Fix workflow crashes, auth guards, security issues, and logo switching

CIS Guru · CIS Guru · commit 5dece452531e · 2026-03-11T11:47:51.000-05:00
- UserContextService: catch InvalidOperationException outside Blazor circuit
- BaseWorkflowService: optional organizationId param in LogTransitionAsync
- LeaseWorkflowService: pass organizationId to LogTransitionAsync in ExpireOverdueLeaseAsync
- ApplicationWorkflowService: bypass user-context when organizationId provided in ExpireLeaseOfferAsync
- ScheduledTaskService: pass offer.OrganizationId to ExpireLeaseOfferAsync
- DatabaseService: add OrderBy to fix EF non-deterministic FirstOrDefault warning
- NotificationService: explicit senderUserId param; require auth or SystemUser.Id; set CreatedBy/LastModifiedBy
- BaseService: explicit opt-in system user guard in CreateAsync/UpdateAsync; no silent auth escalation
- LinuxKeychainService: remove plaintext password from console output (security fix)
- WindowsKeychainService: remove plaintext credential from console output (security fix)
- NavMenu: switch logo based on brand theme + light/dark mode (Obsidian=always inverted; Bootstrap/Teal=inverted in dark only)
- ThemeService/theme.js: related theme handling consistency fixes
diff --git a/1-Nine.Infrastructure/Services/LinuxKeychainService.cs b/1-Nine.Infrastructure/Services/LinuxKeychainService.cs
@@ -102,7 +102,7 @@ public bool StoreKey(string keyHex, string label = "Nine Database Encryption Key
             process.WaitForExit(5000);
             
             Console.WriteLine($"[LinuxKeychainService] secret-tool exit code: {process.ExitCode}");
-            Console.WriteLine($"[LinuxKeychainService] secret-tool output: '{output}'");
+            Console.WriteLine($"[LinuxKeychainService] secret-tool output: [{(string.IsNullOrWhiteSpace(output) ? "empty" : "received")}]");
             if (!string.IsNullOrWhiteSpace(error))
             {
                 Console.WriteLine($"[LinuxKeychainService] secret-tool error: {error}");
diff --git a/1-Nine.Infrastructure/Services/WindowsKeychainService.cs b/1-Nine.Infrastructure/Services/WindowsKeychainService.cs
@@ -23,12 +23,12 @@ public class WindowsKeychainService : IKeychainService
     public WindowsKeychainService(string appName = "Nine-Electron")
     {
         var appDataPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
-        var aquiisDir = Path.Combine(appDataPath, "Nine");
-        Directory.CreateDirectory(aquiisDir);
+        var nineDir = Path.Combine(appDataPath, "Nine");
+        Directory.CreateDirectory(nineDir);
 
         // Sanitize appName for use as a filename component
         var safeAppName = new string(appName.Where(c => char.IsLetterOrDigit(c) || c == '-' || c == '_').ToArray());
-        _keyFilePath = Path.Combine(aquiisDir, $"aquiis_{safeAppName}.key");
+        _keyFilePath = Path.Combine(nineDir, $"aquiis_{safeAppName}.key");
 
         Console.WriteLine($"[WindowsKeychainService] Initialized with key file: {_keyFilePath}");
     }
@@ -73,7 +73,7 @@ public bool StoreKey(string password, string label = "Nine Database Encryption K
             var encryptedBytes = File.ReadAllBytes(_keyFilePath);
             var plainBytes = ProtectedData.Unprotect(encryptedBytes, null, DataProtectionScope.CurrentUser);
             var password = Encoding.UTF8.GetString(plainBytes);
-            Console.WriteLine($"[WindowsKeychainService] Password retrieved successfully using DPAPI (length: {password.Length})");
+            Console.WriteLine($"[WindowsKeychainService] Password retrieved successfully using DPAPI. Password status: {(string.IsNullOrEmpty(password) ? "empty" : "received")}");
             return password;
         }
         catch (CryptographicException ex)
diff --git a/2-Nine.Application/Services/BaseService.cs b/2-Nine.Application/Services/BaseService.cs
@@ -133,7 +133,10 @@ public virtual async Task<TEntity> CreateAsync(TEntity entity)
                 var userId = await _userContext.GetUserIdAsync();
                 if (string.IsNullOrEmpty(userId))
                 {
-                    throw new UnauthorizedAccessException("User is not authenticated.");
+                    if (entity.CreatedBy == ApplicationConstants.SystemUser.Id)
+                        userId = entity.CreatedBy; // Allow system-created records to specify "System" as creator
+                    else
+                        throw new UnauthorizedAccessException("User is not authenticated.");
                 }
 
