Add course waitlist functionality with position tracking and notifications

[Copilot]

Implements waitlist management for courses at max enrollment. Students join waitlists with position tracking and receive notifications when spots open.

Domain Changes

• Added MaxEnrollment (default 30) and IsFull computed property to Course
• New WaitlistEntry entity with Position, NotificationPreference, and NotifiedAt tracking
• New NotificationType enum: Email, InApp, Both

Application Layer

• WaitlistService: Join/leave waitlist, position management, admin reordering
• NotificationService: Email/in-app notification abstraction (currently logs)
• Modified RegistrationService.CancelRegistrationAsync() to trigger NotifyNextStudentAsync() on confirmed cancellations
• Registration validation now checks course.IsFull and throws with waitlist suggestion

Infrastructure

• WaitlistRepository: Active waitlist queries, position calculation, auto-reordering on removal
• Updated CourseRepository.GetByIdAsync() and GetPagedAsync() to eager-load Registrations and WaitlistEntries for computed properties

API

Nine new endpoints on /api/waitlist:

• POST / - Join waitlist
• GET /{id}, /course/{courseId}, /student/{studentId} - Read operations
• DELETE /{id} - Leave waitlist (auto-reorders positions)
• PATCH /{id} - Update preferences/notes
• Admin: DELETE /course/{courseId}/clear, PUT /course/{courseId}/reorder, POST /course/{courseId}/notify-next

Example Usage

// Registration attempt on full course
var course = await _courseService.GetCourseAsync(courseId);
if (course.IsFull)
    throw new InvalidOperationException(
        $"Course is full (max enrollment: {course.MaxEnrollment}). " +
        "Please join the waitlist instead.");

// Join waitlist
var entry = await _waitlistService.JoinWaitlistAsync(new CreateWaitlistEntryDto 
{
    StudentId = studentId,
    CourseId = courseId,
    NotificationPreference = NotificationType.Email
});
// Returns position in waitlist

// When registration cancelled
await _registrationService.CancelRegistrationAsync(regId);
// Automatically notifies position 1 on waitlist

Validations

• One active waitlist entry per student per course (service-level check)
• Cannot join waitlist if already registered
• Reorder operations validate all entries included with sequential positions

Original prompt

---

This section details on the original issue you should resolve

<issue_title>User Story: Join Course Waitlist When Full</issue_title>
<issue_description>## User Story
As a student, I want to join a course waitlist when the course is full, so that I can be notified when a spot becomes available.

Acceptance Criteria

• When a course reaches max enrollment, student is prompted to join the waitlist.
• Student can join the waitlist and see their position.
• When a spot opens, notify the next student on the waitlist (via email or in-app notification).
• Student can view and leave the waitlist anytime.
• Only one active waitlist registration/candidate per student per course.
• Admin can review/reorder/clear the waitlist.

Additional Details

• Waitlist feature should be integrated into standard course registration flow.
• Use Python for server-side logic, prefer pip for dependencies.
• Notification logic and new database models/tables required.
• Should NOT enroll students directly from waitlist unless explicitly specified.
• Notification preference: prompt user for notification type (email, app, etc).

Open Questions

• Should students be auto-enrolled when a spot opens, or only notified?
• What notification mechanism do users prefer?

---

• Story template used: User Story
• Labels: feature, enhancement
  </issue_description>

<agent_instructions>create a new branch called waitlist
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes User Story: Join Course Waitlist When Full #11

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

This PR implements a comprehensive waitlist feature for course registration, allowing students to join waitlists when courses reach maximum enrollment. The implementation adds position tracking, notification preferences, and admin management capabilities. However, several critical concurrency issues, security vulnerabilities, and design concerns need to be addressed before merging.

