All pages: manifest link, apple-mobile-web-app meta tags, theme-color, viewport-fit=cover, overscroll-behavior:none, safe-area padding, 16px input font-size to prevent iOS zoom, SW registration. admin.html: card-per-entry layout on small screens (d-md-none) with name, location, timestamp, newsletter status, email, comment, and delete button. Desktop table unchanged (d-none d-md-block).
Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token hidden fields to all four POST forms (login, delete entry, add user, delete user, and the public guestbook form). Exempts the API endpoint which uses header-based key auth instead.
steve