docs(admin): fold admin-origin CORS into phase 3a Task 1

Bas van Rossem
2026-06-17 18:49:16 +02:00
parent 7cdc88e824
commit bb0a0b2a57
2 changed files with 24 additions and 7 deletions

@@ -48,12 +48,16 @@ The admin app is a **client only** — it talks to the existing backend over HTT
bearer token. No DB access. It mirrors `apps/worker`'s toolchain and conventions exactly
so the build can copy proven patterns.
### Backend change (the only one in 3a)
### Backend changes (minimal, in 3a)
- `packages/shared/src/index.ts`: add `role: Role` to `PublicUser` (so `MeResponse.user`
carries it).
- `apps/api/src/routes/me.ts`: include `role` in the response (read from the session user,
default `'worker'`). The worker app ignores the extra field — no worker change needed.
- `apps/api/src/env.ts` + `.env.example`: add `http://localhost:5174` (the admin dev
origin) to the default `WEB_ORIGINS` / `CORS_ORIGINS`. Required because `WEB_ORIGINS`
drives both `hono/cors` and better-auth `trustedOrigins`; the admin app at :5174 calls
the API at :3000 cross-origin and would otherwise be blocked.
## Components
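Review bot: the new `apps/api/src/env.ts` + `.env.example` bullet adds `http://localhost:5174` to the *default* `WEB_ORIGINS` / `CORS_ORIGINS` without saying that this default is meant for development only. The same bullet states that `WEB_ORIGINS` drives both `hono/cors` and better-auth `trustedOrigins`, so any deployment that falls back to the default would accept a localhost origin for CORS and for auth alike. Suggest adding a sentence that production must set the variable explicitly (or that the localhost entry applies only in dev), and naming the one variable that is actually read, since `WEB_ORIGINS` / `CORS_ORIGINS` reads as two separate settings while the rationale only mentions `WEB_ORIGINS`.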