hopper-core 0.1.0

Core engine for the Hopper zero-copy state framework. Account memory architecture, ABI types, validation graphs, phased execution, zero-copy collections, layout evolution, and cross-program interfaces.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646

//! Borrowed-state execution context.
//!
//! The `Frame` is Hopper's execution model. It wraps the instruction's accounts
//! and data, enforcing single-mutable-borrow discipline and phased execution.
//!
//! ## Execution Phases
//!
//! 1. **Resolve** -- Parse accounts from the input slice into named typed slots
//! 2. **Validate** -- Run the validation graph (account-local, cross-account, state-transition)
//! 3. **Borrow** -- Obtain zero-copy overlays with borrow discipline
//! 4. **Mutate** -- Execute state changes through verified mutable references
//! 5. **Emit** -- Fire events
//! 6. **Commit** -- (implicit: Solana runtime commits on success)
//!
//! The `Frame` ensures that:
//! - Each account is borrowed at most once mutably
//! - Immutable borrows can coexist
//! - Validation runs before mutation
//! - Events are emitted after state changes

pub mod args;
pub mod phase;

use crate::account::SliceCursor;
use crate::account::{FixedLayout, Pod, HEADER_LEN};
use hopper_runtime::segment_borrow::SegmentBorrowRegistry;
use hopper_runtime::{
    error::ProgramError, AccountView, Address, ProgramResult, Ref, RefMut, SegRef, SegRefMut,
    SegmentLease,
};

/// Maximum accounts in a single frame. Matches Solana's transaction limit.
pub const MAX_FRAME_ACCOUNTS: usize = 64;

/// Execution frame holding the instruction's accounts and data.
///
/// `Frame` is the entry point for Hopper's phased execution model.
/// It tracks which accounts have been borrowed (mutably or immutably)
/// to prevent aliasing violations at runtime.
pub struct Frame<'a> {
    /// Program ID that is executing.
    program_id: &'a Address,
    /// Raw account views.
    accounts: &'a [AccountView],
    /// Instruction data cursor.
    ix_data: SliceCursor<'a>,
    /// Borrow tracking: bit N = 1 means account N is mutably borrowed.
    /// This is a runtime check -- not as strong as the borrow checker, but
    /// catches the most dangerous pattern (double-mutable-borrow).
    mutable_borrows: u64,
    /// Segment-level borrow tracking for fine-grained conflict detection.
    /// Allows concurrent mutable access to non-overlapping regions of the
    /// same account, the key safety property missing from raw pointer access.
    segment_borrows: SegmentBorrowRegistry,
}

impl<'a> Frame<'a> {
    /// Create a new execution frame.
    #[inline(always)]
    pub fn new(
        program_id: &'a Address,
        accounts: &'a [AccountView],
        instruction_data: &'a [u8],
    ) -> Result<Self, ProgramError> {
        if accounts.len() > MAX_FRAME_ACCOUNTS {
            return Err(ProgramError::InvalidArgument);
        }
        Ok(Self {
            program_id,
            accounts,
            ix_data: SliceCursor::new(instruction_data),
            mutable_borrows: 0,
            segment_borrows: SegmentBorrowRegistry::new(),
        })
    }

    /// Program ID.
    #[inline(always)]
    pub fn program_id(&self) -> &Address {
        self.program_id
    }

    /// Number of accounts in this frame.
    #[inline(always)]
    pub fn account_count(&self) -> usize {
        self.accounts.len()
    }

    /// Get raw account view by index.
    #[inline(always)]
    pub fn account_view(&self, index: usize) -> Result<&AccountView, ProgramError> {
        self.accounts
            .get(index)
            .ok_or(ProgramError::NotEnoughAccountKeys)
    }

    /// Get instruction data cursor.
    #[inline(always)]
    pub fn ix_data(&mut self) -> &mut SliceCursor<'a> {
        &mut self.ix_data
    }

    /// Get raw instruction data.
    #[inline(always)]
    pub fn ix_data_raw(&self) -> &[u8] {
        self.ix_data.data_from_position()
    }

