Fix SMS settings JS: add CSP nonce to inline script, update tests for toggle-hidden behavior

The inline script lacked a nonce and was blocked by the enforced CSP
(application_controller#set_csp uses a nonce'd script-src), so the toggle
and provider-switching handlers never ran. Add the standard
content_security_policy_nonce attribute, matching other inline scripts
(e.g. scripts/_autosize_field). Update the two original tests that assumed
the provider section is always visible, since it is now correctly hidden
when SMS is disabled.

app/views/sms_settings/index.html.erb

@@ -198,7 +198,7 @@
   <div class="w-0 md:w-52"></div>
 </div>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
 (function() {
   function ready(fn) {
     if (document.readyState !== 'loading') {

spec/system/sms_settings_spec.rb

@@ -9,6 +9,16 @@ RSpec.describe 'SMS Settings' do
   end
 
   it 'shows the SMS settings page with provider form and all provider blocks' do
+    create(:encrypted_config,
+           account:,
+           key: EncryptedConfig::SMS_CONFIGS_KEY,
+           value: {
+             'enabled' => true,
+             'provider' => 'bulkvs',
+             'basic_auth_token' => 'tok',
+             'from_number' => '15551234567'
+           })
+
     visit settings_sms_path
 
     expect(page).to have_content('SMS')
@@ -21,7 +31,7 @@ RSpec.describe 'SMS Settings' do
     visit settings_sms_path
 
     expect(page).to have_css("input[type='checkbox'].toggle")
-    expect(page).to have_css('select.base-select')
+    expect(page).to have_css('select.base-select', visible: :all)
   end
 
   it 'shows the save button' do