                 var organizationId = await _userContext.GetActiveOrganizationIdAsync();
@@ -188,7 +191,10 @@ public virtual async Task<TEntity> UpdateAsync(TEntity entity)
                 var userId = await _userContext.GetUserIdAsync();
                 if (string.IsNullOrEmpty(userId))
                 {
-                    throw new UnauthorizedAccessException("User is not authenticated.");
+                    if (entity.LastModifiedBy == ApplicationConstants.SystemUser.Id)
+                        userId = ApplicationConstants.SystemUser.Id;
+                    else
+                        throw new UnauthorizedAccessException("User is not authenticated.");
                 }
 
                 var organizationId = await _userContext.GetActiveOrganizationIdAsync();
diff --git a/2-Nine.Application/Services/DatabaseService.cs b/2-Nine.Application/Services/DatabaseService.cs
@@ -93,7 +93,7 @@ public async Task<int> GetIdentityPendingMigrationsCountAsync()
     /// </summary>
     public async Task<Nine.Core.Entities.DatabaseSettings> GetDatabaseSettingsAsync()
     {
-        var settings = await _businessContext.DatabaseSettings.FirstOrDefaultAsync();
+        var settings = await _businessContext.DatabaseSettings.OrderBy(s => s.Id).FirstOrDefaultAsync();
 
         if (settings == null)
         {
diff --git a/2-Nine.Application/Services/NotificationService.cs b/2-Nine.Application/Services/NotificationService.cs
@@ -40,12 +40,29 @@ public async Task<Notification> SendNotificationAsync(
         string type,
         string category,
         Guid? relatedEntityId = null,
-        string? relatedEntityType = null)
+        string? relatedEntityType = null,
+        Guid? organizationId = null,
+        string? senderUserId = null)
     {
-        var organizationId = await _userContext.GetActiveOrganizationIdAsync();
+        organizationId ??= await _userContext.GetActiveOrganizationIdAsync();
 
         // Get user preferences
-        var preferences = await GetNotificationPreferencesAsync(recipientUserId);
+        var preferences = await GetNotificationPreferencesAsync(recipientUserId, organizationId);
+
+        // Resolve the sender: explicit caller-provided ID (e.g. SystemUser for background jobs),
+        // otherwise require an authenticated user.
+        string resolvedSenderUserId;
+        if (!string.IsNullOrEmpty(senderUserId))
+        {
+            resolvedSenderUserId = senderUserId;
+        }
+        else
+        {
+            var authenticatedUserId = await _userContext.GetUserIdAsync();
+            if (string.IsNullOrEmpty(authenticatedUserId))
+                throw new UnauthorizedAccessException("User is not authenticated.");
+            resolvedSenderUserId = authenticatedUserId;
+        }
 
         var notification = new Notification
         {
@@ -62,7 +79,8 @@ public async Task<Notification> SendNotificationAsync(
             IsRead = false,
             SendInApp = preferences.EnableInAppNotifications,
             SendEmail = preferences.EnableEmailNotifications && ShouldSendEmail(category, preferences),
-            SendSMS = preferences.EnableSMSNotifications && ShouldSendSMS(category, preferences)
+            SendSMS = preferences.EnableSMSNotifications && ShouldSendSMS(category, preferences),
+            CreatedBy = resolvedSenderUserId
         };
 
         // Save in-app notification
@@ -107,6 +125,7 @@ await _smsService.SendSMSAsync(
             }
         }
 
+        notification.LastModifiedBy = resolvedSenderUserId;
         await UpdateAsync(notification);
 
