From 71604c6e414c1da421780462d32c67b71ce68c28 Mon Sep 17 00:00:00 2001
From: Codex Agent
Date: Sat, 24 Jan 2026 20:54:23 +0100
Subject: [PATCH] Fix CSP nonce timing for admin styles
---
 app/Http/Middleware/ContentSecurityPolicy.php | 1 +
 resources/js/admin/main.tsx | 10 +---------
 resources/js/admin/nonce.ts | 9 +++++++++
 3 files changed, 11 insertions(+), 9 deletions(-)
 create mode 100644 resources/js/admin/nonce.ts
diff --git a/app/Http/Middleware/ContentSecurityPolicy.php b/app/Http/Middleware/ContentSecurityPolicy.php
index 81f21fb..8009ef5 100644
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -123,6 +123,7 @@ class ContentSecurityPolicy
 'default-src' => ["'self'"],
 'script-src' => array_unique($scriptSources),
 'style-src' => array_unique($styleSources),
+ 'style-src-attr' => ["'unsafe-inline'"],
 'img-src' => array_unique($imgSources),
 'font-src' => array_unique($fontSources),
 'connect-src' => array_unique($connectSources),
diff --git a/resources/js/admin/main.tsx b/resources/js/admin/main.tsx
index fcad95a..a574aa0 100644
--- a/resources/js/admin/main.tsx
+++ b/resources/js/admin/main.tsx
@@ -1,10 +1,10 @@
+import './nonce';
 import React, { Suspense } from 'react';
 import { createRoot } from 'react-dom/client';
 import { RouterProvider } from 'react-router-dom';
 import { Toaster } from 'react-hot-toast';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { TamaguiProvider, Theme } from '@tamagui/core';
-import { setNonce } from '@tamagui/web';
 import '@tamagui/core/reset.css';
 import tamaguiConfig from '../../../tamagui.config';
 import { AuthProvider } from './auth/context';
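Review bot: In ContentSecurityPolicy.php the new `'style-src-attr' => ["'unsafe-inline'"]` entry is unconditional, unlike the neighbouring directives that are built from computed source lists, so as far as this hunk shows it is sent on every response the middleware handles and not only on the admin SPA the commit title refers to. That permits any inline `style` attribute on those pages, so injected markup is no longer held back by the nonce-based `style-src` for attribute styling. Consider adding the directive only for admin routes, and document the exception next to it, for example `// Admin UI sets inline style="" attributes, which cannot carry a nonce; <style> elements stay nonce-gated via style-src.` The enclosing method starts and ends outside the hunk, so any route scoping done earlier in it is not visible here.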
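Review bot: The added `import './nonce';` at the top of main.tsx is order-sensitive but carries no comment saying so; the fix appears to rely on this side-effect module being evaluated before `@tamagui/core` and the rest of the import list. An import sorter or a later edit could move it down and silently bring back the CSP timing problem. A one-line comment above it would protect the ordering, for example `// Must remain the first import: registers the CSP style nonce before any Tamagui module injects <style> tags.` If the project runs an import-order lint rule, this line should also be exempted from it.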
@@ -24,14 +24,6 @@ const DevTenantSwitcher = React.lazy(() => import('./DevTenantSwitcher')); const enableDevSwitcher = import.meta.env.DEV || import.meta.env.VITE_ENABLE_TENANT_SWITCHER === 'true'; -const styleNonce = document - .querySelector('meta[name="csp-style-nonce"]') - ?.getAttribute('content'); - -if (styleNonce) { - setNonce(styleNonce); -} - initializeTheme(); initSentry('admin'); const rootEl = document.getElementById('root')!;
diff --git a/resources/js/admin/nonce.ts b/resources/js/admin/nonce.ts
new file mode 100644
index 0000000..4e66e58
--- /dev/null
+++ b/resources/js/admin/nonce.ts
@@ -0,0 +1,9 @@
+import { setNonce } from '@tamagui/web';
+
+const styleNonce = document
+ .querySelector('meta[name="csp-style-nonce"]')
+ ?.getAttribute('content');
+
+if (styleNonce) {
+ setNonce(styleNonce);
+}
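Review bot: In the new nonce.ts, a missing or empty `csp-style-nonce` meta tag makes the `if (styleNonce)` branch a silent no-op, so the first symptom would be CSP violations for every injected style element with nothing pointing back at this file. A development-time signal would make that failure easy to diagnose, for example `else if (import.meta.env.DEV) { console.warn('csp-style-nonce meta tag not found; injected styles will be blocked by CSP'); }` (main.tsx already reads `import.meta.env.DEV`, so the flag should be available here too). The file would also benefit from a short header comment saying that it exists only for its side effect and must be imported before any other Tamagui module.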