diff --git a/.dockerignore b/.dockerignore
index 4ab6ed1..3b21c46 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,7 +4,6 @@ node_modules
 frontend/node_modules
 frontend/dist
 frontend/.vite
-media
 docs
 __pycache__
 .venv
diff --git a/Dockerfile.frontend b/Dockerfile.frontend
index 9e7c60f..a2610e7 100644
--- a/Dockerfile.frontend
+++ b/Dockerfile.frontend
@@ -6,6 +6,7 @@ COPY frontend/package*.json ./
 RUN npm ci --ignore-scripts
 
 COPY frontend/ ./
+COPY media/ ./public/media/
 RUN npm run build
 
 # Runtime stage
diff --git a/backend/atlas_portal/routes/access_requests.py b/backend/atlas_portal/routes/access_requests.py
index 4e0b5f5..9740b05 100644
--- a/backend/atlas_portal/routes/access_requests.py
+++ b/backend/atlas_portal/routes/access_requests.py
@@ -148,66 +148,81 @@ def _verify_request(conn, code: str, token: str) -> str:
 
 ONBOARDING_STEPS: tuple[str, ...] = (
     "vaultwarden_master_password",
+    "vaultwarden_browser_extension",
+    "vaultwarden_mobile_app",
     "keycloak_password_rotated",
     "element_recovery_key",
     "element_recovery_key_stored",
-    "firefly_login",
-    "health_data_notice",
-    "wger_login",
-    "vaultwarden_browser_extension",
-    "vaultwarden_desktop_app",
-    "vaultwarden_mobile_app",
-    "elementx_setup",
-    "jellyfin_login",
+    "element_mobile_app",
     "mail_client_setup",
-    "actual_login",
-    "outline_login",
-    "planka_login",
-    "keycloak_mfa_optional",
+    "nextcloud_web_access",
+    "nextcloud_mail_integration",
+    "nextcloud_desktop_app",
+    "nextcloud_mobile_app",
+    "budget_encryption_ack",
+    "firefly_password_rotated",
+    "wger_password_rotated",
+    "jellyfin_web_access",
+    "jellyfin_mobile_app",
+    "jellyfin_tv_setup",
 )
 
 ONBOARDING_OPTIONAL_STEPS: set[str] = {
-    "vaultwarden_browser_extension",
-    "vaultwarden_desktop_app",
-    "vaultwarden_mobile_app",
-    "elementx_setup",
-    "jellyfin_login",
-    "mail_client_setup",
-    "actual_login",
-    "outline_login",
-    "planka_login",
-    "keycloak_mfa_optional",
+    "element_mobile_app",
+    "nextcloud_desktop_app",
+    "nextcloud_mobile_app",
+    "jellyfin_web_access",
+    "jellyfin_mobile_app",
+    "jellyfin_tv_setup",
 }
-ONBOARDING_REQUIRED_STEPS: tuple[str, ...] = tuple(
-    step for step in ONBOARDING_STEPS if step not in ONBOARDING_OPTIONAL_STEPS
+ONBOARDING_REQUIRED_STEPS: tuple[str, ...] = (
+    "vaultwarden_master_password",
+    "vaultwarden_browser_extension",
+    "vaultwarden_mobile_app",
+    "keycloak_password_rotated",
+    "element_recovery_key",
+    "element_recovery_key_stored",
+    "mail_client_setup",
+    "nextcloud_web_access",
+    "nextcloud_mail_integration",
+    "budget_encryption_ack",
+    "firefly_password_rotated",
+    "wger_password_rotated",
 )
 
-KEYCLOAK_MANAGED_STEPS: set[str] = {"keycloak_password_rotated"}
-_KEYCLOAK_MFA_OPTIONAL_STATE_ARTIFACT = "keycloak_mfa_optional_state"
-_KEYCLOAK_MFA_OPTIONAL_VALID_STATES = {"done", "skipped"}
+KEYCLOAK_MANAGED_STEPS: set[str] = {
+    "keycloak_password_rotated",
+    "vaultwarden_master_password",
+    "nextcloud_mail_integration",
+    "firefly_password_rotated",
+    "wger_password_rotated",
+}
 _KEYCLOAK_PASSWORD_ROTATION_REQUESTED_ARTIFACT = "keycloak_password_rotation_requested_at"
 
