Feature/application First Step E2E

[blebelo]

Summary by CodeRabbit

• New Features

  • Multi-step course application (form, review) with document upload and S3 presigned support.
  • Course list UI with icons and feature lists; student lookup by ID.
  • New providers/components: application, address, student flows, loaders, file upload, status banner.

• Bug Fixes

  • Document fields made optional for student submissions.

• Improvements

  • Stronger input validation, standardized error handling, and added province/country address fields.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
moipone	Ready	Preview, Comment	Mar 5, 2026 8:46pm

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Adds backend error-handling and student-related APIs, extends domain models (Address, ShortCourse, Student), adds EF migrations, and implements a multi-step frontend application flow with file uploads, provider/reducer state, S3 presigned uploads, UI components, and related utilities.

Changes

Cohort / File(s)	Summary
Generated AppService template aspnet-core/Generate-AppService.ps1	Wrapped generated CRUD operations in try/catch, added input validation hooks and standardized UserFriendlyException logging/rewrap.
Domain model & DTOs aspnet-core/src/.../Address.cs, .../ShortCourse.cs, .../Student.cs, .../Addresses/Dto/AddressDto.cs, .../ShortCourses/Dto/ShortCourseDto.cs, .../Students/Dto/StudentDto.cs	Added Province/Country to Address and DTO; added DisplayIcon and Features to ShortCourse entity/DTO; changed Student DTO (DateOfBirth, RefListGender, IdNumber) and removed [Required] on several Student document properties.
Migrations & EF model aspnet-core/src/.../Migrations/*, PublicSiteDbContextModelSnapshot.cs	Added migrations for Features/DisplayIcon and nullable student documents; updated model snapshot (primitive collection text[] for Features, discriminator changes).
Backend services & APIs aspnet-core/src/.../Students/StudentAppService.cs, IStudentAppService.cs, CourseApplicationAppService.cs, ShortCourseAppService.cs	Added GetByIdNumberAsync and RegisterStudentDocumentsAsync; injected IConfigurationRoot; revised query loading patterns; added ShortCourse/Student repos and enrollment logic in CourseApplicationAppService; removed GetCurrentCapacityAsync.
Configuration & startup aspnet-core/src/.../Web.Host/Startup.cs, appsettings*.json, PublicSiteDbContextFactory.cs, Moipone.PublicSite.EntityFrameworkCore.csproj, .gitignore	Registered IConfigurationRoot in DI, read DB connection from env in factory, removed staging/app connection strings, added dotenv.net package, and ignored .env files.
Frontend - application flow & pages next-ts/app/(public)/apply/*, next-ts/app/(public)/page.tsx, layout.tsx, globals.css, style.ts	Added Apply page; wrapped app with providers; fetch courses on mount; UI/style updates and theme variables.
Frontend - components next-ts/src/components/ApplicationForm/*, Courses/*, FileUpload/*, Loader/*, StatusBanner/*, Header/style.ts, Footer/index.tsx	New ApplicationForm multi-step wizard, FileUpload with presigned S3 flow, Courses display, Loader and StatusBanner components, and minor header/footer navigation changes.
Frontend - providers / state next-ts/src/providers/{address,application,student,course}-provider/*	Added address and application providers (context/actions/reducer), extended student provider with registerStudentDocuments/getStudentByIdNumber, course provider now includes displayIcon/features; consistent RequestState action patterns.
Frontend - helpers & server actions next-ts/src/lib/common/{constants,helper-methods,server-actions}.ts, next-ts/package.json	Added constants (steps, MAX_SIZE), helper utilities (renameFile, handleUpload, format/parsing helpers, calculateAge), server action getPresignedPost (S3 presigned POST), and new frontend dependencies (@ant-design/icons, @aws-sdk/*, dayjs).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant User as User (Browser)
    participant Apply as Apply Page / Form
    participant Providers as Course/Student/Address Providers
    participant NextServer as Next.js Server (getPresignedPost)
    participant API as Backend API
    participant S3 as AWS S3
    participant DB as Database

    User->>Apply: Open /apply, enters data
    Apply->>Providers: getAllCourses()
    Providers->>API: GET /courses
    API->>DB: Query ShortCourses
    DB-->>API: Courses
    API-->>Providers: Courses (with displayIcon, features)
    Providers-->>Apply: course list

    User->>Apply: Enter ID number -> lookup
    Apply->>Providers: getStudentByIdNumber(id)
    Providers->>API: GET /students/by-id-number
    API->>DB: Query Student
    DB-->>API: Student or null
    API-->>Providers: StudentDto
    Providers-->>Apply: Populate or allow create

    User->>Apply: Upload document
    Apply->>NextServer: getPresignedPost(studentId, filename)
    NextServer->>S3: Request presigned POST
    S3-->>NextServer: Presigned post fields/URL
    NextServer-->>Apply: Presigned post
    Apply->>S3: POST file to presigned URL
    S3-->>Apply: Upload success
    Apply->>API: POST /students/{id}/register-documents
    API->>DB: Update Student document fields
    DB-->>API: Updated Student
    API-->>Apply: Confirmation

    User->>Apply: Submit application
    Apply->>Providers: submitApplication(payload)
    Providers->>API: POST /applications
    API->>DB: Create CourseApplication (and enroll if approved flow)
    DB-->>API: Application created
    API-->>Providers: ApplicationDto
    Providers-->>Apply: Success
    Apply->>User: Show success

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Implemented Capacity Calculation Endpoint #10 — Conflicts/overlap: GetCurrentCapacityAsync and ShortCourse capacity API changes.
• Implemented Short Course APIs #7 — Overlaps ShortCourse domain/DTO changes (DisplayIcon, Features).
• Added Domain Entities & Implemented Address APIs #4 — Overlaps Address entity and AddressDto changes.

Suggested reviewers

• codespace-cloudmaindesk
• mblebelo

Poem

🐰 I hopped through models, pages, and lines,
Mapped DTOs, stitched configs, and S3 signs,
Students and courses, files in a queue,
Providers dispatch — the app blossoms anew.
A tiny rabbit cheers: "Merge on through!"

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.13% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Feature/application First Step E2E' refers to a real part of the changeset (application form and end-to-end flow), but is vague and doesn't clearly convey the primary objective of the extensive changes.	Revise the title to be more descriptive of the main changes, such as 'Implement end-to-end course application workflow with document uploads' or 'Add student application form with multi-step enrollment process'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/application

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 16

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)

next-ts/src/providers/course-provider/index.tsx (2)

221-227: ⚠️ Potential issue | 🟡 Minor

Error message still references the old hook name.

The hook was renamed to useCourseActions but the error message on Line 224 still reads "useCourseAction must be used within a CourseProvider". Update it for consistency.

Proposed fix

 export const useCourseActions = () => {
     const context = useContext(CourseActionContext);
     if (!context) {
-        throw new Error("useCourseAction must be used within a CourseProvider");
+        throw new Error("useCourseActions must be used within a CourseProvider");
     }
     return context;
 }

---

143-158: ⚠️ Potential issue | 🔴 Critical

openApplications accepts id but never sends it to the server.

The id parameter is unused — the POST to ShortCourse/OpenApplications is sent without any body or query param, so the backend has no way to know which course to target. Compare with closeApplications on Line 162, which correctly includes id in the query string.

Proposed fix

     const openApplications = async (id: string) => {
         dispatch(openApplicationsPending());
-        const endpoint = `ShortCourse/OpenApplications`;
+        const endpoint = `ShortCourse/OpenApplications?id=${id}`;
 
         await instance.post(endpoint)

next-ts/app/(public)/layout.tsx (1)

19-22: ⚠️ Potential issue | 🟡 Minor

Update the default metadata.

The title and description are still the create-next-app scaffolding defaults. These will appear in browser tabs and search results for all public pages under this layout.

next-ts/src/providers/student-provider/index.tsx (2)

64-76: ⚠️ Potential issue | 🟠 Major

id can be undefined, resulting in a request to Student/Get?Id=undefined.

Making id optional but interpolating it directly into the URL means callers can trigger an API request with the literal string "undefined" as the ID parameter. Either add an early return/guard or keep the parameter required.

🛡️ Proposed guard

  const getStudentById = async (id?: string) => {
+   if (!id) return;
    dispatch(getStudentByIdPending());
    const endpoint = `Student/Get?Id=${id}`;

The same issue applies to deleteStudent at Line 92 (Student/Delete?Id=${id}).

---

78-90: ⚠️ Potential issue | 🟠 Major

updateStudent will send { id: undefined } to the API when called without arguments.

Both id and student are optional, so the PUT request body could contain { ...undefined, id: undefined }. Consider adding a guard or keeping required params.

🤖 Fix all issues with AI agents

In `@aspnet-core/Generate-AppService.ps1`:
- Around line 108-115: The catch blocks currently log the full exception via
Logger.Error(..., ex) but then construct UserFriendlyException messages that
include ex.Message (e.g., throw new UserFriendlyException($"Could not create
$EntityName. Error: {ex.Message}", ...)), which leaks internal details; update
each catch (Exception ex) in all generated CRUD methods so the Logger retains
the full exception (no change there) but the UserFriendlyException uses a
generic message (e.g., "Could not create $EntityName." / "Could not update
$EntityName." / "Could not delete $EntityName." / "Could not retrieve
$EntityName(s).") and the same Abp.Logging.LogSeverity.Error, removing
ex.Message from the thrown UserFriendlyException; apply this pattern to every
similar throw site across create/update/delete/get/list handlers.

In `@aspnet-core/src/Moipone.PublicSite.Web.Host/.env`:
- Line 1: The committed .env contains active DB credentials; immediately rotate
the PostgreSQL password on Render for user "benny", then remove the secret file
from the repo history and prevent future leaks by adding ".env" to
aspnet-core/.gitignore and deleting the tracked .env (git rm --cached .env)
before committing; after history removal (use BFG or git filter-branch) commit a
safe template file (e.g., .env.example or .env.template) with placeholder values
and instructions for setting environment variables instead of storing secrets in
source control.

In
`@aspnet-core/src/Moipone.PublicSite.Web.Host/Moipone.PublicSite.Web.Host.csproj`:
- Around line 35-36: Remove the unused DotNetEnv package reference from the
project file: delete the <PackageReference Include="DotNetEnv" Version="3.1.1"
/> entry in Moipone.PublicSite.Web.Host.csproj because the codebase only uses
dotenv.net (DotEnv.Load() in Startup.cs and PublicSiteDbContextFactory.cs);
ensure only dotenv.net remains to reduce dependency surface and then
restore/build to verify no references to DotNetEnv exist.

In `@aspnet-core/src/Moipone.PublicSite.Web.Host/Startup/Startup.cs`:
- Around line 37-41: The DotEnv.Load call in Startup (DotEnv.Load with
DotEnvOptions) uses unsafe defaults; change it to only load in non-production
scenarios (e.g., when EnvironmentName is Development) or flip the options to
safe defaults: set ignoreExceptions to true and overwriteExistingVars to false
so missing .env won't crash startup and platform-injected environment variables
keep precedence; update the Startup class logic around the DotEnv.Load
invocation to conditionally call it based on the environment or adjust the
DotEnvOptions accordingly.

