fix: lenient pre-release matching in accept header validation (#1755)

* fix: lenient pre-release matching in accept header validation

Match on the pre-release label (e.g. "alpha") but ignore the numeric
suffix, so a server at 0.14.0-alpha.3 accepts clients at alpha.1,
alpha.2, etc. This allows client and node to evolve independently
within the same pre-release phase.

- Stable and pre-release remain incompatible
- Different labels (alpha vs beta) remain incompatible
- Patch versions remain flexible (0.14.0 and 0.14.1 both accepted)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: add changelog entry for lenient pre-release matching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: reject different patch versions for pre-release

Pre-release versions now require exact patch match in addition to
matching the pre-release label. Patch flexibility only applies to
stable versions. For example, a 0.14.0-alpha.3 server rejects
0.14.1-alpha.1 but a stable 0.14.0 server still accepts 0.14.1.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* lint

---------

Co-authored-by: Claude (Opus) <noreply@anthropic.com>

Author: mmagician

CHANGELOG.md

@@ -32,6 +32,7 @@
 - Fixed `bundled start` panicking due to duplicate `data_directory` clap argument name between `BundledCommand::Start` and `NtxBuilderConfig` ([#1732](https://github.com/0xMiden/node/pull/1732)).
 - Fixed `bundled bootstrap` requiring `--validator.key.hex` or `--validator.key.kms-id` despite a default key being configured ([#1732](https://github.com/0xMiden/node/pull/1732)).
 - Fixed incorrectly classifying private notes with the network attachment as network notes ([#1378](https://github.com/0xMiden/node/pull/1738)).
+- Fixed accept header version negotiation rejecting all pre-release versions; pre-release label matching is now lenient, accepting any numeric suffix within the same label (e.g. `alpha.3` accepts `alpha.1`) ([#1755](https://github.com/0xMiden/node/pull/1755)).
 
 ## v0.13.7 (2026-02-25)
 

crates/rpc/src/server/accept.rs

@@ -41,6 +41,13 @@ pub enum GenesisNegotiation {
 #[derive(Clone)]
 pub struct AcceptHeaderLayer {
     supported_versions: VersionReq,
+    /// The pre-release label (e.g. `"alpha"` from `"alpha.3"`), or `None` for stable versions.
+    /// Only the label is stored so that different pre-release numbers are accepted
+    /// (e.g. a server at `alpha.3` accepts clients at `alpha.1`).
+    expected_pre_label: Option<String>,
+    /// The patch version of the server. Used to enforce exact patch matching for pre-release
+    /// versions (patch flexibility only applies to stable versions).
+    expected_patch: u64,
     genesis_commitment: Word,
     /// RPC method names for which the `genesis` parameter is mandatory.
     ///
@@ -82,8 +89,12 @@ impl AcceptHeaderLayer {
             }],
         };
 
+        let expected_pre_label = pre_release_label(&rpc_version.pre);
+
         AcceptHeaderLayer {
             supported_versions,
+            expected_pre_label,
+            expected_patch: rpc_version.patch,
             genesis_commitment,
             require_genesis_methods: Vec::new(),
         }
@@ -96,6 +107,23 @@ impl AcceptHeaderLayer {
     }
 }
 
+/// Extracts the label portion of a semver pre-release identifier, stripping any trailing
+/// numeric segment. For example, `"alpha.3"` returns `Some("alpha")` and `"rc.1"` returns
+/// `Some("rc")`. Returns `None` for empty (stable) pre-release identifiers.
+fn pre_release_label(pre: &semver::Prerelease) -> Option<String> {
+    if pre.is_empty() {
+        return None;
+    }
+    let s = pre.as_str();
+    // Strip the trailing `.N` numeric segment if present.
+    match s.rsplit_once('.') {
+        Some((label, suffix)) if suffix.bytes().all(|b| b.is_ascii_digit()) => {
+            Some(label.to_string())
+        },
+        _ => Some(s.to_string()),
+    }
+}
+
 impl<S> Layer<S> for AcceptHeaderLayer {
     type Service = AcceptHeaderService<S>;
 
