Struct HopperProgramPolicy 

pub struct HopperProgramPolicy {
    pub strict: bool,
    pub enforce_token_checks: bool,
    pub allow_unsafe: bool,
}

Program-level safety policy emitted by #[hopper::program(...)].

Each field is a compile-time lever. The const value ends up inlined at every call site the program evaluates it from, so the branches fold away when a lever is known to be on or off at compile time.

Fields

strict: bool

Program-level intent marker: handlers in this program run under Hopper’s full enforcement envelope.

The actual per-handler behaviour is controlled by the handler’s context parameter type. A handler typed as Context<MyAccounts> always runs MyAccounts::bind(ctx)? (which chains into validate(ctx)?) regardless of policy. A handler typed as &mut Context<'_> always receives the context raw. strict = true is the documentation contract that every handler in the module opts into the typed form; strict = false signals the author intends to use raw contexts and accepts the responsibility of calling validate() manually where needed.

The flag is read back by callers at compile time (HOPPER_PROGRAM_POLICY.strict) to specialize code paths that depend on whether the enforcement envelope is active.

enforce_token_checks: bool

Token CPI authors must pair every raw invocation with the matching *Checked builder (which carries the decimals: u8 byte the SPL Token program validates against the mint). Handlers that do their own SPL plumbing read this back to decide whether the signer + owner invariants are already upheld elsewhere.

allow_unsafe: bool

Permit unsafe { ... } blocks inside handler bodies. When false the program macro wraps each handler in #[deny(unsafe_code)] so the compiler rejects any raw pointer detour.

Implementations

impl HopperProgramPolicy

pub const STRICT: Self

Every safety lever engaged. The shipping default.

pub const SEALED: Self

Strict + token checks + no unsafe in handlers. The zero-escape mode for programs that never want to drop to raw pointers.

pub const RAW: Self

Every lever disengaged. Pinocchio-parity throughput with responsibility pushed to the handler author.

pub const fn default_policy() -> Self

The shipping default, identical to HopperProgramPolicy::STRICT.

Exposed as a const fn so downstream macro expansion can reach it from const context without an intermediate binding.

Trait Implementations

impl Clone for HopperProgramPolicy

fn clone(&self) -> HopperProgramPolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for HopperProgramPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for HopperProgramPolicy

fn default() -> Self

Returns the “default value” for a type.

impl PartialEq for HopperProgramPolicy

fn eq(&self, other: &HopperProgramPolicy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Copy for HopperProgramPolicy

impl Eq for HopperProgramPolicy

impl StructuralPartialEq for HopperProgramPolicy