>I mean, you can do a very general audit of things like “is there CI” or “do they use horribly unsafe serialization everywhere” but I don’t see anything beyond this without a huge amount of effort.

Do we know what is or isn't being reviewed? Do we know how much effort is being applied in this process or if there's a defined upper and/or lower bound?

The upper limit is the point where it makes sense to bring in experts rather than random Tesla engineers.