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table posts (id integer primary key, title text)")
+    db.commit()
+    ds = Datasette([], immutables=[db_path])
+    ds.root_enabled = True
+    try:
+        await ds.invoke_startup()
+        token = write_token(ds, permissions=["sct"])
+        response = await ds.client.post(
+            "/immutable/posts/-/set-column-type",
+            json={"column": "title", "column_type": {"type": "email"}},
+            headers=_headers(token),
+        )
+        assert response.status_code == 200
+        assert response.json()["column_type"] == {"type": "email", "config": None}
+        ct = await ds.get_column_type("immutable", "posts", "title")
+        assert ct.name == "email"
+    finally:
+        db.close()
+        for database in ds.databases.values():
+            if not database.is_memory:
+                database.close()
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_rejects_incompatible_sqlite_type(ds_ct):
+    await ds_ct.invoke_startup()
+    with pytest.raises(ValueError, match="only applicable to SQLite types TEXT"):
+        await ds_ct.set_column_type("data", "posts", "id", "json")
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_allows_varchar_for_text_only_type(tmp_path_factory):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table links (id integer primary key, url varchar(255))")
+    db.commit()
+    ds = Datasette([db_path])
+    await ds.invoke_startup()
+    await ds.set_column_type("data", "links", "url", "url")
+    ct = await ds.get_column_type("data", "links", "url")
+    assert ct.name == "url"
+    db.close()
+    for database in ds.databases.values():
+        if not database.is_memory:
+            database.close()
+
+
+# --- Plugin registration ---
+
+
+@pytest.mark.asyncio
+async def test_builtin_column_types_registered(ds_ct):
+    """register_column_types returns classes; _column_types stores them by name."""
+    await ds_ct.invoke_startup()
+    assert "url" in ds_ct._column_types
+    assert "email" in ds_ct._column_types
+    assert "json" in ds_ct._column_types
+    assert "textarea" in ds_ct._column_types
+    assert "nonexistent" not in ds_ct._column_types
+
+
+@pytest.mark.asyncio
+async def test_column_type_class_attributes(ds_ct):
+    await ds_ct.invoke_startup()
+    url_cls = ds_ct._column_types["url"]
+    assert url_cls.name == "url"
+    assert url_cls.description == "URL"
+    assert url_cls.sqlite_types == (SQLiteType.TEXT,)
+    email_cls = ds_ct._column_types["email"]
+    assert email_cls.name == "email"
+    assert email_cls.description == "Email address"
+    assert email_cls.sqlite_types == (SQLiteType.TEXT,)
+    json_cls = ds_ct._column_types["json"]
+    assert json_cls.sqlite_types == (SQLiteType.TEXT,)
+    textarea_cls = ds_ct._column_types["textarea"]
+    assert textarea_cls.name == "textarea"
+    assert textarea_cls.description == "Multiline text"
+    assert textarea_cls.sqlite_types == (SQLiteType.TEXT,)
+
+
+def test_sqlite_type_from_declared_type():
+    assert SQLiteType.from_declared_type(None) == SQLiteType.BLOB
+    assert SQLiteType.from_declared_type("text") == SQLiteType.TEXT
+    assert SQLiteType.from_declared_type("varchar(255)") == SQLiteType.TEXT
+    assert SQLiteType.from_declared_type("integer") == SQLiteType.INTEGER
+    assert SQLiteType.from_declared_type("float") == SQLiteType.REAL
+    assert SQLiteType.from_declared_type("blob") == SQLiteType.BLOB
+    assert SQLiteType.from_declared_type("") == SQLiteType.BLOB
+    assert SQLiteType.from_declared_type("numeric") == SQLiteType.NUMERIC
+    assert SQLiteType.from_declared_type("decimal(10,5)") == SQLiteType.NUMERIC
+    assert SQLiteType.from_declared_type("boolean") == SQLiteType.NUMERIC
+    assert SQLiteType.from_declared_type("date") == SQLiteType.NUMERIC
+    assert SQLiteType.from_declared_type("null") == SQLiteType.NUMERIC
+
+
+# --- JSON API ---
+
+
+@pytest.mark.asyncio
+async def test_column_types_extra(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=column_types")
+    assert response.status_code == 200
+    data = response.json()
+    assert "column_types" in data
+    assert data["column_types"]["author_email"] == {"type": "email", "config": None}
+    assert data["column_types"]["website"] == {"type": "url", "config": None}
+    assert data["column_types"]["metadata"] == {"type": "json", "config": None}
+    # "markdown" is not a registered type, so body should not appear
+    assert "body" not in data["column_types"]
+    # title has no column type, should not appear
+    assert "title" not in data["column_types"]
+
+
+@pytest.mark.asyncio
+async def test_display_columns_include_column_type(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=display_columns")
+    assert response.status_code == 200
+    data = response.json()
+    cols = {c["name"]: c for c in data["display_columns"]}
+    assert cols["author_email"]["column_type"] == "email"
+    assert cols["author_email"]["column_type_config"] is None
+    assert cols["website"]["column_type"] == "url"
+    assert cols["title"]["column_type"] is None
+
+
+# --- Rendering ---
+
+
+@pytest.mark.asyncio
+async def test_url_render_cell(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=render_cell")
+    assert response.status_code == 200
+    data = response.json()
+    rendered = data["render_cell"][0]
+    assert "href" in rendered["website"]
+    assert "https://example.com" in rendered["website"]
+
+
+@pytest.mark.asyncio
+async def test_email_render_cell(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=render_cell")
+    assert response.status_code == 200
+    data = response.json()
+    rendered = data["render_cell"][0]
+    assert "mailto:" in rendered["author_email"]
+    assert "test@example.com" in rendered["author_email"]
+
+
+@pytest.mark.asyncio
+async def test_json_render_cell(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=render_cell")
+    assert response.status_code == 200
+    data = response.json()
+    rendered = data["render_cell"][0]
+    assert "<pre>" in rendered["metadata"]
+
+
+# --- Validation ---
+
+
+@pytest.mark.asyncio
+async def test_email_validation_on_insert(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "author_email": "not-an-email"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert "author_email" in response.json()["errors"][0]
+
+
+@pytest.mark.asyncio
+async def test_email_validation_passes_valid(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "author_email": "valid@example.com"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+
+
+@pytest.mark.asyncio
+async def test_url_validation_on_insert(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "website": "not-a-url"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert "website" in response.json()["errors"][0]
+
+
+@pytest.mark.asyncio
+async def test_json_validation_on_insert(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "metadata": "not-json{"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert "metadata" in response.json()["errors"][0]
+
+
+@pytest.mark.asyncio
+async def test_validation_on_update(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/1/-/update",
+        json={"update": {"author_email": "invalid"}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert "author_email" in response.json()["errors"][0]
+
+
+@pytest.mark.asyncio
+async def test_validation_allows_null(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "author_email": None}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+
+
+@pytest.mark.asyncio
+async def test_validation_allows_empty_string(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/insert",
+        json={"row": {"title": "Test", "author_email": ""}},
+        headers=_headers(token),
+    )
+    assert response.status_code == 201
+
+
+# --- ColumnType base class ---
+
+
+@pytest.mark.asyncio
+async def test_column_type_base_defaults():
+    class TestType(ColumnType):
+        name = "test"
+        description = "Test type"
+
+    ct = TestType()
+    assert ct.config is None
+    assert await ct.render_cell("val", "col", "tbl", "db", None, None) is None
+    assert await ct.validate("val", None) is None
+    assert await ct.transform_value("val", None) == "val"
+
+
+# --- render_cell extra with column types ---
+
+
+@pytest.mark.asyncio
+async def test_render_cell_extra_with_column_types(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts.json?_extra=render_cell")
+    assert response.status_code == 200
+    data = response.json()
+    rendered = data["render_cell"][0]
+    assert "mailto:" in rendered["author_email"]
+    assert "href" in rendered["website"]
+
+
+# --- Duplicate column type name ---
+
+
+@pytest.mark.asyncio
+async def test_duplicate_column_type_name_raises_error():
+    class DuplicateUrlType(ColumnType):
+        name = "url"
+        description = "Duplicate URL"
+
+        async def render_cell(self, value, column, table, database, datasette, request):
+            return None
+
+    class _Plugin:
+        @hookimpl
+        def register_column_types(self, datasette):
+            return [DuplicateUrlType]
+
+    plugin = _Plugin()
+    pm.register(plugin, name="test_duplicate_ct")
+    try:
+        ds = Datasette()
+        with pytest.raises(StartupError, match="Duplicate column type name: url"):
+            await ds.invoke_startup()
+    finally:
+        pm.unregister(plugin, name="test_duplicate_ct")
+
+
+# --- Row endpoint ---
+
+
+@pytest.mark.asyncio
+async def test_row_endpoint_render_cell_with_column_types(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts/1.json?_extra=render_cell")
+    assert response.status_code == 200
+    data = response.json()
+    rendered = data["render_cell"][0]
+    assert "mailto:" in rendered["author_email"]
+    assert "href" in rendered["website"]
+
+
+# --- transform_value in JSON output ---
+
+
+@pytest.mark.asyncio
+async def test_transform_value_in_json_output(tmp_path_factory):
+    """A column type with transform_value should modify rows in JSON API."""
+
+    class UpperColumnType(ColumnType):
+        name = "upper"
+        description = "Uppercase"
+
+        async def transform_value(self, value, datasette):
+            if isinstance(value, str):
+                return value.upper()
+            return value
+
+    class _Plugin:
+        @hookimpl
+        def register_column_types(self, datasette):
+            return [UpperColumnType]
+
+    plugin = _Plugin()
+    pm.register(plugin, name="test_transform_ct")
+    try:
+        db_directory = tmp_path_factory.mktemp("dbs")
+        db_path = str(db_directory / "data.db")
+        db = sqlite3.connect(str(db_path))
+        db.execute("vacuum")
+        db.execute("create table t (id integer primary key, name text)")
+        db.execute("insert into t values (1, 'hello')")
+        db.commit()
+        ds = Datasette(
+            [db_path],
+            config={
+                "databases": {
+                    "data": {"tables": {"t": {"column_types": {"name": "upper"}}}}
+                }
+            },
+        )
+        await ds.invoke_startup()
+        response = await ds.client.get("/data/t.json")
+        assert response.status_code == 200
+        data = response.json()
+        assert data["rows"][0]["name"] == "HELLO"
+        db.close()
+        for database in ds.databases.values():
+            if not database.is_memory:
+                database.close()
+    finally:
+        pm.unregister(plugin, name="test_transform_ct")
+
+
+# --- Column type priority over plugins ---
+
+
+@pytest.mark.asyncio
+async def test_column_type_render_cell_has_priority_over_plugins(tmp_path_factory):
+    """Column type render_cell should take priority over render_cell plugin hook."""
+
+    class PriorityColumnType(ColumnType):
+        name = "priority_test"
+        description = "Priority test"
+
+        async def render_cell(self, value, column, table, database, datasette, request):
+            if value is not None:
+                return markupsafe.Markup(
+                    f"<b>COLUMN_TYPE:{markupsafe.escape(value)}</b>"
+                )
+            return None
+
+    class _ColumnTypePlugin:
+        @hookimpl
+        def register_column_types(self, datasette):
+            return [PriorityColumnType]
+
+    class _RenderCellPlugin:
+        @hookimpl
+        def render_cell(
+            self,
+            row,
+            value,
+            column,
+            table,
+            pks,
+            database,
+            datasette,
+            request,
+            column_type,
+        ):
+            if column == "name":
+                return markupsafe.Markup(f"<i>PLUGIN:{markupsafe.escape(value)}</i>")
+
+    ct_plugin = _ColumnTypePlugin()
+    rc_plugin = _RenderCellPlugin()
+    pm.register(ct_plugin, name="test_priority_ct")
+    pm.register(rc_plugin, name="test_priority_render")
+    try:
+        db_directory = tmp_path_factory.mktemp("dbs")
+        db_path = str(db_directory / "data.db")
+        db = sqlite3.connect(str(db_path))
+        db.execute("vacuum")
+        db.execute("create table t (id integer primary key, name text)")
+        db.execute("insert into t values (1, 'hello')")
+        db.commit()
+        ds = Datasette(
+            [db_path],
+            config={
+                "databases": {
+                    "data": {
+                        "tables": {"t": {"column_types": {"name": "priority_test"}}}
+                    }
+                }
+            },
+        )
+        await ds.invoke_startup()
+        response = await ds.client.get("/data/t.json?_extra=render_cell")
+        assert response.status_code == 200
+        data = response.json()
+        rendered = data["render_cell"][0]
+        # Column type should win over the plugin
+        assert "COLUMN_TYPE:" in rendered["name"]
+        assert "PLUGIN:" not in rendered["name"]
+        db.close()
+        for database in ds.databases.values():
+            if not database.is_memory:
+                database.close()
+    finally:
+        pm.unregister(ct_plugin, name="test_priority_ct")
+        pm.unregister(rc_plugin, name="test_priority_render")
+
+
+# --- Row detail page rendering ---
+
+
+@pytest.mark.asyncio
+async def test_row_detail_page_html_rendering(ds_ct):
+    """Row detail HTML page should use column type rendering."""
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts/1")
+    assert response.status_code == 200
+    html = response.text
+    # The email column should be rendered with mailto: link
+    assert "mailto:test@example.com" in html
+    # The url column should be rendered with href
+    assert 'href="https://example.com"' in html
+
+
+# --- HTML table page rendering ---
+
+
+@pytest.mark.asyncio
+async def test_html_table_page_rendering(ds_ct):
+    """HTML table page should use column type rendering."""
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts")
+    assert response.status_code == 200
+    html = response.text
+    assert "mailto:test@example.com" in html
+    assert 'href="https://example.com"' in html
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_ui_data_hidden_without_permission(ds_ct):
+    await ds_ct.invoke_startup()
+    response = await ds_ct.client.get("/data/posts")
+    assert response.status_code == 200
+    assert "window._setColumnTypeData" not in response.text
+
+
+@pytest.mark.asyncio
+async def test_set_column_type_ui_data_includes_applicable_types(
+    ds_ct_editor_permission,
+):
+    await ds_ct_editor_permission.invoke_startup()
+    response = await ds_ct_editor_permission.client.get(
+        "/data/posts",
+        actor={"id": "editor"},
+    )
+    assert response.status_code == 200
+    data = _window_data_from_html(response.text, "_setColumnTypeData")
+    assert data["path"] == "/data/posts/-/set-column-type"
+    assert data["columns"]["id"] == {
+        "current": None,
+        "options": [],
+    }
+    assert data["columns"]["title"] == {
+        "current": None,
+        "options": [
+            {"name": "email", "description": "Email address"},
+            {"name": "json", "description": "JSON data"},
+            {"name": "textarea", "description": "Multiline text"},
+            {"name": "url", "description": "URL"},
+        ],
+    }
+    assert data["columns"]["author_email"] == {
+        "current": {"type": "email", "config": None},
+        "options": [
+            {"name": "email", "description": "Email address"},
+            {"name": "json", "description": "JSON data"},
+            {"name": "textarea", "description": "Multiline text"},
+            {"name": "url", "description": "URL"},
+        ],
+    }
+
+
+# --- Validation on upsert ---
+
+
+@pytest.mark.asyncio
+async def test_validation_on_upsert(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/upsert",
+        json={
+            "rows": [{"id": 1, "title": "Updated", "author_email": "invalid"}],
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert "author_email" in response.json()["errors"][0]
+
+
+@pytest.mark.asyncio
+async def test_validation_on_upsert_passes_valid(ds_ct):
+    await ds_ct.invoke_startup()
+    token = write_token(ds_ct)
+    response = await ds_ct.client.post(
+        "/data/posts/-/upsert",
+        json={
+            "rows": [{"id": 1, "title": "Updated", "author_email": "valid@test.com"}],
+        },
+        headers=_headers(token),
+    )
+    assert response.status_code == 200
+
+
+# --- Unknown type warning logged ---
+
+
+@pytest.mark.asyncio
+async def test_unknown_type_warning_logged(tmp_path_factory, caplog):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table t (id integer primary key, col text)")
+    db.commit()
+    ds = Datasette(
+        [db_path],
+        config={
+            "databases": {
+                "data": {"tables": {"t": {"column_types": {"col": "nonexistent_type"}}}}
+            }
+        },
+    )
+    with caplog.at_level(logging.WARNING):
+        await ds.invoke_startup()
+    assert "unknown type" in caplog.text.lower()
+    assert "nonexistent_type" in caplog.text
+    db.close()
+    for database in ds.databases.values():
+        if not database.is_memory:
+            database.close()
+
+
+@pytest.mark.asyncio
+async def test_incompatible_sqlite_type_warning_logged(tmp_path_factory, caplog):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table t (id integer primary key, col integer)")
+    db.commit()
+    ds = Datasette(
+        [db_path],
+        config={
+            "databases": {"data": {"tables": {"t": {"column_types": {"col": "json"}}}}}
+        },
+    )
+    with caplog.at_level(logging.WARNING):
+        await ds.invoke_startup()
+    assert "only applicable to sqlite types text" in caplog.text.lower()
+    assert await ds.get_column_type("data", "t", "col") is None
+    db.close()
+    for database in ds.databases.values():
+        if not database.is_memory:
+            database.close()
+
+
+# --- Config overwrites on restart ---
+
+
+@pytest.mark.asyncio
+async def test_config_overwrites_on_restart(tmp_path_factory):
+    """Config values should overwrite any existing column types in internal DB on startup."""
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table t (id integer primary key, col text)")
+    db.commit()
+    ds = Datasette(
+        [db_path],
+        config={
+            "databases": {"data": {"tables": {"t": {"column_types": {"col": "email"}}}}}
+        },
+    )
+    await ds.invoke_startup()
+    ct = await ds.get_column_type("data", "t", "col")
+    assert ct.name == "email"
+
+    # Manually change the column type in the internal DB
+    await ds.set_column_type("data", "t", "col", "url")
+    ct = await ds.get_column_type("data", "t", "col")
+    assert ct.name == "url"
+
+    # Re-apply config (simulating what happens on restart)
+    await ds._apply_column_types_config()
+    ct = await ds.get_column_type("data", "t", "col")
+    assert ct.name == "email"  # Config wins
+
+    db.close()
+    for database in ds.databases.values():
+        if not database.is_memory:
+            database.close()
+
+
+# --- No column_types in config ---
+
+
+@pytest.mark.asyncio
+async def test_no_column_types_in_config(tmp_path_factory):
+    """Datasette should work fine without any column_types configuration."""
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "data.db")
+    db = sqlite3.connect(str(db_path))
+    db.execute("vacuum")
+    db.execute("create table t (id integer primary key, col text)")
+    db.execute("insert into t values (1, 'hello')")
+    db.commit()
+    ds = Datasette([db_path])
+    await ds.invoke_startup()
+
+    # No column types assigned
+    ct_map = await ds.get_column_types("data", "t")
+    assert ct_map == {}
+
+    # JSON endpoint should work without column_types extra
+    response = await ds.client.get("/data/t.json")
+    assert response.status_code == 200
+    assert response.json()["rows"][0]["col"] == "hello"
+
+    # column_types extra should return empty
+    response = await ds.client.get("/data/t.json?_extra=column_types")
+    assert response.status_code == 200
+    assert response.json()["column_types"] == {}
+
+    db.close()
+    for database in ds.databases.values():
+        if not database.is_memory:
+            database.close()
diff --git a/tests/test_config_dir.py b/tests/test_config_dir.py
index ae7fe500..0a9b30d8 100644
--- a/tests/test_config_dir.py
+++ b/tests/test_config_dir.py
@@ -60,6 +60,7 @@ def config_dir(tmp_path_factory):
             (1, 'San Francisco')
         ;
         """)
+        db.close()
 
     # Mark "immutable.db" as immutable
     (config_dir / "inspect-data.json").write_text(
@@ -95,6 +96,8 @@ def test_invalid_settings(config_dir):
 def config_dir_client(config_dir):
     ds = Datasette([], config_dir=config_dir)
     yield _TestClient(ds)
+    for db in ds.databases.values():
+        db.close()
 
 
 def test_settings(config_dir_client):
diff --git a/tests/test_crossdb.py b/tests/test_crossdb.py
index 7807cd5d..11e53224 100644
--- a/tests/test_crossdb.py
+++ b/tests/test_crossdb.py
@@ -43,6 +43,7 @@ def test_crossdb_warning_if_too_many_databases(tmp_path_factory):
         path = str(db_dir / "db_{}.db".format(i))
         conn = sqlite3.connect(path)
         conn.execute("vacuum")
+        conn.close()
         dbs.append(path)
     runner = CliRunner()
     result = runner.invoke(
diff --git a/tests/test_csrf_middleware.py b/tests/test_csrf_middleware.py
new file mode 100644
index 00000000..2fcfb216
--- /dev/null
+++ b/tests/test_csrf_middleware.py
@@ -0,0 +1,334 @@
+"""
+Tests for the header-based CSRF (Cross-Origin) protection middleware.
+
+Datasette uses the Sec-Fetch-Site + Origin header approach described in
+Filippo Valsorda's article (https://words.filippo.io/csrf/) and implemented
+in Go 1.25's http.CrossOriginProtection. This replaces the previous
+token-based asgi-csrf mechanism.
+"""
+
+import pluggy
+import pytest
+
+from datasette import hookimpl
+from datasette.csrf import CrossOriginProtectionMiddleware, _install_legacy_csrftoken
+
+
+async def _post(bare_ds, **kwargs):
+    kwargs.setdefault("data", {"message": "hello", "message_class": "info"})
+    return await bare_ds.client.post("/-/messages", **kwargs)
+
+
+async def _run_middleware(scope):
+    """
+    Run CrossOriginProtectionMiddleware against a scope and return
+    ("allowed",) if the inner app was called, or ("blocked", status)
+    if the middleware sent a response itself.
+    """
+
+    class FakeDs:
+        async def render_template(self, name, ctx):
+            return "BLOCKED"
+
+    inner_called = []
+
+    async def app(scope, receive, send):
+        inner_called.append(True)
+
+    sent = []
+
+    async def send(msg):
+        sent.append(msg)
+
+    mw = CrossOriginProtectionMiddleware(app, FakeDs())
+    await mw(scope, None, send)
+    if inner_called:
+        return ("allowed",)
+    start = [m for m in sent if m["type"] == "http.response.start"][0]
+    return ("blocked", start["status"])
+
+
+def _http_scope(headers, method="POST"):
+    return {
+        "type": "http",
+        "method": method,
+        "headers": [(k.encode(), v.encode()) for k, v in headers.items()],
+    }
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("method", ["GET", "HEAD", "OPTIONS"])
+async def test_safe_methods_always_pass(bare_ds, method):
+    # Safe methods bypass CSRF entirely, even with hostile headers
+    response = await bare_ds.client.request(
+        method,
+        "/-/messages",
+        headers={"sec-fetch-site": "cross-site", "origin": "http://evil.example"},
+    )
+    assert response.status_code != 403 or "origin" not in response.text.lower()
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("sec_fetch_site", ["same-origin", "none"])
+async def test_post_with_trusted_sec_fetch_site_allowed(bare_ds, sec_fetch_site):
+    # "same-origin" = first-party; "none" = user-initiated direct navigation
+    response = await _post(bare_ds, headers={"sec-fetch-site": sec_fetch_site})
+    assert response.status_code != 403
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("sec_fetch_site", ["cross-site", "same-site", "cross-origin"])
+async def test_post_with_untrusted_sec_fetch_site_blocked(bare_ds, sec_fetch_site):
+    # same-site is blocked too: different subdomains must not bypass CSRF
+    response = await _post(
+        bare_ds, data={"message": "hi"}, headers={"sec-fetch-site": sec_fetch_site}
+    )
+    assert response.status_code == 403
+    assert response.headers["content-type"].startswith("text/html")
+
+
+@pytest.mark.asyncio
+async def test_post_with_no_browser_headers_allowed(bare_ds):
+    # curl / requests / server-to-server: no Sec-Fetch-Site, no Origin.
+    # CSRF is browser-specific so these pass through.
+    response = await _post(bare_ds)
+    assert response.status_code != 403
+
+
+@pytest.mark.asyncio
+async def test_post_with_matching_origin_allowed(bare_ds):
+    # Fallback for older browsers without Sec-Fetch-Site: Origin must match Host
+    response = await _post(bare_ds, headers={"origin": "http://localhost"})
+    assert response.status_code != 403
+
+
+@pytest.mark.asyncio
+async def test_post_with_mismatched_origin_blocked(bare_ds):
+    response = await _post(
+        bare_ds, data={"message": "hi"}, headers={"origin": "http://evil.example.com"}
+    )
+    assert response.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_csrf_error_page_renders(bare_ds):
+    response = await _post(
+        bare_ds, data={"message": "hi"}, headers={"sec-fetch-site": "cross-site"}
+    )
+    assert response.status_code == 403
+    assert "origin" in response.text.lower()
+
+
+@pytest.mark.asyncio
+async def test_csrf_error_page_title_has_no_typo(bare_ds):
+    response = await _post(
+        bare_ds, data={"message": "hi"}, headers={"sec-fetch-site": "cross-site"}
+    )
+    assert "<title>CSRF check failed</title>" in response.text
+    assert "CSRF check failed)" not in response.text
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("scope_type", ["websocket", "lifespan"])
+async def test_non_http_scope_passes_through(scope_type):
+    called = []
+
+    async def app(scope, receive, send):
+        called.append(scope["type"])
+
+    mw = CrossOriginProtectionMiddleware(app, datasette=None)
+    await mw({"type": scope_type}, None, None)
+    assert called == [scope_type]
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "label,headers,expected",
+    [
+        (
+            "plain cross-site blocked",
+            {"sec-fetch-site": "cross-site", "host": "example.com"},
+            ("blocked", 403),
+        ),
+        (
+            "basic auth does not bypass",
+            {
+                "sec-fetch-site": "cross-site",
+                "host": "example.com",
+                "authorization": "Basic dXNlcjpwYXNz",
+            },
+            ("blocked", 403),
+        ),
+        (
+            "bearer auth bypasses",
+            {
+                "sec-fetch-site": "cross-site",
+                "origin": "https://evil.example",
+                "host": "example.com",
+                "authorization": "Bearer dstok_abc",
+            },
+            ("allowed",),
+        ),
+        (
+            "bearer scheme case-insensitive",
+            {
+                "sec-fetch-site": "cross-site",
+                "host": "example.com",
+                "authorization": "bearer dstok_abc",
+            },
+            ("allowed",),
+        ),
+        (
+            "non-browser (no Sec-Fetch-Site, no Origin) allowed",
+            {"host": "example.com"},
+            ("allowed",),
+        ),
+    ],
+)
+async def test_middleware_unit(label, headers, expected):
+    assert await _run_middleware(_http_scope(headers)) == expected
+
+
+def test_legacy_csrftoken_scope_value_nonempty(app_client):
+    # GET /post/ calls request.scope["csrftoken"]() - must not 500
+    response = app_client.get("/post/")
+    assert response.status == 200
+    assert response.text.strip() != ""
+    assert len(response.text.strip()) >= 20
+
+
+def test_legacy_csrftoken_no_ds_csrftoken_cookie(app_client):
+    response = app_client.get("/post/")
+    assert "ds_csrftoken" not in response.cookies
+
+
+def test_legacy_csrftoken_varies_across_requests(app_client):
+    r1 = app_client.get("/post/").text.strip()
+    r2 = app_client.get("/post/").text.strip()
+    assert r1 != r2
+
+
+def test_legacy_csrftoken_stable_within_request():
+    # Two calls in the same request return the same value
+    scope = {}
+    _install_legacy_csrftoken(scope)
+    assert scope["csrftoken"]() == scope["csrftoken"]()
+
+
+@pytest.mark.asyncio
+async def test_cross_site_post_blocked_even_with_ds_csrftoken_cookie(bare_ds):
+    # A stale ds_csrftoken cookie + csrftoken body field must NOT bypass
+    # the header-based CSRF check.
+    response = await _post(
+        bare_ds,
+        data={"message": "hi", "message_class": "info", "csrftoken": "abc"},
+        headers={"sec-fetch-site": "cross-site"},
+        cookies={"ds_csrftoken": "abc"},
+    )
+    assert response.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_bearer_invalid_token_not_csrf_error(bare_ds):
+    # Cross-site POST with bogus bearer must pass CSRF and be rejected
+    # by auth/permission handling, not by the CSRF middleware.
+    response = await _post(
+        bare_ds,
+        headers={
+            "sec-fetch-site": "cross-site",
+            "authorization": "Bearer totally-invalid-token",
+        },
+    )
+    if response.status_code == 403:
+        assert "origin" not in response.text.lower()
+        assert "sec-fetch-site" not in response.text.lower()
+
+
+@pytest.mark.asyncio
+async def test_cross_site_post_without_auth_still_blocked(bare_ds):
+    response = await _post(
+        bare_ds, data={"message": "hi"}, headers={"sec-fetch-site": "cross-site"}
+    )
+    assert response.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_bearer_with_cookie_does_not_bypass():
+    # Bearer + Cookie => ambient cookie auth is in play, not exempt.
+    scope = _http_scope(
+        {
+            "sec-fetch-site": "cross-site",
+            "host": "example.com",
+            "authorization": "Bearer dstok_abc",
+            "cookie": "ds_actor=anything",
+        }
+    )
+    assert await _run_middleware(scope) == ("blocked", 403)
+
+
+@pytest.mark.asyncio
+async def test_origin_scheme_must_match():
+    # http Origin against an https request must be blocked even when host matches.
+    scope = _http_scope({"origin": "http://example.com", "host": "example.com"})
+    scope["scheme"] = "https"
+    assert await _run_middleware(scope) == ("blocked", 403)
+
+
+@pytest.mark.asyncio
+async def test_origin_port_must_match():
+    scope = _http_scope({"origin": "http://example.com:8001", "host": "example.com"})
+    scope["scheme"] = "http"
+    assert await _run_middleware(scope) == ("blocked", 403)
+
+
+@pytest.mark.asyncio
+async def test_origin_default_port_normalized():
+    # http://example.com:80 == http://example.com
+    scope = _http_scope({"origin": "http://example.com:80", "host": "example.com"})
+    scope["scheme"] = "http"
+    assert await _run_middleware(scope) == ("allowed",)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "headers",
+    [
+        {"authorization": "   ", "host": "example.com", "origin": "http://evil"},
+        {"origin": "http://example.com:notaport", "host": "example.com"},
+        {"origin": "not-a-url", "host": "example.com"},
+    ],
+)
+async def test_malformed_headers_do_not_500(headers):
+    # Should be a clean 403, not an unhandled exception.
+    result = await _run_middleware(_http_scope(headers))
+    assert result[0] == "blocked"
+    assert result[1] == 403
+
+
+@pytest.mark.asyncio
+async def test_uppercase_header_names_normalized():
+    # ASGI servers should lowercase, but middleware normalizes defensively.
+    scope = {
+        "type": "http",
+        "method": "POST",
+        "headers": [(b"Sec-Fetch-Site", b"same-origin")],
+    }
+    assert await _run_middleware(scope) == ("allowed",)
+
+
+def test_legacy_skip_csrf_hookimpl_does_not_break_loading():
+    # Plugins that still define skip_csrf must load cleanly - pluggy ignores
+    # unknown hook implementations - even though the hook is no longer
+    # consulted by core. Use a throwaway PluginManager so that registering
+    # this hookimpl does not leak a _HookCaller onto the real datasette.pm.
+    class LegacyPlugin:
+        __name__ = "legacy-skip-csrf-plugin"
+
+        @hookimpl
+        def skip_csrf(self, datasette, scope):
+            return True
+
+    throwaway = pluggy.PluginManager("datasette")
+    plugin = LegacyPlugin()
+    throwaway.register(plugin, name=LegacyPlugin.__name__)
+    assert throwaway.is_registered(plugin)
diff --git a/tests/test_custom_pages.py b/tests/test_custom_pages.py
index 39a4c06b..86cdcc6b 100644
--- a/tests/test_custom_pages.py
+++ b/tests/test_custom_pages.py
@@ -104,3 +104,24 @@ def test_custom_route_pattern_with_slash_slash_302(custom_pages_client):
     response = custom_pages_client.get("//example.com/")
     assert response.status == 302
     assert response.headers["location"] == "/example.com"
+
+
+@pytest.mark.parametrize(
+    "path",
+    (
+        "/\\example.com/",
+        "/\\\\example.com/",
+        "/\\/example.com/",
+    ),
+)
+def test_redirect_does_not_allow_backslash_open_redirect(custom_pages_client, path):
+    # https://github.com/simonw/datasette/issues/2680
+    # Browsers normalise backslashes to forward slashes, so a Location of
+    # /\example.com would be treated as the protocol-relative //example.com
+    response = custom_pages_client.get(path)
+    assert response.status == 302
+    location = response.headers["location"]
+    assert location == "/example.com"
+    # Must not start with anything a browser reads as protocol-relative
+    assert not location.startswith("//")
+    assert not location.startswith("/\\")
diff --git a/tests/test_datasette_https_server.sh b/tests/test_datasette_https_server.sh
index aee262cc..a544b9a8 100755
--- a/tests/test_datasette_https_server.sh
+++ b/tests/test_datasette_https_server.sh
@@ -40,22 +40,23 @@ curl -f --cacert client.pem $test_url
 curl_exit_code=$?
 
 # Shut down the server
-kill $server_pid
-waiting=0
-#         show all pids
-#         |       find just the $server_pid
-#         |       |                  don’t match on the previous grep
-#         |       |                  |            we don’t need the output
-#         |       |                  |            |
-until ( ! ps ax | grep $server_pid | grep -v grep > /dev/null ); do
-    if [ $waiting -eq 4 ]; then
-        echo "$server_pid does still exist, server failed to stop"
-        cleanup
-        exit 1
+kill $server_pid 2>/dev/null || true
+(
+    sleep 5
+    if kill -0 $server_pid 2>/dev/null; then
+        kill -9 $server_pid 2>/dev/null || true
     fi
-    let waiting=waiting+1
-    sleep 1
-done
+) &
+killer_pid=$!
+wait_status=0
+wait $server_pid 2>/dev/null || wait_status=$?
+kill $killer_pid 2>/dev/null || true
+wait $killer_pid 2>/dev/null || true
+if [ $wait_status -eq 137 ]; then
+    echo "$server_pid did not stop after SIGTERM, server failed to stop"
+    cleanup
+    exit 1
+fi
 
 # Clean up the certificates
 cleanup
diff --git a/tests/test_debug_autocomplete.py b/tests/test_debug_autocomplete.py
new file mode 100644
index 00000000..f438ace5
--- /dev/null
+++ b/tests/test_debug_autocomplete.py
@@ -0,0 +1,91 @@
+import pytest
+from bs4 import BeautifulSoup as Soup
+
+from datasette.app import Datasette
+from datasette.database import Database
+
+
+@pytest.mark.asyncio
+async def test_debug_autocomplete_for_table():
+    ds = Datasette(memory=True)
+    db = ds.add_database(
+        Database(ds, memory_name="test_debug_autocomplete_for_table"), name="data"
+    )
+    await db.execute_write_script("""
+        create table authors (
+            id integer primary key,
+            name text
+        );
+        insert into authors (id, name) values
+            (1, 'Ada Lovelace'),
+            (2, 'Grace Hopper');
+    """)
+
+    response = await ds.client.get("/-/debug/autocomplete?database=data&table=authors")
+
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    assert soup.select_one("h1").text == "Debug autocomplete"
+    assert any(
+        "autocomplete.js" in (script.get("src") or "")
+        for script in soup.find_all("script")
+    )
+    autocomplete = soup.select_one("datasette-autocomplete")
+    assert autocomplete is not None
+    assert autocomplete["src"] == "/data/authors/-/autocomplete"
+    assert soup.select_one("input#debug-autocomplete-input") is not None
+    assert "Label column:" in response.text
+    assert "<code>name</code>" in response.text
+
+
+@pytest.mark.asyncio
+async def test_debug_autocomplete_suggests_label_column_tables():
+    ds = Datasette(memory=True)
+    db = ds.add_database(
+        Database(ds, memory_name="test_debug_autocomplete_suggests"), name="data"
+    )
+    await db.execute_write_script("""
+        create table authors (
+            id integer primary key,
+            name text
+        );
+        create table releases (
+            id integer primary key,
+            title text
+        );
+    """)
+
+    response = await ds.client.get("/-/debug/autocomplete")
+
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    links = {a.text: a["href"] for a in soup.select("table.rows-and-columns a")}
+    assert links == {
+        "authors": "/-/debug/autocomplete?database=data&table=authors",
+        "releases": "/-/debug/autocomplete?database=data&table=releases",
+    }
+    assert [code.text for code in soup.select("table.rows-and-columns code")] == [
+        "name",
+        "title",
+    ]
+
+
+@pytest.mark.asyncio
+async def test_debug_autocomplete_scan_limit():
+    ds = Datasette(memory=True)
+    db = ds.add_database(
+        Database(ds, memory_name="test_debug_autocomplete_scan_limit"), name="data"
+    )
+    await db.execute_write_script(
+        "\n".join(
+            f"create table t{i:03d} (id integer primary key);" for i in range(100)
+        )
+        + "\ncreate table z_has_label (id integer primary key, name text);"
+    )
+
+    response = await ds.client.get("/-/debug/autocomplete")
+
+    assert response.status_code == 200
+    assert "No tables with detected label columns found." in response.text
+    assert "Scanned 100 tables; stopped at the 100 table scan limit." in response.text
+    assert "z_has_label" not in response.text
diff --git a/tests/test_default_deny.py b/tests/test_default_deny.py
index 81e95b84..f1e43064 100644
--- a/tests/test_default_deny.py
+++ b/tests/test_default_deny.py
@@ -127,3 +127,23 @@ async def test_default_deny_basic_permissions():
 
     # Authenticated user without explicit permission should also be denied
     assert await ds.allowed(action="view-instance", actor={"id": "user"}) is False
+
+
+@pytest.mark.asyncio
+async def test_default_deny_root_no_config_index_does_not_500():
+    # https://github.com/simonw/datasette/issues/2644
+    # --default-deny --root with no config file must not 500 on the index
+    # pages. Rendering those pages computes is_private (include_is_private),
+    # which references the anon_rules CTE - that CTE must still be defined
+    # even when there are no anonymous permission rules at all.
+    ds = Datasette(default_deny=True)
+    ds.root_enabled = True
+    await ds.invoke_startup()
+    db = ds.add_memory_database("test_db_2644")
+    await db.execute_write("create table test_table (id integer primary key)")
+    await ds._refresh_schemas()
+
+    cookie = ds.sign({"a": {"id": "root"}}, "actor")
+    for path in ("/", "/test_db_2644", "/test_db_2644/test_table"):
+        response = await ds.client.get(path, cookies={"ds_actor": cookie})
+        assert response.status_code == 200, f"{path} returned {response.status_code}"
diff --git a/tests/test_docs.py b/tests/test_docs.py
index b94a6f23..13b3a549 100644
--- a/tests/test_docs.py
+++ b/tests/test_docs.py
@@ -3,6 +3,7 @@ Tests to ensure certain things are documented.
 """
 
 from datasette import app, utils
+import datasette.fixtures  # noqa: F401
 from datasette.app import Datasette
 from datasette.filters import Filters
 from pathlib import Path
@@ -65,7 +66,24 @@ def documented_views():
             if first_word.endswith("View"):
                 view_labels.add(first_word)
     # We deliberately don't document these:
-    view_labels.update(("PatternPortfolioView", "AuthTokenView", "ApiExplorerView"))
+    view_labels.update(
+        (
+            "PatternPortfolioView",
+            "AuthTokenView",
+            "ApiExplorerView",
+            "ExecuteWriteAnalyzeView",
+            "ExecuteWriteView",
+            "GlobalQueryListView",
+            "QueryCreateAnalyzeView",
+            "QueryDeleteView",
+            "QueryDefinitionView",
+            "QueryEditView",
+            "QueryListView",
+            "QueryParametersView",
+            "QueryStoreView",
+            "QueryUpdateView",
+        )
+    )
     return view_labels
 
 
@@ -94,21 +112,63 @@ def test_table_filters_are_documented(documented_table_filters, subtests):
             assert f.key in documented_table_filters
 
 
+def test_table_extra_examples_are_documented():
+    from datasette.views.table_extras import CountExtra
+
+    assert CountExtra.example.path == "/fixtures/facetable.json?_extra=count"
+    content = (docs_path / "json_api.rst").read_text()
+    section = content.split(".. _json_api_extra:")[-1].split(".. _table_arguments:")[0]
+    assert "GET /fixtures/facetable.json?_extra=count" in section
+    assert ".. code-block:: json" in section
+
+
+def test_render_cell_extra_example_explains_row_and_column_mapping():
+    content = (docs_path / "json_api.rst").read_text()
+    section = content.split("``render_cell``")[-1].split("``query``")[0]
+    assert "same order as the ``rows`` array" in section
+    assert '"rows": [' in section
+    assert '"render_cell": [' in section
+
+
+def test_debug_and_request_extra_examples_are_documented():
+    content = (docs_path / "json_api.rst").read_text()
+    section = content.split("Table JSON responses")[-1].split("Row JSON responses")[0]
+
+    debug_section = section.split("``debug``")[-1].split("``request``")[0]
+    assert "GET /fixtures/facetable.json?_extra=debug" in debug_section
+    assert '"url_vars": {' in debug_section
+
+    request_section = section.split("``request``")[-1].split("``query``")[0]
+    assert "GET /fixtures/facetable.json?_extra=request" in request_section
+    assert '"full_path":' in request_section
+
+
+def test_row_and_query_extra_sections_are_documented():
+    content = (docs_path / "json_api.rst").read_text()
+    assert "Row JSON responses" in content
+    assert (
+        "``GET /fixtures/simple_primary_key/1.json?_extra=foreign_key_tables``"
+        in content
+    )
+    assert "Query JSON responses" in content
+    assert "``GET /fixtures/-/query.json?sql=select+1+as+one&_extra=query``" in content
+    assert (
+        "``GET /fixtures/neighborhood_search.json?text=town&_extra=query``" in content
+    )
+
+
 @pytest.fixture(scope="session")
-def documented_fns():
-    internals_rst = (docs_path / "internals.rst").read_text()
-    # Any line that starts .. _internals_utils_X
-    lines = internals_rst.split("\n")
-    prefix = ".. _internals_utils_"
-    return {
-        line.split(prefix)[1].split(":")[0] for line in lines if line.startswith(prefix)
-    }
+def documented_labels():
+    labels = set()
+    for filename in docs_path.glob("*.rst"):
+        labels.update(get_labels(filename.name))
+    return labels
 
 
-def test_functions_marked_with_documented_are_documented(documented_fns, subtests):
+def test_functions_marked_with_documented_are_documented(documented_labels, subtests):
     for fn in utils.functions_marked_as_documented:
         with subtests.test(fn=fn.__name__):
-            assert fn.__name__ in documented_fns
+            assert fn._datasette_docs_label in documented_labels
 
 
 def test_rst_heading_underlines_match_title_length():
diff --git a/tests/test_docs_plugins.py b/tests/test_docs_plugins.py
index c51858d3..613160ac 100644
--- a/tests/test_docs_plugins.py
+++ b/tests/test_docs_plugins.py
@@ -23,6 +23,7 @@ async def datasette_with_plugin():
         yield datasette
     finally:
         datasette.pm.unregister(name="undo")
+        datasette.close()
 # -- end datasette_with_plugin_fixture --
 
 
diff --git a/tests/test_extras.py b/tests/test_extras.py
new file mode 100644
index 00000000..73b4965e
--- /dev/null
+++ b/tests/test_extras.py
@@ -0,0 +1,97 @@
+import asyncio
+
+import pytest
+
+from datasette.extras import Extra, ExtraRegistry, ExtraScope
+
+
+class SlowValueExtra(Extra):
+    description = "Returns context['value'], optionally slowly"
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context):
+        if context["slow"]:
+            await asyncio.sleep(0.05)
+        return context["value"]
+
+
+class DependentExtra(Extra):
+    description = "Depends on slow_value"
+    scopes = {ExtraScope.TABLE}
+
+    async def resolve(self, context, slow_value):
+        return slow_value + 1
+
+
+class InternalOnlyExtra(Extra):
+    description = "Internal extra for HTML templates only"
+    scopes = {ExtraScope.TABLE}
+    public = False
+
+    async def resolve(self, context):
+        return "internal"
+
+
+def test_internal_classes_for_scope():
+    registry = ExtraRegistry([SlowValueExtra, DependentExtra, InternalOnlyExtra])
+    assert registry.internal_classes_for_scope(ExtraScope.TABLE) == [InternalOnlyExtra]
+    assert registry.public_classes_for_scope(ExtraScope.TABLE) == [
+        SlowValueExtra,
+        DependentExtra,
+    ]
+
+
+def _registered_extra_classes():
+    # Plain Providers are internal dependency plumbing, only Extra
+    # subclasses surface as documented JSON/template keys
+    from datasette.views.table_extras import table_extra_registry
+
+    return [cls for cls in table_extra_registry.classes if issubclass(cls, Extra)]
+
+
+@pytest.mark.parametrize("cls", _registered_extra_classes(), ids=lambda cls: cls.key())
+def test_registered_extras_have_descriptions(cls):
+    # Every registered extra is part of the documented template/JSON contract
+    assert cls.description, "{} is missing a description".format(cls.__name__)
+
+
+def test_registry_is_built_once_per_scope():
+    registry = ExtraRegistry([SlowValueExtra, DependentExtra])
+    first = registry._registry_for_scope(ExtraScope.TABLE)
+    second = registry._registry_for_scope(ExtraScope.TABLE)
+    assert first is second
+
+
+@pytest.mark.asyncio
+async def test_concurrent_resolves_do_not_share_state():
+    # The asyncinject registry is shared across requests - resolved values
+    # must not leak between concurrent resolve() calls with different contexts
+    registry = ExtraRegistry([SlowValueExtra, DependentExtra])
+    slow, fast = await asyncio.gather(
+        registry.resolve(
+            {"slow_value", "dependent"},
+            {"value": 100, "slow": True},
+            ExtraScope.TABLE,
+        ),
+        registry.resolve(
+            {"slow_value", "dependent"},
+            {"value": 200, "slow": False},
+            ExtraScope.TABLE,
+        ),
+    )
+    assert slow == {"slow_value": 100, "dependent": 101}
+    assert fast == {"slow_value": 200, "dependent": 201}
+
+
+@pytest.mark.asyncio
+async def test_table_row_and_query_scopes_use_separate_registries():
+    from datasette.views.table_extras import table_extra_registry
+
+    registries = {
+        scope: table_extra_registry._registry_for_scope(scope) for scope in ExtraScope
+    }
+    assert len(set(map(id, registries.values()))) == 3
+    # Scope-specific extras only registered where they belong
+    assert "count" in registries[ExtraScope.TABLE]._registry
+    assert "count" not in registries[ExtraScope.QUERY]._registry
+    assert "foreign_key_tables" in registries[ExtraScope.ROW]._registry
diff --git a/tests/test_fd_leak.py b/tests/test_fd_leak.py
new file mode 100644
index 00000000..926722a1
--- /dev/null
+++ b/tests/test_fd_leak.py
@@ -0,0 +1,56 @@
+"""
+Regression test for https://github.com/simonw/datasette/issues/2692 —
+confirm that creating and closing Datasette instances in a loop does not
+leak open file descriptors.
+
+Each Datasette() with is_temp_disk internal DB opens a temp file and a
+write thread with its own SQLite connection. Without Datasette.close()
+nothing unwinds this state, and a large pytest run exhausts the process
+FD limit.
+"""
+
+import asyncio
+import threading
+
+import pytest
+
+try:
+    import psutil
+except ImportError:  # pragma: no cover
+    psutil = None
+
+from datasette.app import Datasette
+
+
+def _count_open_files():
+    return len(psutil.Process().open_files())
+
+
+def _count_threads():
+    return threading.active_count()
+
+
+@pytest.mark.skipif(psutil is None, reason="psutil not installed")
+def test_close_releases_file_descriptors():
+    # Warm-up so Python/library caches don't skew the baseline
+    ds = Datasette(memory=True)
+    asyncio.run(ds.invoke_startup())
+    ds.close()
+
+    baseline_fds = _count_open_files()
+    baseline_threads = _count_threads()
+
+    for _ in range(50):
+        ds = Datasette(memory=True)
+        asyncio.run(ds.invoke_startup())
+        ds.close()
+
+    after_fds = _count_open_files()
+    after_threads = _count_threads()
+
+    assert (
+        after_fds - baseline_fds <= 2
+    ), f"Leaked FDs: baseline={baseline_fds}, after=50 iterations={after_fds}"
+    assert (
+        after_threads - baseline_threads <= 2
+    ), f"Leaked threads: baseline={baseline_threads}, after={after_threads}"
diff --git a/tests/test_fixtures.py b/tests/test_fixtures.py
new file mode 100644
index 00000000..45f9854b
--- /dev/null
+++ b/tests/test_fixtures.py
@@ -0,0 +1,49 @@
+from datasette.fixtures import (
+    populate_extra_database,
+    populate_fixture_database,
+    write_extra_database,
+    write_fixture_database,
+)
+from datasette.utils.sqlite import sqlite3
+
+
+def count(conn, table):
+    return conn.execute(f"select count(*) from [{table}]").fetchone()[0]
+
+
+def test_populate_fixture_database():
+    conn = sqlite3.connect(":memory:")
+    try:
+        populate_fixture_database(conn)
+        assert count(conn, "facetable") == 15
+        assert count(conn, "compound_three_primary_keys") == 1001
+        assert count(conn, "binary_data") == 3
+    finally:
+        conn.close()
+
+
+def test_write_fixture_database(tmp_path):
+    db_path = tmp_path / "fixtures.db"
+    write_fixture_database(db_path)
+    conn = sqlite3.connect(db_path)
+    try:
+        assert count(conn, "sortable") == 201
+    finally:
+        conn.close()
+
+
+def test_extra_database_helpers(tmp_path):
+    conn = sqlite3.connect(":memory:")
+    try:
+        populate_extra_database(conn)
+        assert count(conn, "searchable") == 2
+    finally:
+        conn.close()
+
+    db_path = tmp_path / "extra.db"
+    write_extra_database(db_path)
+    conn = sqlite3.connect(db_path)
+    try:
+        assert count(conn, "searchable") == 2
+    finally:
+        conn.close()
diff --git a/tests/test_html.py b/tests/test_html.py
index 757f3e6e..22943300 100644
--- a/tests/test_html.py
+++ b/tests/test_html.py
@@ -4,6 +4,7 @@ from datasette.utils import allowed_pragmas
 from .fixtures import make_app_client
 from .utils import assert_footer_links, inner_html
 import copy
+import hashlib
 import json
 import pathlib
 import pytest
@@ -83,7 +84,7 @@ async def test_homepage_options(ds_client):
 async def test_favicon(ds_client):
     response = await ds_client.get("/favicon.ico")
     assert response.status_code == 200
-    assert response.headers["cache-control"] == "max-age=3600, immutable, public"
+    assert response.headers["cache-control"] == "max-age=3600, public"
     assert int(response.headers["content-length"]) > 100
     assert response.headers["content-type"] == "image/png"
 
