fix(cpi/hand): use u8 length prefix for String<50> in CPI wire format

The lever's switch_power instruction takes `String<50>`, which Quasar
serialises with a single-byte length prefix (matching every other
Quasar program: account-data, close-account, rent, realloc,
repository-layout). The hand program's pull_lever CPI builder was
manually constructing instruction data with a u32 (4-byte) length
prefix, so every hand→lever CPI call sent a malformed payload. The
breakage was masked because the lever's handler ignored the
deserialised name (`_name`), but the value itself was corrupted —
e.g. "\\0\\0\\0Al" instead of "Alice".

The lever's own tests.rs had the same stale u32 prefix in its
instruction-data builder, and hand's tests.rs had it for inbound
pull_lever data too. Both now use `data.push(name.len() as u8)`,
matching the canonical pattern used across the Quasar example suite.

To keep this from regressing again, the lever now logs the
deserialised name and both test suites assert that the round-tripped
name appears in program logs verbatim ("Alice" / "Bob"). A stale
length prefix on either leg of the CPI would surface immediately as
a corrupted log line.

Files changed:
  - hand/src/instructions/pull_lever.rs (CPI builder: u32 → u8)
  - hand/src/tests.rs                   (inbound builder: u32 → u8, name assert)
  - lever/src/instructions/switch_power.rs (log name)
  - lever/src/tests.rs                  (test builder: u32 → u8, name assert)

Author: mikemaccana

basics/cross-program-invocation/quasar/hand/src/instructions/pull_lever.rs

@@ -15,24 +15,27 @@ pub struct PullLever {
 pub fn handle_pull_lever(accounts: &PullLever, name: &str) -> Result<(), ProgramError> {
     log("Hand is pulling the lever!");
 
-    // Build the switch_power instruction data for the lever program:
-    //   [disc=1] [name: u32 len + bytes]
-    // 128 bytes is enough for any reasonable name.
+    // Build the switch_power instruction data for the lever program.
+    //
+    // Wire format: [discriminator = 1] [name: u8 length prefix + bytes].
+    //
+    // The lever's switch_power instruction takes `String<50>`, which Quasar
+    // serialises with a single-byte length prefix (matching every other
+    // Quasar program: account-data, close-account, rent, realloc,
+    // repository-layout). An earlier version of this builder used a u32
+    // length prefix, which sent a malformed payload on every CPI call.
+    //
+    // 128 bytes is enough for any reasonable name (max 50 + 1 + 1 = 52).
     let mut data = [0u8; 128];
     let name_bytes = name.as_bytes();
-    let data_len = 1 + 4 + name_bytes.len();
+    let data_len = 1 + 1 + name_bytes.len();
 
     data[0] = 1;
-
-    let len_bytes = (name_bytes.len() as u32).to_le_bytes();
-    data[1] = len_bytes[0];
-    data[2] = len_bytes[1];
-    data[3] = len_bytes[2];
-    data[4] = len_bytes[3];
+    data[1] = name_bytes.len() as u8;
 
     let mut i = 0;
     while i < name_bytes.len() {
-        data[5 + i] = name_bytes[i];
+        data[2 + i] = name_bytes[i];
         i += 1;
     }
 

basics/cross-program-invocation/quasar/hand/src/tests.rs

@@ -30,10 +30,17 @@ fn power_account(address: Pubkey, is_on: bool) -> Account {
 }
 
 /// Build pull_lever instruction data (discriminator = 0).
-/// Wire format: [disc=0] [name: String]
+///
+/// Wire format: [discriminator = 0] [name: u8 length prefix + bytes].
+///
+/// The hand's pull_lever instruction takes `String<50>`, which Quasar
+/// serialises with a single-byte length prefix. The CPI builder in
+/// `pull_lever.rs` re-serialises the same name into the lever's
+/// instruction data using the same u8 prefix.
 fn build_pull_lever(name: &str) -> Vec<u8> {
-    let mut data = vec![0u8]; // discriminator = 0
-    data.extend_from_slice(&(name.len() as u32).to_le_bytes());
+    let mut data = Vec::with_capacity(2 + name.len());
+    data.push(0u8); // discriminator = 0
+    data.push(name.len() as u8);
     data.extend_from_slice(name.as_bytes());
     data
 }
@@ -72,6 +79,14 @@ fn test_pull_lever_turns_on() {
     assert!(logs.contains("Hand is pulling"), "hand should log");
     assert!(logs.contains("pulling the power switch"), "lever should log");
     assert!(logs.contains("now on"), "power should turn on");
+    // Verifies the CPI wire format: the lever logs the name it
+    // deserialised. A stale u32 length prefix on either the inbound
+    // `pull_lever` payload or the CPI to `switch_power` would corrupt
+    // this (e.g. "\0\0\0Al" instead of "Alice").
+    assert!(
+        logs.contains("Alice"),
+        "name should round-trip through hand → lever CPI; logs: {logs}"
+    );
 
