986c3acea1
Caught while reviewing the previous port-correction commit on this branch. The CORS section still pointed to "Add :4201 once portal-admin grows its own dev server" — but portal-admin has its dev server (on :4300, not :4201), and the SPA will hit the BFF with credentials as soon as the admin auth flow lands. Without the origin in the allowlist the browser blocks the call and the developer chases a CORS error instead of getting to work. Updates the example to list both dev origins and points at `apps/<app>/project.json` `serve.options.port` as the source of truth so future readers don't have to grep for it. Local `.env` is on the developer to update — this only touches `.env.example`. Behaviour change is opt-in.