Expand description
Jiminy — Anchor-style safety abstractions for pinocchio programs.
Pinocchio is the engine. Jiminy keeps it honest.
Zero-copy, no_std, no_alloc, BPF-safe. Account checks, token + mint
readers, Token-2022 extension screening, CPI reentrancy guards, DeFi math
with u128 intermediates, slippage protection, time/deadline checks, state
machine validation, zero-copy cursors, and more. All #[inline(always)].
§Quick-start
ⓘ
use jiminy::prelude::*;One import gives you everything: account checks, token/mint readers,
Token-2022 screening, CPI guards, DeFi math, slippage, time checks,
state machines, cursors, macros, AccountList, and the pinocchio
core types.
§Account validation
| Function | What it verifies |
|---|---|
check_signer | account is a transaction signer |
check_writable | account is marked writable |
check_owner | account is owned by your program |
check_pda | account address equals a derived PDA |
check_system_program | account is the system program |
check_executable | account is an executable program |
check_uninitialized | account has no data yet (anti-reinit) |
check_has_one | stored address field matches account key |
check_keys_eq | two addresses are equal |
check_lamports_gte | account holds at least N lamports |
check_rent_exempt | account holds enough lamports for rent exemption |
check_closed | account has zero lamports and empty data |
check_size | raw data slice is at least N bytes |
check_discriminator | first byte matches expected type tag |
check_account | owner + size + discriminator in one call |
check_accounts_unique_2 | two accounts have different addresses |
check_accounts_unique_3 | three accounts all different (src ≠ dest ≠ fee) |
check_instruction_data_len | exact instruction data length |
check_instruction_data_min | minimum instruction data length |
check_version | header version byte ≥ minimum |
rent_exempt_min | compute minimum lamports for rent exemption |
§Assert functions
| Function | What it does |
|---|---|
assert_pda | derive PDA, verify match, return bump |
assert_pda_with_bump | verify PDA with known bump (cheaper) |
assert_pda_external | same as assert_pda for external programs |
assert_token_program | account is SPL Token or Token-2022 |
assert_address | account address matches expected key |
assert_program | address matches + account is executable |
assert_not_initialized | lamports == 0 (account doesn’t exist yet) |
§Token account readers + checks
Zero-copy reads from the 165-byte SPL Token layout.
| Function | What it reads / checks |
|---|---|
token_account_owner | owner address (bytes 32..64) |
token_account_amount | token balance as u64 (bytes 64..72) |
token_account_mint | mint address (bytes 0..32) |
token_account_delegate | optional delegate address |
token_account_state | state byte (0=uninit, 1=init, 2=frozen) |
token_account_close_authority | optional close authority |
token_account_delegated_amount | delegated amount (u64) |
check_token_account_mint | mint matches expected |
check_token_account_owner | owner matches expected |
check_token_account_initialized | state == 1 |
check_no_delegate | no active delegate |
check_no_close_authority | no close authority set |
check_token_balance_gte | token balance ≥ minimum |
check_token_program_match | account owned by the right token program |
§Mint account readers + checks
Zero-copy reads from the 82-byte SPL Mint layout.
| Function | What it reads / checks |
|---|---|
mint_authority | optional mint authority address |
mint_supply | total supply (u64) |
mint_decimals | decimals (u8) |
mint_is_initialized | is initialized (bool) |
mint_freeze_authority | optional freeze authority |
check_mint_owner | mint owned by expected token program |
check_mint_authority | mint authority matches expected |
§Token-2022 extension screening
Programs accepting Token-2022 tokens must screen for dangerous extensions.
See the token_2022 module for full TLV extension reading and one-line
safety guards like token_2022::check_safe_token_2022_mint.
§CPI reentrancy protection
See the cpi_guard module. Reads the Sysvar Instructions account to
detect CPI callers: cpi_guard::check_no_cpi_caller,
cpi_guard::check_cpi_caller.