         // Broadcast new notification via SignalR
@@ -141,7 +160,9 @@ public async Task<Notification> NotifyAllUsersAsync(
                 type,
                 category,
                 relatedEntityId,
-                relatedEntityType);
+                relatedEntityType,
+                organizationId,
+                senderUserId: ApplicationConstants.SystemUser.Id);
         }
 
         return lastNotification!;
@@ -281,9 +302,9 @@ public async Task<NotificationPreferences> UpdateUserPreferencesAsync(Notificati
     /// <summary>
     /// Get or create notification preferences for user
     /// </summary>
-    private async Task<NotificationPreferences> GetNotificationPreferencesAsync(string userId)
+    private async Task<NotificationPreferences> GetNotificationPreferencesAsync(string userId, Guid? organizationId = null)
     {
-        var organizationId = await _userContext.GetActiveOrganizationIdAsync();
+        organizationId ??= await _userContext.GetActiveOrganizationIdAsync();
 
         var preferences = await _context.NotificationPreferences
             .FirstOrDefaultAsync(p => p.OrganizationId == organizationId
diff --git a/2-Nine.Application/Services/ScheduledTaskService.cs b/2-Nine.Application/Services/ScheduledTaskService.cs
@@ -79,7 +79,7 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
                 timeUntilMonday,
                 TimeSpan.FromDays(7));
 
-            _logger.LogInformation("Scheduled Task Service started. Daily tasks will run at midnight, hourly tasks every hour, weekly tasks every Monday at 6 AM.");
+            _logger.LogInformation("Scheduled Task Service started. Daily tasks will on each application start-up or when explicityly triggered in Application");
 
             // Keep the service running
             while (!stoppingToken.IsCancellationRequested)
@@ -568,7 +568,7 @@ private async Task<int> ExpireOldLeaseOffers(IServiceScope scope)
                 {
                     try
                     {
-                        var result = await workflowService.ExpireLeaseOfferAsync(offer.Id);
+                        var result = await workflowService.ExpireLeaseOfferAsync(offer.Id, offer.OrganizationId);
                         
                         if (result.Success)
                         {
diff --git a/2-Nine.Application/Services/Workflows/ApplicationWorkflowService.cs b/2-Nine.Application/Services/Workflows/ApplicationWorkflowService.cs
@@ -1059,12 +1059,13 @@ await _notificationService.NotifyAllUsersAsync(
         /// Expires a lease offer (called by scheduled task).
         /// Similar to decline but automated.
         /// </summary>
-        public async Task<WorkflowResult> ExpireLeaseOfferAsync(Guid leaseOfferId)
+        public async Task<WorkflowResult> ExpireLeaseOfferAsync(Guid leaseOfferId, Guid? organizationId = null)
         {
             return await ExecuteWorkflowAsync(async () =>
             {
-                var orgId = await GetActiveOrganizationIdAsync();
+                var orgId = organizationId ?? await GetActiveOrganizationIdAsync();
                 var userId = await GetCurrentUserIdAsync();
+                if (string.IsNullOrEmpty(userId)) userId = "System";
 
                 var leaseOffer = await _context.LeaseOffers
                     .Include(lo => lo.RentalApplication)
@@ -1118,7 +1119,8 @@ await LogTransitionAsync(
                     "Pending",
                     "Expired",
                     "ExpireLeaseOffer",
-                    "Offer expired after 30 days");
+                    "Offer expired after 30 days",
+                    organizationId: orgId);
 
                 // send notification to leasing agents
                 await _notificationService.SendNotificationAsync(
diff --git a/2-Nine.Application/Services/Workflows/BaseWorkflowService.cs b/2-Nine.Application/Services/Workflows/BaseWorkflowService.cs
@@ -119,6 +119,8 @@ protected async Task<WorkflowResult> ExecuteWorkflowAsync(
 
         /// <summary>
         /// Logs a workflow state transition to the audit log.
+        /// Pass <paramref name="organizationId"/> when calling from background services where the
+        /// user context has no Blazor circuit (e.g., ScheduledTaskService).
         /// </summary>
         protected async Task LogTransitionAsync(
             string entityType,
@@ -127,10 +129,11 @@ protected async Task LogTransitionAsync(
             string toStatus,
             string action,
             string? reason = null,
-            Dictionary<string, object>? metadata = null)
+            Dictionary<string, object>? metadata = null,
+            Guid? organizationId = null)
         {
             var userId = await _userContext.GetUserIdAsync() ?? string.Empty;
-            var activeOrgId = await _userContext.GetActiveOrganizationIdAsync();
+            var activeOrgId = organizationId ?? await _userContext.GetActiveOrganizationIdAsync();
             
