feat(lessons): «Мои материалы» — ученик сохраняет материалы урока к себе

Ученик на странице «Мои уроки» может сохранить к себе страницу доски (PNG) и свою заметку
из прошлой онлайн-сессии. Копия хранится у ученика и переживает удаление сессии учителем.

- Миграция 060: student_materials (kind board/note/link/image, denormalized source_title,
  source_session_id ON DELETE SET NULL).
- API /api/materials (GET/POST/DELETE, авторизация + проверка владельца) + helpers в js/api.js.
- my-lessons.html: кнопки «К себе» на доске и заметке (Whiteboard.exportBlob → /api/files → saveMaterial).
- Новая страница /my-materials (просмотр/открыть/скачать/удалить) + пункт сайдбара (ученик).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

backend/src/controllers/studentMaterialsController.js

@@ -0,0 +1,57 @@
+'use strict';
+/* Student-owned personal materials ("Мои материалы").
+ * A user keeps copies of items saved from live lessons; the copies are
+ * independent of the session lifecycle. */
+const db = require('../db/db');
+
+const KINDS = ['board', 'note', 'link', 'image'];
+
+/* GET /api/materials — list the current user's saved materials */
+function list(req, res) {
+  const rows = db.prepare(`
+    SELECT id, kind, title, body, url, source_session_id, source_title, created_at
+      FROM student_materials
+     WHERE user_id = ?
+     ORDER BY created_at DESC, id DESC
+  `).all(req.user.id);
+  res.json({ materials: rows });
+}
+
+/* POST /api/materials — save a new item to the current user's collection.
+   Body: { kind, title?, body?, url?, sourceSessionId?, sourceTitle? } */
+function create(req, res) {
+  const b = req.body || {};
+  const kind = String(b.kind || '');
+  if (!KINDS.includes(kind)) return res.status(400).json({ error: 'invalid kind' });
+
+  const title = String(b.title || '').slice(0, 300);
+  const body  = b.body != null ? String(b.body).slice(0, 60000) : null;
+  const url   = b.url != null ? String(b.url).slice(0, 2000) : null;
+  if ((kind === 'note') && !body) return res.status(400).json({ error: 'body required for note' });
+  if ((kind === 'board' || kind === 'image' || kind === 'link') && !url)
+    return res.status(400).json({ error: 'url required' });
+
+  // Soft reference to the source session (kept readable via source_title even
+  // after the session is deleted). Only store the id if the session exists.
+  let sourceSessionId = Number(b.sourceSessionId);
+  if (!Number.isFinite(sourceSessionId)) sourceSessionId = null;
+  else if (!db.prepare('SELECT 1 FROM classroom_sessions WHERE id = ?').get(sourceSessionId)) sourceSessionId = null;
+  const sourceTitle = b.sourceTitle != null ? String(b.sourceTitle).slice(0, 300) : null;
+
+  const r = db.prepare(`
+    INSERT INTO student_materials (user_id, kind, title, body, url, source_session_id, source_title)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+  `).run(req.user.id, kind, title, body, url, sourceSessionId, sourceTitle);
+  res.status(201).json({ id: Number(r.lastInsertRowid) });
+}
+
+/* DELETE /api/materials/:id — remove one of the current user's items */
+function remove(req, res) {
+  const row = db.prepare('SELECT user_id FROM student_materials WHERE id = ?').get(req.params.id);
+  if (!row) return res.status(404).json({ error: 'not found' });
+  if (row.user_id !== req.user.id) return res.status(403).json({ error: 'forbidden' });
+  db.prepare('DELETE FROM student_materials WHERE id = ?').run(req.params.id);
+  res.json({ ok: true });
+}
+
+module.exports = { list, create, remove };

backend/src/db/migrations/060_student_materials.sql

@@ -0,0 +1,23 @@
+-- ═══════════════════════════════════════════════════════════════
+-- 060: Student-owned personal materials ("Мои материалы")
+--
+-- A student can save items from a live lesson (a board page image, their
+-- note, a chat attachment/link) into their OWN collection. The copy is
+-- independent of the session: it survives even if the teacher later deletes
+-- the session history. source_session_id is a soft reference (SET NULL on
+-- delete); source_title is denormalized so it stays readable afterwards.
+-- ═══════════════════════════════════════════════════════════════
+
+CREATE TABLE student_materials (
+  id                INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id           INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  kind              TEXT NOT NULL CHECK (kind IN ('board','note','link','image')),
+  title             TEXT NOT NULL DEFAULT '',
+  body              TEXT,                       -- note text (kind='note')
+  url               TEXT,                       -- file/image/link url (board/image/link)
+  source_session_id INTEGER REFERENCES classroom_sessions(id) ON DELETE SET NULL,
+  source_title      TEXT,                       -- denormalized session title (survives deletion)
+  created_at        TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_student_materials_user ON student_materials(user_id, created_at DESC);

backend/src/routes/materials.js

@@ -0,0 +1,14 @@
+'use strict';
+const express = require('express');
+const router  = express.Router();
+const { authMiddleware } = require('../middleware/auth');
+const c = require('../controllers/studentMaterialsController');
+
+router.use(authMiddleware);
+
+router.get('/',  c.list);
+router.post('/', c.create);
+// @public-by-design: router-level authMiddleware (above) + per-row ownership check in handler
+router.delete('/:id', c.remove);
+
+module.exports = router;

backend/src/server.js

@@ -193,6 +193,7 @@ app.use('/api/textbooks',    textbookRoutes);
 app.use('/api/access',       accessRoutes);
 app.use('/api/teacher-students', teacherStudentsRoutes);
 app.use('/api/lab',          labRoutes);
+app.use('/api/materials',    require('./routes/materials'));
 
 /* ── Public features endpoint (merges global + per-class for authenticated students) ── */
 const _featDb = require('./db/db');