In `@next-ts/app/`(public)/apply/page.tsx:
- Around line 33-54: In createStudent, the address is stripped of id but never
persisted; call addressActions.createAddress(address) and await its result, then
set student.residentialAddress (or the correct student field used to link
addresses) to the newly created address's id before calling
studentActions.createStudent(student); ensure you handle the createdAddress
response (e.g., createdAddress.id) and only call studentActions.createStudent
after address creation completes, preserving existing dateOfBirth/age logic and
error handling in the createStudent function.
- Around line 39-49: The code mutates the incoming student object and leaves a
debug console.log; instead create a sanitized shallow copy (e.g., const
sanitizedStudent = { ...student }) before deleting sensitive keys (remove id,
proofOfResidence, certifiedHighestQualification, certifiedId, curriculumVitae)
and set sanitizedStudent.dateOfBirth =
dayjs(student.dateOfBirth).format('YYYY-MM-DD') and sanitizedStudent.age =
calculateAge(sanitizedStudent.dateOfBirth) (or use the original dob if needed),
then call await studentActions.createStudent(sanitizedStudent); also remove the
leftover console.log(student).

In `@next-ts/src/components/ApplicationForm/index.tsx`:
- Around line 103-116: The code reads currentStudent?.id immediately after
awaiting createStudent, but currentStudent is stale because the reducer update
hasn't re-rendered yet; fix by making createStudent return the created student
(or its id) and then use that returned value to call setFormData(prev => ({
...prev, studentId: returnedStudent.id })) instead of reading currentStudent, or
alternatively implement a useEffect that watches currentStudent?.id and updates
formData.studentId when it changes; update the call site in the block that
currently awaits createStudent and the setFormData logic accordingly (refer to
createStudent, currentStudent, setFormData, studentId, and useEffect).
- Around line 491-524: The FileUpload components are falling back to the
hardcoded "dummy-id" because formData?.student?.id is not populated due to a
stale-closure/state update issue; remove the "dummy-id" fallback and ensure the
real student ID from the updated state is used (e.g., read the latest student id
from the same updated state/update function that creates the student or a ref
that is set once creation completes), and only render the upload step (or
FileUpload) when that student id exists; update the logic around formData (and
the code referenced by the stale-closure bug) so that the student id is set
before rendering FileUpload and pass that live id into the studentId prop of
FileUpload.
- Around line 118-125: The component's step flow leaves currentStep === 2 empty
causing a blank page; either render the missing step-2 UI or change the
navigation to skip it. Locate the ApplicationForm component and update the
rendering logic where currentStep is checked (references: currentStep,
setCurrentStep, submitApplication, setSubmitted, merged) — either add the
JSX/fields for the step when currentStep === 2 or modify the "next" transition
(the place that currently does setCurrentStep(s => s + 1)) so advancing from
step 1 goes directly to step 3 (e.g., increment by 2 or conditional-branch to
setCurrentStep(3)). Apply the same fix to the other step-navigation blocks found
in the file (other handlers rendering based on currentStep).
- Around line 266-285: The ID Number input is formatting the value with
formatSaIdNumber (adding spaces) but the Form validation rule uses len: 13 which
checks the formatted value and will fail; also mutating e.target.value does not
update the antd Form state. In the Input.Password onChange handler (the handler
that calls formatSaIdNumber) stop mutating e.target.value and instead call the
form instance to update the field (e.g., form.setFieldsValue({ student: {
idNumber: formatted } })), and replace the static { len: 13 } rule on the
Form.Item (name ["student","idNumber"]) with a custom validator that strips
spaces (or otherwise normalizes with formatSaIdNumber) and asserts the
unformatted length is 13. Ensure you reference formatSaIdNumber for
normalization and update the validator logic accordingly.

In `@next-ts/src/components/FileUpload/index.tsx`:
- Around line 25-36: The beforeUpload handler currently creates uploadedFile
with status "done" and calls setFile(uploadedFile) unconditionally even when
handleUpload fails; modify beforeUpload to only setFile and return
Upload.LIST_IGNORE when handleUpload succeeds (e.g., await handleUpload(...) and
check its resolved value or try/catch the call), and update handleUpload in
helper-methods.ts to re-throw the error after showing the error message (or
return a falsy failure value) so beforeUpload can detect failure and avoid
marking the file as done; references: beforeUpload, handleUpload, setFile,
uploadedFile, Upload.LIST_IGNORE.

In `@next-ts/src/lib/common/helper-methods.ts`:
- Around line 22-42: uploadFile duplicates handleUpload's S3 presigned POST flow
and omits size validation and user messaging; refactor by extracting the shared
S3-upload core into a single helper (e.g., a private function used by both) or
remove uploadFile and invoke handleUpload everywhere. Update the chosen upload
core to accept (file, studentId, filename), call getPresignedPost, build
FormData from returned fields, perform the fetch and throw on non-ok, and ensure
size validation and user-facing messages executed by handleUpload still run (or
move that logic into the shared helper) so uploadFile's missing behaviors are
preserved.
- Around line 49-84: handleUpload currently catches errors, logs to console and
shows a toast but doesn't propagate failure, causing callers like
FileUpload/index.tsx to treat uploads as successful; update handleUpload (and
its catch block) to propagate the failure—either re-throw the caught error
(throw error) or return Upload.LIST_IGNORE on error so the caller can detect and
mark the upload as failed; keep the existing logging/toast but ensure the error
is not swallowed.

In `@next-ts/src/lib/common/server-actions.ts`:
- Around line 6-22: The getPresignedPost function currently falls back to "test"
for empty studentId/filename and interpolates filename directly into the S3 Key,
enabling silent miswrites and path traversal; update getPresignedPost to
validate that studentId and filename are present (trim and throw a clear error
if missing or empty), canonicalize and sanitize filename (reject or strip path
separators like "/" and "\" and any ".." segments, enforce an allowed-character
regex and max length), and avoid any silent defaults when constructing the Key
passed to createPresignedPost; keep using S3Client and createPresignedPost but
ensure the Key is built only from the validated studentId and sanitized filename
(or URL-safe encoded filename) so no directory traversal or unintended bucket
paths are possible.

In `@next-ts/src/providers/application-provider/actions.ts`:
- Around line 33-36: The enum for the "get by course ID" actions mixes singular
and plural names—normalize to plural (since it returns a list) by renaming
getApplicationByCourseIdPending -> getApplicationsByCourseIdPending,
getApplicationByCourseIdError -> getApplicationsByCourseIdError (and update
their string values to
"GET_APPLICATIONS_BY_COURSE_ID_PENDING"/"GET_APPLICATIONS_BY_COURSE_ID_ERROR"),
keep getApplicationsByCourseIdSuccess as-is, and then update the corresponding
action creator function names that reference these enum members (the action
creators currently referenced around the other usages) so all usages and reducer
handleActions keys use the plural enum names consistently.

In `@next-ts/src/providers/application-provider/index.tsx`:
- Around line 110-122: The getApplicationsByCourseId function currently
dispatches the wrong error action (approveApplicationError) on failure; update
the catch to dispatch getApplicationByCourseIdError(err.message) instead and add
the missing import for getApplicationByCourseIdError at the top of the file so
the action creator is available; specifically, in the getApplicationsByCourseId
function replace approveApplicationError with getApplicationByCourseIdError and
import getApplicationByCourseIdError alongside the other action creators.

🟡 Minor comments (15)

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs-26-30 (1)

26-30: ⚠️ Potential issue | 🟡 Minor

Add a null/empty guard on connectionString.

Environment.GetEnvironmentVariable("ConnectionStrings__Default") returns null if the variable isn't set (e.g., .env file missing or misconfigured). Passing null to the DB configurer will produce a confusing provider-level exception. A clear fail-fast message here improves the developer experience when running EF CLI commands.

Also consider removing the commented-out line 29 — it's dead code now.

🛡️ Proposed fix

         DotEnv.Load();
         var connectionString = Environment.GetEnvironmentVariable("ConnectionStrings__Default");
 
-        //PublicSiteDbContextConfigurer.Configure(builder, configuration.GetConnectionString(PublicSiteConsts.ConnectionStringName));
+        if (string.IsNullOrWhiteSpace(connectionString))
+        {
+            throw new InvalidOperationException(
+                "ConnectionStrings__Default environment variable is not set. " +
+                "Ensure a .env file exists in the Web.Host project directory with this variable defined.");
+        }
+
         PublicSiteDbContextConfigurer.Configure(builder, connectionString);

aspnet-core/src/Moipone.PublicSite.Core/Domain/ShortCourses/ShortCourse.cs-50-51 (1)

50-51: ⚠️ Potential issue | 🟡 Minor

Features should be initialized to prevent NullReferenceException.

Navigation collections (EnrolledStudents, Applications) are initialized to new List<>() on lines 56 and 58, but Features is left uninitialized. Accessing Features on a newly constructed ShortCourse before assignment will throw an NRE.

🐛 Proposed fix

         [Required]
-        public ICollection<string> Features { get; set; }
+        public ICollection<string> Features { get; set; } = new List<string>();

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/Migrations/20260206152522_Added_Features_To_ShortCourse.Designer.cs-1597-1600 (1)

1597-1600: ⚠️ Potential issue | 🟡 Minor

Country max length of 20 may be too restrictive for international users.

This application supports 10+ languages (Spanish, Farsi, French, Italian, Japanese, Lithuanian, Dutch, Portuguese, Turkish, Chinese), indicating international scope. Many country names exceed 20 characters (e.g., "United States of America" at 27 chars, "Democratic Republic of the Congo" at 33 chars). If storing full country names, data will be silently truncated or rejected. Consider increasing the limit (e.g., to 60) or documenting that only short codes/abbreviations are stored.

Note: Update the Country property in Address.cs (not this auto-generated designer file).

next-ts/src/providers/course-provider/context.ts-20-20 (1)

20-20: ⚠️ Potential issue | 🟡 Minor

Typo: applicaions → applications.

This misspelling will propagate to every consumer of ICourse and make the field harder to discover and refactor later.

Proposed fix

-  applicaions: ICourseApplication[];
+  applications: ICourseApplication[];

next-ts/app/(public)/page.tsx-21-26 (1)

21-26: ⚠️ Potential issue | 🟡 Minor

isPending, isError, isSuccess are destructured but unused — no loading/error UI.

The course state flags are extracted but the template doesn't conditionally render loading or error states. Users will see an empty courses section until the fetch completes.

next-ts/src/providers/application-provider/reducer.ts-38-41 (1)

38-41: ⚠️ Potential issue | 🟡 Minor

Inconsistent enum naming in ApplicationActionEnums for CourseId operations.

Lines 34-36 in actions.ts show the enum has inconsistent naming: getApplicationByCourseIdPending and getApplicationByCourseIdError (singular "Application"), but getApplicationsByCourseIdSuccess (plural "Applications"). The reducer correctly references these enum keys, so actions are handled properly. However, standardize the naming across all three variants for consistency—either use singular throughout or plural for all three, matching the payload type.

next-ts/src/components/FileUpload/index.tsx-11-16 (1)

11-16: ⚠️ Potential issue | 🟡 Minor

disabled prop from IFileUploadProps is never used.

The interface declares an optional disabled prop, but it's not destructured here. The component only uses the internal !!file check. Either remove disabled from the interface or wire it into the component logic.

next-ts/app/(public)/apply/page.tsx-19-21 (1)

19-21: ⚠️ Potential issue | 🟡 Minor

addressActions (Line 20) is obtained but never used anywhere in the component.

This is consistent with the missing address creation noted above. Once the address creation call is added, this will become used. If address creation isn't needed here, remove the import and hook call.

next-ts/src/lib/common/helper-methods.ts-29-31 (1)

29-31: ⚠️ Potential issue | 🟡 Minor

Static analysis: forEach callback implicitly returns a value.