             var auditLog = new WorkflowAuditLog
             {
@@ -141,12 +144,12 @@ protected async Task LogTransitionAsync(
                 ToStatus = toStatus,
                 Action = action,
                 Reason = reason,
-                PerformedBy = userId,
+                PerformedBy = string.IsNullOrEmpty(userId) ? "System" : userId,
                 PerformedOn = DateTime.UtcNow,
                 OrganizationId = activeOrgId.HasValue ? activeOrgId.Value : Guid.Empty,
                 Metadata = metadata != null ? JsonSerializer.Serialize(metadata) : null,
                 CreatedOn = DateTime.UtcNow,
-                CreatedBy = userId
+                CreatedBy = string.IsNullOrEmpty(userId) ? "System" : userId
             };
 
             _context.WorkflowAuditLogs.Add(auditLog);
diff --git a/2-Nine.Application/Services/Workflows/LeaseWorkflowService.cs b/2-Nine.Application/Services/Workflows/LeaseWorkflowService.cs
@@ -588,6 +588,7 @@ public async Task<WorkflowResult<int>> ExpireOverdueLeaseAsync(Guid organization
         {
             return await ExecuteWorkflowAsync<int>(async () =>
             {
+                // Called from background service — no Blazor circuit, use "System" as the actor.
                 var userId = await _userContext.GetUserIdAsync() ?? "System";
                 
                 // Find active leases past their end date
@@ -615,7 +616,8 @@ await LogTransitionAsync(
                         oldStatus,
                         lease.Status,
                         "AutoExpire",
-                        "Lease end date passed without renewal");
+                        "Lease end date passed without renewal",
+                        organizationId: organizationId);
 
                     addresses += $"- {lease.Property?.Address} (Tenant: {lease.Tenant?.FullName})\n";
 
diff --git a/3-Nine.Shared.UI/wwwroot/js/theme.js b/3-Nine.Shared.UI/wwwroot/js/theme.js
@@ -47,15 +47,15 @@ window.themeManager = {
   },
 
   getBrandTheme: function () {
-    const brandTheme = localStorage.getItem("brandTheme") || "bootstrap";
+    const brandTheme = localStorage.getItem("brandTheme") || "obsidian";
     return brandTheme;
   },
 };
 
 // Initialize theme IMMEDIATELY (before DOMContentLoaded) to prevent flash
 if (typeof localStorage !== "undefined") {
   const savedTheme = localStorage.getItem("theme") || "light";
-  const savedBrandTheme = localStorage.getItem("brandTheme") || "bootstrap";
+  const savedBrandTheme = localStorage.getItem("brandTheme") || "obsidian";
   console.log("Initial theme load:", savedTheme, "Brand:", savedBrandTheme);
   document.documentElement.setAttribute("data-bs-theme", savedTheme);
   document.documentElement.setAttribute("data-brand-theme", savedBrandTheme);
@@ -98,7 +98,7 @@ if (typeof localStorage !== "undefined") {
     }
 
     if (!currentBrandTheme) {
-      currentBrandTheme = localStorage.getItem("brandTheme") || "bootstrap";
+      currentBrandTheme = localStorage.getItem("brandTheme") || "obsidian";
       document.documentElement.setAttribute(
         "data-brand-theme",
         currentBrandTheme,
@@ -131,7 +131,7 @@ if (typeof localStorage !== "undefined") {
       const currentBrandTheme =
         document.documentElement.getAttribute("data-brand-theme") ||
         localStorage.getItem("brandTheme") ||
-        "bootstrap";
+        "obsidian";
 
       document.documentElement.setAttribute("data-bs-theme", currentTheme);
       document.documentElement.setAttribute(
diff --git a/4-Nine/Shared/Layout/NavMenu.razor b/4-Nine/Shared/Layout/NavMenu.razor
@@ -8,12 +8,12 @@
 
 <div class="top-row ps-3 navbar navbar-dark">
     <div class="container-fluid d-flex align-items-center justify-content-center">
-        <a class="navbar-brand" href=""><img src="/assets/nine-logo-inverted.svg" width="90" alt="Nine." /></a>
-        @* <div class="d-flex gap-2">
+        <a class="navbar-brand" href=""><img src="@LogoSrc" width="90" alt="Nine." /></a>
+        <div class="d-flex gap-2">
             <button class="btn btn-link p-0" @onclick="ToggleTheme" title="Toggle theme">
                 <i class="bi @GetThemeIcon()" style="font-size: 1.4rem;"></i>
             </button>
-        </div> *@
+        </div>
     </div>
 </div>
 