    // --- Immutable Account Access -----------------------------------

    /// Get an immutable account view (no borrow tracking needed for reads).
    #[inline(always)]
    pub fn account(&self, index: usize) -> Result<FrameAccount<'_>, ProgramError> {
        let view = self
            .accounts
            .get(index)
            .ok_or(ProgramError::NotEnoughAccountKeys)?;
        Ok(FrameAccount { view })
    }

    // --- Mutable Account Access (with borrow tracking) -------------

    /// Get a mutable account view with runtime borrow checking.
    ///
    /// Returns an error if this account is already borrowed mutably.
    /// This prevents the most dangerous aliasing pattern in Solana programs.
    #[inline]
    pub fn account_mut(&mut self, index: usize) -> Result<FrameAccountMut<'_>, ProgramError> {
        if index >= self.accounts.len() {
            return Err(ProgramError::NotEnoughAccountKeys);
        }

        let bit = 1u64 << (index as u32);
        if self.mutable_borrows & bit != 0 {
            // Already mutably borrowed -- prevent aliasing.
            return Err(ProgramError::AccountBorrowFailed);
        }

        self.mutable_borrows |= bit;
        let view = &self.accounts[index];

        Ok(FrameAccountMut {
            view,
            borrow_mask: &mut self.mutable_borrows,
            bit,
        })
    }

    // --- Segment-Level Access (fine-grained borrow tracking) --------

    /// Get the segment borrow registry for direct manipulation.
    #[inline(always)]
    pub fn segment_borrows(&self) -> &SegmentBorrowRegistry {
        &self.segment_borrows
    }

    /// Get the mutable segment borrow registry.
    #[inline(always)]
    pub fn segment_borrows_mut(&mut self) -> &mut SegmentBorrowRegistry {
        &mut self.segment_borrows
    }

    /// Read a typed value from a segment of an account's data region.
    ///
    /// Registers a **read** borrow for the given byte range, then projects
    /// the pointer through the live byte-borrow guard into a `Ref<'_, T>`.
    /// Returns an error if the range conflicts with an existing write
    /// borrow on the same account.
    ///
    /// `offset` is relative to the layout body (after the 16-byte header).
    ///
    /// # Preferred path
    ///
    /// Most programs don't need to construct a `Frame` at all, the
    /// `hopper_runtime::Context` handler signature gives you
    /// `ctx.segment_ref::<T>(index, abs_offset)` with the same tightened
    /// Pod contract, the same RAII guard, and none of the phased
    /// execution bookkeeping. Reach for `Frame::segment_ref` only when
    /// you're inside the advanced `frame`-gated execution model.
    ///
    /// # Safety Contract
    ///
    /// - T must be `Pod + FixedLayout` (safe to interpret from any bit pattern,
    ///   alignment-1, no padding).
    /// - Bounds are checked at runtime.
    /// - Borrow conflicts are checked at runtime.
    /// - The returned [`SegRef<T>`] owns both the byte-slice borrow and
    ///   a RAII lease on the segment registry entry. Dropping it
    ///   releases **both**, no sticky-ledger residue from post-audit.
    #[inline]
    pub fn segment_ref<'f, T: Pod + FixedLayout>(
        &'f mut self,
        index: usize,
        offset: u32,
    ) -> Result<SegRef<'f, T>, ProgramError> {
        let view = self
            .accounts
            .get(index)
            .ok_or(ProgramError::NotEnoughAccountKeys)?;
        let data = view.try_borrow()?;

        let abs_offset = (HEADER_LEN as u32)
            .checked_add(offset)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        let end = abs_offset
            .checked_add(T::SIZE as u32)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        if end as usize > data.len() {
            return Err(ProgramError::AccountDataTooSmall);
        }

        let borrow = self.segment_borrows.register_leased_read(
            view.address(),
            abs_offset,
            T::SIZE as u32,
        )?;

