Images are non-sensitive learning content; removing auth from /assets/:fileId so React app can use URLs directly in <img src>. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Thin proxy between React app and Directus. Admin token stays server-side; clients get own 30-day JWTs. Endpoints: /auth/* register/login/profile/me, /words, /questions, /qa-pairs, /pair, /progress, /assets/:fileId Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>