diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml
index 069b232..51bee79 100644
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@@ -17,4 +17,4 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tauri-plugin-dialog = "2.7.1"
 tauri-plugin-fs = "2.5.1"
-ssh2 = "0.9"
\ No newline at end of file
+ssh2 = "0.9"
diff --git a/src-tauri/resources/firmware/openwrt-23.05.5-zbt-we826-16m-litoral-golden-sysupgrade.bin b/src-tauri/resources/firmware/openwrt-23.05.5-zbt-we826-16m-litoral-golden-sysupgrade.bin
new file mode 100644
index 0000000..8c847aa
Binary files /dev/null and b/src-tauri/resources/firmware/openwrt-23.05.5-zbt-we826-16m-litoral-golden-sysupgrade.bin differ
diff --git a/src-tauri/resources/provisioning/provision.sh b/src-tauri/resources/provisioning/provision.sh
new file mode 100644
index 0000000..1ddda5a
--- /dev/null
+++ b/src-tauri/resources/provisioning/provision.sh
@@ -0,0 +1,216 @@
+#!/bin/sh
+set -eu
+
+ENV_FILE="${1:-/tmp/router.env}"
+
+log() {
+  echo
+  echo "==> $1"
+}
+
+die() {
+  echo "ERROR: $1"
+  exit 1
+}
+
+require_var() {
+  eval "v=\${$1:-}"
+  [ -n "$v" ] || die "Missing variable: $1"
+}
+
+backup_configs() {
+  mkdir -p /root/litoral-backups
+  TS="$(date +%Y%m%d-%H%M%S || echo unknown)"
+  cp /etc/config/network "/root/litoral-backups/network.$TS.bak" || true
+  cp /etc/config/firewall "/root/litoral-backups/firewall.$TS.bak" || true
+  cp /etc/config/system "/root/litoral-backups/system.$TS.bak" || true
+  cp /etc/config/uhttpd "/root/litoral-backups/uhttpd.$TS.bak" || true
+}
+
+[ -f "$ENV_FILE" ] || die "Missing env file: $ENV_FILE"
+. "$ENV_FILE"
+
+require_var ROUTER_ID
+require_var HOSTNAME
+require_var LAN_IP
+require_var LAN_NETMASK
+require_var WG_IP
+require_var WG_CIDR
+require_var WG_SERVER_HOST
+require_var WG_SERVER_PORT
+require_var WG_SERVER_PUBLIC_KEY
+require_var CONTROLLER_IP
+require_var PLC_IP
+require_var ROOT_PASSWORD
+
+log "Starting Litoral_Regas production provisioning"
+
+log "Verifying board and firmware"
+BOARD="$(ubus call system board | jsonfilter -e '@.board_name')"
+VERSION="$(ubus call system board | jsonfilter -e '@.release.version')"
+
+[ "$BOARD" = "zbtlink,zbt-we826-16m" ] || die "Wrong board: $BOARD"
+
+case "$VERSION" in
+  23.05.*) echo "OpenWrt version OK: $VERSION" ;;
+  *) die "Wrong OpenWrt version: $VERSION" ;;
+esac
+
+log "Creating config backups"
+backup_configs
+
+log "Setting hostname"
+uci set system.@system[0].hostname="$HOSTNAME"
+uci commit system
+
+log "Setting root password"
+printf "%s\n%s\n" "$ROOT_PASSWORD" "$ROOT_PASSWORD" | passwd root
+
+log "Configuring LAN"
+uci set network.lan.ipaddr="$LAN_IP"
+uci set network.lan.netmask="$LAN_NETMASK"
+uci commit network
+
+log "Preparing WireGuard keys"
+mkdir -p /etc/wireguard
+chmod 700 /etc/wireguard
+
+if [ ! -f /etc/wireguard/privatekey ]; then
+  umask 077
+  wg genkey > /etc/wireguard/privatekey
+  cat /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+fi
+
+ROUTER_PRIVATE_KEY="$(cat /etc/wireguard/privatekey)"
+ROUTER_PUBLIC_KEY="$(cat /etc/wireguard/publickey)"
+
+log "Configuring WireGuard"
+uci -q delete network.wg0 || true
+uci -q delete network.wgserver || true
+
+uci set network.wg0="interface"
+uci set network.wg0.proto="wireguard"
+uci set network.wg0.private_key="$ROUTER_PRIVATE_KEY"
+uci add_list network.wg0.addresses="$WG_IP/$WG_CIDR"
+
+uci set network.wgserver="wireguard_wg0"
+uci set network.wgserver.description="Litoral_Regas_VPS"
+uci set network.wgserver.public_key="$WG_SERVER_PUBLIC_KEY"
+uci set network.wgserver.endpoint_host="$WG_SERVER_HOST"
+uci set network.wgserver.endpoint_port="$WG_SERVER_PORT"
+uci set network.wgserver.persistent_keepalive="25"
+uci set network.wgserver.route_allowed_ips="1"
+uci add_list network.wgserver.allowed_ips="198.19.0.0/16"
+
+uci commit network
+
+log "Configuring LuCI over WireGuard"
+uci set uhttpd.main.rfc1918_filter="0"
+uci commit uhttpd
+
+log "Configuring firewall zones and forwarding"
+
+uci -q delete firewall.vpn || true
+uci -q delete firewall.vpn_lan || true
+uci -q delete firewall.lan_vpn || true
+
+uci set firewall.vpn="zone"
+uci set firewall.vpn.name="vpn"
+uci set firewall.vpn.input="ACCEPT"
+uci set firewall.vpn.output="ACCEPT"
+uci set firewall.vpn.forward="ACCEPT"
+uci add_list firewall.vpn.network="wg0"
+
+uci set firewall.vpn_lan="forwarding"
+uci set firewall.vpn_lan.src="vpn"
+uci set firewall.vpn_lan.dest="lan"
+
+uci set firewall.lan_vpn="forwarding"
+uci set firewall.lan_vpn.src="lan"
+uci set firewall.lan_vpn.dest="vpn"
+
+log "Configuring DNAT rules"
+
+uci -q delete firewall.dnat_controller_vnc || true
+uci -q delete firewall.dnat_controller_runtime || true
+uci -q delete firewall.dnat_controller_http || true
+uci -q delete firewall.dnat_plc_http || true
+
+uci set firewall.dnat_controller_vnc="redirect"
+uci set firewall.dnat_controller_vnc.name="DNAT_Controller_VNC_5900"
+uci set firewall.dnat_controller_vnc.src="vpn"
+uci set firewall.dnat_controller_vnc.dest="lan"
+uci set firewall.dnat_controller_vnc.proto="tcp"
+uci set firewall.dnat_controller_vnc.src_dport="5900"
+uci set firewall.dnat_controller_vnc.dest_ip="$CONTROLLER_IP"
+uci set firewall.dnat_controller_vnc.dest_port="5900"
+uci set firewall.dnat_controller_vnc.target="DNAT"
+
+uci set firewall.dnat_controller_runtime="redirect"
+uci set firewall.dnat_controller_runtime.name="DNAT_Controller_20248_to_20249"
+uci set firewall.dnat_controller_runtime.src="vpn"
+uci set firewall.dnat_controller_runtime.dest="lan"
+uci set firewall.dnat_controller_runtime.proto="tcp"
+uci set firewall.dnat_controller_runtime.src_dport="20248"
+uci set firewall.dnat_controller_runtime.dest_ip="$CONTROLLER_IP"
+uci set firewall.dnat_controller_runtime.dest_port="20249"
+uci set firewall.dnat_controller_runtime.target="DNAT"
+
+uci set firewall.dnat_controller_http="redirect"
+uci set firewall.dnat_controller_http.name="DNAT_Controller_HTTP_8000"
+uci set firewall.dnat_controller_http.src="vpn"
+uci set firewall.dnat_controller_http.dest="lan"
+uci set firewall.dnat_controller_http.proto="tcp"
+uci set firewall.dnat_controller_http.src_dport="8000"
+uci set firewall.dnat_controller_http.dest_ip="$CONTROLLER_IP"
+uci set firewall.dnat_controller_http.dest_port="8000"
+uci set firewall.dnat_controller_http.target="DNAT"
+
+uci set firewall.dnat_plc_http="redirect"
+uci set firewall.dnat_plc_http.name="DNAT_PLC_HTTP_81"
+uci set firewall.dnat_plc_http.src="vpn"
+uci set firewall.dnat_plc_http.dest="lan"
+uci set firewall.dnat_plc_http.proto="tcp"
+uci set firewall.dnat_plc_http.src_dport="81"
+uci set firewall.dnat_plc_http.dest_ip="$PLC_IP"
+uci set firewall.dnat_plc_http.dest_port="81"
+uci set firewall.dnat_plc_http.target="DNAT"
+
+uci commit firewall
+
+log "Writing provisioning markers"
+cat > /etc/litoral-router <<EOF
+ROUTER_ID=$ROUTER_ID
+HOSTNAME=$HOSTNAME
+LAN_IP=$LAN_IP
+WG_IP=$WG_IP/$WG_CIDR
+PROVISIONED_AT=$(date || true)
+EOF
+
+touch /etc/litoral_provisioned
+
+log "Restarting services"
+service system reload
+service uhttpd restart
+service firewall restart
+service network restart
+
+log "Verification summary"
+echo "Hostname: $(uci get system.@system[0].hostname)"
+echo "LAN IP: $(uci get network.lan.ipaddr)"
+echo "WG IP: $WG_IP/$WG_CIDR"
+echo "Board: $BOARD"
+echo "OpenWrt: $VERSION"
+
+echo
+echo "ROUTER PUBLIC KEY:"
+echo "$ROUTER_PUBLIC_KEY"
+
+echo
+echo "Add this peer to the VPS:"
+echo "[Peer]"
+echo "PublicKey = $ROUTER_PUBLIC_KEY"
+echo "AllowedIPs = $WG_IP/32"
+
+echo
+echo "Provisioning complete."
diff --git a/src-tauri/src/commands/router.rs b/src-tauri/src/commands/router.rs
index 7681f3d..5dc3e33 100644
--- a/src-tauri/src/commands/router.rs
+++ b/src-tauri/src/commands/router.rs
@@ -1,4 +1,10 @@
+use ssh2::Session;
+use std::process::Command;
 use std::{
+    fs::File,
+    io::{ Read, Write },
+    net::{ TcpStream, ToSocketAddrs },
+    path::Path,
     thread,
     time::Duration,
 };
@@ -8,118 +14,703 @@ fn delay() {
 }
 
 #[tauri::command]
-pub async fn detect_router(
-    ip: String,
-) -> Result<bool, String> {
+pub async fn detect_router(ip: String) -> Result<bool, String> {
     delay();
 
     if ip.trim().is_empty() {
-        return Err(
-            "router IP is required".into(),
-        );
+        return Err("router IP is required".into());
     }
 
     Ok(true)
 }
 
-#[tauri::command]
-pub async fn upload_firmware(
-    ip: String,
-    firmware_path: String,
-) -> Result<String, String> {
-    delay();
+fn authenticate_router(session: &Session, password: &str) -> Result<(), String> {
+    if !password.trim().is_empty() {
+        if session.userauth_password("root", password).is_ok() && session.authenticated() {
+            return Ok(());
+        }
+    }
 
