Zero-copy Solana state,
with the safety rails left on.
Write Solana programs with the Anchor shape developers already know, while Hopper verifies owner, role, discriminator, version, and layout fingerprint before account bytes reach a typed zero-copy borrow. Add bounded dynamic tails, Token-2022 checks, receipts, and manifests when the protocol needs more than a raw cast. Verify native Ed25519/secp256k1 payloads and hash with SHA-256, Keccak, or BLAKE3 without leaving the Hopper surface.
The fast path should still have names, types, and guardrails.
Choose the trust tier per field.
Use load::<T>() for full validation, segment_ref::<T>() for one field, raw_ref() for audited escape hatches, and load_cross_program::<T>() for foreign layouts. The access model is explicit at the call site.
Token-2022 checks without a detour.
Screen transfer hooks, permanent delegates, transfer fees, confidential transfers, default account state, and more with direct TLV byte scans. The mint stays on the zero-copy path while your handler gets a typed rejection.
Precompile bytes you can review.
Hash with SHA-256, Keccak, or BLAKE3; inspect Ed25519 and secp256k1 native precompile instructions; and recover Ethereum addresses through the runtime syscall when a protocol needs it in-program.
State changes you can explain later.
Handlers can stamp the current 72-byte StateReceipt with fingerprints, changed fields, invariant indexes, and CPI flags. Decoders still accept the legacy 64-byte prefix for older programs.
Every program is self-describing.
Export manifests, inspect accounts, explain layouts, decode receipts, run manager invoke or crank loops, and generate client SDKs or route scaffolds from metadata. Hopper treats the CLI as part of the framework surface.
The authoring model stays Rust-native.
Start with the proc-macro path when you want speed. Drop to declarative macros or raw tiers when you need control. The layout, context, dispatcher, and CPI surface all stay inspectable.
1#[derive(Clone, Copy)]2#[repr(C)]3#[account(discriminator = 1, version = 1)]4pub struct Counter {5 pub authority: Address,6 pub value: WireU64,7}Forward-secret messaging with verifier-bound ferry proofs.
The Styx ferry example uses Hopper accounts for prekeys, ratchet threads, and proof counters while exposing the Solana crypto surface: Keccak domain derivation, Ed25519 precompile checks, sibling instruction inspection, and typed verifier CPI.
Open Styx docEd25519 precompile inspection ties the owner to the current signed prekey
bounded ciphertext events with monotonic counters and sealed-message hashes
513-byte proof v2 with checked domain, fee tier, and base fee inputs
proof bytes are forwarded only to the config-pinned verifier program
#[instruction(5)]
pub fn submit_zk_ferry(
ctx: Ctx<SubmitZkFerry>,
proof: HopperVec<u8, STYX_ZK_PROOF_V2_LEN>,
encrypted_outputs: [u8; 64],
) -> ProgramResult {
ctx.accounts.submit(proof, encrypted_outputs)
}Coverage where zero-copy gets hard.
Hopper keeps the Anchor/Quasar authoring shape, then adds the contract layer serious state needs: layout identity, field-level borrows, Token-2022 extension checks, dynamic tails, receipts, manifests, migrations, and generated clients.
Same harness, same seeds, scoped claims.
Current release-facing numbers come from the sibling hopper-bench Mollusk harness, averaged across 8 deterministic seeds. Quasar's upstream vault exposes only deposit and withdraw, so validation-only rows stay n/a instead of being synthesized.
Start from the published release line.
Add the published `hopper-lang` package under the Rust crate name `hopper`, install the CLI from crates.io, and scaffold a Solana program that already knows about Hopper layouts, manifests, receipts, and the native backend.