@@ -101,6 +102,24 @@ async def test_static(ds_client):
     assert response.status_code == 304
 
 
+@pytest.mark.asyncio
+async def test_static_hash_cache_control(ds_client):
+    hashed_url = ds_client.ds.static("app.css")
+    response = await ds_client.get(hashed_url)
+    assert response.status_code == 200
+    assert response.headers["cache-control"] == "max-age=31536000, immutable, public"
+
+    response = await ds_client.get(
+        hashed_url, headers={"if-none-match": response.headers["etag"]}
+    )
+    assert response.status_code == 304
+    assert response.headers["cache-control"] == "max-age=31536000, immutable, public"
+
+    response = await ds_client.get("/-/static/app.css?_hash=incorrect")
+    assert response.status_code == 200
+    assert "cache-control" not in response.headers
+
+
 def test_static_mounts():
     with make_app_client(
         static_mounts=[("custom-static", str(pathlib.Path(__file__).parent))]
@@ -113,6 +132,23 @@ def test_static_mounts():
         assert response.status_code == 404
 
 
+def test_static_mounts_hash_cache_control():
+    mount_path = pathlib.Path(__file__).parent
+    with make_app_client(static_mounts=[("custom-static", str(mount_path))]) as client:
+        response = client.get(client.ds.static("test_html.py", mount="custom-static"))
+        assert response.status_code == 200
+        assert (
+            response.headers["cache-control"] == "max-age=31536000, immutable, public"
+        )
+
+        incorrect_hash = hashlib.sha256(b"incorrect").hexdigest()[:12]
+        response = client.get(
+            "/custom-static/test_html.py?_hash={}".format(incorrect_hash)
+        )
+        assert response.status_code == 200
+        assert "cache-control" not in response.headers
+
+
 def test_memory_database_page():
     with make_app_client(memory=True) as client:
         response = client.get("/_memory")
@@ -154,12 +190,10 @@ async def test_database_page(ds_client):
         ("/fixtures/simple_view", "simple_view"),
     ] == sorted([(a["href"], a.text) for a in views_ul.find_all("a")])
 
-    # And a list of canned queries
+    # And a list of stored queries
     queries_ul = soup.find("h2", string="Queries").find_next_sibling("ul")
     assert queries_ul is not None
     assert [
-        ("/fixtures/from_async_hook", "from_async_hook"),
-        ("/fixtures/from_hook", "from_hook"),
         ("/fixtures/magic_parameters", "magic_parameters"),
         ("/fixtures/neighborhood_search#fragment-goes-here", "Search neighborhoods"),
         ("/fixtures/pragma_cache_size", "pragma_cache_size"),
@@ -241,6 +275,22 @@ def test_query_page_truncates():
         ]
 
 
+@pytest.mark.asyncio
+async def test_query_page_with_no_sql(ds_client):
+    # https://github.com/simonw/datasette/issues/2743
+    response = await ds_client.get("/fixtures/-/query")
+    assert response.status_code == 200
+    assert '<textarea id="sql-editor" name="sql"' in response.text
+    assert 'class="rows-and-columns"' not in response.text
+
+
+@pytest.mark.asyncio
+async def test_query_csv_with_no_sql_is_400(ds_client):
+    # https://github.com/simonw/datasette/issues/2743
+    response = await ds_client.get("/fixtures/-/query.csv")
+    assert response.status_code == 400
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "path,expected_classes",
@@ -328,17 +378,29 @@ async def test_query_parameter_form_fields(ds_client):
     response = await ds_client.get("/fixtures/-/query?sql=select+:name")
     assert response.status_code == 200
     assert (
-        '<label for="qp1">name</label> <input type="text" id="qp1" name="name" value="">'
+        '<label for="qp1">name</label> <input type="text" id="qp1" name="name" value="" data-parameter-control data-parameter-name="name">'
         in response.text
     )
+    assert 'data-parameters-url="/fixtures/-/query/parameters"' in response.text
+    assert 'id="sql-parameters-section"' in response.text
+    assert "setupSqlParameterRefresh" in response.text
     response2 = await ds_client.get("/fixtures/-/query?sql=select+:name&name=hello")
     assert response2.status_code == 200
     assert (
-        '<label for="qp1">name</label> <input type="text" id="qp1" name="name" value="hello">'
+        '<label for="qp1">name</label> <input type="text" id="qp1" name="name" value="hello" data-parameter-control data-parameter-name="name">'
         in response2.text
     )
 
 
+@pytest.mark.asyncio
+async def test_database_page_sql_parameter_refresh_markup(ds_client):
+    response = await ds_client.get("/fixtures")
+    assert response.status_code == 200
+    assert 'data-parameters-url="/fixtures/-/query/parameters"' in response.text
+    assert 'id="sql-parameters-section"' in response.text
+    assert "setupSqlParameterRefresh" in response.text
+
+
 @pytest.mark.asyncio
 async def test_row_html_simple_primary_key(ds_client):
     response = await ds_client.get("/fixtures/simple_primary_key/1")
@@ -347,7 +409,7 @@ async def test_row_html_simple_primary_key(ds_client):
     assert ["id", "content"] == [th.string.strip() for th in table.select("thead th")]
     assert [
         [
-            '<td class="col-id type-int">1</td>',
+            '<td class="col-id type-int"><strong>1</strong></td>',
             '<td class="col-content type-str">hello</td>',
         ]
     ] == [[str(td) for td in tr.select("td")] for tr in table.select("tbody tr")]
@@ -363,7 +425,7 @@ async def test_row_html_no_primary_key(ds_client):
     ]
     expected = [
         [
-            '<td class="col-rowid type-int">1</td>',
+            '<td class="col-rowid type-int"><strong>1</strong></td>',
             '<td class="col-content type-str">1</td>',
             '<td class="col-a type-str">a1</td>',
             '<td class="col-b type-str">b1</td>',
@@ -406,6 +468,26 @@ async def test_row_links_from_other_tables(
     assert link == expected_link
 
 
+@pytest.mark.asyncio
+async def test_row_foreign_key_links(ds_client):
+    # Row detail page should render foreign key values as hyperlinks
+    response = await ds_client.get("/fixtures/foreign_key_references/1")
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    # foreign_key_with_label=1 references simple_primary_key(id=1, content="hello")
+    td = soup.find("td", {"class": "col-foreign_key_with_label"})
+    a = td.find("a")
+    assert a is not None, "Expected foreign key value to be a hyperlink"
+    assert a["href"] == "/fixtures/simple_primary_key/1"
+    assert a.text == "hello"
+    # Primary key column should be first and bold
+    table = soup.find("table")
+    headers = [th.text.strip() for th in table.select("thead th")]
+    assert headers[0] == "pk"
+    first_td = table.select("tbody tr td")[0]
+    assert first_td.find("strong") is not None, "PK value should be bold"
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "path,expected",
@@ -414,8 +496,8 @@ async def test_row_links_from_other_tables(
             "/fixtures/compound_primary_key/a,b",
             [
                 [
-                    '<td class="col-pk1 type-str">a</td>',
-                    '<td class="col-pk2 type-str">b</td>',
+                    '<td class="col-pk1 type-str"><strong>a</strong></td>',
+                    '<td class="col-pk2 type-str"><strong>b</strong></td>',
                     '<td class="col-content type-str">c</td>',
                 ]
             ],
@@ -424,8 +506,8 @@ async def test_row_links_from_other_tables(
             "/fixtures/compound_primary_key/a~2Fb,~2Ec~2Dd",
             [
                 [
-                    '<td class="col-pk1 type-str">a/b</td>',
-                    '<td class="col-pk2 type-str">.c-d</td>',
+                    '<td class="col-pk1 type-str"><strong>a/b</strong></td>',
+                    '<td class="col-pk2 type-str"><strong>.c-d</strong></td>',
                     '<td class="col-content type-str">c</td>',
                 ]
             ],
@@ -563,7 +645,7 @@ async def test_404(ds_client, path):
     response = await ds_client.get(path)
     assert response.status_code == 404
     assert (
-        f'<link rel="stylesheet" href="/-/static/app.css?{ds_client.ds.app_css_hash()}'
+        '<link rel="stylesheet" href="{}"'.format(ds_client.ds.static("app.css"))
         in response.text
     )
 
@@ -587,7 +669,7 @@ async def test_404_content_type(ds_client):
 
 
 @pytest.mark.asyncio
-async def test_canned_query_default_title(ds_client):
+async def test_stored_query_default_title(ds_client):
     response = await ds_client.get("/fixtures/magic_parameters")
     assert response.status_code == 200
     soup = Soup(response.content, "html.parser")
@@ -595,7 +677,7 @@ async def test_canned_query_default_title(ds_client):
 
 
 @pytest.mark.asyncio
-async def test_canned_query_with_custom_metadata(ds_client):
+async def test_stored_query_with_custom_metadata(ds_client):
     response = await ds_client.get("/fixtures/neighborhood_search?text=town")
     assert response.status_code == 200
     soup = Soup(response.content, "html.parser")
@@ -654,8 +736,8 @@ async def test_show_hide_sql_query(ds_client):
 
 
 @pytest.mark.asyncio
-async def test_canned_query_with_hide_has_no_hidden_sql(ds_client):
-    # For a canned query the show/hide should NOT have a hidden SQL field
+async def test_stored_query_with_hide_has_no_hidden_sql(ds_client):
+    # For a stored query the show/hide should NOT have a hidden SQL field
     # https://github.com/simonw/datasette/issues/1411
     response = await ds_client.get("/fixtures/pragma_cache_size?_hide_sql=1")
     soup = Soup(response.content, "html.parser")
@@ -674,7 +756,7 @@ async def test_canned_query_with_hide_has_no_hidden_sql(ds_client):
         (True, "?_show_sql=1", "_show_sql", "/_memory/one", "hide"),
     ),
 )
-def test_canned_query_show_hide_metadata_option(
+def test_stored_query_show_hide_metadata_option(
     hide_sql,
     querystring,
     expected_hidden,
@@ -785,7 +867,7 @@ async def test_blob_download_invalid_messages(ds_client, path, expected_message)
 async def test_zero_results(ds_client, path):
     response = await ds_client.get(path)
     soup = Soup(response.text, "html.parser")
-    assert 0 == len(soup.select("table"))
+    assert 0 == len(soup.select("table tbody tr"))
     assert 1 == len(soup.select("p.zero-results"))
 
 
@@ -832,6 +914,8 @@ def test_debug_context_includes_extra_template_vars():
         "/fixtures/facetable",
         "/fixtures/facetable?_facet=state",
         "/fixtures/-/query?sql=select+1",
+        "/-/api",
+        "/-/patterns",
     ],
 )
 @pytest.mark.parametrize("use_prefix", (True, False))
@@ -843,7 +927,28 @@ def test_base_url_config(app_client_base_url_prefix, path, use_prefix):
     response = client.get(path_to_get)
     soup = Soup(response.content, "html.parser")
     for form in soup.select("form"):
-        assert form["action"].startswith("/prefix")
+        action = form.get("action")
+        if action is None:
+            assert form.get("method") == "dialog", json.dumps(
+                {
+                    "path": path,
+                    "path_to_get": path_to_get,
+                    "form": str(form),
+                },
+                indent=4,
+                default=repr,
+            )
+            continue
+        assert action.startswith("/prefix"), json.dumps(
+            {
+                "path": path,
+                "path_to_get": path_to_get,
+                "action": action,
+                "form": str(form),
+            },
+            indent=4,
+            default=repr,
+        )
     for el in soup.find_all(["a", "link", "script"]):
         if "href" in el.attrs:
             href = el["href"]
@@ -865,7 +970,9 @@ def test_base_url_config(app_client_base_url_prefix, path, use_prefix):
         ):
             # If this has been made absolute it may start http://localhost/
             if href.startswith("http://localhost/"):
-                href = href[len("http://localost/") :]
+                href = href[len("http://localhost") :]
+            elif href.startswith(("http://", "https://")):
+                continue
             assert href.startswith("/prefix/"), json.dumps(
                 {
                     "path": path,
@@ -876,6 +983,17 @@ def test_base_url_config(app_client_base_url_prefix, path, use_prefix):
                 indent=4,
                 default=repr,
             )
+    for el in soup.find_all("navigation-search"):
+        assert el["url"] == "/prefix/-/jump", json.dumps(
+            {
+                "path": path,
+                "path_to_get": path_to_get,
+                "url": el["url"],
+                "element": str(el),
+            },
+            indent=4,
+            default=repr,
+        )
 
 
 def test_base_url_affects_filter_redirects(app_client_base_url_prefix):
@@ -888,6 +1006,25 @@ def test_base_url_affects_filter_redirects(app_client_base_url_prefix):
     )
 
 
+def test_base_url_affects_database_sql_redirect(app_client_base_url_prefix):
+    response = app_client_base_url_prefix.get(
+        "/prefix/fixtures?sql=select+1", follow_redirects=False
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == "/prefix/fixtures/-/query?sql=select+1"
+
+
+def test_base_url_affects_permanent_redirects():
+    with make_app_client(memory=True, settings={"base_url": "/prefix/"}) as client:
+        response = client.get("/prefix/-", follow_redirects=False)
+        assert response.status_code == 301
+        assert response.headers["location"] == "/prefix/-/"
+
+        response2 = client.get("/prefix/:memory:", follow_redirects=False)
+        assert response2.status_code == 301
+        assert response2.headers["location"] == "/prefix/_memory"
+
+
 def test_base_url_affects_metadata_extra_css_urls(app_client_base_url_prefix):
     html = app_client_base_url_prefix.get("/").text
     assert '<link rel="stylesheet" href="/prefix/static/extra-css-urls.css">' in html
@@ -914,10 +1051,10 @@ def test_base_url_affects_metadata_extra_css_urls(app_client_base_url_prefix):
         ("/fixtures/magic_parameters", None),
     ],
 )
-async def test_edit_sql_link_on_canned_queries(ds_client, path, expected):
+async def test_edit_sql_link_on_stored_queries(ds_client, path, expected):
     response = await ds_client.get(path)
     assert response.status_code == 200
-    expected_link = f'<a href="{expected}" class="canned-query-edit-sql">Edit SQL</a>'
+    expected_link = f'<a href="{expected}" class="stored-query-edit-sql">Edit SQL</a>'
     if expected:
         assert expected_link in response.text
     else:
@@ -953,7 +1090,7 @@ def test_edit_sql_link_not_shown_if_user_lacks_permission(has_permission):
     [
         (None, None, None),
         ("test", None, ["/-/permissions"]),
-        ("root", ["/-/permissions", "/-/allow-debug"], None),
+        ("root", None, ["/-/permissions", "/-/allow-debug"]),
     ],
 )
 async def test_navigation_menu_links(
@@ -962,15 +1099,33 @@ async def test_navigation_menu_links(
     # Enable root user if testing with root actor
     if actor_id == "root":
         ds_client.ds.root_enabled = True
-    cookies = {}
+    kwargs = {}
     if actor_id:
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": actor_id})}
-    html = (await ds_client.get("/", cookies=cookies)).text
+        kwargs["actor"] = {"id": actor_id}
+    html = (await ds_client.get("/", **kwargs)).text
     soup = Soup(html, "html.parser")
-    details = soup.find("nav").find("details")
+    details = soup.find("nav").find("details", {"class": "nav-menu"})
+    assert details is not None
+    search_button = details.find("button", {"data-navigation-search-open": True})
+    assert search_button is not None
+    assert search_button.text.strip() == "Jump to... /"
+    assert search_button.find("kbd", {"class": "keyboard-shortcut"}).text == "/"
+    assert search_button.find("kbd")["aria-hidden"] == "true"
+    assert (
+        search_button.find("kbd")["title"]
+        == "Keyboard shortcut: press / to open Jump to"
+    )
+    navigation_search_script = soup.find(
+        "script", {"src": re.compile(r"navigation-search\.js")}
+    )
+    assert navigation_search_script["src"] == ds_client.ds.static(
+        "navigation-search.js"
+    )
+    assert details.find("li").find("button") == search_button
     if not actor_id:
-        # Should not show a menu
-        assert details is None
+        # The app menu is always visible, but anonymous users do not see logout
+        # or debug links.
+        assert details.find("form") is None
         return
     # They are logged in: should show a menu
     assert details is not None
@@ -1023,7 +1178,7 @@ async def test_trace_correctly_escaped(ds_client):
             "/fixtures/-/query?sql=select+*+from+facetable",
             "http://localhost/fixtures/-/query.json?sql=select+*+from+facetable",
         ),
-        # Canned query page
+        # Stored query page
         (
             "/fixtures/neighborhood_search?text=town",
             "http://localhost/fixtures/neighborhood_search.json?text=town",
@@ -1161,11 +1316,12 @@ async def test_custom_csrf_error(ds_client):
         data={
             "message": "A message",
         },
-        cookies={"csrftoken": "x"},
+        headers={"sec-fetch-site": "cross-site"},
     )
     assert response.status_code == 403
     assert response.headers["content-type"] == "text/html; charset=utf-8"
-    assert "Error code is FORM_URLENCODED_MISMATCH." in response.text
+    assert "Reason:" in response.text
+    assert "cross-site" in response.text
 
 
 @pytest.mark.asyncio
@@ -1173,8 +1329,7 @@ async def test_actions_page(ds_client):
     original_root_enabled = ds_client.ds.root_enabled
     try:
         ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions", cookies=cookies)
+        response = await ds_client.get("/-/actions", actor={"id": "root"})
         assert response.status_code == 200
         assert "Registered actions" in response.text
         assert "<th>Name</th>" in response.text
@@ -1191,8 +1346,7 @@ async def test_actions_page_does_not_display_none_string(ds_client):
     original_root_enabled = ds_client.ds.root_enabled
     try:
         ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions", cookies=cookies)
+        response = await ds_client.get("/-/actions", actor={"id": "root"})
         assert response.status_code == 200
         assert "<code>None</code>" not in response.text
     finally:
@@ -1205,11 +1359,11 @@ async def test_permission_debug_tabs_with_query_string(ds_client):
     original_root_enabled = ds_client.ds.root_enabled
     try:
         ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
+        actor = {"id": "root"}
 
         # Test /-/allowed with query string
         response = await ds_client.get(
-            "/-/allowed?action=view-table&page_size=50", cookies=cookies
+            "/-/allowed?action=view-table&page_size=50", actor=actor
         )
         assert response.status_code == 200
         # Check that Rules and Check tabs have the query string
@@ -1221,7 +1375,7 @@ async def test_permission_debug_tabs_with_query_string(ds_client):
 
         # Test /-/rules with query string
         response = await ds_client.get(
-            "/-/rules?action=view-database&parent=test", cookies=cookies
+            "/-/rules?action=view-database&parent=test", actor=actor
         )
         assert response.status_code == 200
         # Check that Allowed and Check tabs have the query string
@@ -1229,7 +1383,7 @@ async def test_permission_debug_tabs_with_query_string(ds_client):
         assert 'href="/-/check?action=view-database&amp;parent=test"' in response.text
 
         # Test /-/check with query string
-        response = await ds_client.get("/-/check?action=execute-sql", cookies=cookies)
+        response = await ds_client.get("/-/check?action=execute-sql", actor=actor)
         assert response.status_code == 200
         # Check that Allowed and Rules tabs have the query string
         assert 'href="/-/allowed?action=execute-sql"' in response.text
diff --git a/tests/test_internal_db.py b/tests/test_internal_db.py
index 7a0d1630..26d63a92 100644
--- a/tests/test_internal_db.py
+++ b/tests/test_internal_db.py
@@ -139,3 +139,96 @@ async def test_stale_catalog_entry_database_fix(tmp_path):
         f"Index page should return 200, not {response.status_code}. "
         "This fails due to stale catalog entries causing KeyError."
     )
+
+
+@pytest.mark.asyncio
+async def test_stale_catalog_child_entries_removed_for_missing_database(tmp_path):
+    from datasette.app import Datasette
+
+    import sqlite3
+
+    internal_db_path = str(tmp_path / "internal.db")
+    alpha_db_path = str(tmp_path / "alpha.db")
+    bravo_db_path = str(tmp_path / "bravo.db")
+
+    for db_path, table_name in (
+        (alpha_db_path, "alpha_table"),
+        (bravo_db_path, "bravo_table"),
+        (bravo_db_path, "bravo_table_2"),
+    ):
+        conn = sqlite3.connect(db_path)
+        conn.execute(f"CREATE TABLE {table_name} (id INTEGER PRIMARY KEY)")
+        conn.close()
+
+    ds1 = Datasette(files=[alpha_db_path, bravo_db_path], internal=internal_db_path)
+    await ds1.invoke_startup()
+
+    catalog_tables = await ds1.get_internal_database().execute("""
+        SELECT database_name, table_name
+        FROM catalog_tables
+        ORDER BY database_name, table_name
+        """)
+    assert [tuple(row) for row in catalog_tables.rows] == [
+        ("alpha", "alpha_table"),
+        ("bravo", "bravo_table"),
+        ("bravo", "bravo_table_2"),
+    ]
+
+    ds1.close()
+
+    ds2 = Datasette(files=[alpha_db_path], internal=internal_db_path)
+    await ds2.invoke_startup()
+
+    catalog_tables = await ds2.get_internal_database().execute("""
+        SELECT database_name, table_name
+        FROM catalog_tables
+        ORDER BY database_name, table_name
+        """)
+    assert [tuple(row) for row in catalog_tables.rows] == [("alpha", "alpha_table")]
+
+    ds2.close()
+
+
+@pytest.mark.asyncio
+async def test_orphan_stale_catalog_child_entries_removed(tmp_path):
+    from datasette.app import Datasette
+
+    import sqlite3
+
+    internal_db_path = str(tmp_path / "internal.db")
+    alpha_db_path = str(tmp_path / "alpha.db")
+
+    conn = sqlite3.connect(alpha_db_path)
+    conn.execute("CREATE TABLE alpha_table (id INTEGER PRIMARY KEY)")
+    conn.close()
+
+    ds1 = Datasette(files=[alpha_db_path], internal=internal_db_path)
+    await ds1.invoke_startup()
+    ds1.close()
+
+    # Simulate the state left behind by old cleanup code: the parent database
+    # row was deleted, but child catalog rows survived because foreign key
+    # enforcement is not enabled for these internal catalog writes.
+    conn = sqlite3.connect(internal_db_path)
+    conn.execute("DELETE FROM catalog_databases WHERE database_name = 'fixtures'")
+    conn.execute("""
+        INSERT INTO catalog_tables (database_name, table_name, rootpage, sql)
+        VALUES ('fixtures', 'stale_table', 1, 'CREATE TABLE stale_table (id INTEGER)')
+    """)
+    conn.commit()
+    conn.close()
+
+    ds2 = Datasette(files=[alpha_db_path], internal=internal_db_path)
+    await ds2.invoke_startup()
+
+    catalog_tables = await ds2.get_internal_database().execute("""
+        SELECT database_name, table_name
+        FROM catalog_tables
+        ORDER BY database_name, table_name
+        """)
+    assert [tuple(row) for row in catalog_tables.rows] == [("alpha", "alpha_table")]
+
+    response = await ds2.client.get("/-/jump.json")
+    assert response.status_code == 200
+
+    ds2.close()
diff --git a/tests/test_internals_database.py b/tests/test_internals_database.py
index 5e3459cd..bad4e8ca 100644
--- a/tests/test_internals_database.py
+++ b/tests/test_internals_database.py
@@ -2,14 +2,22 @@
 Tests for the datasette.database.Database class
 """
 
+import asyncio
+from types import SimpleNamespace
 from datasette.app import Datasette
-from datasette.database import Database, Results, MultipleValues
-from datasette.utils.sqlite import sqlite3, sqlite_version
+from datasette.database import Database, ExecuteWriteResult, Results, MultipleValues
+from datasette.database import DatasetteClosedError
+from datasette.database import _deliver_write_result
+from datasette.utils.sqlite import sqlite3, supports_returning
 from datasette.utils import Column
 import pytest
 import time
 import uuid
 
+requires_sqlite_returning = pytest.mark.skipif(
+    not supports_returning(), reason="SQLite does not support RETURNING"
+)
+
 
 @pytest.fixture
 def db(app_client):
@@ -465,13 +473,142 @@ async def test_view_names(db):
 
 @pytest.mark.asyncio
 async def test_execute_write_block_true(db):
-    await db.execute_write(
+    result = await db.execute_write(
         "update roadside_attractions set name = ? where pk = ?", ["Mystery!", 1]
     )
     rows = await db.execute("select name from roadside_attractions where pk = 1")
+    assert result.rowcount == 1
+    assert result.description is None
+    assert result.truncated is False
+    assert result.fetchall() == []
     assert "Mystery!" == rows.rows[0][0]
 
 
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning(db):
+    await db.execute_write(
+        "create table write_returning (id integer primary key, name text)"
+    )
+    result = await db.execute_write(
+        "insert into write_returning (name) values (?) returning id, name",
+        ["Cleo"],
+    )
+
+    assert result.rowcount == 1
+    assert result.lastrowid == 1
+    assert [column[0] for column in result.description] == ["id", "name"]
+    assert result.truncated is False
+    assert [dict(row) for row in result.fetchall()] == [{"id": 1, "name": "Cleo"}]
+    assert result.fetchall() == []
+    assert (await db.execute("select id, name from write_returning")).dicts() == [
+        {"id": 1, "name": "Cleo"}
+    ]
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_default_limit(db):
+    await db.execute_write(
+        "create table write_returning_limit (id integer primary key)"
+    )
+    await db.execute_write_many(
+        "insert into write_returning_limit (id) values (?)",
+        [(i,) for i in range(1, 21)],
+    )
+
+    result = await db.execute_write(
+        "update write_returning_limit set id = id returning id"
+    )
+
+    assert result.rowcount == -1
+    assert result.truncated is True
+    assert len(result.fetchall()) == 10
+    assert (
+        await db.execute("select count(*) from write_returning_limit")
+    ).single_value() == 20
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_custom_limit(db):
+    await db.execute_write(
+        "create table write_returning_custom (id integer primary key)"
+    )
+    await db.execute_write_many(
+        "insert into write_returning_custom (id) values (?)",
+        [(i,) for i in range(1, 6)],
+    )
+
+    result = await db.execute_write(
+        "update write_returning_custom set id = id returning id",
+        returning_limit=2,
+    )
+
+    assert result.rowcount == -1
+    assert result.truncated is True
+    assert [row["id"] for row in result.fetchall()] == [1, 2]
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_exact_default_limit(db):
+    await db.execute_write(
+        "create table write_returning_exact_limit (id integer primary key)"
+    )
+    await db.execute_write_many(
+        "insert into write_returning_exact_limit (id) values (?)",
+        [(i,) for i in range(1, 11)],
+    )
+
+    result = await db.execute_write(
+        "update write_returning_exact_limit set id = id returning id"
+    )
+
+    assert result.rowcount == 10
+    assert result.truncated is False
+    assert len(result.fetchall()) == 10
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_one_more_than_default_limit(db):
+    await db.execute_write(
+        "create table write_returning_one_more (id integer primary key)"
+    )
+    await db.execute_write_many(
+        "insert into write_returning_one_more (id) values (?)",
+        [(i,) for i in range(1, 12)],
+    )
+
+    result = await db.execute_write(
+        "update write_returning_one_more set id = id returning id"
+    )
+
+    assert result.rowcount == -1
+    assert result.truncated is True
+    assert len(result.fetchall()) == 10
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_return_all(db):
+    await db.execute_write("create table write_returning_all (id integer primary key)")
+    await db.execute_write_many(
+        "insert into write_returning_all (id) values (?)",
+        [(i,) for i in range(1, 21)],
+    )
+
+    result = await db.execute_write(
+        "update write_returning_all set id = id returning id",
+        return_all=True,
+    )
+
+    assert result.rowcount == 20
+    assert result.truncated is False
+    assert [row["id"] for row in result.fetchall()] == list(range(1, 21))
+
+
 @pytest.mark.asyncio
 async def test_execute_write_block_false(db):
     await db.execute_write(
@@ -483,6 +620,48 @@ async def test_execute_write_block_false(db):
     assert "Mystery!" == rows.rows[0][0]
 
 
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_with_returning_block_false(db):
+    await db.execute_write(
+        "create table write_returning_block_false (id integer primary key, name text)"
+    )
+    task_id = await db.execute_write(
+        "insert into write_returning_block_false (name) values (?) returning id",
+        ["Cleo"],
+        block=False,
+    )
+
+    assert isinstance(task_id, uuid.UUID)
+    time.sleep(0.1)
+    assert (
+        await db.execute("select name from write_returning_block_false")
+    ).single_value() == "Cleo"
+
+
+def test_execute_write_result_closes_cursor_on_fetch_error():
+    class Cursor:
+        description = (("id", None, None, None, None, None, None),)
+        lastrowid = 1
+        rowcount = 0
+
+        def __init__(self):
+            self.closed = False
+
+        def fetchmany(self, size):
+            raise sqlite3.DatabaseError("fetch failed")
+
+        def close(self):
+            self.closed = True
+
+    cursor = Cursor()
+
+    with pytest.raises(sqlite3.DatabaseError):
+        ExecuteWriteResult.from_cursor(cursor)
+
+    assert cursor.closed is True
+
+
 @pytest.mark.asyncio
 async def test_execute_write_script(db):
     await db.execute_write_script(
@@ -539,11 +718,44 @@ async def test_execute_write_fn_exception(db):
         await db.execute_write_fn(write_fn)
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize("param_name", ["conn", "connection", "db", "c"])
+async def test_execute_write_fn_accepts_any_single_param_name(db, param_name):
+    # Plugins historically relied on the fact that the callback was invoked
+    # positionally, so any parameter name worked. Preserve that contract.
+    scope = {}
+    exec(
+        "def write_fn({0}):\n"
+        "    return {0}.execute('select 1 + 1').fetchone()[0]".format(param_name),
+        scope,
+    )
+    write_fn = scope["write_fn"]
+    result = await db.execute_write_fn(write_fn)
+    assert result == 2
+
+
+@pytest.mark.asyncio
+async def test_execute_write_fn_with_track_event(db):
+    # When the callback declares track_event it still receives both args
+    # via dependency injection.
+    seen = []
+
+    def write_fn(conn, track_event):
+        seen.append(track_event)
+        return conn.execute("select 1 + 1").fetchone()[0]
+
+    result = await db.execute_write_fn(write_fn)
+    assert result == 2
+    assert len(seen) == 1 and callable(seen[0])
+
+
 @pytest.mark.asyncio
 @pytest.mark.timeout(1)
 async def test_execute_write_fn_connection_exception(tmpdir, app_client):
     path = str(tmpdir / "immutable.db")
-    sqlite3.connect(path).execute("vacuum")
+    conn = sqlite3.connect(path)
+    conn.execute("vacuum")
+    conn.close()
     db = Database(app_client.ds, path=path, is_mutable=False)
     app_client.ds.add_database(db, name="immutable-db")
 
@@ -556,6 +768,37 @@ async def test_execute_write_fn_connection_exception(tmpdir, app_client):
     app_client.ds.remove_database("immutable-db")
 
 
+@pytest.mark.asyncio
+async def test_deliver_write_result_leaves_done_future_alone():
+    loop = asyncio.get_running_loop()
+    reply_future = loop.create_future()
+    reply_future.set_result("original")
+    task = SimpleNamespace(loop=loop, reply_future=reply_future)
+
+    # The write thread can finish after the caller has stopped waiting for the
+    # result. Delivery should notice that the future is already resolved and
+    # leave the caller's outcome alone instead of raising InvalidStateError.
+    _deliver_write_result(task, "replacement", None)
+    await asyncio.sleep(0)
+
+    assert reply_future.result() == "original"
+
+
+@pytest.mark.asyncio
+async def test_deliver_write_result_ignores_closed_loop():
+    closed_loop = asyncio.new_event_loop()
+    closed_loop.close()
+    reply_future = asyncio.get_running_loop().create_future()
+    task = SimpleNamespace(loop=closed_loop, reply_future=reply_future)
+
+    # If the event loop that submitted the write has gone away, the write
+    # thread should drop the result rather than crash while reporting back to
+    # that closed loop.
+    _deliver_write_result(task, "result", None)
+
+    assert not reply_future.done()
+
+
 def table_exists(conn, name):
     return bool(
         conn.execute(
@@ -620,6 +863,93 @@ async def test_execute_isolated(db, disable_threads):
     assert not await db.execute_isolated_fn(table_exists_checker("created_by_isolated"))
 
 
+@pytest.mark.asyncio
+async def test_execute_isolated_connect_failure_does_not_kill_write_thread():
+    # A connect() failure for an isolated task should be returned to the
+    # caller as an exception, not crash the write thread
+    class ConnectError(Exception):
+        pass
+
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("test_isolated_connect_failure")
+    # Start the write thread with a healthy dedicated write connection
+    await db.execute_write("create table dogs (id integer primary key)")
+
+    original_connect = db.connect
+
+    def broken_connect(write=False):
+        raise ConnectError("Could not connect")
+
+    db.connect = broken_connect
+    try:
+        with pytest.raises(ConnectError):
+            await asyncio.wait_for(db.execute_isolated_fn(lambda conn: None), timeout=2)
+    finally:
+        db.connect = original_connect
+
+    # Write thread should still be alive and processing tasks
+    assert db._write_thread.is_alive()
+    await db.execute_write("insert into dogs (id) values (1)")
+    count = await db.execute_isolated_fn(
+        lambda conn: conn.execute("select count(*) from dogs").fetchone()[0]
+    )
+    assert count == 1
+
+
+@pytest.mark.asyncio
+async def test_analyze_sql():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("test_analyze_sql", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+
+    analysis = await db.analyze_sql("select name from dogs where id = ?", (1,))
+
+    assert [
+        (
+            operation.operation,
+            operation.database,
+            operation.sqlite_schema,
+            operation.table,
+            operation.columns,
+            operation.source,
+        )
+        for operation in analysis.operations
+        if operation.target_type == "table"
+        and operation.operation in {"read", "insert", "update", "delete"}
+        and not operation.internal
+    ] == [
+        ("read", "data", "main", "dogs", ("id", "name"), None),
+    ]
+
+
+@pytest.mark.asyncio
+async def test_analyze_sql_insert_select():
+    ds = Datasette(memory=True)
+    db = ds.add_memory_database("test_analyze_sql_insert_select", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await db.execute_write("create table cats (id integer primary key, name text)")
+
+    analysis = await db.analyze_sql("insert into dogs (name) select name from cats")
+
+    assert {
+        (
+            operation.operation,
+            operation.database,
+            operation.sqlite_schema,
+            operation.table,
+            operation.columns,
+            operation.source,
+        )
+        for operation in analysis.operations
+        if operation.target_type == "table"
+        and operation.operation in {"read", "insert", "update", "delete"}
+        and not operation.internal
+    } == {
+        ("insert", "data", "main", "dogs", (), None),
+        ("read", "data", "main", "cats", ("name",), None),
+    }
+
+
 @pytest.mark.asyncio
 async def test_mtime_ns(db):
     assert isinstance(db.mtime_ns, int)
@@ -676,14 +1006,7 @@ async def test_in_memory_databases_forbid_writes(app_client):
     assert await db.table_names() == ["foo"]
 
 
-def pragma_table_list_supported():
-    return sqlite_version()[1] >= 37
-
-
 @pytest.mark.asyncio
-@pytest.mark.skipif(
-    not pragma_table_list_supported(), reason="Requires PRAGMA table_list support"
-)
 async def test_hidden_tables(app_client):
     ds = app_client.ds
     db = ds.add_database(Database(ds, is_memory=True, is_mutable=True))
@@ -747,15 +1070,19 @@ async def test_replace_database(tmpdir):
     path1 = str(tmpdir / "data1.db")
     (tmpdir / "two").mkdir()
     path2 = str(tmpdir / "two" / "data1.db")
-    sqlite3.connect(path1).executescript("""
+    conn1 = sqlite3.connect(path1)
+    conn1.executescript("""
         create table t (id integer primary key);
         insert into t (id) values (1);
         insert into t (id) values (2);
     """)
-    sqlite3.connect(path2).executescript("""
+    conn1.close()
+    conn2 = sqlite3.connect(path2)
+    conn2.executescript("""
         create table t (id integer primary key);
         insert into t (id) values (1);
     """)
+    conn2.close()
     datasette = Datasette([path1])
     db = datasette.get_database("data1")
     count = (await db.execute("select count(*) from t")).first()[0]
@@ -767,3 +1094,87 @@ async def test_replace_database(tmpdir):
     db2 = datasette.get_database("data1")
     count = (await db2.execute("select count(*) from t")).first()[0]
     assert count == 1
+
+
+@pytest.mark.parametrize(
+    "kwargs,expected_repr",
+    [
+        ({"is_memory": True}, "<Database: test_db (mutable, memory, size=0)>"),
+        ({"memory_name": "my_mem"}, "<Database: test_db (mutable, memory, size=0)>"),
+        (
+            {"is_memory": True, "is_mutable": False},
+            "<Database: test_db (memory, size=0)>",
+        ),
+    ],
+    ids=["memory", "named_memory", "immutable_memory"],
+)
+def test_repr(app_client, kwargs, expected_repr):
+    db = Database(app_client.ds, **kwargs)
+    db.name = "test_db"
+    assert repr(db) == expected_repr
+
+
+def test_repr_temp_disk(app_client):
+    db = Database(app_client.ds, is_temp_disk=True)
+    db.name = "test_db"
+    r = repr(db)
+    assert r.startswith("<Database: test_db (mutable, temp_disk, size=")
+    assert r.endswith(")>")
+    assert isinstance(db.size, int)
+    assert isinstance(db.mtime_ns, int)
+    db.close()
+
+
+@pytest.mark.asyncio
+async def test_database_close_shuts_down_write_thread(tmpdir):
+    path = str(tmpdir / "dbclose.db")
+    conn = sqlite3.connect(path)
+    conn.execute("create table t (id integer primary key)")
+    conn.close()
+    ds = Datasette([path])
+    db = ds.get_database("dbclose")
+    # Trigger write thread creation
+    await db.execute_write("insert into t (id) values (1)")
+    assert db._write_thread is not None
+    assert db._write_thread.is_alive()
+    db.close()
+    # Wait briefly for the thread to exit — the sentinel should cause it to return.
+    db._write_thread.join(timeout=5)
+    assert not db._write_thread.is_alive()
+    ds._internal_database.close()
+
+
+@pytest.mark.asyncio
+async def test_database_close_raises_on_further_use(tmpdir):
+    path = str(tmpdir / "closed.db")
+    conn = sqlite3.connect(path)
+    conn.execute("create table t (id integer primary key)")
+    conn.close()
+    ds = Datasette([path])
+    db = ds.get_database("closed")
+    await db.execute("select 1")
+    db.close()
+    with pytest.raises(DatasetteClosedError):
+        await db.execute("select 1")
+    with pytest.raises(DatasetteClosedError):
+        await db.execute_write("insert into t (id) values (1)")
+    with pytest.raises(DatasetteClosedError):
+        await db.execute_fn(lambda conn: conn.execute("select 1").fetchone())
+    with pytest.raises(DatasetteClosedError):
+        await db.execute_write_fn(lambda conn: conn.execute("select 1"))
+    ds._internal_database.close()
+
+
+@pytest.mark.asyncio
+async def test_database_close_is_idempotent(tmpdir):
+    path = str(tmpdir / "idemp.db")
+    conn = sqlite3.connect(path)
+    conn.execute("create table t (id integer primary key)")
+    conn.close()
+    ds = Datasette([path])
+    db = ds.get_database("idemp")
+    await db.execute_write("insert into t (id) values (1)")
+    db.close()
+    # Second call should be a no-op, not raise
+    db.close()
+    ds._internal_database.close()
diff --git a/tests/test_internals_datasette.py b/tests/test_internals_datasette.py
index b378a158..2eaee3f9 100644
--- a/tests/test_internals_datasette.py
+++ b/tests/test_internals_datasette.py
@@ -2,10 +2,18 @@
 Tests for the datasette.app.Datasette class
 """
 
+import asyncio
 import dataclasses
+import hashlib
+import importlib
+import os
+import sqlite3
+import time
 from datasette import Context
 from datasette.app import Datasette, Database, ResourcesSQL
+from datasette.database import DatasetteClosedError
 from datasette.resources import DatabaseResource
+from datasette.utils import PrefixedUrlString
 from itsdangerous import BadSignature
 import pytest
 
@@ -51,6 +59,111 @@ def test_datasette_setting(datasette, setting, expected):
     assert datasette.setting(setting) == expected
 