-    Ok(format!(
-        "uploaded {} to {}:/tmp/firmware.bin",
-        firmware_path, ip,
-    ))
+    if session.userauth_agent("root").is_ok() && session.authenticated() {
+        return Ok(());
+    }
+
+    Err("SSH authentication failed for root".into())
+}
+
+fn run_system_ssh(ip: &str, command: &str) -> Result<String, String> {
+    let target = format!("root@{}", ip);
+
+    let output = Command::new("ssh")
+        .args([
+            "-o",
+            "BatchMode=yes",
+            "-o",
+            "ConnectTimeout=6",
+            "-o",
+            "StrictHostKeyChecking=no",
+            "-o",
+            "UserKnownHostsFile=NUL",
+            &target,
+            command,
+        ])
+        .output()
+        .map_err(|error| format!("failed to run system ssh: {}", error))?;
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+
+    if output.status.success() {
+        return Ok(format!("{}{}", stdout, stderr));
+    }
+
+    Err(
+        format!("system ssh failed with status {:?}:\n{}\n{}", output.status.code(), stderr, stdout)
+    )
+}
+
+fn open_router_session(ip: &str, password: &str) -> Result<Session, String> {
+    let address = format!("{}:22", ip);
+
+    let socket_address = address
+        .to_socket_addrs()
+        .map_err(|error| format!("failed to resolve router address: {}", error))?
+        .next()
+        .ok_or_else(|| format!("failed to resolve router address {}", address))?;
+
+    let tcp = TcpStream::connect_timeout(&socket_address, Duration::from_secs(8)).map_err(|error|
+        format!("failed to connect to SSH on {}: {}", ip, error)
+    )?;
+
+    let _ = tcp.set_read_timeout(Some(Duration::from_secs(30)));
+    let _ = tcp.set_write_timeout(Some(Duration::from_secs(30)));
+
+    let mut session = Session::new().map_err(|error|
+        format!("failed to create SSH session: {}", error)
+    )?;
+
+    session.set_tcp_stream(tcp);
+
+    session.handshake().map_err(|error| format!("SSH handshake failed for {}: {}", ip, error))?;
+
+    authenticate_router(&session, password).map_err(|error| format!("root@{}: {}", ip, error))?;
+
+    Ok(session)
+}
+
+fn scp_file_from_disk(
+    session: &Session,
+    local_path: &str,
+    remote_path: &str,
+    mode: i32
+) -> Result<(), String> {
+    let mut local_file = File::open(local_path).map_err(|error|
+        format!("failed to open {}: {}", local_path, error)
+    )?;
+
+    let file_size = local_file
+        .metadata()
+        .map_err(|error| format!("failed to read metadata for {}: {}", local_path, error))?
+        .len();
+
+    let mut buffer = Vec::new();
+
+    local_file
+        .read_to_end(&mut buffer)
+        .map_err(|error| format!("failed to read {}: {}", local_path, error))?;
+
+    let mut remote_file = session
+        .scp_send(Path::new(remote_path), mode, file_size, None)
+        .map_err(|error| format!("failed to start SCP upload to {}: {}", remote_path, error))?;
+
+    remote_file
+        .write_all(&buffer)
+        .map_err(|error| format!("failed to write {}: {}", remote_path, error))?;
+
+    remote_file.send_eof().ok();
+    remote_file.wait_eof().ok();
+    remote_file.close().ok();
+    remote_file.wait_close().ok();
+
+    Ok(())
+}
+
+fn scp_string(
+    session: &Session,
+    content: &str,
+    remote_path: &str,
+    mode: i32
+) -> Result<(), String> {
+    let bytes = content.as_bytes();
+
+    let mut remote_file = session
+        .scp_send(Path::new(remote_path), mode, bytes.len() as u64, None)
+        .map_err(|error| format!("failed to start SCP upload to {}: {}", remote_path, error))?;
+
+    remote_file
+        .write_all(bytes)
+        .map_err(|error| format!("failed to write {}: {}", remote_path, error))?;
+
+    remote_file.send_eof().ok();
+    remote_file.wait_eof().ok();
+    remote_file.close().ok();
+    remote_file.wait_close().ok();
+
+    Ok(())
+}
+
+fn run_ssh_command(session: &Session, command: &str) -> Result<String, String> {
+    let mut channel = session
+        .channel_session()
+        .map_err(|error| format!("failed to open SSH channel: {}", error))?;
+
+    channel
+        .exec(command)
+        .map_err(|error| format!("failed to run command `{}`: {}", command, error))?;
+
+    let mut output = String::new();
+
+    let _ = channel.read_to_string(&mut output);
+    let _ = channel.wait_close();
+
+    Ok(output)
 }
 
 #[tauri::command]
-pub async fn flash_router(
-    ip: String,
-    remote_firmware_path: String,
-) -> Result<String, String> {
+pub async fn upload_firmware(ip: String, firmware_path: String) -> Result<String, String> {
     delay();
 
-    Ok(format!(
-        "sysupgrade started on {} with {}",
-        ip, remote_firmware_path,
-    ))
+    Ok(format!("uploaded {} to {}:/tmp/firmware.bin", firmware_path, ip))
 }
 
 #[tauri::command]
-pub async fn wait_for_ssh(
-    ip: String,
-) -> Result<bool, String> {
+pub async fn flash_router(ip: String, remote_firmware_path: String) -> Result<String, String> {
+    delay();
+
+    Ok(format!("sysupgrade started on {} with {}", ip, remote_firmware_path))
+}
+
+#[tauri::command]
+pub async fn wait_for_ssh(ip: String) -> Result<bool, String> {
     for _ in 0..3 {
         delay();
     }
 
-    if ip == "198.51.100.1"
-        || ip == "192.168.1.1"
-    {
+    if ip == "198.51.100.1" || ip == "192.168.1.1" {
         Ok(true)
     } else {
-        Err(format!(
-            "SSH timeout waiting for {}",
-            ip,
-        ))
+        Err(format!("SSH timeout waiting for {}", ip))
     }
 }
 
 #[tauri::command]
-pub async fn upload_provisioning_bundle(
-    ip: String,
-    env_content: String,
-    script_content: String,
-) -> Result<String, String> {
-    delay();
+pub async fn run_provisioning(ip: String, password: String) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
 
-    Ok(format!(
-        "uploaded router.env ({} bytes) and provision.sh ({} bytes) to {}",
-        env_content.len(),
-        script_content.len(),
-        ip,
-    ))
+    let command = "cd /tmp && ./provision.sh";
+
+    if password.trim().is_empty() {
+        return run_system_ssh(&ip, command);
+    }
+
+    let session = open_router_session(&ip, &password)?;
+
+    run_ssh_command(&session, command)
 }
 
 #[tauri::command]
-pub async fn run_provisioning(
-    ip: String,
-) -> Result<String, String> {
-    delay();
+pub async fn capture_wireguard_public_key(ip: String, password: String) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
 
-    Ok(format!(
-        "provision.sh completed on {}; fw4/nftables, wg0, DNAT, LuCI over WireGuard configured",
-        ip,
-    ))
+    let command = "wg show wg0 public-key";
+
+    let output = if password.trim().is_empty() {
+        run_system_ssh(&ip, command)?
+    } else {
+        let session = open_router_session(&ip, &password)?;
+        run_ssh_command(&session, command)?
+    };
+
+    let public_key = output.trim();
+
+    if public_key.is_empty() {
+        return Err("WireGuard public key was empty".into());
+    }
+
+    if !public_key.ends_with('=') || public_key.len() < 40 {
+        return Err(format!("unexpected WireGuard public key output: {}", public_key));
+    }
+
+    Ok(public_key.to_string())
 }
 
 #[tauri::command]
-pub async fn capture_wireguard_public_key(
-    _ip: String,
-) -> Result<String, String> {
-    delay();
-
-    Ok(
-        "MOCK_ROUTER_WIREGUARD_PUBLIC_KEY_BASE64="
-            .into(),
-    )
-}
-
-#[tauri::command]
-pub async fn verify_router(
-    ip: String,
-) -> Result<bool, String> {
+pub async fn verify_router(ip: String) -> Result<bool, String> {
     delay();
 
