docs(shared): clarify previewClientIdScriptHtml no-nonce branch

The existing docstring claimed pds-core "doesn't set a CSP on preview
pages", which was misleading — pds-core's /preview/consent route does
set a CSP, it just uses 'unsafe-inline' rather than a nonce. Reword
so the no-nonce branch is explicitly described as for CSPs that allow
inline scripts without a nonce.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: aspiers

packages/shared/src/preview-ui.ts

@@ -487,8 +487,9 @@ const PREVIEW_CLIENT_ID_SCRIPT_BODY = `(function () {
 /**
  * Inline <script> tag that wires the preview index page. If `cspNonce` is
  * passed, the tag is stamped with `nonce="..."` so it passes a
- * `script-src 'nonce-...'` CSP; otherwise it's emitted bare (for services
- * like pds-core that don't set a CSP on preview pages).
+ * `script-src 'nonce-...'` CSP. Otherwise the tag is emitted bare, which
+ * only works for callers whose CSP permits this inline script without a
+ * nonce (e.g. a `script-src` that still includes `'unsafe-inline'`).
  */
 export function previewClientIdScriptHtml(cspNonce?: string): string {
   // escapeHtml defence-in-depth: callers currently pass a base64url