ZELC Developer Cheat Sheet

This reference defines the production visual syntax of ZelC, including symbolic operators, structural blocks, execution markers, and block-closure notation.

Build 168.0 // Haja Mo Sovereign

1. Core Syntax

Marker Keyword Description
๐Ÿ“ฆ package Namespace: Declares the operational scope of the file.
๐Ÿ”Œ use Import: Loads engines or providers like aina, edr, aws, and threat.
โš™๏ธ keep Constant: Defines thresholds, modes, and fixed configuration values.
โญ•๏ธ define Open Circle Block: Starts a reusable helper function block.
๐Ÿ”ฅ check Entry Point: Starts an active monitoring or execution routine.
โš ๏ธ when Conditional Gate: Opens a condition block.
๐Ÿ”น set Assignment: Stores runtime values such as hostnames, users, processes, or scores.
๐ŸŒ€ change Mutation: Updates an existing value.
โšก do Action Block: Opens the live execution zone.
โญ•๏ธ each Open Circle Block: Starts an iterator block.
โ†ฉ๏ธ return Output: Returns helper data or results.
โ˜๏ธ provider action Execution Call: Invokes real cloud, EDR, Linux, IAM, or API actions.
๐Ÿšจ alert Signal: Raises an alert for analysts or dashboards.
๐Ÿ“ฃ notify Communication: Sends messages to Teams or other channels.
๐Ÿงพ evidence Forensic Proof: Records artifacts, timestamps, and outcomes.
โ›“๏ธ rosecoin Immutable Provenance: Anchors evidence to Rosecoin.
โœจ gui Visual Update: Pushes state into the visual interface layer.
๐Ÿ”ด close block Close Circle Block: Closes define, each, when, do, and check blocks.

2. Block Model

Open Circle Block starts structure. Full Red Circle closes structure.

โญ•๏ธ define

Open Circle Block for reusable helper logic.

โญ•๏ธ each

Open Circle Block for iterator logic.

โš ๏ธ when

Conditional block opener.

โšก do

Action block opener.

๐Ÿ”ด

Close Circle Block.

โญ•๏ธ define assess_risk(event) ... ๐Ÿ”ด
โญ•๏ธ each proc in suspicious_procs ... ๐Ÿ”ด
โš ๏ธ when confidence > 95 ... ๐Ÿ”ด
โšก do ... ๐Ÿ”ด
๐Ÿ”ฅ check RansomwareOutbreakDefense ... ๐Ÿ”ด

3. Sample Code for Each Marker

Every symbol below has a direct sample developers can read quickly.
๐Ÿ“ฆ package
๐Ÿ“ฆ package soc.endpoint
๐Ÿ”Œ use
๐Ÿ”Œ use aina, edr, aws, threat
โš™๏ธ keep
โš™๏ธ keep ENCRYPTION_VELOCITY_LIMIT = 50
โญ•๏ธ define ... ๐Ÿ”ด
โญ•๏ธ define assess_risk(event)

  ๐Ÿ”น set score = event.risk_score
  โ†ฉ๏ธ return score

๐Ÿ”ด
๐Ÿ”ฅ check ... ๐Ÿ”ด
๐Ÿ”ฅ check RansomwareOutbreakDefense

  โš ๏ธ when file_modifications_per_sec > 50
    ๐Ÿ”น set infected_host = event.hostname
  ๐Ÿ”ด

๐Ÿ”ด
โš ๏ธ when ... ๐Ÿ”ด
โš ๏ธ when confidence > 95
  ๐Ÿšจ alert critical message "Ransomware detected"
๐Ÿ”ด
๐Ÿ”น set
๐Ÿ”น set infected_host = event.hostname
๐ŸŒ€ change
๐ŸŒ€ change confidence = confidence + 10
โšก do ... ๐Ÿ”ด
โšก do
  โ˜๏ธ edr isolate host infected_host mode ISOLATION_MODE
๐Ÿ”ด
โญ•๏ธ each ... ๐Ÿ”ด
โญ•๏ธ each proc in suspicious_procs
  โ˜๏ธ edr kill process proc.pid on infected_host
๐Ÿ”ด
โ†ฉ๏ธ return
โ†ฉ๏ธ return ai_verdict
โ˜๏ธ provider action
โ˜๏ธ edr isolate host infected_host mode ISOLATION_MODE
๐Ÿšจ alert
๐Ÿšจ alert critical message "RANSOMWARE VELOCITY DETECTED"
๐Ÿ“ฃ notify
๐Ÿ“ฃ notify teams channel "Incident Response" message "Containment started"
๐Ÿงพ evidence
๐Ÿงพ evidence record "Containment_Event" details {
  target_host: infected_host,
  confidence: threat_assessment.confidence
}
โ›“๏ธ rosecoin
โ›“๏ธ rosecoin anchor evidence_pack "latest"
โœจ gui
โœจ gui update panel "warroom" with {
  status: "containment_active",
  host: infected_host
}
๐Ÿ”ด close block
๐Ÿ”ด
Copyright Haja Mo โ€ข ยฉ