 
+def _setup_static_app_root(tmp_path, monkeypatch, filename, content):
+    app_module = importlib.import_module("datasette.app")
+    app_root = tmp_path / "app-root"
+    static_path = app_root / "datasette" / "static"
+    static_path.mkdir(parents=True)
+    asset_path = static_path / filename
+    asset_path.write_bytes(content)
+    monkeypatch.setattr(app_module, "app_root", app_root)
+    return asset_path
+
+
+@pytest.mark.asyncio
+async def test_static_template_function_hashes_core_asset(tmp_path, monkeypatch):
+    _setup_static_app_root(tmp_path, monkeypatch, "demo.js", b"const demo = true;")
+    ds = Datasette()
+    template = ds.get_jinja_environment().from_string("{{ static('demo.js') }}")
+    expected_hash = hashlib.sha256(b"const demo = true;").hexdigest()[:12]
+
+    assert await template.render_async() == "/-/static/demo.js?_hash={}".format(
+        expected_hash
+    )
+    assert isinstance(ds.static("demo.js"), PrefixedUrlString)
+
+
+def test_static_hash_cached_when_cache_headers_enabled(tmp_path, monkeypatch):
+    asset_path = _setup_static_app_root(tmp_path, monkeypatch, "demo.js", b"let a = 1;")
+    ds = Datasette(cache_headers=True)
+    first_url = ds.static("demo.js")
+
+    asset_path.write_bytes(b"let a = 2;")
+
+    assert ds.static("demo.js") == first_url
+
+
+def test_static_hash_recalculated_when_cache_headers_disabled(tmp_path, monkeypatch):
+    asset_path = _setup_static_app_root(tmp_path, monkeypatch, "demo.js", b"let a = 1;")
+    ds = Datasette(cache_headers=False)
+    first_url = ds.static("demo.js")
+
+    asset_path.write_bytes(b"let a = 2;")
+
+    expected_hash = hashlib.sha256(b"let a = 2;").hexdigest()[:12]
+    assert ds.static("demo.js") == "/-/static/demo.js?_hash={}".format(expected_hash)
+    assert ds.static("demo.js") != first_url
+
+
+def test_static_hashes_mounted_static_file(tmp_path):
+    static_path = tmp_path / "static-files"
+    static_path.mkdir()
+    asset_path = static_path / "styles.css"
+    asset_path.write_bytes(b"body { color: black; }")
+    ds = Datasette(static_mounts=[("assets", str(static_path))])
+    expected_hash = hashlib.sha256(b"body { color: black; }").hexdigest()[:12]
+
+    assert ds.static("styles.css", mount="assets") == (
+        "/assets/styles.css?_hash={}".format(expected_hash)
+    )
+
+    ds._settings["base_url"] = "/prefix/"
+    assert ds.static("styles.css", mount="assets") == (
+        "/prefix/assets/styles.css?_hash={}".format(expected_hash)
+    )
+
+
+def test_static_hashes_plugin_static_file(tmp_path, monkeypatch):
+    plugin_static_path = tmp_path / "plugin-static"
+    plugin_static_path.mkdir()
+    asset_path = plugin_static_path / "plugin.js"
+    asset_path.write_bytes(b"console.log('plugin');")
+    app_module = importlib.import_module("datasette.app")
+    monkeypatch.setattr(
+        app_module,
+        "get_plugins",
+        lambda: [
+            {
+                "name": "datasette-cluster-map",
+                "static_path": str(plugin_static_path),
+                "templates_path": None,
+            }
+        ],
+    )
+    ds = Datasette()
+    expected_hash = hashlib.sha256(b"console.log('plugin');").hexdigest()[:12]
+
+    assert ds.static("plugin.js", plugin="datasette_cluster_map") == (
+        "/-/static-plugins/datasette_cluster_map/plugin.js?_hash={}".format(
+            expected_hash
+        )
+    )
+
+
+def test_static_rejects_plugin_and_mount():
+    ds = Datasette()
+    with pytest.raises(ValueError):
+        ds.static("styles.css", plugin="datasette_cluster_map", mount="assets")
+
+
+def test_static_rejects_path_traversal(tmp_path, monkeypatch):
+    _setup_static_app_root(tmp_path, monkeypatch, "demo.js", b"")
+    ds = Datasette()
+
+    with pytest.raises(ValueError, match="cannot escape static root"):
+        ds.static("../secret.js")
+
+
 @pytest.mark.asyncio
 async def test_datasette_constructor():
     ds = Datasette()
@@ -164,7 +277,14 @@ def test_datasette_error_if_string_not_list(tmpdir):
 @pytest.mark.asyncio
 async def test_get_action(ds_client):
     ds = ds_client.ds
-    for name_or_abbr in ("vi", "view-instance", "vt", "view-table"):
+    for name_or_abbr in (
+        "vi",
+        "view-instance",
+        "vt",
+        "view-table",
+        "sct",
+        "set-column-type",
+    ):
         action = ds.get_action(name_or_abbr)
         if "-" in name_or_abbr:
             assert action.name == name_or_abbr
@@ -206,3 +326,154 @@ async def test_allowed_resources_sql(datasette):
     assert isinstance(result, ResourcesSQL)
     assert "all_rules AS" in result.sql
     assert result.params["action"] == "view-table"
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_closes_all_databases_and_executor():
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    # Confirm internal DB has write machinery running
+    assert ds._internal_database._write_thread is not None
+    assert ds._internal_database._write_thread.is_alive()
+    temp_path = ds._internal_database.path
+    assert os.path.exists(temp_path)
+    executor = ds.executor
+    ds.close()
+    # Executor is shut down
+    assert executor._shutdown
+    # All attached Database instances are closed
+    for db in ds.databases.values():
+        assert db._closed
+    assert ds._internal_database._closed
+    # Temp internal DB file is unlinked
+    assert not os.path.exists(temp_path)
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_is_idempotent():
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    ds.close()
+    # Second call should be a no-op
+    ds.close()
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_raises_on_use():
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    ds.close()
+    with pytest.raises(DatasetteClosedError):
+        await ds.get_internal_database().execute("select 1")
+
+
+async def _datasette_with_sleeping_execute(tmp_path, sleep_ms=200):
+    db_path = tmp_path / "data.db"
+    internal_path = tmp_path / "internal.db"
+    sqlite3.connect(db_path).close()
+    ds = Datasette([str(db_path)], internal=str(internal_path))
+    loop = asyncio.get_running_loop()
+    sql_started = asyncio.Event()
+    original_prepare_connection = ds._prepare_connection
+
+    def prepare_connection(conn, name):
+        original_prepare_connection(conn, name)
+
+        def sleep_ms(ms):
+            loop.call_soon_threadsafe(sql_started.set)
+            time.sleep(ms / 1000)
+            return ms
+
+        conn.create_function("sleep_ms", 1, sleep_ms)
+
+    ds._prepare_connection = prepare_connection
+    task = asyncio.create_task(
+        ds.get_database().execute(
+            f"select sleep_ms({sleep_ms})", custom_time_limit=1000
+        )
+    )
+    await asyncio.wait_for(sql_started.wait(), timeout=5)
+    return ds, task
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_waits_for_in_flight_execute(tmp_path):
+    ds, task = await _datasette_with_sleeping_execute(tmp_path)
+    ds.close()
+    results = await task
+    assert [tuple(row) for row in results.rows] == [(200,)]
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_waits_for_cancelled_in_flight_execute(tmp_path):
+    ds, task = await _datasette_with_sleeping_execute(tmp_path)
+    task.cancel()
+    with pytest.raises(asyncio.CancelledError):
+        await task
+    ds.close()
+
+
+@pytest.mark.asyncio
+async def test_asgi_lifespan_shutdown_closes_datasette():
+    ds = Datasette(memory=True)
+    app = ds.app()
+    # Drive an ASGI lifespan: startup, then shutdown.
+    messages_sent = []
+    inbox = [
+        {"type": "lifespan.startup"},
+        {"type": "lifespan.shutdown"},
+    ]
+
+    async def receive():
+        return inbox.pop(0)
+
+    async def send(message):
+        messages_sent.append(message)
+
+    await app({"type": "lifespan"}, receive, send)
+    assert {"type": "lifespan.startup.complete"} in messages_sent
+    assert {"type": "lifespan.shutdown.complete"} in messages_sent
+    assert ds._closed
+
+
+@pytest.mark.asyncio
+async def test_datasette_close_continues_past_db_error():
+    # If one Database raises during close(), the others still get closed.
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+
+    class Boom(Database):
+        def close(self):
+            raise RuntimeError("boom")
+
+    ds.add_database(Boom(ds, is_memory=True), name="bad")
+    good = ds.add_database(Database(ds, is_memory=True), name="good")
+    with pytest.raises(RuntimeError, match="boom"):
+        ds.close()
+    assert good._closed
+    assert ds._internal_database._closed
+
+
+@pytest.mark.asyncio
+async def test_datasette_render_template_dataclass_values_not_deep_copied():
+    # display_rows can contain values like sqlite3.Row that cannot be
+    # deep-copied, so render_template must convert Context dataclasses
+    # shallowly - https://github.com/simonw/datasette/issues/2127
+    class RefusesDeepCopy:
+        def __deepcopy__(self, memo):
+            raise RuntimeError("deepcopy not supported")
+
+        def __str__(self):
+            return "shallow-copied-value"
+
+    @dataclasses.dataclass
+    class ExampleContext(Context):
+        title: str
+        status: int
+        error: RefusesDeepCopy
+
+    context = ExampleContext(title="Hello", status=200, error=RefusesDeepCopy())
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    rendered = await ds.render_template("error.html", context)
+    assert "shallow-copied-value" in rendered
diff --git a/tests/test_internals_datasette_client.py b/tests/test_internals_datasette_client.py
index 326fcdc0..543077a5 100644
--- a/tests/test_internals_datasette_client.py
+++ b/tests/test_internals_datasette_client.py
@@ -195,7 +195,7 @@ async def test_skip_permission_checks_with_admin_actor(datasette_with_permission
 
 @pytest.mark.asyncio
 async def test_skip_permission_checks_shows_denied_tables():
-    """Test that skip_permission_checks=True shows tables from denied databases in /-/tables.json"""
+    """Test that skip_permission_checks=True shows tables from denied databases in /-/jump.json"""
     ds = Datasette(
         config={
             "databases": {
@@ -211,8 +211,8 @@ async def test_skip_permission_checks_shows_denied_tables():
     await db.execute_write("INSERT INTO test_table (id, name) VALUES (1, 'Alice')")
     await ds._refresh_schemas()
 
-    # Without skip_permission_checks, tables from denied database should not appear in /-/tables.json
-    response = await ds.client.get("/-/tables.json")
+    # Without skip_permission_checks, tables from denied database should not appear in /-/jump.json
+    response = await ds.client.get("/-/jump.json")
     assert response.status_code == 200
     data = response.json()
     table_names = [match["name"] for match in data["matches"]]
@@ -221,7 +221,7 @@ async def test_skip_permission_checks_shows_denied_tables():
     assert len(fixtures_tables) == 0
 
     # With skip_permission_checks=True, tables from denied database SHOULD appear
-    response = await ds.client.get("/-/tables.json", skip_permission_checks=True)
+    response = await ds.client.get("/-/jump.json", skip_permission_checks=True)
     assert response.status_code == 200
     data = response.json()
     table_names = [match["name"] for match in data["matches"]]
@@ -311,3 +311,76 @@ async def test_in_client_with_skip_permission_checks():
         assert all(in_client_values), f"Expected all True, got {in_client_values}"
     finally:
         ds.pm.unregister(name="test_in_client_skip_plugin")
+
+
+@pytest.mark.asyncio
+async def test_actor_parameter_sets_cookie(datasette):
+    """Passing actor= should sign a ds_actor cookie and authenticate the request."""
+    response = await datasette.client.get("/-/actor.json", actor={"id": "root"})
+    assert response.status_code == 200
+    assert response.json() == {"actor": {"id": "root"}}
+
+
+@pytest.mark.asyncio
+async def test_actor_parameter_works_with_request_method(datasette):
+    response = await datasette.client.request(
+        "GET", "/-/actor.json", actor={"id": "root"}
+    )
+    assert response.status_code == 200
+    assert response.json() == {"actor": {"id": "root"}}
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "method", ["get", "post", "options", "head", "put", "patch", "delete"]
+)
+async def test_actor_parameter_all_http_methods(datasette, method):
+    """actor= should not cause errors on any HTTP verb wrapper."""
+    client_method = getattr(datasette.client, method)
+    # Just verify no TypeError about unexpected 'actor' kwarg
+    response = await client_method("/", actor={"id": "root"})
+    assert isinstance(response, httpx.Response)
+
+
+@pytest.mark.asyncio
+async def test_actor_parameter_conflicts_with_ds_actor_cookie(datasette):
+    """Passing both actor= and a ds_actor cookie should raise TypeError."""
+    with pytest.raises(TypeError, match="actor"):
+        await datasette.client.get(
+            "/-/actor.json",
+            actor={"id": "root"},
+            cookies={"ds_actor": datasette.client.actor_cookie({"id": "other"})},
+        )
+
+
+@pytest.mark.asyncio
+async def test_actor_parameter_merges_with_other_cookies(datasette):
+    """actor= should coexist with unrelated cookies."""
+    response = await datasette.client.get(
+        "/-/actor.json",
+        actor={"id": "root"},
+        cookies={"unrelated": "value"},
+    )
+    assert response.status_code == 200
+    assert response.json() == {"actor": {"id": "root"}}
+
+
+@pytest.mark.asyncio
+async def test_actor_parameter_with_skip_permission_checks(
+    datasette_with_permissions,
+):
+    """actor= should be compatible with skip_permission_checks."""
+    ds = datasette_with_permissions
+    # Non-admin actor with skip_permission_checks=True should get 200
+    response = await ds.client.get(
+        "/test_db.json",
+        actor={"id": "user"},
+        skip_permission_checks=True,
+    )
+    assert response.status_code == 200
+    # Admin actor on its own should also get 200
+    response = await ds.client.get("/test_db.json", actor={"id": "admin"})
+    assert response.status_code == 200
+    # Non-admin actor should get 403
+    response = await ds.client.get("/test_db.json", actor={"id": "user"})
+    assert response.status_code == 403
diff --git a/tests/test_internals_request.py b/tests/test_internals_request.py
index d1ca1f46..9c448186 100644
--- a/tests/test_internals_request.py
+++ b/tests/test_internals_request.py
@@ -55,6 +55,57 @@ async def test_request_post_body():
     assert data == json.loads(body)
 
 
+@pytest.mark.asyncio
+async def test_request_json():
+    scope = {
+        "http_version": "1.1",
+        "method": "POST",
+        "path": "/",
+        "raw_path": b"/",
+        "query_string": b"",
+        "scheme": "http",
+        "type": "http",
+        "headers": [[b"content-type", b"application/json"]],
+    }
+
+    data = {"hello": "world", "items": [1, 2, 3]}
+
+    async def receive():
+        return {
+            "type": "http.request",
+            "body": json.dumps(data).encode("utf-8"),
+            "more_body": False,
+        }
+
+    request = Request(scope, receive)
+    assert data == await request.json()
+
+
+@pytest.mark.asyncio
+async def test_request_json_invalid():
+    scope = {
+        "http_version": "1.1",
+        "method": "POST",
+        "path": "/",
+        "raw_path": b"/",
+        "query_string": b"",
+        "scheme": "http",
+        "type": "http",
+        "headers": [[b"content-type", b"application/json"]],
+    }
+
+    async def receive():
+        return {
+            "type": "http.request",
+            "body": b"this is not JSON",
+            "more_body": False,
+        }
+
+    request = Request(scope, receive)
+    with pytest.raises(json.JSONDecodeError):
+        await request.json()
+
+
 def test_request_args():
     request = Request.fake("/foo?multi=1&multi=2&single=3")
     assert "1" == request.args.get("multi")
diff --git a/tests/test_internals_urls.py b/tests/test_internals_urls.py
index d60aafcf..24fa745d 100644
--- a/tests/test_internals_urls.py
+++ b/tests/test_internals_urls.py
@@ -9,17 +9,19 @@ def ds():
 
 
 @pytest.mark.parametrize(
-    "base_url,path,expected",
+    "ds_base_url,path,expected",
     [
         ("/", "/", "/"),
         ("/", "/foo", "/foo"),
         ("/prefix/", "/", "/prefix/"),
         ("/prefix/", "/foo", "/prefix/foo"),
         ("/prefix/", "foo", "/prefix/foo"),
+        ("/data/", "/data", "/data/data"),
+        ("/data/", "/data/foo", "/data/data/foo"),
     ],
 )
-def test_path(ds, base_url, path, expected):
-    ds._settings["base_url"] = base_url
+def test_path(ds, ds_base_url, path, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.path(path)
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
@@ -34,35 +36,35 @@ def test_path_applied_twice_does_not_double_prefix(ds):
 
 
 @pytest.mark.parametrize(
-    "base_url,expected",
+    "ds_base_url,expected",
     [
         ("/", "/"),
         ("/prefix/", "/prefix/"),
     ],
 )
-def test_instance(ds, base_url, expected):
-    ds._settings["base_url"] = base_url
+def test_instance(ds, ds_base_url, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.instance()
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
 
 
 @pytest.mark.parametrize(
-    "base_url,file,expected",
+    "ds_base_url,file,expected",
     [
         ("/", "foo.js", "/-/static/foo.js"),
         ("/prefix/", "foo.js", "/prefix/-/static/foo.js"),
     ],
 )
-def test_static(ds, base_url, file, expected):
-    ds._settings["base_url"] = base_url
+def test_static(ds, ds_base_url, file, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.static(file)
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
 
 
 @pytest.mark.parametrize(
-    "base_url,plugin,file,expected",
+    "ds_base_url,plugin,file,expected",
     [
         (
             "/",
@@ -78,44 +80,44 @@ def test_static(ds, base_url, file, expected):
         ),
     ],
 )
-def test_static_plugins(ds, base_url, plugin, file, expected):
-    ds._settings["base_url"] = base_url
+def test_static_plugins(ds, ds_base_url, plugin, file, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.static_plugins(plugin, file)
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
 
 
 @pytest.mark.parametrize(
-    "base_url,expected",
+    "ds_base_url,expected",
     [
         ("/", "/-/logout"),
         ("/prefix/", "/prefix/-/logout"),
     ],
 )
-def test_logout(ds, base_url, expected):
-    ds._settings["base_url"] = base_url
+def test_logout(ds, ds_base_url, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.logout()
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
 
 
 @pytest.mark.parametrize(
-    "base_url,format,expected",
+    "ds_base_url,format,expected",
     [
         ("/", None, "/_memory"),
         ("/prefix/", None, "/prefix/_memory"),
         ("/", "json", "/_memory.json"),
     ],
 )
-def test_database(ds, base_url, format, expected):
-    ds._settings["base_url"] = base_url
+def test_database(ds, ds_base_url, format, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.database("_memory", format=format)
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
 
 
 @pytest.mark.parametrize(
-    "base_url,name,format,expected",
+    "ds_base_url,name,format,expected",
     [
         ("/", "name", None, "/_memory/name"),
         ("/prefix/", "name", None, "/prefix/_memory/name"),
@@ -123,8 +125,8 @@ def test_database(ds, base_url, format, expected):
         ("/", "name.json", "json", "/_memory/name~2Ejson.json"),
     ],
 )
-def test_table_and_query(ds, base_url, name, format, expected):
-    ds._settings["base_url"] = base_url
+def test_table_and_query(ds, ds_base_url, name, format, expected):
+    ds._settings["base_url"] = ds_base_url
     actual1 = ds.urls.table("_memory", name, format=format)
     assert actual1 == expected
     assert isinstance(actual1, PrefixedUrlString)
@@ -134,15 +136,15 @@ def test_table_and_query(ds, base_url, name, format, expected):
 
 
 @pytest.mark.parametrize(
-    "base_url,format,expected",
+    "ds_base_url,format,expected",
     [
         ("/", None, "/_memory/facetable/1"),
         ("/prefix/", None, "/prefix/_memory/facetable/1"),
         ("/", "json", "/_memory/facetable/1.json"),
     ],
 )
-def test_row(ds, base_url, format, expected):
-    ds._settings["base_url"] = base_url
+def test_row(ds, ds_base_url, format, expected):
+    ds._settings["base_url"] = ds_base_url
     actual = ds.urls.row("_memory", "facetable", "1", format=format)
     assert actual == expected
     assert isinstance(actual, PrefixedUrlString)
diff --git a/tests/test_jump.py b/tests/test_jump.py
new file mode 100644
index 00000000..0fb6a552
--- /dev/null
+++ b/tests/test_jump.py
@@ -0,0 +1,466 @@
+import pytest
+import pytest_asyncio
+
+from datasette import hookimpl
+from datasette.app import Datasette
+from datasette.jump import JumpSQL
+from datasette.plugins import pm
+from datasette.views.special import JumpView
+
+
+@pytest_asyncio.fixture
+async def ds_for_jump():
+    ds = Datasette(
+        config={
+            "databases": {
+                "content": {
+                    "allow": {"id": "*"},
+                    "tables": {
+                        "articles": {"allow": {"id": "editor"}},
+                        "comments": {"allow": True},
+                    },
+                    "queries": {
+                        "recent_comments": {
+                            "sql": "select * from comments",
+                            "allow": {"id": "*"},
+                            "title": "Recent comments",
+                        },
+                        "release_notes": {
+                            "sql": "select 1",
+                            "allow": {"id": "*"},
+                            "title": "Recent Datasette releases",
+                        },
+                        "editor_report": {
+                            "sql": "select * from articles",
+                            "allow": {"id": "editor"},
+                        },
+                    },
+                },
+                "private": {
+                    "allow": False,
+                    "queries": {
+                        "private_report": "select 1",
+                    },
+                },
+            }
+        }
+    )
+    await ds.invoke_startup()
+
+    content_db = ds.add_memory_database("jump_test_content", name="content")
+    await content_db.execute_write(
+        "CREATE TABLE IF NOT EXISTS articles (id INTEGER PRIMARY KEY, title TEXT)"
+    )
+    await content_db.execute_write(
+        "CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)"
+    )
+    await content_db.execute_write(
+        "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT)"
+    )
+    await content_db.execute_write(
+        "CREATE VIEW IF NOT EXISTS comment_summary AS SELECT body FROM comments"
+    )
+
+    private_db = ds.add_memory_database("jump_test_private", name="private")
+    await private_db.execute_write(
+        "CREATE TABLE IF NOT EXISTS secrets (id INTEGER PRIMARY KEY, data TEXT)"
+    )
+
+    public_db = ds.add_memory_database("jump_test_public", name="public")
+    await public_db.execute_write(
+        "CREATE TABLE IF NOT EXISTS articles (id INTEGER PRIMARY KEY, content TEXT)"
+    )
+
+    await ds._refresh_schemas()
+    return ds
+
+
+@pytest.mark.asyncio
+async def test_jump_searches_tables_databases_views_and_stored_queries(ds_for_jump):
+    response = await ds_for_jump.client.get(
+        "/-/jump.json?q=content", actor={"id": "user"}
+    )
+    assert response.status_code == 200
+    data = response.json()
+
+    matches_by_type_and_name = {
+        (match["type"], match["name"]): match for match in data["matches"]
+    }
+    assert ("database", "content") in matches_by_type_and_name
+    assert ("table", "content: comments") in matches_by_type_and_name
+    assert ("view", "content: comment_summary") in matches_by_type_and_name
+    assert ("query", "content: recent_comments") in matches_by_type_and_name
+    assert matches_by_type_and_name[("database", "content")]["url"] == "/content"
+    assert (
+        matches_by_type_and_name[("query", "content: recent_comments")]["url"]
+        == "/content/recent_comments"
+    )
+
+
+@pytest.mark.asyncio
+async def test_jump_uses_stored_query_names_not_titles(ds_for_jump):
+    response = await ds_for_jump.client.get(
+        "/-/jump.json?q=datasette", actor={"id": "user"}
+    )
+    assert response.status_code == 200
+    assert response.json()["matches"] == []
+
+    response = await ds_for_jump.client.get(
+        "/-/jump.json?q=release", actor={"id": "user"}
+    )
+    assert response.status_code == 200
+    assert response.json()["matches"] == [
+        {
+            "name": "content: release_notes",
+            "url": "/content/release_notes",
+            "type": "query",
+            "description": None,
+        }
+    ]
+
+
+@pytest.mark.asyncio
+async def test_jump_respects_resource_permissions(ds_for_jump):
+    regular = await ds_for_jump.client.get(
+        "/-/jump.json?q=articles", actor={"id": "regular"}
+    )
+    editor = await ds_for_jump.client.get(
+        "/-/jump.json?q=articles", actor={"id": "editor"}
+    )
+    private = await ds_for_jump.client.get(
+        "/-/jump.json?q=secrets", actor={"id": "editor"}
+    )
+
+    assert {match["name"] for match in regular.json()["matches"]} == {
+        "public: articles"
+    }
+    assert {match["name"] for match in editor.json()["matches"]} == {
+        "content: articles",
+        "public: articles",
+    }
+    assert private.json()["matches"] == []
+
+
+@pytest.mark.asyncio
+async def test_jump_sql_menu_item_helper(ds_for_jump):
+    assert JumpSQL("SELECT 1").database is None
+    assert JumpSQL("SELECT 1", database="content").database == "content"
+    assert JumpSQL("SELECT 1", None, "content").database == "content"
+
+    fragment = JumpSQL.menu_item(
+        label="Plugin dashboard",
+        url="/-/plugin-dashboard",
+        description="Plugin tool",
+        search_text="dashboard plugin",
+        display_name="Plugin Dashboard",
+        item_type="plugin",
+    )
+    result = await ds_for_jump.get_internal_database().execute(
+        fragment.sql, fragment.params
+    )
+    assert dict(result.first()) == {
+        "type": "plugin",
+        "label": "Plugin dashboard",
+        "description": "Plugin tool",
+        "url": "/-/plugin-dashboard",
+        "search_text": "dashboard plugin",
+        "display_name": "Plugin Dashboard",
+    }
+
+
+@pytest.mark.asyncio
+async def test_debug_menu_items_are_in_jump_for_debug_menu_permission():
+    ds = Datasette(
+        config={
+            "permissions": {
+                "debug-menu": {"id": "debugger"},
+            }
+        }
+    )
+    await ds.invoke_startup()
+    response = await ds.client.get("/-/jump.json?q=debug", actor={"id": "debugger"})
+    assert response.status_code == 200
+    debug_matches = [
+        match for match in response.json()["matches"] if match["type"] == "debug"
+    ]
+    assert {match["name"]: match["url"] for match in debug_matches} == {
+        "Databases": "/-/databases",
+        "Installed plugins": "/-/plugins",
+        "Version info": "/-/versions",
+        "Settings": "/-/settings",
+        "Debug permissions": "/-/permissions",
+        "Debug messages": "/-/messages",
+        "Debug allow rules": "/-/allow-debug",
+        "Debug autocomplete": "/-/debug/autocomplete",
+        "Debug threads": "/-/threads",
+        "Debug actor": "/-/actor",
+        "Pattern portfolio": "/-/patterns",
+    }
+    descriptions_by_name = {
+        match["name"]: match["description"] for match in debug_matches
+    }
+    assert all(descriptions_by_name.values())
+    assert descriptions_by_name["Databases"] == (
+        "List of databases known to this Datasette instance."
+    )
+
+
+@pytest.mark.asyncio
+async def test_debug_menu_items_are_hidden_without_debug_menu_permission():
+    ds = Datasette()
+    await ds.invoke_startup()
+    response = await ds.client.get("/-/jump.json?q=debug", actor={"id": "regular"})
+    assert response.status_code == 200
+    assert [
+        match for match in response.json()["matches"] if match["type"] == "debug"
+    ] == []
+
+
+@pytest.mark.asyncio
+async def test_jump_uses_plugin_sql_with_namespaced_parameters(ds_for_jump):
+    class JumpPlugin:
+        @hookimpl
+        def jump_items_sql(self, datasette, actor, request):
+            return JumpSQL(
+                sql="""
+                SELECT
+                    'plugin' AS type,
+                    'plugin-dashboard: ' || :actor_id AS label,
+                    'Plugin supplied item' AS description,
+                    '/-/plugin-dashboard' AS url,
+                    'plugin dashboard ' || :actor_id AS search_text,
+                    'Plugin dashboard for ' || :actor_id AS display_name
+                """,
+                params={"actor_id": actor["id"] if actor else "anonymous"},
+            )
+
+    plugin = JumpPlugin()
+    pm.register(plugin, name="test-jump-plugin")
+    try:
+        response = await ds_for_jump.client.get(
+            "/-/jump.json?q=dashboard", actor={"id": "alice"}
+        )
+    finally:
+        pm.unregister(name="test-jump-plugin")
+
+    assert response.status_code == 200
+    plugin_matches = [
+        match for match in response.json()["matches"] if match["type"] == "plugin"
+    ]
+    assert plugin_matches == [
+        {
+            "name": "plugin-dashboard: alice",
+            "display_name": "Plugin dashboard for alice",
+            "url": "/-/plugin-dashboard",
+            "type": "plugin",
+            "description": "Plugin supplied item",
+        }
+    ]
+
+
+@pytest.mark.asyncio
+async def test_jump_sql_unions_fragments_by_database(ds_for_jump, monkeypatch):
+    class JumpPlugin:
+        @hookimpl
+        def jump_items_sql(self, datasette, actor, request):
+            return [
+                JumpSQL(sql="""
+                    SELECT
+                        'plugin' AS type,
+                        'first-unioned-item' AS label,
+                        NULL AS description,
+                        '/-/first-unioned-item' AS url,
+                        'unioned item' AS search_text,
+                        NULL AS display_name
+                    """),
+                JumpSQL(sql="""
+                    SELECT
+                        'plugin' AS type,
+                        'second-unioned-item' AS label,
+                        NULL AS description,
+                        '/-/second-unioned-item' AS url,
+                        'unioned item' AS search_text,
+                        NULL AS display_name
+                    """),
+                JumpSQL(
+                    """
+                    SELECT
+                        'plugin' AS type,
+                        'content-first-unioned-item' AS label,
+                        NULL AS description,
+                        '/-/content-first-unioned-item' AS url,
+                        'unioned item' AS search_text,
+                        NULL AS display_name
+                    """,
+                    None,
+                    "content",
+                ),
+                JumpSQL(
+                    database="content",
+                    sql="""
+                    SELECT
+                        'plugin' AS type,
+                        'content-second-unioned-item' AS label,
+                        NULL AS description,
+                        '/-/content-second-unioned-item' AS url,
+                        'unioned item' AS search_text,
+                        NULL AS display_name
+                    """,
+                ),
+            ]
+
+    internal_db = ds_for_jump.get_internal_database()
+    original_execute = internal_db.execute
+    internal_jump_query_sql = []
+
+    async def internal_execute_with_recording(sql, *args, **kwargs):
+        if "unioned-item" in sql:
+            internal_jump_query_sql.append(sql)
+        return await original_execute(sql, *args, **kwargs)
+
+    monkeypatch.setattr(internal_db, "execute", internal_execute_with_recording)
+
+    content_db = ds_for_jump.get_database("content")
+    original_content_execute = content_db.execute
+    content_jump_query_sql = []
+
+    async def content_execute_with_recording(sql, *args, **kwargs):
+        if "unioned-item" in sql:
+            content_jump_query_sql.append(sql)
+        return await original_content_execute(sql, *args, **kwargs)
+
+    monkeypatch.setattr(content_db, "execute", content_execute_with_recording)
+
+    plugin = JumpPlugin()
+    pm.register(plugin, name="test-jump-union-plugin")
+    try:
+        response = await ds_for_jump.client.get(
+            "/-/jump.json?q=unioned", actor={"id": "alice"}
+        )
+    finally:
+        pm.unregister(name="test-jump-union-plugin")
+
+    assert response.status_code == 200
+    assert len(internal_jump_query_sql) == 1
+    assert " UNION ALL " in internal_jump_query_sql[0]
+    assert len(content_jump_query_sql) == 1
+    assert " UNION ALL " in content_jump_query_sql[0]
+    assert {match["name"] for match in response.json()["matches"]} == {
+        "content-first-unioned-item",
+        "content-second-unioned-item",
+        "first-unioned-item",
+        "second-unioned-item",
+    }
+
+
+@pytest.mark.asyncio
+async def test_jump_sql_can_query_named_database(ds_for_jump):
+    content_db = ds_for_jump.get_database("content")
+    await content_db.execute_write(
+        "INSERT INTO comments (id, body) VALUES (1001, 'Named database jump target')"
+    )
+
+    class JumpPlugin:
+        @hookimpl
+        def jump_items_sql(self, datasette, actor, request):
+            return JumpSQL(
+                database="content",
+                sql="""
+                SELECT
+                    'comment' AS type,
+                    body AS label,
+                    'Comment from content database' AS description,
+                    json_object(
+                        'method', 'table',
+                        'database', 'content',
+                        'table', 'comments'
+                    ) AS url,
+                    body AS search_text,
+                    body AS display_name
+                FROM comments
+                WHERE id = :comment_id
+                """,
+                params={"comment_id": 1001},
+            )
+
+    plugin = JumpPlugin()
+    pm.register(plugin, name="test-jump-content-db-plugin")
+    try:
+        response = await ds_for_jump.client.get(
+            "/-/jump.json?q=named+database", actor={"id": "alice"}
+        )
+    finally:
+        pm.unregister(name="test-jump-content-db-plugin")
+
+    assert response.status_code == 200
+    plugin_matches = [
+        match for match in response.json()["matches"] if match["type"] == "comment"
+    ]
+    assert plugin_matches == [
+        {
+            "name": "Named database jump target",
+            "display_name": "Named database jump target",
+            "url": "/content/comments",
+            "type": "comment",
+            "description": "Comment from content database",
+        }
+    ]
+
+
+@pytest.mark.asyncio
+async def test_jump_resolves_url_descriptors_from_sql(ds_for_jump):
+    class JumpPlugin:
+        @hookimpl
+        def jump_items_sql(self, datasette, actor, request):
+            return JumpSQL(sql="""
+                SELECT
+                    'plugin' AS type,
+                    'Table descriptor' AS label,
+                    NULL AS description,
+                    json_object(
+                        'method', 'table',
+                        'database', 'content',
+                        'table', 'comments'
+                    ) AS url,
+                    'table descriptor comments' AS search_text,
+                    NULL AS display_name
+                """)
+
+    plugin = JumpPlugin()
+    pm.register(plugin, name="test-jump-url-descriptor-plugin")
+    try:
+        response = await ds_for_jump.client.get(
+            "/-/jump.json?q=descriptor", actor={"id": "alice"}
+        )
+    finally:
+        pm.unregister(name="test-jump-url-descriptor-plugin")
+
+    assert response.status_code == 200
+    plugin_matches = [
+        match for match in response.json()["matches"] if match["type"] == "plugin"
+    ]
+    assert plugin_matches == [
+        {
+            "name": "Table descriptor",
+            "url": "/content/comments",
+            "type": "plugin",
+            "description": None,
+        }
+    ]
+
+
+@pytest.mark.asyncio
+async def test_jump_url_descriptor_errors(ds_for_jump):
+    view = JumpView(ds_for_jump)
+    with pytest.raises(AttributeError):
+        view._resolve_url('{"method": "not_a_url_method"}')
+    with pytest.raises(TypeError):
+        view._resolve_url(
+            '{"method": "table", "database_name": "content", "table_name": "comments"}'
+        )
+
+
+@pytest.mark.asyncio
+async def test_tables_endpoint_removed(ds_for_jump):
+    response = await ds_for_jump.client.get("/-/tables.json")
+    assert response.status_code == 404
diff --git a/tests/test_permission_endpoints.py b/tests/test_permission_endpoints.py
index 84f3370f..e25be23e 100644
--- a/tests/test_permission_endpoints.py
+++ b/tests/test_permission_endpoints.py
@@ -117,9 +117,7 @@ async def test_allowed_json_with_actor(ds_with_permissions):
     """Test /-/allowed.json includes actor information."""
     response = await ds_with_permissions.client.get(
         "/-/allowed.json?action=view-table",
-        cookies={
-            "ds_actor": ds_with_permissions.client.actor_cookie({"id": "test_user"})
-        },
+        actor={"id": "test_user"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -252,7 +250,7 @@ async def test_rules_json_basic(
     # Use root actor for rules endpoint (requires permissions-debug)
     response = await ds_with_permissions.client.get(
         path,
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == expected_status
     data = response.json()
@@ -264,7 +262,7 @@ async def test_rules_json_response_structure(ds_with_permissions):
     """Test that /-/rules.json returns the expected structure."""
     response = await ds_with_permissions.client.get(
         "/-/rules.json?action=view-instance",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -294,7 +292,7 @@ async def test_rules_json_includes_all_rules(ds_with_permissions):
     # Root user should see rules for everything
     response = await ds_with_permissions.client.get(
         "/-/rules.json?action=view-table",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -326,7 +324,7 @@ async def test_rules_json_pagination():
     # Test basic pagination structure - just verify it returns paginated results
     response = await ds.client.get(
         "/-/rules.json?action=view-table&page_size=2&page=1",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -343,7 +341,7 @@ async def test_rules_json_with_actor(ds_with_permissions):
     # Use root actor (rules endpoint requires permissions-debug)
     response = await ds_with_permissions.client.get(
         "/-/rules.json?action=view-table",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -374,7 +372,7 @@ async def test_root_user_respects_settings_deny():
     # Root user should NOT see the denied database
     response = await ds.client.get(
         "/-/allowed.json?action=view-database",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -415,7 +413,7 @@ async def test_root_user_respects_settings_deny_tables():
     # Root user should NOT see tables from the content database
     response = await ds.client.get(
         "/-/allowed.json?action=view-table",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -475,7 +473,7 @@ async def test_execute_sql_requires_view_database():
         # User should NOT have execute-sql permission because view-database is denied
         response = await ds.client.get(
             "/-/allowed.json?action=execute-sql",
-            cookies={"ds_actor": ds.client.actor_cookie({"id": "test_user"})},
+            actor={"id": "test_user"},
         )
         assert response.status_code == 200
         data = response.json()
@@ -491,7 +489,7 @@ async def test_execute_sql_requires_view_database():
         # (may be 403 or 302 redirect to login/error page depending on middleware)
         response = await ds.client.get(
             "/secret?sql=SELECT+1",
-            cookies={"ds_actor": ds.client.actor_cookie({"id": "test_user"})},
+            actor={"id": "test_user"},
         )
         assert response.status_code in (302, 403), (
             f"Expected 302 or 403 when trying to execute SQL without view-database permission, "
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index 42a19ca4..8323fe92 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -1,4 +1,5 @@
 import collections
+from asgiref.sync import async_to_sync
 from datasette.app import Datasette
 from datasette.cli import cli
 from datasette.default_permissions import restrictions_allow_action
@@ -430,7 +431,6 @@ async def test_permissions_debug(ds_client, filter_):
             "result": True,
             "actor": {"id": "root"},
         },
-        {"action": "debug-menu", "result": False, "actor": None},
         {
             "action": "view-instance",
             "result": True,
@@ -610,6 +610,10 @@ def test_padlocks_on_database_page(cascade_app_client):
     previous_config = cascade_app_client.ds.config
     try:
         cascade_app_client.ds.config = config
+        async_to_sync(cascade_app_client.ds.invoke_startup)()
+        async_to_sync(cascade_app_client.ds.add_query)(
+            "fixtures", "query_two", "select 2", source="config"
+        )
         response = cascade_app_client.get(
             "/fixtures",
             cookies={"ds_actor": cascade_app_client.actor_cookie({"id": "test"})},
@@ -618,13 +622,13 @@ def test_padlocks_on_database_page(cascade_app_client):
         assert ">123_starts_with_digits</a></h3>" in response.text
         assert ">Table With Space In Name</a> 🔒</h3>" in response.text
         # Queries
-        assert ">from_async_hook</a> 🔒</li>" in response.text
         assert ">query_two</a></li>" in response.text
         # Views
         assert ">paginated_view</a> 🔒</li>" in response.text
         assert ">simple_view</a></li>" in response.text
     finally:
         cascade_app_client.ds.config = previous_config
+        async_to_sync(cascade_app_client.ds.remove_query)("fixtures", "query_two")
 
 
 @pytest.mark.asyncio
@@ -711,10 +715,6 @@ async def test_actor_restricted_permissions(
     perms_ds.pdb = True
     perms_ds.root_enabled = True  # Allow root actor to access /-/permissions
     cookies = {"ds_actor": perms_ds.sign({"a": {"id": "root"}}, "actor")}
-    csrftoken = (await perms_ds.client.get("/-/permissions", cookies=cookies)).cookies[
-        "ds_csrftoken"
-    ]
-    cookies["ds_csrftoken"] = csrftoken
     response = await perms_ds.client.post(
         "/-/permissions",
         data={
@@ -722,7 +722,6 @@ async def test_actor_restricted_permissions(
             "permission": permission,
             "resource_1": resource_1,
             "resource_2": resource_2,
-            "csrftoken": csrftoken,
         },
         cookies=cookies,
     )
@@ -831,6 +830,22 @@ PermConfigTestCase = collections.namedtuple(
             resource=("perms_ds_one", "t1"),
             expected_result=True,
         ),
+        # set-column-type on specific table
+        PermConfigTestCase(
+            config={
+                "databases": {
+                    "perms_ds_one": {
+                        "tables": {
+                            "t1": {"permissions": {"set-column-type": {"id": "user"}}}
+                        }
+                    }
+                }
+            },
+            actor={"id": "user"},
+            action="set-column-type",
+            resource=("perms_ds_one", "t1"),
+            expected_result=True,
+        ),
         # insert-row on database
         PermConfigTestCase(
             config={
@@ -875,7 +890,7 @@ PermConfigTestCase = collections.namedtuple(
             resource=("perms_ds_one", "t1"),
             expected_result=True,
         ),
-        # view-query on canned query, wrong actor
+        # view-query on stored query, wrong actor
         PermConfigTestCase(
             config={
                 "databases": {
@@ -894,7 +909,7 @@ PermConfigTestCase = collections.namedtuple(
             resource=("perms_ds_one", "q1"),
             expected_result=False,
         ),
-        # view-query on canned query, right actor
+        # view-query on stored query, right actor
         PermConfigTestCase(
             config={
                 "databases": {
@@ -922,16 +937,24 @@ async def test_permissions_in_config(
     updated_config = copy.deepcopy(previous_config)
     updated_config.update(config)
     perms_ds.config = updated_config
+    await perms_ds._save_queries_from_config()
     try:
         # Convert old-style resource to Resource object
-        from datasette.resources import DatabaseResource, TableResource
+        from datasette.resources import DatabaseResource, QueryResource, TableResource
 
         resource_obj = None
         if resource:
             if isinstance(resource, str):
                 resource_obj = DatabaseResource(database=resource)
             elif isinstance(resource, tuple) and len(resource) == 2:
-                resource_obj = TableResource(database=resource[0], table=resource[1])
+                if action == "view-query":
+                    resource_obj = QueryResource(
+                        database=resource[0], query=resource[1]
+                    )
+                else:
+                    resource_obj = TableResource(
+                        database=resource[0], table=resource[1]
+                    )
 
         result = await perms_ds.allowed(
             action=action, resource=resource_obj, actor=actor
@@ -941,6 +964,51 @@ async def test_permissions_in_config(
             assert result == expected_result
     finally:
         perms_ds.config = previous_config
+        await perms_ds._save_queries_from_config()
+
+
+@pytest.mark.asyncio
+async def test_allowed_resources_view_query_includes_actor_specific_query_permissions():
+    from datasette import hookimpl
+    from datasette.permissions import PermissionSQL
+    from datasette.resources import QueryResource
+
+    class ActorSpecificQueryPermissionPlugin:
+        __name__ = "ActorSpecificQueryPermissionPlugin"
+
+        @hookimpl
+        def permission_resources_sql(self, datasette, actor, action):
+            if action == "view-query" and actor and actor.get("id") == "alice":
+                return PermissionSQL(sql="""
+                        SELECT 'testdb' AS parent, 'user_only' AS child, 1 AS allow,
+                               'alice can view this query' AS reason
+                    """)
+            return None
+
+    ds = Datasette(default_deny=True)
+    await ds.invoke_startup()
+    ds.add_memory_database("testdb")
+    await ds._refresh_schemas()
+    await ds.add_query("testdb", "user_only", "select 1 as n")
+
+    plugin = ActorSpecificQueryPermissionPlugin()
+    ds.pm.register(plugin, name="actor_specific_query_permission_plugin")
+
+    try:
+        actor = {"id": "alice"}
+
+        assert await ds.allowed(
+            action="view-query",
+            resource=QueryResource("testdb", "user_only"),
+            actor=actor,
+        )
+
+        page = await ds.allowed_resources("view-query", actor)
+        assert [(resource.parent, resource.child) for resource in page.resources] == [
+            ("testdb", "user_only")
+        ]
+    finally:
+        ds.pm.unregister(name="actor_specific_query_permission_plugin")
 
 
 @pytest.mark.asyncio
@@ -1098,10 +1166,10 @@ async def test_api_explorer_visibility(
     try:
         prev_config = perms_ds.config
         perms_ds.config = config or {}
-        cookies = {}
+        kwargs = {}
         if is_logged_in:
-            cookies = {"ds_actor": perms_ds.client.actor_cookie({"id": "user"})}
-        response = await perms_ds.client.get("/-/api", cookies=cookies)
+            kwargs["actor"] = {"id": "user"}
+        response = await perms_ds.client.get("/-/api", **kwargs)
         if expected_visible_tables:
             assert response.status_code == 200
             # Search HTML for stuff matching:
@@ -1135,8 +1203,7 @@ async def test_view_table_token_cannot_gain_access_without_base_permission(perms
             # Restricted token claims access to perms_ds_two/t1 only
             "_r": {"r": {"perms_ds_two": {"t1": ["vt"]}}},
         }
-        cookies = {"ds_actor": perms_ds.client.actor_cookie(actor)}
-        response = await perms_ds.client.get("/perms_ds_two/t1.json", cookies=cookies)
+        response = await perms_ds.client.get("/perms_ds_two/t1.json", actor=actor)
         assert response.status_code == 403
     finally:
         perms_ds.config = previous_config
@@ -1255,7 +1322,7 @@ async def test_actor_restrictions(
     if restrictions:
         actor["_r"] = restrictions
     method = getattr(perms_ds.client, verb)
-    kwargs = {"cookies": {"ds_actor": perms_ds.client.actor_cookie(actor)}}
+    kwargs = {"actor": actor}
     if body:
         kwargs["json"] = body
     perms_ds._permission_checks.clear()
@@ -1386,7 +1453,7 @@ async def test_actor_restrictions_do_not_expand_allowed_resources(perms_ds):
         # And explicit permission checks should still deny
         response = await perms_ds.client.get(
             "/perms_ds_one/t1.json",
-            cookies={"ds_actor": perms_ds.client.actor_cookie(actor)},
+            actor=actor,
         )
         assert response.status_code == 403
     finally:
@@ -1454,18 +1521,17 @@ async def test_actor_restrictions_json_endpoints_show_filtered_listings(perms_ds
     """Test that /.json and /db.json show correct filtered listings - issue #2534"""
 
     actor = {"id": "user", "_r": {"r": {"perms_ds_one": {"t1": ["vt"]}}}}
-    cookies = {"ds_actor": perms_ds.client.actor_cookie(actor)}
 
     # /.json should be 403 (no view-instance permission)
-    response = await perms_ds.client.get("/.json", cookies=cookies)
+    response = await perms_ds.client.get("/.json", actor=actor)
     assert response.status_code == 403
 
     # /perms_ds_one.json should be 403 (no view-database permission)
-    response = await perms_ds.client.get("/perms_ds_one.json", cookies=cookies)
+    response = await perms_ds.client.get("/perms_ds_one.json", actor=actor)
     assert response.status_code == 403
 
     # /perms_ds_one/t1.json should be 200
-    response = await perms_ds.client.get("/perms_ds_one/t1.json", cookies=cookies)
+    response = await perms_ds.client.get("/perms_ds_one/t1.json", actor=actor)
     assert response.status_code == 200
 
 
@@ -1474,10 +1540,9 @@ async def test_actor_restrictions_view_instance_only(perms_ds):
     """Test actor restricted to view-instance only - issue #2534"""
 
     actor = {"id": "user", "_r": {"a": ["vi"]}}
-    cookies = {"ds_actor": perms_ds.client.actor_cookie(actor)}
 
     # /.json should be 200 (has view-instance permission)
-    response = await perms_ds.client.get("/.json", cookies=cookies)
+    response = await perms_ds.client.get("/.json", actor=actor)
     assert response.status_code == 200
 