@@ -168,15 +196,33 @@ impl AcceptHeaderLayer {
             }
 
             // Skip those that don't match the version requirement.
+            //
+            // The VersionReq checks major.minor compatibility. Pre-release labels are
+            // checked separately because semver's VersionReq matching rejects all
+            // pre-release versions when the comparator has no pre-release component.
             let version = media_type
                 .get_param(Self::VERSION)
                 .map(|value| Version::parse(value.unquoted_str().as_ref()))
                 .transpose()
                 .map_err(AcceptHeaderError::InvalidVersion)?;
-            if let Some(version) = version
-                && !self.supported_versions.matches(&version)
-            {
-                continue;
+            if let Some(version) = &version {
+                // Check major.minor match by stripping pre-release first.
+                let stable_version = Version {
+                    pre: semver::Prerelease::EMPTY,
+                    ..version.clone()
+                };
+                if !self.supported_versions.matches(&stable_version) {
+                    continue;
+                }
+                // Check the pre-release label matches (ignoring the numeric suffix).
+                if pre_release_label(&version.pre) != self.expected_pre_label {
+                    continue;
+                }
+                // Pre-release versions must also match the patch version exactly
+                // (patch flexibility only applies to stable versions).
+                if self.expected_pre_label.is_some() && version.patch != self.expected_patch {
+                    continue;
+                }
             }
 
             // Skip if the genesis commitment does not match, or if it is required but missing.
@@ -413,6 +459,7 @@ mod tests {
     #[case::invalid_genesis("application/vnd.miden; genesis=aaa")]
     #[case::version_too_old("application/vnd.miden; version=0.1.0")]
     #[case::version_too_new("application/vnd.miden; version=0.3.0")]
+    #[case::version_prerelease_rejected_by_stable("application/vnd.miden; version=0.2.3-alpha.1")]
     #[case::zero_weighting("application/vnd.miden; q=0.0")]
     #[case::wildcard_subtype("application/*")]
     #[test]
@@ -498,4 +545,42 @@ mod tests {
     fn qvalue_default_is_one() {
         assert_eq!(QValue::default(), QValue::new(1_000));
     }
+
+    mod prerelease {
+        use semver::Version;
+
+        use super::*;
+
+        impl AcceptHeaderLayer {
+            fn for_prerelease_tests() -> Self {
+                let version = Version::parse("0.14.0-alpha.3").unwrap();
+                Self::new(&version, Word::try_from(TEST_GENESIS_COMMITMENT).unwrap())
+            }
+        }
+
+        #[rstest::rstest]
+        #[case::empty("")]
+        #[case::wildcard("*/*")]
+        #[case::media_type_only("application/vnd.miden")]
+        #[case::exact_prerelease("application/vnd.miden; version=0.14.0-alpha.3")]
+        #[case::different_prerelease_number("application/vnd.miden; version=0.14.0-alpha.1")]
+        #[test]
+        fn prerelease_should_pass(#[case] accept: &'static str) {
+            AcceptHeaderLayer::for_prerelease_tests()
+                .negotiate(accept, super::super::GenesisNegotiation::Optional)
+                .unwrap();
+        }
+
+        #[rstest::rstest]
+        #[case::different_patch_same_prerelease("application/vnd.miden; version=0.14.1-alpha.3")]
+        #[case::different_patch_different_number("application/vnd.miden; version=0.14.2-alpha.5")]
+        #[case::different_prerelease_tag("application/vnd.miden; version=0.14.0-beta.3")]
+        #[case::stable_version("application/vnd.miden; version=0.14.0")]
+        #[test]
+        fn prerelease_should_be_rejected(#[case] accept: &'static str) {
+            AcceptHeaderLayer::for_prerelease_tests()
+                .negotiate(accept, super::super::GenesisNegotiation::Optional)
+                .unwrap_err();
+        }
+    }
 }