        // SAFETY: T is Pod + FixedLayout (all bit patterns valid, align-1).
        // Bounds checked above. `Ref::project` consumes the byte-slice
        // guard and yields a `Ref<T>` whose lifetime is tied to the
        // account borrow; the `SegmentLease` we build immediately after
        // releases the registry entry on drop.
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        let ptr = unsafe { data.as_bytes_ptr().add(abs_offset as usize) as *const T };
        let inner: Ref<'f, T> = unsafe { data.project(ptr) };
        // SAFETY: `borrow` was just registered in `self.segment_borrows`;
        // the lease is the sole releaser for that entry.
        let lease: SegmentLease<'f> =
            unsafe { SegmentLease::new(&mut self.segment_borrows, borrow) };
        Ok(SegRef::new(inner, lease))
    }

    /// Get a mutable typed reference to a segment of an account's data.
    ///
    /// Registers a **write** borrow for the given byte range, then projects
    /// the pointer through the live byte-borrow guard into a `RefMut<'_, T>`.
    /// Returns an error if the range overlaps any existing borrow (read or
    /// write) on the same account.
    ///
    /// This is the core primitive that makes Hopper strictly better than
    /// raw Pinocchio: you get the same pointer arithmetic, but with
    /// segment-level conflict detection that prevents aliasing bugs.
    ///
    /// `offset` is relative to the layout body (after the 16-byte header).
    ///
    /// # Safety Contract
    ///
    /// - T must be `Pod + FixedLayout`.
    /// - Bounds are checked at runtime.
    /// - Borrow conflicts are checked at runtime.
    /// - The returned [`SegRefMut<T>`] carries both the account-level
    ///   exclusive byte guard and a RAII registry lease, dropping it
    ///   releases the full borrow cleanly, so sequential patterns on
    ///   the same segment compose like ordinary Rust borrows.
    ///
    /// # Example
    ///
    /// ```ignore
    /// // Only borrows the "balance" region [32..40), not the entire account.
    /// {
    ///     let mut balance = frame.segment_mut::<WireU64>(0, 32)?;
    ///     balance.set(balance.get() + amount);
    /// } // SegRefMut drops here, releasing both guards.
    ///
    /// // Now we can re-borrow the same (or a different) segment safely.
    /// let mut balance_again = frame.segment_mut::<WireU64>(0, 32)?;
    /// ```
    #[inline]
    pub fn segment_mut<'f, T: Pod + FixedLayout>(
        &'f mut self,
        index: usize,
        offset: u32,
    ) -> Result<SegRefMut<'f, T>, ProgramError> {
        let view = self
            .accounts
            .get(index)
            .ok_or(ProgramError::NotEnoughAccountKeys)?;

        // Check writable before doing anything else.
        if !view.is_writable() {
            return Err(ProgramError::InvalidAccountData);
        }

        let data = view.try_borrow_mut()?;
        let abs_offset = (HEADER_LEN as u32)
            .checked_add(offset)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        let end = abs_offset
            .checked_add(T::SIZE as u32)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        if end as usize > data.len() {
            return Err(ProgramError::AccountDataTooSmall);
        }

        let borrow = self.segment_borrows.register_leased_write(
            view.address(),
            abs_offset,
            T::SIZE as u32,
        )?;

        // SAFETY: as above; the projected `RefMut<T>` inherits the
        // byte-slice exclusive borrow, and the lease ensures the
        // registry entry is swap-removed on drop.
        let bytes_ptr = (&*data) as *const [u8] as *mut [u8] as *mut u8;
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        let ptr = unsafe { bytes_ptr.add(abs_offset as usize) as *mut T };
        let inner: RefMut<'f, T> = unsafe { data.project(ptr) };
        let lease: SegmentLease<'f> =
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            unsafe { SegmentLease::new(&mut self.segment_borrows, borrow) };
        Ok(SegRefMut::new(inner, lease))
    }

