{"id":24749940,"url":"https://github.com/t0rr3sp3dr0/moones","last_synced_at":"2026-05-11T07:19:41.973Z","repository":{"id":274395749,"uuid":"922041119","full_name":"t0rr3sp3dr0/moones","owner":"t0rr3sp3dr0","description":"Lua-Scriptable Endpoint Security for macOS","archived":false,"fork":false,"pushed_at":"2025-07-11T10:38:03.000Z","size":32,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-13T11:40:54.290Z","etag":null,"topics":["endpoint-security","lua","luajit","macos"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t0rr3sp3dr0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-01-25T06:41:40.000Z","updated_at":"2025-07-11T10:38:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"5109cd55-a09a-4035-9a70-91e3e221185d","html_url":"https://github.com/t0rr3sp3dr0/moones","commit_stats":null,"previous_names":["t0rr3sp3dr0/moones"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/t0rr3sp3dr0/moones","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0rr3sp3dr0%2Fmoones","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0rr3sp3dr0%2Fmoones/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0rr3sp3dr0%2Fmoones/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0rr3sp3dr0%2Fmoones/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t0rr3sp3dr0","download_url":"https://codeload.github.com/t0rr3sp3dr0/moones/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0rr3sp3dr0%2Fmoones/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275312968,"owners_count":25442564,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-15T02:00:09.272Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["endpoint-security","lua","luajit","macos"],"created_at":"2025-01-28T08:52:50.622Z","updated_at":"2025-09-15T20:08:28.554Z","avatar_url":"https://github.com/t0rr3sp3dr0.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🌙 MoonES\nLua-Scriptable Endpoint Security for macOS\n\n## Pronunciation\n[/mˈuːnz/](dat/pronunciation.mp3), like the plural of Moon.\n\n## Getting Started\n1. Download and install MoonES.\n2. Write a Lua script for MoonES.\n3. Give Full Disk Access to Terminal.\n4. Run `sudo /Applications/MoonES.app/Contents/MacOS/MoonES ./script.lua` in Terminal.\n\n## Scripting\nThe script provided to MoonES must implement two Lua functions, `moones.events` and `moones.handler`, as specified bellow. An example based on the [Monitoring System Events with Endpoint Security](https://developer.apple.com/documentation/endpointsecurity/monitoring-system-events-with-endpoint-security?language=objc) sample code from Apple is available at [dat/script.lua](dat/example.lua).\n\n### `moones.events`\nThis function should return an array of events you want to subscribe to. The enumeration constants of [es_event_type_t](https://developer.apple.com/documentation/endpointsecurity/es_event_type_t?language=objc) can be referenced as defined in Objective-C.\n\n```lua\nfunction moones.events ()\n    return {\n        ES_EVENT_TYPE_NOTIFY_OPEN,\n    }\nend\n```\n\n### `moones.handler`\nThis function should handle the events you have subscribed to, allowing or denying auth events. The argument value received by the function is a [es_message_t](https://developer.apple.com/documentation/endpointsecurity/es_message_t?language=objc) and its members can be accessed as defined in Objective-C. The return value of the function must be an integer: between `0x00000000` and `0xFFFFFFFF` to be used as `authorized_flags` in [es_respond_flags_result](https://developer.apple.com/documentation/endpointsecurity/es_respond_flags_result(_:_:_:_:)?language=objc) for `ES_EVENT_TYPE_AUTH_OPEN` events, `ES_AUTH_RESULT_ALLOW` or `ES_AUTH_RESULT_DENY` to be used as `result` in [es_respond_auth_result](https://developer.apple.com/documentation/endpointsecurity/es_respond_auth_result(_:_:_:_:)?language=objc) for other auth events, and `0` for notify events.\n\n```lua\nfunction moones.handler (message)\n    local path = tostring(message.event.open.file.path)\n    print(path)\n\n    return 0\nend\n```\n\n## Common Errors\n\n### `argc != 2: 1`\nYou haven't passed the script path as a command-line argument to MoonES.\n\n### `ret[1] is not a number`\nYou haven't returned an integer in `moones.handler`.\n\n### `ret[1] is not a table`\nYou haven't returned an array in `moones.events`.\n\n### `ret[1][1] is not a number`\nYou haven't returned an array of integers in `moones.events`.\n\n### `es_new_client(\u0026client, ^(es_client_t *client, const es_message_t *message) { ... }) failed: 3`\nYou haven't entitled MoonES with [com.apple.developer.endpoint-security.client](https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.endpoint-security.client?language=objc).\n\n### `es_new_client(\u0026client, ^(es_client_t *client, const es_message_t *message) { ... }) failed: 4`\nYou haven't given Full Disk Access to Terminal or the parent of MoonES.\n\n### `es_new_client(\u0026client, ^(es_client_t *client, const es_message_t *message) { ... }) failed: 5`\nYou haven't started MoonES as root.\n\n## Developement\n\n### Requirements\n1. LuaJIT 2.1 or later.\n2. Xcode 12.2 or later.\n\n### Building\n1. Replace [src/embedded.provisionprofile](src/embedded.provisionprofile) with your Provisioning Profile.\n2. Optionally, create [.env](.env) and define `DISABLE_NOTARIZATION` to disable notarization or `SIGNING_IDENTITY` to override the signing identity.\n3. Run `make`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0rr3sp3dr0%2Fmoones","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft0rr3sp3dr0%2Fmoones","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0rr3sp3dr0%2Fmoones/lists"}