§DeFi math
| Function | What it does |
|---|---|
checked_add | overflow-safe u64 addition |
checked_sub | underflow-safe u64 subtraction |
checked_mul | overflow-safe u64 multiplication |
checked_div | division with zero check |
checked_div_ceil | ceiling division |
checked_mul_div | (a * b) / c with u128 intermediate |
checked_mul_div_ceil | same, ceiling |
bps_of | basis point fee: amount * bps / 10_000 |
bps_of_ceil | same, ceiling |
checked_pow | exponentiation via repeated squaring |
to_u64 | safe u128 → u64 narrowing |
§Slippage + economic bounds
See the slippage module: slippage::check_slippage,
slippage::check_min_amount, slippage::check_nonzero,
slippage::check_within_bps, slippage::check_price_bounds, and more.
§Time + deadline checks
| Function | What it does |
|---|---|
check_not_expired | current time ≤ deadline |
check_expired | current time > deadline |
check_within_window | time is within [start, end] |
check_cooldown | rate limiting (oracle updates, admin changes) |
check_deadline | read Clock sysvar + check not expired |
check_after | read Clock sysvar + check expired |
§Sysvar readers
| Function | What it does |
|---|---|
read_clock | read (slot, timestamp) from Clock sysvar |
read_clock_epoch | read epoch from Clock sysvar |
[read_rent] | read (lamports_per_byte_year, exemption_threshold) from Rent |
§State machine validation
See the state module: state::check_state,
state::check_state_transition, state::write_state,
state::check_state_not, state::check_state_in.
§PDA utilities
| Macro / Function | What it does |
|---|---|
find_pda! | find canonical PDA + bump via syscall |
derive_pda! | derive PDA with known bump (cheap, ~100 CU) |
derive_pda_const! | derive PDA at compile time |
derive_ata | derive ATA address for wallet + mint |
derive_ata_with_program | derive ATA with explicit token program |
derive_ata_with_bump | derive ATA with known bump (cheap) |
derive_ata_const! | derive ATA at compile time |
§Zero-copy cursors
SliceCursor reads typed fields sequentially from account data.
DataWriter writes them when initializing a new account.
zero_init zero-fills account data before the first write.
§Account iteration
AccountList provides iterator-style account consumption with
inline constraint checks, replacing manual index arithmetic.
§Well-known program IDs
programs module: SYSTEM, TOKEN, TOKEN_2022, ASSOCIATED_TOKEN,
METADATA, BPF_LOADER, COMPUTE_BUDGET, SYSVAR_CLOCK, SYSVAR_RENT,
SYSVAR_INSTRUCTIONS.
Re-exports§
pub use pinocchio;pub use pinocchio_system;pub use pinocchio_token;
Modules§
- cpi
- Safe CPI wrappers that bundle validation + invocation.
- cpi_
guard - CPI reentrancy protection via Sysvar Instructions introspection.
- prelude
- Convenience re-exports for the common Jiminy usage pattern.
- programs
- realloc
- Safe account reallocation with rent top-up.
- slippage
- Slippage, price bounds, and economic constraint checks.
- state
- State machine transition checks.
- token_
2022 - Token-2022 extension reader and safety checks.
Macros§
- derive_
ata_ const - Derive an ATA address at compile time. Requires known bump.
- derive_
pda - Derive a PDA with a known bump. Cheap (~100 CU, no curve check).
- derive_
pda_ const - Derive a PDA at compile time. Requires
constseeds and bump. - find_
pda - Find a PDA and return
(Address, u8)with the canonical bump. - require
- Require a boolean condition: return
$err(converted viaInto) if false. - require_
accounts_ ne - Require two accounts to have different addresses.
- require_
eq - Require
a == bfor scalar types. - require_
flag - Require bit
nto be set in$byte, else return$err. - require_
gt - Require
a > b. - require_
gte - Require
a >= b. - require_
keys_ eq - Require two
Addressvalues to be equal. - require_
keys_ neq - Require two
Addressvalues to be different. - require_
lt - Require
a < b. - require_
lte - Require
a <= b. - require_
neq - Require
a != bfor scalar types.
Structs§
- Account
List - Iterator-style account accessor with inline constraint checks.
- Account
View - Wrapper struct for a
RuntimeAccount. - Address
- The address of a Solana account.
- Data
Writer - Zero-copy write cursor over a mutable byte slice.
- Slice
Cursor - Zero-copy read cursor over a byte slice.