    /// Unsafe escape hatch for performance-critical paths.
    ///
    /// Skips borrow tracking entirely. The caller takes full responsibility
    /// for aliasing safety. Returns a `RefMut<T>` so the borrow guard is
    /// still tied to the returned value's lifetime, the "unchecked" part
    /// is only the conflict-detection skip, not the lifetime tying.
    ///
    /// # Safety
    ///
    /// The caller must guarantee no other mutable reference to the same
    /// byte range exists for the duration of the returned reference, and
    /// that no overlapping segment borrow has been registered.
    #[inline(always)]
    pub unsafe fn segment_mut_unchecked<T: Pod + FixedLayout>(
        &self,
        index: usize,
        offset: u32,
    ) -> Result<RefMut<'_, T>, ProgramError> {
        let view = self
            .accounts
            .get(index)
            .ok_or(ProgramError::NotEnoughAccountKeys)?;
        let data = view.try_borrow_mut()?;

        let abs_offset = (HEADER_LEN as u32)
            .checked_add(offset)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        let end = abs_offset
            .checked_add(T::SIZE as u32)
            .ok_or(ProgramError::ArithmeticOverflow)?;
        if end as usize > data.len() {
            return Err(ProgramError::AccountDataTooSmall);
        }

        let bytes_ptr = (&*data) as *const [u8] as *mut [u8] as *mut u8;
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        let ptr = unsafe { bytes_ptr.add(abs_offset as usize) as *mut T };
        Ok(unsafe { data.project(ptr) })
    }

    // --- Validation Helpers -----------------------------------------

    /// Validate that account at `index` is a signer.
    #[inline(always)]
    pub fn require_signer(&self, index: usize) -> ProgramResult {
        crate::check::check_signer(self.account_view(index)?)
    }

    /// Validate that account at `index` is writable.
    #[inline(always)]
    pub fn require_writable(&self, index: usize) -> ProgramResult {
        crate::check::check_writable(self.account_view(index)?)
    }

    /// Validate that account at `index` is owned by this program.
    #[inline(always)]
    pub fn require_owned(&self, index: usize) -> ProgramResult {
        crate::check::check_owner(self.account_view(index)?, self.program_id)
    }

    /// Validate signer + writable (common pattern for authority accounts).
    #[inline(always)]
    pub fn require_authority(&self, index: usize) -> ProgramResult {
        let view = self.account_view(index)?;
        crate::check::check_signer(view)?;
        crate::check::check_writable(view)?;
        Ok(())
    }

    /// Validate two accounts are unique.
    #[inline(always)]
    pub fn require_unique(&self, a: usize, b: usize) -> ProgramResult {
        let va = self.account_view(a)?;
        let vb = self.account_view(b)?;
        crate::check::check_accounts_unique(va, vb)
    }

    /// Require an account matches a specific program address.
    #[inline(always)]
    pub fn require_program(&self, index: usize, program: &Address) -> ProgramResult {
        crate::check::check_address(self.account_view(index)?, program)
    }
}

/// Immutable account view within a Frame.
pub struct FrameAccount<'a> {
    view: &'a AccountView,
}

impl<'a> FrameAccount<'a> {
    /// The underlying AccountView.
    #[inline(always)]
    pub fn view(&self) -> &AccountView {
        self.view
    }

    /// The account's address.
    #[inline(always)]
    pub fn address(&self) -> &Address {
        self.view.address()
    }

    /// Borrow account data (read-only).
    #[inline(always)]
    pub fn data(&self) -> Result<Ref<'a, [u8]>, ProgramError> {
        self.view.try_borrow()
    }

    /// Lamports balance.
    #[inline(always)]
    pub fn lamports(&self) -> u64 {
        self.view.lamports()
    }

    /// Is this account a signer?
    #[inline(always)]
    pub fn is_signer(&self) -> bool {
        self.view.is_signer()
    }

    /// Is this account writable?
    #[inline(always)]
    pub fn is_writable(&self) -> bool {
        self.view.is_writable()
    }
}

