DEV Community

Dmitry Labintcev
Dmitry Labintcev

Posted on • Edited on

4 Days, 18,599 Lines: What Happens When You Go All-In on Pure C

#security #ai #opensource #c

πŸ“Œ This post is now archived. For the latest updates on SENTINEL, see the new consolidated article:
SENTINEL Platform β€” Complete AI Security Toolkit (2026 Update Log)

From 600 lines to 18,599: I went all-in on Pure C for AI security.
Here's exactly what I built in 4 days β€” every file, every line.

Four days ago, I published a post about replacing my Go gateway with 600 lines of C. The response blew my mind β€” our dev.to following grew 10x in under a week.

Today, I'm sharing exactly what I built since then. Every file. Every line. Every late-night decision.

TL;DR: The Numbers

Metric Before (Jan 1) After (Jan 5) Delta
Files changed β€” 112 +112
Lines added β€” 18,599 +18,599
Lines deleted β€” 2,119 -2,119
CLI Commands 194 ~199 +5
LOC total 23K 28K+ +5K
Academy Modules 16 22 +6

Let me break down what actually happened.

Day 1-2: Phase 4 Core Modules

ThreatHunter β€” Proactive Threat Hunting

Not just waiting for attacks. Actively hunting them.

// src/core/threat_hunter.c
typedef struct threat_hunter_config {
    bool hunt_ioc;           // Indicators of Compromise
    bool hunt_behavioral;    // Behavioral analysis
    bool hunt_anomaly;       // Anomaly detection
    float sensitivity;       // 0.0 - 1.0
} threat_hunter_config_t;

shield_err_t threat_hunter_start_hunt(threat_hunter_t *th);
Enter fullscreen mode Exit fullscreen mode

Why? Most security tools are reactive. ThreatHunter runs continuous sweeps looking for patterns that might become attacks.

Honest status: Architecture done, ML integration pending.

Watchdog β€” System Health Monitor 

// src/core/watchdog.c
typedef struct watchdog_state {
    module_state_t state;
    bool auto_recovery;
    uint32_t check_interval_ms;
    float system_health;        // 0.0 - 1.0
    uint64_t recoveries_attempted;
} watchdog_state_t;
Enter fullscreen mode Exit fullscreen mode

Monitors all Shield subsystems. If something dies, it brings it back.

Real CLI output:

Shield# watchdog enable
Shield# watchdog auto-recovery enable
Watchdog: monitoring 6 components
Enter fullscreen mode Exit fullscreen mode

PQC β€” Post-Quantum Cryptography 

// src/core/pqc.c
typedef struct pqc_state {
    module_state_t state;
    bool kyber_available;      // Key encapsulation
    bool dilithium_available;  // Digital signatures
} pqc_state_t;
Enter fullscreen mode Exit fullscreen mode

NIST Level 5 stubs. When quantum computers break RSA, we're ready.

Honest status: Stubs only. Real Kyber/Dilithium integration requires linking liboqs.

Cognitive Signatures β€” Pattern Recognition

7 signature types for detecting attack patterns:

  1. Syntactic β€” Keyword matching
  2. Semantic β€” Meaning analysis
  3. Temporal β€” Time-based patterns
  4. Entropy β€” Randomness detection
  5. Behavioral β€” Action sequences
  6. Contextual β€” Environment awareness
  7. Adaptive β€” Learning patterns 
typedef enum cognitive_sig_type {
    COG_SIG_SYNTACTIC,
    COG_SIG_SEMANTIC,
    COG_SIG_TEMPORAL,
    COG_SIG_ENTROPY,
    COG_SIG_BEHAVIORAL,
    COG_SIG_CONTEXTUAL,
    COG_SIG_ADAPTIVE
} cognitive_sig_type_t;
Enter fullscreen mode Exit fullscreen mode

Day 2-3: Shield State Persistence

The biggest user-facing improvement: your configuration survives restarts.

Before 

Shield# guard enable all
Shield# threat-hunter sensitivity 0.8
# ... restart ...
# Everything gone. Start over.
Enter fullscreen mode Exit fullscreen mode

After 

Shield# guard enable all
Shield# threat-hunter sensitivity 0.8
Shield# write memory
Building configuration...
[OK] Configuration saved to startup-config.conf

# ... restart ...
Shield# show running-config
! Configuration restored
threat-hunter enable
threat-hunter sensitivity 0.8
guard enable all
Enter fullscreen mode Exit fullscreen mode

The Implementation 

// include/shield_state.h
typedef struct shield_state {
    threat_hunter_state_t threat_hunter;
    watchdog_state_t watchdog;
    cognitive_state_t cognitive;
    pqc_state_t pqc;
    guards_state_t guards;
    system_config_t config;
    bool config_modified;  // Dirty flag
} shield_state_t;

// Singleton access
shield_state_t *shield_state_get(void);
shield_err_t shield_state_save(const char *path);
shield_err_t shield_state_load(const char *path);
Enter fullscreen mode Exit fullscreen mode

INI-style config files. Human-readable. Git-friendly.

