Post-quantum defense for municipalities and critical infrastructure.
VGLF is a multi-tier network firewall that uses a local LLM to analyze traffic patterns and autonomously manage blocklist rules — with every decision cryptographically signed, every log segment hash-chained, and every rule change enforced through a hardened Rust trust boundary.
Built for OT/ICS environments where a compromised AI cannot be allowed to disable protection for SCADA gateways, PLCs, or management networks.
Internet
|
+-------+-------+
| Tier 0b | nftables rate-limit (kernel)
| tier0-ratelimit|
+-------+-------+
|
+-------+-------+
| Tier 1 | Rust proxy + ONNX reflex model
| spinal-cord | ML-KEM-768+X25519 | ML-DSA-65
+-------+-------+
| |
+-------+--+ +----+--------+
| Tier 2 | | Tier 3 |
| vortex- | | cortex- |
| sink | | engine |
| (Rust) | | (Python) |
+----------+ +------+------+
Merkle chain Local LLM
AES-256-GCM DuckDB (read-only)
Syslog mirror Deterministic validator
Trust model: The Python Cortex is treated as untrusted by the Rust layer. All rule updates require ML-DSA-65 signatures verified in Rust before any field is parsed. Sacrosanct IP enforcement (SCADA gateways, loopback, management networks) is hardcoded in Rust and cannot be bypassed by a compromised Cortex process.
| Component | Language | Phase | Purpose |
|---|---|---|---|
| spinal-cord | Rust | 1 | Tier 1 proxy, ONNX inference, hybrid KEM, ML-DSA-65, IPC handler, sacrosanct enforcement, nftables integration |
| vortex-sink | Rust | 2 | SHA3-256 Merkle hash chain, AES-256-GCM encrypted segment storage, RFC 5424 syslog mirror for SIEM |
| pqc-keymgmt | Rust | 3 | ML-DSA-65 key lifecycle, KeyStore trait (File/TPM 2.0/Vault backends), ONNX model signing, rule bundle signing |
| cortex-engine | Python | 4 | Hardened LLM analysis, DuckDB read-only queries, deterministic validator, DATA_WRAPPER payload isolation |
| tier0-ratelimit | nftables | 5 | Kernel-level rate limiting, SYN flood mitigation, IPv4+IPv6 blocklist sets |
These are absolute — no exception, no "it's just a test":
- LLM output never reaches subprocess, exec, or eval — all rule updates flow through the typed Rust IPC socket
- DuckDB always runs read-only — filesystem extensions explicitly disabled
- All LLM-analyzed data is wrapped in
DATA_WRAPPERdelimiters — payload content is never interpolated into instructions - ONNX model loads require SHA-256 hash + ML-DSA-65 signature verification — fail hard on mismatch
- Sacrosanct IPs cannot be blocked — enforced in Rust, not Python
- Local LLM by default — cloud endpoints require explicit
--allow-cloudflag - No flat-file PQC private keys — TPM 2.0 or Vault transit in production
- IPv6 parity — every IPv4 code path has an IPv6 equivalent
| Use Case | Algorithm | Standard | Library |
|---|---|---|---|
| Key exchange | ML-KEM-768 + X25519 hybrid | FIPS 203 | aws-lc-rs |
| Signatures | ML-DSA-65 | FIPS 204 | aws-lc-rs |
| Hashing | SHA3-256 | FIPS 202 | sha3 crate |
| Encryption at rest | AES-256-GCM | — | aws-lc-rs |
All algorithm references go through crypto agility traits — never hardcoded outside spinal-cord/src/crypto/traits.rs.
- Rust 1.82+ (tested on 1.93)
- Python 3.11+ (3.12 preferred)
cmakeandclang(foraws-lc-rsbuild)- A local LLM at
localhost:11434(Ollama recommended) for Cortex
# Build the full Rust workspace
cargo build --release --workspace
# Run all 157 tests
cargo test --workspace
# Clippy (zero warnings enforced)
cargo clippy --workspace --all-targets
# Run Python Cortex tests
python -m pytest cortex-engine/tests/ -v
# Start Cortex (requires local LLM)
python -m cortex.main --config config/cortex.toml
# Load nftables rules (requires root)
sudo nft -f tier0-ratelimit/nftables.conf| Flag | Default | Description |
|---|---|---|
--config |
config/vglf.toml |
Main config file |
--model |
models/reflex.onnx |
ONNX model path (hash-verified) |
--ipc-socket |
/var/run/vglf/rules.sock |
Cortex-to-Rust rule socket |
--allow-cloud |
false |
Allow non-localhost LLM endpoint |
--dry-run |
false |
Log rules without applying to nftables |
--sacrosanct |
config/sacrosanct.toml |
Protected IP list |
vglf/
├── CLAUDE.md # Project constitution & coding standards
├── Cargo.toml # Workspace root
├── spinal-cord/ # Rust: Tier 1 proxy + crypto + IPC
│ └── src/
│ ├── crypto/ # KEM, DSA, agility traits
│ └── ipc/ # Handler, protocol, sacrosanct, nft
├── vortex-sink/ # Rust: Tier 2 persistence + integrity
│ └── src/
│ ├── merkle.rs # SHA3-256 hash chain
│ ├── store.rs # AES-256-GCM encrypted storage
│ ├── schema.rs # Traffic record schema
│ └── syslog.rs # RFC 5424 SIEM mirror
├── pqc-keymgmt/ # Rust: Key lifecycle + signing
│ └── src/
│ ├── keystore.rs # KeyStore trait (File/TPM/Vault)
│ ├── lifecycle.rs # Generate, rotate, revoke
│ ├── model_signer.rs # ONNX model signing
│ └── bundle_signer.rs # Rule bundle signing
├── cortex-engine/ # Python: LLM analysis engine
│ └── cortex/
│ ├── analyzer.py # Traffic analysis pipeline
│ ├── validator.py # Deterministic rule validator
│ ├── db.py # DuckDB read-only queries
│ └── ipc_client.py # Signed IPC to Rust handler
├── tier0-ratelimit/ # nftables baseline config
├── tests/ # Red-team regression + canary suites
├── config/ # Example config files
└── models/ # ONNX models + hash sidecars
157 tests total, 0 failures
spinal-cord 46 tests (KEM, DSA, IPC handler, sacrosanct, nftables)
vortex-sink 50 tests (Merkle chain, AES-GCM store, schema, syslog)
pqc-keymgmt 61 tests (KeyStore, lifecycle, model signing, bundle signing)
Every commit touching crypto runs NIST KAT size validation. Every commit touching the IPC handler runs the sacrosanct enforcement test. Every new IPv4 test has a corresponding IPv6 test.
VGLF is designed for OT/ICS environments:
- Production keys: TPM 2.0 (never flat-file)
- Staging keys: HashiCorp Vault transit
- Sacrosanct list: Must be populated with SCADA/PLC/HMI addresses before first run
- LLM: Local only by default —
temperature=0.0,max_tokens=10for block/allow decisions
See config/sacrosanct.toml.example for the protected IP list format.
Licensed under the Apache License, Version 2.0. See LICENSE for details.
VGLF | BreakingCircuits.com | February 2026