     if ip == "198.51.100.1" {
         Ok(true)
     } else {
-        Err(
-            "router verification failed"
-                .into(),
-        )
+        Err("router verification failed".into())
     }
-}
\ No newline at end of file
+}
+
+#[tauri::command]
+pub async fn upload_firmware_to_router(ip: String, password: String) -> Result<String, String> {
+    let local_firmware_path =
+        "resources/firmware/openwrt-23.05.5-zbt-we826-16m-litoral-golden-sysupgrade.bin";
+
+    let remote_firmware_path = "/tmp/firmware.bin";
+
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
+
+    /*
+     * FACTORY / FRESH OPENWRT PATH
+     * Uses system scp when no password is set.
+     */
+
+    if password.trim().is_empty() {
+        let target = format!("root@{}:{}", ip, remote_firmware_path);
+
+        let output = std::process::Command
+            ::new("scp")
+            .args([
+                "-O",
+                "-o",
+                "BatchMode=yes",
+                "-o",
+                "ConnectTimeout=10",
+                "-o",
+                "StrictHostKeyChecking=accept-new",
+                local_firmware_path,
+                &target,
+            ])
+            .output()
+            .map_err(|error| { format!("failed to run system scp: {}", error) })?;
+
+        if output.status.success() {
+            return Ok(
+                format!("Firmware uploaded to {}:{} using system scp", ip, remote_firmware_path)
+            );
+        }
+
+        return Err(
+            format!(
+                "system scp failed:\n{}\n{}",
+                String::from_utf8_lossy(&output.stderr),
+                String::from_utf8_lossy(&output.stdout)
+            )
+        );
+    }
+
+    /*
+     * PASSWORD SSH PATH
+     */
+
+    let address = format!("{}:22", ip);
+
+    let socket_address = address
+        .to_socket_addrs()
+        .map_err(|error| { format!("failed to resolve router address: {}", error) })?
+        .next()
+        .ok_or_else(|| { format!("failed to resolve router address {}", address) })?;
+
+    let tcp = TcpStream::connect_timeout(&socket_address, Duration::from_secs(8)).map_err(|error| {
+        format!("failed to connect to SSH on {}: {}", ip, error)
+    })?;
+
+    tcp
+        .set_read_timeout(Some(Duration::from_secs(30)))
+        .map_err(|error| { format!("failed to set read timeout: {}", error) })?;
+
+    tcp
+        .set_write_timeout(Some(Duration::from_secs(30)))
+        .map_err(|error| { format!("failed to set write timeout: {}", error) })?;
+
+    let mut session = Session::new().map_err(|error| {
+        format!("failed to create SSH session: {}", error)
+    })?;
+
+    session.set_tcp_stream(tcp);
+
+    session.handshake().map_err(|error| { format!("SSH handshake failed for {}: {}", ip, error) })?;
+
+    session
+        .userauth_password("root", &password)
+        .map_err(|error| { format!("SSH authentication failed for root@{}: {}", ip, error) })?;
+
+    if !session.authenticated() {
+        return Err(format!("SSH authentication failed for root@{}", ip));
+    }
+
+    let mut local_file = File::open(local_firmware_path).map_err(|error| {
+        format!("failed to open local firmware file {}: {}", local_firmware_path, error)
+    })?;
+
+    let firmware_size = local_file
+        .metadata()
+        .map_err(|error| { format!("failed to read firmware metadata: {}", error) })?
+        .len();
+
+    let mut buffer = Vec::new();
+
+    local_file
+        .read_to_end(&mut buffer)
+        .map_err(|error| { format!("failed to read firmware file: {}", error) })?;
+
+    let mut remote_file = session
+        .scp_send(Path::new(remote_firmware_path), 0o644, firmware_size, None)
+        .map_err(|error| {
+            format!("failed to start SCP upload to {}: {}", remote_firmware_path, error)
+        })?;
+
+    remote_file
+        .write_all(&buffer)
+        .map_err(|error| { format!("failed to upload firmware via SCP: {}", error) })?;
+
+    remote_file.send_eof().map_err(|error| { format!("failed to send SCP EOF: {}", error) })?;
+
+    remote_file.wait_eof().map_err(|error| { format!("failed waiting for SCP EOF: {}", error) })?;
+
+    remote_file.close().map_err(|error| { format!("failed closing SCP channel: {}", error) })?;
+
+    remote_file
+        .wait_close()
+        .map_err(|error| { format!("failed waiting for SCP close: {}", error) })?;
+
+    Ok(format!("Firmware uploaded to {}:{} ({} bytes)", ip, remote_firmware_path, firmware_size))
+}
+
+#[tauri::command]
+pub async fn flash_router_sysupgrade(ip: String, password: String) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
+
+    let flash_command = "test -f /tmp/firmware.bin && sysupgrade -n /tmp/firmware.bin";
+
+    if password.trim().is_empty() {
+        let output = run_system_ssh(&ip, flash_command);
+
+        return match output {
+            Ok(output) =>
+                Ok(format!("sysupgrade command submitted on {} using system ssh. {}", ip, output)),
+            Err(error) => {
+                let lowered = error.to_lowercase();
+
+                if
+                    lowered.contains("commencing upgrade") ||
+                    lowered.contains("closing all shell sessions") ||
+                    lowered.contains("connection failed") ||
+                    lowered.contains("connection reset") ||
+                    lowered.contains("broken pipe") ||
+                    lowered.contains("closed") ||
+                    lowered.contains("disconnect") ||
+                    lowered.contains("sysupgrade")
+                {
+                    Ok(format!("sysupgrade started on {}; SSH disconnected as expected.", ip))
+                } else {
+                    Err(error)
+                }
+            }
+        };
+    }
+
+    let address = format!("{}:22", ip);
+
+    let socket_address = address
+        .to_socket_addrs()
+        .map_err(|error| { format!("failed to resolve router address: {}", error) })?
+        .next()
+        .ok_or_else(|| { format!("failed to resolve router address {}", address) })?;
+
+    let tcp = TcpStream::connect_timeout(&socket_address, Duration::from_secs(8)).map_err(|error| {
+        format!("failed to connect to SSH on {}: {}", ip, error)
+    })?;
+
+    tcp.set_read_timeout(Some(Duration::from_secs(8))).ok();
+    tcp.set_write_timeout(Some(Duration::from_secs(8))).ok();
+
+    let mut session = Session::new().map_err(|error| {
+        format!("failed to create SSH session: {}", error)
+    })?;
+
+    session.set_tcp_stream(tcp);
+
+    session.handshake().map_err(|error| { format!("SSH handshake failed for {}: {}", ip, error) })?;
+
+    authenticate_router(&session, &password).map_err(|error| {
+        format!("root@{}: {}", ip, error)
+    })?;
+
+    let mut channel = session
+        .channel_session()
+        .map_err(|error| { format!("failed to open SSH channel: {}", error) })?;
+
+    channel
+        .exec(flash_command)
+        .map_err(|error| { format!("failed to start sysupgrade: {}", error) })?;
+
+    let mut output = String::new();
+    let _ = channel.read_to_string(&mut output);
+    let _ = channel.wait_close();
+
+    let lowered = output.to_lowercase();
+
+    if
+        lowered.contains("commencing upgrade") ||
+        lowered.contains("closing all shell sessions") ||
+        lowered.contains("sysupgrade")
+    {
+        return Ok(
+            format!("sysupgrade started on {}; router should reboot shortly. {}", ip, output)
+        );
+    }
+
+    Ok(format!("sysupgrade command submitted on {}. Router should reboot shortly. {}", ip, output))
+}
+
+#[tauri::command]
+pub async fn reconnect_router_after_flash(ip: String, password: String) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
+
+    let max_attempts = 30;
+    let wait_between_attempts = Duration::from_secs(5);
+
+    for attempt in 1..=max_attempts {
+        if password.trim().is_empty() {
+            match run_system_ssh(&ip, "ubus call system board") {
+                Ok(output) => {
+                    return Ok(
+                        format!(
+                            "Router reconnected after flash on attempt {}/{} using system ssh.\n{}",
+                            attempt,
+                            max_attempts,
+                            output
+                        )
+                    );
+                }
+                Err(_) => {
+                    thread::sleep(wait_between_attempts);
+                    continue;
+                }
+            }
+        }
+
+        let address = format!("{}:22", ip);
+
+        let socket_address = match address.to_socket_addrs() {
+            Ok(mut addresses) =>
+                match addresses.next() {
+                    Some(socket_address) => socket_address,
+                    None => {
+                        thread::sleep(wait_between_attempts);
+                        continue;
+                    }
+                }
+            Err(_) => {
+                thread::sleep(wait_between_attempts);
+                continue;
+            }
+        };
+
+        let tcp = match TcpStream::connect_timeout(&socket_address, Duration::from_secs(4)) {
+            Ok(tcp) => tcp,
+            Err(_) => {
+                thread::sleep(wait_between_attempts);
+                continue;
+            }
+        };
+
+        let _ = tcp.set_read_timeout(Some(Duration::from_secs(8)));
+        let _ = tcp.set_write_timeout(Some(Duration::from_secs(8)));
+
+        let mut session = match Session::new() {
+            Ok(session) => session,
+            Err(_) => {
+                thread::sleep(wait_between_attempts);
+                continue;
+            }
+        };
+
+        session.set_tcp_stream(tcp);
+
+        if session.handshake().is_err() {
+            thread::sleep(wait_between_attempts);
+            continue;
+        }
+
+        if authenticate_router(&session, &password).is_err() {
+            thread::sleep(wait_between_attempts);
+            continue;
+        }
+
+        let mut channel = match session.channel_session() {
+            Ok(channel) => channel,
+            Err(_) => {
+                thread::sleep(wait_between_attempts);
+                continue;
+            }
+        };
+
+        if channel.exec("ubus call system board").is_err() {
+            thread::sleep(wait_between_attempts);
+            continue;
+        }
+
+        let mut output = String::new();
+
+        if channel.read_to_string(&mut output).is_err() {
+            thread::sleep(wait_between_attempts);
+            continue;
+        }
+
+        let _ = channel.wait_close();
+
+        return Ok(
+            format!(
+                "Router reconnected after flash on attempt {}/{}.\n{}",
+                attempt,
+                max_attempts,
+                output
+            )
+        );
+    }
+
+    Err(
+        format!(
+            "Router did not become reachable over SSH at {} after {} attempts. Replug Ethernet and retry.",
+            ip,
+            max_attempts
+        )
+    )
+}
+
+#[tauri::command]
+pub async fn check_router_after_flash(ip: String, password: String) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
+
+    if password.trim().is_empty() {
+        return run_system_ssh(&ip, "ubus call system board");
+    }
+
+    let address = format!("{}:22", ip);
+
+    let socket_address = address
+        .to_socket_addrs()
+        .map_err(|error| format!("failed to resolve router address: {}", error))?
+        .next()
+        .ok_or_else(|| format!("failed to resolve router address {}", address))?;
+
+    let tcp = TcpStream::connect_timeout(&socket_address, Duration::from_secs(4)).map_err(|error|
+        format!("SSH not ready at {}: {}", ip, error)
+    )?;
+
+    let _ = tcp.set_read_timeout(Some(Duration::from_secs(8)));
+    let _ = tcp.set_write_timeout(Some(Duration::from_secs(8)));
+
+    let mut session = Session::new().map_err(|error|
+        format!("failed to create SSH session: {}", error)
+    )?;
+
+    session.set_tcp_stream(tcp);
+
+    session.handshake().map_err(|error| format!("SSH handshake failed: {}", error))?;
+
+    authenticate_router(&session, &password).map_err(|error| format!("root@{}: {}", ip, error))?;
+
+    let mut channel = session
+        .channel_session()
+        .map_err(|error| format!("failed to open SSH channel: {}", error))?;
+
+    channel
+        .exec("ubus call system board")
+        .map_err(|error| format!("failed to run ubus: {}", error))?;
+
+    let mut output = String::new();
+
+    channel
+        .read_to_string(&mut output)
+        .map_err(|error| format!("failed to read router info: {}", error))?;
+
+    let _ = channel.wait_close();
+
+    Ok(output)
+}
+
+#[tauri::command]
+pub async fn upload_provisioning_bundle(
+    ip: String,
+    password: String,
+    env_content: String
+) -> Result<String, String> {
+    if ip.trim().is_empty() {
+        return Err("router IP is required".into());
+    }
+
+    let local_script_path = "resources/provisioning/provision.sh";
+    let remote_script_path = "/tmp/provision.sh";
+    let remote_env_path = "/tmp/router.env";
+
+    if password.trim().is_empty() {
+        let script_target = format!("root@{}:{}", ip, remote_script_path);
+
+        let script_upload = Command::new("scp")
+            .args([
+                "-O",
+                "-o",
+                "BatchMode=yes",
+                "-o",
+                "ConnectTimeout=10",
+                "-o",
+                "StrictHostKeyChecking=no",
+                "-o",
+                "UserKnownHostsFile=NUL",
+                local_script_path,
+                &script_target,
+            ])
+            .output()
+            .map_err(|error| format!("failed to run scp for provision.sh: {}", error))?;
+
+        if !script_upload.status.success() {
+            return Err(
+                format!(
+                    "failed to upload provision.sh:\n{}\n{}",
+                    String::from_utf8_lossy(&script_upload.stderr),
+                    String::from_utf8_lossy(&script_upload.stdout)
+                )
+            );
+        }
+
+        let env_command = format!(
+            "cat > {} <<'EOF'\n{}\nEOF\nchmod +x {}",
+            remote_env_path,
+            env_content,
+            remote_script_path
+        );
+
+        run_system_ssh(&ip, &env_command)?;
+
+        return Ok(format!("uploaded provision.sh and router.env to {} using system ssh/scp", ip));
+    }
+
+    let session = open_router_session(&ip, &password)?;
+
+    scp_file_from_disk(&session, local_script_path, remote_script_path, 0o755)?;
+
+    scp_string(&session, &env_content, remote_env_path, 0o600)?;
+
+    run_ssh_command(&session, "chmod +x /tmp/provision.sh")?;
+
+    Ok(format!("uploaded provision.sh and router.env to {}", ip))
+}
diff --git a/src-tauri/src/lib.rs b/src-tauri/src/lib.rs
index c16a9c1..816714f 100644
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@@ -7,11 +7,15 @@ use commands::{
         capture_wireguard_public_key,
         detect_router,
         flash_router,
+        flash_router_sysupgrade,
         run_provisioning,
         upload_firmware,
+        upload_firmware_to_router,
         upload_provisioning_bundle,
+        reconnect_router_after_flash,
         verify_router,
         wait_for_ssh,
+        check_router_after_flash
     },
     ssh::{
         inspect_router_with_password,
@@ -33,12 +37,16 @@ pub fn run() {
             inspect_router_with_password,
             detect_router,
             upload_firmware,
+            upload_firmware_to_router,
             flash_router,
+            flash_router_sysupgrade,
+            reconnect_router_after_flash,
             wait_for_ssh,
             upload_provisioning_bundle,
             run_provisioning,
             capture_wireguard_public_key,
             verify_router,
+            check_router_after_flash
         ])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");
diff --git a/src/app/routes.tsx b/src/app/routes.tsx
index 8f8a9e8..b9546d1 100644
--- a/src/app/routes.tsx
+++ b/src/app/routes.tsx
@@ -8,13 +8,9 @@ import {
 
 import { TopBar } from '@/components/layout/TopBar';
 import { MetricCard } from '@/components/dashboard/MetricCard';
-import { ProvisioningWorkflow } from '@/components/dashboard/ProvisioningWorkflow';
 import { IpPoolChart } from '@/components/dashboard/IpPoolChart';
 import { NetworkTrafficChart } from '@/components/dashboard/NetworkTrafficChart';
 
-import { VpnPeersTable } from '@/components/vpn/VpnPeersTable';
-import { IpManagementPanel } from '@/components/vpn/IpManagementPanel';
-
 import { ProvisioningWizard } from '@/components/provisioning/ProvisioningWizard';
 import { BackendSettings } from '@/components/settings/BackendSettings';
 import { ActivityLogs } from '@/components/activity/ActivityLogs';
@@ -40,8 +36,6 @@ export function DashboardRoute() {
   useEffect(() => {
     async function loadDashboard() {
       try {
-        setError('');
-
         const [
           healthResponse,
           usedIpsResponse,
@@ -52,7 +46,11 @@ export function DashboardRoute() {
 
         setHealth(healthResponse);
         setUsedIps(usedIpsResponse);
+        setError('');
       } catch (err) {
+        setHealth(null);
+        setUsedIps(null);
+
         setError(String(err));
       }
     }
@@ -84,15 +82,21 @@ export function DashboardRoute() {
     ).toFixed(2);
   }, [usedCount, ipPoolTotal]);
 
-  const vpnHealthy =
-    health?.wireGuardRunning ?? false;
-
   const backendHealthy =
-    health?.backend ?? !error;
+    health?.backend === true;
+
+  const vpnHealthy =
+    health?.wireGuardRunning === true;
+
+  const dashboardReady =
+    !error &&
+    Boolean(health) &&
+    backendHealthy &&
+    vpnHealthy;
 
   return (
     <div className="flex h-full flex-col overflow-hidden">
-      <TopBar />
+      <TopBar healthy={dashboardReady} />
 
       {error && (
         <div className="mb-3 rounded-xl border border-red-500/20 bg-red-500/10 p-3 text-sm text-red-300">
@@ -146,7 +150,7 @@ export function DashboardRoute() {
         />
       </div>
 
-      <div className="mt-4 grid flex-1 grid-cols-12 grid-rows-[minmax(0,1fr)_auto] gap-4 overflow-hidden">
+      <div className="mt-4 grid min-h-0 flex-1 grid-cols-12 gap-4 overflow-hidden pb-4">
         <div className="col-span-9 min-h-0">
           <NetworkTrafficChart />
         </div>
@@ -157,10 +161,6 @@ export function DashboardRoute() {
             total={ipPoolTotal}
           />
         </div>
-
-        <div className="col-span-12">
-          <ProvisioningWorkflow />
-        </div>
       </div>
     </div>
   );
diff --git a/src/components/dashboard/IpPoolChart.tsx b/src/components/dashboard/IpPoolChart.tsx
index 664b916..5452ea8 100644
--- a/src/components/dashboard/IpPoolChart.tsx
+++ b/src/components/dashboard/IpPoolChart.tsx
@@ -16,15 +16,15 @@ export function IpPoolChart({
   used,
   total,
 }: IpPoolChartProps) {
-  const available = Math.max(
-    total - used,
-    0,
-  );
+  const available = Math.max(total - used, 0);
 
   const percentage =
     total > 0
-      ? ((used / total) * 100).toFixed(2)
-      : '0.00';
+      ? (used / total) * 100
+      : 0;
+
+  const displayPercentage =
+    percentage.toFixed(2);
 
   const data = [
     {
@@ -38,23 +38,28 @@ export function IpPoolChart({
   ];
 
   return (
-    <Card className="h-full">
-      <h3 className="mb-4 font-semibold text-white">
-        IP Pool Usage
-      </h3>
+    <Card className="flex h-full flex-col">
+      <div>
+        <h3 className="font-semibold text-white">
+          IP Pool Usage
+        </h3>
 