     let account = result.account(&power_addr).unwrap();
     assert_eq!(account.data[1], 1, "power should be on");
@@ -107,6 +122,10 @@ fn test_pull_lever_turns_off() {
 
     let logs = result.logs.join("\n");
     assert!(logs.contains("now off"), "power should turn off");
+    assert!(
+        logs.contains("Bob"),
+        "name should round-trip through hand → lever CPI; logs: {logs}"
+    );
 
     let account = result.account(&power_addr).unwrap();
     assert_eq!(account.data[1], 0, "power should be off");

basics/cross-program-invocation/quasar/lever/src/instructions/switch_power.rs

@@ -11,13 +11,18 @@ pub struct SwitchPower {
 }
 
 #[inline(always)]
-pub fn handle_switch_power(accounts: &mut SwitchPower, _name: &str) -> Result<(), ProgramError> {
+pub fn handle_switch_power(accounts: &mut SwitchPower, name: &str) -> Result<(), ProgramError> {
     let current: bool = accounts.power.is_on.into();
     let new_state = !current;
     accounts.power.is_on = PodBool::from(new_state);
 
     // Quasar's log() takes &str — no format! in no_std.
+    // Logging the name verifies the wire format end-to-end: a stale u32
+    // length prefix would surface here as a corrupted name (e.g. the
+    // first three bytes parsed as zeros, leaving "\0\0\0Al" instead of
+    // "Alice").
     log("Someone is pulling the power switch!");
+    log(name);
 
     if new_state {
         log("The power is now on.");

basics/cross-program-invocation/quasar/lever/src/tests.rs

@@ -47,10 +47,19 @@ fn build_initialize() -> Vec<u8> {
 }
 
 /// Build switch_power instruction data (discriminator = 1).
-/// Wire format: [disc=1] [name: String]
+///
+/// Wire format: [discriminator = 1] [name: u8 length prefix + bytes].
+///
+/// The lever's switch_power instruction takes `String<50>`, which Quasar
+/// serialises with a single-byte length prefix (matching every other
+/// Quasar program: account-data, close-account, rent, realloc,
+/// repository-layout). An earlier version of this builder used a u32
+/// length prefix, which produced a malformed payload that happened to
+/// pass because the handler ignored the deserialised name.
 fn build_switch_power(name: &str) -> Vec<u8> {
-    let mut data = vec![1u8]; // discriminator = 1
-    data.extend_from_slice(&(name.len() as u32).to_le_bytes());
+    let mut data = Vec::with_capacity(2 + name.len());
+    data.push(1u8); // discriminator = 1
+    data.push(name.len() as u8);
     data.extend_from_slice(name.as_bytes());
     data
 }
@@ -104,6 +113,12 @@ fn test_switch_power_on() {
     let logs = result.logs.join("\n");
     assert!(logs.contains("pulling the power switch"), "should log switch");
     assert!(logs.contains("now on"), "should say power is on");
+    // Verifies wire format: a stale u32 length prefix would corrupt the
+    // deserialised name (e.g. "\0\0\0Al" instead of "Alice").
+    assert!(
+        logs.contains("Alice"),
+        "deserialised name should round-trip exactly; logs: {logs}"
+    );
 
     let account = result.account(&power_addr).unwrap();
     assert_eq!(account.data[1], 1, "power should now be on");
@@ -128,6 +143,10 @@ fn test_switch_power_off() {
 
     let logs = result.logs.join("\n");
     assert!(logs.contains("now off"), "should say power is off");
+    assert!(
+        logs.contains("Bob"),
+        "deserialised name should round-trip exactly; logs: {logs}"
+    );
 
     let account = result.account(&power_addr).unwrap();
     assert_eq!(account.data[1], 0, "power should now be off");