refactor(api): descriptive closure params; exhaustive FieldError match; field-endpoint auth tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/api/tests/admin_objects.rs

@@ -454,3 +454,41 @@ async fn create_requires_auth(pool: PgPool) {
         .unwrap();
     assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
 }
+
+#[sqlx::test(migrations = "../db/migrations")]
+async fn field_endpoints_require_auth(pool: PgPool) {
+    migrate_sessions(&db::Db::from_pool(pool.clone()))
+        .await
+        .unwrap();
+
+    let app = build_app(state(pool));
+
+    let defs = app
+        .clone()
+        .oneshot(
+            Request::builder()
+                .uri("/api/admin/field-definitions")
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    let set = app
+        .oneshot(
+            Request::builder()
+                .method("PUT")
+                .uri(format!(
+                    "/api/admin/objects/{}/fields",
+                    domain::ObjectId::new()
+                ))
+                .header(header::CONTENT_TYPE, "application/json")
+                .body(Body::from(r#"{"k":"v"}"#))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(defs.status(), StatusCode::UNAUTHORIZED);
+    assert_eq!(set.status(), StatusCode::UNAUTHORIZED);
+}