Why This PoC Exists

Orbit Device Trust is a proof of concept exploring what device security attestation looks like when it is not owned by a single platform vendor. Today, the dominant mechanism for establishing whether a mobile device can be trusted - Google's Play Integrity API - returns a binary pass or fail, with no reasoning, no audit trail, and no independent verification. For organisations running hardened or non-standard Android deployments, including GrapheneOS, that binary fails routinely on devices that are objectively more secure than a default consumer handset. The question Orbit asks is straightforward: what if the trust decision came with evidence?

The POC is aimed at security professionals and enterprise teams who already feel the friction - heads of information security managing non-standard device fleets, security operations teams who need auditable device posture records, and organisations in government-adjacent or regulated environments where \"Google said so\" is not a sufficient compliance answer. It demonstrates a cryptographically signed, hash-chain linked device trust report generated from real hardware signals - verified boot state, kernel hardening, SELinux posture, patch currency - that a security team can inspect, file, and present to an auditor. Not a bypass of existing attestation. A better alternative to it.

To explore: open Org Sandbox, seed data, post events, then inspect Timeline, Alerts, and Regulator View.