/// Mutable account view within a Frame.
///
/// When this is dropped, the mutable borrow tracking bit is cleared,
/// allowing the account to be re-borrowed.
pub struct FrameAccountMut<'a> {
    view: &'a AccountView,
    borrow_mask: &'a mut u64,
    bit: u64,
}

impl<'a> FrameAccountMut<'a> {
    /// The underlying AccountView.
    #[inline(always)]
    pub fn view(&self) -> &AccountView {
        self.view
    }

    /// The account's address.
    #[inline(always)]
    pub fn address(&self) -> &Address {
        self.view.address()
    }

    /// Borrow account data (read-only).
    #[inline(always)]
    pub fn data(&self) -> Result<Ref<'a, [u8]>, ProgramError> {
        self.view.try_borrow()
    }

    /// Borrow account data (mutable).
    #[inline(always)]
    pub fn data_mut(&self) -> Result<RefMut<'a, [u8]>, ProgramError> {
        self.view.try_borrow_mut()
    }

    /// Lamports balance.
    #[inline(always)]
    pub fn lamports(&self) -> u64 {
        self.view.lamports()
    }
}

impl<'a> Drop for FrameAccountMut<'a> {
    fn drop(&mut self) {
        // Release the borrow tracking bit.
        *self.borrow_mask &= !self.bit;
    }
}

// ══════════════════════════════════════════════════════════════════════
//  Audit regression tests
// ══════════════════════════════════════════════════════════════════════
//
// Lock in the Hopper Safety Audit's top-priority fix: Frame's segment
// accessors now hand back `Ref<T>` / `RefMut<T>` that keep the
// underlying account borrow alive for their full lifetime. The
// pre-audit version dropped the byte-slice guard before returning the
// typed reference, which is silent UB. These tests prove the guard is
// still live at use time.
#[cfg(all(test, feature = "hopper-native-backend"))]
mod audit_tests {
    use super::*;
    use hopper_native::{
        AccountView as NativeAccountView, Address as NativeAddress, RuntimeAccount, NOT_BORROWED,
    };

    #[repr(C)]
    #[derive(Clone, Copy)]
    struct Counter {
        value: u64,
    }

    unsafe impl hopper_runtime::__hopper_native::bytemuck::Zeroable for Counter {}
    unsafe impl hopper_runtime::__hopper_native::bytemuck::Pod for Counter {}
    unsafe impl hopper_runtime::Pod for Counter {}

    impl crate::account::FixedLayout for Counter {
        const SIZE: usize = 8;
    }

    fn make_account(data_len: usize, seed: u8) -> (std::vec::Vec<u8>, AccountView) {
        let mut backing = std::vec![0u8; RuntimeAccount::SIZE + data_len];
        let raw = backing.as_mut_ptr() as *mut RuntimeAccount;
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        unsafe {
            raw.write(RuntimeAccount {
                borrow_state: NOT_BORROWED,
                is_signer: 1,
                is_writable: 1,
                executable: 0,
                resize_delta: 0,
                address: NativeAddress::new_from_array([seed; 32]),
                owner: NativeAddress::new_from_array([2; 32]),
                lamports: 42,
                data_len: data_len as u64,
            });
        }
        // Zero the Hopper header region so the frame doesn't trip on
        // uninitialized bytes later.
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        let backend = unsafe { NativeAccountView::new_unchecked(raw) };
        let view = unsafe { core::mem::transmute::<NativeAccountView, AccountView>(backend) };
        (backing, view)
    }

    fn new_frame<'a>(program_id: &'a Address, accounts: &'a [AccountView]) -> Frame<'a> {
        Frame::new(program_id, accounts, &[]).unwrap()
    }