Day 3: CLI Expansion β€” From 194 to ~199 Commands

New Command Files

  • cmd_system.c β€” write memory, copy running-config, reload
  • cmd_security.c β€” Canaries, blocklists, rate limiting
  • cmd_network.c β€” Interface management

New Phase 4 Commands 

threat-hunter enable
threat-hunter sensitivity <0.0-1.0>
threat-hunter mode <ioc|behavioral|anomaly>
no threat-hunter enable

watchdog enable
watchdog auto-recovery enable
watchdog interval <ms>
show watchdog status

cognitive enable
pqc enable

write memory
copy running-config startup-config
Enter fullscreen mode Exit fullscreen mode

Every command is Cisco-style. Tab completion. Context help with ?.

Day 3-4: SENTINEL Academy β€” Full Localization

22 modules. English AND Russian. Because security knowledge shouldn't have language barriers.

New Modules (17-22)

Module EN RU Topic
17 βœ… βœ… ThreatHunter deep-dive
18 βœ… βœ… Watchdog configuration
19 βœ… βœ… Cognitive Signatures
20 βœ… βœ… Post-Quantum Cryptography
21 βœ… βœ… Shield State management
22 βœ… βœ… Advanced CLI techniques

Exam Bank & Labs

  • +25 new exam questions covering Phase 4
  • +6 new hands-on labs
    • Lab 17: ThreatHunter sweep
    • Lab 18: Watchdog recovery scenario
    • Lab 19: Cognitive signature creation
    • Lab 20: PQC key generation
    • Lab 21: State persistence testing
    • Lab 22: CLI scripting

Day 4: E2E Test Harness

48+ tests. Every CLI command category covered.

// tests/test_cli.c
static void test_guard_enable_llm(void) {
    TEST_START("guard enable llm");

    cli_set_mode(g_ctx, CLI_MODE_CONFIG);
    shield_err_t err = exec_cmd("guard enable llm");
    ASSERT_EQ(err, SHIELD_OK, "guard enable llm failed");

    shield_state_t *state = shield_state_get();
    ASSERT_EQ(state->guards.llm.state, MODULE_ENABLED, 
              "llm guard not enabled");

    TEST_PASS();
}
Enter fullscreen mode Exit fullscreen mode

Test Categories:

  • Show commands (15 tests)
  • Guard commands (8 tests)
  • Phase 4 modules (7 tests)
  • State persistence (3 tests)
  • Debug commands (2 tests)
  • Mode transitions (2 tests)

Run with:

make test_cli

═══════════════════════════════════════════════════════════════
  Total Tests:  48
  Passed:       48
  Failed:       0
═══════════════════════════════════════════════════════════════
  βœ… ALL CLI E2E TESTS PASSED
Enter fullscreen mode Exit fullscreen mode

Complete File Manifest

New Source Files (35 files)

Core modules:

  • src/core/threat_hunter.c
  • src/core/watchdog.c
  • src/core/cognitive_sig.c
  • src/core/pqc.c
  • src/core/shield_state.c
  • src/core/http_client.c
  • src/core/secure_comm.c
  • src/core/stubs.c

CLI commands:

  • src/cli/cmd_system.c
  • src/cli/cmd_security.c
  • src/cli/cmd_network.c

Headers:

  • include/shield_state.h
  • include/shield_policy.h
  • include/shield_protocol.h

Academy (12 modules):

  • docs/academy/en/MODULE_17_THREAT_HUNTER.md through MODULE_22_CLI_ADVANCED.md
  • docs/academy/ru/MODULE_17_THREAT_HUNTER.md through MODULE_22_CLI_ADVANCED.md

Tests:

  • tests/test_cli.c β€” E2E test harness
  • tests/test_sllm.c β€” SLLM protocol tests

Modified Files (77 files)

All 6 guards updated, 14 protocols updated, 10 headers updated, 13 CLI files updated.

What's Still Missing (Honesty Section)

I believe in transparency. Here's what Shield is NOT yet:

Component Status What's needed
REST API Server ❌ Full HTTP endpoint handling
mTLS ❌ OpenSSL/mbedTLS integration
Real ML in Guards ❌ Brain FFI integration
Fuzzing ❌ AFL/libFuzzer campaign
Memory Sanitizers ❌ ASan/MSan/UBSan passes
Production Docker ❌ Hardened container

Shield is a production-grade ARCHITECTURE, not yet a production-ready PRODUCT.

The foundation is solid. The protocols work. The CLI is complete. But ML integration and HTTP serving are still in development.

What's Next?

  1. Brain FFI β€” Connect Python ML engines to C guards
  2. REST API β€” Full HTTP server with OpenAPI spec
  3. CI/CD β€” GitHub Actions with test matrix
  4. Fuzzing β€” AFL++ campaign for security validation

Try It Yourself 

git clone https://github.com/DmitrL-dev/AISecurity.git
cd AISecurity/sentinel-community/shield
make
Enter fullscreen mode Exit fullscreen mode 
./build/shield

Shield# show version
SENTINEL Shield v4.1 "Dragon"
112 files | 28K LOC | 20 protocols | ~199 commands

Shield# configure terminal
Shield(config)# guard enable all
Shield(config)# threat-hunter enable
Shield(config)# write memory
Enter fullscreen mode Exit fullscreen mode

The Real Lesson

Transparency builds trust faster than perfection.

I could've waited until everything was "done." Instead, I'm sharing the messy middle. The stubs. The honest status. The late-night typing.

Our audience grew 10x not because the code is perfect β€” but because it's real.

Star ⭐ the repo: github.com/DmitrL-dev/AISecurity

Questions? Drop a comment or DM @DmLabincev

Tags: #c #security #ai #opensource

Top comments (0)