     # But no databases should be visible (no view-database permission)
@@ -1668,6 +1733,29 @@ async def test_permission_check_view_requires_debug_permission():
     assert data["allowed"] is True
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize("action", ("view-query", "update-query", "delete-query"))
+async def test_permission_check_view_query_actions(action):
+    # https://github.com/simonw/datasette/issues/2756
+    # QueryResource takes a "query" argument, not "table", so /-/check must
+    # not assume every child resource class accepts table=
+    ds = Datasette()
+    ds.root_enabled = True
+    root_token = await ds.create_token("root", handler="signed")
+    response = await ds.client.get(
+        f"/-/check.json?action={action}&parent=mydb&child=myquery",
+        headers={"Authorization": f"Bearer {root_token}"},
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["action"] == action
+    assert data["resource"] == {
+        "parent": "mydb",
+        "child": "myquery",
+        "path": "/mydb/myquery",
+    }
+
+
 @pytest.mark.asyncio
 async def test_root_allow_block_with_table_restricted_actor():
     """
diff --git a/tests/test_playwright.py b/tests/test_playwright.py
new file mode 100644
index 00000000..ee396de5
--- /dev/null
+++ b/tests/test_playwright.py
@@ -0,0 +1,892 @@
+import json
+import socket
+import subprocess
+import sys
+import time
+
+import httpx
+import pytest
+
+from datasette.fixtures import write_fixture_database
+from datasette.utils.sqlite import sqlite3
+
+
+def find_free_port():
+    with socket.socket() as sock:
+        sock.bind(("127.0.0.1", 0))
+        return sock.getsockname()[1]
+
+
+def wait_for_server(process, url, timeout=10):
+    deadline = time.monotonic() + timeout
+    last_error = None
+    while time.monotonic() < deadline:
+        if process.poll() is not None:
+            stdout, stderr = process.communicate()
+            raise AssertionError(
+                "Datasette server exited early\n"
+                f"stdout:\n{stdout}\n"
+                f"stderr:\n{stderr}"
+            )
+        try:
+            response = httpx.get(url, timeout=1.0)
+            if response.status_code < 500:
+                return
+            last_error = f"HTTP {response.status_code}: {response.text[:200]}"
+        except httpx.HTTPError as ex:
+            last_error = repr(ex)
+        time.sleep(0.1)
+    raise AssertionError(f"Timed out waiting for {url}: {last_error}")
+
+
+@pytest.fixture
+def datasette_server(tmp_path):
+    fixtures_db_path = tmp_path / "fixtures.db"
+    write_fixture_database(str(fixtures_db_path))
+    data_db_path = tmp_path / "data.db"
+    write_playwright_database(str(data_db_path))
+    config_path = tmp_path / "datasette.json"
+    write_playwright_config(config_path)
+    plugins_dir = tmp_path / "plugins"
+    write_playwright_plugin(plugins_dir)
+    port = find_free_port()
+    process = subprocess.Popen(
+        [
+            sys.executable,
+            "-m",
+            "datasette",
+            str(fixtures_db_path),
+            str(data_db_path),
+            "--config",
+            str(config_path),
+            "--plugins-dir",
+            str(plugins_dir),
+            "--host",
+            "127.0.0.1",
+            "--port",
+            str(port),
+            "--setting",
+            "num_sql_threads",
+            "1",
+        ],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+    url = f"http://127.0.0.1:{port}/"
+    try:
+        wait_for_server(process, url)
+        yield url
+    finally:
+        process.terminate()
+        try:
+            process.wait(timeout=5)
+        except subprocess.TimeoutExpired:
+            process.kill()
+            process.wait()
+
+
+def write_playwright_database(db_path):
+    conn = sqlite3.connect(db_path)
+    try:
+        conn.executescript("""
+        create table projects (
+            id integer primary key,
+            title text not null,
+            metadata text,
+            logo text,
+            notes text,
+            score integer default 5
+        );
+        create table defaults_demo (
+            id integer primary key,
+            created_ms integer default (CAST((julianday('now') - 2440587.5) * 86400000 AS INTEGER))
+        );
+        insert into projects (title, metadata, logo, notes, score) values
+            (
+                'Build Datasette',
+                '{"ok": true}',
+                'asset-original',
+                'Initial notes',
+                5
+            );
+        """)
+    finally:
+        conn.close()
+
+
+def write_playwright_config(config_path):
+    config_path.write_text(
+        json.dumps(
+            {
+                "databases": {
+                    "data": {
+                        "permissions": {
+                            "create-table": True,
+                            "set-column-type": True,
+                        },
+                        "tables": {
+                            "projects": {
+                                "label_column": "title",
+                                "column_types": {
+                                    "metadata": "json",
+                                    "logo": "asset",
+                                    "notes": "textarea",
+                                },
+                                "permissions": {
+                                    "alter-table": True,
+                                    "insert-row": True,
+                                    "update-row": True,
+                                    "delete-row": True,
+                                },
+                            },
+                            "defaults_demo": {
+                                "permissions": {
+                                    "alter-table": True,
+                                },
+                            },
+                        },
+                    },
+                },
+            }
+        ),
+        "utf-8",
+    )
+
+
+def write_playwright_plugin(plugins_dir):
+    plugins_dir.mkdir()
+    (plugins_dir / "playwright_plugin.py").write_text(
+        '''
+from datasette import hookimpl
+from datasette.column_types import ColumnType, SQLiteType
+
+
+class AssetColumnType(ColumnType):
+    name = "asset"
+    description = "Demo asset picker"
+    sqlite_types = (SQLiteType.TEXT,)
+
+
+@hookimpl
+def register_column_types(datasette):
+    return [AssetColumnType]
+
+
+@hookimpl
+def extra_body_script():
+    return {
+        "module": True,
+        "script": """
+document.addEventListener("datasette_init", function (event) {
+  event.detail.registerPlugin("playwright-jump-section", {
+    version: "0.1",
+    makeJumpSections() {
+      return [
+        {
+          id: "agent-chat",
+          render(node, context) {
+            if (!context.navigationSearch || !context.input) {
+              throw new Error("Expected navigation search context");
+            }
+            node.innerHTML = [
+              '<section class="agent-jump-start">',
+              '<button type="button" data-playwright-agent-chat>',
+              'Start a new agent chat',
+              '</button>',
+              '</section>',
+            ].join("");
+            node.querySelector("button").addEventListener("click", function () {
+              window.location.href = "/-/playwright-agent";
+            });
+          },
+        },
+      ];
+    },
+  });
+
+  event.detail.registerPlugin("playwright-asset-field", {
+    version: "0.1",
+    makeColumnField(context) {
+      if (!context.columnType || context.columnType.type !== "asset") {
+        return;
+      }
+      return {
+        render(field) {
+          const wrapper = document.createElement("div");
+          wrapper.className = "playwright-asset-picker";
+          wrapper.dataset.column = field.context.column;
+          wrapper.dataset.database = field.context.database || "";
+          wrapper.dataset.table = field.context.table || "";
+          wrapper.dataset.tableUrl = field.context.tableUrl || "";
+          wrapper.dataset.mode = field.context.mode || "";
+          wrapper.dataset.columnType = field.context.columnType.type;
+
+          field.input.type = "hidden";
+          const value = document.createElement("span");
+          value.className = "playwright-asset-value";
+          const button = document.createElement("button");
+          button.type = "button";
+          button.className = "playwright-asset-select";
+          button.textContent = "Use demo asset";
+
+          function sync() {
+            value.textContent = field.getValue() || "No asset selected";
+          }
+
+          button.addEventListener("click", function () {
+            field.setValue("asset-from-plugin");
+            sync();
+          });
+
+          wrapper.appendChild(field.input);
+          wrapper.appendChild(value);
+          wrapper.appendChild(button);
+          sync();
+          return wrapper;
+        },
+        focus(field) {
+          const button = field.root.querySelector(".playwright-asset-select");
+          if (button) {
+            button.focus();
+          }
+        },
+      };
+    },
+  });
+});
+""",
+    }
+''',
+        "utf-8",
+    )
+
+
+def project_rows(datasette_server, **filters):
+    params = {
+        "_shape": "objects",
+        **{key: str(value) for key, value in filters.items()},
+    }
+    response = httpx.get(f"{datasette_server}data/projects.json", params=params)
+    response.raise_for_status()
+    return response.json()["rows"]
+
+
+def project_row(datasette_server, pk):
+    rows = project_rows(datasette_server, id=pk)
+    assert len(rows) == 1
+    return rows[0]
+
+
+def open_jump_menu(page):
+    page.keyboard.press("/")
+    page.locator("navigation-search .search-input").wait_for()
+
+
+@pytest.mark.playwright
+def test_datasette_homepage_contains_datasette(page, datasette_server):
+    page.goto(datasette_server)
+    assert "Datasette" in page.locator("body").inner_text()
+
+
+@pytest.mark.playwright
+def test_create_table_flow(page, datasette_server):
+    page.goto(f"{datasette_server}data")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-database-action="create-table"]').click()
+
+    dialog = page.locator("#table-create-dialog")
+    dialog.wait_for()
+    assert dialog.locator(".modal-title").inner_text() == "Create a table in data"
+    placeholder_select = dialog.locator(".table-create-custom-column-type").nth(0)
+    assert placeholder_select.input_value() == ""
+    assert (
+        placeholder_select.locator("option:checked").inner_text() == "- custom type -"
+    )
+    assert "table-create-input-placeholder" in placeholder_select.get_attribute("class")
+    assert (
+        dialog.locator(".table-create-column-name").nth(0).get_attribute("placeholder")
+        == "column name"
+    )
+    assert dialog.locator(".table-create-column-main").first.evaluate("""node => {
+            const inputHeight = node.querySelector(
+                ".table-create-column-name"
+            ).getBoundingClientRect().height;
+            const selectHeight = node.querySelector(
+                ".table-create-column-type"
+            ).getBoundingClientRect().height;
+            return Math.abs(inputHeight - selectHeight) <= 1;
+        }""")
+    dialog.locator('input[name="table"]').fill("playwright_created")
+    dialog.locator(".table-create-column-name").nth(1).fill("title")
+    dialog.locator(".table-create-more-options").nth(1).click()
+    dialog.locator(".table-create-not-null-input").nth(1).check()
+    title_defaults = dialog.locator(".table-create-default-options").nth(1)
+    assert title_defaults.locator("summary").inner_text() == "Set a default value"
+    title_defaults.locator("summary").click()
+    assert "or default to a specific value" in title_defaults.inner_text()
+    title_default_expr = title_defaults.locator(".table-create-default-expr")
+    title_default_input = title_defaults.locator(".table-create-default")
+    assert (
+        "Current timestamp in UTC, e.g. 2026-05-01 13:34:00"
+        in title_default_expr.locator("option").nth(1).inner_text()
+    )
+    title_default_expr.select_option("current_timestamp")
+    assert title_default_input.is_enabled()
+    title_default_input.fill("Untitled")
+    assert title_default_expr.input_value() == ""
+    dialog.locator(".table-create-add-column").click()
+    dialog.locator(".table-create-column-name").nth(2).fill("score")
+    dialog.locator(".table-create-column-type").nth(2).select_option("integer")
+    dialog.locator(".table-create-add-column").click()
+    dialog.locator(".table-create-column-name").nth(3).fill("metadata")
+    dialog.locator(".table-create-column-type").nth(3).select_option("integer")
+    dialog.locator(".table-create-more-options").nth(3).click()
+    dialog.locator(".table-create-custom-column-type").nth(3).select_option("json")
+    assert dialog.locator(".table-create-column-type").nth(3).input_value() == "text"
+    assert "table-create-input-placeholder" not in dialog.locator(
+        ".table-create-custom-column-type"
+    ).nth(3).get_attribute("class")
+
+    dialog.locator(".table-create-save").click()
+    page.wait_for_url("**/data/playwright_created")
+    assert "playwright_created" in page.locator("h1").inner_text()
+
+    response = httpx.get(
+        f"{datasette_server}data/playwright_created.json?_extra=columns,column_types"
+    )
+    response.raise_for_status()
+    data = response.json()
+    assert data["columns"] == [
+        "id",
+        "title",
+        "score",
+        "metadata",
+    ]
+    assert data["column_types"] == {
+        "metadata": {"type": "json", "config": None},
+    }
+    schema_response = httpx.get(
+        f"{datasette_server}data/-/query.json",
+        params={
+            "sql": (
+                "select sql from sqlite_master where type = 'table' "
+                "and name = 'playwright_created'"
+            )
+        },
+    )
+    schema_response.raise_for_status()
+    schema = schema_response.json()["rows"][0]["sql"]
+    assert "title" in schema
+    assert "NOT NULL DEFAULT 'Untitled'" in schema
+
+
+@pytest.mark.playwright
+def test_create_table_foreign_key_selection_updates_column_type(page, datasette_server):
+    page.goto(f"{datasette_server}data")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-database-action="create-table"]').click()
+
+    dialog = page.locator("#table-create-dialog")
+    dialog.wait_for()
+    dialog.locator(".table-create-more-options").nth(1).click()
+
+    column_name = dialog.locator(".table-create-column-name").nth(1)
+    type_select = dialog.locator(".table-create-column-type").nth(1)
+    foreign_key_select = dialog.locator(".table-create-foreign-key-target").nth(1)
+    assert column_name.input_value() == ""
+    assert type_select.input_value() == "text"
+
+    foreign_key_select.select_option("projects\u001fid")
+    assert column_name.input_value() == "projects_id"
+    assert type_select.input_value() == "integer"
+    assert foreign_key_select.input_value() == "projects\u001fid"
+
+
+@pytest.mark.playwright
+def test_create_table_unix_default_expression_updates_column_type(
+    page, datasette_server
+):
+    page.goto(f"{datasette_server}data")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-database-action="create-table"]').click()
+
+    dialog = page.locator("#table-create-dialog")
+    dialog.wait_for()
+    row = dialog.locator(".table-create-column-row").nth(1)
+    row.locator(".table-create-more-options").click()
+    row.locator(".table-create-default-options summary").click()
+
+    type_select = row.locator(".table-create-column-type")
+    default_expr = row.locator(".table-create-default-expr")
+    assert type_select.input_value() == "text"
+    assert (
+        "Current Unix time, integer milliseconds since the epoch"
+        in default_expr.locator("option").last.inner_text()
+    )
+
+    default_expr.select_option("current_unixtime_ms")
+    assert type_select.input_value() == "integer"
+
+
+@pytest.mark.playwright
+def test_alter_table_foreign_key_selection_updates_blank_column(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    dialog.locator(".table-alter-add-column").click()
+
+    column_name = dialog.locator(".table-alter-column-name").last
+    type_select = dialog.locator(".table-alter-column-type").last
+    foreign_key_select = dialog.locator(".table-alter-foreign-key-target").last
+    assert column_name.input_value() == ""
+    assert type_select.input_value() == "text"
+
+    foreign_key_select.select_option("projects\u001fid")
+    assert column_name.input_value() == "projects_id"
+    assert type_select.input_value() == "integer"
+    assert foreign_key_select.input_value() == "projects\u001fid"
+
+
+@pytest.mark.playwright
+def test_alter_table_unix_default_expression_updates_column_type(
+    page, datasette_server
+):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    dialog.locator(".table-alter-add-column").click()
+    row = dialog.locator(".table-alter-column-row").last
+    row.locator(".table-alter-default-options summary").click()
+
+    type_select = row.locator(".table-alter-column-type")
+    default_expr = row.locator(".table-alter-default-expr")
+    assert type_select.input_value() == "text"
+    assert (
+        "Current Unix time, integer seconds since the epoch"
+        in default_expr.locator("option").all_inner_texts()
+    )
+
+    default_expr.select_option("current_unixtime")
+    assert type_select.input_value() == "integer"
+
+
+@pytest.mark.playwright
+def test_alter_table_existing_default_expression_populates_select(
+    page, datasette_server
+):
+    page.goto(f"{datasette_server}data/defaults_demo")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    row = dialog.locator(".table-alter-column-row").nth(1)
+    row.locator(".table-alter-more-options").click()
+    row.locator(".table-alter-default-options summary").click()
+
+    assert row.locator(".table-alter-default-expr").input_value() == (
+        "current_unixtime_ms"
+    )
+    assert row.locator(".table-alter-default").input_value() == ""
+
+
+@pytest.mark.playwright
+def test_alter_table_flow(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    assert dialog.locator(".modal-title").inner_text() == "Alter table projects"
+    assert dialog.locator(".table-alter-save").is_disabled()
+    assert (
+        dialog.locator(".table-alter-column-name").first.get_attribute("placeholder")
+        == "column name"
+    )
+    assert dialog.locator(".table-alter-column-main").first.evaluate("""node => {
+            const inputHeight = node.querySelector(
+                ".table-alter-column-name"
+            ).getBoundingClientRect().height;
+            const selectHeight = node.querySelector(
+                ".table-alter-column-type"
+            ).getBoundingClientRect().height;
+            return Math.abs(inputHeight - selectHeight) <= 1;
+        }""")
+    type_options = dialog.locator(".table-alter-column-type").first.locator("option")
+    assert type_options.all_inner_texts() == [
+        "text",
+        "integer",
+        "floating point number",
+        "blob - binary data",
+    ]
+    first_more_options = dialog.locator(".table-alter-more-options").first
+    assert first_more_options.inner_text() == "> Advanced options"
+    first_more_options.click()
+    assert first_more_options.inner_text() == "v Hide options"
+    expanded_options_text = dialog.locator(
+        ".table-alter-column-details"
+    ).first.inner_text()
+    assert dialog.locator(".table-alter-fields").evaluate(
+        "node => node.scrollWidth <= node.clientWidth + 1"
+    )
+    assert "Not null" in expanded_options_text
+    assert "This value cannot be left unset" in expanded_options_text
+    assert "Set a default value" in expanded_options_text
+    assert "Primary key" in expanded_options_text
+    assert "This ID uniquely identifies the record" in expanded_options_text
+    assert "Foreign key" in expanded_options_text
+    first_defaults = dialog.locator(".table-alter-default-options").first
+    first_defaults.locator("summary").click()
+    assert "or default to a specific value" in first_defaults.inner_text()
+    first_default_expr = first_defaults.locator(".table-alter-default-expr")
+    first_default_input = first_defaults.locator(".table-alter-default")
+    assert (
+        "Current timestamp in UTC, e.g. 2026-05-01 13:34:00"
+        in first_default_expr.locator("option").nth(1).inner_text()
+    )
+    first_default_expr.select_option("current_timestamp")
+    assert first_default_input.is_enabled()
+    first_default_input.fill("manual")
+    assert first_default_expr.input_value() == ""
+
+    dialog.locator(".table-alter-add-column").click()
+    assert dialog.locator(".table-alter-save").is_enabled()
+    dialog.locator(".table-alter-column-name").last.fill("status")
+    dialog.locator(".table-alter-column-type").last.select_option("text")
+    dialog.locator(".table-alter-default-options").last.locator("summary").click()
+    dialog.locator(".table-alter-default").last.fill("planned")
+    dialog.locator(".table-alter-save").click()
+    review = dialog.locator(".table-alter-review")
+    review.wait_for()
+    assert not dialog.locator(".table-alter-column-list").is_visible()
+    review_text = review.inner_text()
+    assert "Add column status as text, with default value planned." in review_text
+    assert "Set column order to" not in review_text
+    assert dialog.locator(".table-alter-back").is_visible()
+    assert dialog.locator(".table-alter-save").inner_text() == "Apply changes"
+    dialog.locator(".table-alter-save").click()
+
+    columns = []
+    for _ in range(20):
+        response = httpx.get(f"{datasette_server}data/projects.json?_extra=columns")
+        response.raise_for_status()
+        columns = response.json()["columns"]
+        if "status" in columns:
+            break
+        time.sleep(0.1)
+    assert "status" in columns
+
+
+@pytest.mark.playwright
+def test_alter_table_primary_key_columns_stay_at_top(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    rows = dialog.locator(".table-alter-column-row")
+    assert rows.nth(0).locator(".table-alter-column-name").input_value() == "id"
+    first_row_move_buttons = rows.nth(0).locator(".table-alter-move-controls button")
+    for i in range(first_row_move_buttons.count()):
+        assert first_row_move_buttons.nth(i).is_disabled()
+        assert (
+            first_row_move_buttons.nth(i).get_attribute("title")
+            == "Primary key columns are always listed first"
+        )
+
+    assert rows.nth(1).locator(".table-alter-move-up").is_disabled()
+    assert rows.nth(1).locator(".table-alter-move-top").get_attribute("title") == (
+        "Primary key columns are always listed first"
+    )
+    assert rows.nth(1).locator(".table-alter-move-up").get_attribute("title") == (
+        "Primary key columns are always listed first"
+    )
+    last_row = rows.nth(rows.count() - 1)
+    assert last_row.locator(".table-alter-column-name").input_value() == "score"
+    last_row.locator(".table-alter-move-top").click()
+    assert rows.nth(0).locator(".table-alter-column-name").input_value() == "id"
+    assert rows.nth(1).locator(".table-alter-column-name").input_value() == "score"
+
+
+@pytest.mark.playwright
+def test_alter_table_review_rename_primary_key_column(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    save = dialog.locator(".table-alter-save")
+    assert save.is_disabled()
+    dialog.locator(".table-alter-column-name").first.fill("id3")
+    assert save.is_enabled()
+    save.click()
+
+    review = dialog.locator(".table-alter-review")
+    review.wait_for()
+    review_text = review.inner_text()
+    assert "Rename column id to id3." in review_text
+    assert "Set primary key to" not in review_text
+    assert dialog.locator(".table-alter-review-name").all_inner_texts() == [
+        "id",
+        "id3",
+    ]
+
+
+@pytest.mark.playwright
+def test_alter_table_review_rename_table(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    save = dialog.locator(".table-alter-save")
+    rename_details = dialog.locator(".table-alter-table-options")
+    assert rename_details.locator("summary").inner_text() == "Rename table"
+    assert not dialog.locator(".table-alter-table-name").is_visible()
+    assert save.is_disabled()
+
+    rename_details.locator("summary").click()
+    table_name = dialog.locator(".table-alter-table-name")
+    assert table_name.input_value() == "projects"
+    assert table_name.get_attribute("placeholder") == "table name"
+    table_name.fill("projects_archive")
+    assert save.is_enabled()
+    save.click()
+
+    review = dialog.locator(".table-alter-review")
+    review.wait_for()
+    assert "Rename table to projects_archive." in review.inner_text()
+    assert dialog.locator(".table-alter-review-name").all_inner_texts() == [
+        "projects_archive",
+    ]
+
+
+@pytest.mark.playwright
+def test_alter_table_review_not_null_wording(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    dialog.locator(".table-alter-more-options").first.click()
+    dialog.locator(".table-alter-not-null-input").first.check()
+    dialog.locator(".table-alter-save").click()
+
+    review = dialog.locator(".table-alter-review")
+    review.wait_for()
+    assert "Change column id: not null (require values)." in review.inner_text()
+
+
+@pytest.mark.playwright
+def test_alter_table_review_warns_when_dropping_column(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator("details.actions-menu-links summary").click()
+    page.locator('button[data-table-action="alter-table"]').click()
+
+    dialog = page.locator("#table-alter-dialog")
+    dialog.wait_for()
+    remove_buttons = dialog.locator(".table-alter-remove-column")
+    remove_buttons.nth(remove_buttons.count() - 1).click()
+    dialog.locator(".table-alter-save").click()
+
+    review = dialog.locator(".table-alter-review")
+    review.wait_for()
+    assert not dialog.locator(".table-alter-column-list").is_visible()
+    review_text = review.inner_text()
+    assert "Warning: data in dropped columns will be permanently lost." in review_text
+    assert "Drop column score." in review_text
+    assert "Set column order to" not in review_text
+    assert dialog.locator(".table-alter-review-damaging").inner_text() == (
+        "Drop column score."
+    )
+
+    dialog.locator(".table-alter-back").click()
+    assert dialog.locator(".table-alter-column-list").is_visible()
+    assert dialog.locator(".table-alter-save").inner_text() == "Review changes"
+
+
+@pytest.mark.playwright
+def test_alter_table_cancel_skips_discard_prompt(page, datasette_server):
+    def open_alter_dialog():
+        page.locator("details.actions-menu-links").evaluate("node => node.open = true")
+        page.locator('button[data-table-action="alter-table"]').click()
+        dialog = page.locator("#table-alter-dialog")
+        dialog.wait_for()
+        return dialog
+
+    page.goto(f"{datasette_server}data/projects")
+    page.evaluate("""
+        () => {
+            window.__discardConfirmMessages = [];
+            window.confirm = (message) => {
+                window.__discardConfirmMessages.push(message);
+                return false;
+            };
+        }
+        """)
+
+    dialog = open_alter_dialog()
+    dialog.locator(".table-alter-add-column").click()
+    dialog.locator(".table-alter-column-name").last.fill("cancel_me")
+    dialog.locator(".table-alter-cancel").click()
+    assert dialog.evaluate("node => node.open") is False
+    assert page.evaluate("() => window.__discardConfirmMessages") == []
+
+    dialog = open_alter_dialog()
+    dialog.locator(".table-alter-add-column").click()
+    dialog.locator(".table-alter-column-name").last.fill("escape_me")
+    page.keyboard.press("Escape")
+    assert page.evaluate("() => window.__discardConfirmMessages") == [
+        "Discard table changes?"
+    ]
+    assert dialog.evaluate("node => node.open") is True
+
+    page.evaluate("() => window.__discardConfirmMessages = []")
+    dialog.evaluate(
+        """node => node.dispatchEvent(new MouseEvent("click", {bubbles: true}))"""
+    )
+    assert page.evaluate("() => window.__discardConfirmMessages") == [
+        "Discard table changes?"
+    ]
+    assert dialog.evaluate("node => node.open") is True
+
+
+@pytest.mark.playwright
+def test_navigation_search_tracks_and_renders_recent_items(page, datasette_server):
+    page.goto(datasette_server)
+    open_jump_menu(page)
+    search = page.locator("navigation-search .search-input")
+    search.fill("projects")
+    result = page.locator("navigation-search .result-item", has_text="projects").first
+    result.wait_for()
+    result.click()
+    page.wait_for_url("**/data/projects")
+
+    page.goto(datasette_server)
+    open_jump_menu(page)
+    results = page.locator("navigation-search .results-container")
+    results.locator(".results-heading", has_text="Recent").wait_for()
+    assert "projects" in results.inner_text()
+
+    page.locator("navigation-search [data-clear-recent-items]").click()
+    page.locator("navigation-search .results-container", has_text="Recent").wait_for(
+        state="detached"
+    )
+
+
+@pytest.mark.playwright
+def test_navigation_search_renders_jump_sections_from_javascript_plugins(
+    page, datasette_server
+):
+    page.goto(datasette_server)
+    open_jump_menu(page)
+    button = page.locator("navigation-search [data-playwright-agent-chat]")
+    button.wait_for()
+    assert button.inner_text() == "Start a new agent chat"
+    button.click()
+    page.wait_for_url("**/-/playwright-agent")
+
+
+@pytest.mark.playwright
+def test_insert_row_flow_uses_custom_column_field(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator('button[data-table-action="insert-row"]').click()
+
+    dialog = page.locator("#row-edit-dialog")
+    dialog.wait_for()
+    dialog.locator('input[name="title"]').fill("Launch Datasette Cloud")
+    dialog.locator('textarea[name="metadata"]').fill(
+        '{"ok": false, "source": "playwright"}'
+    )
+    dialog.locator('textarea[name="notes"]').fill("Inserted from Playwright")
+
+    asset = dialog.locator(".playwright-asset-picker")
+    asset.wait_for()
+    assert asset.get_attribute("data-column") == "logo"
+    assert asset.get_attribute("data-database") == "data"
+    assert asset.get_attribute("data-table") == "projects"
+    assert asset.get_attribute("data-mode") == "insert"
+    asset.locator(".playwright-asset-select").click()
+    assert asset.locator(".playwright-asset-value").inner_text() == "asset-from-plugin"
+
+    dialog.locator(".row-edit-save").click()
+    page.locator(".row-mutation-status", has_text="Inserted row 2").wait_for()
+    row = page.locator('tr[data-row="2"]')
+    row.wait_for()
+    assert "Launch Datasette Cloud" in row.inner_text()
+
+    data = project_row(datasette_server, 2)
+    assert data["title"] == "Launch Datasette Cloud"
+    assert data["metadata"] == '{"ok": false, "source": "playwright"}'
+    assert data["logo"] == "asset-from-plugin"
+    assert data["notes"] == "Inserted from Playwright"
+    assert data["score"] == 5
+
+
+@pytest.mark.playwright
+def test_edit_row_flow_validates_json_and_saves_changes(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator('tr[data-row="1"] button[data-row-action="edit"]').click()
+
+    dialog = page.locator("#row-edit-dialog")
+    dialog.wait_for()
+    title = dialog.locator('input[name="title"]')
+    title.wait_for()
+    title.fill("Build Datasette, edited")
+
+    metadata = dialog.locator('textarea[name="metadata"]')
+    metadata.fill("{")
+    dialog.locator(
+        ".row-edit-field-validation-error", has_text="Invalid JSON"
+    ).wait_for()
+    dialog.locator(".row-edit-save").click()
+    assert dialog.evaluate("node => node.open")
+    assert project_row(datasette_server, 1)["title"] == "Build Datasette"
+
+    metadata.fill('{"ok": true, "edited": true}')
+    dialog.locator(
+        ".row-edit-field-validation-error", has_text="Invalid JSON"
+    ).wait_for(state="hidden")
+    dialog.locator('textarea[name="notes"]').fill("Edited from Playwright")
+    asset = dialog.locator(".playwright-asset-picker")
+    asset.wait_for()
+    assert asset.get_attribute("data-mode") == "edit"
+    asset.locator(".playwright-asset-select").click()
+
+    dialog.locator(".row-edit-save").click()
+    page.locator(".row-mutation-status", has_text="Updated row 1").wait_for()
+    row = page.locator('tr[data-row="1"]')
+    assert "Build Datasette, edited" in row.inner_text()
+
+    data = project_row(datasette_server, 1)
+    assert data["title"] == "Build Datasette, edited"
+    assert data["metadata"] == '{"ok": true, "edited": true}'
+    assert data["logo"] == "asset-from-plugin"
+    assert data["notes"] == "Edited from Playwright"
+
+
+@pytest.mark.playwright
+def test_delete_row_flow_removes_row(page, datasette_server):
+    page.goto(f"{datasette_server}data/projects")
+    page.locator('tr[data-row="1"] button[data-row-action="delete"]').click()
+
+    dialog = page.locator("#row-delete-dialog")
+    dialog.wait_for()
+    assert "Delete row 1" in dialog.inner_text()
+    dialog.locator(".row-delete-confirm").click()
+
+    page.locator(".row-mutation-status", has_text="Deleted row 1").wait_for()
+    page.locator('tr[data-row="1"]').wait_for(state="detached")
+    assert project_rows(datasette_server, id=1) == []
diff --git a/tests/test_plugins.py b/tests/test_plugins.py
index fa9d1a1f..da14c714 100644
--- a/tests/test_plugins.py
+++ b/tests/test_plugins.py
@@ -1,7 +1,6 @@
 from bs4 import BeautifulSoup as Soup
 from .fixtures import (
     make_app_client,
-    TABLES,
     TEMP_PLUGIN_SECRET_FILE,
     PLUGINS_DIR,
     TestClient as _TestClient,
@@ -9,6 +8,7 @@ from .fixtures import (
 from click.testing import CliRunner
 from datasette.app import Datasette
 from datasette import cli, hookimpl
+from datasette.fixtures import TABLES
 from datasette.filters import FilterArguments
 from datasette.plugins import get_plugins, DEFAULT_PLUGINS, pm
 from datasette.permissions import PermissionSQL, Action
@@ -43,6 +43,11 @@ def test_plugin_hooks_have_tests(plugin_hook):
     assert ok, f"Plugin hook is missing tests: {plugin_hook}"
 
 
+def test_hook_jump_items_sql():
+    # Detailed behavior is covered in tests/test_jump.py.
+    assert "jump_items_sql" in dir(pm.hook)
+
+
 @pytest.mark.asyncio
 async def test_hook_plugins_dir_plugin_prepare_connection(ds_client):
     response = await ds_client.get(
@@ -422,9 +427,9 @@ def test_plugins_async_template_function(restore_working_directory):
             .select("pre.extra_from_awaitable_function")[0]
             .text
         )
-        expected = (
-            sqlite3.connect(":memory:").execute("select sqlite_version()").fetchone()[0]
-        )
+        conn = sqlite3.connect(":memory:")
+        expected = conn.execute("select sqlite_version()").fetchone()[0]
+        conn.close()
         assert expected == extra_from_awaitable_function
 
 
@@ -466,6 +471,7 @@ def view_names_client(tmp_path_factory):
     db_path = str(tmpdir / "fixtures.db")
     conn = sqlite3.connect(db_path)
     conn.executescript(TABLES)
+    conn.close()
     return _TestClient(
         Datasette([db_path], template_dir=str(templates), plugins_dir=str(plugins))
     )
@@ -620,6 +626,31 @@ async def test_hook_register_output_renderer_can_render(ds_client):
     }.items() <= ds_client.ds._can_render_saw.items()
 
 
+@pytest.mark.asyncio
+async def test_hook_register_output_renderer_can_render_canned_query(ds_client):
+    # https://github.com/simonw/datasette/issues/2711
+    # can_render for a canned query must be passed the query's columns, rows
+    # and SQL - previously it received an empty data dict, so renderers that
+    # depend on the columns (datasette-atom, datasette-ics) never showed up.
+    response = await ds_client.get("/fixtures/pragma_cache_size")
+    assert response.status_code == 200
+    saw = ds_client.ds._can_render_saw
+    assert saw["columns"] == ["cache_size"]
+    assert len(saw["rows"]) == 1
+    assert saw["sql"] == "PRAGMA cache_size;"
+    assert saw["query_name"] == "pragma_cache_size"
+    # The renderer's export link should therefore be offered
+    links = (
+        Soup(response.text, "html.parser")
+        .find("p", {"class": "export-links"})
+        .find_all("a")
+    )
+    actual = [link["href"] for link in links]
+    assert any(
+        href.startswith("/fixtures/pragma_cache_size.testall") for href in actual
+    )
+
+
 @pytest.mark.asyncio
 async def test_hook_prepare_jinja2_environment(ds_client):
     ds_client.ds._HELLO = "HI"
@@ -812,21 +843,25 @@ def test_hook_register_routes_override():
 
 
 def test_hook_register_routes_post(app_client):
-    response = app_client.post("/post/", {"this is": "post data"}, csrftoken_from=True)
+    response = app_client.post("/post/", {"this is": "post data"})
     assert response.status_code == 200
-    assert "csrftoken" in response.json
     assert response.json["this is"] == "post data"
 
 
 def test_hook_register_routes_csrftoken(restore_working_directory, tmpdir_factory):
+    # csrftoken() is a legacy compatibility shim that returns a
+    # per-request random value - it is no longer used for CSRF enforcement.
     templates = tmpdir_factory.mktemp("templates")
     (templates / "csrftoken_form.html").write_text(
-        "CSRFTOKEN: {{ csrftoken() }}", "utf-8"
+        "CSRFTOKEN:{{ csrftoken() }}:END", "utf-8"
     )
     with make_app_client(template_dir=templates) as client:
         response = client.get("/csrftoken-form/")
-        expected_token = client.ds._last_request.scope["csrftoken"]()
-        assert f"CSRFTOKEN: {expected_token}" == response.text
+        assert response.text.startswith("CSRFTOKEN:")
+        assert response.text.endswith(":END")
+        token = response.text[len("CSRFTOKEN:") : -len(":END")]
+        assert len(token) >= 20
+        assert "ds_csrftoken" not in response.cookies
 
 
 @pytest.mark.asyncio
@@ -863,40 +898,76 @@ async def test_hook_startup(ds_client):
 
 
 @pytest.mark.asyncio
-async def test_hook_canned_queries(ds_client):
-    queries = (await ds_client.get("/fixtures.json")).json()["queries"]
+async def test_hook_startup_metadata_available(ds_client):
+    # Metadata from metadata.yaml should be populated before startup() fires
+    assert "title" in ds_client.ds._startup_metadata_keys
+
+
+@pytest.mark.asyncio
+async def test_hook_startup_catalog_populated(ds_client):
+    # Internal catalog tables should be populated before startup() fires
+    assert "fixtures" in ds_client.ds._startup_catalog_databases
+
+
+@pytest.mark.asyncio
+async def test_plugin_startup_can_add_queries():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("plugin_startup_queries", name="data")
+
+    class AddQueriesPlugin:
+        __name__ = "AddQueriesPlugin"
+
+        @hookimpl
+        def startup(self, datasette):
+            async def inner():
+                result = await datasette.get_database("data").execute("select 1 + 1")
+                await datasette.add_query(
+                    "data",
+                    "from_startup",
+                    "select {}".format(result.first()[0]),
+                    source="plugin",
+                )
+
+            return inner
+
+    ds.pm.register(AddQueriesPlugin(), name="add_queries_plugin")
+    try:
+        response = await ds.client.get("/data.json")
+    finally:
+        ds.pm.unregister(name="add_queries_plugin")
+
+    queries = response.json()["queries"]
     queries_by_name = {q["name"]: q for q in queries}
-    assert {
-        "sql": "select 2",
-        "name": "from_async_hook",
-        "private": False,
-    } == queries_by_name["from_async_hook"]
-    assert {
-        "sql": "select 1, 'null' as actor_id",
-        "name": "from_hook",
-        "private": False,
-    } == queries_by_name["from_hook"]
+    assert queries_by_name["from_startup"]["sql"] == "select 2"
+    assert queries_by_name["from_startup"]["private"] is False
 
 
 @pytest.mark.asyncio
-async def test_hook_canned_queries_non_async(ds_client):
-    response = await ds_client.get("/fixtures/from_hook.json?_shape=array")
-    assert [{"1": 1, "actor_id": "null"}] == response.json()
+async def test_plugin_startup_query_can_execute():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("plugin_startup_query_execute", name="data")
 
+    class AddQueryPlugin:
+        __name__ = "AddQueryPlugin"
+
+        @hookimpl
+        def startup(self, datasette):
+            async def inner():
+                await datasette.add_query(
+                    "data", "from_startup", "select 2", source="plugin"
+                )
+
+            return inner
+
+    ds.pm.register(AddQueryPlugin(), name="add_query_plugin")
+    try:
+        response = await ds.client.get("/data/from_startup.json?_shape=array")
+    finally:
+        ds.pm.unregister(name="add_query_plugin")
 
-@pytest.mark.asyncio
-async def test_hook_canned_queries_async(ds_client):
-    response = await ds_client.get("/fixtures/from_async_hook.json?_shape=array")
     assert [{"2": 2}] == response.json()
 
 
-@pytest.mark.asyncio
-async def test_hook_canned_queries_actor(ds_client):
-    assert (
-        await ds_client.get("/fixtures/from_hook.json?_bot=1&_shape=array")
-    ).json() == [{"1": 1, "actor_id": "bot"}]
-
-
 def test_hook_register_magic_parameters(restore_working_directory):
     with make_app_client(
         extra_databases={"data.db": "create table logs (line text)"},
@@ -991,6 +1062,7 @@ async def test_hook_menu_links(ds_client):
 async def test_hook_table_actions(ds_client):
     response = await ds_client.get("/fixtures/facetable")
     assert get_actions_links(response.text) == []
+    assert get_actions_buttons(response.text) == []
     response_2 = await ds_client.get("/fixtures/facetable?_bot=1&_hello=BOB")
     assert ">Table actions<" in response_2.text
     assert sorted(
@@ -1000,6 +1072,23 @@ async def test_hook_table_actions(ds_client):
         {"label": "From async BOB", "href": "/", "description": None},
         {"label": "Table: facetable", "href": "/", "description": None},
     ]
+    response_3 = await ds_client.get("/fixtures/facetable?_bot=1&_button=1")
+    assert get_actions_buttons(response_3.text) == [
+        {
+            "label": "Plugin button",
+            "description": "Runs JavaScript from a plugin",
+            "attrs": {
+                "aria-label": "Plugin button for facetable",
+                "class": ["button-as-link", "action-menu-button"],
+                "data-database": "fixtures",
+                "data-plugin-action": "plugin-button",
+                "data-table": "facetable",
+                "role": "menuitem",
+                "tabindex": "-1",
+                "type": "button",
+            },
+        }
+    ]
 
 
 @pytest.mark.asyncio
@@ -1008,7 +1097,7 @@ async def test_hook_view_actions(ds_client):
     assert get_actions_links(response.text) == []
     response_2 = await ds_client.get(
         "/fixtures/simple_view",
-        cookies={"ds_actor": ds_client.actor_cookie({"id": "bob"})},
+        actor={"id": "bob"},
     )
     assert ">View actions<" in response_2.text
     assert sorted(
@@ -1027,15 +1116,38 @@ def get_actions_links(html):
     links = []
     for a_el in details.select("a"):
         description = None
-        if a_el.find("p") is not None:
-            description = a_el.find("p").text.strip()
-            a_el.find("p").extract()
+        description_el = a_el.find(class_="dropdown-description")
+        if description_el is not None:
+            description = description_el.text.strip()
+            description_el.extract()
         label = a_el.text.strip()
         href = a_el["href"]
         links.append({"label": label, "href": href, "description": description})
     return links
 
 
+def get_actions_buttons(html):
+    soup = Soup(html, "html.parser")
+    details = soup.find("details", {"class": "actions-menu-links"})
+    if details is None:
+        return []
+    buttons = []
+    for button_el in details.select("button.action-menu-button"):
+        description = None
+        description_el = button_el.find(class_="dropdown-description")
+        if description_el is not None:
+            description = description_el.text.strip()
+            description_el.extract()
+        buttons.append(
+            {
+                "label": button_el.text.strip(),
+                "description": description,
+                "attrs": dict(button_el.attrs),
+            }
+        )
+    return buttons
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "path,expected_url",
@@ -1072,7 +1184,7 @@ async def test_hook_row_actions(ds_client):
 
     response_2 = await ds_client.get(
         "/fixtures/facet_cities/1",
-        cookies={"ds_actor": ds_client.actor_cookie({"id": "sam"})},
+        actor={"id": "sam"},
     )
     assert get_actions_links(response_2.text) == [
         {
@@ -1100,9 +1212,7 @@ async def test_hook_homepage_actions(ds_client):
     # No button for anonymous users
     assert "<span>Homepage actions</span>" not in response.text
     # Signed in user gets an action
-    response2 = await ds_client.get(
-        "/", cookies={"ds_actor": ds_client.actor_cookie({"id": "troy"})}
-    )
+    response2 = await ds_client.get("/", actor={"id": "troy"})
     assert "<span>Homepage actions</span>" in response2.text
     assert get_actions_links(response2.text) == [
         {
@@ -1113,31 +1223,6 @@ async def test_hook_homepage_actions(ds_client):
     ]
 
 
-def test_hook_skip_csrf(app_client):
-    cookie = app_client.actor_cookie({"id": "test"})
-    csrf_response = app_client.post(
-        "/post/",
-        post_data={"this is": "post data"},
-        csrftoken_from=True,
-        cookies={"ds_actor": cookie},
-    )
-    assert csrf_response.status_code == 200
-    missing_csrf_response = app_client.post(
-        "/post/", post_data={"this is": "post data"}, cookies={"ds_actor": cookie}
-    )
-    assert missing_csrf_response.status_code == 403
-    # But "/skip-csrf" should allow
-    allow_csrf_response = app_client.post(
-        "/skip-csrf", post_data={"this is": "post data"}, cookies={"ds_actor": cookie}
-    )
-    assert allow_csrf_response.status_code == 405  # Method not allowed
-    # /skip-csrf-2 should not
-    second_missing_csrf_response = app_client.post(
-        "/skip-csrf-2", post_data={"this is": "post data"}, cookies={"ds_actor": cookie}
-    )
-    assert second_missing_csrf_response.status_code == 403
-
-
 def _extract_commands(output):
     lines = output.split("Commands:\n", 1)[1].split("\n")
     return {line.split()[0].replace("*", "") for line in lines if line.strip()}
@@ -1467,8 +1552,10 @@ class SlotPlugin:
         return "Xtop_query:{}:{}:{}".format(database, sql, request.args["z"])
 
     @hookimpl
-    def top_canned_query(self, request, database, query_name):
-        return "Xtop_query:{}:{}:{}".format(database, query_name, request.args["z"])
+    def top_stored_query(self, request, database, query_name):
+        return "Xtop_stored_query:{}:{}:{}".format(
+            database, query_name, request.args["z"]
+        )
 
 
 @pytest.mark.asyncio
@@ -1529,12 +1616,12 @@ async def test_hook_top_query(ds_client):
 
 
 @pytest.mark.asyncio
-async def test_hook_top_canned_query(ds_client):
+async def test_hook_top_stored_query(ds_client):
     try:
         pm.register(SlotPlugin(), name="SlotPlugin")
-        response = await ds_client.get("/fixtures/from_hook?z=xyz")
+        response = await ds_client.get("/fixtures/magic_parameters?z=xyz")
         assert response.status_code == 200
-        assert "Xtop_query:fixtures:from_hook:xyz" in response.text
+        assert "Xtop_stored_query:fixtures:magic_parameters:xyz" in response.text
     finally:
         pm.unregister(name="SlotPlugin")
 
@@ -1660,7 +1747,7 @@ async def test_hook_register_actions_with_custom_resources():
             super().__init__(parent=collection, child=None)
 
         @classmethod
-        async def resources_sql(cls, datasette) -> str:
+        async def resources_sql(cls, datasette, actor=None) -> str:
             return """
                 SELECT 'collection1' AS parent, NULL AS child
                 UNION ALL
@@ -1677,7 +1764,7 @@ async def test_hook_register_actions_with_custom_resources():
             super().__init__(parent=collection, child=document)
 
