Write Solana programs
that explain themselves.
Pointer-cast accounts. Segment-level borrow tracking. Token-2022 extensions on the zero-copy path. When a handler fails, the receipt tells you which invariant broke and where. No more hex codes, no more Borsh tax, no more guessing.
Safety primitives Solana programs actually ship with.
One way in. Four ways through.
load::<T>() for the whole account. segment_ref::<T>() for a single field. raw_ref() when you know what you are doing. load_cross_program::<T>() for foreign accounts. No Borsh tax, no AccountLoader wrapper, no surprise deserialize.
Extension constraints on the zero-copy path.
transfer_hook, metadata_pointer, non_transferable, permanent_delegate, transfer_fee_config, mint_close_authority, default_account_state, interest_bearing, eight more. Each declarative constraint compiles to a direct TLV byte scan. Anchor hits the Borsh path; Hopper does not.
Failures that explain themselves.
Handlers stamp a 64-byte StateReceipt with error_code, failed_invariant_idx, and failure_stage. Indexers render "Invariant balance_nonzero failed at PostMutation" instead of 0x1001. The mapping is compile-time; no runtime lookup table.
Every program is self-describing.
hopper fetch <program-id> pulls a program's manifest from its PDA. hopper manager invoke builds a transaction from that manifest. hopper manager crank run drives autonomous instructions with zero per-program config. Point it at any Hopper program on any cluster.
The whole program fits on one screen.
Four tabs, four concepts. The same macros you write on day one scale to an AMM or a keeper bot without a second framework.
1#[hopper::state(disc = 1, version = 1)]2#[repr(C)]3pub struct Vault {4 pub authority: TypedAddress<Authority>,5 pub balance: WireU64,6 pub bump: u8,7}89// Auto-emitted by the macro:10// Vault::LEN, Vault::DISC, Vault::VERSION11// Vault::LAYOUT_ID (compile-time fingerprint)12// vault.load::<Vault>() / load_mut::<Vault>()13// Vault::SCHEMA_METADATA (indexer-ready)Strict superset.
Scoped to the zero-copy path. Anchor's column shows what AccountLoader-backed programs can actually reach; Borsh shortcuts do not count. Hopper wins every row that matters and five that nobody else even has.
Three commands to devnet.
No workspace scaffolding to babysit, no hidden config step, no hand-rolled keypair dance. Every command below ships in the current release and exits zero on the happy path.