Capgo - Scope Escalation via API Key Creation in /functions/v1/apikey

**attack_vector_md:** An attacker who possesses an app-limited API key (one with `limited_to_apps` set) can call `POST /functions/v1/apikey` and supply empty `limited_to_apps` and `limited_to_orgs` arrays in the JSON body [ref_id=1]. The server only blocks key creation when the caller's key has `limited_to_orgs` set, so an app-only key passes the existing check [ref_id=1]. The resulting unrestricted key can then be used against org-wide endpoints such as `GET /app` to list all applications, escalating from a single-app scope to full org access [ref_id=1].

**fix_explanation_md:** The advisory's remediation guidance requires that keys with either `limited_to_orgs` or `limited_to_apps` be treated as 'limited' for key-creation purposes, meaning the denial check must fire when either field is populated [ref_id=1]. Additionally, new key limits must be validated as a subset of the caller's limits, preventing the creation of keys with broader (including empty) scopes [ref_id=1]. The patch in version 12.128.2 implements these checks so that an app-limited key can no longer mint an unrestricted key.