- Notes IDOR (GHSA-85wc): NotePolicy::viewNotes/manageNotes now receive the
Note and require hasCompany($note->company_id); NotesController passes the
bound model to authorize() on show/update/destroy.
- Estimate->Invoice IDOR (GHSA-j2vg): ConvertEstimateController authorizes
'view' on the source estimate before creating the invoice.
- User bulk-delete (GHSA-wxrv): UsersController scopes candidate ids via
User::whereCompany() before deletion so cross-company accounts are protected.
Adds feature tests for cross-company 403s plus same-company happy paths.