Standards & Practices

Developer's Guide & Standards

Ensuring mission-critical security through standardized development practices.

Section 1 of 6

Git Workflow & Branching Strategy

Core Principles

  • All development occurs in forks (never direct pushes to main)
  • Atomic commits with cryptographic signing (GPG required)
  • Linear history enforced via rebase-only merging

Branch Naming Convention

git checkout -b {type}/JIRA-{id}-{description}
# Examples:
#   feat/DA-142-integrates-skyfi-sar
#   fix/DA-88-cve-db-sync-issue

Commit Message Standards

[DA-{ticket}] {type}({module}): {subject}

{body}
- Risk assessment: [Critical/High/Medium/Low]
- ATT&CK TTP mapping: [e.g., T1592.001]
- Affected components: [list]
Section 2 of 6

Security Development Lifecycle

Mandatory Practices

  • Threat Modeling: Use OWASP Threat Dragon for all features
  • Static Analysis: SonarQube with DefAgent Security Ruleset
  • Dynamic Testing:
    • 100% coverage of attack surface via Metasploit Pro
    • Hardware: JTAG/SWD penetration tests

Prohibited Patterns

REJECTED

# Unvalidated input in battlefield comms
def process_command(raw_input: str):
    execute(raw_input)  # CWE-78

APPROVED

# Zero-trust validation
def process_command(signed_input: VerifiedPayload):
    if not validate_dod_ecp(signed_input):
        return CodeRedResponse()
Section 3 of 6

Code Quality Standards

Language-Specific Rules

Language Linter Critical Rules
Go gosec G101, G402
Python bandit S506, S113
C++ clang-tidy CERT-MSC30-C

Testing Requirements

  • Unit Tests: 90% line coverage (verified by Codecov)
  • Hardware Integration: TAK-X Device Test Suite
  • AI Validation: Adversarial examples for all ML components (FGSM/PGD attacks)
Section 4 of 6

Documentation Standards

All Components Require

## Threat Model
![]({link-to-threat-dragon})

## MITRE ATT&CK Coverage
| Technique | Coverage |
|-----------|----------|
| T1592.001 | Full     |

## Hardware Security
- [ ] JTAG disabled
- [ ] Secure boot validated

API Documentation

  • OpenAPI 3.1 with Redocly extensions
  • Live examples using DefAgent Battlefield Simulator
Section 5 of 6

Patch Submission Process

Critical PR Requirements

  1. Signed Developer Certificate of Origin (DCO)
  2. Passing Hardware Test Bench results
  3. MITRE ATT&CK mapping for security features
  4. Evidence of adversarial testing

🚀 Submit Contribution

Section 6 of 6

Hardware Development Addendum

Physical Device Standards

  • Tamper Resistance: Epoxy encapsulation with FIPS 140-3 Level 3 sensors
  • Firmware Signing: Dual-key rotation (HSM-protected)
  • Reverse Engineering Protection:
    • Voltage glitch detection
    • Optical sensor mesh
    • Blackbird anti-debugging

Validation Tools

# Run hardware test suite
defagent-hwtest --profile=field-deployment
Support channels

Need help with the standards?

Discord

#code-standards channel for real-time discussion.

Email

dev-support@defagent.io for detailed assistance.

DefAgent Developer Standards v2.3 • Last updated: July 7, 2026

© 2026 DefAgent Technologies. All defense systems must comply with DFARS 252.204-7012

Contribute to DefAgent.

Ready to submit a contribution or have questions about our standards? Get in touch with our team.