drop openshift audit log · parse api + project events
flags scc changes · oauth client grants · route exposure · privileged scc usage
heuristic screener · openshift audit format varies by version — oauth and api server exports differ · not definitive proof