drop gateway + oauth exports · correlate token abuse to api calls · runs locally
drop gateway + oauth exports · local only
heuristic screener · vendor schema varies · not definitive proof