`bffUnauthorizedInterceptor` calls `AuthService.refresh()` on every
401 from a BFF route, and explicitly skips the `/me` endpoint to
avoid an infinite loop (the bootstrap /me legitimately 401s when
anonymous). The skip target was hardcoded to `/auth/me`, which
matched portal-shell but missed portal-admin's `/admin/auth/me`.
Symptom: opening portal-admin while anonymous fires the bootstrap
/me → 401 → interceptor sees the URL is NOT `/auth/me` → calls
refresh() → fires another /me → 401 → loop. Hits the 120/min
general rate limiter in seconds; the user lands on a `rate_limited`
error instead of the "Sign in" panel.
Fix: derive the skip URL from `AUTH_PATH_PREFIX` so it matches the
surface the host is on (`/auth/me` for portal-shell, `/admin/auth/me`
for portal-admin). The token is already provided by both apps via
`app.config.ts`.
Tests: +1 regression spec exercising the admin path. The new spec
asserts that no follow-up /me is issued after the bootstrap 401
when the prefix is `/admin/auth`.