@@ -171,6 +171,11 @@
     private string currentTheme = "light";
     private bool showBrandThemeDropdown = false;
 
+    // Obsidian always uses the inverted logo. Bootstrap and Teal use inverted in dark mode only.
+    private string LogoSrc => (ThemeService.CurrentBrandTheme == "obsidian" || ThemeService.CurrentTheme == "dark")
+        ? "/assets/nine-logo-inverted.svg"
+        : "/assets/nine-logo.svg";
+
     private string OrganizationId = string.Empty;
 
     // Available brand themes - add new themes here
diff --git a/4-Nine/Shared/Services/ThemeService.cs b/4-Nine/Shared/Services/ThemeService.cs
@@ -3,7 +3,7 @@ namespace Nine.Shared.Services;
 public class ThemeService
 {
     private string _currentTheme = "light";
-    private string _currentBrandTheme = "bootstrap";
+    private string _currentBrandTheme = "obsidian";
     
     public event Action? OnThemeChanged;
     public event Action? OnBrandThemeChanged;
@@ -35,8 +35,8 @@ public string GetNextTheme()
     // Valid brand themes - add new themes here when implementing them
     private readonly HashSet<string> _validBrandThemes = new()
     {
-        "bootstrap",
         "obsidian",
+        "bootstrap",
         "teal"
     };
 
diff --git a/4-Nine/Shared/Services/UserContextService.cs b/4-Nine/Shared/Services/UserContextService.cs
@@ -114,11 +114,20 @@ public UserContextService(
 
         /// <summary>
         /// Checks if a user is authenticated.
+        /// Returns false when called from a non-Blazor context such as background services.
         /// </summary>
         public async Task<bool> IsAuthenticatedAsync()
         {
-            var authState = await _authenticationStateProvider.GetAuthenticationStateAsync();
-            return authState.User.Identity?.IsAuthenticated ?? false;
+            try
+            {
+                var authState = await _authenticationStateProvider.GetAuthenticationStateAsync();
+                return authState.User.Identity?.IsAuthenticated ?? false;
+            }
+            catch (InvalidOperationException)
+            {
+                // Called outside a Blazor circuit (e.g., background/scheduled services).
+                return false;
+            }
         }
 
         /// <summary>
@@ -339,7 +348,19 @@ private async Task EnsureInitializedAsync()
             if (_isInitialized)
                 return;
 
-            var authState = await _authenticationStateProvider.GetAuthenticationStateAsync();
+            AuthenticationState? authState;
+            try
+            {
+                authState = await _authenticationStateProvider.GetAuthenticationStateAsync();
+            }
+            catch (InvalidOperationException)
+            {
+                // Called outside a Blazor circuit (e.g., background/scheduled services).
+                // Treat as unauthenticated — userId and organizationId will be null.
+                _isInitialized = true;
+                return;
+            }
+
             var user = authState.User;
 
             if (user.Identity?.IsAuthenticated == true)
diff --git a/4-Nine/wwwroot/assets/nine-logo.svg b/4-Nine/wwwroot/assets/nine-logo.svg