Biome flags the arrow functions in formData.append(key, value) on Lines 30 and 65 because the concise arrow body implicitly returns the result. Use a block body to suppress this:

-  Object.entries(fields).forEach(([key, value]) => formData.append(key, value));
+  Object.entries(fields).forEach(([key, value]) => { formData.append(key, value); });

Applies to both Line 30 and Lines 65-66.

Also applies to: 64-67

next-ts/src/lib/common/helper-methods.ts-44-47 (1)

44-47: ⚠️ Potential issue | 🟡 Minor

renameFile mishandles files without an extension.

For a file named "README" (no dot), split(".").pop() returns "README" — a truthy non-empty string — so the function returns baseName.README instead of just baseName. Given the upload accept filter restricts to .pdf/.jpg/.jpeg/.png, this is unlikely to trigger in practice, but the logic is still incorrect.

Proposed fix

 export const renameFile = (userFile: File, baseName: string): string => {
-  const extension = userFile.name.split(".").pop()?.toLowerCase() || "";
-  return extension ? `${baseName}.${extension}` : baseName;
+  const parts = userFile.name.split(".");
+  const extension = parts.length > 1 ? parts.pop()?.toLowerCase() : "";
+  return extension ? `${baseName}.${extension}` : baseName;
 };

next-ts/src/providers/address-provider/index.tsx-61-73 (1)

61-73: ⚠️ Potential issue | 🟡 Minor

Optional id parameter can produce an invalid endpoint (Address/Get?Id=undefined).

getAddressById, updateAddress, and deleteAddress all accept optional id?: string. If called with undefined, the interpolated URL becomes Address/Get?Id=undefined, which will likely fail silently or return unexpected results. Either make id required or add an early guard.

Proposed fix (example for getAddressById)

-  const getAddressById = async (id?: string) => {
+  const getAddressById = async (id: string) => {
     dispatch(getAddressByIdPending());
     const endpoint = `Address/Get?Id=${id}`;

Same applies to updateAddress (Line 75) and deleteAddress (Line 89).

next-ts/src/components/Courses/index.tsx-26-32 (1)

26-32: ⚠️ Potential issue | 🟡 Minor

undefined courseList silently renders nothing — likely unintended.

When courseList is undefined (e.g., before data loads), courseList?.length == 0 evaluates to undefined == 0 → false, so the else branch runs and courseList?.map(...) returns undefined — nothing renders at all. If the intent is to show the empty-state icon when there are no courses, guard for both cases:

Proposed fix

-        {courseList?.length == 0  
+        {!courseList?.length

Also, the commented-out heading on Line 31 should either be restored or removed before merge.

next-ts/src/components/ApplicationForm/index.tsx-111-113 (1)

111-113: ⚠️ Potential issue | 🟡 Minor

Remove console.log statements before merging.

Debug logging of currentStudent, form, and formData should not ship to production.

next-ts/src/providers/application-provider/context.ts-25-25 (1)

25-25: ⚠️ Potential issue | 🟡 Minor

Copy-paste error in section comment.

The comment reads ADDRESS CONTEXT but this is the application provider context file. Should be APPLICATION CONTEXT.

✏️ Proposed fix

-// ==================== ADDRESS CONTEXT ====================
+// ==================== APPLICATION CONTEXT ====================

next-ts/src/providers/application-provider/actions.ts-5-5 (1)

5-5: ⚠️ Potential issue | 🟡 Minor

Unused import: IStudentStateContext.

IStudentStateContext is imported but never referenced in this file.

✏️ Proposed fix

-import { IStudentStateContext } from "../student-provider/context";

🧹 Nitpick comments (23)

aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs (2)

96-100: Inconsistent repository reference: _studentRepository vs Repository.

Line 60 uses the base class Repository property, while line 96 uses the injected _studentRepository field. Both resolve to the same instance, but mixing them reduces readability. Pick one consistently — preferably the base class Repository since this class extends AsyncCrudAppService.

♻️ Suggested fix

-                var query = await _studentRepository.GetAllIncludingAsync(s => s.ResidentialAddress);
+                var query = await Repository.GetAllIncludingAsync(s => s.ResidentialAddress);

---

218-222: GetStudentByEmailAsync doesn't include ResidentialAddress.

Now that GetAllAsync and GetAsync eagerly load ResidentialAddress, this method is inconsistent — it returns a student without the address populated. If callers expect the same shape, this will surface as null address data.

♻️ Suggested fix

-                var student = await AsyncQueryableExecuter.FirstOrDefaultAsync(
-                    _studentRepository
-                        .GetAll()
-                        .Where(s => s.EmailAddress == emailAddress)
-                );
+                var query = await Repository.GetAllIncludingAsync(s => s.ResidentialAddress);
+                var student = await AsyncQueryableExecuter.FirstOrDefaultAsync(
+                    query.Where(s => s.EmailAddress == emailAddress)
+                );

aspnet-core/Generate-AppService.ps1 (1)

33-33: Naive pluralization will produce incorrect names for some entities.

"$EntityNames"simply appends an "s", so entities like "Address" → "Addresss", "Category" → "Categorys", "Status" → "Statuss". Consider adding a-PluralName` parameter to allow overriding, or handling common English suffixes (e.g., -s, -x, -sh, -ch → -es; -y → -ies).

♻️ Proposed parameter addition

 param(
     [Parameter(Mandatory = $true)]
     [string]$EntityName,
 
+    [Parameter(Mandatory = $false)]
+    [string]$PluralEntityName,
+
     [Parameter(Mandatory = $false)]
     [string]$Namespace = "Moipone.PublicSite"
 )
 
 # ...
 
-$PluralEntityName = "$EntityName`s"
+if (-not $PluralEntityName) {
+    $PluralEntityName = "$EntityName`s"
+}

aspnet-core/src/Moipone.PublicSite.Core/Domain/Addresses/Address.cs (1)

24-31: MaxLength(20) for Country may be too restrictive for international addresses.

If addresses outside South Africa are ever expected, country names like "United States of America" (24 chars) or "Bosnia and Herzegovina" (22 chars) would be truncated. Consider increasing to MaxLength(60) or using ISO country codes instead if you want to keep the column small. The same consideration applies to Province depending on scope.

If this is intentionally limited to South African addresses only, this is fine as-is.

aspnet-core/src/Moipone.PublicSite.Core/Domain/ShortCourses/ShortCourse.cs (1)

47-48: Consider adding a MaxLength constraint to DisplayIcon.

All other string properties on ShortCourse have length constraints, but DisplayIcon maps to unbounded text. If this stores an icon name or CSS class, a reasonable limit (e.g., [MaxLength(200)]) would be consistent and prevent oversized data.

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/Migrations/20260206152522_Added_Features_To_ShortCourse.cs (1)

8-8: Migration name is misleading — it also adds Country and Province to Addresses.

Added_Features_To_ShortCourse only describes part of this migration's scope. Consider using a more descriptive name (e.g., Added_Features_And_Address_Fields) for future clarity when debugging migration history. Not critical since renaming an already-applied migration is risky, but worth noting for future migrations.

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/Migrations/PublicSiteDbContextModelSnapshot.cs (1)

1873-1876: DisplayIcon is required with unbounded text type — consider adding a max length.

Unlike other string properties in the model that have explicit HasMaxLength(...) constraints, DisplayIcon is mapped to unbounded text. If this stores a URL or CSS class name, adding a reasonable max length (e.g., 500) would provide a safety net against excessively large values.

next-ts/.vscode/launch.json (1)

1-12: Consider whether .vscode/launch.json should be committed.

IDE-specific configuration files are often added to .gitignore to avoid imposing personal tooling preferences on other contributors. If this is a shared team config, this is fine — otherwise consider adding .vscode/ to .gitignore.

next-ts/src/components/FileUpload/style.ts (1)

21-36: Hardcoded hex colors bypass theming.

Several colors are hardcoded (#f7931e, #1a1a2e, #4a4a68, #ff4d4f, #d9363e) while other styles in this file correctly use token.* values. This inconsistency means the component won't adapt to theme changes (e.g., dark mode). Consider using theme tokens or CSS variables (as done in Header/style.ts) for consistency.

next-ts/src/providers/address-provider/actions.ts (1)

1-124: Highly repetitive boilerplate across providers.

This file and the application-provider actions file follow an identical pattern. Consider a generic factory function to reduce duplication, e.g.:

function makeCrudActions<TEntity, TStateContext>(prefix: string) {
  return {
    createPending: createAction<TStateContext>(`CREATE_${prefix}_PENDING`, () => RequestState.Pending),
    createSuccess: createAction<TStateContext, TEntity>(`CREATE_${prefix}_SUCCESS`, (entity: TEntity) => ({ ...RequestState.Success, /* ... */ })),
    // ... etc
  };
}

This is entirely optional — the current approach is clear and consistent, just verbose.

next-ts/src/providers/course-provider/context.ts (1)

4-4: Circular module import between course-provider and application-provider contexts.

Confirmed: course-provider/context.ts imports ICourseApplication from application-provider/context.ts (line 4), and application-provider/context.ts imports ICourse from course-provider/context.ts. This creates bidirectional dependencies where ICourse.applicaions references ICourseApplication and ICourseApplication.shortCourse references ICourse. While TypeScript and modern bundlers handle type-level circular references without runtime issues, this tight coupling between two provider domains increases interdependency and can complicate future refactoring or optimization efforts.

next-ts/src/components/Loader/index.tsx (1)

1-1: Unused Spin import.

Spin is imported from antd but never used in this component.

Proposed fix

-import { Spin } from "antd";

next-ts/src/lib/common/server-actions.ts (1)

10-16: Consider reusing the S3 client across invocations.

A new S3Client is instantiated on every call. Since this is a server action running in a long-lived Node.js process, you can hoist the client to module scope for connection reuse and reduced overhead.

Proposed fix

+"use server";
+
+import { S3Client } from "@aws-sdk/client-s3";
+import { createPresignedPost } from "@aws-sdk/s3-presigned-post";
+
+const client = new S3Client({
+  region: process.env.AWS_REGION!,
+  credentials: {
+    accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+  },
+});
+
 export async function getPresignedPost(

next-ts/src/providers/student-provider/context.ts (1)

42-49: Making action parameters optional weakens type safety for destructive operations.

deleteStudent(id?: string), updateStudent(id?: string, ...), and getStudentById(id?: string) with optional parameters allow callers to invoke these without providing required identifiers, which would produce runtime errors or unintended API calls. Consider keeping action signatures strict and handling optionality at the call site instead.

Suggested approach

 export interface IStudentActionContext {
-  createStudent: (student?: IStudent) => Promise<void>;
+  createStudent: (student: IStudent) => Promise<void>;
   getAllStudents: () => Promise<void>;
-  getStudentById: (id?: string) => Promise<void>;
-  updateStudent: (id?: string, student?: IStudent) => Promise<void>;
-  deleteStudent: (id?: string) => Promise<void>;
-  getStudentByEmail: (email?: string) => Promise<void>;
+  getStudentById: (id: string) => Promise<void>;
+  updateStudent: (id: string, student: IStudent) => Promise<void>;
+  deleteStudent: (id: string) => Promise<void>;
+  getStudentByEmail: (email: string) => Promise<void>;
 }

next-ts/src/components/ApplicationForm/style.ts (1)

3-163: Hardcoded color values throughout instead of using theme tokens.

