Configuration-bound reference checks + attestations · the buyer flow
Check an agent before it gets production access.
Pick a scenario, describe your agent, and declare its policy. Origin runs it against the deterministic oracle and shows exactly where it’s over-granted — then issues a signed Origin Attestation carrying the Verified Readiness Level, the before/after lift, and the config hash, that you can re-verify offline and that voids the moment a tool or permission changes. The deterministic oracle is the only judge — never an LLM grading an LLM.
Everything runs client-side: your config is not uploaded. A verdict means "reproducible least-privilege behavior under this verifier + this config," never "safe." This is Origin’s synthetic battery — checking your real agent, against your own policy and environment, is the design-partner path (book below).