fix(dev): point TENANT_REGISTRY_URL at :8090

Unblock local dev: Keycloak owns :8080, so tenant-registry shifts to :8090. Prod is functionally unchanged.

Refs: M5.1

.env.example

@@ -0,0 +1,19 @@
+# portal — local dev environment.
+# Copy to .env.local (gitignored).
+
+# Tenant Registry — see platform/tenant-registry. Run `make dev` there.
+TENANT_REGISTRY_URL=http://localhost:8090
+
+# Keycloak (dev stack from platform/orca-platform/dev).
+KEYCLOAK_ISSUER=http://localhost:8080/realms/breakpilot-dev
+KEYCLOAK_CLIENT_ID=dev-portal
+# Public PKCE client — secret is structurally required by Auth.js but unused
+# at the OAuth code-exchange step. Any non-empty placeholder works in dev.
+KEYCLOAK_CLIENT_SECRET=unused-public-client
+
+# Auth.js v5 — required for JWT signing.
+# Generate with: openssl rand -base64 32
+AUTH_SECRET=dev-secret-change-me-do-not-ship-replace-with-32-byte-random
+AUTH_URL=http://localhost:3000
+
+# In prod we'd set AUTH_TRUST_HOST=true behind orca-proxy; dev is loopback so leave unset.

src/lib/tenant-registry.test.ts

@@ -48,7 +48,7 @@ describe("fetchTenantBySlug", () => {
     globalThis.fetch = fetchSpy;
     await fetchTenantBySlug("acme");
     expect(fetchSpy).toHaveBeenCalledWith(
-      "http://localhost:8080/v1/tenants/by-slug/acme",
+      "http://localhost:8090/v1/tenants/by-slug/acme",
       expect.any(Object),
     );
   });

src/lib/tenant-registry.ts

@@ -13,7 +13,7 @@ export type Tenant = {
 };
 
 function baseUrl(): string {
-  return process.env.TENANT_REGISTRY_URL ?? "http://localhost:8080";
+  return process.env.TENANT_REGISTRY_URL ?? "http://localhost:8090";
 }
 
 export async function fetchTenantBySlug(slug: string): Promise<Tenant | null> {