Colors like #1a1a2e, #4a4a68, #f7931e are repeated across this file and other style files (FileUpload/style.ts). Consider extracting them into shared theme tokens or constants for consistency and easier theming. This is not blocking but would improve maintainability as the style surface grows.

next-ts/src/components/Courses/index.tsx (1)

36-37: Prefer course.id over array index as the React key.

ICourse has an id field. Using it as the key gives React a stable identity for each card, avoiding unnecessary re-renders if the list order changes.

-          {courseList?.map((course, index) => (
-            <div key={index} className={styles.card}>
+          {courseList?.map((course) => (
+            <div key={course.id} className={styles.card}>

next-ts/src/providers/address-provider/index.tsx (2)

31-32: axiosInstance() is called on every render, creating a new Axios instance each time.

Since the factory reads sessionStorage for the token, this works functionally, but it's wasteful. Consider memoizing with useMemo or moving the instance creation into each action function where the token is actually needed.

---

38-46: Mixing await with .then()/.catch() is redundant and confusing.

Either use await + try/catch or use .then()/.catch() — not both. The await on the .then/.catch chain is a no-op since errors are already handled by .catch. This pattern is repeated across all actions in both providers.

Proposed fix (example for createAddress)

   const createAddress = async (address?: IAddress) => {
     dispatch(createAddressPending());
     const endpoint = "Address/Create";
 
-    await instance
-      .post(endpoint, address)
-      .then((response) => {
-        dispatch(createAddressSuccess(response.data.result));
-      })
-      .catch((err) => {
-        dispatch(createAddressError(err.message));
-      });
+    try {
+      const response = await instance.post(endpoint, address);
+      dispatch(createAddressSuccess(response.data.result));
+    } catch (err: any) {
+      dispatch(createAddressError(err.message));
+    }
   };

next-ts/src/lib/common/constants.tsx (1)

92-113: Hardcoded programmesList may drift from API-sourced course data.

Courses are fetched dynamically via courseActions.getAllCourses() for the Courses component, but this static list is used in the application form. If courses are added/removed on the backend, this list won't reflect those changes. Consider deriving the programme options from the same dynamic source passed as courseList to the ApplicationForm.

next-ts/app/(public)/apply/page.tsx (1)

56-66: Remove debug console.log on Line 62.

       await applicationActions.createApplication(application);
-
-      console.log("Application submitted successfully");

next-ts/src/lib/common/helper-methods.ts (1)

86-91: capitalizeWords doesn't lowercase the rest of each word.

Input like "hELLO wORLD" would produce "HELLO WORLD" rather than "Hello World". If that's intentional, fine — just noting the behavior.

next-ts/src/providers/address-provider/context.ts (1)

26-32: Action method parameters are all optional, weakening the contract.

createAddress(address?), getAddressById(id?), updateAddress(id?, address?), and deleteAddress(id?) allow callers to invoke mutations/queries with undefined. This pushes validation responsibility to the implementation, risking silent API calls with missing data (e.g., ?Id=undefined in URLs). Consider making params required in the action context and keeping optionality only where truly needed (e.g., in the entity interface).

next-ts/src/components/ApplicationForm/index.tsx (1)

342-342: Remove commented-out code.

The disabledDate prop is commented out. Either implement it or remove the dead comment to keep the code clean.

[blebelo]

@coderabbitai resolve

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In `@next-ts/src/components/ApplicationForm/index.tsx`:
- Line 510: Fix the label typo in the ApplicationForm component: change the
label string used where you set label='Curriculum VItae (CV)' to use proper
capitalization 'Curriculum Vitae (CV)' so the field label in the JSX (in the
ApplicationForm component) reads correctly.
- Around line 111-113: Remove the three development console.log statements that
print currentStudent, form, and formData in the ApplicationForm component;
either delete them or replace them with a proper logger guarded by a
development-only check (e.g., NODE_ENV !== 'production') or use the app's
centralized logging utility so internal state isn't leaked to the browser
console in production.

In `@next-ts/src/components/FileUpload/index.tsx`:
- Around line 25-41: The beforeUpload handler currently re-throws inside its
catch, preventing the final return Upload.LIST_IGNORE and letting Ant Design
perform a default HTTP upload; modify beforeUpload so that inside the catch you
do not re-throw—log the error, update UI/error state (e.g., call setFile with an
error status or trigger a user notification), and then let the function continue
to return Upload.LIST_IGNORE; reference beforeUpload, handleUpload, setFile, and
Upload.LIST_IGNORE to locate and change the behavior.
- Around line 11-16: The FileUpload component currently ignores the optional
disabled prop from IFileUploadProps; update the FileUpload function signature to
destructure disabled alongside studentId, filename, label, and accept, then use
that disabled value wherever the component currently checks !!file (and where
the upload button/input becomes interactive) so the UI (e.g., the file input and
upload button/handlers inside FileUpload) respects disabled={true} by preventing
selection/submission and rendering the controls as disabled.

In `@next-ts/src/lib/common/helper-methods.ts`:
- Around line 28-64: In handleUpload, preserve the original caught error when
re-throwing by using the Error constructor's cause option (i.e., throw a new
Error('File Upload Failed', { cause: error })) so the original stack is
retained; also change the forEach callback that appends fields to FormData to
use a block body (e.g., ([key, value]) => { formData.append(key, value); }) to
avoid an implicit return. Locate these changes in the handleUpload function
around the getPresignedPost usage and the Object.entries(fields).forEach call.

🧹 Nitpick comments (1)

next-ts/src/providers/application-provider/reducer.ts (1)

8-54: Shallow-merge handler can leak stale state across action phases.

Since every action variant (Pending/Success/Error) uses the same mergePayloadHandler ({ ...state, ...action.payload }), any field not explicitly reset in a payload persists from the previous state. For example, if an error action sets error: "..." but the subsequent pending action's payload omits error, the stale error string remains in state.

Ensure each action creator payload explicitly resets all relevant fields (e.g., error: undefined in pending/success payloads, application: undefined in error payloads). Alternatively, consider resetting to a known base before merging:

♻️ Optional: reset-then-merge handler

+const BASE_FLAGS = { isPending: false, isSuccess: false, isError: false, error: undefined };
+
+export const resetAndMergeHandler = (
+  state: IApplicationStateContext,
+  action: { payload: IApplicationStateContext },
+) => ({
+  ...state,
+  ...BASE_FLAGS,
+  ...action.payload,
+});

[coderabbitai]

✅ Actions performed

Comments resolved.

[mblebelo]

All checks passed and conversations resolved ✅

[mblebelo]

All checks passed and conversations resolved ✅

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@next-ts/package.json`:
- Around line 12-14: The package version for "@aws-sdk/s3-presigned-post" in
package.json is invalid (3.983.0); update the dependency to a valid published
version or replace it with the correct package: either change
"@aws-sdk/s3-presigned-post" to "^3.883.0" (latest published) or replace the
entry with "@aws-sdk/s3-request-presigner@^3.983.0" if your code uses the
request presigner API; after editing, run npm install and verify any
imports/usages referencing "s3-presigned-post" in the codebase (import paths,
function calls) are updated to the chosen package name (or kept the same if you
only changed the version).

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (4)

next-ts/app/(public)/page.tsx (1)

24-26: getAllCourses is missing from the useEffect dependency array.

react-hooks/exhaustive-deps will flag this, and if getAllCourses is not memoized inside the provider it could silently close over a stale reference.

♻️ Proposed fix

  useEffect(() => {
    getAllCourses()
- }, []);
+ }, [getAllCourses]);

If getAllCourses is already stable (e.g., wrapped in useCallback or derived from a dispatch) this change is a no-op at runtime but keeps linting clean. If it is not stable, also memoize it in the provider with useCallback.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/app/`(public)/page.tsx around lines 24 - 26, The useEffect currently
calls getAllCourses but omits it from the dependency array which trips
react-hooks/exhaustive-deps and can close over stale references; update the
effect to include getAllCourses in the dependency array (useEffect(() => {
getAllCourses() }, [getAllCourses])) and if getAllCourses is not already stable,
memoize it where it's defined (e.g., in your provider) using useCallback or by
deriving it from a stable dispatch so the reference doesn't change on each
render.

next-ts/src/providers/application-provider/index.tsx (1)

40-40: axiosInstance() is re-created on every render — memoize it.

If axiosInstance() instantiates a new Axios instance (with interceptors or config), a fresh instance is created every time the provider re-renders, wasting allocations and potentially abandoning in-flight requests tied to the previous instance.

♻️ Proposed fix

-  const instance = axiosInstance();
+  const instance = useMemo(() => axiosInstance(), []);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/application-provider/index.tsx` at line 40, The
provider currently calls axiosInstance() on every render (creating a new Axios
instance and losing interceptors/in-flight requests); change the code to memoize
the result — e.g., use React.useMemo or a React.useRef pattern to call
axiosInstance() only once or when its real dependencies change, assigning the
memoized value to the instance variable used in the provider; ensure you
reference the axiosInstance() factory and the instance variable so
interceptors/config persist and include any relevant deps array for useMemo.

next-ts/src/providers/student-provider/index.tsx (2)

123-135: LGTM — registerStudentDocuments implementation is correct and consistent.

The dispatch sequence (pending → success/error), POST with studentId as a query parameter, and no body are all correct. The pattern matches the rest of the provider. One minor nit: studentId is not wrapped in encodeURIComponent, unlike email on line 111. GUIDs are URL-safe so this is harmless in practice, but worth applying for consistency.

🔧 Optional consistency fix

- const endpoint = `Student/RegisterStudentDocuments?studentId=${studentId}`;
+ const endpoint = `Student/RegisterStudentDocuments?studentId=${encodeURIComponent(studentId)}`;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/index.tsx` around lines 123 - 135, In
registerStudentDocuments update the endpoint construction to URL-encode the
studentId (use encodeURIComponent(studentId)) before interpolating into the
querystring so it matches the existing pattern used for email; modify the
endpoint variable inside the registerStudentDocuments function to use
encodeURIComponent to ensure consistency with the codebase.

---

67-67: Opt-out of required parameters diverges from the context interface contract.

getStudentById, updateStudent, deleteStudent, and getStudentByEmail all have id/email as required (string) in IStudentActionContext, but the implementations accept id?: string / email?: string (optional). TypeScript accepts this (a function handling string | undefined is assignable to one requiring string), so no compile error today. The risk is that if the interface is later tightened or the functions are called directly (outside of the context), undefined can silently flow into URL construction — e.g., `Student/Get?Id=${undefined}` produces the literal string "Student/Get?Id=undefined".

