Add Rosary Builder — custom prayer-sequence sessions

Superuser+ can now build a custom prayer sequence from scratch:
- Two-panel builder UI: step sequence (left) + searchable prayer library (right)
- 16 standard prayers seeded globally; users can create private custom prayers
- Admin can promote private prayers to global and manage the library
- Four attribution modes per step: Leader/All, Leader only, All together, None
- Optional subject name/pronoun for variable substitution in prayers
- Custom sessions fully presented via the existing presenter (auto-split works)
- migrate_v4.php creates custom_prayers + builder_steps tables

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/builder_session.php

@@ -0,0 +1,139 @@
+<?php
+/**
+ * api/builder_session.php — Save or update a custom builder session.
+ * Requires superuser+.
+ *
+ * POST — create or update session + steps
+ * Body JSON: {
+ *   id?           : int          (existing session ID for update)
+ *   name          : string
+ *   is_public     : bool
+ *   subject_name? : string
+ *   subject_pronoun? : 'he'|'she'
+ *   subject_dates? : string
+ *   steps         : [{prayer_id, attribution}, ...]
+ * }
+ */
+require_once __DIR__ . '/../config/db.php';
+require_once __DIR__ . '/../includes/auth.php';
+
+header('Content-Type: application/json');
+
+function json_err(string $msg, int $code = 400): never {
+    http_response_code($code);
+    echo json_encode(['error' => $msg]);
+    exit;
+}
+
+require_auth();
+if (!has_role('superuser')) json_err('Access denied', 403);
+
+$pdo  = get_pdo();
+$user = current_user();
+$uid  = (int)$user['id'];
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') json_err('Method not allowed', 405);
+
+$body = json_decode(file_get_contents('php://input'), true);
+if (!$body) json_err('Invalid JSON');
+
+$name           = trim($body['name'] ?? '');
+$is_public      = (int)!empty($body['is_public']);
+$subject_name   = trim($body['subject_name'] ?? '');
+$subject_pronoun = in_array($body['subject_pronoun'] ?? '', ['he','she']) ? $body['subject_pronoun'] : 'he';
+$subject_dates  = trim($body['subject_dates'] ?? '');
+$steps          = $body['steps'] ?? [];
+$session_id     = (int)($body['id'] ?? 0);
+
+if ($name === '') json_err('Session name is required');
+if (empty($steps)) json_err('Add at least one prayer to your sequence');
+
+$valid_attributions = ['leader_all', 'leader_only', 'all_only', 'none'];
+
+// Validate steps
+foreach ($steps as $i => $step) {
+    $pid = (int)($step['prayer_id'] ?? 0);
+    $att = $step['attribution'] ?? 'leader_all';
+    if (!$pid) json_err("Step " . ($i + 1) . " is missing a prayer");
+    if (!in_array($att, $valid_attributions)) json_err("Invalid attribution on step " . ($i + 1));
+}
+
+// Verify all prayer_ids exist and are accessible
+$prayer_ids = array_unique(array_column($steps, 'prayer_id'));
+$in_placeholders = implode(',', array_fill(0, count($prayer_ids), '?'));
+$valid_stmt = $pdo->prepare("
+    SELECT id FROM custom_prayers
+    WHERE id IN ($in_placeholders)
+      AND (is_global = 1 OR created_by = ?)
+");
+$valid_stmt->execute([...$prayer_ids, $uid]);
+$valid_ids = array_column($valid_stmt->fetchAll(), 'id');
+foreach ($prayer_ids as $pid) {
+    if (!in_array((string)$pid, array_map('strval', $valid_ids))) {
+        json_err("Prayer ID {$pid} not found or not accessible");
+    }
+}
+
+$pdo->beginTransaction();
+try {
+    if ($session_id > 0) {
+        // Update existing session — verify ownership
+        $owner_stmt = $pdo->prepare("SELECT user_id FROM sessions WHERE id = ? AND occasion = 'custom'");
+        $owner_stmt->execute([$session_id]);
+        $existing = $owner_stmt->fetch();
+        if (!$existing) json_err('Session not found', 404);
+        if (!has_role('admin') && (int)$existing['user_id'] !== $uid) json_err('Access denied', 403);
+
+        $slug = unique_slug($name, $uid, 'sessions', $session_id);
+        $pdo->prepare("
+            UPDATE sessions
+            SET name=?, is_public=?, subject_name=?, subject_pronoun=?, subject_dates=?,
+                slug=?, updated_at=NOW()
+            WHERE id=?
+        ")->execute([$name, $is_public, $subject_name ?: null, $subject_pronoun, $subject_dates ?: null, $slug, $session_id]);
+
+        // Replace all steps
+        $pdo->prepare("DELETE FROM builder_steps WHERE session_id = ?")->execute([$session_id]);
+    } else {
+        // Check rosary limit
+        if (!can_create_rosary($uid, (int)$user['rosary_limit'])) {
+            json_err('You have reached your rosary limit. Contact an administrator.');
+        }
+        $slug = unique_slug($name, $uid);
+        $pdo->prepare("
+            INSERT INTO sessions
+                (user_id, is_public, slug, name, occasion, mystery_set,
+                 subject_name, subject_pronoun, subject_dates)
+            VALUES (?, ?, ?, ?, 'custom', 'custom', ?, ?, ?)
+        ")->execute([$uid, $is_public, $slug, $name, $subject_name ?: null, $subject_pronoun, $subject_dates ?: null]);
+        $session_id = (int)$pdo->lastInsertId();
+    }
+
+    // Insert steps
+    $step_stmt = $pdo->prepare(
+        "INSERT INTO builder_steps (session_id, step_order, prayer_id, attribution)
+         VALUES (?, ?, ?, ?)"
+    );
+    foreach ($steps as $order => $step) {
+        $step_stmt->execute([$session_id, $order, (int)$step['prayer_id'], $step['attribution']]);
+    }
+
+    $pdo->commit();
+
+    // Return session URL
+    $user_row = $pdo->prepare("SELECT username FROM users WHERE id = ?");
+    $user_row->execute([$uid]);
+    $username = $user_row->fetchColumn();
+    $present_url = BASE_URL . '/' . rawurlencode($username) . '/' . rawurlencode($slug);
+
+    echo json_encode([
+        'saved'       => true,
+        'session_id'  => $session_id,
+        'slug'        => $slug,
+        'present_url' => $present_url,
+        'edit_url'    => BASE_URL . '/admin/builder.php?id=' . $session_id,
+    ]);
+} catch (Throwable $e) {
+    $pdo->rollBack();
+    json_err('Save failed: ' . $e->getMessage());
+}