The integrity of the Orbit codebase is first and foremost verified through git, which disallows any rewriting of versioning history without explicit consent. This means that any malicious changes to the codebase must be applied on top of the current history, making the likelihood of a reviewer discovering the change almost a certainty.
Orbit Online is using a code-signing scheme where every change is cryptographically signed with a key that resides on a physical YubiKey. This ensures a form of 2FA since said key is impossible to read from the YubiKey. Instead, the YubiKey itself performs the signing procedure.