a1d02051de
`bffUnauthorizedInterceptor` calls `AuthService.refresh()` on every 401 from a BFF route, and explicitly skips the `/me` endpoint to avoid an infinite loop (the bootstrap /me legitimately 401s when anonymous). The skip target was hardcoded to `/auth/me`, which matched portal-shell but missed portal-admin's `/admin/auth/me`. Symptom: opening portal-admin while anonymous fires the bootstrap /me → 401 → interceptor sees the URL is NOT `/auth/me` → calls refresh() → fires another /me → 401 → loop. Hits the 120/min general rate limiter in seconds; the user lands on a `rate_limited` error instead of the "Sign in" panel. Fix: derive the skip URL from `AUTH_PATH_PREFIX` so it matches the surface the host is on (`/auth/me` for portal-shell, `/admin/auth/me` for portal-admin). The token is already provided by both apps via `app.config.ts`. Tests: +1 regression spec exercising the admin path. The new spec asserts that no follow-up /me is issued after the bootstrap 401 when the prefix is `/admin/auth`.