Klyo Changelog

Hotfix for strict Content-Security-Policy breaking the web UI

Hotfix for a regression introduced in v1.9.0. The strict Content-Security-Policy added during the security audit refused every framework script the web tier emitted for hydration, theme, and branding pre-paint, leaving the UI broken with a console full of policy-violation errors.

The web tier now stamps a per-request nonce into the CSP header and applies it to every script tag, preserving the strict policy while allowing the framework’s own scripts to execute. A new browser-based regression suite asserts that every authenticated and unauthenticated page boots without CSP or hydration errors, so a future tightening that forgets to wire nonces fails the build before shipping.
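The nonce wiring and the check a regression test makes on it can be sketched as follows; this is an added example, not Klyo's code, and it scans markup statically rather than driving a browser as the suite described above does. The function names, the policy string, and the sample page are all assumptions constructed for illustration.

```javascript
// Added example: names, policy string and markup are constructed, not Klyo's code.
const { randomBytes } = require('node:crypto');

// Fresh, unpredictable nonce for each response (128 bits, base64-encoded).
function makeNonce() {
  return randomBytes(16).toString('base64');
}

// Assumed strict policy: only scripts carrying this response's nonce may run.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed page with theme, branding and hydration scripts.
// forgetTheme simulates a template that was never wired to the nonce.
function renderPage(nonce, { forgetTheme = false } = {}) {
  const attr = ` nonce="${nonce}"`;
  return [
    '<!doctype html><html><head>',
    `<script${forgetTheme ? '' : attr}>document.documentElement.dataset.theme="dark"</script>`,
    `<script${attr}>window.__BRANDING__={}</script>`,
    '</head><body><div id="app"></div>',
    `<script${attr} src="/static/hydrate.js"></script>`,
    '</body></html>',
  ].join('\n');
}

// Return every <script> opening tag whose nonce is absent or differs from the
// nonce in the header; under the policy above the browser would refuse these.
function findBlockedScripts(cspHeader, html) {
  const m = /script-src[^;]*'nonce-([^']+)'/.exec(cspHeader);
  if (!m) throw new Error('CSP has no script-src nonce');
  const blocked = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const n = /\bnonce="([^"]*)"/i.exec(tag);
    if (!n || n[1] !== m[1]) blocked.push(tag);
  }
  return blocked;
}

// Demo: the un-nonced theme script is reported.
const demoNonce = makeNonce();
console.log(findBlockedScripts(buildCsp(demoNonce), renderPage(demoNonce, { forgetTheme: true })));
```

A nonce reused from an earlier response fails the same check, which is why the value has to be generated per request and shared between the header and the renderer.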

Customers who upgraded to v1.9.0 should upgrade directly to v1.9.1.1.