Unauthenticated path traversal via /api/browse endpoint

Found via code audit. backend/main.py:305 + utils/directory_browser.py:12. /api/browse?path=... accepts any path. No sanitization, no containment, no auth. Full filesystem enumeration.