Consider aligning the implementation signatures with the interface to keep the contract explicit:

♻️ Proposed alignment

- const getStudentById = async (id?: string) => {
+ const getStudentById = async (id: string) => {

- const updateStudent = async (id?: string, student?: IStudent) => {
+ const updateStudent = async (id: string, student?: IStudent) => {

- const deleteStudent = async (id?: string) => {
+ const deleteStudent = async (id: string) => {

- const getStudentByEmail = async (email?: string) => {
+ const getStudentByEmail = async (email: string) => {

Also applies to: 81-81, 95-95, 109-109

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/index.tsx` at line 67, The
implementations for getStudentById, updateStudent, deleteStudent, and
getStudentByEmail currently accept optional parameters (id?: string / email?:
string) which diverges from the IStudentActionContext contract and can produce
URLs like "Id=undefined"; update each function signature to require the
parameter (id: string / email: string) to match IStudentActionContext and add a
short defensive check that throws or returns early if an empty string is passed
(e.g., validate param and throw new Error or return a rejected Promise) before
constructing URLs or performing fetches so undefined/empty values cannot be
interpolated into request URLs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`:
- Around line 257-264: The null-check around the result of
_studentRepository.GetAsync in StudentAppService is dead code because
IRepository.GetAsync(id) throws EntityNotFoundException when absent; remove the
if (student == null) block and its UserFriendlyException so the method relies on
the repository's exception flow (or, if you prefer consistent UX, catch
EntityNotFoundException around the _studentRepository.GetAsync call and rethrow
a UserFriendlyException there). Ensure you update any references to the removed
"student == null" branch (the local variable student and exception creation)
accordingly.
- Around line 246-286: RegisterStudentDocumentsAsync currently writes hardcoded
placeholder strings (student.CertifiedId, student.ProofOfResidence,
student.CurriculumVitae, student.CertifiedHighestQualification) and accepts no
inputs; change the method signature (RegisterStudentDocumentsAsync) to accept
the actual document path/URL parameters (e.g., certifiedIdPath,
proofOfResidencePath, curriculumVitaePath, certifiedHighestQualificationPath),
validate that none are null/empty (throw UserFriendlyException with
LogSeverity.Warn for invalid inputs), assign those incoming values to the
corresponding student properties instead of the literal strings, persist via
_studentRepository.UpdateAsync(student) and return the mapped StudentDto as
before; also update any callers/tests to pass the new parameters.

In `@next-ts/app/`(public)/apply/page.tsx:
- Around line 50-51: The createStudent and createApplication calls are not
awaited and the debug console.log statements (referencing
studentActions.createStudent, applicationActions.createApplication and
studentState.student) can log stale state; change the calls to await
studentActions.createStudent(student) and await
applicationActions.createApplication(application) so the async work completes
before proceeding, remove the debug console.log lines that print premature
success/state, and ensure the surrounding try/catch (or caller) properly
handles/rethrows any errors from those awaited calls so unexpected exceptions
are not lost.

In `@next-ts/app/`(public)/page.tsx:
- Line 21: The flags isPending, isError, and isSuccess returned by
useCourseState are currently unused; update page.tsx to handle loading/error
states by either (A) adding conditional rendering in the component that shows a
loading indicator when isPending is true and an error message when isError is
true (and only render Courses when isSuccess is true or courses exists), or (B)
pass the three flags as props into the Courses component (e.g., <Courses
courses={courses} isPending={isPending} isError={isError}
isSuccess={isSuccess}>) and implement the corresponding UI inside Courses to
show a loader and an error UI. Ensure you reference useCourseState and Courses
when making the change so the state flags are actually used.

---

Duplicate comments:
In `@aspnet-core/src/Moipone.PublicSite.Web.Host/.env`:
- Line 1: The repo contains live DB credentials (moipone_user) in a tracked .env
— rotate the moipone_user password immediately in your hosting provider, then
remove the tracked .env from Git with git rm --cached .env and commit that
change, purge the secret from history using BFG or git filter-repo (or git
filter-branch if necessary) and force-push the cleaned history, and add a
committed .env.example with placeholder values so no real secrets are stored
going forward.

In `@next-ts/app/`(public)/apply/page.tsx:
- Around line 33-57: In createStudent, the prepared address is never attached to
the student object so the residential address is dropped; before calling
studentActions.createStudent(student) assign the cleaned address to
student.residentialAddress (e.g., after deleting address.id set
student.residentialAddress = address) and ensure this assignment occurs only
when both address and student are present so the backend receives the nested
address in the student DTO.
- Around line 35-44: The current code mutates the incoming address and student
objects via delete (e.g., delete address.id and delete student.id /
student.proofOfResidence / student.certifiedHighestQualification /
student.certifiedId / student.curriculumVitae); instead create sanitized copies
instead of mutating originals—use object spread or object rest to omit those
keys (build sanitizedAddress and sanitizedStudent from address and student) and
pass those copies onward (referencing the student and address variables in this
block inside page.tsx / ApplicationForm submission logic) so the caller/state
objects are not mutated.

In `@next-ts/src/lib/common/helper-methods.ts`:
- Around line 44-46: The forEach callback currently returns the result of
formData.append (via Object.entries(fields).forEach(([key, value]) =>
formData.append(key, value))), which triggers a Biome lint error; change this to
a non-returning loop such as using a for...of over Object.entries(fields) (e.g.,
for (const [key, value] of Object.entries(fields)) { formData.append(key, value)
}) or make the forEach callback a block that does not return (e.g., ([key,
value]) => { formData.append(key, value) }); refer to Object.entries, fields,
and formData.append to locate the code.
- Around line 59-63: The catch block in next-ts/src/lib/common/helper-methods.ts
currently does "throw new Error('File Upload Failed')" which discards the
original stack; replace that rethrow with one that preserves the original error
— either rethrow the caught error (change to "throw error") or, if you need a
custom message and your runtime supports Error cause, use "throw new Error('File
Upload Failed', { cause: error })" so the original stack and details are
retained (update the catch block that logs "File Upload Failed" / calls
message.error).

---

Nitpick comments:
In `@next-ts/app/`(public)/page.tsx:
- Around line 24-26: The useEffect currently calls getAllCourses but omits it
from the dependency array which trips react-hooks/exhaustive-deps and can close
over stale references; update the effect to include getAllCourses in the
dependency array (useEffect(() => { getAllCourses() }, [getAllCourses])) and if
getAllCourses is not already stable, memoize it where it's defined (e.g., in
your provider) using useCallback or by deriving it from a stable dispatch so the
reference doesn't change on each render.

In `@next-ts/src/providers/application-provider/index.tsx`:
- Line 40: The provider currently calls axiosInstance() on every render
(creating a new Axios instance and losing interceptors/in-flight requests);
change the code to memoize the result — e.g., use React.useMemo or a
React.useRef pattern to call axiosInstance() only once or when its real
dependencies change, assigning the memoized value to the instance variable used
in the provider; ensure you reference the axiosInstance() factory and the
instance variable so interceptors/config persist and include any relevant deps
array for useMemo.

In `@next-ts/src/providers/student-provider/index.tsx`:
- Around line 123-135: In registerStudentDocuments update the endpoint
construction to URL-encode the studentId (use encodeURIComponent(studentId))
before interpolating into the querystring so it matches the existing pattern
used for email; modify the endpoint variable inside the registerStudentDocuments
function to use encodeURIComponent to ensure consistency with the codebase.
- Line 67: The implementations for getStudentById, updateStudent, deleteStudent,
and getStudentByEmail currently accept optional parameters (id?: string /
email?: string) which diverges from the IStudentActionContext contract and can
produce URLs like "Id=undefined"; update each function signature to require the
parameter (id: string / email: string) to match IStudentActionContext and add a
short defensive check that throws or returns early if an empty string is passed
(e.g., validate param and throw new Error or return a rejected Promise) before
constructing URLs or performing fetches so undefined/empty values cannot be
interpolated into request URLs.

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

next-ts/src/providers/student-provider/index.tsx (2)

73-85: ⚠️ Potential issue | 🟡 Minor

Missing early-return guards for optional id/email before dispatching requests.

getStudentById, deleteStudent, and getStudentByEmail all dispatch a *Pending action and fire an HTTP request even when their optional argument is undefined/falsy, producing URLs like ?Id=undefined or ?email=.

🛡️ Suggested guards

 const getStudentById = async (id?: string) => {
+  if (!id) return;
   dispatch(getStudentByIdPending());

 const deleteStudent = async (id?: string) => {
+  if (!id) return;
   dispatch(deleteStudentPending());

 const getStudentByEmail = async (email?: string) => {
+  if (!email) return;
   dispatch(getStudentByEmailPending());
-  const endpoint = `Student/GetByEmail?email=${encodeURIComponent(email || "")}`;
+  const endpoint = `Student/GetByEmail?email=${encodeURIComponent(email)}`;

Also applies to: 101-113, 115-127

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/index.tsx` around lines 73 - 85,
getStudentById, deleteStudent and getStudentByEmail dispatch their "*Pending"
actions and perform HTTP calls even when their optional id/email args are falsy,
producing invalid endpoints (e.g. ?Id=undefined). Add an early-return guard at
the start of each function (getStudentById, deleteStudent, getStudentByEmail) to
check for a truthy id/email before dispatching the Pending action or calling
instance.get/delete; if the param is missing return immediately or dispatch an
appropriate error action (e.g.,
getStudentByIdError/getStudentByEmailError/deleteStudentError) with a clear
message instead of making the request.

---

73-85: ⚠️ Potential issue | 🟡 Minor

Missing early-return guards for optional id / email before dispatching and making requests.

If id is undefined, getStudentById and deleteStudent silently send requests to ?Id=undefined. Similarly, getStudentByEmail dispatches getStudentByEmailPending() and fires a request with an empty query parameter when email is falsy.

🛡️ Suggested guards

 const getStudentById = async (id?: string) => {
+  if (!id) return;
   dispatch(getStudentByIdPending());

 const deleteStudent = async (id?: string) => {
+  if (!id) return;
   dispatch(deleteStudentPending());

 const getStudentByEmail = async (email?: string) => {
+  if (!email) return;
   dispatch(getStudentByEmailPending());
-  const endpoint = `Student/GetByEmail?email=${encodeURIComponent(email || "")}`;
+  const endpoint = `Student/GetByEmail?email=${encodeURIComponent(email)}`;

Also applies to: 101-113, 115-127

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/index.tsx` around lines 73 - 85, Add
early-return input guards to prevent dispatching and making HTTP requests when
required params are missing: in getStudentById (and similarly in deleteStudent
and getStudentByEmail) check for a falsy id/email at the top and return
immediately before calling dispatch or instance.get/delete; do not dispatch
pending actions or build endpoints like `?Id=${id}` or `?Email=${email}` when
id/email is undefined/empty. Locate functions getStudentById, deleteStudent, and
getStudentByEmail and put the guard at the start of each (before
getStudentByIdPending/getStudentByEmailPending or deleteStudentPending) to
short-circuit and avoid sending requests with `undefined`/empty query params.

♻️ Duplicate comments (4)

next-ts/app/(public)/page.tsx (1)

30-32: ⚠️ Potential issue | 🟡 Minor

Surface an error state and gate Courses on success.
If loading fails, the UI is silent and still renders the Courses list (often empty), which is a confusing UX. Consider showing an error message and only rendering Courses when isSuccess is true.

💡 Suggested change

-      {isPending && <p>Loading...</p>}
+      {isPending && <p>Loading...</p>}
+      {isError && <p>Failed to load courses. Please try again.</p>}
...
-      <Courses 
-        courseList={courses} 
-      />
+      {isSuccess && (
+        <Courses courseList={courses} />
+      )}

Also applies to: 74-76

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/app/`(public)/page.tsx around lines 30 - 32, The UI currently shows a
loading state via isPending but still renders <Courses> even when the load
failed; update the render logic to gate rendering of the Courses component on
isSuccess and render an explicit error state when isError (or when the error
object exists). Specifically, in the component that uses the
isPending/isSuccess/isError flags and renders <Courses>, replace the
unconditional <Courses /> render with conditional rendering: show the loading
paragraph when isPending, show an error message (using the error message from
the query/error object) when isError, and only render <Courses> when isSuccess
is true; apply the same change to the other similar block around the symbols
mentioned for lines 74–76.

next-ts/app/(public)/apply/page.tsx (1)

30-36: ⚠️ Potential issue | 🟡 Minor

Remove debug console.log in submitApplication.