         @classmethod
-        async def resources_sql(cls, datasette) -> str:
+        async def resources_sql(cls, datasette, actor=None) -> str:
             return """
                 SELECT 'collection1' AS parent, 'doc1' AS child
                 UNION ALL
@@ -1936,3 +2023,14 @@ def test_metadata_plugin_config_treated_as_config(
     assert "plugins" not in actual_metadata
     assert actual_metadata == expected_metadata
     assert ds.config == expected_config
+
+
+@pytest.mark.asyncio
+async def test_hook_register_column_types():
+    ds = Datasette()
+    await ds.invoke_startup()
+    # Built-in column types should be registered
+    assert "url" in ds._column_types
+    assert "email" in ds._column_types
+    assert "json" in ds._column_types
+    assert "nonexistent" not in ds._column_types
diff --git a/tests/test_pytest_autoclose_plugin.py b/tests/test_pytest_autoclose_plugin.py
new file mode 100644
index 00000000..3af1aace
--- /dev/null
+++ b/tests/test_pytest_autoclose_plugin.py
@@ -0,0 +1,91 @@
+"""
+Tests for datasette._pytest_plugin — the pytest plugin that auto-closes
+Datasette instances constructed inside test bodies.
+
+These tests drive a real pytest session in a subprocess so the plugin
+operates exactly as it would for a downstream consumer.
+"""
+
+import subprocess
+import sys
+import textwrap
+from pathlib import Path
+
+REPO_ROOT = Path(__file__).parent.parent
+
+
+def _run_pytest(tmp_path: Path) -> subprocess.CompletedProcess:
+    return subprocess.run(
+        [sys.executable, "-m", "pytest", "-v", str(tmp_path)],
+        cwd=str(tmp_path),
+        capture_output=True,
+        text=True,
+    )
+
+
+def test_auto_close_of_instances_made_in_test_body(tmp_path):
+    # Two ordered tests:
+    #   test_a makes a Datasette() and stashes a hard reference
+    #   test_b asserts that the hard-reffed instance was closed by the plugin
+    (tmp_path / "test_sample.py").write_text(textwrap.dedent("""
+            from datasette.app import Datasette
+
+            _stash = {}
+
+            def test_a():
+                ds = Datasette(memory=True)
+                _stash["ds"] = ds
+                assert ds._closed is False
+
+            def test_b():
+                assert _stash["ds"]._closed is True
+            """))
+    result = _run_pytest(tmp_path)
+    assert result.returncode == 0, result.stdout + result.stderr
+
+
+def test_fixture_scoped_instance_is_not_closed(tmp_path):
+    # A module-scoped fixture instance must survive across tests in the module.
+    (tmp_path / "test_fixture.py").write_text(textwrap.dedent("""
+            import pytest
+            from datasette.app import Datasette
+
+            @pytest.fixture(scope="module")
+            def ds():
+                return Datasette(memory=True)
+
+            def test_first(ds):
+                assert ds._closed is False
+
+            def test_second(ds):
+                # Still alive because the plugin only tracks instances
+                # constructed during pytest_runtest_call, not during fixture
+                # setup.
+                assert ds._closed is False
+            """))
+    result = _run_pytest(tmp_path)
+    assert result.returncode == 0, result.stdout + result.stderr
+
+
+def test_opt_out_via_ini(tmp_path):
+    # datasette_autoclose = false should leave instances untouched.
+    (tmp_path / "pytest.ini").write_text(textwrap.dedent("""
+            [pytest]
+            datasette_autoclose = false
+            """).strip())
+    (tmp_path / "test_optout.py").write_text(textwrap.dedent("""
+            from datasette.app import Datasette
+
+            _stash = {}
+
+            def test_a():
+                ds = Datasette(memory=True)
+                _stash["ds"] = ds
+
+            def test_b():
+                # Opt-out: plugin must not have closed it.
+                assert _stash["ds"]._closed is False
+                _stash["ds"].close()
+            """))
+    result = _run_pytest(tmp_path)
+    assert result.returncode == 0, result.stdout + result.stderr
diff --git a/tests/test_queries.py b/tests/test_queries.py
new file mode 100644
index 00000000..b757f221
--- /dev/null
+++ b/tests/test_queries.py
@@ -0,0 +1,3596 @@
+import json
+import re
+from html import unescape
+
+import pytest
+from bs4 import BeautifulSoup as Soup
+
+from datasette.app import Datasette
+from datasette.resources import DatabaseResource, QueryResource
+from datasette.stored_queries import StoredQuery, StoredQueryPage
+from datasette.utils.asgi import Forbidden
+from datasette.utils.sqlite import sqlite3, supports_returning
+
+requires_sqlite_returning = pytest.mark.skipif(
+    not supports_returning(), reason="SQLite does not support RETURNING"
+)
+EXPECTED_CREATE_TABLE_TEMPLATE_SQL = "\n".join(
+    (
+        "create table new_table (",
+        "  id integer primary key,",
+        "  name text",
+        "  -- created text default (datetime('now'))",
+        ")",
+    )
+)
+
+
+def _template_option_attributes(html, table):
+    match = re.search(r'<option value="{}"([^>]*)>'.format(table), html)
+    assert match, "Could not find template option for {}".format(table)
+    return match.group(1)
+
+
+def _template_sql(html, table, operation):
+    attrs = _template_option_attributes(html, table)
+    match = re.search(r'data-template-{}-sql="([^"]*)"'.format(operation), attrs)
+    assert match, "Could not find {} template for {}".format(operation, table)
+    return unescape(match.group(1))
+
+
+def _template_button_sql(html, operation):
+    soup = Soup(html, "html.parser")
+    button = soup.select_one('button[data-sql-template="{}"]'.format(operation))
+    assert button, "Could not find {} template button".format(operation)
+    assert button.get(
+        "data-template-sql"
+    ), "Could not find SQL for {} template button".format(operation)
+    return button["data-template-sql"]
+
+
+async def add_numbered_queries(ds, database, count):
+    for i in range(1, count + 1):
+        await ds.add_query(
+            database,
+            "demo_query_{:02d}".format(i),
+            "select {} as query_number".format(i),
+            title="Demo query {:02d}".format(i),
+            description="Seeded demo query number {:02d}".format(i),
+            source="user",
+            owner_id="root",
+        )
+
+
+@pytest.mark.asyncio
+async def test_queries_internal_table_schema():
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    internal_db = ds.get_internal_database()
+
+    columns = [
+        row["name"]
+        for row in (
+            await internal_db.execute("select name from pragma_table_info('queries')")
+        )
+    ]
+
+    assert columns == [
+        "database_name",
+        "name",
+        "sql",
+        "title",
+        "description",
+        "description_html",
+        "options",
+        "parameters",
+        "is_write",
+        "is_private",
+        "is_trusted",
+        "source",
+        "owner_id",
+        "created_at",
+        "updated_at",
+    ]
+
+
+@pytest.mark.asyncio
+async def test_add_get_and_remove_query():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("query_api", name="data")
+    await ds.invoke_startup()
+
+    await ds.add_query(
+        "data",
+        "top_customers",
+        "select * from customers where region = :region",
+        title="Top customers",
+        description="Customers by region",
+        hide_sql=True,
+        fragment="chart",
+        parameters=["region"],
+        is_trusted=True,
+        source="user",
+        owner_id="alice",
+    )
+
+    options_row = (
+        await ds.get_internal_database().execute(
+            """
+            SELECT options FROM queries
+            WHERE database_name = ? AND name = ?
+            """,
+            ["data", "top_customers"],
+        )
+    ).first()
+    assert json.loads(options_row["options"]) == {
+        "fragment": "chart",
+        "hide_sql": True,
+    }
+
+    query = await ds.get_query("data", "top_customers")
+    assert query == StoredQuery(
+        database="data",
+        name="top_customers",
+        sql="select * from customers where region = :region",
+        title="Top customers",
+        description="Customers by region",
+        description_html=None,
+        hide_sql=True,
+        fragment="chart",
+        parameters=["region"],
+        is_write=False,
+        is_private=False,
+        is_trusted=True,
+        source="user",
+        owner_id="alice",
+        on_success_message=None,
+        on_success_message_sql=None,
+        on_success_redirect=None,
+        on_error_message=None,
+        on_error_redirect=None,
+    )
+
+    queries_page = await ds.list_queries("data", actor=None)
+    assert queries_page == StoredQueryPage(
+        queries=[query],
+        next=None,
+        has_more=False,
+        limit=50,
+    )
+
+    await ds.remove_query("data", "top_customers")
+    assert await ds.get_query("data", "top_customers") is None
+    queries_page = await ds.list_queries("data", actor=None)
+    assert queries_page.queries == []
+    assert queries_page.next is None
+
+
+@pytest.mark.asyncio
+async def test_update_query_only_updates_provided_fields():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("query_api_update", name="data")
+    await ds.invoke_startup()
+
+    await ds.add_query(
+        "data",
+        "redirect",
+        "select 1",
+        title="Original",
+        on_success_redirect="/original",
+        parameters=["one"],
+    )
+
+    options_row = (
+        await ds.get_internal_database().execute(
+            """
+            SELECT options FROM queries
+            WHERE database_name = ? AND name = ?
+            """,
+            ["data", "redirect"],
+        )
+    ).first()
+    assert json.loads(options_row["options"]) == {"on_success_redirect": "/original"}
+
+    await ds.update_query(
+        "data",
+        "redirect",
+        title="Updated",
+        parameters=[],
+        on_success_redirect=None,
+    )
+
+    query = await ds.get_query("data", "redirect")
+    assert query.title == "Updated"
+    assert query.parameters == []
+    assert query.on_success_redirect is None
+    assert query.sql == "select 1"
+    assert query.is_private is False
+    assert query.is_trusted is False
+    options_row = (
+        await ds.get_internal_database().execute(
+            """
+            SELECT options FROM queries
+            WHERE database_name = ? AND name = ?
+            """,
+            ["data", "redirect"],
+        )
+    ).first()
+    assert json.loads(options_row["options"]) == {}
+
+
+@pytest.mark.asyncio
+async def test_config_queries_imported_to_internal_table():
+    ds = Datasette(
+        memory=True,
+        config={
+            "databases": {
+                "data": {
+                    "queries": {
+                        "configured": {
+                            "sql": "select :name as name",
+                            "title": "Configured query",
+                            "description_html": "<p>Configured HTML</p>",
+                            "params": ["name"],
+                            # Configured queries are always public; this is ignored.
+                            "is_private": True,
+                            "on_success_message_sql": "select 'Hello ' || :name",
+                        }
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("query_config", name="data")
+    await ds.invoke_startup()
+
+    assert await ds.get_query("data", "configured") == StoredQuery(
+        database="data",
+        name="configured",
+        sql="select :name as name",
+        title="Configured query",
+        description=None,
+        description_html="<p>Configured HTML</p>",
+        hide_sql=False,
+        fragment=None,
+        parameters=["name"],
+        is_write=False,
+        is_private=False,
+        is_trusted=True,
+        source="config",
+        owner_id=None,
+        on_success_message=None,
+        on_success_message_sql="select 'Hello ' || :name",
+        on_success_redirect=None,
+        on_error_message=None,
+        on_error_redirect=None,
+    )
+
+
+@pytest.mark.asyncio
+async def test_query_resources_come_from_internal_table():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("query_resources", name="data")
+    await ds.invoke_startup()
+    await ds.add_query("data", "internal_query", "select 1", source="user")
+
+    page = await ds.allowed_resources("view-query", actor=None)
+
+    assert [(r.parent, r.child) for r in page.resources] == [("data", "internal_query")]
+
+
+@pytest.mark.asyncio
+async def test_default_deny_blocks_view_query_even_for_trusted_query():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.add_memory_database("query_permissions", name="data")
+    await ds.invoke_startup()
+    await ds.add_query("data", "trusted", "select 1", is_trusted=True)
+
+    assert not await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "trusted"),
+        actor=None,
+    )
+
+
+@pytest.mark.asyncio
+async def test_view_query_default_allow_still_respects_private_restriction():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("default_view_query_permissions", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "private_report",
+        "select 1",
+        is_private=True,
+        source="user",
+        owner_id="alice",
+    )
+    await ds.add_query(
+        "data",
+        "shared_report",
+        "select 2",
+        is_private=False,
+        source="user",
+        owner_id="alice",
+    )
+
+    assert await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "shared_report"),
+        actor=None,
+    )
+    assert await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "private_report"),
+        actor={"id": "alice"},
+    )
+    assert not await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "private_report"),
+        actor={"id": "bob"},
+    )
+
+
+@pytest.mark.asyncio
+async def test_private_query_restriction_blocks_broad_view_query_permission():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-query": {"id": "*"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("private_query_permissions", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "private_report",
+        "select 1",
+        is_private=True,
+        source="user",
+        owner_id="alice",
+    )
+    await ds.add_query(
+        "data",
+        "shared_report",
+        "select 2",
+        is_private=False,
+        source="user",
+        owner_id="alice",
+    )
+
+    assert await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "private_report"),
+        actor={"id": "alice"},
+    )
+    assert not await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "private_report"),
+        actor={"id": "bob"},
+    )
+    assert await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "shared_report"),
+        actor={"id": "bob"},
+    )
+
+
+@pytest.mark.asyncio
+async def test_config_query_restriction_does_not_override_private_internal_query():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.add_memory_database("private_query_with_config_name", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "private_report",
+        "select 1",
+        is_private=True,
+        source="user",
+        owner_id="alice",
+    )
+    ds.config = {
+        "databases": {
+            "data": {
+                "permissions": {"view-query": {"id": "*"}},
+                "queries": {"private_report": {"sql": "select 2"}},
+            }
+        }
+    }
+
+    assert not await ds.allowed(
+        action="view-query",
+        resource=QueryResource("data", "private_report"),
+        actor={"id": "bob"},
+    )
+
+
+@pytest.mark.asyncio
+async def test_untrusted_shared_query_execution_requires_execute_sql():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "viewer"},
+                        "view-query": {"id": "viewer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("untrusted_query_execution", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "shared_report",
+        "select 1 as one",
+        is_private=False,
+        is_trusted=False,
+        source="user",
+        owner_id="alice",
+    )
+
+    denied_get = await ds.client.get("/data/shared_report.json", actor={"id": "viewer"})
+    denied_post = await ds.client.post(
+        "/data/shared_report",
+        actor={"id": "viewer"},
+        data={},
+    )
+    assert denied_get.status_code == 403
+    assert denied_post.status_code == 403
+
+    ds.config["databases"]["data"]["permissions"]["execute-sql"] = {"id": "viewer"}
+    allowed = await ds.client.get("/data/shared_report.json", actor={"id": "viewer"})
+    assert allowed.status_code == 200
+    assert allowed.json()["rows"] == [{"one": 1}]
+
+
+@pytest.mark.asyncio
+async def test_config_queries_are_trusted_by_default_but_can_opt_out():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-query": {"id": "viewer"},
+                    },
+                    "queries": {
+                        "trusted_report": {"sql": "select 1 as one"},
+                        "untrusted_report": {
+                            "sql": "select 2 as two",
+                            "is_trusted": False,
+                        },
+                    },
+                }
+            }
+        },
+    )
+    ds.add_memory_database("trusted_query_config", name="data")
+    await ds.invoke_startup()
+
+    trusted = await ds.client.get("/data/trusted_report.json", actor={"id": "viewer"})
+    untrusted = await ds.client.get(
+        "/data/untrusted_report.json", actor={"id": "viewer"}
+    )
+
+    assert trusted.status_code == 200
+    assert trusted.json()["rows"] == [{"one": 1}]
+    assert untrusted.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_database_page_query_preview_is_limited():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("query_preview", name="data")
+    await ds.invoke_startup()
+    await add_numbered_queries(ds, "data", 25)
+
+    html_response = await ds.client.get("/data")
+    json_response = await ds.client.get("/data.json")
+
+    assert html_response.status_code == 200
+    assert "Demo query 05" in html_response.text
+    assert "Demo query 06" not in html_response.text
+    assert '<a href="/data/-/queries">View 25 queries</a>' in html_response.text
+    assert len(json_response.json()["queries"]) == 5
+    assert json_response.json()["queries_more"] is True
+    assert json_response.json()["queries_count"] == 25
+
+
+@pytest.mark.asyncio
+async def test_query_actions_are_registered():
+    ds = Datasette()
+    await ds.invoke_startup()
+
+    assert ds.get_action("execute-write-sql").resource_class is DatabaseResource
+    assert ds.get_action("store-query").resource_class is DatabaseResource
+    assert ds.get_action("update-query").resource_class is QueryResource
+    assert ds.get_action("delete-query").resource_class is QueryResource
+
+
+@pytest.mark.asyncio
+async def test_analyze_write_query_requires_table_permissions():
+    ds = Datasette(memory=True, default_deny=True)
+    db = ds.add_memory_database("query_write_permissions", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    actor = {"id": "writer"}
+    await ds.add_query(
+        "data",
+        "write_dog",
+        "insert into dogs (name) values (:name)",
+        is_write=True,
+        source="user",
+        owner_id="writer",
+    )
+
+    with pytest.raises(Forbidden):
+        await ds.ensure_query_write_permissions(
+            "data",
+            "insert into dogs (name) values (:name)",
+            actor=actor,
+        )
+
+    ds.config = {
+        "databases": {
+            "data": {
+                "tables": {
+                    "dogs": {
+                        "permissions": {
+                            "insert-row": {"id": "writer"},
+                            "update-row": {"id": "writer"},
+                            "delete-row": {"id": "writer"},
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    await ds.ensure_query_write_permissions(
+        "data",
+        "insert into dogs (name) values (:name)",
+        actor=actor,
+    )
+
+
+@pytest.mark.asyncio
+async def test_analyze_write_query_rejects_writes_to_attached_databases():
+    ds = Datasette(memory=True, default_deny=True)
+    db = ds.add_memory_database("query_attached_writes", name="data")
+    await db.execute_write("attach database ':memory:' as extra")
+    await db.execute_write("create table extra.cats (id integer primary key)")
+    await ds.invoke_startup()
+
+    with pytest.raises(Forbidden):
+        await ds.ensure_query_write_permissions(
+            "data",
+            "insert into extra.cats (id) values (1)",
+            actor={"id": "writer"},
+        )
+
+
+@pytest.mark.asyncio
+async def test_query_store_api_creates_read_only_query():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_store_api", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        json={
+            "query": {
+                "name": "by_name",
+                "sql": "select * from dogs where name = :name",
+                "title": "By name",
+            }
+        },
+    )
+
+    assert response.status_code == 201
+    data = response.json()
+    assert data["ok"] is True
+    assert data["query"]["name"] == "by_name"
+    assert data["query"]["parameters"] == ["name"]
+    assert data["query"]["is_write"] is False
+    assert data["query"]["source"] == "user"
+    assert data["query"]["owner_id"] == "root"
+
+
+@pytest.mark.asyncio
+async def test_query_store_api_creates_query_for_immutable_database(tmp_path):
+    db_path = tmp_path / "immutable.db"
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("create table dogs (id integer primary key, name text)")
+    conn.commit()
+    conn.close()
+
+    ds = Datasette([], immutables=[str(db_path)], default_deny=True)
+    ds.root_enabled = True
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/immutable/-/queries/store",
+        actor={"id": "root"},
+        json={
+            "query": {
+                "name": "by_name",
+                "sql": "select * from dogs where name = :name",
+            }
+        },
+    )
+
+    ds.close()
+    assert response.status_code == 201
+    data = response.json()
+    assert data["ok"] is True
+    assert data["query"]["name"] == "by_name"
+    assert data["query"]["parameters"] == ["name"]
+    assert data["query"]["is_write"] is False
+
+
+@pytest.mark.asyncio
+async def test_query_list_and_definition_api():
+    ds = Datasette(memory=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_list_api", name="data")
+    await ds.invoke_startup()
+    await add_numbered_queries(ds, "data", 12)
+
+    list_response = await ds.client.get(
+        "/data/-/queries.json?_size=5",
+        actor={"id": "root"},
+    )
+    next_response = await ds.client.get(
+        "/data/-/queries.json?_size=5&_next={}".format(list_response.json()["next"]),
+        actor={"id": "root"},
+    )
+    definition_response = await ds.client.get(
+        "/data/demo_query_01/-/definition",
+        actor={"id": "root"},
+    )
+
+    assert list_response.status_code == 200
+    assert [query["name"] for query in list_response.json()["queries"]] == [
+        "demo_query_01",
+        "demo_query_02",
+        "demo_query_03",
+        "demo_query_04",
+        "demo_query_05",
+    ]
+    assert list_response.json()["next"]
+    assert [query["name"] for query in next_response.json()["queries"]] == [
+        "demo_query_06",
+        "demo_query_07",
+        "demo_query_08",
+        "demo_query_09",
+        "demo_query_10",
+    ]
+    assert definition_response.status_code == 200
+    assert definition_response.json()["query"]["title"] == "Demo query 01"
+
+
+@pytest.mark.asyncio
+async def test_query_page_does_not_show_internal_source():
+    ds = Datasette(memory=True)
+    ds.add_memory_database("query_page_source", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "stored_report",
+        "select 1 as one",
+        title="Stored report",
+        source="user",
+        owner_id="root",
+    )
+
+    response = await ds.client.get("/data/stored_report", actor={"id": "root"})
+
+    assert response.status_code == 200
+    assert "Stored report" in response.text
+    assert "Data source:" not in response.text
+
+
+@pytest.mark.asyncio
+async def test_query_list_search_filter_and_html():
+    ds = Datasette(memory=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_list_html", name="data")
+    await ds.invoke_startup()
+    await add_numbered_queries(ds, "data", 3)
+    await ds.add_query(
+        "data",
+        "private_query",
+        "select 'private'",
+        title="Private query",
+        is_private=True,
+        source="user",
+        owner_id="root",
+    )
+    await ds.add_query(
+        "data",
+        "trusted_query",
+        "select 'trusted'",
+        title="Trusted query",
+        is_trusted=True,
+        source="config",
+    )
+    await ds.add_query(
+        "data",
+        "writable_query",
+        "insert into dogs (name) values (:name)",
+        title="Writable query",
+        is_write=True,
+        source="user",
+        owner_id="root",
+    )
+
+    html_response = await ds.client.get(
+        "/data/-/queries?q=02",
+        actor={"id": "root"},
+    )
+    flags_response = await ds.client.get(
+        "/data/-/queries",
+        actor={"id": "root"},
+    )
+    json_response = await ds.client.get(
+        "/data/-/queries.json?q=02",
+        actor={"id": "root"},
+    )
+    filtered_response = await ds.client.get(
+        "/data/-/queries.json?is_private=1",
+        actor={"id": "root"},
+    )
+    filtered_write_response = await ds.client.get(
+        "/data/-/queries?is_write=1",
+        actor={"id": "root"},
+    )
+    filtered_private_response = await ds.client.get(
+        "/data/-/queries?is_private=1",
+        actor={"id": "root"},
+    )
+    no_results_response = await ds.client.get(
+        "/data/-/queries?q=nope",
+        actor={"id": "root"},
+    )
+
+    assert html_response.status_code == 200
+    assert "Demo query 02" in html_response.text
+    assert "Demo query 01" not in html_response.text
+    assert 'class="query-list-results"' in html_response.text
+    assert 'class="query-list-facets"' in html_response.text
+    assert 'type="radio"' not in html_response.text
+    assert "Only the owning actor can view this query." not in html_response.text
+    assert (
+        "Execution skips the usual SQL and write permission checks"
+        not in html_response.text
+    )
+    assert flags_response.status_code == 200
+    assert '<th scope="col">Owner</th>' in flags_response.text
+    assert '<th scope="col">Flags</th>' in flags_response.text
+    assert '<th scope="col">Mode</th>' not in flags_response.text
+    assert 'class="query-list-owner">root</td>' in flags_response.text
+    assert 'class="query-list-pill">Read-only</span>' in flags_response.text
+    assert (
+        'class="query-list-pill query-list-pill-write">Writable</span>'
+        in flags_response.text
+    )
+    assert (
+        'class="query-list-pill query-list-pill-private">Private</span>'
+        in flags_response.text
+    )
+    assert (
+        'class="query-list-pill query-list-pill-trusted">Trusted</span>'
+        in flags_response.text
+    )
+    assert (
+        'href="/data/-/queries?is_write=0"><span>Read-only</span><span class="query-list-facet-count">5</span>'
+        in flags_response.text
+    )
+    assert (
+        'href="/data/-/queries?is_write=1"><span>Writable</span><span class="query-list-facet-count">1</span>'
+        in flags_response.text
+    )
+    assert (
+        'href="/data/-/queries?is_private=0"><span>Not private</span><span class="query-list-facet-count">5</span>'
+        in flags_response.text
+    )
+    assert (
+        'href="/data/-/queries?is_private=1"><span>Private</span><span class="query-list-facet-count">1</span>'
+        in flags_response.text
+    )
+    assert "Only the owning actor can view this query." in flags_response.text
+    assert (
+        "Execution skips the usual SQL and write permission checks"
+        in flags_response.text
+    )
+    assert json_response.json()["queries"][0]["name"] == "demo_query_02"
+    assert [query["name"] for query in filtered_response.json()["queries"]] == [
+        "private_query"
+    ]
+    assert "Writable query" in filtered_write_response.text
+    assert "Demo query 01" not in filtered_write_response.text
+    assert (
+        'query-list-facet-link query-list-facet-link-active" href="/data/-/queries"'
+        in filtered_write_response.text
+    )
+    assert (
+        '<span class="query-list-facet-link query-list-facet-disabled"><span>Read-only</span><span class="query-list-facet-count">0</span></span>'
+        not in filtered_write_response.text
+    )
+    assert (
+        'href="/data/-/queries?is_write=1&amp;is_private=0"><span>Not private</span><span class="query-list-facet-count">1</span>'
+        in filtered_write_response.text
+    )
+    assert (
+        '<span class="query-list-facet-link query-list-facet-disabled"><span>Private</span><span class="query-list-facet-count">0</span></span>'
+        not in filtered_write_response.text
+    )
+    assert "Private query" in filtered_private_response.text
+    assert "Demo query 01" not in filtered_private_response.text
+    assert (
+        'href="/data/-/queries?is_private=1&amp;is_write=0"><span>Read-only</span><span class="query-list-facet-count">1</span>'
+        in filtered_private_response.text
+    )
+    assert (
+        '<span class="query-list-facet-link query-list-facet-disabled"><span>Writable</span><span class="query-list-facet-count">0</span></span>'
+        not in filtered_private_response.text
+    )
+    assert (
+        '<span class="query-list-facet-link query-list-facet-disabled"><span>Not private</span><span class="query-list-facet-count">0</span></span>'
+        not in filtered_private_response.text
+    )
+    assert no_results_response.status_code == 200
+    assert "No queries found." in no_results_response.text
+    assert 'class="query-list-filters core"' not in no_results_response.text
+    assert 'id="query-search"' not in no_results_response.text
+    assert 'class="query-list-facets"' not in no_results_response.text
+    assert "<h2>Mode</h2>" not in no_results_response.text
+    assert "<h2>Visibility</h2>" not in no_results_response.text
+
+
+@pytest.mark.asyncio
+async def test_query_list_html_defaults_to_twenty_and_shows_pagination():
+    ds = Datasette(memory=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_list_html_pagination", name="data")
+    await ds.invoke_startup()
+    await add_numbered_queries(ds, "data", 25)
+
+    response = await ds.client.get("/data/-/queries", actor={"id": "root"})
+    json_response = await ds.client.get("/data/-/queries.json", actor={"id": "root"})
+
+    assert response.status_code == 200
+    assert response.text.count('aria-label="Query pagination"') == 1
+    assert "Demo query 20" in response.text
+    assert "Demo query 21" not in response.text
+    assert 'href="/data/-/queries?_next=' in response.text
+    assert len(json_response.json()["queries"]) == 25
+
+
+@pytest.mark.asyncio
+async def test_global_query_list_api_and_html():
+    ds = Datasette(memory=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_list_global_alpha", name="alpha")
+    ds.add_memory_database("query_list_global_beta", name="beta")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "alpha",
+        "alpha_first",
+        "select 1",
+        title="Alpha first",
+        source="user",
+        owner_id="root",
+    )
+    await ds.add_query(
+        "alpha",
+        "alpha_second",
+        "select 2",
+        title="Alpha second",
+        source="user",
+        owner_id="root",
+    )
+    await ds.add_query(
+        "beta",
+        "beta_first",
+        "select 3",
+        title="Beta first",
+        source="user",
+        owner_id="root",
+    )
+
+    list_response = await ds.client.get(
+        "/-/queries.json?_size=2",
+        actor={"id": "root"},
+    )
+    next_response = await ds.client.get(
+        "/-/queries.json?_size=2&_next={}".format(list_response.json()["next"]),
+        actor={"id": "root"},
+    )
+    html_response = await ds.client.get(
+        "/-/queries?q=Beta",
+        actor={"id": "root"},
+    )
+
+    assert list_response.status_code == 200
+    assert [
+        (query["database"], query["name"]) for query in list_response.json()["queries"]
+    ] == [
+        ("alpha", "alpha_first"),
+        ("alpha", "alpha_second"),
+    ]
+    assert list_response.json()["next"]
+    assert [
+        (query["database"], query["name"]) for query in next_response.json()["queries"]
+    ] == [
+        ("beta", "beta_first"),
+    ]
+    assert html_response.status_code == 200
+    assert '<th scope="col">Database</th>' in html_response.text
+    assert 'class="query-list-database" href="/beta">beta</a>' in html_response.text
+    assert "Beta first" in html_response.text
+    assert "Alpha first" not in html_response.text
+
+
+@pytest.mark.asyncio
+async def test_query_store_api_rejects_is_trusted():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-sql": {"id": "writer"},
+                        "store-query": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("query_trusted_api", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "writer"},
+        json={"query": {"name": "trusted", "sql": "select 1", "is_trusted": True}},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["errors"] == ["Invalid keys: is_trusted"]
+
+
+@pytest.mark.asyncio
+async def test_query_store_rejects_config_only_fields():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_config_only_fields_api", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        json={
+            "query": {
+                "name": "unsafe",
+                "sql": "select 1",
+                "description_html": "<script>window.XSS=1</script>",
+                "on_success_message_sql": "select 'secret'",
+            }
+        },
+    )
+    form_response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        data={
+            "name": "unsafe_form",
+            "sql": "select 1",
+            "description_html": "<script>window.XSS=1</script>",
+        },
+    )
+
+    assert response.status_code == 400
+    assert response.json()["errors"] == [
+        "Invalid keys: description_html, on_success_message_sql"
+    ]
+    assert form_response.status_code == 400
+    assert "Invalid keys: description_html" in form_response.text
+    assert await ds.get_query("data", "unsafe") is None
+    assert await ds.get_query("data", "unsafe_form") is None
+
+
+@pytest.mark.asyncio
+async def test_query_store_api_creates_writable_query():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_write_api", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        json={
+            "query": {
+                "name": "insert_dog",
+                "sql": "insert into dogs (name) values (:name)",
+            }
+        },
+    )
+
+    assert response.status_code == 201
+    query = response.json()["query"]
+    assert query["is_write"] is True
+    assert query["is_private"] is True
+    assert query["is_trusted"] is False
+    assert query["parameters"] == ["name"]
+
+
+@pytest.mark.asyncio
+async def test_query_update_and_delete_api():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_update_api", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "editable",
+        "select 1",
+        title="Original",
+        source="user",
+        owner_id="root",
+    )
+
+    update_response = await ds.client.post(
+        "/data/editable/-/update",
+        actor={"id": "root"},
+        json={
+            "update": {
+                "title": "Updated",
+                "description": "Fresh",
+                "on_success_redirect": None,
+            },
+            "return": True,
+        },
+    )
+
+    assert update_response.status_code == 200
+    updated = update_response.json()["query"]
+    assert updated["title"] == "Updated"
+    assert updated["description"] == "Fresh"
+    assert updated["on_success_redirect"] is None
+
+    delete_response = await ds.client.post(
+        "/data/editable/-/delete",
+        actor={"id": "root"},
+        json={},
+    )
+
+    assert delete_response.status_code == 200
+    assert delete_response.json() == {"ok": True}
+    assert await ds.get_query("data", "editable") is None
+
+
+@pytest.mark.asyncio
+async def test_query_update_api_rejects_config_only_fields():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_update_config_only_fields", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "editable",
+        "insert into dogs (name) values (:name)",
+        is_write=True,
+        source="user",
+        owner_id="root",
+    )
+
+    response = await ds.client.post(
+        "/data/editable/-/update",
+        actor={"id": "root"},
+        json={
+            "update": {
+                "description_html": "<script>window.XSS=1</script>",
+                "on_success_message_sql": "select 'secret'",
+            }
+        },
+    )
+
+    assert response.status_code == 400
+    assert response.json()["errors"] == [
+        "Invalid keys: description_html, on_success_message_sql"
+    ]
+    query = await ds.get_query("data", "editable")
+    assert query.description_html is None
+    assert query.on_success_message_sql is None
+
+
+@pytest.mark.asyncio
+async def test_query_update_api_rejects_trusted_queries_but_internal_update_allowed():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "execute-sql": {"id": "editor"},
+                        "update-query": {"id": "editor"},
+                    },
+                    "queries": {
+                        "trusted_report": {
+                            "sql": "select 1 as one",
+                            "title": "Original",
+                        },
+                    },
+                }
+            }
+        },
+    )
+    ds.add_memory_database("query_update_trusted_api", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/trusted_report/-/update",
+        actor={"id": "editor"},
+        json={"update": {"sql": "select 2 as two", "title": "Edited"}},
+    )
+
+    assert response.status_code == 403
+    assert response.json()["errors"] == [
+        "Trusted queries cannot be updated using the API"
+    ]
+    query = await ds.get_query("data", "trusted_report")
+    assert query.is_trusted is True
+    assert query.sql == "select 1 as one"
+    assert query.title == "Original"
+
+    await ds.update_query(
+        "data",
+        "trusted_report",
+        sql="select 3 as three",
+        title="Internal",
+    )
+    query = await ds.get_query("data", "trusted_report")
+    assert query.is_trusted is True
+    assert query.sql == "select 3 as three"
+    assert query.title == "Internal"
+
+
+async def _make_ds_with_user_query(name, *, is_private=False, owner_id="owner"):
+    ds = Datasette(memory=True, settings={"default_allow_sql": True})
+    db = ds.add_memory_database(name, name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "saved",
+        "select * from dogs",
+        title="Saved query",
+        description="A saved query",
+        source="user",
+        owner_id=owner_id,
+        is_private=is_private,
+    )
+    return ds
+
+
+@pytest.mark.asyncio
+async def test_query_edit_form_renders_and_updates_for_owner():
+    ds = await _make_ds_with_user_query("query_edit_owner")
+    actor = {"id": "owner"}
+
+    # GET renders the form pre-filled with existing values
+    get_response = await ds.client.get("/data/saved/-/edit", actor=actor)
+    assert get_response.status_code == 200
+    assert 'value="Saved query"' in get_response.text
+    assert ">A saved query</textarea>" in get_response.text
+    assert "select * from dogs" in get_response.text
+    # URL slug is shown but not editable
+    assert 'name="name"' not in get_response.text
+
+    # POST updates the query and redirects back to the query page
+    post_response = await ds.client.post(
+        "/data/saved/-/edit",
+        actor=actor,
+        data={
+            "title": "Updated title",
+            "description": "Updated description",
+            "sql": "select id from dogs",
+            "is_private": "1",
+        },
+    )
+    assert post_response.status_code == 302
+    assert post_response.headers["location"] == "/data/saved"
+
+    query = await ds.get_query("data", "saved")
+    assert query.title == "Updated title"
+    assert query.description == "Updated description"
+    assert query.sql == "select id from dogs"
+    assert query.is_private is True
+
+
+@pytest.mark.asyncio
+async def test_query_edit_metadata_only_does_not_require_execute_sql():
+    # An owner who can no longer execute SQL can still edit title/description
+    ds = await _make_ds_with_user_query("query_edit_metadata_only")
+    actor = {"id": "owner"}
+
+    post_response = await ds.client.post(
+        "/data/saved/-/edit",
+        actor=actor,
+        data={
+            "title": "Renamed",
+            "description": "A saved query",
+            "sql": "select * from dogs",
+        },
+    )
+    assert post_response.status_code == 302
+    query = await ds.get_query("data", "saved")
+    assert query.title == "Renamed"
+
+
+@pytest.mark.asyncio
+async def test_private_query_edit_delete_restricted_to_owner():
+    ds = await _make_ds_with_user_query(
+        "query_edit_private", is_private=True, owner_id="owner"
+    )
+
+    # A different actor cannot view, edit or delete the private query
+    other = {"id": "intruder"}
+    assert (await ds.client.get("/data/saved/-/edit", actor=other)).status_code == 403
+    assert (await ds.client.get("/data/saved/-/delete", actor=other)).status_code == 403
+    delete_attempt = await ds.client.post(
+        "/data/saved/-/delete",
+        actor=other,
+        data={},
+    )
+    assert delete_attempt.status_code == 403
+    assert await ds.get_query("data", "saved") is not None
+
+    # The owner can edit and delete
+    owner = {"id": "owner"}
+    assert (await ds.client.get("/data/saved/-/edit", actor=owner)).status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_non_private_query_editable_by_permitted_non_owner():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "execute-sql": {"id": "editor"},
+                        "update-query": {"id": "editor"},
+                        "delete-query": {"id": "editor"},
+                    }
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("query_non_private_editor", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "saved",
+        "select * from dogs",
+        title="Shared",
+        source="user",
+        owner_id="owner",
+        is_private=False,
+    )
+
+    editor = {"id": "editor"}
+    # Editor (not the owner) can edit because the query is not private
+    post_response = await ds.client.post(
+        "/data/saved/-/edit",
+        actor=editor,
+        data={
+            "title": "Edited by editor",
+            "description": "",
+            "sql": "select * from dogs",
+        },
+    )
+    assert post_response.status_code == 302
+    query = await ds.get_query("data", "saved")
+    assert query.title == "Edited by editor"
+
+    # Editor can also delete it
+    delete_response = await ds.client.post(
+        "/data/saved/-/delete",
+        actor=editor,
+        data={},
+    )
+    assert delete_response.status_code == 302
+    assert await ds.get_query("data", "saved") is None
+
+
+@pytest.mark.asyncio
+async def test_query_delete_confirmation_and_form_delete():
+    ds = await _make_ds_with_user_query("query_delete_form")
+    actor = {"id": "owner"}
+
+    get_response = await ds.client.get("/data/saved/-/delete", actor=actor)
+    assert get_response.status_code == 200
+    assert "Are you sure" in get_response.text
+    assert "select * from dogs" in get_response.text
+    soup = Soup(get_response.text, "html.parser")
+    form = soup.select_one("form.query-delete-form")
+    assert form is not None
+    assert "core" in form["class"]
+    assert form.select_one('input[type="submit"][value="Delete query"]') is not None
+
+    post_response = await ds.client.post(
+        "/data/saved/-/delete",
+        actor=actor,
+        data={},
+    )
+    assert post_response.status_code == 302
+    assert post_response.headers["location"] == "/data"
+    assert await ds.get_query("data", "saved") is None
+
+
+@pytest.mark.asyncio
+async def test_query_action_menu_shows_edit_and_delete_for_owner():
+    ds = await _make_ds_with_user_query("query_action_menu")
+
+    owner_response = await ds.client.get("/data/saved", actor={"id": "owner"})
+    assert owner_response.status_code == 200
+    assert "/data/saved/-/edit" in owner_response.text
+    assert "/data/saved/-/delete" in owner_response.text
+
+    # A different actor (the query is public) cannot edit/delete by default
+    other_response = await ds.client.get("/data/saved", actor={"id": "stranger"})
+    assert other_response.status_code == 200
+    assert "/data/saved/-/edit" not in other_response.text
+    assert "/data/saved/-/delete" not in other_response.text
+
+
+@pytest.mark.asyncio
+async def test_query_edit_rejected_for_trusted_query():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "execute-sql": {"id": "editor"},
+                        "update-query": {"id": "editor"},
+                    },
+                    "queries": {"trusted_report": {"sql": "select 1 as one"}},
+                }
+            }
+        },
+    )
+    ds.add_memory_database("query_edit_trusted", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/trusted_report/-/edit", actor={"id": "editor"}
+    )
+    assert response.status_code == 403
+    # Edit/delete links should not appear on a trusted/config query page
+    page = await ds.client.get("/data/trusted_report", actor={"id": "editor"})
+    assert "/data/trusted_report/-/edit" not in page.text
+
+
+@pytest.mark.asyncio
+async def test_query_store_api_rejects_magic_parameters():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    ds.add_memory_database("query_magic_api", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        json={"query": {"name": "magic", "sql": "select :_actor_id"}},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["errors"] == ["Magic parameters are not allowed"]
+
+
+@pytest.mark.asyncio
+async def test_create_query_ui_and_arbitrary_sql_save_link():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_create_ui", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    create_response = await ds.client.get(
+        "/data/-/queries/store?sql=select+*+from+dogs",
+        actor={"id": "root"},
+    )
+    write_create_response = await ds.client.get(
+        "/data/-/queries/store?sql=insert+into+dogs+(name)+values+('Cleo')",
+        actor={"id": "root"},
+    )
+    blank_create_response = await ds.client.get(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+    )
+    old_insert_response = await ds.client.get(
+        "/data/-/queries/insert?sql=select+*+from+dogs",
+        actor={"id": "root"},
+    )
+    old_create_response = await ds.client.get(
+        "/data/-/queries/-/create?sql=select+*+from+dogs",
+        actor={"id": "root"},
+    )
+    query_response = await ds.client.get(
+        "/data/-/query?sql=select+*+from+dogs",
+        actor={"id": "root"},
+    )
+
+    assert create_response.status_code == 200
+    assert "Create query" in create_response.text
+    assert 'type="radio"' not in create_response.text
+    assert 'name="parameters"' not in create_response.text
+    assert 'id="query-parameters"' not in create_response.text
+    assert 'class="query-create-field"' in create_response.text
+    assert '<label for="query-name">Name</label>' not in create_response.text
+    assert '<label for="query-title">Title</label>' in create_response.text
+    assert '<label for="query-url-slug">URL</label>' in create_response.text
+    assert '<span class="query-create-url-prefix">/data/</span>' in create_response.text
+    assert (
+        '<input id="query-url-slug" name="name" type="text" value="">'
+        in create_response.text
+    )
+    assert "function slugify(value)" in create_response.text
+    assert 'data-analyze-url="/data/-/queries/analyze"' in create_response.text
+    assert "setupSqlParameterRefresh" in create_response.text
+    assert "renderParameters: false" in create_response.text
+    assert "datasetteSqlAnalysis.renderAnalysis" in create_response.text
+    assert "data-query-create-submit" in create_response.text
+    assert "data-query-create-writable" not in create_response.text
+    assert "data-query-create-sql-type" not in create_response.text
+    assert "data-query-create-analysis-note" in create_response.text
+    assert "SQL type:" not in create_response.text
+    assert (
+        '<span class="query-create-analysis-note" data-query-create-analysis-note aria-live="polite">This is a read-only query.</span>'
+        in create_response.text
+    )
+    assert "disabled> Writable</label>" not in create_response.text
+    assert (
+        "Queries marked private can only be seen by you, their creator."
+        in create_response.text
+    )
+    assert create_response.text.index(
+        "This is a read-only query."
+    ) < create_response.text.index('<input type="hidden" name="is_private" value="0">')
+    assert "<h2>Query operations</h2>" in create_response.text
+    assert '<table class="execute-write-analysis">' in create_response.text
+    assert '<th scope="col">Required permission</th>' in create_response.text
+    assert '<th scope="col">Source</th>' not in create_response.text
+    assert "<td><code>read</code></td>" in create_response.text
+    assert "<td><code>view-table</code></td>" in create_response.text
+    assert (
+        '<td><span class="execute-write-analysis-na">n/a</span></td>'
+        not in create_response.text
+    )
+    assert create_response.text.index(
+        'value="Save query"'
+    ) < create_response.text.index("<h2>Query operations</h2>")
+    assert blank_create_response.status_code == 200
+    assert (
+        '<div class="query-create-analysis" id="query-create-analysis-section" hidden>'
+        in blank_create_response.text
+    )
+    assert "<h2>Query operations</h2>" not in blank_create_response.text
+    assert (
+        "<p>Analysis will show each affected table and required permission.</p>"
+        not in blank_create_response.text
+    )
+    assert "Enter SQL to analyze this query." in blank_create_response.text
+    assert write_create_response.status_code == 200
+    assert (
+        '<span class="query-create-analysis-note" data-query-create-analysis-note aria-live="polite">This query updates data in the database.</span>'
+        in write_create_response.text
+    )
+    assert query_response.status_code == 200
+    assert "Save this query" in query_response.text
+    assert "/data/-/queries/store?sql=select+%2A+from+dogs" in query_response.text
+    assert old_insert_response.status_code == 404
+    assert old_create_response.status_code == 404
+
+
+@pytest.mark.asyncio
+async def test_create_query_analyze_endpoint_uses_sql_only():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_create_analyze", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/queries/analyze",
+        actor={"id": "root"},
+        params={"sql": "select * from dogs where name = :name"},
+    )
+    write_response = await ds.client.get(
+        "/data/-/queries/analyze",
+        actor={"id": "root"},
+        params={"sql": "insert into dogs (name) values (:name)"},
+    )
+    blank_response = await ds.client.get(
+        "/data/-/queries/analyze",
+        actor={"id": "root"},
+        params={"sql": ""},
+    )
+    old_analyze_response = await ds.client.get(
+        "/data/-/queries/-/create/analyze",
+        actor={"id": "root"},
+        params={"sql": "select * from dogs"},
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["ok"] is True
+    assert data["parameters"] == ["name"]
+    assert data["analysis_error"] is None
+    assert data["has_sql"] is True
+    assert data["analysis_is_write"] is False
+    assert data["save_disabled"] is False
+    assert data["analysis_rows"] == [
+        {
+            "operation": "read",
+            "database": "data",
+            "table": "dogs",
+            "required_permission": "view-table",
+            "source": None,
+            "allowed": True,
+        }
+    ]
+
+    assert write_response.status_code == 200
+    write_data = write_response.json()
+    assert write_data["parameters"] == ["name"]
+    assert write_data["has_sql"] is True
+    assert write_data["analysis_is_write"] is True
+    assert write_data["save_disabled"] is False
+    assert write_data["analysis_rows"][0]["operation"] == "insert"
+
+    assert blank_response.status_code == 200
+    blank_data = blank_response.json()
+    assert blank_data["has_sql"] is False
+    assert blank_data["parameters"] == []
+    assert blank_data["analysis_rows"] == []
+    assert blank_data["save_disabled"] is True
+    assert old_analyze_response.status_code == 404
+
+
+@pytest.mark.asyncio
+async def test_create_query_form_error_redisplays_form_with_values():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_create_form_error", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        data={
+            "name": "dogs",
+            "title": "Dog lookup",
+            "description": "Find dogs by name",
+            "sql": "select * from dogs where name = :name",
+            "is_private": "1",
+        },
+    )
+
+    assert response.status_code == 400
+    assert response.headers["content-type"].startswith("text/html")
+    assert "URL conflicts with an existing table or view" in response.text
+    assert "Query name conflicts with a table or view" not in response.text
+    assert '{"ok": false' not in response.text
+    assert 'value="Dog lookup"' in response.text
+    assert 'value="dogs"' in response.text
+    assert ">Find dogs by name</textarea>" in response.text
+    assert "select * from dogs where name = :name" in response.text
+    assert 'name="is_private" value="1" checked' in response.text
+
+    public_response = await ds.client.post(
+        "/data/-/queries/store",
+        actor={"id": "root"},
+        data={
+            "name": "dogs",
+            "title": "Public dog lookup",
+            "description": "Keep this public setting",
+            "sql": "select * from dogs",
+            "is_private": "0",
+        },
+    )
+
+    assert public_response.status_code == 400
+    assert 'name="is_private" value="1" checked' not in public_response.text
+    assert 'name="is_private" value="0"' in public_response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_get_prepopulates_without_executing():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_get", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await db.execute_write("create table cats (id integer primary key, name text)")
+    await db.execute_write("create table log (message text)")
+    await db.execute_write("""
+        create trigger dogs_after_insert after insert on dogs begin
+            update cats set name = new.name where id = new.id;
+            insert into log (message) values (new.name);
+        end
+    """)
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/execute-write?sql=insert+into+dogs+(name)+values+('Cleo')",
+        actor={"id": "root"},
+    )
+
+    assert response.status_code == 200
+    assert response.headers["content-security-policy"] == "frame-ancestors 'none'"
+    assert response.headers["x-frame-options"] == "DENY"
+    assert "Write to this database" in response.text
+    assert (
+        "Execute SQL to insert, update or delete rows in this database."
+        in response.text
+    )
+    assert "<h2>Query operations</h2>" in response.text
+    assert "<summary>Start with a template</summary>" in response.text
+    assert 'data-sql-template="create"' in response.text
+    assert _template_button_sql(response.text, "create") == (
+        EXPECTED_CREATE_TABLE_TEMPLATE_SQL
+    )
+    assert ">Create table</button>" in response.text
+    assert '<label for="execute-write-template-table">or table:</label>' in (
+        response.text
+    )
+    assert '<option value="dogs"' in response.text
+    assert "data-template-insert-sql=" in response.text
+    assert 'data-sql-template="insert"' in response.text
+    assert 'data-sql-template="update"' in response.text
+    assert 'data-sql-template="delete"' in response.text
+    assert 'data-analyze-url="/data/-/execute-write/analyze"' in response.text
+    assert 'data-save-query-base-url="/data/-/queries/store"' in response.text
+    assert "Save this query" in response.text
+    assert (
+        "/data/-/queries/store?sql=insert+into+dogs+%28name%29+values+%28%27Cleo%27%29"
+        in response.text
+    )
+    assert 'addEventListener("paste"' in response.text
+    assert "setupSqlParameterRefresh" in response.text
+    assert "datasetteSqlAnalysis.renderAnalysis" in response.text
+    assert "window.editor.dispatch" in response.text
+    assert "window.history.replaceState" in response.text
+    assert "window.location.href = url.toString();" not in response.text
+    assert "input[data-execute-write-submit]:disabled" in response.text
+    assert (
+        'data-execute-write-disabled-reason aria-live="polite" hidden' in response.text
+    )
+    assert '<table class="execute-write-analysis">' in response.text
+    assert '<th scope="col">Required permission</th>' in response.text
+    assert "<td><code>insert</code></td>" in response.text
+    assert "<td><code>update</code></td>" in response.text
+    assert "<td><code>read</code></td>" in response.text
+    assert "<td><code>view-table</code></td>" in response.text
+    assert 'action="/data/-/execute-write"' in response.text
+    assert "insert into dogs (name) values (&#39;Cleo&#39;)" in response.text
+    assert (await db.execute("select count(*) from dogs")).first()[0] == 0
+
+    empty_response = await ds.client.get(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+    )
+    assert '<p class="sql-editor sql-editor-min-lines">' in empty_response.text
+    assert '<textarea id="sql-editor" name="sql"></textarea>' in empty_response.text
+    assert "min-height: calc(5.6em + 8px);" in empty_response.text
+    assert 'executeWriteSqlInput.value = "\\n\\n\\n";' not in empty_response.text
+    assert "Enter writable SQL before executing." in empty_response.text
+    assert 'data-save-query-base-url="/data/-/queries/store"' in empty_response.text
+    assert '<a href="/data/-/queries/store' not in empty_response.text
+
+    read_only_response = await ds.client.get(
+        "/data/-/execute-write?sql=select+*+from+dogs",
+        actor={"id": "root"},
+    )
+    assert (
+        "Use /-/query for read-only SQL; this endpoint only executes writes"
+        in read_only_response.text
+    )
+    assert (
+        '<input type="submit" value="Execute" data-execute-write-submit '
+        'aria-describedby="execute-write-disabled-reason" disabled>'
+    ) in read_only_response.text
+    assert 'data-save-query-base-url="/data/-/queries/store"' in read_only_response.text
+    assert '<a href="/data/-/queries/store' not in read_only_response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_disabled_submit_explains_denied_operations():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-sql": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                        "store-query": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_denied_submit", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/execute-write?sql=insert+into+dogs+(name)+values+('Cleo')",
+        actor={"id": "writer"},
+    )
+    analysis_response = await ds.client.get(
+        "/data/-/execute-write/analyze",
+        actor={"id": "writer"},
+        params={"sql": "insert into dogs (name) values ('Cleo')"},
+    )
+
+    assert response.status_code == 200
+    assert (
+        '<input type="submit" value="Execute" data-execute-write-submit '
+        'aria-describedby="execute-write-disabled-reason" disabled>'
+    ) in response.text
+    assert (
+        '<span id="execute-write-disabled-reason" '
+        'class="execute-write-disabled-reason" '
+        'data-execute-write-disabled-reason aria-live="polite">'
+        "You do not have permission for every operation listed above.</span>"
+    ) in response.text
+    assert '<span class="execute-write-analysis-denied">no</span>' in response.text
+    assert 'data-save-query-base-url="/data/-/queries/store"' in response.text
+    assert '<a href="/data/-/queries/store' not in response.text
+
+    assert analysis_response.status_code == 200
+    data = analysis_response.json()
+    assert data["execute_disabled"] is True
+    assert data["execute_disabled_reason"] == (
+        "You do not have permission for every operation listed above."
+    )
+
+
+@pytest.mark.asyncio
+async def test_execute_write_templates_are_filtered_by_permission_and_server_generated():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": ["writer", "deleter", "viewer"]},
+                        "execute-write-sql": {"id": ["writer", "deleter", "viewer"]},
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "view-table": {"id": ["writer", "deleter"]},
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": ["writer", "deleter"]},
+                            }
+                        },
+                        "manual": {
+                            "permissions": {
+                                "view-table": {"id": "writer"},
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                            }
+                        },
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_templates", name="data")
+    await db.execute_write(
+        "create table dogs (id integer primary key, name text, age integer)"
+    )
+    await db.execute_write("create table manual (id text primary key, name text)")
+    await db.execute_write("create table cats (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    writer_response = await ds.client.get(
+        "/data/-/execute-write", actor={"id": "writer"}
+    )
+    deleter_response = await ds.client.get(
+        "/data/-/execute-write", actor={"id": "deleter"}
+    )
+    viewer_response = await ds.client.get(
+        "/data/-/execute-write", actor={"id": "viewer"}
+    )
+
+    assert writer_response.status_code == 200
+    assert "<summary>Start with a template</summary>" in writer_response.text
+    assert "You don't currently have permission" not in writer_response.text
+    assert '<option value="dogs"' in writer_response.text
+    assert '<option value="manual"' in writer_response.text
+    assert '<option value="cats"' not in writer_response.text
+    assert 'data-sql-template="create"' not in writer_response.text
+    assert "function insertSql(" not in writer_response.text
+    assert "function updateSql(" not in writer_response.text
+    assert "function deleteSql(" not in writer_response.text
+
+    dogs_insert_sql = _template_sql(writer_response.text, "dogs", "insert")
+    assert '"id"' not in dogs_insert_sql
+    assert '"name"' in dogs_insert_sql
+    assert '"age"' in dogs_insert_sql
+    assert ":name" in dogs_insert_sql
+    assert ":age" in dogs_insert_sql
+
+    dogs_update_sql = _template_sql(writer_response.text, "dogs", "update")
+    assert 'where "id" = :id' in dogs_update_sql
+    assert '"id" = :new_id' not in dogs_update_sql
+
+    manual_insert_sql = _template_sql(writer_response.text, "manual", "insert")
+    assert '"id"' in manual_insert_sql
+    assert ":id" in manual_insert_sql
+
+    assert deleter_response.status_code == 200
+    assert "<summary>Start with a template</summary>" in deleter_response.text
+    assert '<option value="dogs"' in deleter_response.text
+    dogs_attrs = _template_option_attributes(deleter_response.text, "dogs")
+    assert "data-template-delete-sql" in dogs_attrs
+    assert "data-template-insert-sql" not in dogs_attrs
+    assert "data-template-update-sql" not in dogs_attrs
+    assert 'data-sql-template="delete"' in deleter_response.text
+    assert 'data-sql-template="insert"' not in deleter_response.text
+    assert 'data-sql-template="update"' not in deleter_response.text
+    assert 'data-sql-template="create"' not in deleter_response.text
+
+    assert viewer_response.status_code == 200
+    assert "<summary>Start with a template</summary>" not in viewer_response.text
+    assert "There are no tables that you can currently edit." in viewer_response.text
+    assert "data-template-insert-sql" not in viewer_response.text
+    assert "data-template-update-sql" not in viewer_response.text
+    assert "data-template-delete-sql" not in viewer_response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_create_table_template_is_filtered_by_permission():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": ["creator", "editor", "both"]},
+                        "execute-write-sql": {"id": ["creator", "editor", "both"]},
+                        "create-table": {"id": ["creator", "both"]},
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "view-table": {"id": ["editor", "both"]},
+                                "insert-row": {"id": ["editor", "both"]},
+                                "update-row": {"id": ["editor", "both"]},
+                                "delete-row": {"id": ["editor", "both"]},
+                            }
+                        },
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_create_template", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    creator_response = await ds.client.get(
+        "/data/-/execute-write", actor={"id": "creator"}
+    )
+    editor_response = await ds.client.get(
+        "/data/-/execute-write", actor={"id": "editor"}
+    )
+    both_response = await ds.client.get("/data/-/execute-write", actor={"id": "both"})
+
+    assert creator_response.status_code == 200
+    assert "<summary>Start with a template</summary>" in creator_response.text
+    assert _template_button_sql(creator_response.text, "create") == (
+        EXPECTED_CREATE_TABLE_TEMPLATE_SQL
+    )
+    assert "There are no tables that you can currently edit." not in (
+        creator_response.text
+    )
+    assert 'id="execute-write-template-table"' not in creator_response.text
+    assert 'data-sql-template="insert"' not in creator_response.text
+    assert 'data-sql-template="update"' not in creator_response.text
+    assert 'data-sql-template="delete"' not in creator_response.text
+
+    assert editor_response.status_code == 200
+    assert 'data-sql-template="create"' not in editor_response.text
+    assert '<label for="execute-write-template-table">Table</label>' in (
+        editor_response.text
+    )
+    assert 'data-sql-template="insert"' in editor_response.text
+    assert 'data-sql-template="update"' in editor_response.text
+    assert 'data-sql-template="delete"' in editor_response.text
+
+    assert both_response.status_code == 200
+    assert _template_button_sql(both_response.text, "create") == (
+        EXPECTED_CREATE_TABLE_TEMPLATE_SQL
+    )
+    assert '<label for="execute-write-template-table">or table:</label>' in (
+        both_response.text
+    )
+    assert 'data-sql-template="insert"' in both_response.text
+    assert 'data-sql-template="update"' in both_response.text
+    assert 'data-sql-template="delete"' in both_response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_create_table_refreshes_template_tables():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_create_template_refresh", name="data")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={"sql": "create table selectable (id integer primary key, name text)"},
+    )
+
+    assert response.status_code == 200
+    assert "Query executed" in response.text
+    assert '<option value="selectable"' in response.text
+    assert _template_sql(response.text, "selectable", "insert") == (
+        'insert into "selectable" (\n' '  "name"\n' ")\n" "values (\n" "  :name\n" ")"
+    )
+    assert await db.table_exists("selectable")
+
+
+@pytest.mark.asyncio
+async def test_execute_write_analyze_endpoint_uses_sql_only():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_analyze", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/execute-write/analyze",
+        actor={"id": "root"},
+        params={"sql": "insert into dogs (name) values (:name)"},
+    )
+    function_response = await ds.client.get(
+        "/data/-/execute-write/analyze",
+        actor={"id": "root"},
+        params={"sql": "insert into dogs (name) values (upper(:name))"},
+    )
+    read_only_response = await ds.client.get(
+        "/data/-/execute-write/analyze",
+        actor={"id": "root"},
+        params={"sql": "select * from dogs where name = :name"},
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["ok"] is True
+    assert data["parameters"] == ["name"]
+    assert data["analysis_error"] is None
+    assert data["execute_disabled"] is False
+    assert data["execute_disabled_reason"] is None
+    assert data["analysis_rows"] == [
+        {
+            "operation": "insert",
+            "database": "data",
+            "table": "dogs",
+            "required_permission": "insert-row, update-row, delete-row",
+            "source": None,
+            "allowed": True,
+        }
+    ]
+    assert "params" not in data
+
+    assert function_response.status_code == 200
+    function_data = function_response.json()
+    assert function_data["ok"] is True
+    assert function_data["parameters"] == ["name"]
+    assert function_data["execute_disabled"] is False
+    assert function_data["execute_disabled_reason"] is None
+    assert function_data["analysis_rows"] == [
+        {
+            "operation": "insert",
+            "database": "data",
+            "table": "dogs",
+            "required_permission": "insert-row, update-row, delete-row",
+            "source": None,
+            "allowed": True,
+        }
+    ]
+
+    assert read_only_response.status_code == 200
+    read_only_data = read_only_response.json()
+    assert read_only_data["ok"] is False
+    assert read_only_data["parameters"] == ["name"]
+    assert read_only_data["analysis_error"] == (
+        "Use /-/query for read-only SQL; this endpoint only executes writes"
+    )
+    assert read_only_data["execute_disabled"] is True
+    assert read_only_data["execute_disabled_reason"] == (
+        "Use /-/query for read-only SQL; this endpoint only executes writes"
+    )
+
+
+@pytest.mark.asyncio
+async def test_query_parameters_endpoint_uses_get_sql_only():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_parameters", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/query/parameters",
+        actor={"id": "root"},
+        params={
+            "sql": "select * from dogs where name = :name and id = :id",
+        },
+    )
+    permission_denied_response = await ds.client.get(
+        "/data/-/query/parameters",
+        actor={"id": "not-root"},
+        params={"sql": "select * from dogs where name = :name"},
+    )
+    magic_parameter_response = await ds.client.get(
+        "/data/-/query/parameters",
+        actor={"id": "root"},
+        params={"sql": "select :_actor_id"},
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {"ok": True, "parameters": ["name", "id"]}
+    assert permission_denied_response.status_code == 403
+    assert permission_denied_response.json()["errors"] == [
+        "Permission denied: need execute-sql"
+    ]
+    assert magic_parameter_response.status_code == 400
+    assert magic_parameter_response.json()["errors"] == [
+        "Magic parameters are not allowed"
+    ]
+
+
+@pytest.mark.asyncio
+async def test_database_action_menu_links_to_execute_write_for_permitted_actor():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {
+                            "id": ["writer", "viewer"],
+                        },
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("execute_write_menu", name="data")
+    await ds.invoke_startup()
+
+    anonymous_response = await ds.client.get("/data")
+    viewer_response = await ds.client.get("/data", actor={"id": "viewer"})
+    writer_response = await ds.client.get("/data", actor={"id": "writer"})
+
+    assert anonymous_response.status_code == 403
+    assert viewer_response.status_code == 200
+    assert "Execute write SQL" not in viewer_response.text
+    assert writer_response.status_code == 200
+    assert "Database actions" in writer_response.text
+    assert 'href="/data/-/execute-write"' in writer_response.text
+    assert "Execute write SQL" in writer_response.text
+
+
+@pytest.mark.asyncio
+async def test_database_action_menu_hides_execute_write_for_immutable_database():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_menu_immutable", name="data")
+    db.is_mutable = False
+    await ds.invoke_startup()
+
+    response = await ds.client.get("/data", actor={"id": "writer"})
+
+    assert response.status_code == 200
+    assert "Execute write SQL" not in response.text
+    assert 'href="/data/-/execute-write"' not in response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_get_rejects_immutable_database():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_get_immutable", name="data")
+    db.is_mutable = False
+    await ds.invoke_startup()
+
+    response = await ds.client.get(
+        "/data/-/execute-write?sql=insert+into+dogs+(name)+values+('Cleo')",
+        actor={"id": "root"},
+    )
+
+    assert response.status_code == 403
+    assert response.json()["errors"] == [
+        "Cannot execute write SQL because this database is immutable."
+    ]
+
+
+@pytest.mark.asyncio
+async def test_execute_write_post_requires_database_and_table_permissions():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_permissions", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    no_database_permission = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "outsider"},
+        json={
+            "sql": "insert into dogs (name) values (:name)",
+            "params": {"name": "Cleo"},
+        },
+    )
+    no_table_permission = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={
+            "sql": "insert into dogs (name) values (:name)",
+            "params": {"name": "Cleo"},
+        },
+    )
+
+    assert no_database_permission.status_code == 403
+    assert no_database_permission.json()["errors"] == [
+        "Permission denied: need execute-write-sql"
+    ]
+    assert no_table_permission.status_code == 403
+    assert no_table_permission.json()["errors"] == [
+        "Permission denied: need insert-row on data/dogs"
+    ]
+
+    ds.config = {
+        "databases": {
+            "data": {
+                "permissions": {
+                    "view-database": {"id": "writer"},
+                    "execute-write-sql": {"id": "writer"},
+                },
+                "tables": {
+                    "dogs": {
+                        "permissions": {
+                            "insert-row": {"id": "writer"},
+                        }
+                    }
+                },
+            }
+        }
+    }
+    missing_update_permission = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={
+            "sql": "insert into dogs (name) values (:name)",
+            "params": {"name": "Cleo"},
+        },
+    )
+
+    assert missing_update_permission.status_code == 403
+    assert missing_update_permission.json()["errors"] == [
+        "Permission denied: need update-row on data/dogs"
+    ]
+
+    ds.config["databases"]["data"]["tables"]["dogs"]["permissions"]["update-row"] = {
+        "id": "writer"
+    }
+    missing_delete_permission = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={
+            "sql": "insert into dogs (name) values (:name)",
+            "params": {"name": "Cleo"},
+        },
+    )
+
+    assert missing_delete_permission.status_code == 403
+    assert missing_delete_permission.json()["errors"] == [
+        "Permission denied: need delete-row on data/dogs"
+    ]
+
+    ds.config["databases"]["data"]["tables"]["dogs"]["permissions"]["delete-row"] = {
+        "id": "writer"
+    }
+    allowed = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={
+            "sql": "insert into dogs (name) values (:name)",
+            "params": {"name": "Cleo"},
+        },
+    )
+
+    assert allowed.status_code == 200
+    assert allowed.json()["ok"] is True
+    assert allowed.json()["rowcount"] == 1
+    assert allowed.json()["rows"] == []
+    assert allowed.json()["truncated"] is False
+    assert allowed.json()["analysis"][0]["operation"] == "insert"
+    assert (await db.execute("select name from dogs")).first()[0] == "Cleo"
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_json_includes_returning_rows():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_returning_json", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        json={
+            "sql": "insert into dogs (name) values (:name) returning id, name",
+            "params": {"name": "Cleo"},
+        },
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["ok"] is True
+    assert data["message"] == "Query executed, 1 row affected"
+    assert data["rowcount"] == 1
+    assert data["rows"] == [{"id": 1, "name": "Cleo"}]
+    assert data["truncated"] is False
+    assert [row["operation"] for row in data["analysis"]] == ["insert", "read"]
+    assert (await db.execute("select id, name from dogs")).dicts() == [
+        {"id": 1, "name": "Cleo"}
+    ]
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_json_returning_rows_can_be_truncated():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_returning_json_truncated", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    for index in range(1, 12):
+        await db.execute_write(
+            "insert into dogs (name) values (?)", ["Dog {}".format(index)]
+        )
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        json={"sql": "update dogs set name = name || '!' returning id, name"},
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["ok"] is True
+    assert data["message"] == "Query executed"
+    assert data["rowcount"] == -1
+    assert data["rows"] == [
+        {"id": index, "name": "Dog {}!".format(index)} for index in range(1, 11)
+    ]
+    assert data["truncated"] is True
+    assert (await db.execute("select count(*) from dogs where name like '%!'")).first()[
+        0
+    ] == 11
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_html_displays_returning_rows():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_returning_html", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={
+            "sql": "insert into dogs (name) values (:name) returning id, name",
+            "name": "Cleo",
+        },
+    )
+    non_returning_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={"sql": "insert into dogs (name) values ('Pancakes')"},
+    )
+
+    assert response.status_code == 200
+    assert "Query executed, 1 row affected" in response.text
+    assert "<h2>Returned rows</h2>" in response.text
+    assert '<table class="rows-and-columns">' in response.text
+    assert '<th class="col-id" scope="col">id</th>' in response.text
+    assert '<th class="col-name" scope="col">name</th>' in response.text
+    assert '<td class="col-id">1</td>' in response.text
+    assert '<td class="col-name">Cleo</td>' in response.text
+
+    assert non_returning_response.status_code == 200
+    assert "Query executed, 1 row affected" in non_returning_response.text
+    assert "<h2>Returned rows</h2>" not in non_returning_response.text
+    assert '<p class="zero-results">0 results</p>' not in non_returning_response.text
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_execute_write_html_returning_rows_can_be_truncated():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_returning_html_truncated", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    for index in range(1, 12):
+        await db.execute_write(
+            "insert into dogs (name) values (?)", ["Dog {}".format(index)]
+        )
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={"sql": "update dogs set name = name || '!' returning id, name"},
+    )
+
+    assert response.status_code == 200
+    assert "<h2>Returned rows</h2>" in response.text
+    assert "Only the first 10 returned rows are shown." in response.text
+    assert '<td class="col-id">1</td>' in response.text
+    assert '<td class="col-name">Dog 1!</td>' in response.text
+    assert '<td class="col-id">10</td>' in response.text
+    assert '<td class="col-name">Dog 10!</td>' in response.text
+    assert '<td class="col-id">11</td>' not in response.text
+    assert '<td class="col-name">Dog 11!</td>' not in response.text
+
+
+@pytest.mark.parametrize(
+    "database_name, sql",
+    (
+        (
+            "execute_write_insert_or_replace",
+            "insert or replace into users(id, email) values (3, 'b@example.com')",
+        ),
+        (
+            "execute_write_update_or_replace",
+            "update or replace users set email = 'b@example.com' where id = 1",
+        ),
+    ),
+    ids=("insert-or-replace", "update-or-replace"),
+)
+@pytest.mark.asyncio
+async def test_execute_write_replace_requires_delete_row_permission(database_name, sql):
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "users": {
+                            "permissions": {
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "view-table": {"id": "writer"},
+                            }
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database(database_name, name="data")
+    await db.execute_write(
+        "create table users (id integer primary key, email text unique)"
+    )
+    await db.execute_write(
+        "insert into users (id, email) values "
+        "(1, 'a@example.com'), (2, 'b@example.com')"
+    )
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={"sql": sql},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "Permission denied: need delete-row on data/users"
+    ]
+    assert (await db.execute("select id, email from users order by id")).dicts() == [
+        {"id": 1, "email": "a@example.com"},
+        {"id": 2, "email": "b@example.com"},
+    ]
+
+
+@pytest.mark.asyncio
+async def test_execute_write_update_requires_insert_row_permission():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "users": {
+                            "permissions": {
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                                "view-table": {"id": "writer"},
+                            }
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_update_requires_insert", name="data")
+    await db.execute_write("create table users (id integer primary key, name text)")
+    await db.execute_write("insert into users (id, name) values (1, 'Alice')")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={"sql": "update users set name = 'Alicia' where id = 1"},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "Permission denied: need insert-row on data/users"
+    ]
+    assert (await db.execute("select name from users where id = 1")).first()[
+        0
+    ] == "Alice"
+
+
+@pytest.mark.asyncio
+async def test_execute_write_insert_select_requires_view_table_on_source():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "secret": {
+                            "permissions": {"view-table": {"id": "someone-else"}}
+                        },
+                        "public_log": {
+                            "permissions": {
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                            }
+                        },
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_insert_select_source", name="data")
+    await db.execute_write("create table secret (value text)")
+    await db.execute_write("create table public_log (value text)")
+    await db.execute_write("insert into secret values ('sensitive')")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={"sql": "insert into public_log(value) select value from secret"},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "Permission denied: need view-table on data/secret"
+    ]
+    assert (await db.execute("select value from public_log")).dicts() == []
+
+
+@pytest.mark.asyncio
+async def test_execute_write_rejects_sqlite_master_reads():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "secret": {
+                            "permissions": {"view-table": {"id": "someone-else"}}
+                        },
+                        "log": {
+                            "permissions": {
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                            }
+                        },
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_sqlite_master_read", name="data")
+    await db.execute_write("create table secret (value text)")
+    await db.execute_write("create table log (value text)")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={
+            "sql": (
+                "insert into log " "select sql from sqlite_master where name = 'secret'"
+            )
+        },
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "Unsupported SQL operation: read schema"
+    ]
+    assert (await db.execute("select value from log")).dicts() == []
+
+
+@pytest.mark.asyncio
+async def test_execute_write_create_table_as_select_requires_view_table_on_source():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "creator"},
+                        "execute-write-sql": {"id": "creator"},
+                        "create-table": {"id": "creator"},
+                    },
+                    "tables": {
+                        "secret": {
+                            "permissions": {"view-table": {"id": "someone-else"}}
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_create_as_select_source", name="data")
+    await db.execute_write("create table secret (value text)")
+    await db.execute_write("insert into secret values ('sensitive')")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "creator"},
+        json={"sql": "create table copied_secret as select value from secret"},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "Permission denied: need view-table on data/secret"
+    ]
+    assert not await db.table_exists("copied_secret")
+
+
+@pytest.mark.asyncio
+async def test_execute_write_allows_function_operations():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                            }
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("execute_write_function_operation", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={"sql": "insert into dogs (name) values (upper('cleo'))"},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+    assert (await db.execute("select name from dogs")).dicts() == [{"name": "CLEO"}]
+
+
+@pytest.mark.asyncio
+async def test_untrusted_stored_write_query_allows_function_operations():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "view-query": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "insert-row": {"id": "writer"},
+                                "update-row": {"id": "writer"},
+                                "delete-row": {"id": "writer"},
+                            }
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("stored_query_function_operation", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "insert_dog",
+        "insert into dogs (name) values (upper(:name))",
+        is_write=True,
+        is_trusted=False,
+        source="user",
+        owner_id="writer",
+    )
+
+    response = await ds.client.post(
+        "/data/insert_dog?_json=1",
+        actor={"id": "writer"},
+        data={"name": "cleo"},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+    assert (await db.execute("select name from dogs")).dicts() == [{"name": "CLEO"}]
+
+
+@pytest.mark.asyncio
+async def test_execute_write_rejects_vacuum_operation():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("execute_write_vacuum_operation", name="data")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        json={"sql": "vacuum"},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [
+        "VACUUM is not allowed in user-supplied SQL"
+    ]
+
+
+@pytest.mark.asyncio
+async def test_execute_write_form_rejects_vacuum_operation_with_flash_error():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("execute_write_vacuum_operation_form", name="data")
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "writer"},
+        data={"sql": "vacuum"},
+    )
+
+    assert denied_response.status_code == 403
+    assert (
+        '<p class="message-error">VACUUM is not allowed in user-supplied SQL</p>'
+        in denied_response.text
+    )
+    assert denied_response.text.count("VACUUM is not allowed in user-supplied SQL") == 1
+
+
+@pytest.mark.asyncio
+async def test_untrusted_stored_write_query_rejects_vacuum_operation():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "view-query": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("stored_query_vacuum_operation", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "vacuum_db",
+        "vacuum",
+        is_write=True,
+        is_trusted=False,
+        source="user",
+        owner_id="writer",
+    )
+
+    denied_response = await ds.client.post(
+        "/data/vacuum_db?_json=1",
+        actor={"id": "writer"},
+        data={},
+    )
+
+    assert denied_response.status_code == 403
+    assert "VACUUM is not allowed in user-supplied SQL" in denied_response.text
+
+
+@pytest.mark.asyncio
+async def test_untrusted_stored_write_query_rejects_vacuum_operation_with_flash_error():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "view-query": {"id": "writer"},
+                        "execute-write-sql": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("stored_query_vacuum_operation_form", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "vacuum_db",
+        "vacuum",
+        is_write=True,
+        is_trusted=False,
+        source="user",
+        owner_id="writer",
+    )
+
+    denied_response = await ds.client.post(
+        "/data/vacuum_db",
+        actor={"id": "writer"},
+        data={},
+    )
+
+    assert denied_response.status_code == 302
+    assert denied_response.headers["location"] == "/data/vacuum_db"
+    assert ds.unsign(denied_response.cookies["ds_messages"], "messages") == [
+        ["VACUUM is not allowed in user-supplied SQL", ds.ERROR]
+    ]
+
+
+@pytest.mark.asyncio
+async def test_trusted_stored_write_query_skips_vacuum_filtering():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "view-query": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    ds.add_memory_database("trusted_stored_query_vacuum", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "trusted_vacuum",
+        "vacuum",
+        is_write=True,
+        is_trusted=True,
+        source="config",
+    )
+
+    response = await ds.client.post(
+        "/data/trusted_vacuum?_json=1",
+        actor={"id": "writer"},
+        data={},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+
+
+@pytest.mark.parametrize(
+    (
+        "database_name",
+        "setup_sqls",
+        "write_sql",
+        "expected_error",
+        "verification_sql",
+        "expected_count",
+    ),
+    (
+        (
+            "execute_write_virtual_table_control",
+            (
+                "create virtual table docs using fts5(title, body, content='')",
+                "insert into docs(rowid, title, body) values (1, 'hello', 'world')",
+            ),
+            "insert into docs(docs) values('delete-all')",
+            "Writes to virtual tables are not allowed in user-supplied SQL",
+            "select count(*) from docs where docs match 'hello'",
+            1,
+        ),
+        (
+            "execute_write_virtual_table_insert",
+            ("create virtual table docs using fts5(title, body)",),
+            "insert into docs(rowid, title, body) values (1, 'a', 'b')",
+            "Writes to virtual tables are not allowed in user-supplied SQL",
+            "select count(*) from docs",
+            0,
+        ),
+        (
+            "execute_write_shadow_table_insert",
+            ("create virtual table docs using fts5(title, body)",),
+            "insert into docs_config(k, v) values ('x', 1)",
+            "Writes to shadow tables are not allowed in user-supplied SQL",
+            "select count(*) from docs_config",
+            1,
+        ),
+    ),
+    ids=("control-insert", "virtual-table", "shadow-table"),
+)
+@pytest.mark.asyncio
+async def test_execute_write_rejects_virtual_and_shadow_table_writes(
+    database_name,
+    setup_sqls,
+    write_sql,
+    expected_error,
+    verification_sql,
+    expected_count,
+):
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database(database_name, name="data")
+    for setup_sql in setup_sqls:
+        await db.execute_write(setup_sql)
+    await ds.invoke_startup()
+
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        json={"sql": write_sql},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [expected_error]
+    assert (await db.execute(verification_sql)).first()[0] == expected_count
+
+
+@pytest.mark.asyncio
+async def test_untrusted_stored_write_query_rejects_virtual_table_control_insert():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("stored_query_virtual_table_control", name="data")
+    await db.execute_write("""
+        create virtual table docs using fts5(title, body, content='')
+    """)
+    await db.execute_write("""
+        insert into docs(rowid, title, body) values (1, 'hello', 'world')
+    """)
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "delete_all_docs",
+        "insert into docs(docs) values('delete-all')",
+        is_write=True,
+        is_trusted=False,
+        source="user",
+        owner_id="root",
+    )
+
+    denied_response = await ds.client.post(
+        "/data/delete_all_docs?_json=1",
+        actor={"id": "root"},
+        data={},
+    )
+
+    assert denied_response.status_code == 403
+    assert denied_response.json()["message"] == (
+        "Writes to virtual tables are not allowed in user-supplied SQL"
+    )
+    assert (
+        await db.execute("select count(*) from docs where docs match 'hello'")
+    ).first()[0] == 1
+
+
+@pytest.mark.asyncio
+async def test_trusted_stored_write_query_can_write_virtual_table():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": "writer"},
+                        "view-query": {"id": "writer"},
+                    }
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("trusted_stored_query_virtual_table", name="data")
+    await db.execute_write("""
+        create virtual table docs using fts5(title, body, content='')
+    """)
+    await db.execute_write("""
+        insert into docs(rowid, title, body) values (1, 'hello', 'world')
+    """)
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "trusted_delete_all",
+        "insert into docs(docs) values('delete-all')",
+        is_write=True,
+        is_trusted=True,
+        source="config",
+    )
+
+    response = await ds.client.post(
+        "/data/trusted_delete_all?_json=1",
+        actor={"id": "writer"},
+        data={},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+    assert (
+        await db.execute("select count(*) from docs where docs match 'hello'")
+    ).first()[0] == 0
+
+
+@pytest.mark.asyncio
+async def test_execute_write_create_table_uses_create_table_permission():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "permissions": {
+                "insert-row": {"id": "row-writer"},
+                "update-row": {"id": "row-writer"},
+            },
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": ["creator", "row-writer"]},
+                        "execute-write-sql": {"id": ["creator", "row-writer"]},
+                        "create-table": {"id": "creator"},
+                    }
+                }
+            },
+        },
+    )
+    db = ds.add_memory_database("execute_write_create_table", name="data")
+    await ds.invoke_startup()
+
+    analysis_response = await ds.client.get(
+        "/data/-/execute-write/analyze",
+        actor={"id": "creator"},
+        params={"sql": "create table foobar (id integer primary key, name text)"},
+    )
+    allowed_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "creator"},
+        json={"sql": "create table foobar (id integer primary key, name text)"},
+    )
+    row_permission_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "row-writer"},
+        json={"sql": "create table should_not_exist (id integer primary key)"},
+    )
+
+    assert analysis_response.status_code == 200
+    analysis_data = analysis_response.json()
+    assert analysis_data["ok"] is True
+    assert analysis_data["execute_disabled"] is False
+    assert analysis_data["analysis_rows"] == [
+        {
+            "operation": "create",
+            "database": "data",
+            "table": "foobar",
+            "required_permission": "create-table",
+            "source": None,
+            "allowed": True,
+        }
+    ]
+
+    assert allowed_response.status_code == 200
+    assert allowed_response.json()["ok"] is True
+    assert allowed_response.json()["message"] == "Query executed"
+    assert await db.table_exists("foobar")
+
+    assert row_permission_response.status_code == 403
+    assert row_permission_response.json()["errors"] == [
+        "Permission denied: need create-table on data"
+    ]
+    assert not await db.table_exists("should_not_exist")
+
+
+@pytest.mark.parametrize(
+    (
+        "database_name",
+        "allowed_actor",
+        "allowed_sql",
+        "denied_sql",
+        "expected_error",
+        "setup_sqls",
+        "expected_state",
+    ),
+    (
+        (
+            "execute_write_alter_table",
+            "alterer",
+            "alter table dogs add column age integer",
+            "alter table cats add column age integer",
+            "Permission denied: need alter-table on data/cats",
+            (),
+            "alter-table",
+        ),
+        (
+            "execute_write_create_index",
+            "alterer",
+            "create index idx_dogs_name on dogs(name)",
+            "create index idx_cats_name on cats(name)",
+            "Permission denied: need alter-table on data/cats",
+            (),
+            "create-index",
+        ),
+        (
+            "execute_write_drop_index",
+            "alterer",
+            "drop index idx_dogs_name",
+            "drop index idx_cats_name",
+            "Permission denied: need alter-table on data/cats",
+            (
+                "create index idx_dogs_name on dogs(name)",
+                "create index idx_cats_name on cats(name)",
+            ),
+            "drop-index",
+        ),
+        (
+            "execute_write_drop_table",
+            "dropper",
+            "drop table dogs",
+            "drop table cats",
+            "Permission denied: need drop-table on data/cats",
+            (),
+            "drop-table",
+        ),
+    ),
+    ids=("alter-table", "create-index", "drop-index", "drop-table"),
+)
+@pytest.mark.asyncio
+async def test_execute_write_schema_operations_use_schema_permissions(
+    database_name,
+    allowed_actor,
+    allowed_sql,
+    denied_sql,
+    expected_error,
+    setup_sqls,
+    expected_state,
+):
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "permissions": {
+                "delete-row": {"id": "row-writer"},
+                "update-row": {"id": "row-writer"},
+            },
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": ["alterer", "dropper", "row-writer"]},
+                        "execute-write-sql": {
+                            "id": ["alterer", "dropper", "row-writer"]
+                        },
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "alter-table": {"id": "alterer"},
+                                "drop-table": {"id": "dropper"},
+                                "view-table": {"id": "alterer"},
+                            }
+                        }
+                    },
+                }
+            },
+        },
+    )
+    db = ds.add_memory_database(database_name, name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await db.execute_write("create table cats (id integer primary key, name text)")
+    for setup_sql in setup_sqls:
+        await db.execute_write(setup_sql)
+    await ds.invoke_startup()
+
+    async def index_exists(index_name):
+        row = (
+            await db.execute(
+                "select 1 from sqlite_master where type = 'index' and name = ?",
+                [index_name],
+            )
+        ).first()
+        return row is not None
+
+    allowed_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": allowed_actor},
+        json={"sql": allowed_sql},
+    )
+    denied_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "row-writer"},
+        json={"sql": denied_sql},
+    )
+
+    assert allowed_response.status_code == 200
+    assert denied_response.status_code == 403
+    assert denied_response.json()["errors"] == [expected_error]
+
+    if expected_state == "alter-table":
+        assert "age" in [
+            column.name for column in await db.table_column_details("dogs")
+        ]
+        assert "age" not in [
+            column.name for column in await db.table_column_details("cats")
+        ]
+    elif expected_state == "create-index":
+        assert await index_exists("idx_dogs_name")
+        assert not await index_exists("idx_cats_name")
+    elif expected_state == "drop-index":
+        assert not await index_exists("idx_dogs_name")
+        assert await index_exists("idx_cats_name")
+    elif expected_state == "drop-table":
+        assert not await db.table_exists("dogs")
+        assert await db.table_exists("cats")
+
+
+@pytest.mark.asyncio
+async def test_execute_write_insert_links_to_inserted_row():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_insert_link", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await db.execute_write("create table log (id integer primary key, message text)")
+    await db.execute_write("insert into log (message) values ('existing')")
+    await db.execute_write("""
+        create trigger dogs_after_insert after insert on dogs begin
+            insert into log (message) values (new.name);
+        end
+    """)
+    await ds.invoke_startup()
+
+    insert_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={
+            "sql": "insert into dogs (name) values (:name)",
+            "name": "Cleo",
+        },
+    )
+    update_response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        data={
+            "sql": "update dogs set name = :name where id = :id",
+            "name": "Cleo 2",
+            "id": "1",
+        },
+    )
+
+    assert insert_response.status_code == 200
+    assert "Query executed, 1 row affected" in insert_response.text
+    assert '<a href="/data/dogs/1">View row</a>' in insert_response.text
+    assert "/data/log/2" not in insert_response.text
+    assert update_response.status_code == 200
+    assert "Query executed, 1 row affected" in update_response.text
+    assert "View row" not in update_response.text
+
+
+@pytest.mark.asyncio
+async def test_execute_write_post_rejects_read_only_sql():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("execute_write_read_only", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+
+    response = await ds.client.post(
+        "/data/-/execute-write",
+        actor={"id": "root"},
+        json={"sql": "select * from dogs"},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["errors"] == [
+        "Use /-/query for read-only SQL; this endpoint only executes writes"
+    ]
+
+
+@pytest.mark.parametrize("action", ("view-query", "update-query", "delete-query"))
+@pytest.mark.asyncio
+async def test_query_owner_gets_update_delete_and_writable_view_defaults(action):
+    ds = Datasette(memory=True, default_deny=True)
+    ds.add_memory_database("query_owner_defaults", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "insert_dog",
+        "insert into dogs (name) values (:name)",
+        is_write=True,
+        source="user",
+        owner_id="alice",
+    )
+
+    assert await ds.allowed(
+        action=action,
+        resource=QueryResource("data", "insert_dog"),
+        actor={"id": "alice"},
+    )
+    assert not await ds.allowed(
+        action=action,
+        resource=QueryResource("data", "insert_dog"),
+        actor={"id": "bob"},
+    )
+
+
+@pytest.mark.parametrize(
+    "action, path_suffix, request_json, expected_public_title",
+    (
+        (
+            "update-query",
+            "-/update",
+            {"update": {"title": "Bob can edit public queries"}},
+            "Bob can edit public queries",
+        ),
+        ("delete-query", "-/delete", {}, None),
+    ),
+    ids=("update-query", "delete-query"),
+)
+@pytest.mark.asyncio
+async def test_private_query_restricts_broad_update_delete_permissions(
+    action, path_suffix, request_json, expected_public_title
+):
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "update-query": {"id": "bob"},
+                        "delete-query": {"id": "bob"},
+                    },
+                },
+            },
+        },
+    )
+    ds.add_memory_database("query_broad_update_delete", name="data")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "alice_private",
+        "select 1",
+        is_private=True,
+        source="user",
+        owner_id="alice",
+    )
+    await ds.add_query(
+        "data",
+        "alice_public",
+        "select 2",
+        is_private=False,
+        source="user",
+        owner_id="alice",
+    )
+
+    assert await ds.allowed(
+        action=action,
+        resource=QueryResource("data", "alice_private"),
+        actor={"id": "alice"},
+    )
+    assert not await ds.allowed(
+        action=action,
+        resource=QueryResource("data", "alice_private"),
+        actor={"id": "bob"},
+    )
+    assert await ds.allowed(
+        action=action,
+        resource=QueryResource("data", "alice_public"),
+        actor={"id": "bob"},
+    )
+
+    private_response = await ds.client.post(
+        "/data/alice_private/{}".format(path_suffix),
+        actor={"id": "bob"},
+        json=request_json,
+    )
+    public_response = await ds.client.post(
+        "/data/alice_public/{}".format(path_suffix),
+        actor={"id": "bob"},
+        json=request_json,
+    )
+
+    assert private_response.status_code == 403
+    assert public_response.status_code == 200
+    assert await ds.get_query("data", "alice_private") is not None
+    public_query = await ds.get_query("data", "alice_public")
+    if expected_public_title is None:
+        assert public_query is None
+    else:
+        assert public_query.title == expected_public_title
+
+
+@pytest.mark.asyncio
+async def test_user_writable_query_execution_rechecks_table_permissions():
+    ds = Datasette(
+        memory=True,
+        default_deny=True,
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "view-database": {"id": ["alice", "bob"]},
+                        "execute-write-sql": {"id": ["alice", "bob"]},
+                    },
+                    "tables": {
+                        "dogs": {
+                            "permissions": {
+                                "insert-row": {"id": "alice"},
+                                "update-row": {"id": "alice"},
+                                "delete-row": {"id": "alice"},
+                            }
+                        }
+                    },
+                }
+            }
+        },
+    )
+    db = ds.add_memory_database("query_write_execution", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "insert_dog",
+        "insert into dogs (name) values (:name)",
+        is_write=True,
+        source="user",
+        owner_id="alice",
+    )
+    await ds.add_query(
+        "data",
+        "insert_cat",
+        "insert into dogs (name) values (:name)",
+        is_write=True,
+        source="user",
+        owner_id="bob",
+    )
+
+    allowed_response = await ds.client.post(
+        "/data/insert_dog?_json=1",
+        actor={"id": "alice"},
+        data={"name": "Cleo"},
+    )
+    denied_response = await ds.client.post(
+        "/data/insert_cat?_json=1",
+        actor={"id": "bob"},
+        data={"name": "Milo"},
+    )
+
+    assert allowed_response.status_code == 200
+    assert allowed_response.json()["ok"] is True
+    assert denied_response.status_code == 403
+    rows = (await db.execute("select name from dogs")).dicts()
+    assert rows == [{"name": "Cleo"}]
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_stored_write_query_with_returning():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_write_returning", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "insert_dog",
+        "insert into dogs (name) values (:name) returning id, name",
+        is_write=True,
+        source="user",
+        owner_id="root",
+    )
+
+    response = await ds.client.post(
+        "/data/insert_dog?_json=1",
+        actor={"id": "root"},
+        data={"name": "Cleo"},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+    assert (await db.execute("select id, name from dogs")).dicts() == [
+        {"id": 1, "name": "Cleo"}
+    ]
+
+
+@pytest.mark.asyncio
+@requires_sqlite_returning
+async def test_stored_write_query_with_truncated_returning_message():
+    ds = Datasette(memory=True, default_deny=True)
+    ds.root_enabled = True
+    db = ds.add_memory_database("query_write_truncated_returning", name="data")
+    await db.execute_write("create table dogs (id integer primary key, name text)")
+    await db.execute_write_many(
+        "insert into dogs (name) values (?)",
+        [("Cleo",) for _ in range(20)],
+    )
+    await ds.invoke_startup()
+    await ds.add_query(
+        "data",
+        "update_dogs",
+        "update dogs set name = name returning id",
+        is_write=True,
+        source="user",
+        owner_id="root",
+    )
+
+    response = await ds.client.post(
+        "/data/update_dogs?_json=1",
+        actor={"id": "root"},
+        data={},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["ok"] is True
+    assert response.json()["message"] == "Query executed"
diff --git a/tests/test_schema_endpoints.py b/tests/test_schema_endpoints.py
index 50742df2..c95d8614 100644
--- a/tests/test_schema_endpoints.py
+++ b/tests/test_schema_endpoints.py
@@ -151,7 +151,7 @@ async def test_schema_permission_enforcement(schema_ds, url):
     # Authenticated user with permission should succeed
     response = await schema_ds.client.get(
         url,
-        cookies={"ds_actor": schema_ds.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
 