Key Changes:

• New WaitlistEntry domain entity with position tracking and notification preferences
• Service layer with WaitlistService for waitlist operations and NotificationService for student notifications
• Nine new REST API endpoints for waitlist management (join, leave, query, admin operations)

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
WaitlistEntry.cs	New domain entity with student/course relationships and notification tracking
NotificationType.cs	Enum defining notification channels (Email, InApp, Both)
Course.cs	Added MaxEnrollment property (default 30) and IsFull computed property
Student.cs	Added WaitlistEntries navigation collection
IWaitlistRepository.cs	Repository interface for waitlist queries and position management
WaitlistRepository.cs	Implementation with active waitlist queries and auto-reordering
CourseRepository.cs	Added eager loading of Registrations and WaitlistEntries for computed properties
CourseRegistrationDbContext.cs	Configuration for WaitlistEntry entity with indexes and relationships
IUnitOfWork.cs & UnitOfWork.cs	Added Waitlists repository property
WaitlistService.cs	Core business logic for joining, leaving, and managing waitlists
NotificationService.cs	Abstraction for email/in-app notifications (currently logs only)
RegistrationService.cs	Modified to check course capacity and trigger waitlist notifications on cancellation
WaitlistDtos.cs	DTOs for creating, updating, and returning waitlist entries
CourseDtos.cs	Added MaxEnrollment, IsFull, and WaitlistCount properties
MappingProfile.cs	AutoMapper configurations for waitlist entities and updated course mappings
IWaitlistService.cs & INotificationService.cs	Service interfaces for waitlist and notification operations
WaitlistController.cs	Nine REST endpoints for waitlist CRUD and admin operations
Program.cs	DI registration for new repositories and services

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

[Copilot]

Circular dependency detected: RegistrationService depends on IWaitlistService, but WaitlistService (through its operations) may need to check registration status through the repository. This creates a potential circular dependency pattern. Consider:

1. Moving the NotifyNextStudentAsync() call to a domain event pattern where RegistrationService publishes a RegistrationCancelled event
2. Having a separate orchestration service that coordinates between registrations and waitlists
3. Using the repository directly in RegistrationService instead of injecting IWaitlistService

The current implementation works because WaitlistService doesn't depend on IRegistrationService, but this tight coupling makes the services harder to maintain and test independently.

[Copilot]

Race condition risk: Between checking course.IsFull (line 119) and creating the registration (lines 126-131), another concurrent request could register for the same course, causing enrollment to exceed MaxEnrollment. The IsFull check relies on a computed property that queries the Registrations collection loaded earlier, but doesn't use database-level constraints or locking.

Consider:

1. Adding a unique constraint at the database level that enforces max enrollment
2. Using optimistic concurrency with a version field on Course
3. Wrapping the check and insert in a transaction with appropriate isolation level
4. Using a database-level check constraint or trigger to enforce the limit

[Copilot]

Race condition in position assignment: Between calling GetNextPositionAsync() (line 73) and saving the entry (line 82), concurrent requests could receive the same position number. The repository method queries active entries and calculates Max(Position) + 1, but without locking or a database sequence, multiple simultaneous requests will get identical positions.

Solutions:

1. Use a database sequence or identity column for position
2. Implement row-level locking when reading the max position
3. Use optimistic concurrency and retry logic
4. Assign positions in a database transaction with serializable isolation

[Copilot]

Eager loading added unconditionally: These changes force eager loading of Registrations and WaitlistEntries for every course query, even when the caller doesn't need enrollment information. This can significantly impact performance, especially for list operations.

Consider:

1. Creating separate methods like GetByIdWithEnrollmentAsync() for when this data is needed
2. Using projection (.Select()) to load only required fields
3. Allowing callers to specify includes via a parameter
4. Loading these collections only when specifically needed by business logic

[Copilot]

Unsafe admin reordering operation: The single-entry position update (lines 163-198) doesn't prevent creating duplicate positions or gaps in the sequence. While it attempts to shift other entries, if the update fails partway through (e.g., exception after updating some entries), the waitlist will be in an inconsistent state.

