Program-level safety policy.
Hopper’s “policy-driven zero-copy runtime” model exposes each
safety lever as a bit in a compile-time const struct. The
`#[hopper::program(...)]` macro parses the attribute args and
emits `pub const HOPPER_PROGRAM_POLICY: HopperProgramPolicy = ...;`
inside the annotated module. Users read it back through
`HopperProgramPolicy` to specialize handler paths.
§Named modes
| Mode | Levers |
|---|---|
| `HopperProgramPolicy::STRICT` | `strict`, `enforce_token_checks`, `allow_unsafe` all on. Recommended default. |
| `HopperProgramPolicy::SEALED` | `strict` + `enforce_token_checks` on, `allow_unsafe` off. Zero-unsafe-in-handlers programs. |
| `HopperProgramPolicy::RAW` | Every lever off. Pinocchio-parity throughput. Responsibility shifts fully to the handler author. |
§Zero runtime cost
The policy is consumed by the program macro at compile time.
`allow_unsafe = false` emits `#[deny(unsafe_code)]` on each
handler so a stray `unsafe` block fails to compile. `strict`
toggles auto-injection of `ContextSpec::bind(ctx)?` (which in turn
calls `validate(ctx)?`). `enforce_token_checks` is a load-bearing
promise read back by the author from
`HOPPER_PROGRAM_POLICY.enforce_token_checks` to decide whether to
invoke the `*Checked` token CPI pre-check helpers in handlers that
reach outside the typed-context envelope.
No runtime flag, no thread-local, no syscall. Users who need to branch on the policy inside a handler read the const directly:
```rust
if super::HOPPER_PROGRAM_POLICY.enforce_token_checks {
    hopper_runtime::require!(authority.is_signer());
}
```

§Per-instruction overrides
A handler can override the program-level policy with
`#[instruction(N, unsafe_memory, skip_token_checks)]`. The macro
emits `pub const <HANDLER>_POLICY: HopperInstructionPolicy = ...;`
alongside the handler so the same const-branch pattern works at
the per-instruction grain.
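The following is an added example, not Hopper's own code: it models the named modes and per-instruction overrides with stand-in types to show a build-time guard on the program policy and a review helper that lists handlers whose override weakens it. The type names `ProgramPolicy` and `InstructionPolicy`, their field layout, the handler names, and the rule that an override only loosens levers are all assumptions.

```rust
// Stand-in types mirroring the levers named on this page; NOT Hopper's own definitions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ProgramPolicy { pub strict: bool, pub enforce_token_checks: bool, pub allow_unsafe: bool }

impl ProgramPolicy {
    pub const STRICT: Self = Self { strict: true, enforce_token_checks: true, allow_unsafe: true };
    pub const SEALED: Self = Self { strict: true, enforce_token_checks: true, allow_unsafe: false };
    pub const RAW: Self = Self { strict: false, enforce_token_checks: false, allow_unsafe: false };
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct InstructionPolicy { pub unsafe_memory: bool, pub skip_token_checks: bool }

/// Assumed resolution rule: an override only loosens levers, and only for its own handler.
pub const fn effective(p: ProgramPolicy, i: InstructionPolicy) -> ProgramPolicy {
    ProgramPolicy {
        strict: p.strict,
        enforce_token_checks: p.enforce_token_checks && !i.skip_token_checks,
        allow_unsafe: p.allow_unsafe || i.unsafe_memory,
    }
}

// Constructed values standing in for what the macros would emit.
pub const PROGRAM_POLICY: ProgramPolicy = ProgramPolicy::SEALED;
pub const HANDLERS: [(&str, InstructionPolicy); 2] = [
    ("transfer", InstructionPolicy { unsafe_memory: false, skip_token_checks: false }),
    ("sweep", InstructionPolicy { unsafe_memory: false, skip_token_checks: true }),
];

// Build-time guard: the crate stops compiling if the program policy is weakened.
const _: () = assert!(PROGRAM_POLICY.enforce_token_checks && !PROGRAM_POLICY.allow_unsafe);

/// Review aid: handlers whose override makes them weaker than the program policy.
pub fn weakened_handlers(p: ProgramPolicy) -> Vec<&'static str> {
    HANDLERS.iter().filter(|(_, i)| effective(p, *i) != p).map(|(n, _)| *n).collect()
}

/// Const-branch pattern from the page: the signer check runs only when the lever is on.
pub fn authorize(policy: ProgramPolicy, authority_is_signer: bool) -> Result<(), &'static str> {
    if policy.enforce_token_checks && !authority_is_signer {
        return Err("authority must sign");
    }
    Ok(())
}

fn main() {
    println!("weaker than program policy: {:?}", weakened_handlers(PROGRAM_POLICY));
}
```

Under these assumptions, a handler that skips token checks passes `authorize` without a signer, so any handler reported by `weakened_handlers` has to carry its own authority validation.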
Structs§
- `HopperInstructionPolicy` - Per-instruction policy override.
- `HopperProgramPolicy` - Program-level safety policy emitted by
`#[hopper::program(...)]`.