@@ -171,7 +171,7 @@ async def test_instance_schema_respects_database_permissions(schema_ds):
     # Authenticated user should see all databases
     response = await schema_ds.client.get(
         "/-/schema.json",
-        cookies={"ds_actor": schema_ds.client.actor_cookie({"id": "root"})},
+        actor={"id": "root"},
     )
     assert response.status_code == 200
     data = response.json()
diff --git a/tests/test_search_tables.py b/tests/test_search_tables.py
index 34b37706..ce774327 100644
--- a/tests/test_search_tables.py
+++ b/tests/test_search_tables.py
@@ -33,7 +33,7 @@ async def ds_with_tables():
     await ds.invoke_startup()
 
     # Add content database with some tables
-    content_db = ds.add_memory_database("content")
+    content_db = ds.add_memory_database("search_tables_content", name="content")
     await content_db.execute_write(
         "CREATE TABLE IF NOT EXISTS articles (id INTEGER PRIMARY KEY, title TEXT)"
     )
@@ -45,27 +45,28 @@ async def ds_with_tables():
     )
 
     # Add private database with a table
-    private_db = ds.add_memory_database("private")
+    private_db = ds.add_memory_database("search_tables_private", name="private")
     await private_db.execute_write(
         "CREATE TABLE IF NOT EXISTS secrets (id INTEGER PRIMARY KEY, data TEXT)"
     )
 
     # Add another public database
-    public_db = ds.add_memory_database("public")
+    public_db = ds.add_memory_database("search_tables_public", name="public")
     await public_db.execute_write(
         "CREATE TABLE IF NOT EXISTS articles (id INTEGER PRIMARY KEY, content TEXT)"
     )
+    await ds._refresh_schemas()
 
     return ds
 
 
-# /-/tables.json tests
+# /-/jump.json table search tests
 @pytest.mark.asyncio
 async def test_tables_basic_search(ds_with_tables):
     """Test basic table search functionality."""
     # Search for "articles" - should find it in both content and public databases
     # but only return public.articles for anonymous user (content.articles requires auth)
-    response = await ds_with_tables.client.get("/-/tables.json?q=articles")
+    response = await ds_with_tables.client.get("/-/jump.json?q=articles")
     assert response.status_code == 200
     data = response.json()
 
@@ -85,8 +86,8 @@ async def test_tables_search_with_auth(ds_with_tables):
     """Test that authenticated users see more tables."""
     # Editor user should see content.articles
     response = await ds_with_tables.client.get(
-        "/-/tables.json?q=articles",
-        cookies={"ds_actor": ds_with_tables.client.actor_cookie({"id": "editor"})},
+        "/-/jump.json?q=articles",
+        actor={"id": "editor"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -103,8 +104,8 @@ async def test_tables_search_partial_match(ds_with_tables):
     """Test that search matches partial table names."""
     # Search for "com" should match "comments"
     response = await ds_with_tables.client.get(
-        "/-/tables.json?q=com",
-        cookies={"ds_actor": ds_with_tables.client.actor_cookie({"id": "user"})},
+        "/-/jump.json?q=com",
+        actor={"id": "user"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -119,8 +120,8 @@ async def test_tables_search_respects_database_permissions(ds_with_tables):
     # Search for "secrets" which is in the private database
     # Even authenticated users shouldn't see it because database is denied
     response = await ds_with_tables.client.get(
-        "/-/tables.json?q=secrets",
-        cookies={"ds_actor": ds_with_tables.client.actor_cookie({"id": "user"})},
+        "/-/jump.json?q=secrets",
+        actor={"id": "user"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -134,8 +135,8 @@ async def test_tables_search_respects_table_permissions(ds_with_tables):
     """Test that tables with specific permissions are filtered correctly."""
     # Regular authenticated user searching for "users"
     response = await ds_with_tables.client.get(
-        "/-/tables.json?q=users",
-        cookies={"ds_actor": ds_with_tables.client.actor_cookie({"id": "regular"})},
+        "/-/jump.json?q=users",
+        actor={"id": "regular"},
     )
     assert response.status_code == 200
     data = response.json()
@@ -149,8 +150,8 @@ async def test_tables_search_respects_table_permissions(ds_with_tables):
 async def test_tables_search_response_structure(ds_with_tables):
     """Test that response has correct structure."""
     response = await ds_with_tables.client.get(
-        "/-/tables.json?q=users",
-        cookies={"ds_actor": ds_with_tables.client.actor_cookie({"id": "user"})},
+        "/-/jump.json?q=users",
+        actor={"id": "user"},
     )
     assert response.status_code == 200
     data = response.json()
diff --git a/tests/test_canned_queries.py b/tests/test_stored_queries.py
similarity index 68%
rename from tests/test_canned_queries.py
rename to tests/test_stored_queries.py
index ed6202a4..46420749 100644
--- a/tests/test_canned_queries.py
+++ b/tests/test_stored_queries.py
@@ -1,13 +1,19 @@
 from bs4 import BeautifulSoup as Soup
+from asgiref.sync import async_to_sync
 import json
 import pytest
 import re
 from .fixtures import make_app_client
 
 
+def update_query(client, name, **kwargs):
+    async_to_sync(client.ds.invoke_startup)()
+    async_to_sync(client.ds.update_query)("data", name, **kwargs)
+
+
 @pytest.fixture
-def canned_write_client(tmpdir):
-    template_dir = tmpdir / "canned_write_templates"
+def stored_write_client(tmpdir):
+    template_dir = tmpdir / "stored_write_templates"
     template_dir.mkdir()
     (template_dir / "query-data-update_name.html").write_text(
         """
@@ -23,7 +29,7 @@ def canned_write_client(tmpdir):
             "databases": {
                 "data": {
                     "queries": {
-                        "canned_read": {"sql": "select * from names"},
+                        "stored_read": {"sql": "select * from names"},
                         "add_name": {
                             "sql": "insert into names (name) values (:name)",
                             "write": True,
@@ -60,7 +66,7 @@ def canned_write_client(tmpdir):
 
 
 @pytest.fixture
-def canned_write_immutable_client():
+def stored_write_immutable_client():
     with make_app_client(
         is_immutable=True,
         config={
@@ -80,7 +86,7 @@ def canned_write_immutable_client():
 
 
 @pytest.mark.asyncio
-async def test_canned_query_with_named_parameter(ds_client):
+async def test_stored_query_with_named_parameter(ds_client):
     response = await ds_client.get(
         "/fixtures/neighborhood_search.json?text=town&_shape=arrays"
     )
@@ -94,14 +100,14 @@ async def test_canned_query_with_named_parameter(ds_client):
     ]
 
 
-def test_insert(canned_write_client):
-    response = canned_write_client.post(
+def test_insert(stored_write_client):
+    response = stored_write_client.post(
         "/data/add_name",
         {"name": "Hello"},
         csrftoken_from=True,
         cookies={"foo": "bar"},
     )
-    messages = canned_write_client.ds.unsign(
+    messages = stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
     assert messages == [["Query executed, 1 row affected", 1]]
@@ -109,103 +115,82 @@ def test_insert(canned_write_client):
     assert response.headers["Location"] == "/data/add_name?success"
 