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ public bool StoreKey(string keyHex, string label = "Nine Database Encryption Key`
`102`	`102`	`process.WaitForExit(5000);`
`103`	`103`
`104`	`104`	`Console.WriteLine($"[LinuxKeychainService] secret-tool exit code: {process.ExitCode}");`
`105`		`- Console.WriteLine($"[LinuxKeychainService] secret-tool output: '{output}'");`
	`105`	`+ Console.WriteLine($"[LinuxKeychainService] secret-tool output: [{(string.IsNullOrWhiteSpace(output) ? "empty" : "received")}]");`
`106`	`106`	`if (!string.IsNullOrWhiteSpace(error))`
`107`	`107`	`{`
`108`	`108`	`Console.WriteLine($"[LinuxKeychainService] secret-tool error: {error}");`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,10 @@ public virtual async Task<TEntity> CreateAsync(TEntity entity)`
`133`	`133`	`var userId = await _userContext.GetUserIdAsync();`
`134`	`134`	`if (string.IsNullOrEmpty(userId))`
`135`	`135`	`{`
`136`		`- throw new UnauthorizedAccessException("User is not authenticated.");`
	`136`	`+ if (entity.CreatedBy == ApplicationConstants.SystemUser.Id)`
	`137`	`+ userId = entity.CreatedBy; // Allow system-created records to specify "System" as creator`
	`138`	`+ else`
	`139`	`+ throw new UnauthorizedAccessException("User is not authenticated.");`
`137`	`140`	`}`
`138`	`141`
`139`	`142`	`var organizationId = await _userContext.GetActiveOrganizationIdAsync();`
`@@ -188,7 +191,10 @@ public virtual async Task<TEntity> UpdateAsync(TEntity entity)`
`188`	`191`	`var userId = await _userContext.GetUserIdAsync();`
`189`	`192`	`if (string.IsNullOrEmpty(userId))`
`190`	`193`	`{`
`191`		`- throw new UnauthorizedAccessException("User is not authenticated.");`
	`194`	`+ if (entity.LastModifiedBy == ApplicationConstants.SystemUser.Id)`
	`195`	`+ userId = ApplicationConstants.SystemUser.Id;`
	`196`	`+ else`
	`197`	`+ throw new UnauthorizedAccessException("User is not authenticated.");`
`192`	`198`	`}`
`193`	`199`
`194`	`200`	`var organizationId = await _userContext.GetActiveOrganizationIdAsync();`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public async Task<int> GetIdentityPendingMigrationsCountAsync()`
`93`	`93`	`/// </summary>`
`94`	`94`	`public async Task<Nine.Core.Entities.DatabaseSettings> GetDatabaseSettingsAsync()`
`95`	`95`	`{`
`96`		`- var settings = await _businessContext.DatabaseSettings.FirstOrDefaultAsync();`
	`96`	`+ var settings = await _businessContext.DatabaseSettings.OrderBy(s => s.Id).FirstOrDefaultAsync();`
`97`	`97`
`98`	`98`	`if (settings == null)`
`99`	`99`	`{`
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)`
`79`	`79`	`timeUntilMonday,`
`80`	`80`	`TimeSpan.FromDays(7));`
`81`	`81`
`82`		`- _logger.LogInformation("Scheduled Task Service started. Daily tasks will run at midnight, hourly tasks every hour, weekly tasks every Monday at 6 AM.");`
	`82`	`+ _logger.LogInformation("Scheduled Task Service started. Daily tasks will on each application start-up or when explicityly triggered in Application");`
`83`	`83`
`84`	`84`	`// Keep the service running`
`85`	`85`	`while (!stoppingToken.IsCancellationRequested)`
`@@ -568,7 +568,7 @@ private async Task<int> ExpireOldLeaseOffers(IServiceScope scope)`
`568`	`568`	`{`
`569`	`569`	`try`
`570`	`570`	`{`
`571`		`- var result = await workflowService.ExpireLeaseOfferAsync(offer.Id);`
	`571`	`+ var result = await workflowService.ExpireLeaseOfferAsync(offer.Id, offer.OrganizationId);`
`572`	`572`
`573`	`573`	`if (result.Success)`
`574`	`574`	`{`
Original file line number	Diff line number	Diff line change
`@@ -588,6 +588,7 @@ public async Task<WorkflowResult<int>> ExpireOverdueLeaseAsync(Guid organization`
`588`	`588`	`{`
`589`	`589`	`return await ExecuteWorkflowAsync<int>(async () =>`
`590`	`590`	`{`
	`591`	`+ // Called from background service — no Blazor circuit, use "System" as the actor.`
`591`	`592`	`var userId = await _userContext.GetUserIdAsync() ?? "System";`
`592`	`593`
`593`	`594`	`// Find active leases past their end date`
`@@ -615,7 +616,8 @@ await LogTransitionAsync(`
`615`	`616`	`oldStatus,`
`616`	`617`	`lease.Status,`
`617`	`618`	`"AutoExpire",`
`618`		`- "Lease end date passed without renewal");`
	`619`	`+ "Lease end date passed without renewal",`
	`620`	`+ organizationId: organizationId);`
`619`	`621`
`620`	`622`	`addresses += $"- {lease.Property?.Address} (Tenant: {lease.Tenant?.FullName})\n";`
`621`	`623`