Line 35 logs in production. Prefer UI feedback or remove.

Proposed fix

-      console.log("Application submitted successfully");

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/app/`(public)/apply/page.tsx around lines 30 - 36, In
submitApplication, remove the debug console.log("Application submitted
successfully") (inside the try block after calling
applicationActions.createApplication) and instead surface success via existing
UI feedback or state—e.g., trigger a toast, set a success state, or call the
success handler used elsewhere—so no console logging remains in production.

next-ts/src/lib/common/helper-methods.ts (1)

40-63: ⚠️ Potential issue | 🟡 Minor

Fix Biome forEach lint + preserve original upload error.

Line 44 triggers the Biome lint about iterable callbacks returning a value, and Line 62 discards the original error context.

Proposed fix

-    Object.entries(fields).forEach(([key, value]) =>
-      formData.append(key, value),
-    );
+    Object.entries(fields).forEach(([key, value]) => {
+      formData.append(key, value);
+    });
@@
-    throw new Error('File Upload Failed')
+    throw new Error('File Upload Failed', { cause: error });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/lib/common/helper-methods.ts` around lines 40 - 63, The Biome
lint is triggered by using Object.entries(...).forEach with an iterable callback
and the catch block drops original error detail; replace the forEach in the
upload routine (the code that calls Object.entries(fields) and appends into
formData) with an explicit loop (e.g., for (const [key, value] of
Object.entries(fields)) formData.append(key, value)) to avoid returning from an
iterable callback, and in the catch block preserve and rethrow the original
error (or include its message) instead of throwing a new generic Error('File
Upload Failed') so the original error context from the upload path is not lost;
update any user-facing message.error to include a concise error message (e.g.,
error.message) as needed.

next-ts/src/components/FileUpload/index.tsx (1)

25-40: ⚠️ Potential issue | 🟠 Major

Don't mark oversized files as uploaded.

handleUpload returns Upload.LIST_IGNORE when a file exceeds the size limit, but this return value is ignored in the beforeUpload handler. The code still calls setFile(uploadedFile) regardless, marking the file as "done" and disabling further uploads despite the size validation failure. The error message is shown, but the UI displays a false success state.

Proposed fix

       try {
-        await handleUpload(f, studentId, uploadedFile.name);
-        setFile(uploadedFile);
+        const result = await handleUpload(f, studentId, uploadedFile.name);
+        if (result === Upload.LIST_IGNORE) {
+          return Upload.LIST_IGNORE;
+        }
+        setFile(uploadedFile);
       } catch (err) {
         console.error('Could Not Upload Document: ', err)
         throw new Error('Could Not Upload Document')
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/components/FileUpload/index.tsx` around lines 25 - 40, The
beforeUpload handler prematurely marks files as uploaded and calls setFile even
when handleUpload signals oversized files by returning Upload.LIST_IGNORE;
modify beforeUpload to first call handleUpload(f, studentId, uploadedFile.name),
check its return value and if it equals Upload.LIST_IGNORE then return
Upload.LIST_IGNORE immediately without calling setFile or setting
uploadedFile.status to "done", otherwise proceed to setFile with a successful
status; ensure you also don't create/mark uploadedFile as "done" before the size
check (use renameFile and uploadedFile only after confirming handleUpload
succeeded).

🧹 Nitpick comments (4)

aspnet-core/src/Moipone.PublicSite.Application/Students/IStudentAppService.cs (1)

12-12: RegisterStudentDocumentsAsync — ambiguous command name and missing payload

The signature accepts only a studentId with no document data. As a write/command operation the name Register… is opaque: it doesn't communicate what state change occurs (e.g., marking uploaded S3 files as confirmed, updating a status flag, triggering a workflow). Callers reading the interface contract alone cannot infer what "registering documents" entails.

Consider a more expressive name that reflects the intent, e.g. ConfirmDocumentUploadAsync or FinalizeDocumentSubmissionAsync, and if the behaviour really is "mark the student's documents as submitted after S3 upload", document that contract (or encode it in the name).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/IStudentAppService.cs`
at line 12, The interface method Task<StudentDto>
RegisterStudentDocumentsAsync(Guid studentId) is ambiguous and lacks any
document payload; rename it to a purpose-revealing command (for example
ConfirmDocumentUploadAsync or FinalizeDocumentSubmissionAsync) and update its
signature to accept an explicit payload that describes the state change (e.g., a
DocumentConfirmationDto or FinalizeDocumentsRequest containing document
identifiers, confirmation flag, or S3 keys and optional metadata) so callers
understand what is being changed; update references to the method name
(RegisterStudentDocumentsAsync ->
ConfirmDocumentUploadAsync/FinalizeDocumentSubmissionAsync) and adjust consuming
code and DTOs (StudentDto consumers) accordingly to pass the new payload and
reflect the clarified contract.

next-ts/src/components/StatusBanner/index.tsx (1)

12-21: Use variant-appropriate ARIA role for non-error banners.

Line 19 uses role="alert" for all variants, which is assertive. Consider role="status" for success/info/warning and reserve alert for errors.

Suggested adjustment

 const StatusBanner: React.FC<StatusMessageProps> = ({
   message,
   variant = 'info',
 }) => {
   const { styles } = useStyles();
+  const ariaRole = variant === "error" ? "alert" : "status";
+  const ariaLive = variant === "error" ? "assertive" : "polite";

   return (
-    <p className={styles[variant]} role="alert" aria-live="polite">
+    <p className={styles[variant]} role={ariaRole} aria-live={ariaLive}>
       {MESSAGE_ICONS[variant]}
       {message}
     </p>
   );
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/components/StatusBanner/index.tsx` around lines 12 - 21,
StatusBanner currently sets role="alert" for all variants; change the component
(StatusBanner) to use role="alert" only when variant === 'error' and use
role="status" for success/info/warning, and adjust aria-live if desired (e.g.,
keep aria-live="polite" for non-error and use "assertive" for error) so
MESSAGE_ICONS rendering and message prop remain unchanged.

next-ts/src/providers/student-provider/context.ts (2)

42-51: getStudentById and deleteStudent interface signatures diverge from their implementations.

Both are still declared as (id: string) here while the implementations in index.tsx accept id?: string. TypeScript won't error (a wider parameter type is assignable in the contravariant position), but the interface documents a stricter contract than the impl enforces, which is misleading.

♻️ Align interface with implementation

-  getStudentById: (id: string) => Promise<void>;
+  getStudentById: (id?: string) => Promise<void>;
   updateStudent: (id: string, student?: IStudent) => Promise<void>;
-  deleteStudent: (id: string) => Promise<void>;
+  deleteStudent: (id?: string) => Promise<void>;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/context.ts` around lines 42 - 51, The
interface IStudentActionContext currently declares getStudentById(id: string)
and deleteStudent(id: string) but their implementations in index.tsx accept
optional ids (id?: string); update the IStudentActionContext signatures for
getStudentById and deleteStudent to accept an optional string (id?: string) to
match the implementation and keep the contract consistent with the functions in
index.tsx.

---

42-51: getStudentById and deleteStudent interface signatures are inconsistent with their implementations.

Both are still declared as (id: string) here, but the implementations in index.tsx accept id?: string. TypeScript won't surface this as an error, but the interface is documenting a stricter contract than the implementation actually enforces. If a caller somehow provides undefined, the request URLs become ?Id=undefined.

♻️ Align interface with implementation

-  getStudentById: (id: string) => Promise<void>;
+  getStudentById: (id?: string) => Promise<void>;
   updateStudent: (id: string, student?: IStudent) => Promise<void>;
-  deleteStudent: (id: string) => Promise<void>;
+  deleteStudent: (id?: string) => Promise<void>;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@next-ts/src/providers/student-provider/context.ts` around lines 42 - 51,
IStudentActionContext's getStudentById and deleteStudent are declared with (id:
string) but their implementations in index.tsx accept id?: string; update the
interface signatures for getStudentById and deleteStudent to accept an optional
id (id?: string) to match the implementation (or alternatively change the
implementations to require string), ensuring consistency between
IStudentActionContext and the functions implemented in index.tsx.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/IStudentAppService.cs`:
- Line 11: Rename the method GetByIdNumberAsync to GetStudentByIdNumberAsync to
match the existing GetStudentByEmailAsync naming convention, and then protect
access to sensitive PII: either add an authorization attribute (e.g., decorate
the method in IStudentAppService and its controller/implementation with
[Authorize] and require a defined permission in PublicSiteAuthorizationProvider)
or change the return to a minimal projection (not StudentDto) that excludes
address/PII; update any callers to use the new method name and ensure the
required permission is registered and enforced.

In `@next-ts/app/`(public)/page.tsx:
- Around line 20-26: The effect in page.tsx calls getAllCourses from
useCourseActions but doesn't include it in the dependency array; either add
getAllCourses to the useEffect dependency array or, preferably, memoize
getAllCourses in the provider with useCallback so its reference is stable.
Locate the provider that defines getAllCourses (the function returned by
useCourseActions) and wrap its implementation with React.useCallback so
consumers like page.tsx can safely call getAllCourses inside useEffect without
triggering exhaustive-deps warnings.

In `@next-ts/src/components/ApplicationForm/index.tsx`:
- Around line 720-726: The submit button label check uses currentStep === 3 but
the component only uses steps 0–2; update the condition to detect the final step
dynamically (e.g. compare currentStep to steps.length - 1 or use an isLastStep
boolean) so the Button rendered in the ApplicationForm shows "Submit
Application" on the actual final step; adjust any related logic around
currentStep/handleNext if you add an isLastStep helper.

In `@next-ts/src/lib/common/helper-methods.ts`:
- Around line 110-122: sanitizeStudentData currently mutates the incoming
student object (deleting fields and modifying properties) which can leak into
React state; instead create a new sanitized object and return it. Copy the
student (e.g., via object spread) into a new variable inside
sanitizeStudentData, shallow-copy nested residentialAddress if present, remove
or set to undefined the sensitive fields (id, proofOfResidence,
certifiedHighestQualification, certifiedId, curriculumVitae,
residentialAddress.id) on the new object, then normalize idNumber, format
dateOfBirth with dayjs, compute age using calculateAge on the formatted date,
and return the new object without mutating the original IStudent input.