Enums§
- Program
Error - Reasons the program may fail
Constants§
- HEADER_
LEN - Size of the Jiminy standard account header, in bytes.
- MINT_
LEN - Minimum size of an SPL Token mint account.
- TOKEN_
ACCOUNT_ LEN - Minimum size of an SPL Token account.
Functions§
- assert_
address - Verify an account’s address matches an expected address exactly.
- assert_
not_ initialized - Verify an account has never been initialized by checking that its lamports are zero.
- assert_
pda - Derive a PDA from the given seeds and program id, verify it matches the account’s address, and return the bump.
- assert_
pda_ external - Verify a PDA derived from an external program’s seeds. Returns the bump.
- assert_
pda_ with_ bump - Verify a PDA matches when the bump is already known. Way cheaper than
assert_pdabecause it only does one derivation instead of searching all 256 bumps. - assert_
program - Verify an account’s address matches a known program id.
- assert_
token_ program - Verify the account is the SPL Token program.
- bps_of
- Compute basis-point fee:
amount * bps / 10_000(floor). - bps_
of_ ceil - Compute basis-point fee with ceiling:
ceil(amount * bps / 10_000). - check_
account - Combined check: ownership + minimum size + discriminator.
- check_
accounts_ unique_ 2 - Verify two accounts have different addresses.
- check_
accounts_ unique_ 3 - Verify three accounts all have different addresses.
- check_
after - Combined: read clock timestamp and verify expired.
- check_
any_ flag - Return
trueif ANY bit inmaskis set inbyte. - check_
ata - Verify a token account is the correct ATA for a wallet + mint pair.
- check_
ata_ with_ program - Verify a token account is the correct ATA for a specific token program.
- check_
clock_ sysvar - Verify the account is the Clock sysvar.
- check_
closed - Verify an account is fully closed: zero lamports and empty data.
- check_
cooldown - Verify enough time has passed since the last action (cooldown/rate-limit).
- check_
deadline - Combined: read clock timestamp and verify not expired.
- check_
discriminator - Verify the first byte of account data matches the expected discriminator.
- check_
executable - Verify the account is an executable program.
- check_
expired - Verify the current time HAS passed a deadline.
- check_
flags - Return
trueif ALL bits inmaskare set inbyte. - check_
has_ one - Verify that a stored address field matches an account’s actual address.
- check_
header - Validate the discriminator and minimum version of an account header.
- check_
instruction_ data_ len - Verify instruction data is exactly the expected length.
- check_
instruction_ data_ min - Verify instruction data has at least N bytes.
- check_
keys_ eq - Verify two addresses are equal.
- check_
lamports_ gte - Verify
accountholds at leastmin_lamports. - check_
mint_ authority - Verify the mint authority matches an expected address.
- check_
mint_ owner - Verify a mint account is owned by the expected token program.
- check_
no_ close_ authority - Reject token accounts that have a close authority set.
- check_
no_ delegate - Reject token accounts that have an active delegate.
- check_
not_ expired - Verify the current time has NOT passed a deadline.
- check_
not_ frozen - Reject frozen token accounts.
- check_
owner - Verify the account is owned by
program_id. - check_
pda - Verify the account’s address equals the expected PDA.
- check_
rent_ exempt - Verify an account holds enough lamports to be rent-exempt for its data size.
- check_
rent_ sysvar - Verify the account is the Rent sysvar.
- check_
signer - Verify the account signed the transaction.
- check_
size - Verify account data is at least
min_lenbytes. - check_
system_ program - Verify the account is the canonical system program.
- check_
token_ account_ frozen - Verify a token account is frozen (state byte == 2).
- check_
token_ account_ initialized - Verify a token account is in the
Initializedstate (state byte == 1). - check_
token_ account_ mint - Verify a token account’s mint matches the expected mint address.
- check_
token_ account_ owner - Verify a token account’s owner matches the expected authority.
- check_
token_ balance_ gte - Verify a token account holds at least
min_amounttokens. - check_
token_ program_ match - Verify that a token account’s owning program matches the passed token program.
- check_
uninitialized - Verify the account has no data (uninitialized). Prevents reinitialization attacks.
