At some point /_tiddlywiki stopped working, so will need to figure that out before making much more progress on TiddlyWikiNeeds.
Turns out this is the result of the recent changes to fat in TiddlyWeb.
Similar changes also needed (and done) in the TiddlySpaceFollowingPlugin.
I extracted the CSRF protection code that bengillies wrote into its own plugin: tiddlywebplugins.csrf. The rationale is that TiddlyWeb is perfectly capable of supporting other apps that might want to do form POSTs, not just TiddlySpace.
Both of the above changes are now in a new tiddlyspace 1.0.91, deployed on tiddlyspace.com.