From 76061eb3ae8e6606da7da9158b8b8e17fefb7078 Mon Sep 17 00:00:00 2001
From: iris <iris@hyperhive>
Date: Wed, 20 May 2026 17:31:41 +0200
Subject: [PATCH] screen: reject unsupported security types with clear error
 instead of mishandling

---
 hive-ag3nt/assets/screen.html | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/hive-ag3nt/assets/screen.html b/hive-ag3nt/assets/screen.html
index 29b7622..31c1db1 100644
--- a/hive-ag3nt/assets/screen.html
+++ b/hive-ag3nt/assets/screen.html
@@ -221,12 +221,18 @@ canvas { display: block; cursor: default; }
         if (types.indexOf(1) !== -1)       prefer = 1;   // plain None
         else if (types.indexOf(19) !== -1) prefer = 19;  // VeNCrypt
         else                               prefer = types[0];
+        // Only handle known-safe types; reject everything else.
+        if (prefer !== 1 && prefer !== 19) {
+          dbg('no supported security type in [' + Array.from(types).join(', ') + '] — need 1 (None) or 19 (VeNCrypt)', 'err');
+          setStatus('unsupported security types: [' + Array.from(types).join(', ') + ']', 'error');
+          ws.close();
+          return false;
+        }
         dbg('→ choosing security type ' + prefer +
-          (prefer === 1 ? ' (None)' : prefer === 19 ? ' (VeNCrypt)' : prefer === 2 ? ' (VncAuth)' : ''));
+          (prefer === 1 ? ' (None)' : ' (VeNCrypt)'));
         send(new Uint8Array([prefer]));
         if (prefer === 1)        state = 'security-result';
-        else if (prefer === 19)  state = 'vencrypt-version';
-        else                     state = 'security-vnc-challenge';
+        else                     state = 'vencrypt-version';
         return true;
       }
       case 'security-vnc-challenge': {