 
-@pytest.mark.parametrize(
-    "query_name,expect_csrf_hidden_field",
-    [
-        ("canned_read", False),
-        ("add_name_specify_id", True),
-        ("add_name", True),
-    ],
-)
-def test_canned_query_form_csrf_hidden_field(
-    canned_write_client, query_name, expect_csrf_hidden_field
-):
-    response = canned_write_client.get(f"/data/{query_name}")
-    html = response.text
-    fragment = '<input type="hidden" name="csrftoken" value="'
-    if expect_csrf_hidden_field:
-        assert fragment in html
-    else:
-        assert fragment not in html
-
-
-def test_insert_with_cookies_requires_csrf(canned_write_client):
-    response = canned_write_client.post(
+def test_insert_blocked_cross_site(stored_write_client):
+    # A cross-site POST (browser-originated) must be blocked
+    response = stored_write_client.post(
         "/data/add_name",
         {"name": "Hello"},
-        cookies={"foo": "bar"},
+        headers={"sec-fetch-site": "cross-site"},
     )
     assert 403 == response.status
 
 
-def test_insert_no_cookies_no_csrf(canned_write_client):
-    response = canned_write_client.post("/data/add_name", {"name": "Hello"})
+def test_insert_no_cookies_no_csrf(stored_write_client):
+    response = stored_write_client.post("/data/add_name", {"name": "Hello"})
     assert 302 == response.status
     assert "/data/add_name?success" == response.headers["Location"]
 
 
-def test_custom_success_message(canned_write_client):
-    response = canned_write_client.post(
+def test_custom_success_message(stored_write_client):
+    response = stored_write_client.post(
         "/data/delete_name",
         {"rowid": 1},
-        cookies={"ds_actor": canned_write_client.actor_cookie({"id": "root"})},
+        cookies={"ds_actor": stored_write_client.actor_cookie({"id": "root"})},
         csrftoken_from=True,
     )
     assert 302 == response.status
-    messages = canned_write_client.ds.unsign(
+    messages = stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
     assert [["Name deleted", 1]] == messages
 
 
-def test_insert_error(canned_write_client):
-    canned_write_client.post("/data/add_name", {"name": "Hello"}, csrftoken_from=True)
-    response = canned_write_client.post(
+def test_insert_error(stored_write_client):
+    stored_write_client.post("/data/add_name", {"name": "Hello"}, csrftoken_from=True)
+    response = stored_write_client.post(
         "/data/add_name_specify_id",
         {"rowid": 1, "name": "Should fail"},
         csrftoken_from=True,
     )
     assert 302 == response.status
     assert "/data/add_name_specify_id?error" == response.headers["Location"]
-    messages = canned_write_client.ds.unsign(
+    messages = stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
     assert [["UNIQUE constraint failed: names.rowid", 3]] == messages
     # How about with a custom error message?
-    canned_write_client.ds.config["databases"]["data"]["queries"][
-        "add_name_specify_id"
-    ]["on_error_message"] = "ERROR"
-    response = canned_write_client.post(
+    update_query(stored_write_client, "add_name_specify_id", on_error_message="ERROR")
+    response = stored_write_client.post(
         "/data/add_name_specify_id",
         {"rowid": 1, "name": "Should fail"},
         csrftoken_from=True,
     )
-    assert [["ERROR", 3]] == canned_write_client.ds.unsign(
+    assert [["ERROR", 3]] == stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
 
 
-def test_on_success_message_sql(canned_write_client):
-    response = canned_write_client.post(
+def test_on_success_message_sql(stored_write_client):
+    response = stored_write_client.post(
         "/data/add_name_specify_id",
         {"rowid": 5, "name": "Should be OK"},
         csrftoken_from=True,
     )
     assert response.status == 302
     assert response.headers["Location"] == "/data/add_name_specify_id"
-    messages = canned_write_client.ds.unsign(
+    messages = stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
     assert messages == [["Name added: Should be OK with rowid 5", 1]]
 
 
-def test_error_in_on_success_message_sql(canned_write_client):
-    response = canned_write_client.post(
+def test_error_in_on_success_message_sql(stored_write_client):
+    response = stored_write_client.post(
         "/data/add_name_specify_id_with_error_in_on_success_message_sql",
         {"rowid": 1, "name": "Should fail"},
         csrftoken_from=True,
     )
-    messages = canned_write_client.ds.unsign(
+    messages = stored_write_client.ds.unsign(
         response.cookies["ds_messages"], "messages"
     )
     assert messages == [
@@ -213,25 +198,29 @@ def test_error_in_on_success_message_sql(canned_write_client):
     ]
 
 
-def test_custom_params(canned_write_client):
-    response = canned_write_client.get("/data/update_name?extra=foo")
-    assert '<input type="text" id="qp3" name="extra" value="foo">' in response.text
+def test_custom_params(stored_write_client):
+    response = stored_write_client.get("/data/update_name?extra=foo")
+    assert (
+        '<input type="text" id="qp3" name="extra" value="foo" data-parameter-control data-parameter-name="extra">'
+        in response.text
+    )
 
 
-def test_vary_header(canned_write_client):
-    # These forms embed a csrftoken so they should be served with Vary: Cookie
-    assert "vary" not in canned_write_client.get("/data").headers
-    assert "Cookie" == canned_write_client.get("/data/update_name").headers["vary"]
+def test_stored_query_pages_no_vary_header(stored_write_client):
+    # These pages no longer embed per-cookie CSRF tokens, so they must not
+    # set Vary: Cookie - they should be cacheable across users.
+    assert "vary" not in stored_write_client.get("/data").headers
+    assert "vary" not in stored_write_client.get("/data/update_name").headers
 
 
-def test_json_post_body(canned_write_client):
-    response = canned_write_client.post(
+def test_json_post_body(stored_write_client):
+    response = stored_write_client.post(
         "/data/add_name",
         body=json.dumps({"name": ["Hello", "there"]}),
     )
     assert 302 == response.status
     assert "/data/add_name?success" == response.headers["Location"]
-    rows = canned_write_client.get("/data/names.json?_shape=array").json
+    rows = stored_write_client.get("/data/names.json?_shape=array").json
     assert rows == [{"rowid": 1, "name": "['Hello', 'there']"}]
 
 
@@ -244,8 +233,8 @@ def test_json_post_body(canned_write_client):
         (None, '{"name": "NameGoesHere", "_json": 1}', None),
     ),
 )
-def test_json_response(canned_write_client, headers, body, querystring):
-    response = canned_write_client.post(
+def test_json_response(stored_write_client, headers, body, querystring):
+    response = stored_write_client.post(
         "/data/add_name" + (querystring or ""),
         body=body,
         headers=headers,
@@ -257,29 +246,27 @@ def test_json_response(canned_write_client, headers, body, querystring):
         "message": "Query executed, 1 row affected",
         "redirect": "/data/add_name?success",
     }
-    rows = canned_write_client.get("/data/names.json?_shape=array").json
+    rows = stored_write_client.get("/data/names.json?_shape=array").json
     assert rows == [{"rowid": 1, "name": "NameGoesHere"}]
 
 
-def test_canned_query_permissions_on_database_page(canned_write_client):
-    # Without auth only shows three queries
-    query_names = {
-        q["name"] for q in canned_write_client.get("/data.json").json["queries"]
-    }
+def test_stored_query_permissions_on_database_page(stored_write_client):
+    # Without auth shows the five public queries
+    anon_response = stored_write_client.get("/data.json")
+    query_names = {q["name"] for q in anon_response.json["queries"]}
     assert query_names == {
         "add_name_specify_id_with_error_in_on_success_message_sql",
-        "from_hook",
         "update_name",
         "add_name_specify_id",
-        "from_async_hook",
-        "canned_read",
+        "stored_read",
         "add_name",
     }
+    assert anon_response.json["queries_more"] is False
 
-    # With auth shows four
-    response = canned_write_client.get(
+    # With auth the database page preview shows the first five queries
+    response = stored_write_client.get(
         "/data.json",
-        cookies={"ds_actor": canned_write_client.actor_cookie({"id": "root"})},
+        cookies={"ds_actor": stored_write_client.actor_cookie({"id": "root"})},
     )
     assert response.status == 200
     query_names_and_private = sorted(
@@ -296,20 +283,43 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
             "name": "add_name_specify_id_with_error_in_on_success_message_sql",
             "private": False,
         },
-        {"name": "canned_read", "private": False},
         {"name": "delete_name", "private": True},
-        {"name": "from_async_hook", "private": False},
-        {"name": "from_hook", "private": False},
+        {"name": "stored_read", "private": False},
+    ]
+    assert response.json["queries_more"] is True
+
+    # The full query list endpoint includes the remaining query
+    response = stored_write_client.get(
+        "/data/-/queries.json?_size=10",
+        cookies={"ds_actor": stored_write_client.actor_cookie({"id": "root"})},
+    )
+    assert response.status == 200
+    query_names_and_private = sorted(
+        [
+            {"name": q["name"], "private": q["private"]}
+            for q in response.json["queries"]
+        ],
+        key=lambda q: q["name"],
+    )
+    assert query_names_and_private == [
+        {"name": "add_name", "private": False},
+        {"name": "add_name_specify_id", "private": False},
+        {
+            "name": "add_name_specify_id_with_error_in_on_success_message_sql",
+            "private": False,
+        },
+        {"name": "delete_name", "private": True},
+        {"name": "stored_read", "private": False},
         {"name": "update_name", "private": False},
     ]
 
 
-def test_canned_query_permissions(canned_write_client):
-    assert 403 == canned_write_client.get("/data/delete_name").status
-    assert 200 == canned_write_client.get("/data/update_name").status
-    cookies = {"ds_actor": canned_write_client.actor_cookie({"id": "root"})}
-    assert 200 == canned_write_client.get("/data/delete_name", cookies=cookies).status
-    assert 200 == canned_write_client.get("/data/update_name", cookies=cookies).status
+def test_stored_query_permissions(stored_write_client):
+    assert 403 == stored_write_client.get("/data/delete_name").status
+    assert 200 == stored_write_client.get("/data/update_name").status
+    cookies = {"ds_actor": stored_write_client.actor_cookie({"id": "root"})}
+    assert 200 == stored_write_client.get("/data/delete_name", cookies=cookies).status
+    assert 200 == stored_write_client.get("/data/update_name", cookies=cookies).status
 
 
 @pytest.fixture(scope="session")
@@ -345,12 +355,16 @@ def magic_parameters_client():
     ],
 )
 def test_magic_parameters(magic_parameters_client, magic_parameter, expected_re):
-    magic_parameters_client.ds.config["databases"]["data"]["queries"]["runme_post"][
-        "sql"
-    ] = f"insert into logs (line) values (:{magic_parameter})"
-    magic_parameters_client.ds.config["databases"]["data"]["queries"]["runme_get"][
-        "sql"
-    ] = f"select :{magic_parameter} as result"
+    update_query(
+        magic_parameters_client,
+        "runme_post",
+        sql=f"insert into logs (line) values (:{magic_parameter})",
+    )
+    update_query(
+        magic_parameters_client,
+        "runme_get",
+        sql=f"select :{magic_parameter} as result",
+    )
     cookies = {
         "ds_actor": magic_parameters_client.actor_cookie({"id": "root"}),
         "foo": "bar",
@@ -384,9 +398,11 @@ def test_magic_parameters(magic_parameters_client, magic_parameter, expected_re)
 @pytest.mark.parametrize("use_csrf", [True, False])
 @pytest.mark.parametrize("return_json", [True, False])
 def test_magic_parameters_csrf_json(magic_parameters_client, use_csrf, return_json):
-    magic_parameters_client.ds.config["databases"]["data"]["queries"]["runme_post"][
-        "sql"
-    ] = "insert into logs (line) values (:_header_host)"
+    update_query(
+        magic_parameters_client,
+        "runme_post",
+        sql="insert into logs (line) values (:_header_host)",
+    )
     qs = ""
     if return_json:
         qs = "?_json=1"
@@ -418,8 +434,8 @@ def test_magic_parameters_cannot_be_used_in_arbitrary_queries(magic_parameters_c
     assert response.json["error"].startswith("You did not supply a value for binding")
 
 
-def test_canned_write_custom_template(canned_write_client):
-    response = canned_write_client.get("/data/update_name")
+def test_stored_write_custom_template(stored_write_client):
+    response = stored_write_client.get("/data/update_name")
     assert response.status == 200
     assert "!!!CUSTOM_UPDATE_NAME_TEMPLATE!!!" in response.text
     assert (
@@ -437,10 +453,10 @@ def test_canned_write_custom_template(canned_write_client):
     )
 
 
-def test_canned_write_query_disabled_for_immutable_database(
-    canned_write_immutable_client,
+def test_stored_write_query_disabled_for_immutable_database(
+    stored_write_immutable_client,
 ):
-    response = canned_write_immutable_client.get("/fixtures/add")
+    response = stored_write_immutable_client.get("/fixtures/add")
     assert response.status == 200
     assert (
         "This query cannot be executed because the database is immutable."
@@ -448,7 +464,7 @@ def test_canned_write_query_disabled_for_immutable_database(
     )
     assert '<input type="submit" value="Run SQL" disabled>' in response.text
     # Submitting form should get a forbidden error
-    response = canned_write_immutable_client.post(
+    response = stored_write_immutable_client.post(
         "/fixtures/add",
         {"text": "text"},
         csrftoken_from=True,
diff --git a/tests/test_table_api.py b/tests/test_table_api.py
index 51e40ad1..272e39e3 100644
--- a/tests/test_table_api.py
+++ b/tests/test_table_api.py
@@ -1,6 +1,7 @@
 from datasette.utils import detect_json1
 from datasette.utils.sqlite import sqlite_version
-from .fixtures import generate_compound_rows, generate_sortable_rows, make_app_client
+from datasette.fixtures import generate_compound_rows, generate_sortable_rows
+from .fixtures import make_app_client
 import json
 import pytest
 import urllib
@@ -67,6 +68,134 @@ async def test_table_shape_arrayfirst(ds_client):
     ]
 
 
+@pytest.mark.asyncio
+async def test_query_extras_for_arbitrary_sql(ds_client):
+    response = await ds_client.get(
+        "/fixtures/-/query.json?"
+        + urllib.parse.urlencode(
+            {
+                "sql": "select 1 as one",
+                "_extra": "columns,database,query,request,debug",
+            }
+        )
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["rows"] == [{"one": 1}]
+    assert data["columns"] == ["one"]
+    assert data["database"] == "fixtures"
+    assert data["query"]["sql"] == "select 1 as one"
+    assert data["request"]["path"] == "/fixtures/-/query.json"
+    assert data["debug"]["url_vars"] == {
+        "database": "fixtures",
+        "format": "json",
+    }
+
+
+@pytest.mark.asyncio
+async def test_query_extras_for_stored_query(ds_client):
+    response = await ds_client.get(
+        "/fixtures/neighborhood_search.json?"
+        + urllib.parse.urlencode(
+            {
+                "text": "town",
+                "_extra": "columns,database,query,request,debug",
+            }
+        )
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["columns"] == ["_neighborhood", "name", "state"]
+    assert data["database"] == "fixtures"
+    assert data["query"]["sql"].strip().startswith("select _neighborhood")
+    assert data["query"]["params"]["text"] == "town"
+    assert data["request"]["path"] == "/fixtures/neighborhood_search.json"
+    assert data["debug"]["url_vars"] == {
+        "database": "fixtures",
+        "table": "neighborhood_search",
+        "format": "json",
+    }
+
+
+@pytest.mark.parametrize("extra", ["filters", "actions", "display_rows"])
+@pytest.mark.asyncio
+async def test_html_only_extras_are_not_available_via_json(ds_client, extra):
+    # These extras exist for the HTML view; their values are not JSON
+    # serializable so they are internal, not part of the JSON API
+    response = await ds_client.get(f"/fixtures/facetable.json?_extra={extra}")
+    assert response.status_code == 200
+    assert extra not in response.json()
+
+
+@pytest.mark.asyncio
+async def test_html_only_extras_are_not_advertised(ds_client):
+    response = await ds_client.get("/fixtures/facetable.json?_extra=extras")
+    assert response.status_code == 200
+    names = {e["name"] for e in response.json()["extras"]}
+    assert {"filters", "actions", "display_rows"}.isdisjoint(names)
+
+
+def test_query_extra_private_for_arbitrary_sql():
+    with make_app_client(config={"allow_sql": {"id": "root"}}) as client:
+        cookies = {"ds_actor": client.actor_cookie({"id": "root"})}
+        response = client.get(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=private",
+            cookies=cookies,
+        )
+        assert response.status == 200
+        assert response.json["private"] is True
+        # Anonymous users cannot execute SQL at all here
+        anon = client.get("/fixtures/-/query.json?sql=select+1+as+one")
+        assert anon.status == 403
+
+
+def test_query_extra_query_reports_bound_params():
+    config = {
+        "databases": {
+            "fixtures": {
+                "queries": {
+                    "declared_params": {
+                        "sql": "select 1 as one",
+                        "params": ["foo"],
+                    },
+                    "magic_host": {
+                        "sql": "select :_header_host as h",
+                    },
+                }
+            }
+        }
+    }
+    with make_app_client(config=config) as client:
+        # Declared parameters are reported even when the regex cannot find them
+        response = client.get("/fixtures/declared_params.json?foo=bar&_extra=query")
+        assert response.status == 200
+        assert response.json["query"]["params"] == {"foo": "bar"}
+        # Magic parameters are bound internally and should not be reported,
+        # especially not as a value taken from the querystring
+        response = client.get(
+            "/fixtures/magic_host.json?_extra=query&_header_host=spoofed"
+        )
+        assert response.status == 200
+        assert response.json["rows"] == [{"h": "localhost"}]
+        assert response.json["query"]["params"] == {}
+
+
+def test_query_extra_query_does_not_echo_querystring_without_sql():
+    with make_app_client() as client:
+        response = client.get("/fixtures/-/query.json?_extra=query&foo=bar")
+        assert response.status == 200
+        assert response.json["query"]["params"] == {}
+
+
+def test_query_extra_private_false_when_sql_is_public():
+    with make_app_client() as client:
+        response = client.get(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=private"
+        )
+        assert response.status == 200
+        assert response.json["private"] is False
+
+
 @pytest.mark.asyncio
 async def test_table_shape_objects(ds_client):
     response = await ds_client.get("/fixtures/simple_primary_key.json?_shape=objects")
@@ -1291,6 +1420,16 @@ def test_generated_columns_are_visible_in_datasette():
             "/fixtures/facetable.json?_col=state&_col=state",
             ["pk", "state"],
         ),
+        (
+            # https://github.com/simonw/datasette/issues/1975
+            "/fixtures/facetable.json?_col=pk&_col=state",
+            ["pk", "state"],
+        ),
+        (
+            # https://github.com/simonw/datasette/issues/1975
+            "/fixtures/facetable.json?_col=pk",
+            ["pk"],
+        ),
         (
             "/fixtures/facetable.json?_col=state&_col=created&_nocol=created",
             ["pk", "state"],
@@ -1375,6 +1514,17 @@ async def test_table_extras(ds_client, extra, expected_json):
     assert response.json() == expected_json
 
 
+@pytest.mark.asyncio
+async def test_table_extra_columns_can_be_comma_separated(ds_client):
+    response = await ds_client.get(
+        "/fixtures/primary_key_multiple_columns.json?_extra=columns,count"
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["columns"] == ["id", "content", "content2"]
+    assert data["count"] == 1
+
+
 @pytest.mark.asyncio
 async def test_extra_render_cell():
     """Test that _extra=render_cell returns rendered HTML from render_cell plugin hook"""
diff --git a/tests/test_table_html.py b/tests/test_table_html.py
index 00cf9e19..3af2bb08 100644
--- a/tests/test_table_html.py
+++ b/tests/test_table_html.py
@@ -1,4 +1,5 @@
 from datasette.app import Datasette
+from datasette.database import Database
 from bs4 import BeautifulSoup as Soup
 from .fixtures import make_app_client
 import pathlib
@@ -7,6 +8,67 @@ import urllib.parse
 from .utils import inner_html
 
 
+def table_data_from_soup(soup):
+    import json
+    import re
+
+    table_script = [
+        s for s in soup.find_all("script") if "_datasetteTableData" in (s.string or "")
+    ][0]
+    match = re.search(
+        r"window\._datasetteTableData\s*=\s*({.*?});",
+        table_script.string,
+        re.DOTALL,
+    )
+    return json.loads(match.group(1))
+
+
+def database_data_from_soup(soup):
+    import json
+    import re
+
+    database_script = [
+        s
+        for s in soup.find_all("script")
+        if "_datasetteDatabaseData" in (s.string or "")
+    ][0]
+    match = re.search(
+        r"window\._datasetteDatabaseData\s*=\s*({.*?});",
+        database_script.string,
+        re.DOTALL,
+    )
+    return json.loads(match.group(1))
+
+
+DEFAULT_EXPRESSION_OPTIONS = [
+    {
+        "value": "current_timestamp",
+        "label": "Current timestamp in UTC, e.g. 2026-05-01 13:34:00",
+        "sqliteType": "text",
+    },
+    {
+        "value": "current_date",
+        "label": "Current date in UTC, e.g. 2026-05-01",
+        "sqliteType": "text",
+    },
+    {
+        "value": "current_time",
+        "label": "Current time in UTC, e.g. 13:34:00",
+        "sqliteType": "text",
+    },
+    {
+        "value": "current_unixtime",
+        "label": "Current Unix time, integer seconds since the epoch",
+        "sqliteType": "integer",
+    },
+    {
+        "value": "current_unixtime_ms",
+        "label": "Current Unix time, integer milliseconds since the epoch",
+        "sqliteType": "integer",
+    },
+]
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "path,expected_definition_sql",
@@ -248,6 +310,7 @@ async def test_sort_links(ds_client):
                 "data-column-type": "",
                 "data-column-not-null": "0",
                 "data-is-pk": "0",
+                "data-is-link-column": "1",
             },
             "a_href": None,
         },
@@ -348,7 +411,11 @@ async def test_facet_display(ds_client):
                     {
                         "name": a.text,
                         "qs": a["href"].split("?")[-1],
-                        "count": int(str(a.parent).split("</a>")[1].split("<")[0]),
+                        "count": int(
+                            a.parent.find(
+                                "span", {"class": "facet-count"}
+                            ).text.replace(",", "")
+                        ),
                     }
                     for a in div.find("ul").find_all("a")
                 ],
@@ -509,6 +576,57 @@ async def test_table_csv_json_export_interface(ds_client):
     ] == inputs
 
 
+def test_base_url_export_links_are_not_double_prefixed(app_client_base_url_prefix):
+    for path, expected_json, expected_csv in (
+        (
+            "/prefix/fixtures/simple_primary_key?id__gt=2",
+            "/prefix/fixtures/simple_primary_key.json?id__gt=2",
+            "/prefix/fixtures/simple_primary_key.csv?id__gt=2&_size=max",
+        ),
+        (
+            "/prefix/fixtures/simple_primary_key/1",
+            "/prefix/fixtures/simple_primary_key/1.json",
+            None,
+        ),
+        (
+            "/prefix/fixtures/-/query?sql=select+1",
+            "/prefix/fixtures/-/query.json?sql=select+1",
+            "/prefix/fixtures/-/query.csv?sql=select+1&_size=max",
+        ),
+    ):
+        response = app_client_base_url_prefix.get(path)
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+        export_links = soup.find("p", {"class": "export-links"}) or next(
+            p for p in soup.find_all("p") if "This data as" in p.get_text()
+        )
+        hrefs = [a["href"] for a in export_links.find_all("a", href=True)]
+        assert expected_json in hrefs
+        if expected_csv:
+            assert expected_csv in hrefs
+        assert not [href for href in hrefs if href.startswith("/prefix/prefix/")]
+        assert response.headers["link"] == (
+            f"<http://localhost{expected_json}>; "
+            'rel="alternate"; type="application/json+datasette"'
+        )
+
+
+def test_base_url_export_links_when_database_matches_prefix():
+    with make_app_client(settings={"base_url": "/data/"}, filename="data.db") as client:
+        response = client.get("/data/data/simple_primary_key?id__gt=2")
+        assert response.status_code == 200
+        export_links = Soup(response.text, "html.parser").find(
+            "p", {"class": "export-links"}
+        )
+        hrefs = [a["href"] for a in export_links.find_all("a", href=True)]
+        assert "/data/data/simple_primary_key.json?id__gt=2" in hrefs
+        assert "/data/data/simple_primary_key.csv?id__gt=2&_size=max" in hrefs
+        assert response.headers["link"] == (
+            "<http://localhost/data/data/simple_primary_key.json?id__gt=2>; "
+            'rel="alternate"; type="application/json+datasette"'
+        )
+
+
 @pytest.mark.asyncio
 async def test_csv_json_export_links_include_labels_if_foreign_keys(ds_client):
     response = await ds_client.get("/fixtures/facetable")
@@ -607,6 +725,13 @@ async def test_table_html_compound_primary_key(ds_client):
     assert [
         [str(td) for td in tr.select("td")] for tr in table.select("tbody tr")
     ] == expected
+    rows = table.select("tbody tr")
+    assert rows[0]["data-row"] == "a,b"
+    assert "data-row-pk-path" not in rows[0].attrs
+    assert "data-row-label" not in rows[0].attrs
+    assert rows[1]["data-row"] == "a~2Fb,~2Ec-d"
+    assert "data-row-pk-path" not in rows[1].attrs
+    assert "data-row-label" not in rows[1].attrs
 
 
 @pytest.mark.asyncio
@@ -643,7 +768,7 @@ async def test_table_html_foreign_key_facets(ds_client):
     assert response.status_code == 200
     assert (
         '<li><a href="http://localhost/fixtures/foreign_key_references?_facet=foreign_key_with_blank_label&amp;foreign_key_with_blank_label=3"'
-        ' data-facet-value="3">-</a> 1</li>'
+        ' data-facet-value="3">-</a> <span class="facet-count">1</span></li>'
     ) in response.text
 
 
@@ -730,6 +855,910 @@ async def test_table_html_filter_form_still_shows_nocol_columns(ds_client):
     ]
 
 
+@pytest.mark.asyncio
+async def test_column_chooser_present(ds_client):
+    response = await ds_client.get("/fixtures/facetable")
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    # Web component should be present
+    chooser = soup.find("column-chooser")
+    assert chooser is not None
+    # Script block should contain column data as JSON
+
+    scripts = soup.find_all("script")
+    chooser_script = [s for s in scripts if "_columnChooserData" in (s.string or "")]
+    assert len(chooser_script) == 1
+    script_text = chooser_script[0].string
+    # Extract the JSON data
+    assert "allColumns" in script_text
+    assert "selectedColumns" in script_text
+    assert "primaryKeys" in script_text
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "path", ["/fixtures/facetable", "/fixtures/123_starts_with_digits"]
+)
+async def test_mobile_column_actions_present(ds_client, path):
+    response = await ds_client.get(path)
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    button = soup.select_one("button.column-actions-mobile.small-screen-only")
+    assert button is not None
+    assert button.text.strip() == "Column actions"
+    assert button.find("svg") is not None
+    assert any(
+        "mobile-column-actions.js" in (script.get("src") or "")
+        for script in soup.find_all("script")
+    )
+    # mobile-column-actions.js builds its dialog from <th data-column> elements,
+    # so the thead must render even when the table has no rows.
+    ths = soup.select("table.rows-and-columns thead th[data-column]")
+    assert len(ths) >= 1
+
+
+@pytest.mark.asyncio
+async def test_row_delete_action_data_attributes():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "update-row": {"id": "root"},
+                                "delete-row": {"id": "root"},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_row_delete_actions"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text, score integer);
+            insert into items (id, name, score) values (1, 'One', 5);
+            """)
+        response = await ds.client.get("/data/items", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+        assert table_data_from_soup(soup) == {
+            "database": "data",
+            "table": "items",
+            "tableUrl": "/data/items",
+        }
+        assert soup.select_one('button[data-table-action="insert-row"]') is None
+
+        row = soup.select_one("table.rows-and-columns tbody tr")
+        assert row["data-row"] == "1"
+        assert row["data-row-label"] == "One"
+        assert {key for key in row.attrs if key.startswith("data-row")} == {
+            "data-row",
+            "data-row-label",
+        }
+
+        edit_button = row.select_one(
+            'button.row-inline-action-edit[data-row-action="edit"]'
+        )
+        assert edit_button is not None
+        assert edit_button["aria-label"] == "Edit row 1 One"
+        assert edit_button["title"] == "Edit row"
+        assert edit_button.find("svg") is not None
+
+        button = row.select_one(
+            'button.row-inline-action-delete[data-row-action="delete"]'
+        )
+        assert button is not None
+        assert button["aria-label"] == "Delete row 1 One"
+        assert button["title"] == "Delete row"
+        assert button.find("svg") is not None
+
+        response = await ds.client.get("/data/items?_col=score", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+        row = soup.select_one("table.rows-and-columns tbody tr")
+        assert row["data-row"] == "1"
+        assert "data-row-label" not in row.attrs
+
+        edit_button = row.select_one(
+            'button.row-inline-action-edit[data-row-action="edit"]'
+        )
+        assert edit_button is not None
+        assert edit_button["aria-label"] == "Edit row 1"
+
+        button = row.select_one(
+            'button.row-inline-action-delete[data-row-action="delete"]'
+        )
+        assert button is not None
+        assert button["aria-label"] == "Delete row 1"
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_database_create_table_action_button_and_data():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "create-table": {"id": "root"},
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_database_create_table_action"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text);
+            """)
+
+        response = await ds.client.get("/data", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+
+        button = soup.select_one(
+            'button.action-menu-button[data-database-action="create-table"]'
+        )
+        assert button is not None
+        assert button["aria-label"] == "Create table in data"
+        assert button["role"] == "menuitem"
+        description = button.find("span", class_="dropdown-description")
+        assert description.text.strip() == "Create a new table in this database."
+        description.extract()
+        assert button.text.strip() == "Create table"
+        assert any(
+            "edit-tools.js" in script.get("src", "")
+            for script in soup.find_all("script")
+        )
+        assert database_data_from_soup(soup) == {
+            "createTable": {
+                "path": "/data/-/create",
+                "foreignKeyTargetsPath": "/data/-/foreign-key-targets",
+                "databaseName": "data",
+                "columnTypes": ["text", "integer", "float", "blob"],
+                "defaultExpressions": DEFAULT_EXPRESSION_OPTIONS,
+            },
+        }
+        assert "customColumnTypes" not in database_data_from_soup(soup)["createTable"]
+
+        response_without_permission = await ds.client.get(
+            "/data", actor={"id": "someone-else"}
+        )
+        assert response_without_permission.status_code == 200
+        soup_without_permission = Soup(response_without_permission.text, "html.parser")
+        assert (
+            soup_without_permission.select_one(
+                'button[data-database-action="create-table"]'
+            )
+            is None
+        )
+        assert not any(
+            "_datasetteDatabaseData" in (script.string or "")
+            for script in soup_without_permission.find_all("script")
+        )
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_database_create_table_data_includes_custom_column_types():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "permissions": {
+                        "create-table": {"id": "root"},
+                        "set-column-type": {"id": "root"},
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_database_create_table_custom_types"),
+            name="data",
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text);
+            """)
+
+        response = await ds.client.get("/data", actor={"id": "root"})
+        assert response.status_code == 200
+        create_table_data = database_data_from_soup(Soup(response.text, "html.parser"))[
+            "createTable"
+        ]
+        assert create_table_data["customColumnTypes"] == [
+            {
+                "name": "email",
+                "description": "Email address",
+                "sqliteTypes": ["text"],
+                "fixedSqliteType": "text",
+            },
+            {
+                "name": "json",
+                "description": "JSON data",
+                "sqliteTypes": ["text"],
+                "fixedSqliteType": "text",
+            },
+            {
+                "name": "textarea",
+                "description": "Multiline text",
+                "sqliteTypes": ["text"],
+                "fixedSqliteType": "text",
+            },
+            {
+                "name": "url",
+                "description": "URL",
+                "sqliteTypes": ["text"],
+                "fixedSqliteType": "text",
+            },
+        ]
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_table_alter_action_button_and_data():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "alter-table": {"id": ["root", "alter-only"]},
+                                "set-column-type": {"id": "root"},
+                                "drop-table": {"id": "root"},
+                            },
+                            "column_types": {"name": "textarea"},
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_table_alter_action"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (
+                id integer primary key,
+                name text not null,
+                score integer default 5,
+                created text default current_timestamp,
+                created_ms integer default (CAST((julianday('now') - 2440587.5) * 86400000 AS INTEGER))
+            );
+            """)
+        response = await ds.client.get("/data/items", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+
+        button = soup.select_one(
+            'button.action-menu-button[data-table-action="alter-table"]'
+        )
+        assert button is not None
+        assert button["aria-label"] == "Alter table items"
+        assert button["role"] == "menuitem"
+        description = button.find("span", class_="dropdown-description")
+        assert description.text.strip() == (
+            "Change columns and primary key for this table."
+        )
+        description.extract()
+        assert button.text.strip() == "Alter table"
+        assert any(
+            "edit-tools.js" in script.get("src", "")
+            for script in soup.find_all("script")
+        )
+
+        alter_data = table_data_from_soup(soup)["alterTable"]
+        assert alter_data["path"] == "/data/items/-/alter"
+        assert alter_data["tableName"] == "items"
+        assert alter_data["primaryKeys"] == ["id"]
+        assert alter_data["columnTypes"] == ["text", "integer", "float", "blob"]
+        assert alter_data["foreignKeyTargetsPath"] == (
+            "/data/-/foreign-key-targets?table=items"
+        )
+        assert alter_data["defaultExpressions"] == DEFAULT_EXPRESSION_OPTIONS
+        assert [option["name"] for option in alter_data["customColumnTypes"]] == [
+            "email",
+            "json",
+            "textarea",
+            "url",
+        ]
+        assert alter_data["dropPath"] == "/data/items/-/drop"
+        assert alter_data["columns"] == [
+            {
+                "name": "id",
+                "type": "integer",
+                "sqlite_type": "INTEGER",
+                "notnull": 0,
+                "default": None,
+                "has_default": False,
+                "is_pk": True,
+                "foreign_key": None,
+                "column_type": None,
+            },
+            {
+                "name": "name",
+                "type": "text",
+                "sqlite_type": "TEXT",
+                "notnull": 1,
+                "default": None,
+                "has_default": False,
+                "is_pk": False,
+                "foreign_key": None,
+                "column_type": {"type": "textarea", "config": None},
+            },
+            {
+                "name": "score",
+                "type": "integer",
+                "sqlite_type": "INTEGER",
+                "notnull": 0,
+                "default": "5",
+                "has_default": True,
+                "is_pk": False,
+                "foreign_key": None,
+                "column_type": None,
+            },
+            {
+                "name": "created",
+                "type": "text",
+                "sqlite_type": "TEXT",
+                "notnull": 0,
+                "default": None,
+                "default_expr": "current_timestamp",
+                "has_default": True,
+                "is_pk": False,
+                "foreign_key": None,
+                "column_type": None,
+            },
+            {
+                "name": "created_ms",
+                "type": "integer",
+                "sqlite_type": "INTEGER",
+                "notnull": 0,
+                "default": None,
+                "default_expr": "current_unixtime_ms",
+                "has_default": True,
+                "is_pk": False,
+                "foreign_key": None,
+                "column_type": None,
+            },
+        ]
+
+        response_without_permission = await ds.client.get(
+            "/data/items", actor={"id": "someone-else"}
+        )
+        assert response_without_permission.status_code == 200
+        soup_without_permission = Soup(response_without_permission.text, "html.parser")
+        assert (
+            soup_without_permission.select_one(
+                'button[data-table-action="alter-table"]'
+            )
+            is None
+        )
+        assert "alterTable" not in table_data_from_soup(soup_without_permission)
+
+        # An actor that can alter but not drop should not get a dropPath
+        response_alter_only = await ds.client.get(
+            "/data/items", actor={"id": "alter-only"}
+        )
+        assert response_alter_only.status_code == 200
+        alter_only_data = table_data_from_soup(
+            Soup(response_alter_only.text, "html.parser")
+        )["alterTable"]
+        assert "dropPath" not in alter_only_data
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_table_insert_action_button_and_data():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "insert-row": {"id": "root"},
+                            },
+                            "column_types": {"body": "textarea"},
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_table_insert_action"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (
+                id integer primary key,
+                name text not null,
+                score integer default 5,
+                price numeric,
+                created text default (datetime('now')),
+                body text,
+                typeless
+            );
+            """)
+        response = await ds.client.get("/data/items", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+
+        button = soup.select_one(
+            'button.table-insert-row[data-table-action="insert-row"]'
+        )
+        assert button is not None
+        assert button.text.strip() == "Insert row"
+        assert button.find("svg") is not None
+        assert button.find_parent("div", class_="table-row-toolbar") is not None
+
+        insert_data = table_data_from_soup(soup)["insertRow"]
+        assert insert_data["path"] == "/data/items/-/insert"
+        assert insert_data["tableName"] == "items"
+        assert insert_data["primaryKeys"] == ["id"]
+        assert [column["name"] for column in insert_data["columns"]] == [
+            "name",
+            "score",
+            "price",
+            "created",
+            "body",
+            "typeless",
+        ]
+        name, score, price, created, body, typeless = insert_data["columns"]
+        assert name["notnull"] == 1
+        assert name["sqlite_type"] == "TEXT"
+        assert name["value_kind"] == "string"
+        assert not name["has_default"]
+        assert score["default"] == "5"
+        assert score["has_default"]
+        assert score["sqlite_type"] == "INTEGER"
+        assert score["value_kind"] == "number"
+        assert price["sqlite_type"] == "NUMERIC"
+        assert price["value_kind"] == "string"
+        assert created["default"] == "datetime('now')"
+        assert created["has_default"]
+        assert created["sqlite_type"] == "TEXT"
+        assert body["sqlite_type"] == "TEXT"
+        assert body["value_kind"] == "string"
+        assert body["column_type"] == {"type": "textarea", "config": None}
+        assert typeless["sqlite_type"] == "BLOB"
+        assert typeless["value_kind"] == "string"
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_table_insert_action_includes_compound_primary_keys():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "memberships": {
+                            "permissions": {
+                                "insert-row": {"id": "root"},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_table_insert_compound_pk"), name="data"
+        )
+        await db.execute_write_script("""
+            create table memberships (
+                account text,
+                username text,
+                role text,
+                primary key (account, username)
+            );
+            """)
+        response = await ds.client.get("/data/memberships", actor={"id": "root"})
+        assert response.status_code == 200
+        insert_data = table_data_from_soup(Soup(response.text, "html.parser"))[
+            "insertRow"
+        ]
+        assert insert_data["tableName"] == "memberships"
+        assert insert_data["primaryKeys"] == ["account", "username"]
+        assert [column["name"] for column in insert_data["columns"]] == [
+            "account",
+            "username",
+            "role",
+        ]
+        assert [column["is_pk"] for column in insert_data["columns"]] == [
+            True,
+            True,
+            False,
+        ]
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_table_data_includes_foreign_key_autocomplete_urls():
+    ds = Datasette([])
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_table_foreign_key_autocomplete"), name="data"
+        )
+        await db.execute_write_script("""
+            create table authors (
+                id integer primary key,
+                name text
+            );
+            create table tags (
+                slug text unique,
+                name text
+            );
+            create table articles (
+                id integer primary key,
+                author_id integer references authors(id),
+                implicit_author_id integer references authors,
+                tag_slug text references tags(slug),
+                title text
+            );
+            insert into authors (id, name) values (1, 'Ada Lovelace');
+            insert into tags (slug, name) values ('science', 'Science');
+            insert into articles (
+                id,
+                author_id,
+                implicit_author_id,
+                tag_slug,
+                title
+            ) values (
+                1,
+                1,
+                1,
+                'science',
+                'Notes'
+            );
+            """)
+        response = await ds.client.get("/data/articles")
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+        table_data = table_data_from_soup(soup)
+        assert table_data["foreignKeys"] == {
+            "author_id": "/data/authors/-/autocomplete",
+            "implicit_author_id": "/data/authors/-/autocomplete",
+        }
+        assert any(
+            "autocomplete.js" in (script.get("src") or "")
+            for script in soup.find_all("script")
+        )
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_table_fragment_endpoint(ds_client):
+    response = await ds_client.get("/fixtures/simple_primary_key/-/fragment?_row=1")
+    assert response.status_code == 200
+    assert response.headers["content-type"].startswith("text/html")
+    soup = Soup(response.text, "html.parser")
+    assert soup.find("html") is None
+    rows = soup.select("[data-row]")
+    assert len(rows) == 1
+    assert rows[0]["data-row"] == "1"
+    assert rows[0]["data-row-label"] == "hello"
+    assert {key for key in rows[0].attrs if key.startswith("data-row")} == {
+        "data-row",
+        "data-row-label",
+    }
+
+
+@pytest.mark.asyncio
+async def test_table_fragment_row_parameter_replaces_pk_filters(ds_client):
+    response = await ds_client.get(
+        "/fixtures/simple_primary_key/-/fragment?id=2&_row=1"
+    )
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    rows = soup.select("[data-row]")
+    assert len(rows) == 1
+    assert rows[0]["data-row"] == "1"
+    assert rows[0]["data-row-label"] == "hello"
+
+
+@pytest.mark.asyncio
+async def test_row_page_edit_delete_action_menu_buttons():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "update-row": {"id": "root"},
+                                "delete-row": {"id": "root"},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_row_page_edit_delete_actions"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text, score integer);
+            insert into items (id, name, score) values (1, 'One', 5);
+            """)
+        response = await ds.client.get("/data/items/1", actor={"id": "root"})
+        assert response.status_code == 200
+        soup = Soup(response.text, "html.parser")
+        assert table_data_from_soup(soup) == {
+            "database": "data",
+            "table": "items",
+            "tableUrl": "/data/items",
+        }
+        script_srcs = [script.get("src") or "" for script in soup.find_all("script")]
+        assert any("edit-tools.js" in src for src in script_srcs)
+        assert not any("table.js" in src for src in script_srcs)
+
+        row = soup.select_one("table.rows-and-columns tbody tr")
+        assert row["data-row"] == "1"
+        assert row["data-row-label"] == "One"
+
+        edit_button = soup.select_one(
+            'details.actions-menu-links button.action-menu-button[data-row-action="edit"]'
+        )
+        assert edit_button is not None
+        assert edit_button["aria-label"] == "Edit row 1 One"
+        assert edit_button["data-row"] == "1"
+        assert edit_button["data-row-label"] == "One"
+        assert edit_button["role"] == "menuitem"
+        assert edit_button.find("span", class_="dropdown-description").text.strip() == (
+            "Open a dialog to edit this row."
+        )
+        edit_button.find("span").extract()
+        assert edit_button.text.strip() == "Edit row"
+
+        delete_button = soup.select_one(
+            'details.actions-menu-links button.action-menu-button[data-row-action="delete"]'
+        )
+        assert delete_button is not None
+        assert delete_button["aria-label"] == "Delete row 1 One"
+        assert delete_button["data-row"] == "1"
+        assert delete_button["data-row-label"] == "One"
+        assert delete_button["role"] == "menuitem"
+        assert delete_button.find(
+            "span", class_="dropdown-description"
+        ).text.strip() == ("Open a confirmation dialog to delete this row.")
+        delete_button.find("span").extract()
+        assert delete_button.text.strip() == "Delete row"
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_row_delete_redirect_to_table_sets_message():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "delete-row": {"id": "root"},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_row_delete_redirect"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text);
+            insert into items (id, name) values (1, 'One');
+            """)
+        response = await ds.client.post(
+            "/data/items/1/-/delete?_redirect_to_table=1", actor={"id": "root"}
+        )
+        assert response.status_code == 200
+        assert response.json() == {"ok": True, "redirect": "/data/items"}
+        assert ds.unsign(response.cookies["ds_messages"], "messages") == [
+            ["Deleted row 1 (One)", ds.INFO]
+        ]
+    finally:
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_row_update_sets_message():
+    ds = Datasette(
+        [],
+        config={
+            "databases": {
+                "data": {
+                    "tables": {
+                        "items": {
+                            "permissions": {
+                                "update-row": {"id": "root"},
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    )
+    try:
+        db = ds.add_database(
+            Database(ds, memory_name="test_row_update_message"), name="data"
+        )
+        await db.execute_write_script("""
+            create table items (id integer primary key, name text);
+            insert into items (id, name) values (1, 'One');
+            """)
+        long_name = "Two " + ("long label " * 12)
+        truncated_name = long_name[:79] + "\u2026"
+        response = await ds.client.post(
+            "/data/items/1/-/update?_message=1",
+            actor={"id": "root"},
+            json={"update": {"name": long_name}, "return": True},
+        )
+        assert response.status_code == 200
+        assert response.json()["row"]["name"] == long_name
+        assert ds.unsign(response.cookies["ds_messages"], "messages") == [
+            ["Updated row 1 ({})".format(truncated_name), ds.INFO]
+        ]
+    finally:
+        ds.close()
+
+
+def test_table_data_uses_base_url(app_client_base_url_prefix):
+    response = app_client_base_url_prefix.get("/prefix/fixtures/simple_primary_key")
+    assert response.status_code == 200
+    import json
+    import re
+
+    soup = Soup(response.text, "html.parser")
+    table_script = [
+        s for s in soup.find_all("script") if "_datasetteTableData" in (s.string or "")
+    ][0]
+    match = re.search(
+        r"window\._datasetteTableData\s*=\s*({.*?});",
+        table_script.string,
+        re.DOTALL,
+    )
+    assert json.loads(match.group(1)) == {
+        "database": "fixtures",
+        "table": "simple_primary_key",
+        "tableUrl": "/prefix/fixtures/simple_primary_key",
+    }
+
+
+def test_table_fragment_custom_table_include():
+    with make_app_client(
+        template_dir=str(pathlib.Path(__file__).parent / "test_templates")
+    ) as client:
+        response = client.get("/fixtures/complex_foreign_keys/-/fragment?f1=1&f2=2")
+        assert response.status == 200
+        assert (
+            '<div class="custom-table-row">'
+            '1 - 2 - <a href="/fixtures/simple_primary_key/1">hello</a> <em>1</em>'
+            "</div>"
+        ) == str(Soup(response.text, "html.parser").select_one("div.custom-table-row"))
+
+
+@pytest.mark.asyncio
+async def test_table_fragment_uses_render_cell_hook():
+    from datasette import hookimpl
+    from markupsafe import Markup
+
+    class TestRenderCellPlugin:
+        __name__ = "TestRenderCellPlugin"
+
+        @hookimpl
+        def render_cell(self, value, column, table, database):
+            if database == "data" and table == "items" and column == "name":
+                return Markup("<strong>{}</strong>".format(value))
+            return None
+
+    ds = Datasette(memory=True)
+    await ds.invoke_startup()
+    db = ds.add_memory_database("data")
+    await db.execute_write("create table items (id integer primary key, name text)")
+    await db.execute_write("insert into items values (1, 'Alice')")
+    ds.pm.register(TestRenderCellPlugin(), name="TestRenderCellPlugin")
+    try:
+        response = await ds.client.get("/data/items/-/fragment?id=1")
+        assert response.status_code == 200
+        assert "<strong>Alice</strong>" in response.text
+    finally:
+        ds.pm.unregister(name="TestRenderCellPlugin")
+        ds.close()
+
+
+@pytest.mark.asyncio
+async def test_zero_row_table_renders_thead(ds_client):
+    response = await ds_client.get("/fixtures/123_starts_with_digits")
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    table = soup.select_one("table.rows-and-columns")
+    assert table is not None
+    column_names = [
+        th.get("data-column") for th in table.select("thead th[data-column]")
+    ]
+    assert "content" in column_names
+    assert table.select_one("tbody tr") is None
+    assert soup.select_one("p.zero-results") is not None
+
+
+@pytest.mark.asyncio
+async def test_column_chooser_data_reflects_col_filtering(ds_client):
+    response = await ds_client.get("/fixtures/facetable?_col=state&_col=created")
+    assert response.status_code == 200
+    import json
+    import re
+
+    soup = Soup(response.text, "html.parser")
+    chooser = soup.find("column-chooser")
+    assert chooser is not None
+    scripts = soup.find_all("script")
+    chooser_script = [s for s in scripts if "_columnChooserData" in (s.string or "")]
+    script_text = chooser_script[0].string
+    # Parse the JSON object from the script
+    match = re.search(
+        r"window\._columnChooserData\s*=\s*({.*?});", script_text, re.DOTALL
+    )
+    data = json.loads(match.group(1))
+    # All non-PK columns should still be listed in allColumns
+    assert "state" in data["allColumns"]
+    assert "created" in data["allColumns"]
+    assert "planet_int" in data["allColumns"]
+    # Only state and created should be in selectedColumns (plus pk)
+    non_pk_selected = [
+        c for c in data["selectedColumns"] if c not in data["primaryKeys"]
+    ]
+    assert "state" in non_pk_selected
+    assert "created" in non_pk_selected
+    assert "planet_int" not in non_pk_selected
+
+
+@pytest.mark.asyncio
+async def test_column_chooser_shown_for_views(ds_client):
+    response = await ds_client.get("/fixtures/simple_view")
+    assert response.status_code == 200
+    soup = Soup(response.text, "html.parser")
+    chooser = soup.find("column-chooser")
+    assert chooser is not None
+    scripts = soup.find_all("script")
+    chooser_script = [s for s in scripts if "_columnChooserData" in (s.string or "")]
+    assert len(chooser_script) == 1
+
+
 @pytest.mark.asyncio
 async def test_compound_primary_key_with_foreign_key_references(ds_client):
     # e.g. a many-to-many table with a compound primary key on the two columns
diff --git a/tests/test_template_context.py b/tests/test_template_context.py
new file mode 100644
index 00000000..7923d0e7
--- /dev/null
+++ b/tests/test_template_context.py
@@ -0,0 +1,215 @@
+"""
+Tests for the documented template context - the contract that custom
+template authors can rely on for Datasette 1.0.
+"""
+
+import html
+import json
+import pathlib
+from dataclasses import dataclass, field
+
+import pytest
+
+from datasette.app import Datasette, TEMPLATE_BASE_CONTEXT
+from datasette.extras import ExtraScope
+from datasette.fixtures import write_fixture_database
+from datasette.template_contexts import PAGES, documented_context_keys
+from datasette.views import Context
+
+
+def test_documented_fields():
+    @dataclass
+    class DemoNested:
+        name: str
+
+    @dataclass
+    class DemoContext(Context):
+        name: str = field(metadata={"help": "The name"})
+        _internal: str = field()
+        count: int = field(metadata={"help": "How many there are"})
+        items: list[DemoNested] = field(metadata={"help": "Nested items"})
+
+    fields = DemoContext.documented_fields()
+    assert [(f.name, f.type_name, f.help) for f in fields] == [
+        ("name", "str", "The name"),
+        ("count", "int", "How many there are"),
+        ("items", "list[DemoNested]", "Nested items"),
+    ]
+
+
+@pytest.mark.parametrize("klass", PAGES.values(), ids=lambda klass: klass.__name__)
+def test_context_class_fields_all_have_help(klass):
+    for context_field in klass.documented_fields():
+        assert context_field.help, "{}.{} is missing documentation".format(
+            klass.__name__, context_field.name
+        )
+
+
+@pytest.mark.parametrize("klass", PAGES.values(), ids=lambda klass: klass.__name__)
+def test_context_class_has_docstring_and_documented_template(klass):
+    assert klass.__doc__, "{} is missing a docstring".format(klass.__name__)
+    assert klass.documented_template, "{} is missing a documented_template".format(
+        klass.__name__
+    )
+
+
+def test_from_extra_documentation_comes_from_the_extra_class():
+    from datasette.views import from_extra
+    from datasette.views.table_extras import CountExtra
+
+    @dataclass
+    class DemoContext(Context):
+        extras_scope = ExtraScope.TABLE
+
+        count: int = from_extra()
+        name: str = field(metadata={"help": "The name"})
+
+    fields = {f.name: f for f in DemoContext.documented_fields()}
+    assert fields["count"].help == CountExtra.description
+    assert fields["count"].from_extra
+    assert fields["name"].help == "The name"
+    assert not fields["name"].from_extra
+
+
+def test_from_extra_must_match_a_registered_extra():
+    from datasette.views import from_extra
+
+    @dataclass
+    class BadContext(Context):
+        extras_scope = ExtraScope.TABLE
+
+        not_a_real_extra: str = from_extra()
+
+    with pytest.raises(KeyError):
+        BadContext.documented_fields()
+
+
+def test_from_extra_must_be_available_for_the_scope():
+    from datasette.views import from_extra
+
+    @dataclass
+    class WrongScopeContext(Context):
+        extras_scope = ExtraScope.ROW
+
+        # count is a TABLE-scope extra, not available for ROW
+        count: int = from_extra()
+
+    with pytest.raises(ValueError):
+        WrongScopeContext.documented_fields()
+
+
+@pytest.fixture
+def isolate_extra_template_vars_plugins():
+    # Datasette instances created with plugins_dir (e.g. the session-scoped
+    # ds_client fixture) register their plugins on the global plugin manager
+    # for the rest of the process. The contract documents plugin-free
+    # Datasette core, so unregister any non-default plugin that adds
+    # template variables via the extra_template_vars hook
+    from datasette.plugins import pm, DEFAULT_PLUGINS
+
+    hook_plugins = {impl.plugin for impl in pm.hook.extra_template_vars.get_hookimpls()}
+    removed = []
+    for plugin in list(pm.get_plugins()):
+        name = pm.get_name(plugin)
+        if name not in DEFAULT_PLUGINS and plugin in hook_plugins:
+            pm.unregister(plugin)
+            removed.append((plugin, name))
+    yield
+    for plugin, name in removed:
+        pm.register(plugin, name)
+
+
+@pytest.fixture(scope="module")
+def context_ds(tmp_path_factory):
+    db_path = tmp_path_factory.mktemp("template-context") / "fixtures.db"
+    write_fixture_database(db_path)
+    ds = Datasette(
+        [str(db_path)],
+        settings={"num_sql_threads": 1, "template_debug": True},
+        config={
+            "databases": {
+                "fixtures": {
+                    "queries": {
+                        "neighborhood_search": {
+                            "sql": (
+                                "select _neighborhood from facetable "
+                                "where _neighborhood like '%' || :text || '%'"
+                            ),
+                            "title": "Search neighborhoods",
+                        }
+                    }
+                }
+            }
+        },
+    )
+    yield ds
+    for db in ds.databases.values():
+        if not db.is_memory:
+            db.close()
+
+
+async def get_template_context(ds, path):
+    sep = "&" if "?" in path else "?"
+    response = await ds.client.get(path + sep + "_context=1")
+    assert response.status_code == 200, path
+    body = html.unescape(response.text.removeprefix("<pre>").removesuffix("</pre>"))
+    return json.loads(body)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "page_name,path",
+    (
+        ("database", "/fixtures"),
+        ("table", "/fixtures/facetable"),
+        ("table", "/fixtures/facetable?_city_id__exact=1"),
+        ("row", "/fixtures/facetable/1"),
+        ("query", "/fixtures/-/query?sql=select+*+from+facetable"),
+        ("query", "/fixtures/neighborhood_search?text=cork"),
+    ),
+)
+async def test_template_context_matches_documented_contract(
+    context_ds, isolate_extra_template_vars_plugins, page_name, path
+):
+    # The full contract: every key in the rendered template context is
+    # documented, and every documented key is present in the context
+    documented = documented_context_keys(page_name)
+    actual = {
+        key
+        for key in await get_template_context(context_ds, path)
+        if not key.startswith("_")
+    }
+    undocumented = actual - documented
+    no_longer_present = documented - actual
+    assert not undocumented, (
+        "Undocumented keys in {} template context: {} - add them to the "
+        "page's Context class".format(page_name, sorted(undocumented))
+    )
+    assert not no_longer_present, (
+        "Documented keys missing from {} template context: {} - this would "
+        "break custom templates".format(page_name, sorted(no_longer_present))
+    )
+
+
+def test_base_context_keys_all_have_docs():
+    for name, doc in TEMPLATE_BASE_CONTEXT.items():
+        assert doc, "Base context key {} is missing docs".format(name)
+
+
+def test_template_context_docs_cover_every_documented_key():
+    docs_path = pathlib.Path(__file__).parent.parent / "docs" / "template_context.rst"
+    assert docs_path.exists(), "docs/template_context.rst is missing"
+    docs = docs_path.read_text()
+    for name in TEMPLATE_BASE_CONTEXT:
+        assert "``{}``".format(name) in docs, name
+    for page_name, klass in PAGES.items():
+        title = "{} page".format(klass.__name__.removesuffix("Context"))
+        assert title in docs, title
+        for context_field in klass.documented_fields():
+            assert "``{}``".format(context_field.name) in docs, "{} ({} page)".format(
+                context_field.name, page_name
+            )
+            assert (
+                "``{}`` - ``{}``".format(context_field.name, context_field.type_name)
+                in docs
+            ), "{} type ({} page)".format(context_field.name, page_name)
diff --git a/tests/test_token_handler.py b/tests/test_token_handler.py
index 83f09046..5c87f577 100644
--- a/tests/test_token_handler.py
+++ b/tests/test_token_handler.py
@@ -291,6 +291,43 @@ async def test_expires_after_round_trip(datasette):
     assert "token_expires" in actor
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "build_restrictions,expected",
+    [
+        (lambda r: r, None),
+        (lambda r: r.allow_all("view-instance"), {"a": ["vi"]}),
+        (
+            lambda r: r.allow_database("docs", "view-query"),
+            {"d": {"docs": ["vq"]}},
+        ),
+        (
+            lambda r: r.allow_resource("docs", "attachments", "insert-row"),
+            {"r": {"docs": {"attachments": ["ir"]}}},
+        ),
+        (
+            lambda r: r.allow_all("view-instance")
+            .allow_database("docs", "view-query")
+            .allow_resource("docs", "attachments", "insert-row"),
+            {
+                "a": ["vi"],
+                "d": {"docs": ["vq"]},
+                "r": {"docs": {"attachments": ["ir"]}},
+            },
+        ),
+        (
+            lambda r: r.allow_all("not-a-real-action"),
+            {"a": ["not-a-real-action"]},
+        ),
+    ],
+    ids=["empty", "all", "database", "resource", "combined", "unknown_action"],
+)
+async def test_token_restrictions_abbreviated(datasette, build_restrictions, expected):
+    await datasette.invoke_startup()
+    restrictions = build_restrictions(TokenRestrictions())
+    assert restrictions.abbreviated(datasette) == expected
+
+
 @pytest.mark.asyncio
 async def test_signed_tokens_disabled():
     """create_token and verify_token should fail/skip when signed tokens are disabled."""
diff --git a/tests/test_tracer.py b/tests/test_tracer.py
index 1e0d7001..9db211d3 100644
--- a/tests/test_tracer.py
+++ b/tests/test_tracer.py
@@ -32,25 +32,11 @@ def test_trace(trace_debug):
         assert isinstance(trace.get("params"), (list, dict, None.__class__))
 