In `@next-ts/src/providers/student-provider/index.tsx`:
- Around line 129-141: The registerStudentDocuments function currently
dispatches registerStudentDocumentsError(err.message) in its catch but does not
rethrow, causing callers to be unaware of failures; update
registerStudentDocuments to rethrow the caught error after dispatching the error
action so callers can handle it (same pattern used in createStudent and
getStudentByIdNumber), locating the logic inside registerStudentDocuments and
ensuring both the dispatch(registerStudentDocumentsError(...)) call and a
subsequent throw err are present.
- Around line 129-141: The registerStudentDocuments function currently
dispatches registerStudentDocumentsError(err.message) in its catch but does not
rethrow, causing callers to be unaware of failures; update
registerStudentDocuments to rethrow the caught error after dispatching the error
action (same pattern used in createStudent and getStudentByIdNumber) so calling
code can handle UI/flow rollback. Locate registerStudentDocuments and ensure the
catch block both dispatches registerStudentDocumentsError with the error message
and then throw the original error (or rethrow err) so the promise rejects for
callers.
- Around line 156-162: The 404 handler currently dispatches
getStudentByIdNumberError which sets isError:true; instead dispatch the success
action with an explicit undefined/null student (e.g.,
dispatch(getStudentByIdNumberSuccess(undefined))) to represent a completed
search with no record, or add a new action like getStudentByIdNumberNotFound
that sets isSuccess:true, isError:false and student:undefined; update the .catch
block around dispatch(...) where getStudentByIdNumberError is called to use the
success/NotFound action so UI consumers don't treat "not found" as an error.
- Around line 156-162: The catch block that handles a 404 currently dispatches
getStudentByIdNumberError("NOT_FOUND"), which incorrectly sets isError: true;
update the 404 branch in the .catch handler so it does not dispatch the error
action—either dispatch getStudentByIdNumberSuccess(undefined) (or the existing
success action with a null/undefined student) to represent "no student found",
or add and dispatch a new action getStudentByIdNumberNotFound that sets {
isSuccess: true, isError: false, student: undefined }; modify the code around
the dispatch call in the catch block that references getStudentByIdNumberError
to use the chosen non-error action instead.

---

Outside diff comments:
In `@next-ts/src/providers/student-provider/index.tsx`:
- Around line 73-85: getStudentById, deleteStudent and getStudentByEmail
dispatch their "*Pending" actions and perform HTTP calls even when their
optional id/email args are falsy, producing invalid endpoints (e.g.
?Id=undefined). Add an early-return guard at the start of each function
(getStudentById, deleteStudent, getStudentByEmail) to check for a truthy
id/email before dispatching the Pending action or calling instance.get/delete;
if the param is missing return immediately or dispatch an appropriate error
action (e.g., getStudentByIdError/getStudentByEmailError/deleteStudentError)
with a clear message instead of making the request.
- Around line 73-85: Add early-return input guards to prevent dispatching and
making HTTP requests when required params are missing: in getStudentById (and
similarly in deleteStudent and getStudentByEmail) check for a falsy id/email at
the top and return immediately before calling dispatch or instance.get/delete;
do not dispatch pending actions or build endpoints like `?Id=${id}` or
`?Email=${email}` when id/email is undefined/empty. Locate functions
getStudentById, deleteStudent, and getStudentByEmail and put the guard at the
start of each (before getStudentByIdPending/getStudentByEmailPending or
deleteStudentPending) to short-circuit and avoid sending requests with
`undefined`/empty query params.

---

Duplicate comments:
In `@next-ts/app/`(public)/apply/page.tsx:
- Around line 30-36: In submitApplication, remove the debug
console.log("Application submitted successfully") (inside the try block after
calling applicationActions.createApplication) and instead surface success via
existing UI feedback or state—e.g., trigger a toast, set a success state, or
call the success handler used elsewhere—so no console logging remains in
production.

In `@next-ts/app/`(public)/page.tsx:
- Around line 30-32: The UI currently shows a loading state via isPending but
still renders <Courses> even when the load failed; update the render logic to
gate rendering of the Courses component on isSuccess and render an explicit
error state when isError (or when the error object exists). Specifically, in the
component that uses the isPending/isSuccess/isError flags and renders <Courses>,
replace the unconditional <Courses /> render with conditional rendering: show
the loading paragraph when isPending, show an error message (using the error
message from the query/error object) when isError, and only render <Courses>
when isSuccess is true; apply the same change to the other similar block around
the symbols mentioned for lines 74–76.

In `@next-ts/src/components/FileUpload/index.tsx`:
- Around line 25-40: The beforeUpload handler prematurely marks files as
uploaded and calls setFile even when handleUpload signals oversized files by
returning Upload.LIST_IGNORE; modify beforeUpload to first call handleUpload(f,
studentId, uploadedFile.name), check its return value and if it equals
Upload.LIST_IGNORE then return Upload.LIST_IGNORE immediately without calling
setFile or setting uploadedFile.status to "done", otherwise proceed to setFile
with a successful status; ensure you also don't create/mark uploadedFile as
"done" before the size check (use renameFile and uploadedFile only after
confirming handleUpload succeeded).

In `@next-ts/src/lib/common/helper-methods.ts`:
- Around line 40-63: The Biome lint is triggered by using
Object.entries(...).forEach with an iterable callback and the catch block drops
original error detail; replace the forEach in the upload routine (the code that
calls Object.entries(fields) and appends into formData) with an explicit loop
(e.g., for (const [key, value] of Object.entries(fields)) formData.append(key,
value)) to avoid returning from an iterable callback, and in the catch block
preserve and rethrow the original error (or include its message) instead of
throwing a new generic Error('File Upload Failed') so the original error context
from the upload path is not lost; update any user-facing message.error to
include a concise error message (e.g., error.message) as needed.

---

Nitpick comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/IStudentAppService.cs`:
- Line 12: The interface method Task<StudentDto>
RegisterStudentDocumentsAsync(Guid studentId) is ambiguous and lacks any
document payload; rename it to a purpose-revealing command (for example
ConfirmDocumentUploadAsync or FinalizeDocumentSubmissionAsync) and update its
signature to accept an explicit payload that describes the state change (e.g., a
DocumentConfirmationDto or FinalizeDocumentsRequest containing document
identifiers, confirmation flag, or S3 keys and optional metadata) so callers
understand what is being changed; update references to the method name
(RegisterStudentDocumentsAsync ->
ConfirmDocumentUploadAsync/FinalizeDocumentSubmissionAsync) and adjust consuming
code and DTOs (StudentDto consumers) accordingly to pass the new payload and
reflect the clarified contract.

In `@next-ts/src/components/StatusBanner/index.tsx`:
- Around line 12-21: StatusBanner currently sets role="alert" for all variants;
change the component (StatusBanner) to use role="alert" only when variant ===
'error' and use role="status" for success/info/warning, and adjust aria-live if
desired (e.g., keep aria-live="polite" for non-error and use "assertive" for
error) so MESSAGE_ICONS rendering and message prop remain unchanged.

In `@next-ts/src/providers/student-provider/context.ts`:
- Around line 42-51: The interface IStudentActionContext currently declares
getStudentById(id: string) and deleteStudent(id: string) but their
implementations in index.tsx accept optional ids (id?: string); update the
IStudentActionContext signatures for getStudentById and deleteStudent to accept
an optional string (id?: string) to match the implementation and keep the
contract consistent with the functions in index.tsx.
- Around line 42-51: IStudentActionContext's getStudentById and deleteStudent
are declared with (id: string) but their implementations in index.tsx accept
id?: string; update the interface signatures for getStudentById and
deleteStudent to accept an optional id (id?: string) to match the implementation
(or alternatively change the implementations to require string), ensuring
consistency between IStudentActionContext and the functions implemented in
index.tsx.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 330b79e and 4c02fe5.

📒 Files selected for processing (15)

• aspnet-core/src/Moipone.PublicSite.Application/Students/IStudentAppService.cs
• aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs
• aspnet-core/src/Moipone.PublicSite.Web.Host/App_Data/Logs/Logs.txt
• next-ts/app/(public)/apply/page.tsx
• next-ts/app/(public)/page.tsx
• next-ts/src/components/ApplicationForm/index.tsx
• next-ts/src/components/FileUpload/index.tsx
• next-ts/src/components/StatusBanner/index.tsx
• next-ts/src/components/StatusBanner/style.ts
• next-ts/src/lib/common/constants.tsx
• next-ts/src/lib/common/helper-methods.ts
• next-ts/src/providers/student-provider/actions.ts
• next-ts/src/providers/student-provider/context.ts
• next-ts/src/providers/student-provider/index.tsx
• next-ts/src/providers/student-provider/reducer.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs (1)

252-280: ⚠️ Potential issue | 🟠 Major

RegisterStudentDocumentsAsync still doesn’t use actual uploaded document keys.

The method persists fixed key patterns (id.pdf, por.pdf, etc.) without accepting file keys/URLs from the upload flow. If upload names/extensions differ, stored references will be wrong.

🔧 Suggested contract update

-public async Task<StudentDto> RegisterStudentDocumentsAsync(Guid studentId)
+public async Task<StudentDto> RegisterStudentDocumentsAsync(Guid studentId, RegisterStudentDocumentsDto input)
 {
     ...
-    student.CertifiedId = $"{s3Prefix}/{studentId}/id.pdf";
-    student.ProofOfResidence = $"{s3Prefix}/{studentId}/por.pdf";
-    student.CurriculumVitae = $"{s3Prefix}/{studentId}/cv.pdf";
-    student.CertifiedHighestQualification = $"{s3Prefix}/{studentId}/chq.pdf";
+    student.CertifiedId = input.CertifiedIdPath;
+    student.ProofOfResidence = input.ProofOfResidencePath;
+    student.CurriculumVitae = input.CurriculumVitaePath;
+    student.CertifiedHighestQualification = input.CertifiedHighestQualificationPath;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`
around lines 252 - 280, RegisterStudentDocumentsAsync currently writes
hard-coded filenames (id.pdf, por.pdf, cv.pdf, chq.pdf) which breaks if uploaded
keys differ; change the method to accept or obtain actual uploaded keys (e.g., a
StudentDocumentsDto parameter with IdKey, ProofOfResidenceKey,
CurriculumVitaeKey, CertifiedHighestQualificationKey or call an upload service
like _uploadService.GetKeysForStudent(studentId)), validate each returned key
(not null/empty), assign those keys to student.CertifiedId /
student.ProofOfResidence / student.CurriculumVitae /
student.CertifiedHighestQualification instead of composing fixed names, then
call _studentRepository.UpdateAsync(student) and map the result as before; also
keep the existing checks for Guid.Empty and student not found and throw the same
UserFriendlyException when validation fails.

🧹 Nitpick comments (1)

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs (1)

6-6: using Abp.Data appears unused.

This import was added but nothing in the file references any type from Abp.Data. If it's not needed, remove it to keep the file clean.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs`
at line 6, The using directive "using Abp.Data" in PublicSiteDbContextFactory.cs
is unused; remove that import line from the file (in the
PublicSiteDbContextFactory class/namespace) and ensure the project still
compiles (run a build or IDE cleanup) so no unused usings remain.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`:
- Around line 272-277: Validate and normalize the S3 prefix before composing
document paths: read _config["App:S3Prefix"] into s3Prefix, guard against
null/empty (log or default to empty string), trim whitespace and remove any
leading or trailing slashes so it cannot produce double or leading slashes, then
build the fields student.CertifiedId, student.ProofOfResidence,
student.CurriculumVitae and student.CertifiedHighestQualification using the
normalized s3Prefix; encapsulate this logic in a small helper (e.g.,
NormalizeS3Prefix) inside StudentAppService and replace the inline usage so all
four assignments use the cleaned value.

In
`@aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs`:
- Around line 24-27: Remove the dead configuration retrieval and add a
null-check for the environment variable: delete the unused configuration =
AppConfigurations.Get(WebContentDirectoryFinder.CalculateContentRootFolder())
and related usings/comments, then read the connection string via
Environment.GetEnvironmentVariable("ConnectionStrings__Default") into
connectionString and immediately guard it (e.g., if null or empty throw new
InvalidOperationException with a clear message like "ConnectionStrings__Default
environment variable is not set") before calling
PublicSiteDbContextConfigurer.Configure(builder, connectionString) in
PublicSiteDbContextFactory; ensure the exception type and message make
design-time failures (dotnet ef) self-explanatory.