-      <div className="flex h-[calc(100%-2rem)] items-center justify-between gap-6">
-        <div className="h-44 w-44">
-          <ResponsiveContainer
-            width="100%"
-            height="100%"
-          >
+        <p className="text-xs text-slate-500">
+          WireGuard allocation capacity
+        </p>
+      </div>
+
+      <div className="flex min-h-0 flex-1 flex-col justify-center">
+        <div className="relative mx-auto h-56 w-56">
+          <ResponsiveContainer width="100%" height="100%">
             <PieChart>
               <Pie
                 data={data}
                 dataKey="value"
-                innerRadius={55}
-                outerRadius={78}
+                innerRadius={76}
+                outerRadius={100}
+                startAngle={90}
+                endAngle={-270}
                 paddingAngle={2}
               >
                 {data.map((_, index) => (
@@ -70,26 +75,54 @@ export function IpPoolChart({
               </Pie>
             </PieChart>
           </ResponsiveContainer>
+
+          <div className="absolute inset-0 flex flex-col items-center justify-center">
+            <p className="text-4xl font-bold text-white">
+              {displayPercentage}%
+            </p>
+
+            <p className="mt-1 text-xs text-slate-500">
+              pool used
+            </p>
+          </div>
         </div>
 
-        <div className="text-sm text-slate-300">
-          <p>
-            <span className="text-green-300">
+        <div className="mt-8 space-y-4">
+          <div className="rounded-2xl border border-white/10 bg-white/[0.03] p-4">
+            <p className="text-xs uppercase tracking-wide text-slate-500">
+              Used IPs
+            </p>
+
+            <p className="mt-1 text-2xl font-bold text-green-300">
               {used}
-            </span>{' '}
-            used IPs
-          </p>
+            </p>
+          </div>
 
-          <p className="mt-2">
-            <span className="text-blue-300">
+          <div className="rounded-2xl border border-white/10 bg-white/[0.03] p-4">
+            <p className="text-xs uppercase tracking-wide text-slate-500">
+              Available IPs
+            </p>
+
+            <p className="mt-1 text-2xl font-bold text-blue-300">
               {available}
-            </span>{' '}
-            available
-          </p>
+            </p>
+          </div>
 
-          <p className="mt-4 text-3xl font-bold text-white">
-            {percentage}%
-          </p>
+          <div className="rounded-2xl border border-white/10 bg-white/[0.03] p-4">
+            <div className="mb-2 flex justify-between text-xs text-slate-500">
+              <span>Capacity</span>
+              <span>{used} / {total}</span>
+            </div>
+
+            <div className="h-2 overflow-hidden rounded-full bg-slate-800">
+              <div
+                className="h-full rounded-full bg-green-400"
+                style={{
+                  width: `${Math.min(percentage, 100)}%`,
+                }}
+              />
+            </div>
+          </div>
         </div>
       </div>
     </Card>
diff --git a/src/components/dashboard/NetworkTrafficChart.tsx b/src/components/dashboard/NetworkTrafficChart.tsx
index 19e40a6..a930c04 100644
--- a/src/components/dashboard/NetworkTrafficChart.tsx
+++ b/src/components/dashboard/NetworkTrafficChart.tsx
@@ -103,7 +103,7 @@ export function NetworkTrafficChart() {
         </div>
       )}
 
-      <div className="h-72">
+      <div className="h-[calc(100%-4.5rem)] min-h-[360px]">
         <ResponsiveContainer
           width="100%"
           height="100%"
diff --git a/src/components/layout/TopBar.tsx b/src/components/layout/TopBar.tsx
index b811847..14cf69c 100644
--- a/src/components/layout/TopBar.tsx
+++ b/src/components/layout/TopBar.tsx
@@ -2,7 +2,13 @@ import { RefreshCw } from 'lucide-react';
 
 import { Badge } from '@/components/ui/Badge';
 
-export function TopBar() {
+type TopBarProps = {
+  healthy?: boolean;
+};
+
+export function TopBar({
+  healthy = false,
+}: TopBarProps) {
   return (
     <header className="mb-6 flex items-center justify-between">
       <div>
@@ -26,8 +32,12 @@ export function TopBar() {
           </span>
         </div>
 
-        <Badge>
-          All Systems Operational
+        <Badge
+          tone={healthy ? 'green' : 'red'}
+        >
+          {healthy
+            ? 'All Systems Operational'
+            : 'System Issues Detected'}
         </Badge>
       </div>
     </header>
diff --git a/src/components/provisioning/ProvisioningWizard.tsx b/src/components/provisioning/ProvisioningWizard.tsx
index f012ae0..dc78f46 100644
--- a/src/components/provisioning/ProvisioningWizard.tsx
+++ b/src/components/provisioning/ProvisioningWizard.tsx
@@ -1,15 +1,25 @@
-import { useState } from 'react';
+import {
+  useEffect,
+  useMemo,
+  useRef,
+  useState,
+} from 'react';
 import { invoke } from '@tauri-apps/api/core';
 
 import {
   AlertTriangle,
   CheckCircle2,
-  KeyRound,
+  Cpu,
+  FileUp,
   Network,
+  PlugZap,
+  RefreshCw,
+  Rocket,
   Search,
   ShieldAlert,
   Terminal,
-  Wifi,
+  UploadCloud,
+  Wifi
 } from 'lucide-react';
 
 import { Badge } from '@/components/ui/Badge';
@@ -17,6 +27,27 @@ import { Button } from '@/components/ui/Button';
 import { Card } from '@/components/ui/Card';
 
 import { addActivityLog } from '@/services/activityLogService';
+import { vpnApi } from '@/services/vpnApi';
+
+type ProvisioningMode =
+  | 'full'
+  | 'provision_only';
+
+type WorkflowStep =
+  | 'DETECT_ROUTER'
+  | 'UPLOAD_FIRMWARE'
+  | 'FLASH_FIRMWARE'
+  | 'WAIT_REBOOT'
+  | 'RECONNECT_ROUTER'
+  | 'UPLOAD_PROVISIONING'
+  | 'RUN_PROVISIONING'
+  | 'REGISTER_PEER';
+
+type StepStatus =
+  | 'pending'
+  | 'active'
+  | 'done'
+  | 'blocked';
 
 type DetectionStatus =
   | 'idle'
@@ -25,13 +56,95 @@ type DetectionStatus =
   | 'ssh_ok'
   | 'auth_required'
   | 'stale_host_key'
-  | 'failed';
+  | 'failed'
+  | 'flashing'
+  | 'waiting_reboot'
+  | 'reconnecting';
 
-const ROUTER_IPS = [
-  '192.168.1.1',
-  '198.51.100.1',
+type RouterEnvForm = {
+  routerId: string;
+  hostname: string;
+  wgIp: string;
+  rootPassword: string;
+};
+
+const routerPresets = [
+  {
+    ip: '192.168.1.1',
+    label: 'Factory/default',
+    password: '',
+  },
+  {
+    ip: '198.51.100.1',
+    label: 'Provisioned LAN',
+    password: 'litoralr',
+  },
 ];
 
+const FLASH_SECONDS = 300;
+const PROVISION_SECONDS = 90;
+
+const stopPhrase = 'STOP PROVISIONING';
+
+const workflowSteps: Array<{
+  id: WorkflowStep;
+  title: string;
+  description: string;
+  icon: typeof Search;
+}> = [
+    {
+      id: 'DETECT_ROUTER',
+      title: 'Detect Router',
+      description: 'Ping and inspect router over SSH.',
+      icon: Search,
+    },
+    {
+      id: 'UPLOAD_FIRMWARE',
+      title: 'Upload Firmware',
+      description: 'Copy firmware image to /tmp.',
+      icon: UploadCloud,
+    },
+    {
+      id: 'FLASH_FIRMWARE',
+      title: 'Flash Firmware',
+      description: 'Run sysupgrade -n /tmp/firmware.bin.',
+      icon: Cpu,
+    },
+    {
+      id: 'WAIT_REBOOT',
+      title: 'Wait for Reboot',
+      description: 'Block actions while router restarts.',
+      icon: RefreshCw,
+    },
+    {
+      id: 'RECONNECT_ROUTER',
+      title: 'Reconnect Router',
+      description: 'Reconnect Ethernet and wait for SSH.',
+      icon: PlugZap,
+    },
+    {
+      id: 'UPLOAD_PROVISIONING',
+      title: 'Upload Bundle',
+      description: 'Copy router.env and provision.sh.',
+      icon: FileUp,
+    },
+    {
+      id: 'RUN_PROVISIONING',
+      title: 'Run Provisioning',
+      description: 'Execute router-side setup script.',
+      icon: Terminal,
+    },
+    {
+      id: 'REGISTER_PEER',
+      title: 'Register VPS Peer',
+      description: 'Apply WireGuard peer on VPS.',
+      icon: Network,
+    }
+  ];
+
+const scrollClass =
+  '[scrollbar-width:thin] [scrollbar-color:rgba(59,130,246,0.45)_transparent] [&::-webkit-scrollbar]:w-2 [&::-webkit-scrollbar-track]:bg-transparent [&::-webkit-scrollbar-thumb]:rounded-full [&::-webkit-scrollbar-thumb]:bg-blue-500/30 hover:[&::-webkit-scrollbar-thumb]:bg-blue-500/50';
+
 function statusTone(status: DetectionStatus) {
   if (
     status === 'reachable' ||
@@ -42,7 +155,10 @@ function statusTone(status: DetectionStatus) {
 
   if (
     status === 'auth_required' ||
-    status === 'stale_host_key'
+    status === 'stale_host_key' ||
+    status === 'flashing' ||
+    status === 'waiting_reboot' ||
+    status === 'reconnecting'
   ) {
     return 'purple';
   }
@@ -54,18 +170,190 @@ function statusTone(status: DetectionStatus) {
   return 'blue';
 }
 
+function statusLabel(status: DetectionStatus) {
+  return status.replace(/_/g, ' ');
+}
+
+function formatSeconds(totalSeconds: number) {
+  const minutes = Math.floor(totalSeconds / 60);
+  const seconds = totalSeconds % 60;
+
+  return `${minutes}:${String(seconds).padStart(2, '0')}`;
+}
+
+function defaultRouterEnv(): RouterEnvForm {
+  return {
+    routerId: '',
+    hostname: '',
+    wgIp: '',
+    rootPassword: 'litoralr',
+  };
+}
+
+function buildRouterEnv(form: RouterEnvForm) {
+  return [
+    `ROUTER_ID=${form.routerId}`,
+    `HOSTNAME=${form.hostname}`,
+    '',
+    'LAN_IP=198.51.100.1',
+    'LAN_NETMASK=255.255.255.0',
+    '',
+    `WG_IP=${form.wgIp}`,
+    'WG_CIDR=32',
+    'WG_SERVER_HOST=146.59.230.190',
+    'WG_SERVER_PORT=4999',
+    'WG_SERVER_PUBLIC_KEY=eSe9hH/X1tcAqGo09hDHvOXmy6o6NPk5sPwCzMXE7kc=',
+    '',
+    'CONTROLLER_IP=198.51.100.10',
+    'PLC_IP=198.51.100.50',
+    '',
+    `ROOT_PASSWORD=${form.rootPassword.trim() || 'litoralr'}`,
+    '',
+  ].join('\n');
+}
+
 export function ProvisioningWizard() {
+  const [provisioningMode, setProvisioningMode] =
+    useState<ProvisioningMode>('full');
+
   const [selectedIp, setSelectedIp] =
-    useState(ROUTER_IPS[0]);
+    useState(routerPresets[0].ip);
+
+  const [customIp, setCustomIp] = useState('');
+  const [routerPassword, setRouterPassword] =
+    useState(routerPresets[0].password);
+  const [customPassword, setCustomPassword] =
+    useState('');
 
   const [status, setStatus] =
     useState<DetectionStatus>('idle');
 
+  const [activeStep, setActiveStep] =
+    useState<WorkflowStep>('DETECT_ROUTER');
+
+  const [completedSteps, setCompletedSteps] =
+    useState<WorkflowStep[]>([]);
+
   const [routerInfo, setRouterInfo] =
     useState('');
 
   const [log, setLog] = useState<string[]>([]);
 
