Shelf

🔒 Security release — upgrade strongly recommended

This release remediates a HIGH-severity cross-organization IDOR affecting
multi-tenant data isolation: authenticated users could reference another
workspace's assets, tags, custodians, bookings, QR codes, audit and location
data via user-supplied IDs. Fixed by enforcing organization ownership on all
user-supplied IDs across create/update/bulk paths, plus lint-time enforcement

• Advisory: GHSA-r46p-gfrp-xxgq
• Action: All self-hosted instances should upgrade to [email protected] as soon as possible. Shelf Cloud (app.shelf.nu) is already patched.

Security

• fix(security): cross-org IDOR remediation + org-scope enforcement by @DonKoko in #2556
• fix(security): validate location before asset write; fail-safe checkout on legacy cross-org assets by @DonKoko in #2557
• fix(events): close ASSET_KIT_CHANGED + custody/location/category gaps in bulk and cascade paths by @DonKoko in #2535
• fix(audit): guard AuditScan asset FK with a clean 404 by @DonKoko in #2550
• feat(security): add Claude security review subagent with pre-commit hook by @DonKoko in #2546

What's Changed

Features

• feat(activity): reporting by @DonKoko in #2495
• feat(assets): inline editing on asset detail page by @carlosvirreira in #2486
• feat(audit): duplicate completed/cancelled/archived audits by @carlosvirreira in #2522

Mobile companion app

• Mobile companion app by @carlosvirreira in #2412
• feat(mobile): support required custom fields on asset create by @carlosvirreira in #2534
• feat(companion): assigned-to-me + smart-sort + urgency tiers on audits by @carlosvirreira in #2539
• feat(companion): per-scanned-asset audit evidence API (notes + photos) by @carlosvirreira in #2552
• fix(companion): pass orgId to mobile asset endpoints (detail + add-note) by @carlosvirreira in #2530
• fix(companion): declare collected data types in iOS privacy manifest by @carlosvirreira in #2536
• fix(companion): native date picker + complete custom fields on asset edit by @carlosvirreira in #2537
• fix(companion): send raw primitive customField values on asset edit (P0) by @carlosvirreira in #2547
• fix(companion): 1.0 launch hardening — nav, role gating, audit evidence API + add-on enforcement by @carlosvirreira in #2551
• fix(mobile): emit activity events on mobile mutation routes by @carlosvirreira in #2533
• fix(server): use v8 wildcard syntax for mobile API public path by @DonKoko in #2521
• chore(companion): app-store-submission hardening by @carlosvirreira in #2531

Reports

• feat-adjacent reporting fixes & polish by @DonKoko & @carlosvirreira in #2508, #2510, #2511, #2513, #2514, #2515, #2516, #2526, #2529, #2540
• refactor(reports): split route into per-report content components by @DonKoko in #2516

Fixes

• fix(audit): let admins/owners cancel audits they did not create by @carlosvirreira in #2523
• fix(webapp): mobile dialog footer + Radix Select selection on iOS Safari by @carlosvirreira in #2512
• fix(booking): preserve kit/asset selection on manage-kits and manage-assets revisit by @DonKoko in #2518
• refactor(edit-asset): match new.tsx — raw strings, server coerces by @carlosvirreira in #2548
• Fix: sentry p0 weekly 2026-05-14 by @DonKoko in #2545

Tooling, docs & dependencies

• chore(tooling): integrate react-doctor + ship Claude Code skill by @DonKoko in #2499
• fix(ci): re-attach HEAD before react-doctor scan by @DonKoko in #2505
• chore: add ask permission rules for destructive commands by @DonKoko in #2509
• docs(rules): add React render stability guidelines by @carlosvirreira in #2517
• chore: remove unnecessary file by @DonKoko in #2507
• chore(deps): bump postcss, hono, brace-expansion, ws by @dependabot in #2504, #2524, #2554, #2555

Full Changelog: https://github.com/Shelf-nu/shelf.nu/compare/[email protected]@1.20.2