Being a bit of a devils advocate here: main also, seems to be unsafe since the caller is again required to provide a valid pointer.

The same logic works here as with parse: since it is a generated function, it is accessible to nearby code which may, for example, call it with null.

Not to be too copy-pasty here, something like

# Safety

This should only be called by Flipperzero OS
and never manually.

would be enough.

Originally posted by @JarvisCraft in #95 (comment)

I agree something like main(args: *mut u8) should be marked unsafe since it has the prerequisite that args contains NUL-terminated bytes. It's also not something that user programs should typically be doing (intended to be called only by the Flipper runtime).