+  const [confirmFlashOpen, setConfirmFlashOpen] =
+    useState(false);
+
+  const [flashOverlayOpen, setFlashOverlayOpen] =
+    useState(false);
+
+  const [flashSecondsRemaining, setFlashSecondsRemaining] =
+    useState(FLASH_SECONDS);
+
+  const [isReconnecting, setIsReconnecting] =
+    useState(false);
+
+  const [envModalOpen, setEnvModalOpen] =
+    useState(false);
+
+  const [routerEnv, setRouterEnv] =
+    useState<RouterEnvForm>(defaultRouterEnv());
+
+  const [stopConfirmOpen, setStopConfirmOpen] =
+    useState(false);
+
+  const [stopConfirmText, setStopConfirmText] =
+    useState('');
+
+  const flashCompletionHandledRef =
+    useRef(false);
+
+  const [provisionOverlayOpen, setProvisionOverlayOpen] =
+    useState(false);
+
+  const [provisionSecondsRemaining, setProvisionSecondsRemaining] =
+    useState(PROVISION_SECONDS);
+
+
+  const [isActionRunning, setIsActionRunning] =
+    useState(false);
+
+  const [setupCompleteOpen, setSetupCompleteOpen] =
+    useState(false);
+
+  const effectivePassword =
+    customIp.trim() &&
+      selectedIp === customIp.trim()
+      ? customPassword
+      : routerPassword;
+
+  const provisioningStarted =
+    activeStep !== 'DETECT_ROUTER' ||
+    completedSteps.length > 0 ||
+    status === 'flashing' ||
+    status === 'waiting_reboot' ||
+    status === 'reconnecting';
+
+  const controlsLocked =
+    provisioningStarted ||
+    isReconnecting ||
+    isActionRunning;
+
+  const canContinue =
+    status === 'ssh_ok' ||
+    completedSteps.includes('UPLOAD_FIRMWARE') ||
+    activeStep === 'UPLOAD_PROVISIONING' ||
+    activeStep === 'RUN_PROVISIONING' ||
+    activeStep === 'REGISTER_PEER';
+
+  const visibleWorkflowSteps = useMemo(() => {
+    if (provisioningMode === 'full') {
+      return workflowSteps;
+    }
+
+    return workflowSteps.filter(
+      (step) =>
+        ![
+          'UPLOAD_FIRMWARE',
+          'FLASH_FIRMWARE',
+          'WAIT_REBOOT',
+          'RECONNECT_ROUTER',
+        ].includes(step.id),
+    );
+  }, [provisioningMode]);
+
+  const flashProgress =
+    ((FLASH_SECONDS - flashSecondsRemaining) /
+      FLASH_SECONDS) *
+    100;
+
+  const workflowState = useMemo(() => {
+    return visibleWorkflowSteps.map((step) => {
+      let stepStatus: StepStatus = 'pending';
+
+      if (completedSteps.includes(step.id)) {
+        stepStatus = 'done';
+      } else if (step.id === activeStep) {
+        stepStatus = 'active';
+      }
+
+      if (
+        !canContinue &&
+        step.id !== 'DETECT_ROUTER'
+      ) {
+        stepStatus = 'blocked';
+      }
+
+      return {
+        ...step,
+        status: stepStatus,
+      };
+    });
+  }, [
+    activeStep,
+    completedSteps,
+    canContinue,
+    visibleWorkflowSteps,
+  ]);
+
   function addLog(
     message: string,
     level:
@@ -82,13 +370,158 @@ export function ProvisioningWizard() {
     addActivityLog({
       level,
       source: 'desktop',
-      action: 'ROUTER_DETECTION',
+      action: activeStep,
       message,
       routerIp: selectedIp,
     });
   }
 
+  function resetProvisioning(shouldLog = true) {
+    setProvisioningMode('full');
+    setSelectedIp(routerPresets[0].ip);
+    setRouterPassword(routerPresets[0].password);
+    setCustomIp('');
+    setCustomPassword('');
+
+    setActiveStep('DETECT_ROUTER');
+    setCompletedSteps([]);
+    setStatus('idle');
+    setRouterInfo('');
+    setIsReconnecting(false);
+    setIsActionRunning(false);
+
+    setFlashOverlayOpen(false);
+    setConfirmFlashOpen(false);
+    setProvisionOverlayOpen(false);
+    setEnvModalOpen(false);
+    setStopConfirmOpen(false);
+    setStopConfirmText('');
+    setSetupCompleteOpen(false);
+
+    setRouterEnv(defaultRouterEnv());
+
+    flashCompletionHandledRef.current = false;
+
+    if (shouldLog) {
+      addLog(
+        'Provisioning flow was reset.',
+        'warning',
+      );
+    }
+  }
+
+  function finishProvisioning() {
+    resetProvisioning(false);
+
+    setLog((currentLog) => [
+      `${new Date().toLocaleTimeString()}  Router setup completed successfully. Ready for next router.`,
+      ...currentLog,
+    ]);
+  }
+
+  useEffect(() => {
+    if (!flashOverlayOpen) {
+      return;
+    }
+
+    const intervalId = window.setInterval(() => {
+      setFlashSecondsRemaining((current) => {
+        if (current <= 1) {
+          window.clearInterval(intervalId);
+
+          if (!flashCompletionHandledRef.current) {
+            flashCompletionHandledRef.current = true;
+
+            setFlashOverlayOpen(false);
+            setStatus('waiting_reboot');
+
+            setCompletedSteps((currentSteps) => [
+              ...new Set([
+                ...currentSteps,
+                'FLASH_FIRMWARE' as WorkflowStep,
+                'WAIT_REBOOT' as WorkflowStep,
+              ]),
+            ]);
+
+            setSelectedIp(routerPresets[0].ip);
+            setRouterPassword(routerPresets[0].password);
+            setCustomIp('');
+            setCustomPassword('');
+
+            setActiveStep('RECONNECT_ROUTER');
+
+            addLog(
+              'Flash wait window completed. Reconnect or replug Ethernet if needed, then continue with reconnect checks.',
+              'success',
+            );
+          }
+
+          return 0;
+        }
+
+        return current - 1;
+      });
+    }, 1000);
+
+    return () => {
+      window.clearInterval(intervalId);
+    };
+  }, [flashOverlayOpen]);
+
+  useEffect(() => {
+    if (!provisionOverlayOpen) {
+      return;
+    }
+
+    const intervalId = window.setInterval(() => {
+      setProvisionSecondsRemaining((current) => {
+        if (current <= 1) {
+          window.clearInterval(intervalId);
+
+          setProvisionOverlayOpen(false);
+
+          setSelectedIp(routerPresets[1].ip);
+          setRouterPassword(routerPresets[1].password);
+          setCustomIp('');
+          setCustomPassword('');
+
+          setActiveStep('REGISTER_PEER');
+
+          addLog(
+            'Provisioning wait completed. Replug Ethernet now, wait a few seconds, then continue to verify WireGuard and register peer.',
+            'warning',
+          );
+
+          return 0;
+        }
+
+        return current - 1;
+      });
+    }, 1000);
+
+    return () => {
+      window.clearInterval(intervalId);
+    };
+  }, [provisionOverlayOpen]);
+
   async function detectRouter() {
+    if (controlsLocked) {
+      addLog(
+        'Router detection is locked while provisioning is active.',
+        'warning',
+      );
+      return;
+    }
+
+    if (!selectedIp.trim()) {
+      addLog(
+        'Router detection blocked: no IP selected',
+        'warning',
+      );
+      return;
+    }
+
+    setActiveStep('DETECT_ROUTER');
     setStatus('checking');
     setRouterInfo('');
 
@@ -115,8 +548,14 @@ export function ProvisioningWizard() {
         );
 
         setRouterInfo(info);
-
         setStatus('ssh_ok');
+        setCompletedSteps(['DETECT_ROUTER']);
+
+        setActiveStep(
+          provisioningMode === 'full'
+            ? 'UPLOAD_FIRMWARE'
+            : 'UPLOAD_PROVISIONING',
+        );
 
         addLog(
           `SSH key authentication succeeded at ${selectedIp}`,
@@ -148,7 +587,7 @@ export function ProvisioningWizard() {
           )
         ) {
           addLog(
-            `Router requires password authentication. Attempting automatic inspection...`,
+            'Router requires password authentication. Attempting automatic inspection...',
             'warning',
           );
 
@@ -158,13 +597,21 @@ export function ProvisioningWizard() {
                 'inspect_router_with_password',
                 {
                   ip: selectedIp,
-                  password: 'litoralr',
+                  password: effectivePassword,
                 },
               );
 
             setRouterInfo(passwordInfo);
-
             setStatus('ssh_ok');
+            setCompletedSteps([
+              'DETECT_ROUTER',
+            ]);
+
+            setActiveStep(
+              provisioningMode === 'full'
+                ? 'UPLOAD_FIRMWARE'
+                : 'UPLOAD_PROVISIONING',
+            );
 
             addLog(
               `Password SSH inspection succeeded at ${selectedIp}`,
@@ -199,7 +646,24 @@ export function ProvisioningWizard() {
       );
     }
   }
+
   async function fixKnownHost() {
+    if (controlsLocked) {
+      addLog(
+        'Known host cleanup is locked while provisioning is active.',
+        'warning',
+      );
+      return;
+    }
+
+    if (!selectedIp.trim()) {
+      addLog(
+        'Cannot remove known_hosts entry: no IP selected',
+        'warning',
+      );
+      return;
+    }
+
     try {
       addLog(
         `Removing known_hosts entry for ${selectedIp}`,
@@ -213,67 +677,524 @@ export function ProvisioningWizard() {
       );
 
       addLog(result, 'success');
-
       setStatus('idle');
+      setCompletedSteps([]);
+      setActiveStep('DETECT_ROUTER');
     } catch (error) {
       addLog(String(error), 'error');
     }
   }
 