- check_
version - Verify the header version byte (
data[1]) meets a minimum version. - check_
within_ window - Verify the current time is within an inclusive window
[start, end]. - check_
writable - Verify the account is marked writable in the transaction.
- checked_
add - Checked u64 addition: returns
ArithmeticOverflowon overflow. - checked_
div - Checked u64 division: returns
ArithmeticOverflowon divide-by-zero. - checked_
div_ ceil - Checked ceiling division:
ceil(a / b). ReturnsArithmeticOverflowon zero. - checked_
mul - Checked u64 multiplication: returns
ArithmeticOverflowon overflow. - checked_
mul_ div - Compute
(a * b) / cwith u128 intermediate to prevent overflow. - checked_
mul_ div_ ceil - Compute
ceil((a * b) / c)with u128 intermediate. - checked_
pow - Checked exponentiation via repeated squaring.
- checked_
sub - Checked u64 subtraction: returns
ArithmeticOverflowon underflow. - clear_
bit - Clear bit
nin a byte, returning the modified value. - derive_
address - Derive a program address from the given seeds, optional bump, and program id.
- derive_
address_ const - Compile-time version of
derive_address. - derive_
ata - Derive the associated token account (ATA) address for a wallet + mint pair.
- derive_
ata_ with_ bump - Derive an ATA address with a known bump. Skips the bump search.
- derive_
ata_ with_ program - Derive an ATA address with an explicit token program (SPL Token or Token-2022).
- header_
payload - Return the payload slice that follows the 8-byte header.
- header_
payload_ mut - Return the mutable payload slice that follows the 8-byte header.
- mint_
authority - Read the mint authority field (bytes 0..36).
- mint_
decimals - Read the decimals field (byte 44).
- mint_
freeze_ authority - Read the freeze authority field (bytes 46..82).
- mint_
is_ initialized - Check if the mint is initialized (byte 45).
- mint_
supply - Read the total supply field (bytes 36..44).
- read_
bit - Read bit
nfrom a byte. Returnstrueif the bit is set. - read_
clock - Read both slot and unix_timestamp from the Clock sysvar account.
- read_
clock_ epoch - Read the epoch from the Clock sysvar.
- read_
clock_ slot - Read just the slot from the Clock sysvar.
- read_
clock_ timestamp - Read just the unix_timestamp from the Clock sysvar.
- read_
data_ len - Read the
data_lenfield (bytes 4-7) from an account header. - read_
flags_ at - Read the
flagsbyte from a data slice atoffset, returning the value. Bounds-checked:AccountDataTooSmallif offset is out of range. - read_
header_ flags - Read the flags byte from an account header.
- read_
rent_ lamports_ per_ byte_ year - Read the lamports_per_byte_year from the Rent sysvar.
- read_
version - Read the version byte from an account header.
- rent_
exempt_ min - Approximate minimum lamports for rent exemption at the current mainnet rate.
- safe_
close - Close
account, sending all its lamports todestination. - set_bit
- Set bit
nin a byte, returning the modified value. - to_u64
- Safe narrowing cast from u128 to u64.
- toggle_
bit - Toggle bit
nin a byte, returning the modified value. - token_
account_ amount - Read the amount field from a token account (bytes 64..72).
- token_
account_ close_ authority - Read the close authority field from a token account (bytes 129..165).
- token_
account_ delegate - Read the delegate field from a token account (bytes 76..108).
- token_
account_ delegated_ amount - Read the delegated amount from a token account (bytes 121..129).
- token_
account_ mint - Read the mint field from a token account (bytes 0..32).
- token_
account_ owner - Read the owner field from a token account (bytes 32..64).
- token_
account_ state - Read the state byte from a token account (byte 108).
- write_
discriminator - Write a discriminator byte to
data[0]. - write_
flags_ at - Write
valueto the flags byte atoffsetin a mutable data slice. Bounds-checked:AccountDataTooSmallif offset is out of range. - write_
header - Write the standard 8-byte Jiminy account header.
- write_
header_ with_ len - Write the full 8-byte header including an explicit
data_lenvalue. - zero_
init - Zero-fill
databefore writing any fields.