Issues:

1. No transaction boundary wrapping the multi-entry update
2. The logic only shifts entries between old and new positions, but doesn't validate final state
3. If multiple admins reorder simultaneously, race conditions could corrupt positions

Consider:

1. Wrapping the entire operation in an explicit transaction
2. Using the bulk ReorderWaitlistAsync() method (line 250) instead
3. Adding validation after updates to ensure positions are sequential and unique

[Copilot]

N+1 query problem: The WaitlistCount mapping executes src.WaitlistEntries.Count(w => w.IsActive) on the already-loaded collection. However, if WaitlistEntries is not eagerly loaded (which could happen in some query paths), this will trigger a separate database query for each course when mapping multiple courses.

While lines 110-111 and 125-126 in CourseRepository.cs do add eager loading, this mapping should be defensive. Consider either:

1. Always ensuring WaitlistEntries is loaded before mapping
2. Using a database-level projection that counts in SQL
3. Adding a computed column or cached count field

[Copilot]

Missing validation: The MaxEnrollment field in UpdateCourseDto also lacks validation. Additionally, when updating MaxEnrollment on an existing course, there's no check to prevent setting it below the current enrollment count, which would create an inconsistent state where a course is "over capacity."

Add:

1. Range validation attribute as with CreateCourseDto
2. Business logic in CourseService.UpdateCourseAsync() to validate:

   if (updateDto.MaxEnrollment < course.CurrentEnrollment)
       throw new InvalidOperationException(
           $"Cannot set max enrollment below current enrollment ({course.CurrentEnrollment})");

[Copilot]

Misleading notification message: The notification sent to the waitlist student states "You are currently in position {position} on the waitlist" where position is their position before anyone registered. However, the message says "A spot has become available", implying they should be able to register immediately.

If position is 1, the message makes sense. But if position is 5, the message is confusing—a spot opened but they're still in position 5.

Consider:

1. Only notifying position 1 when a spot opens
2. Clarifying the message: "A spot may become available soon. You are currently in position {position}."
3. Sending different messages based on position

Suggested change

	var body = $"Dear {studentName},\n\n" +
	$"A spot has become available in the course '{courseName}'.\n" +
	$"You are currently in position {position} on the waitlist.\n\n" +
	$"Please log in to your account to register for the course.\n\n" +
	$"Best regards,\n" +
	$"Course Registration System";
	string body;
	if (position == 1)
	{
	body = $"Dear {studentName},\n\n" +
	$"A spot has become available in the course '{courseName}'.\n" +
	$"You are first in line on the waitlist and may now register for the course.\n\n" +
	$"Please log in to your account to register for the course.\n\n" +
	$"Best regards,\n" +
	$"Course Registration System";
	}
	else
	{
	body = $"Dear {studentName},\n\n" +
	$"A spot may become available soon in the course '{courseName}'.\n" +
	$"You are currently in position {position} on the waitlist.\n\n" +
	$"We will notify you when you are eligible to register.\n\n" +
	$"Best regards,\n" +
	$"Course Registration System";
	}

[Copilot]

Missing authorization: All waitlist endpoints lack authorization checks. Critical operations that should be restricted:

Admin-only operations (no authorization implemented):

• ClearWaitlist() - line 220: Any user can clear entire waitlists
• ReorderWaitlist() - line 262: Any user can manipulate positions
• NotifyNextStudent() - line 240: Could be abused to spam notifications
• UpdateWaitlistEntry() - line 176: Should only allow admins to change positions, or students to update their own preferences

Student-owned operations (no ownership verification):

• LeaveWaitlist() - line 144: A student could remove another student's entry
• UpdateWaitlistEntry() - line 176: Should verify the student owns the entry

Add role-based authorization attributes like [Authorize(Roles = "Admin")] and implement ownership checks in the service layer.

[Copilot]

Potential data exposure: The GetCourseWaitlist() endpoint returns all waitlist entries including student email addresses and personal information to any caller. This violates privacy principles—students on a waitlist shouldn't necessarily see other students' email addresses.

Consider:

1. Adding authorization to restrict this endpoint to admins only
2. Creating a separate public endpoint that returns only aggregated data (e.g., total count, student's own position)
3. Removing sensitive fields like email from the response for non-admin users
4. Having students query their own position via GetStudentWaitlists() instead