+  async function continueProvisioning() {
+    if (isActionRunning || isReconnecting) {
+      return;
+    }
+
+    setIsActionRunning(true);
+
+    try {
+      await continueProvisioningInner();
+    } finally {
+      setIsActionRunning(false);
+    }
+  }
+
+  async function continueProvisioningInner() {
+    if (activeStep === 'UPLOAD_FIRMWARE') {
+      try {
+        addLog(
+          `Uploading firmware to ${selectedIp}:/tmp/firmware.bin`,
+        );
+
+        const result = await invoke<string>(
+          'upload_firmware_to_router',
+          {
+            ip: selectedIp,
+            password: effectivePassword,
+          },
+        );
+
+        addLog(result, 'success');
+
+        setCompletedSteps((currentSteps) => [
+          ...new Set([
+            ...currentSteps,
+            'UPLOAD_FIRMWARE' as WorkflowStep,
+          ]),
+        ]);
+
+        setActiveStep('FLASH_FIRMWARE');
+
+        return;
+      } catch (error) {
+        addLog(
+          `Firmware upload failed: ${String(error)}`,
+          'error',
+        );
+
+        return;
+      }
+    }
+
+    if (activeStep === 'FLASH_FIRMWARE') {
+      setConfirmFlashOpen(true);
+      return;
+    }
+
+    if (activeStep === 'RECONNECT_ROUTER') {
+      if (isReconnecting) {
+        return;
+      }
+
+      setIsReconnecting(true);
+      setStatus('reconnecting');
+
+      addLog(
+        `Checking router SSH after flash at ${selectedIp}`,
+        'warning',
+      );
+
+      for (let attempt = 1; attempt <= 30; attempt += 1) {
+        try {
+          addLog(`Reconnect attempt ${attempt}/30`);
+
+          const info = await invoke<string>(
+            'check_router_after_flash',
+            {
+              ip: selectedIp,
+              password: effectivePassword,
+            },
+          );
+
+          setRouterInfo(info);
+
+          addLog(
+            `Router SSH reconnected after flash at ${selectedIp}`,
+            'success',
+          );
+
+          setCompletedSteps((currentSteps) => [
+            ...new Set([
+              ...currentSteps,
+              'RECONNECT_ROUTER' as WorkflowStep,
+            ]),
+          ]);
+
+          setStatus('ssh_ok');
+          setActiveStep('UPLOAD_PROVISIONING');
+          setIsReconnecting(false);
+
+          return;
+        } catch (error) {
+          addLog(
+            `Reconnect attempt ${attempt}/30 failed: ${String(error)}`,
+            'warning',
+          );
+
+          await new Promise((resolve) =>
+            window.setTimeout(resolve, 5000),
+          );
+        }
+      }
+
+      setStatus('failed');
+      setIsReconnecting(false);
+
+      addLog(
+        'Router reconnect failed after 30 attempts. Replug Ethernet and retry.',
+        'error',
+      );
+
+      return;
+    }
+
+    if (activeStep === 'UPLOAD_PROVISIONING') {
+      await prepareRouterEnv();
+      return;
+    }
+
+    if (activeStep === 'RUN_PROVISIONING') {
+      setProvisionSecondsRemaining(PROVISION_SECONDS);
+      setProvisionOverlayOpen(true);
+
+      try {
+        addLog(
+          `Running provisioning script on ${selectedIp}`,
+          'warning',
+        );
+
+        const result = await invoke<string>(
+          'run_provisioning',
+          {
+            ip: selectedIp,
+            password: effectivePassword,
+          },
+        );
+
+        addLog(result, 'success');
+      } catch (error) {
+        const message = String(error);
+        const lowered = message.toLowerCase();
+
+        const expectedProvisionDisconnect =
+          lowered.includes('connection reset') ||
+          lowered.includes('client_loop') ||
+          lowered.includes('failed to connect to ubus') ||
+          lowered.includes('disconnect') ||
+          lowered.includes('broken pipe') ||
+          lowered.includes('restart') ||
+          lowered.includes('radio0');
+
+        if (expectedProvisionDisconnect) {
+          addLog(
+            'Provisioning script reached network/service restart and SSH disconnected as expected.',
+            'warning',
+          );
+
+          addLog(message, 'info');
+        } else {
+          setProvisionOverlayOpen(false);
+
+          addLog(
+            `Provisioning script failed: ${message}`,
+            'error',
+          );
+
+          return;
+        }
+      }
+
+      setCompletedSteps((currentSteps) => [
+        ...new Set([
+          ...currentSteps,
+          'RUN_PROVISIONING' as WorkflowStep,
+        ]),
+      ]);
+
+      setActiveStep('REGISTER_PEER');
+
+      return;
+    }
+
+    if (activeStep === 'REGISTER_PEER') {
+      try {
+        addLog(
+          `Capturing router WireGuard public key from ${routerPresets[1].ip}`,
+          'warning',
+        );
+
+        const publicKey = await invoke<string>(
+          'capture_wireguard_public_key',
+          {
+            ip: routerPresets[1].ip,
+            password: routerEnv.rootPassword.trim() || routerPresets[1].password,
+          },
+        );
+
+        addLog(
+          `Captured router public key ${publicKey.slice(0, 12)}...`,
+          'success',
+        );
+
+        await vpnApi.registerPeer({
+          vpnIp: routerEnv.wgIp,
+          publicKey,
+        });
+
+        addLog(
+          `Registered VPS peer ${routerEnv.wgIp}`,
+          'success',
+        );
+
+        setCompletedSteps((currentSteps) => [
+          ...new Set([
+            ...currentSteps,
+            'REGISTER_PEER' as WorkflowStep,
+          ]),
+        ]);
+
+        setStatus('ssh_ok');
+        setSetupCompleteOpen(true);
+
+        return;
+      } catch (error) {
+        addLog(
+          `Peer registration failed: ${String(error)}`,
+          'error',
+        );
+
+        return;
+      }
+    }
+
+    addLog(
+      `Step ${activeStep} is not wired yet.`,
+      'warning',
+    );
+  }
+
+  async function uploadProvisioningBundle() {
+    if (
+      !routerEnv.routerId.trim() ||
+      !routerEnv.hostname.trim() ||
+      !routerEnv.wgIp.trim()
+    ) {
+      addLog(
+        'router.env is missing router ID, hostname, or WireGuard IP.',
+        'error',
+      );
+      return;
+    }
+
+    try {
+      const envContent = buildRouterEnv(routerEnv);
+
+      addLog(
+        `Uploading router.env and provision.sh to ${selectedIp}`,
+        'warning',
+      );
+
+      const result = await invoke<string>(
+        'upload_provisioning_bundle',
+        {
+          ip: selectedIp,
+          password: effectivePassword,
+          envContent,
+        },
+      );
+
+      addLog(result, 'success');
+
+      setEnvModalOpen(false);
+
+      setCompletedSteps((currentSteps) => [
+        ...new Set([
+          ...currentSteps,
+          'UPLOAD_PROVISIONING' as WorkflowStep,
+        ]),
+      ]);
+
+      setActiveStep('RUN_PROVISIONING');
+    } catch (error) {
+      addLog(
+        `Provisioning bundle upload failed: ${String(error)}`,
+        'error',
+      );
+    }
+  }
+
+  async function confirmAndFlashRouter() {
+    setConfirmFlashOpen(false);
+    setStatus('flashing');
+    setActiveStep('FLASH_FIRMWARE');
+
+    flashCompletionHandledRef.current = false;
+
+    addLog(
+      'Starting firmware flash with sysupgrade -n /tmp/firmware.bin',
+      'warning',
+    );
+
+    try {
+      await invoke<string>(
+        'flash_router_sysupgrade',
+        {
+          ip: selectedIp,
+          password: effectivePassword,
+        },
+      );
+
+      addLog(
+        'Flash command submitted. SSH session may disconnect; entering protected wait window.',
+        'success',
+      );
+    } catch (error) {
+      const message = String(error);
+      const loweredMessage = message.toLowerCase();
+
+      if (
+        loweredMessage.includes('broken pipe') ||
+        loweredMessage.includes('connection reset') ||
+        loweredMessage.includes('channel') ||
+        loweredMessage.includes('disconnect') ||
+        loweredMessage.includes('commencing upgrade') ||
+        loweredMessage.includes('closing all shell sessions') ||
+        loweredMessage.includes('connection failed') ||
+        loweredMessage.includes('sysupgrade')
+      ) {
+        addLog(
+          'Router accepted sysupgrade and disconnected as expected during flash.',
+          'warning',
+        );
+      } else {
+        setStatus('failed');
+
+        addLog(
+          `Flash command failed before reboot: ${message}`,
+          'error',
+        );
+
+        return;
+      }
+    }
+
+    setFlashSecondsRemaining(FLASH_SECONDS);
+    setFlashOverlayOpen(true);
+  }
+
+  async function prepareRouterEnv() {
+    try {
+      addLog(
+        'Requesting next available WireGuard IP from backend...',
+      );
+
+      const response = await vpnApi.availableIp();
+      const vpnIp = response.vpnIp;
+
+      const vpnParts = vpnIp.split('.');
+      const routerId =
+        vpnParts[vpnParts.length - 1] || '';
+
+      setRouterEnv((current) => ({
+        ...current,
+        routerId,
+        hostname: `Litoral_Regas_${routerId}`,
+        wgIp: vpnIp,
+      }));
+
+      addLog(
+        `Reserved next available WireGuard IP candidate: ${vpnIp}`,
+        'success',
+      );
+
+      setEnvModalOpen(true);
+    } catch (error) {
+      addLog(
+        `Failed to get available WireGuard IP: ${String(error)}`,
+        'error',
+      );
+    }
+  }
+
   return (
     <div className="flex h-full flex-col overflow-hidden">
-      <div className="mb-6 flex items-start justify-between">
+      <div className="mb-5 flex items-start justify-between">
         <div>
           <h1 className="text-3xl font-bold tracking-tight text-white">
             Provisioning
           </h1>
 
           <p className="mt-1 text-slate-400">
-            Safe router detection and SSH
-            inspection. No flashing or
-            configuration changes are performed.
+            Guided router provisioning from
+            detection to VPS peer registration.
           </p>
         </div>
 
-        <Badge tone={statusTone(status)}>
-          {status.replace(/_/g, ' ')}
-        </Badge>
+        <div className="flex items-center gap-3">
+          {provisioningStarted && (
+            <Button
+              type="button"
+              variant="danger"
+              onClick={() => setStopConfirmOpen(true)}
+              disabled={
+                status === 'flashing' ||
+                isReconnecting ||
+                isActionRunning
+              }
+            >
+              Stop Provisioning
+            </Button>
+          )}
+
+          <Badge tone={statusTone(status)}>
+            {statusLabel(status)}
+          </Badge>
+        </div>
       </div>
 
       <div className="grid min-h-0 flex-1 grid-cols-12 gap-5 overflow-hidden">
-        <Card className="col-span-7 flex flex-col">
-          <div className="mb-6 flex items-center gap-4">
-            <div className="rounded-2xl bg-blue-500/10 p-3 text-blue-300">
-              <Search size={24} />
+        <Card className="col-span-5 flex min-h-0 flex-col overflow-hidden">
+          <div
+            className={`min-h-0 flex-1 overflow-y-auto pr-1 ${scrollClass}`}
+          >
+            <div className="mb-5 flex items-center gap-4">
+              <div className="rounded-2xl bg-blue-500/10 p-3 text-blue-300">
+                <Search size={24} />
+              </div>
+
+              <div>
+                <h2 className="text-xl font-semibold text-white">
+                  Router Connection
+                </h2>
+
+                <p className="text-sm text-slate-400">
+                  Select target and validate SSH
+                  before provisioning.
+                </p>
+              </div>
             </div>
 
-            <div>
-              <h2 className="text-xl font-semibold text-white">
-                Safe Router Detection
-              </h2>
+            <div className="mb-4 grid grid-cols-2 gap-3">
+              <button
+                type="button"
+                disabled={controlsLocked}
+                onClick={() =>
+                  setProvisioningMode('full')
+                }
+                className={`rounded-2xl border p-4 text-left transition disabled:cursor-not-allowed disabled:opacity-60 ${provisioningMode === 'full'
+                  ? 'border-blue-500/40 bg-blue-500/10'
+                  : 'border-white/10 bg-white/[0.02]'
+                  }`}
+              >
+                <p className="font-semibold text-white">
+                  Full Provisioning
+                </p>
+                <p className="mt-1 text-xs text-slate-500">
+                  Flash firmware, reconnect, then provision.
+                </p>
+              </button>
 
-              <p className="text-sm text-slate-400">
-                Check reachability and attempt
-                read-only SSH inspection.
-              </p>
+              <button
+                type="button"
+                disabled={controlsLocked}
+                onClick={() =>
+                  setProvisioningMode('provision_only')
+                }
+                className={`rounded-2xl border p-4 text-left transition disabled:cursor-not-allowed disabled:opacity-60 ${provisioningMode === 'provision_only'
+                  ? 'border-blue-500/40 bg-blue-500/10'
+                  : 'border-white/10 bg-white/[0.02]'
+                  }`}
+              >
+                <p className="font-semibold text-white">
+                  Provision Only
+                </p>
+                <p className="mt-1 text-xs text-slate-500">
+                  Router is already flashed and stable.
+                </p>
+              </button>
             </div>
-          </div>
 
-          <div className="grid grid-cols-2 gap-3">
-            {ROUTER_IPS.map((ip) => {
-              const active = selectedIp === ip;
+            <div className="grid grid-cols-2 gap-3">
+              {routerPresets.map((preset) => {
+                const active =
+                  selectedIp === preset.ip &&
+                  customIp.trim() === '';
 
-              return (
-                <button
-                  key={ip}
-                  type="button"
-                  onClick={() => setSelectedIp(ip)}
-                  className={`rounded-2xl border p-4 text-left transition ${active
+                return (
+                  <button
+                    key={preset.ip}
+                    type="button"
+                    disabled={controlsLocked}
+                    onClick={() => {
+                      setSelectedIp(preset.ip);
+                      setRouterPassword(preset.password);
+                      setCustomIp('');
+                    }}
+                    className={`rounded-2xl border p-4 text-left transition disabled:cursor-not-allowed disabled:opacity-60 ${active
                       ? 'border-blue-500/40 bg-blue-500/10'
                       : 'border-white/10 bg-white/[0.02] hover:border-blue-500/20 hover:bg-white/[0.04]'
-                    }`}
-                >
-                  <div className="flex items-center gap-3">
+                      }`}
+                  >
                     <Network
                       size={18}
                       className={
@@ -283,148 +1204,213 @@ export function ProvisioningWizard() {
                       }
                     />
 
-                    <div>
-                      <p className="font-mono text-sm font-semibold text-white">
-                        {ip}
-                      </p>
+                    <p className="mt-3 font-mono text-sm font-semibold text-white">
+                      {preset.ip}
+                    </p>
 
-                      <p className="mt-1 text-xs text-slate-500">
-                        {ip === '192.168.1.1'
-                          ? 'Factory/default OpenWrt'
-                          : 'Provisioned Litoral Regas LAN'}
-                      </p>
-                    </div>
-                  </div>
-                </button>
-              );
-            })}
-          </div>
+                    <p className="mt-1 text-xs text-slate-500">
+                      {preset.label}
+                    </p>
 
-          <div className="mt-6 rounded-2xl border border-white/10 bg-slate-950/70 p-5">
-            <div className="flex items-start gap-4">
-              <div className="rounded-2xl bg-green-500/10 p-3 text-green-300">
-                <Wifi size={22} />
-              </div>
+                    <p className="mt-3 text-xs text-slate-500">
+                      Password:{' '}
+                      <span className="font-mono text-slate-300">
+                        {preset.password || 'empty'}
+                      </span>
+                    </p>
+                  </button>
+                );
+              })}
 
