Fix CSP error for Pylon chat widget inline script (#9248)

Add the SHA-256 hash of the inline script injected by the Pylon widget
at runtime to the `script-src` CSP directive. SvelteKit's hash mode only
covers build-time inline scripts; Pylon's runtime-injected script needs
its hash listed explicitly.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

web-admin/svelte.config.js

@@ -42,6 +42,9 @@ const config = {
           "https://*.app-us1.com/",
           "https://*.usepylon.com",
           "https://*.pusher.com",
+          // Hash of the inline script injected by the Pylon chat widget at runtime.
+          // If Pylon updates their widget, this hash may need to be refreshed.
+          "sha256-q7DzCTpmdcQlqCarsIE22KTL5subp7TPBUdWqrL6HJw=",
         ],
         // style-src keeps 'unsafe-inline': runtime style injection from
         // CodeMirror and other libraries cannot be hash-attributed.