     sqls = [trace["sql"] for trace in traces if "sql" in trace]
-    # There should be a mix of different types of SQL statement
-    expected = (
-        "CREATE TABLE ",
-        "PRAGMA ",
-        "INSERT OR REPLACE INTO ",
-        "INSERT INTO",
-        "select ",
-    )
-    for prefix in expected:
-        assert any(
-            sql.startswith(prefix) for sql in sqls
-        ), "No trace beginning with: {}".format(prefix)
-
-    # Should be at least one executescript
-    assert any(trace for trace in traces if trace.get("executescript"))
-    # And at least one executemany
-    execute_manys = [trace for trace in traces if trace.get("executemany")]
-    assert execute_manys
-    assert all(isinstance(trace["count"], int) for trace in execute_manys)
+    # There should be SQL statements from request handling in the trace.
+    # Note: CREATE TABLE, INSERT OR REPLACE, executescript, and executemany
+    # are not expected here because internal tables are now created and
+    # populated during invoke_startup(), before the request is traced.
+    assert any(sql.startswith("select ") for sql in sqls), "No select statements traced"
 
 
 def test_trace_silently_fails_for_large_page():
@@ -84,6 +70,19 @@ def test_trace_query_errors():
     assert trace_info["traces"][-1]["error"] == "no such table: non_existent_table"
 
 
+@pytest.mark.asyncio
+async def test_trace_child_tasks_resets_contextvar_on_exception():
+    from datasette import tracer
+
+    before = tracer.trace_task_id.get()
+    with pytest.raises(ValueError):
+        with tracer.trace_child_tasks():
+            assert tracer.trace_task_id.get() is not None
+            raise ValueError("simulated error")
+    # The contextvar must be reset even though the block raised
+    assert tracer.trace_task_id.get() == before
+
+
 def test_trace_parallel_queries():
     with make_app_client(settings={"trace_debug": True}) as client:
         response = client.get("/parallel-queries?_trace=1")
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 85ab9e6b..38ebb51e 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -5,7 +5,13 @@ Tests for various datasette helper functions.
 from datasette.app import Datasette
 from datasette import utils
 from datasette.utils.asgi import Request
-from datasette.utils.sqlite import sqlite3
+from datasette.utils.sqlite import (
+    sqlite3,
+    sqlite_hidden_table_names,
+    sqlite_table_type,
+    supports_returning,
+)
+import hashlib
 import json
 import os
 import pathlib
@@ -208,6 +214,57 @@ def test_detect_fts(open_quote, close_quote):
     assert None is utils.detect_fts(conn, "Test_View")
     assert None is utils.detect_fts(conn, "r")
     assert "Street_Tree_List_fts" == utils.detect_fts(conn, "Street_Tree_List")
+    conn.close()
+
+
+@pytest.mark.parametrize(
+    "identifier,expected",
+    (
+        ("plain", "plain"),
+        ("select", '"select"'),
+        ("has space", '"has space"'),
+        ("has'quote", '"has\'quote"'),
+        ('has"dquote', '"has""dquote"'),
+        ("has]bracket", '"has]bracket"'),
+        ('has"dquote]', '"has""dquote]"'),
+    ),
+)
+def test_escape_sqlite(identifier, expected):
+    assert utils.escape_sqlite(identifier) == expected
+
+
+def test_escape_sqlite_double_quotes_work_in_query():
+    conn = utils.sqlite3.connect(":memory:")
+    table = 'table with "double quotes"'
+    column = "select"
+    escaped_table = utils.escape_sqlite(table)
+    escaped_column = utils.escape_sqlite(column)
+    conn.execute(f"CREATE TABLE {escaped_table} ({escaped_column} TEXT)")
+    create_sql = conn.execute(
+        "SELECT sql FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
+    ).fetchone()[0]
+    assert create_sql == 'CREATE TABLE "table with ""double quotes""" ("select" TEXT)'
+    conn.execute(
+        f"INSERT INTO {escaped_table} ({escaped_column}) VALUES (?)", ("hello",)
+    )
+    results = conn.execute(f"SELECT {escaped_column} FROM {escaped_table}").fetchall()
+    conn.close()
+    assert results == [("hello",)]
+
+
+def test_escape_sqlite_prevents_injection():
+    # https://github.com/simonw/datasette/issues/2677
+    conn = utils.sqlite3.connect(":memory:")
+    conn.execute("CREATE TABLE users (id INTEGER, password TEXT)")
+    conn.execute("INSERT INTO users VALUES (1, 'super_secret_password')")
+    malicious = "users] UNION SELECT password FROM users--"
+    conn.execute('CREATE TABLE "{}" (id INTEGER)'.format(malicious))
+    sql = "select count(*) from {}".format(utils.escape_sqlite(malicious))
+    results = conn.execute(sql).fetchall()
+    conn.close()
+    # The injected UNION must not execute - only the empty malicious table
+    # is queried, so we get a single count row and no leaked password
+    assert results == [(0,)]
 
 
 @pytest.mark.parametrize("table", ("regular", "has'single quote"))
@@ -222,6 +279,88 @@ def test_detect_fts_different_table_names(table):
     conn = utils.sqlite3.connect(":memory:")
     conn.executescript(sql)
     assert "{table}_fts".format(table=table) == utils.detect_fts(conn, table)
+    conn.close()
+
+
+def test_supports_returning():
+    conn = utils.sqlite3.connect(":memory:")
+    try:
+        conn.execute("create table t (id integer primary key)")
+        conn.execute("insert into t default values returning id").fetchone()
+        expected = True
+    except sqlite3.DatabaseError:
+        expected = False
+    finally:
+        conn.close()
+
+    assert supports_returning() is expected
+
+
+@pytest.mark.parametrize("use_fallback", (False, True))
+def test_sqlite_table_type_detects_virtual_and_shadow_tables(monkeypatch, use_fallback):
+    if use_fallback:
+        monkeypatch.setattr("datasette.utils.sqlite.sqlite_version", lambda: (3, 25, 0))
+    conn = utils.sqlite3.connect(":memory:")
+    try:
+        conn.executescript("""
+            create table dogs(id integer primary key, name text);
+            create view dog_names as select name from dogs;
+            create virtual table search_index using fts5(title, body);
+            create virtual table boxes using rtree(id, minx, maxx, miny, maxy);
+        """)
+
+        assert sqlite_table_type(conn, "dogs") == "table"
+        assert sqlite_table_type(conn, "dog_names") == "view"
+        assert sqlite_table_type(conn, "search_index") == "virtual"
+        assert sqlite_table_type(conn, "search_index_config") == "shadow"
+        assert sqlite_table_type(conn, "boxes") == "virtual"
+        assert sqlite_table_type(conn, "boxes_node") == "shadow"
+        assert sqlite_table_type(conn, "missing") is None
+        assert sqlite_hidden_table_names(conn) == [
+            "boxes_node",
+            "boxes_parent",
+            "boxes_rowid",
+            "search_index_config",
+            "search_index_content",
+            "search_index_data",
+            "search_index_docsize",
+            "search_index_idx",
+        ]
+    finally:
+        conn.close()
+
+
+@pytest.mark.parametrize("use_fallback", (False, True))
+def test_sqlite_table_type_detects_attached_database_tables(monkeypatch, use_fallback):
+    if use_fallback:
+        monkeypatch.setattr("datasette.utils.sqlite.sqlite_version", lambda: (3, 25, 0))
+    conn = utils.sqlite3.connect(":memory:")
+    try:
+        conn.executescript("""
+            attach database ':memory:' as extra;
+            create table extra.cats(id integer primary key, name text);
+            create virtual table extra.cat_search using fts5(name);
+        """)
+
+        assert sqlite_table_type(conn, "cats", schema="extra") == "table"
+        assert sqlite_table_type(conn, "cat_search", schema="extra") == "virtual"
+        assert sqlite_table_type(conn, "cat_search_data", schema="extra") == "shadow"
+    finally:
+        conn.close()
+
+
+def test_sqlite_hidden_table_names_hides_multiline_content_fts_table():
+    conn = utils.sqlite3.connect(":memory:")
+    try:
+        conn.executescript("""
+            create table searchable(id integer primary key, body text);
+            create virtual table searchable_fts
+                using fts5(body, content='searchable', content_rowid='id');
+        """)
+
+        assert "searchable_fts" in sqlite_hidden_table_names(conn)
+    finally:
+        conn.close()
 
 
 @pytest.mark.parametrize(
@@ -359,6 +498,7 @@ def test_table_columns():
     create table places (id integer primary key, name text, bob integer)
     """)
     assert ["id", "name", "bob"] == utils.table_columns(conn, "places")
+    conn.close()
 
 
 @pytest.mark.parametrize(
@@ -383,6 +523,12 @@ def test_path_with_format(path, format, extra_qs, expected):
     assert expected == actual
 
 
+def test_path_with_format_can_override_request_path():
+    request = Request.fake("/prefix/foo?x=1")
+    actual = utils.path_with_format(request=request, path="/foo", format="json")
+    assert "/foo.json?x=1" == actual
+
+
 @pytest.mark.parametrize(
     "bytes,expected",
     [
@@ -433,11 +579,13 @@ def test_check_connection_spatialite_raises():
     conn = sqlite3.connect(path)
     with pytest.raises(utils.SpatialiteConnectionProblem):
         utils.check_connection(conn)
+    conn.close()
 
 
 def test_check_connection_passes():
     conn = sqlite3.connect(":memory:")
     utils.check_connection(conn)
+    conn.close()
 
 
 def test_call_with_supported_arguments():
@@ -564,10 +712,14 @@ def test_display_actor(actor, expected):
 async def test_initial_path_for_datasette(tmp_path_factory, dbs, expected_path):
     db_dir = tmp_path_factory.mktemp("dbs")
     one_table = str(db_dir / "one.db")
-    sqlite3.connect(one_table).execute("create table one (id integer primary key)")
+    conn1 = sqlite3.connect(one_table)
+    conn1.execute("create table one (id integer primary key)")
+    conn1.close()
     two_tables = str(db_dir / "two.db")
-    sqlite3.connect(two_tables).execute("create table two (id integer primary key)")
-    sqlite3.connect(two_tables).execute("create table three (id integer primary key)")
+    conn2 = sqlite3.connect(two_tables)
+    conn2.execute("create table two (id integer primary key)")
+    conn2.execute("create table three (id integer primary key)")
+    conn2.close()
     datasette = Datasette(
         [{"one_table": one_table, "two_tables": two_tables}[db] for db in dbs]
     )
@@ -702,6 +854,12 @@ def test_pairs_to_nested_config(pairs, expected):
     assert actual == expected
 
 
+def test_sha256_file(tmp_path):
+    path = tmp_path / "test.txt"
+    path.write_text("hello")
+    assert utils.sha256_file(path, chunk_size=2) == hashlib.sha256(b"hello").hexdigest()
+
+
 @pytest.mark.asyncio
 async def test_calculate_etag(tmp_path):
     path = tmp_path / "test.txt"
diff --git a/tests/test_utils_sql_analysis.py b/tests/test_utils_sql_analysis.py
new file mode 100644
index 00000000..979ff9e1
--- /dev/null
+++ b/tests/test_utils_sql_analysis.py
@@ -0,0 +1,458 @@
+import pytest
+
+from datasette.utils.sqlite import sqlite3
+from datasette.utils.sql_analysis import analyze_sql_tables
+
+
+@pytest.fixture
+def conn():
+    conn = sqlite3.connect(":memory:")
+    conn.executescript("""
+        create table dogs (id integer primary key, name text, age integer);
+        create table cats (id integer primary key, name text);
+        create table log (message text);
+        create view dog_names as select id, name from dogs;
+        create trigger dogs_after_insert after insert on dogs begin
+            update cats set name = new.name where id = new.id;
+            insert into log (message) values (new.name);
+        end;
+        create trigger dog_names_instead_of_update instead of update on dog_names begin
+            update dogs set name = new.name where id = old.id;
+        end;
+        """)
+    try:
+        yield conn
+    finally:
+        conn.close()
+
+
+def table_operation_tuples(analysis):
+    return [
+        (
+            operation.operation,
+            operation.database,
+            operation.sqlite_schema,
+            operation.table,
+            operation.columns,
+            operation.source,
+        )
+        for operation in analysis.operations
+        if operation.target_type == "table"
+        and operation.operation in {"read", "insert", "update", "delete"}
+        and not operation.internal
+    ]
+
+
+def test_analyze_select_tables(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "select dogs.name, cats.name from dogs join cats on dogs.id = cats.id where dogs.age > ?",
+        (2,),
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("read", "data", "main", "cats", ("id", "name"), None),
+        ("read", "data", "main", "dogs", ("age", "id", "name"), None),
+    }
+
+
+def test_analyze_uses_sqlite_schema_as_default_database(conn):
+    analysis = analyze_sql_tables(conn, "select name from dogs")
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("read", "main", "main", "dogs", ("name",), None),
+    }
+
+
+def test_analyze_user_schema_table_read_is_not_internal(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "insert into log select sql from sqlite_master where name = 'dogs'",
+        database_name="data",
+    )
+
+    assert {
+        "operation": "read",
+        "target_type": "schema",
+        "database": "data",
+        "sqlite_schema": "main",
+        "table": None,
+        "target": "sqlite_master",
+        "columns": ("name", "sql"),
+        "source": None,
+        "internal": False,
+    } in [operation_dict(operation) for operation in analysis.operations]
+
+
+def operation_dict(operation):
+    return {
+        "operation": operation.operation,
+        "target_type": operation.target_type,
+        "database": operation.database,
+        "sqlite_schema": operation.sqlite_schema,
+        "table": operation.table,
+        "target": operation.target,
+        "columns": operation.columns,
+        "source": operation.source,
+        "internal": operation.internal,
+    }
+
+
+def test_analyze_create_table_operation():
+    conn = sqlite3.connect(":memory:")
+    try:
+        analysis = analyze_sql_tables(
+            conn,
+            "create table foobar (id integer primary key, name text)",
+            database_name="data",
+        )
+    finally:
+        conn.close()
+
+    assert {
+        "operation": "create",
+        "target_type": "table",
+        "database": "data",
+        "sqlite_schema": "main",
+        "table": "foobar",
+        "target": "foobar",
+        "columns": (),
+        "source": None,
+        "internal": False,
+    } in [operation_dict(operation) for operation in analysis.operations]
+    assert not [
+        operation
+        for operation in analysis.operations
+        if operation.table in {"sqlite_master", "sqlite_schema"}
+        and not operation.internal
+    ]
+
+
+def test_analyze_vacuum_operation():
+    conn = sqlite3.connect(":memory:")
+    try:
+        analysis = analyze_sql_tables(conn, "vacuum", database_name="data")
+    finally:
+        conn.close()
+
+    assert [operation_dict(operation) for operation in analysis.operations] == [
+        {
+            "operation": "vacuum",
+            "target_type": "database",
+            "database": "data",
+            "sqlite_schema": "main",
+            "table": None,
+            "target": "data",
+            "columns": (),
+            "source": None,
+            "internal": False,
+        }
+    ]
+
+
+def test_analyze_statement_with_no_authorizer_callbacks_is_unknown():
+    conn = sqlite3.connect(":memory:")
+    try:
+        analysis = analyze_sql_tables(conn, "reindex", database_name="data")
+    finally:
+        conn.close()
+
+    assert [operation_dict(operation) for operation in analysis.operations] == [
+        {
+            "operation": "unknown",
+            "target_type": "statement",
+            "database": "data",
+            "sqlite_schema": None,
+            "table": None,
+            "target": None,
+            "columns": (),
+            "source": None,
+            "internal": False,
+        }
+    ]
+
+
+def test_analyze_transaction_operation(conn):
+    analysis = analyze_sql_tables(conn, "commit", database_name="data")
+
+    assert [operation_dict(operation) for operation in analysis.operations] == [
+        {
+            "operation": "commit",
+            "target_type": "transaction",
+            "database": None,
+            "sqlite_schema": None,
+            "table": None,
+            "target": "COMMIT",
+            "columns": (),
+            "source": None,
+            "internal": False,
+        }
+    ]
+
+
+def test_analyze_savepoint_operation(conn):
+    analysis = analyze_sql_tables(conn, "savepoint s", database_name="data")
+
+    assert [operation_dict(operation) for operation in analysis.operations] == [
+        {
+            "operation": "savepoint",
+            "target_type": "transaction",
+            "database": None,
+            "sqlite_schema": None,
+            "table": None,
+            "target": "BEGIN s",
+            "columns": (),
+            "source": None,
+            "internal": False,
+        }
+    ]
+
+
+def test_analyze_function_operation(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "insert into dogs (name) values (upper(:name))",
+        {"name": "Cleo"},
+        database_name="data",
+    )
+
+    assert {
+        (
+            operation.operation,
+            operation.target_type,
+            operation.target,
+            operation.database,
+            operation.table,
+        )
+        for operation in analysis.operations
+    } == {
+        ("insert", "table", "dogs", "data", "dogs"),
+        ("function", "function", "upper", None, None),
+        ("read", "table", "dogs", "data", "dogs"),
+        ("update", "table", "cats", "data", "cats"),
+        ("read", "table", "cats", "data", "cats"),
+        ("insert", "table", "log", "data", "log"),
+    }
+
+
+def test_analyze_create_virtual_table_operation():
+    conn = sqlite3.connect(":memory:")
+    try:
+        analysis = analyze_sql_tables(
+            conn,
+            "create virtual table docs using fts5(body)",
+            database_name="data",
+        )
+    finally:
+        conn.close()
+
+    assert {
+        "operation": "create",
+        "target_type": "virtual-table",
+        "database": "data",
+        "sqlite_schema": "main",
+        "table": "docs",
+        "target": "docs",
+        "columns": (),
+        "source": None,
+        "internal": False,
+    } in [operation_dict(operation) for operation in analysis.operations]
+
+
+def test_analyze_table_kind_for_regular_virtual_and_shadow_tables():
+    conn = sqlite3.connect(":memory:")
+    try:
+        conn.executescript("""
+            create table dogs (id integer primary key, name text);
+            create virtual table docs using fts5(title, body, content='');
+        """)
+
+        regular_analysis = analyze_sql_tables(
+            conn,
+            "insert into dogs (name) values ('Cleo')",
+            database_name="data",
+        )
+        virtual_analysis = analyze_sql_tables(
+            conn,
+            "insert into docs(docs) values('delete-all')",
+            database_name="data",
+        )
+        shadow_analysis = analyze_sql_tables(
+            conn,
+            "insert into docs_config(k, v) values ('x', 1)",
+            database_name="data",
+        )
+    finally:
+        conn.close()
+
+    regular_insert = next(
+        operation
+        for operation in regular_analysis.operations
+        if operation.operation == "insert" and operation.table == "dogs"
+    )
+    virtual_insert = next(
+        operation
+        for operation in virtual_analysis.operations
+        if operation.operation == "insert" and operation.table == "docs"
+    )
+    shadow_insert = next(
+        operation
+        for operation in shadow_analysis.operations
+        if operation.operation == "insert" and operation.table == "docs_config"
+    )
+
+    assert regular_insert.table_kind == "table"
+    assert virtual_insert.table_kind == "virtual"
+    assert shadow_insert.table_kind == "shadow"
+
+
+def test_analyze_create_table_as_select_function_is_not_internal():
+    conn = sqlite3.connect(":memory:")
+    try:
+        conn.execute("create table secret(value text)")
+        analysis = analyze_sql_tables(
+            conn,
+            "create table copied as select substr(value, 1, 1) from secret",
+            database_name="data",
+        )
+    finally:
+        conn.close()
+
+    assert {
+        "operation": "function",
+        "target_type": "function",
+        "database": None,
+        "sqlite_schema": None,
+        "table": None,
+        "target": "substr",
+        "columns": (),
+        "source": None,
+        "internal": False,
+    } in [operation_dict(operation) for operation in analysis.operations]
+
+
+def test_analyze_insert_tables(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "insert into dogs (name, age) values (:name, :age)",
+        {"name": "Cleo", "age": 4},
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("insert", "data", "main", "dogs", (), None),
+        ("read", "data", "main", "dogs", ("id", "name"), "dogs_after_insert"),
+        ("update", "data", "main", "cats", ("name",), "dogs_after_insert"),
+        ("read", "data", "main", "cats", ("id",), "dogs_after_insert"),
+        ("insert", "data", "main", "log", (), "dogs_after_insert"),
+    }
+
+
+def test_analyze_update_tables(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "update dogs set age = age + 1 where name = ?",
+        ("Cleo",),
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("update", "data", "main", "dogs", ("age",), None),
+        ("read", "data", "main", "dogs", ("age", "name"), None),
+    }
+
+
+def test_analyze_delete_tables(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "delete from dogs where name = ?",
+        ("Cleo",),
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("delete", "data", "main", "dogs", (), None),
+        ("read", "data", "main", "dogs", ("name",), None),
+    }
+
+
+def test_analyze_insert_select_with_cte(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        """
+        with old_dogs as (
+            select name from dogs where age > :age
+        )
+        insert into cats (name)
+        select name from old_dogs
+        """,
+        {"age": 10},
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("insert", "data", "main", "cats", (), None),
+        ("read", "data", "main", "dogs", ("age", "name"), "old_dogs"),
+    }
+
+
+def test_analyze_view_with_instead_of_trigger(conn):
+    analysis = analyze_sql_tables(
+        conn,
+        "update dog_names set name = :name where id = :id",
+        {"name": "Zelda", "id": 1},
+        database_name="data",
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("update", "data", "main", "dog_names", ("name",), None),
+        ("read", "data", "main", "dogs", ("id", "name"), "dog_names"),
+        ("read", "data", "main", "dog_names", ("id", "name"), "dog_names"),
+        (
+            "read",
+            "data",
+            "main",
+            "dog_names",
+            ("id", "name"),
+            "dog_names_instead_of_update",
+        ),
+        ("update", "data", "main", "dogs", ("name",), "dog_names_instead_of_update"),
+        ("read", "data", "main", "dogs", ("id",), "dog_names_instead_of_update"),
+    }
+
+
+def test_analyze_attached_database_tables(conn):
+    conn.execute("attach database ':memory:' as extra")
+    conn.execute("create table extra.people (id integer primary key, name text)")
+
+    analysis = analyze_sql_tables(
+        conn,
+        "insert into extra.people (name) select name from dogs",
+        database_name="data",
+        schema_to_database={"extra": "extra_db"},
+    )
+
+    assert set(table_operation_tuples(analysis)) == {
+        ("insert", "extra_db", "extra", "people", (), None),
+        ("read", "data", "main", "dogs", ("name",), None),
+    }
+
+
+def test_analyze_clears_authorizer_on_error():
+    class FakeConnection:
+        def __init__(self):
+            self.authorizers = []
+
+        def set_authorizer(self, authorizer):
+            self.authorizers.append(authorizer)
+
+        def execute(self, sql, params):
+            raise sqlite3.OperationalError("bad SQL")
+
+    conn = FakeConnection()
+
+    with pytest.raises(sqlite3.OperationalError):
+        analyze_sql_tables(conn, "bad SQL")
+
+    assert conn.authorizers[-1] is None
diff --git a/tests/test_write_sql_operation_decisions.py b/tests/test_write_sql_operation_decisions.py
new file mode 100644
index 00000000..cc19f701
--- /dev/null
+++ b/tests/test_write_sql_operation_decisions.py
@@ -0,0 +1,94 @@
+import pytest
+
+from datasette.utils.sql_analysis import Operation
+from datasette.write_sql import (
+    IgnoreWriteSqlOperation,
+    RejectWriteSqlOperation,
+    RequireWriteSqlPermissions,
+    UnsupportedWriteSqlOperation,
+    decision_for_write_sql_operation,
+)
+
+
+@pytest.mark.parametrize(
+    ("operation", "reason"),
+    (
+        pytest.param(
+            Operation("read", "schema", None, None, "main", internal=True),
+            "internal SQLite operation",
+            id="internal",
+        ),
+        pytest.param(
+            Operation("select", "statement", None, None, None),
+            "select statement",
+            id="select-statement",
+        ),
+        pytest.param(
+            Operation("function", "function", None, None, None, target="upper"),
+            "SQL function",
+            id="function",
+        ),
+    ),
+)
+def test_decision_for_write_sql_operation_ignores_operations(operation, reason):
+    decision = decision_for_write_sql_operation(operation)
+
+    assert isinstance(decision, IgnoreWriteSqlOperation)
+    assert decision.reason == reason
+
+
+@pytest.mark.parametrize("operation", ("insert", "update"))
+def test_decision_for_write_sql_operation_requires_table_write_permissions(operation):
+    decision = decision_for_write_sql_operation(
+        Operation(operation, "table", "data", "dogs", None)
+    )
+
+    assert isinstance(decision, RequireWriteSqlPermissions)
+    assert [permission.action for permission in decision.permissions] == [
+        "insert-row",
+        "update-row",
+        "delete-row",
+    ]
+    assert [str(permission.resource) for permission in decision.permissions] == [
+        "data/dogs",
+        "data/dogs",
+        "data/dogs",
+    ]
+
+
+@pytest.mark.parametrize(
+    ("operation", "message"),
+    (
+        pytest.param(
+            Operation("vacuum", "statement", None, None, None),
+            "VACUUM is not allowed in user-supplied SQL",
+            id="vacuum",
+        ),
+        pytest.param(
+            Operation("insert", "table", "data", "docs", None, table_kind="virtual"),
+            "Writes to virtual tables are not allowed in user-supplied SQL",
+            id="virtual-table",
+        ),
+        pytest.param(
+            Operation(
+                "insert", "table", "data", "docs_data", None, table_kind="shadow"
+            ),
+            "Writes to shadow tables are not allowed in user-supplied SQL",
+            id="shadow-table",
+        ),
+    ),
+)
+def test_decision_for_write_sql_operation_rejects_operations(operation, message):
+    decision = decision_for_write_sql_operation(operation)
+
+    assert isinstance(decision, RejectWriteSqlOperation)
+    assert decision.message == message
+
+
+def test_decision_for_write_sql_operation_reports_unsupported_operations():
+    decision = decision_for_write_sql_operation(
+        Operation("unknown", "unknown", None, None, None)
+    )
+
+    assert isinstance(decision, UnsupportedWriteSqlOperation)
+    assert decision.message == "Unsupported SQL operation: unknown unknown"
diff --git a/tests/test_write_wrapper.py b/tests/test_write_wrapper.py
index 55e0461e..88ce5520 100644
--- a/tests/test_write_wrapper.py
+++ b/tests/test_write_wrapper.py
@@ -2,7 +2,10 @@
 Tests for the write_wrapper plugin hook.
 """
 
+import asyncio
+from dataclasses import dataclass
 from datasette.app import Datasette
+from datasette.events import Event
 from datasette.hookspecs import hookimpl
 from datasette.plugins import pm
 import pytest
@@ -10,6 +13,12 @@ import sqlite3
 import time
 
 
+@dataclass
+class DummyEvent(Event):
+    name = "dummy"
+    message: str
+
+
 @pytest.fixture
 def datasette(tmp_path):
     db_path = str(tmp_path / "test.db")
@@ -477,3 +486,283 @@ async def test_write_wrapper_set_authorizer(datasette, actor, table, should_deny
             assert result.rows[0][0] == "test"
     finally:
         pm.unregister(name="test_set_authorizer")
+
+
+# --- Tests for track_event callback ---
+
+
+@pytest.fixture
+def ds_with_event_tracking(tmp_path):
+    """Datasette instance that records tracked events and registers DummyEvent."""
+    db_path = str(tmp_path / "test.db")
+    ds = Datasette([db_path])
+    ds._tracked_events = []
+    # Set event_classes directly to avoid needing invoke_startup
+    ds.event_classes = (DummyEvent,)
+
+    async def recording_track_event(event):
+        ds._tracked_events.append(event)
+
+    ds.track_event = recording_track_event
+
+    yield ds
+    ds.close()
+
+
+@pytest.mark.asyncio
+async def test_track_event_in_write_fn(ds_with_event_tracking):
+    """fn(conn, track_event) can queue events that are dispatched after commit."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    def my_write(conn, track_event):
+        conn.execute("create table if not exists te1 (id integer primary key)")
+        track_event(DummyEvent(actor=None, message="hello"))
+
+    await db.execute_write_fn(my_write)
+    assert len(ds._tracked_events) == 1
+    assert ds._tracked_events[0].message == "hello"
+
+
+@pytest.mark.asyncio
+async def test_track_event_discarded_on_exception(ds_with_event_tracking):
+    """Events are discarded if the write fn raises an exception."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    def my_write(conn, track_event):
+        track_event(DummyEvent(actor=None, message="should not fire"))
+        raise ValueError("deliberate error")
+
+    with pytest.raises(ValueError, match="deliberate"):
+        await db.execute_write_fn(my_write)
+    assert len(ds._tracked_events) == 0
+
+
+@pytest.mark.asyncio
+async def test_track_event_existing_fn_signature_still_works(ds_with_event_tracking):
+    """Existing fn(conn) signatures continue to work without track_event."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    await db.execute_write_fn(
+        lambda conn: conn.execute(
+            "create table if not exists te2 (id integer primary key)"
+        )
+    )
+    # No events, no errors
+    assert len(ds._tracked_events) == 0
+
+
+@pytest.mark.asyncio
+async def test_track_event_in_write_wrapper(ds_with_event_tracking):
+    """write_wrapper generator with (conn, track_event) can queue events."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    class Plugin:
+        __name__ = "Plugin"
+
+        @staticmethod
+        @hookimpl
+        def write_wrapper(datasette, database, request, transaction):
+            def wrapper(conn, track_event):
+                track_event(DummyEvent(actor=None, message="from wrapper before"))
+                yield
+                track_event(DummyEvent(actor=None, message="from wrapper after"))
+
+            return wrapper
+
+    pm.register(Plugin(), name="test_track_wrapper")
+    try:
+        await db.execute_write_fn(
+            lambda conn: conn.execute(
+                "create table if not exists te3 (id integer primary key)"
+            )
+        )
+        assert len(ds._tracked_events) == 2
+        assert ds._tracked_events[0].message == "from wrapper before"
+        assert ds._tracked_events[1].message == "from wrapper after"
+    finally:
+        pm.unregister(name="test_track_wrapper")
+
+
+@pytest.mark.asyncio
+async def test_track_event_shared_between_fn_and_wrapper(ds_with_event_tracking):
+    """Both fn and wrapper can queue events, all dispatched in order."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    class Plugin:
+        __name__ = "Plugin"
+
+        @staticmethod
+        @hookimpl
+        def write_wrapper(datasette, database, request, transaction):
+            def wrapper(conn, track_event):
+                track_event(DummyEvent(actor=None, message="wrapper-before"))
+                yield
+                track_event(DummyEvent(actor=None, message="wrapper-after"))
+
+            return wrapper
+
+    pm.register(Plugin(), name="test_track_shared")
+    try:
+
+        def my_write(conn, track_event):
+            conn.execute("create table if not exists te4 (id integer primary key)")
+            track_event(DummyEvent(actor=None, message="from-fn"))
+
+        await db.execute_write_fn(my_write)
+        messages = [e.message for e in ds._tracked_events]
+        assert messages == ["wrapper-before", "from-fn", "wrapper-after"]
+    finally:
+        pm.unregister(name="test_track_shared")
+
+
+@pytest.mark.asyncio
+async def test_track_event_with_block_false(ds_with_event_tracking):
+    """Events are dispatched even when block=False (non-blocking writes)."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    def my_write(conn, track_event):
+        conn.execute("create table if not exists te5 (id integer primary key)")
+        track_event(DummyEvent(actor=None, message="non-blocking"))
+
+    task_id = await db.execute_write_fn(my_write, block=False)
+    assert task_id is not None
+
+    # Give the background task time to complete
+    for _ in range(50):
+        if ds._tracked_events:
+            break
+        await asyncio.sleep(0.01)
+
+    assert len(ds._tracked_events) == 1
+    assert ds._tracked_events[0].message == "non-blocking"
+
+
+@pytest.mark.asyncio
+async def test_track_event_with_block_false_discarded_on_exception(
+    ds_with_event_tracking,
+):
+    """Events queued by a non-blocking write are discarded if the write fails."""
+    ds = ds_with_event_tracking
+    db = ds.get_database("test")
+
+    def my_write(conn, track_event):
+        track_event(DummyEvent(actor=None, message="should not fire"))
+        raise ValueError("deliberate error")
+
+    task_id = await db.execute_write_fn(my_write, block=False)
+    assert task_id is not None
+
+    # A following blocking write proves the failed non-blocking task has
+    # completed; one more loop turn lets its event-dispatch task observe the
+    # exception and exit.
+    await db.execute_write_fn(lambda conn: conn.execute("select 1"))
+    await asyncio.sleep(0)
+
+    assert ds._tracked_events == []
+
+
+# --- Tests for RenameTableEvent detection ---
+
+
+@pytest.fixture
+def ds_for_rename(tmp_path):
+    """Datasette instance that records tracked events for rename detection tests."""
+    from datasette.events import RenameTableEvent
+
+    db_path = str(tmp_path / "test.db")
+    ds = Datasette([db_path])
+    ds._tracked_events = []
+    ds.event_classes = (RenameTableEvent,)
+
+    async def recording_track_event(event):
+        ds._tracked_events.append(event)
+
+    ds.track_event = recording_track_event
+    return ds
+
+
+@pytest.mark.asyncio
+async def test_rename_table_fires_event(ds_for_rename):
+    """Renaming a table via ALTER TABLE fires a RenameTableEvent."""
+    from datasette.events import RenameTableEvent
+
+    ds = ds_for_rename
+    db = ds.get_database("test")
+
+    await db.execute_write("create table old_name (id integer primary key)")
+
+    def rename(conn):
+        conn.execute("alter table old_name rename to new_name")
+
+    await db.execute_write_fn(rename)
+
+    rename_events = [e for e in ds._tracked_events if isinstance(e, RenameTableEvent)]
+    assert len(rename_events) == 1
+    assert rename_events[0].old_table == "old_name"
+    assert rename_events[0].new_table == "new_name"
+    assert rename_events[0].database == "test"
+
+
+@pytest.mark.asyncio
+async def test_no_rename_event_for_regular_writes(ds_for_rename):
+    """Regular writes (CREATE, INSERT) do not fire RenameTableEvent."""
+    from datasette.events import RenameTableEvent
+
+    ds = ds_for_rename
+    db = ds.get_database("test")
+
+    await db.execute_write("create table t (id integer primary key)")
+    await db.execute_write_fn(lambda conn: conn.execute("insert into t values (1)"))
+
+    rename_events = [e for e in ds._tracked_events if isinstance(e, RenameTableEvent)]
+    assert len(rename_events) == 0
+
+
+@pytest.mark.asyncio
+async def test_no_rename_event_on_rollback(ds_for_rename):
+    """RenameTableEvent is not fired if the write raises an exception."""
+    from datasette.events import RenameTableEvent
+
+    ds = ds_for_rename
+    db = ds.get_database("test")
+
+    await db.execute_write("create table rollback_test (id integer primary key)")
+
+    def rename_then_fail(conn):
+        conn.execute("alter table rollback_test rename to renamed")
+        raise ValueError("deliberate error")
+
+    with pytest.raises(ValueError, match="deliberate"):
+        await db.execute_write_fn(rename_then_fail)
+
+    rename_events = [e for e in ds._tracked_events if isinstance(e, RenameTableEvent)]
+    assert len(rename_events) == 0
+
+
+@pytest.mark.asyncio
+async def test_multiple_renames_in_one_write(ds_for_rename):
+    """Multiple renames in a single write fire multiple RenameTableEvents."""
+    from datasette.events import RenameTableEvent
+
+    ds = ds_for_rename
+    db = ds.get_database("test")
+
+    await db.execute_write("create table alpha (id integer primary key)")
+    await db.execute_write("create table beta (id integer primary key)")
+
+    def rename_both(conn):
+        conn.execute("alter table alpha rename to alpha2")
+        conn.execute("alter table beta rename to beta2")
+
+    await db.execute_write_fn(rename_both)
+
+    rename_events = [e for e in ds._tracked_events if isinstance(e, RenameTableEvent)]
+    assert len(rename_events) == 2
+    names = {(e.old_table, e.new_table) for e in rename_events}
+    assert names == {("alpha", "alpha2"), ("beta", "beta2")}
diff --git a/tests/utils.py b/tests/utils.py
index e2d9339a..808feea7 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -34,7 +34,9 @@ def inner_html(soup):
 
 def has_load_extension():
     conn = sqlite3.connect(":memory:")
-    return hasattr(conn, "enable_load_extension")
+    result = hasattr(conn, "enable_load_extension")
+    conn.close()
+    return result
 
 
 def cookie_was_deleted(response, cookie):