-              <div className="flex-1">
-                <p className="font-semibold text-white">
-                  Detection Target
-                </p>
-
-                <p className="mt-1 font-mono text-sm text-slate-400">
-                  root@{selectedIp}
-                </p>
-
-                <p className="mt-3 text-sm text-slate-400">
-                  Already provisioned routers
-                  use password{' '}
-                  <span className="font-mono text-slate-200">
-                    litoralr
-                  </span>
-                  .
-                </p>
-              </div>
-
-              <Badge tone={statusTone(status)}>
-                {status.replace(/_/g, ' ')}
-              </Badge>
-            </div>
-          </div>
-
-          <div className="mt-6 flex flex-wrap gap-3">
-            <Button
-              type="button"
-              onClick={detectRouter}
-              disabled={status === 'checking'}
-            >
-              <Search size={16} />
-              Detect Router
-            </Button>
-
-            <Button
-              type="button"
-              variant="secondary"
-              onClick={fixKnownHost}
-            >
-              <ShieldAlert size={16} />
-              Fix Known Host
-            </Button>
-          </div>
-
-          {(status === 'auth_required' ||
-            status === 'stale_host_key') && (
-              <div className="mt-6 rounded-2xl border border-purple-500/20 bg-purple-500/10 p-5">
-                <div className="flex gap-3">
-                  <AlertTriangle
-                    size={20}
-                    className="mt-0.5 text-purple-300"
+              <div
+                className={`col-span-2 rounded-2xl border p-4 transition ${customIp.trim()
+                  ? 'border-blue-500/40 bg-blue-500/10'
+                  : 'border-white/10 bg-white/[0.02]'
+                  }`}
+              >
+                <div className="mb-3 flex items-center gap-3">
+                  <Network
+                    size={18}
+                    className={
+                      customIp.trim()
+                        ? 'text-blue-300'
+                        : 'text-slate-500'
+                    }
                   />
 
                   <div>
-                    <p className="font-semibold text-purple-200">
-                      Manual SSH may be required
+                    <p className="text-sm font-semibold text-white">
+                      Custom Router Access
                     </p>
 
-                    <p className="mt-2 text-sm text-purple-100/80">
-                      Open a terminal and run:
+                    <p className="text-xs text-slate-500">
+                      Use this for non-standard router IPs
+                      or passwords.
                     </p>
+                  </div>
+                </div>
 
-                    <pre className="mt-3 rounded-xl bg-slate-950 p-3 font-mono text-sm text-slate-200">
-                      ssh root@{selectedIp}
-                    </pre>
+                <div className="grid grid-cols-2 gap-3">
+                  <div>
+                    <label className="mb-2 block text-xs font-medium uppercase tracking-wide text-slate-500">
+                      Router IP
+                    </label>
 
-                    <p className="mt-3 text-sm text-purple-100/80">
-                      Password for provisioned
-                      routers:
-                    </p>
+                    <input
+                      disabled={controlsLocked}
+                      value={customIp}
+                      onChange={(event) => {
+                        const value =
+                          event.target.value;
 
-                    <pre className="mt-3 rounded-xl bg-slate-950 p-3 font-mono text-sm text-slate-200">
-                      litoralr
-                    </pre>
+                        setCustomIp(value);
+                        setSelectedIp(value.trim());
+                      }}
+                      onFocus={() => {
+                        setSelectedIp(customIp.trim());
+                      }}
+                      placeholder="Example: 192.168.8.1"
+                      className="w-full rounded-xl border border-white/10 bg-slate-950 px-3 py-2 font-mono text-sm text-white outline-none transition focus:border-blue-500/40 disabled:cursor-not-allowed disabled:opacity-60"
+                    />
+                  </div>
 
-                    <p className="mt-3 text-sm text-purple-100/80">
-                      Once connected, run this
-                      read-only command:
-                    </p>
+                  <div>
+                    <label className="mb-2 block text-xs font-medium uppercase tracking-wide text-slate-500">
+                      SSH Password
+                    </label>
 
-                    <pre className="mt-3 rounded-xl bg-slate-950 p-3 font-mono text-sm text-slate-200">
-                      ubus call system board
-                    </pre>
+                    <input
+                      disabled={controlsLocked}
+                      type="password"
+                      value={customPassword}
+                      onChange={(event) =>
+                        setCustomPassword(
+                          event.target.value,
+                        )
+                      }
+                      onFocus={() => {
+                        if (customIp.trim()) {
+                          setSelectedIp(
+                            customIp.trim(),
+                          );
+                        }
+                      }}
+                      placeholder="Leave empty if no password"
+                      className="w-full rounded-xl border border-white/10 bg-slate-950 px-3 py-2 font-mono text-sm text-white outline-none transition focus:border-blue-500/40 disabled:cursor-not-allowed disabled:opacity-60"
+                    />
                   </div>
                 </div>
               </div>
-            )}
+            </div>
+
+            <div className="mt-4 rounded-2xl border border-white/10 bg-slate-950/70 p-4">
+              <div className="flex items-start gap-4">
+                <div className="rounded-2xl bg-green-500/10 p-3 text-green-300">
+                  <Wifi size={22} />
+                </div>
+
+                <div className="flex-1">
+                  <p className="font-semibold text-white">
+                    Detection Target
+                  </p>
+
+                  <p className="mt-1 font-mono text-sm text-slate-400">
+                    root@{selectedIp || '—'}
+                  </p>
+                </div>
+
+                <Badge tone={statusTone(status)}>
+                  {statusLabel(status)}
+                </Badge>
+              </div>
+            </div>
+
+            <div className="mt-4 flex flex-wrap gap-3">
+              <Button
+                type="button"
+                onClick={detectRouter}
+                disabled={
+                  controlsLocked ||
+                  status === 'checking' ||
+                  !selectedIp.trim()
+                }
+              >
+                <Search size={16} />
+                Detect Router
+              </Button>
+
+              <Button
+                type="button"
+                variant="secondary"
+                onClick={fixKnownHost}
+                disabled={
+                  controlsLocked ||
+                  !selectedIp.trim()
+                }
+              >
+                <ShieldAlert size={16} />
+                Fix Known Host
+              </Button>
+            </div>
+          </div>
         </Card>
 
-        <div className="col-span-5 flex min-h-0 flex-col gap-5">
-          <Card>
+        <div className="col-span-4 flex min-h-0 flex-col gap-5">
+          <Card className="flex min-h-0 flex-1 flex-col overflow-hidden">
             <div className="mb-4 flex items-center gap-3">
-              <div className="rounded-2xl bg-green-500/10 p-3 text-green-300">
-                <CheckCircle2 size={22} />
+              <div className="rounded-2xl bg-blue-500/10 p-3 text-blue-300">
+                <Rocket size={22} />
               </div>
 
               <div>
                 <h2 className="text-lg font-semibold text-white">
-                  Current Safety Scope
+                  Provisioning Flow
                 </h2>
 
                 <p className="text-sm text-slate-400">
-                  This screen is read-only.
+                  Full router onboarding sequence.
                 </p>
               </div>
             </div>
 
-            <div className="space-y-3 text-sm text-slate-300">
-              <p>✓ Ping reachability check</p>
-              <p>✓ SSH host key detection</p>
-              <p>✓ Read-only router inspection</p>
-              <p>✕ No firmware flashing</p>
-              <p>✕ No config upload</p>
-              <p>✕ No password changes</p>
+            <div
+              className={`min-h-0 flex-1 space-y-3 overflow-y-auto pr-1 ${scrollClass}`}
+            >
+              {workflowState.map((step) => (
+                <WorkflowStepCard
+                  key={step.id}
+                  title={step.title}
+                  description={step.description}
+                  icon={step.icon}
+                  status={step.status}
+                />
+              ))}
+            </div>
+
+            <div className="mt-4">
+              <Button
+                type="button"
+                onClick={continueProvisioning}
+                disabled={
+                  !canContinue ||
+                  status === 'flashing' ||
+                  isReconnecting ||
+                  isActionRunning
+                }
+              >
+                <Rocket size={16} />
+                {isActionRunning
+                  ? 'Working...'
+                  : isReconnecting
+                    ? 'Reconnecting...'
+                    : 'Continue Provisioning'}
+              </Button>
             </div>
           </Card>
+        </div>
 
-          <Card className="min-h-0 flex-1 overflow-hidden">
+        <div className="col-span-3 flex min-h-0 flex-col gap-5">
+          <Card className="flex min-h-0 flex-1 flex-col overflow-hidden">
             <div className="mb-4 flex items-center gap-3">
               <div className="rounded-2xl bg-blue-500/10 p-3 text-blue-300">
                 <Terminal size={22} />
@@ -436,29 +1422,551 @@ export function ProvisioningWizard() {
                 </h2>
 
                 <p className="text-sm text-slate-400">
-                  Output from ubus system board.
+                  ubus system board output.
                 </p>
               </div>
             </div>
 
-            <pre className="min-h-[180px] overflow-auto whitespace-pre-wrap rounded-2xl border border-white/10 bg-slate-950 p-4 font-mono text-xs text-slate-300">
-              {routerInfo ||
-                'No router information captured yet.'}
+            <pre
+              className={`min-h-0 flex-1 overflow-auto whitespace-pre-wrap rounded-2xl border border-white/10 bg-slate-950 p-4 font-mono text-xs text-slate-300 ${scrollClass}`}
+            >
+              {routerInfo || 'No router information captured yet.'}
             </pre>
           </Card>
         </div>
       </div>
 
-      <Card className="mt-5 max-h-44 overflow-hidden">
-        <h3 className="mb-3 font-semibold text-white">
+      <Card className="mt-4 flex h-52 flex-col overflow-hidden">
+        <h3 className="mb-2 text-sm font-semibold text-white">
           Technician Log
         </h3>
 
