Testing and qualification

Trust is earned before a component is reused

Components are tested, validated and integrity-checked before they are trusted elsewhere on the canvas or published for others — described honestly, at the level the platform actually implements today.

What qualification checks

Test

Automated tests run against the component before it is trusted anywhere else on the canvas.

Validate

Compatibility and configuration are checked against the component's declared contract.

Integrity-check

A cryptographic hash is attached to the package so a later copy can be verified against the original build. This is integrity hashing — Devory does not describe this as cryptographic signing.

Version

A qualified result is recorded against one specific, addressable version — never a moving target.

What qualification does not claim

  • Package integrity checking is a cryptographic hash, not a signature — Devory never calls it “signed”
  • Security scanning of components is not a live capability today
  • Execution of qualified components is currently limited to trusted, known components — there is no sandbox for untrusted code yet

Where qualified components go next

A qualified component can stay private, move to a team library, or reach the Marketplace.