The prod CSP emitted script-src 'strict-dynamic' with no nonce seed, blocking every Payload admin script (A8). Reuse the shared nonce-based withSecurityHeaders: Payload admin pages are always dynamically rendered, so Next propagates the nonce read from the forwarded request's CSP header onto the admin's scripts. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>