    #[test]
    fn frame_segment_mut_writes_through_ref_mut() {
        // This test is the ground-truth for the audit fix: the fact
        // that we can write through `RefMut<Counter>` returned by
        // `Frame::segment_mut` and see the write persist proves the
        // projection and guard release are now correctly tied together.
        // Pre-audit this same code compiled but the byte-slice guard
        // had already been dropped when `segment_mut` returned, any
        // overlapping borrow tracking was racing against stale state.
        let (_backing, account) = make_account(HEADER_LEN + 8, 1);
        let program_id = NativeAddress::new_from_array([9; 32]);
        let hopper_program_id =
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            unsafe { core::mem::transmute::<NativeAddress, Address>(program_id) };
        let accounts = [account];
        let mut frame = new_frame(&hopper_program_id, &accounts);

        {
            let mut counter: SegRefMut<'_, Counter> = frame.segment_mut::<Counter>(0, 0).unwrap();
            counter.value = 7;
            // counter (SegRefMut with byte-slice guard AND registry
            // lease) drops here, releasing both.
        }

        // Reopen the account through the account-view path; the
        // segment registry already recorded the write for the whole
        // instruction, so we confirm persistence by rereading the raw
        // bytes via the underlying account view.
        let bytes = frame.account(0).unwrap().data().unwrap();
        let slice: &[u8] = &*bytes;
        // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
        let raw_u64 =
            unsafe { core::ptr::read_unaligned(slice.as_ptr().add(HEADER_LEN) as *const u64) };
        assert_eq!(raw_u64, 7);
    }

    #[test]
    fn frame_segment_ref_returns_live_guard() {
        // Seed the counter via direct byte access, then verify a
        // `segment_ref` returned guard lets us read that value. The
        // crucial property this exercises: `Ref<'_, Counter>` deref
        // into `Counter` after `segment_ref` returns, which pre-audit
        // would have been reading through a dropped byte-slice guard.
        let (_backing, account) = make_account(HEADER_LEN + 8, 2);
        {
            let mut bytes = account.try_borrow_mut().unwrap();
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            let slot = unsafe { bytes.as_bytes_mut_ptr().add(HEADER_LEN) as *mut u64 };
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            unsafe { core::ptr::write_unaligned(slot, 99) };
        }
        let program_id = NativeAddress::new_from_array([9; 32]);
        let hopper_program_id =
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            unsafe { core::mem::transmute::<NativeAddress, Address>(program_id) };
        let accounts = [account];
        let mut frame = new_frame(&hopper_program_id, &accounts);

        let reader: SegRef<'_, Counter> = frame.segment_ref::<Counter>(0, 0).unwrap();
        assert_eq!(reader.value, 99);
    }

    /// Audit regression: post-fix, dropping a `SegRefMut` from
    /// `Frame::segment_mut` must release the segment-registry lease so
    /// a sequential re-acquire on the same region succeeds. Pre-audit
    /// the sticky ledger blocked this for the rest of the instruction.
    #[test]
    fn frame_segment_lease_releases_on_drop() {
        let (_backing, account) = make_account(HEADER_LEN + 8, 3);
        let program_id = NativeAddress::new_from_array([9; 32]);
        let hopper_program_id =
            // SAFETY: This block is part of Hopper's audited zero-copy/backend boundary; surrounding checks and caller contracts uphold the required raw-pointer, layout, and aliasing invariants.
            unsafe { core::mem::transmute::<NativeAddress, Address>(program_id) };
        let accounts = [account];
        let mut frame = new_frame(&hopper_program_id, &accounts);

        // First write.
        {
            let mut w: SegRefMut<'_, Counter> = frame.segment_mut::<Counter>(0, 0).unwrap();
            w.value = 50;
        }
        assert_eq!(frame.segment_borrows().len(), 0);

        // Second write on the same region, pre-audit this returned
        // `AccountBorrowFailed`; now it succeeds because the prior
        // lease has been released.
        {
            let mut w: SegRefMut<'_, Counter> = frame.segment_mut::<Counter>(0, 0).unwrap();
            assert_eq!(w.value, 50);
            w.value = 77;
        }
        assert_eq!(frame.segment_borrows().len(), 0);

        let r: SegRef<'_, Counter> = frame.segment_ref::<Counter>(0, 0).unwrap();
        assert_eq!(r.value, 77);
    }
}