Cross-Tenant

A vulnerability in Paperclip allows any authenticated user to mint agent API tokens for other tenants, leading to unauthorized access and control due to missing company access checks.

A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.