---

Duplicate comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`:
- Around line 252-280: RegisterStudentDocumentsAsync currently writes hard-coded
filenames (id.pdf, por.pdf, cv.pdf, chq.pdf) which breaks if uploaded keys
differ; change the method to accept or obtain actual uploaded keys (e.g., a
StudentDocumentsDto parameter with IdKey, ProofOfResidenceKey,
CurriculumVitaeKey, CertifiedHighestQualificationKey or call an upload service
like _uploadService.GetKeysForStudent(studentId)), validate each returned key
(not null/empty), assign those keys to student.CertifiedId /
student.ProofOfResidence / student.CurriculumVitae /
student.CertifiedHighestQualification instead of composing fixed names, then
call _studentRepository.UpdateAsync(student) and map the result as before; also
keep the existing checks for Guid.Empty and student not found and throw the same
UserFriendlyException when validation fails.

---

Nitpick comments:
In
`@aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs`:
- Line 6: The using directive "using Abp.Data" in PublicSiteDbContextFactory.cs
is unused; remove that import line from the file (in the
PublicSiteDbContextFactory class/namespace) and ensure the project still
compiles (run a build or IDE cleanup) so no unused usings remain.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c02fe5 and 74c640e.

📒 Files selected for processing (7)

• aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs
• aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextConfigurer.cs
• aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs
• aspnet-core/src/Moipone.PublicSite.Web.Host/App_Data/Logs/Logs.txt
• aspnet-core/src/Moipone.PublicSite.Web.Host/Startup/Startup.cs
• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.Staging.json
• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.json

💤 Files with no reviewable changes (1)

• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.Staging.json

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs (1)

18-23: ⚠️ Potential issue | 🟡 Minor

The design-time comment block is stale after the env-var refactor.

Lines 18-23 still describe AppConfigurations.Get(...), but the code now uses Environment.GetEnvironmentVariable(...) at Line 24, which is misleading.

Suggested fix

-        /*
-         You can provide an environmentName parameter to the AppConfigurations.Get method. 
-         In this case, AppConfigurations will try to read appsettings.{environmentName}.json.
-         Use Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") method or from string[] args to get environment if necessary.
-         https://docs.microsoft.com/en-us/ef/core/cli/dbcontext-creation?tabs=dotnet-core-cli#args
-         */
+        // Design-time DbContext uses environment variable:
+        // ConnectionStrings__Default
+        // Ensure it is set before running `dotnet ef ...` commands.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs`
around lines 18 - 23, The comment block referencing AppConfigurations.Get(...)
is outdated; update the design-time comment in PublicSiteDbContextFactory
(around the constructor or CreateDbContext method) to reflect that
Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") is used to obtain
the environment and that appsettings.{env}.json will be read accordingly,
removing or replacing mention of AppConfigurations.Get(...) and adjusting the
guidance/URL if needed to match the current env-var refactor.

🧹 Nitpick comments (1)

aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs (1)

272-277: Consider extracting document-key composition into a helper.

The repeated interpolation is maintainable now, but a tiny helper will reduce duplication and future drift.

♻️ Proposed refactor

-                string s3Prefix = _config["App:S3Prefix"];
-
-                student.CertifiedId = $"{s3Prefix}/{studentId}/id.pdf";
-                student.ProofOfResidence = $"{s3Prefix}/{studentId}/por.pdf";
-                student.CurriculumVitae = $"{s3Prefix}/{studentId}/cv.pdf";
-                student.CertifiedHighestQualification = $"{s3Prefix}/{studentId}/chq.pdf";
+                var s3Prefix = _config["App:S3Prefix"];
+
+                student.CertifiedId = BuildDocumentKey(s3Prefix, studentId, "id.pdf");
+                student.ProofOfResidence = BuildDocumentKey(s3Prefix, studentId, "por.pdf");
+                student.CurriculumVitae = BuildDocumentKey(s3Prefix, studentId, "cv.pdf");
+                student.CertifiedHighestQualification = BuildDocumentKey(s3Prefix, studentId, "chq.pdf");

private static string BuildDocumentKey(string prefix, Guid studentId, string fileName)
{
    return $"{prefix}/{studentId}/{fileName}";
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`
around lines 272 - 277, Extract the repeated S3 key composition into a single
helper (e.g., BuildDocumentKey) and replace the four interpolations that set
student.CertifiedId, student.ProofOfResidence, student.CurriculumVitae, and
student.CertifiedHighestQualification with calls to that helper using the
existing s3Prefix and studentId; implement a signature like
BuildDocumentKey(string prefix, Guid studentId, string fileName) and use it to
return $"{prefix}/{studentId}/{fileName}" so the property assignments become
BuildDocumentKey(s3Prefix, studentId, "id.pdf") etc.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`:
- Around line 252-277: The RegisterStudentDocumentsAsync method currently builds
S3 keys using s3Prefix and abbreviated filenames (id.pdf, por.pdf, chq.pdf)
which do not match the frontend upload paths; update the backend to persist the
exact frontend keys instead: use the "student-documents" prefix and the frontend
filenames ("id-document.pdf", "proof-of-residence.pdf", "cv.pdf",
"highest-qualification.pdf") when assigning student.CertifiedId,
student.ProofOfResidence, student.CurriculumVitae, and
student.CertifiedHighestQualification (use the existing s3Prefix or replace it
with "student-documents" if s3Prefix is not that value), ensuring the pattern is
$"{prefix}/{studentId}/{filename}" so keys align with uploads in
RegisterStudentDocumentsAsync and the Student entity properties.

In `@aspnet-core/src/Moipone.PublicSite.Web.Host/Startup/Startup.cs`:
- Around line 133-137: The OpenApiContact metadata in Startup.cs is
inconsistent: the Contact object (new OpenApiContact with Name, Email, Url) uses
the Moipone email but still points to ASP Boilerplate’s Twitter URL; update the
Url property on the OpenApiContact to a correct Moipone contact URL (for example
the organization homepage or a dedicated contact page like
https://moiponeacademy.org or https://moiponeacademy.org/contact) so the Contact
(Name, Email, Url) fields are consistent and reflect Moipone’s official contact
information.

---

Duplicate comments:
In
`@aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs`:
- Around line 18-23: The comment block referencing AppConfigurations.Get(...) is
outdated; update the design-time comment in PublicSiteDbContextFactory (around
the constructor or CreateDbContext method) to reflect that
Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") is used to obtain
the environment and that appsettings.{env}.json will be read accordingly,
removing or replacing mention of AppConfigurations.Get(...) and adjusting the
guidance/URL if needed to match the current env-var refactor.

---

Nitpick comments:
In
`@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`:
- Around line 272-277: Extract the repeated S3 key composition into a single
helper (e.g., BuildDocumentKey) and replace the four interpolations that set
student.CertifiedId, student.ProofOfResidence, student.CurriculumVitae, and
student.CertifiedHighestQualification with calls to that helper using the
existing s3Prefix and studentId; implement a signature like
BuildDocumentKey(string prefix, Guid studentId, string fileName) and use it to
return $"{prefix}/{studentId}/{fileName}" so the property assignments become
BuildDocumentKey(s3Prefix, studentId, "id.pdf") etc.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c02fe5 and 154bf7f.

📒 Files selected for processing (7)

• aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs
• aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextConfigurer.cs
• aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextFactory.cs
• aspnet-core/src/Moipone.PublicSite.Web.Host/App_Data/Logs/Logs.txt
• aspnet-core/src/Moipone.PublicSite.Web.Host/Startup/Startup.cs
• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.Staging.json
• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.json

💤 Files with no reviewable changes (1)

• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.Staging.json

✅ Files skipped from review due to trivial changes (1)

• aspnet-core/src/Moipone.PublicSite.EntityFrameworkCore/EntityFrameworkCore/PublicSiteDbContextConfigurer.cs

🚧 Files skipped from review as they are similar to previous changes (1)

• aspnet-core/src/Moipone.PublicSite.Web.Host/appsettings.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" | head -20

Repository: blebelo/moipone

Length of output: 933

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Backend: document key pattern and registration contract =="
rg -n -C3 'RegisterStudentDocumentsAsync|App:S3Prefix|id\.pdf|por\.pdf|cv\.pdf|chq\.pdf' || true

echo "== Frontend: search for upload-related files and patterns =="
rg -n -C2 'registerStudentDocuments|RegisterStudentDocuments|id\.pdf|por\.pdf|cv\.pdf|chq\.pdf' --type=ts --type=tsx --type=js || true

echo "== Look for S3 upload utilities =="
fd -e ts -e tsx -e js | xargs rg -l 's3|upload|S3' 2>/dev/null | head -20 || true

echo "== Service/DTO definitions =="
rg -n 'RegisterStudentDocumentsAsync|StudentDto' --type=cs -A5 | head -50 || true

Repository: blebelo/moipone

Length of output: 10950

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== FileUpload Component =="
cat -n next-ts/src/components/FileUpload/index.tsx

echo ""
echo "== ApplicationForm Component (document upload section) =="
cat -n next-ts/src/components/ApplicationForm/index.tsx | head -100

echo ""
echo "== Server Actions =="
cat -n next-ts/src/lib/common/server-actions.ts

Repository: blebelo/moipone

Length of output: 7058

---

🏁 Script executed:

cat -n next-ts/src/lib/common/helper-methods.ts

Repository: blebelo/moipone

Length of output: 4444

---

🏁 Script executed:

rg -n 'FileUpload' next-ts/src/components/ApplicationForm/index.tsx -A2 -B2

Repository: blebelo/moipone

Length of output: 1144

---

🏁 Script executed:

rg -n 'FileUpload' next-ts/src/components/ApplicationForm/index.tsx -A5 | grep -A5 'FileUpload'

Repository: blebelo/moipone

Length of output: 1361

---

Fix critical mismatch between frontend upload keys and backend persisted paths.

The frontend uploads to student-documents/{studentId}/{filename} with filenames id-document.pdf, proof-of-residence.pdf, cv.pdf, highest-qualification.pdf, but the backend persists {s3Prefix}/{studentId}/id.pdf, por.pdf, cv.pdf, chq.pdf. The prefixes, filename mappings, and abbreviated names do not align. Only cv.pdf matches. Either align the frontend uploads to match the hardcoded backend keys (id.pdf, por.pdf, chq.pdf with backend's s3Prefix), or refactor the backend to use the frontend's filename scheme (id-document.pdf, proof-of-residence.pdf, highest-qualification.pdf with the student-documents prefix).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@aspnet-core/src/Moipone.PublicSite.Application/Students/StudentAppService.cs`
around lines 252 - 277, The RegisterStudentDocumentsAsync method currently
builds S3 keys using s3Prefix and abbreviated filenames (id.pdf, por.pdf,
chq.pdf) which do not match the frontend upload paths; update the backend to
persist the exact frontend keys instead: use the "student-documents" prefix and
the frontend filenames ("id-document.pdf", "proof-of-residence.pdf", "cv.pdf",
"highest-qualification.pdf") when assigning student.CertifiedId,
student.ProofOfResidence, student.CurriculumVitae, and
student.CertifiedHighestQualification (use the existing s3Prefix or replace it
with "student-documents" if s3Prefix is not that value), ensuring the pattern is
$"{prefix}/{studentId}/{filename}" so keys align with uploads in
RegisterStudentDocumentsAsync and the Student entity properties.