-        <pre className="max-h-28 overflow-auto whitespace-pre-wrap text-sm text-slate-300">
-          {log.join('\n') ||
-            'No provisioning activity yet.'}
+        <pre
+          className={`min-h-0 flex-1 overflow-auto whitespace-pre-wrap break-words rounded-xl border border-white/10 bg-slate-950/70 p-3 font-mono text-sm text-slate-300 ${scrollClass}`}
+        >
+          {log.join('\n') || 'No provisioning activity yet.'}
         </pre>
       </Card>
+
+      {confirmFlashOpen && (
+        <ConfirmFlashModal
+          selectedIp={selectedIp}
+          onCancel={() => setConfirmFlashOpen(false)}
+          onConfirm={confirmAndFlashRouter}
+        />
+      )}
+
+      {flashOverlayOpen && (
+        <FlashOverlay
+          flashSecondsRemaining={flashSecondsRemaining}
+          flashProgress={flashProgress}
+        />
+      )}
+
+      {provisionOverlayOpen && (
+        <ProvisionOverlay
+          provisionSecondsRemaining={provisionSecondsRemaining}
+          provisionProgress={
+            ((PROVISION_SECONDS - provisionSecondsRemaining) /
+              PROVISION_SECONDS) *
+            100
+          }
+        />
+      )}
+
+      {envModalOpen && (
+        <RouterEnvModal
+          routerEnv={routerEnv}
+          setRouterEnv={setRouterEnv}
+          onCancel={() => setEnvModalOpen(false)}
+          onUpload={uploadProvisioningBundle}
+        />
+      )}
+
+      {stopConfirmOpen && (
+        <StopProvisioningModal
+          value={stopConfirmText}
+          onChange={setStopConfirmText}
+          onCancel={() => {
+            setStopConfirmOpen(false);
+            setStopConfirmText('');
+          }}
+          onConfirm={() => resetProvisioning(true)}
+          canConfirm={stopConfirmText === stopPhrase}
+        />
+      )}
+
+      {setupCompleteOpen && (
+        <SetupCompleteModal
+          routerId={routerEnv.routerId}
+          hostname={routerEnv.hostname}
+          wgIp={routerEnv.wgIp}
+          onClose={finishProvisioning}
+        />
+      )}
+    </div>
+  );
+}
+
+function RouterEnvModal({
+  routerEnv,
+  setRouterEnv,
+  onCancel,
+  onUpload,
+}: {
+  routerEnv: RouterEnvForm;
+  setRouterEnv: React.Dispatch<
+    React.SetStateAction<RouterEnvForm>
+  >;
+  onCancel: () => void;
+  onUpload: () => void;
+}) {
+  function updateField(
+    field: keyof RouterEnvForm,
+    value: string,
+  ) {
+    setRouterEnv((current) => ({
+      ...current,
+      [field]: value,
+    }));
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/75 backdrop-blur-sm">
+      <div className="w-full max-w-3xl rounded-3xl border border-blue-500/30 bg-slate-950 p-6 shadow-2xl shadow-blue-500/10">
+        <div className="mb-5 flex items-center gap-4">
+          <div className="rounded-2xl bg-blue-500/10 p-3 text-blue-300">
+            <FileUp size={26} />
+          </div>
+
+          <div>
+            <h2 className="text-2xl font-bold text-white">
+              Router Environment
+            </h2>
+
+            <p className="text-sm text-slate-400">
+              Values used to generate router.env before upload.
+            </p>
+          </div>
+        </div>
+
+        <div className="grid grid-cols-2 gap-4">
+          <EnvInput
+            label="Router ID"
+            value={routerEnv.routerId}
+            onChange={(value) => updateField('routerId', value)}
+            placeholder="203"
+          />
+
+          <EnvInput
+            label="Hostname"
+            value={routerEnv.hostname}
+            onChange={(value) => updateField('hostname', value)}
+            placeholder="Litoral_Regas_203"
+          />
+
+          <EnvInput
+            label="WireGuard IP"
+            value={routerEnv.wgIp}
+            onChange={(value) => updateField('wgIp', value)}
+            placeholder="198.19.1.203"
+          />
+
+          <EnvInput
+            label="Root Password"
+            value={routerEnv.rootPassword}
+            onChange={(value) => updateField('rootPassword', value)}
+            placeholder="litoralr"
+            type="password"
+          />
+        </div>
+
+        <div className="mt-5 rounded-2xl border border-white/10 bg-white/[0.02] p-4">
+          <p className="text-xs font-semibold uppercase tracking-wide text-slate-500">
+            Static router.env values
+          </p>
+
+          <div className="mt-3 grid grid-cols-2 gap-3 font-mono text-xs text-slate-300">
+            <p>LAN_IP=198.51.100.1</p>
+            <p>LAN_NETMASK=255.255.255.0</p>
+            <p>WG_CIDR=32</p>
+            <p>WG_SERVER_HOST=146.59.230.190</p>
+            <p>WG_SERVER_PORT=4999</p>
+            <p>CONTROLLER_IP=198.51.100.10</p>
+            <p>PLC_IP=198.51.100.50</p>
+            <p className="truncate">
+              WG_SERVER_PUBLIC_KEY=eSe9hH/X1tcAqGo09hDHvOXmy6o6NPk5sPwCzMXE7kc=
+            </p>
+          </div>
+        </div>
+
+        <div className="mt-6 flex justify-end gap-3">
+          <Button type="button" variant="secondary" onClick={onCancel}>
+            Cancel
+          </Button>
+
+          <Button type="button" onClick={onUpload}>
+            <FileUp size={16} />
+            Upload Bundle
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function EnvInput({
+  label,
+  value,
+  onChange,
+  placeholder,
+  type = 'text',
+}: {
+  label: string;
+  value: string;
+  onChange: (value: string) => void;
+  placeholder?: string;
+  type?: string;
+}) {
+  return (
+    <div>
+      <label className="mb-2 block text-xs font-medium uppercase tracking-wide text-slate-500">
+        {label}
+      </label>
+
+      <input
+        type={type}
+        value={value}
+        onChange={(event) => onChange(event.target.value)}
+        placeholder={placeholder}
+        className="w-full rounded-xl border border-white/10 bg-slate-950 px-3 py-2 font-mono text-sm text-white outline-none transition focus:border-blue-500/40"
+      />
+    </div>
+  );
+}
+
+function ConfirmFlashModal({
+  selectedIp,
+  onCancel,
+  onConfirm,
+}: {
+  selectedIp: string;
+  onCancel: () => void;
+  onConfirm: () => void;
+}) {
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/75 backdrop-blur-sm">
+      <div className="w-full max-w-xl rounded-3xl border border-red-500/30 bg-slate-950 p-6 shadow-2xl shadow-red-500/10">
+        <div className="flex gap-4">
+          <div className="rounded-2xl bg-red-500/10 p-3 text-red-300">
+            <AlertTriangle size={28} />
+          </div>
+
+          <div>
+            <h2 className="text-2xl font-bold text-white">
+              Confirm Firmware Flash
+            </h2>
+
+            <p className="mt-3 text-sm leading-6 text-slate-300">
+              This will run{' '}
+              <span className="font-mono text-red-200">
+                sysupgrade -n /tmp/firmware.bin
+              </span>{' '}
+              on router{' '}
+              <span className="font-mono text-red-200">
+                {selectedIp}
+              </span>
+              . The SSH session will drop and the router may be unreachable for several minutes.
+            </p>
+
+            <div className="mt-5 rounded-2xl border border-red-500/20 bg-red-500/10 p-4 text-sm text-red-100">
+              Do not unplug router power. Do not close this application.
+            </div>
+
+            <div className="mt-6 flex justify-end gap-3">
+              <Button type="button" variant="secondary" onClick={onCancel}>
+                Cancel
+              </Button>
+
+              <Button type="button" onClick={onConfirm} className="bg-red-500 hover:bg-red-400">
+                <Cpu size={16} />
+                Flash Router
+              </Button>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function FlashOverlay({
+  flashSecondsRemaining,
+  flashProgress,
+}: {
+  flashSecondsRemaining: number;
+  flashProgress: number;
+}) {
+  return (
+    <div className="fixed inset-0 z-[60] flex items-center justify-center bg-black/85 backdrop-blur-md">
+      <div className="w-full max-w-2xl rounded-3xl border border-purple-500/30 bg-slate-950 p-8 shadow-2xl shadow-purple-500/20">
+        <div className="flex items-start gap-5">
+          <div className="rounded-3xl bg-purple-500/10 p-4 text-purple-300">
+            <RefreshCw size={34} className="animate-spin" />
+          </div>
+
+          <div className="flex-1">
+            <h2 className="text-3xl font-bold text-white">
+              Flashing router firmware
+            </h2>
+
+            <p className="mt-3 leading-7 text-slate-300">
+              The router is applying firmware and rebooting. The SSH session will be unavailable during this window.
+            </p>
+
+            <div className="mt-6 rounded-2xl border border-white/10 bg-white/[0.03] p-5">
+              <div className="mb-3 flex items-center justify-between text-sm">
+                <span className="text-slate-400">
+                  Protected wait window
+                </span>
+
+                <span className="font-mono text-purple-200">
+                  {formatSeconds(flashSecondsRemaining)}
+                </span>
+              </div>
+
+              <div className="h-3 overflow-hidden rounded-full bg-slate-800">
+                <div
+                  className="h-full rounded-full bg-purple-400 transition-all duration-1000"
+                  style={{ width: `${flashProgress}%` }}
+                />
+              </div>
+            </div>
+
+            <div className="mt-6 rounded-2xl border border-red-500/20 bg-red-500/10 p-4 text-sm leading-6 text-red-100">
+              Do not unplug power. Do not close this app. Wait for this screen to finish before touching the Ethernet cable.
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function ProvisionOverlay({
+  provisionSecondsRemaining,
+  provisionProgress,
+}: {
+  provisionSecondsRemaining: number;
+  provisionProgress: number;
+}) {
+  return (
+    <div className="fixed inset-0 z-[60] flex items-center justify-center bg-black/85 backdrop-blur-md">
+      <div className="w-full max-w-2xl rounded-3xl border border-blue-500/30 bg-slate-950 p-8 shadow-2xl shadow-blue-500/20">
+        <div className="flex items-start gap-5">
+          <div className="rounded-3xl bg-blue-500/10 p-4 text-blue-300">
+            <RefreshCw size={34} className="animate-spin" />
+          </div>
+
+          <div className="flex-1">
+            <h2 className="text-3xl font-bold text-white">
+              Applying router provisioning
+            </h2>
+
+            <p className="mt-3 leading-7 text-slate-300">
+              The router is changing LAN, firewall, WireGuard, LuCI,
+              and root password settings. SSH or Ethernet may drop during this step.
+            </p>
+
+            <div className="mt-6 rounded-2xl border border-white/10 bg-white/[0.03] p-5">
+              <div className="mb-3 flex items-center justify-between text-sm">
+                <span className="text-slate-400">
+                  Protected provisioning window
+                </span>
+
+                <span className="font-mono text-blue-200">
+                  {formatSeconds(provisionSecondsRemaining)}
+                </span>
+              </div>
+
+              <div className="h-3 overflow-hidden rounded-full bg-slate-800">
+                <div
+                  className="h-full rounded-full bg-blue-400 transition-all duration-1000"
+                  style={{ width: `${provisionProgress}%` }}
+                />
+              </div>
+            </div>
+
+            <div className="mt-6 rounded-2xl border border-yellow-500/20 bg-yellow-500/10 p-4 text-sm leading-6 text-yellow-100">
+              Do not unplug power. When this timer finishes, unplug and replug Ethernet,
+              then continue to verify WireGuard and register the VPS peer.
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function StopProvisioningModal({
+  value,
+  onChange,
+  onCancel,
+  onConfirm,
+  canConfirm,
+}: {
+  value: string;
+  onChange: (value: string) => void;
+  onCancel: () => void;
+  onConfirm: () => void;
+  canConfirm: boolean;
+}) {
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/75 backdrop-blur-sm">
+      <div className="w-full max-w-xl rounded-3xl border border-red-500/30 bg-slate-950 p-6 shadow-2xl shadow-red-500/10">
+        <div className="flex gap-4">
+          <div className="rounded-2xl bg-red-500/10 p-3 text-red-300">
+            <AlertTriangle size={28} />
+          </div>
+
+          <div className="flex-1">
+            <h2 className="text-2xl font-bold text-white">
+              Stop Provisioning?
+            </h2>
+
+            <p className="mt-3 text-sm leading-6 text-slate-300">
+              Stopping in the middle of provisioning can leave the router in a partial or broken state. Only continue if you know the current router state is safe.
+            </p>
+
+            <p className="mt-5 text-sm text-slate-400">
+              Type{' '}
+              <span className="font-mono text-red-200">
+                {stopPhrase}
+              </span>{' '}
+              to confirm.
+            </p>
+
+            <input
+              value={value}
+              onChange={(event) => onChange(event.target.value)}
+              className="mt-3 w-full rounded-xl border border-red-500/20 bg-slate-950 px-3 py-2 font-mono text-sm text-white outline-none focus:border-red-400/50"
+            />
+
+            <div className="mt-6 flex justify-end gap-3">
+              <Button type="button" variant="secondary" onClick={onCancel}>
+                Cancel
+              </Button>
+
+              <Button
+                type="button"
+                variant="danger"
+                disabled={!canConfirm}
+                onClick={onConfirm}
+              >
+                Stop Provisioning
+              </Button>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function WorkflowStepCard({
+  title,
+  description,
+  icon: Icon,
+  status,
+}: {
+  title: string;
+  description: string;
+  icon: typeof Search;
+  status: StepStatus;
+}) {
+  const active = status === 'active';
+  const done = status === 'done';
+  const blocked = status === 'blocked';
+
+  return (
+    <div
+      className={`rounded-2xl border p-3 transition ${done
+        ? 'border-green-500/30 bg-green-500/10'
+        : active
+          ? 'border-blue-500/40 bg-blue-500/10'
+          : blocked
+            ? 'border-white/5 bg-white/[0.015] opacity-60'
+            : 'border-white/10 bg-white/[0.02]'
+        }`}
+    >
+      <div className="flex gap-3">
+        <div
+          className={`rounded-xl p-2 ${done
+            ? 'bg-green-500/10 text-green-300'
+            : active
+              ? 'bg-blue-500/10 text-blue-300'
+              : 'bg-slate-900 text-slate-500'
+            }`}
+        >
+          <Icon size={16} />
+        </div>
+
+        <div>
+          <p className="text-sm font-semibold text-white">
+            {title}
+          </p>
+
+          <p className="mt-1 text-xs leading-5 text-slate-500">
+            {description}
+          </p>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function SetupCompleteModal({
+  routerId,
+  hostname,
+  wgIp,
+  onClose,
+}: {
+  routerId: string;
+  hostname: string;
+  wgIp: string;
+  onClose: () => void;
+}) {
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/75 backdrop-blur-sm">
+      <div className="w-full max-w-xl rounded-3xl border border-green-500/30 bg-slate-950 p-6 shadow-2xl shadow-green-500/10">
+        <div className="flex gap-4">
+          <div className="rounded-2xl bg-green-500/10 p-3 text-green-300">
+            <CheckCircle2 size={30} />
+          </div>
+
+          <div className="flex-1">
+            <h2 className="text-2xl font-bold text-white">
+              Router setup completed
+            </h2>
+
+            <p className="mt-3 text-sm leading-6 text-slate-300">
+              Router provisioning finished successfully and the VPS WireGuard peer was registered.
+            </p>
+
+            <div className="mt-5 rounded-2xl border border-white/10 bg-white/[0.03] p-4 font-mono text-sm text-slate-300">
+              <p>ROUTER_ID={routerId}</p>
+              <p>HOSTNAME={hostname}</p>
+              <p>WG_IP={wgIp}</p>
+            </div>
+
+            <div className="mt-6 flex justify-end">
+              <Button type="button" onClick={onClose}>
+                Done
+              </Button>
+            </div>
+          </div>
+        </div>
+      </div>
     </div>
   );
 }
\ No newline at end of file
diff --git a/src/components/settings/BackendSettings.tsx b/src/components/settings/BackendSettings.tsx
index 9f4b5c6..1424360 100644
--- a/src/components/settings/BackendSettings.tsx
+++ b/src/components/settings/BackendSettings.tsx
@@ -24,7 +24,7 @@ const DEFAULT_ROUTER_IP = '198.51.100.1';
 const DEFAULT_CONTROLLER_IP = '198.51.100.10';
 const DEFAULT_PLC_IP = '198.51.100.50';
 const DEFAULT_FIRMWARE =
-  'openwrt-23.05-zbt-we826-16m.bin';
+  'openwrt-23.05.5-zbt-we826-16m-litoral-golden-sysupgrade.bin';
 
 export function BackendSettings() {
   const [settings, setSettings] =