-
-def _sequential_prerequisites(
-    steps: tuple[str, ...],
-    optional_steps: set[str],
-) -> dict[str, set[str]]:
-    completed: list[str] = []
-    prerequisites: dict[str, set[str]] = {}
-    for step in steps:
-        prerequisites[step] = set(completed)
-        if step not in optional_steps:
-            completed.append(step)
-    return prerequisites
-
-
-ONBOARDING_STEP_PREREQUISITES: dict[str, set[str]] = _sequential_prerequisites(
-    ONBOARDING_STEPS,
-    ONBOARDING_OPTIONAL_STEPS,
-)
+ONBOARDING_STEP_PREREQUISITES: dict[str, set[str]] = {
+    "vaultwarden_master_password": set(),
+    "vaultwarden_browser_extension": {"vaultwarden_master_password"},
+    "vaultwarden_mobile_app": {"vaultwarden_master_password"},
+    "keycloak_password_rotated": {"vaultwarden_master_password"},
+    "element_recovery_key": {"keycloak_password_rotated"},
+    "element_recovery_key_stored": {"element_recovery_key"},
+    "element_mobile_app": {"element_recovery_key"},
+    "mail_client_setup": {"vaultwarden_master_password"},
+    "nextcloud_web_access": {"vaultwarden_master_password"},
+    "nextcloud_mail_integration": {"nextcloud_web_access"},
+    "nextcloud_desktop_app": {"nextcloud_web_access"},
+    "nextcloud_mobile_app": {"nextcloud_web_access"},
+    "budget_encryption_ack": {"nextcloud_mail_integration"},
+    "firefly_password_rotated": {"element_recovery_key_stored"},
+    "wger_password_rotated": {"firefly_password_rotated"},
+    "jellyfin_web_access": {"vaultwarden_master_password"},
+    "jellyfin_mobile_app": {"jellyfin_web_access"},
+    "jellyfin_tv_setup": {"jellyfin_web_access"},
+}
 
 _ELEMENT_RECOVERY_ARTIFACT = "element_recovery_key_sha256"
 _SHA256_HEX_RE = re.compile(r"^[0-9a-f]{64}$")
+_VAULTWARDEN_READY_STATUSES = {"already_present", "active", "ready"}
 
 
 def _normalize_status(status: str) -> str:
@@ -243,6 +258,45 @@ def _password_rotation_requested(conn, request_code: str) -> bool:
     return bool(row)
 
 
+def _extract_attr(attrs: Any, key: str) -> str:
+    if not isinstance(attrs, dict):
+        return ""
+    raw = attrs.get(key)
+    if isinstance(raw, list):
+        for item in raw:
+            if isinstance(item, str) and item.strip():
+                return item.strip()
+        return ""
+    if isinstance(raw, str) and raw.strip():
+        return raw.strip()
+    return ""
+
+
+def _auto_completed_service_steps(attrs: Any) -> set[str]:
+    completed: set[str] = set()
+    if not isinstance(attrs, dict):
+        return completed
+
+    vaultwarden_status = _extract_attr(attrs, "vaultwarden_status")
+    vaultwarden_master = _extract_attr(attrs, "vaultwarden_master_password_set_at")
+    if vaultwarden_master or vaultwarden_status in _VAULTWARDEN_READY_STATUSES:
+        completed.add("vaultwarden_master_password")
+
+    nextcloud_synced_at = _extract_attr(attrs, "nextcloud_mail_synced_at")
+    if nextcloud_synced_at:
+        completed.add("nextcloud_mail_integration")
+
+    firefly_rotated_at = _extract_attr(attrs, "firefly_password_rotated_at")
+    if firefly_rotated_at:
+        completed.add("firefly_password_rotated")
+
+    wger_rotated_at = _extract_attr(attrs, "wger_password_rotated_at")
+    if wger_rotated_at:
+        completed.add("wger_password_rotated")
+
+    return completed
+
+
 def _auto_completed_keycloak_steps(conn, request_code: str, username: str) -> set[str]:
     if not username:
         return set()
@@ -264,6 +318,9 @@ def _auto_completed_keycloak_steps(conn, request_code: str, username: str) -> se
         except Exception:
             full = user if isinstance(user, dict) else {}
 
+        attrs = full.get("attributes") if isinstance(full, dict) else {}
+        completed |= _auto_completed_service_steps(attrs)
+
         actions = full.get("requiredActions")
         required_actions: set[str] = set()
         actions_list: list[str] = []
@@ -352,26 +409,6 @@ def _advance_status(conn, request_code: str, username: str, status: str) -> str:
     return status
 
 
-def _fetch_optional_mfa_state(conn, request_code: str) -> str:
-    row = conn.execute(
-        """
-        SELECT value_hash
-        FROM access_request_onboarding_artifacts
-        WHERE request_code = %s AND artifact = %s
-        """,
-        (request_code, _KEYCLOAK_MFA_OPTIONAL_STATE_ARTIFACT),
-    ).fetchone()
-    if not row:
-        return "pending"
-    value = row.get("value_hash") if isinstance(row, dict) else None
-    if not isinstance(value, str):
-        return "pending"
-    cleaned = value.strip().lower()
-    if cleaned in _KEYCLOAK_MFA_OPTIONAL_VALID_STATES:
-        return cleaned
-    return "pending"
-
-
 def _onboarding_payload(conn, request_code: str, username: str) -> dict[str, Any]:
     completed_steps = sorted(_completed_onboarding_steps(conn, request_code, username))
     password_rotation_requested = _password_rotation_requested(conn, request_code)
@@ -382,11 +419,6 @@ def _onboarding_payload(conn, request_code: str, username: str) -> dict[str, Any
         "keycloak": {
             "password_rotation_requested": password_rotation_requested,
         },
-        "optional": {
-            "keycloak_mfa_optional": {
-                "state": _fetch_optional_mfa_state(conn, request_code),
-            }
-        },
     }
 
 
@@ -1066,70 +1098,3 @@ def register(app) -> None:
             return jsonify({"error": "failed to request password rotation"}), 502
 
         return jsonify({"ok": True, "status": status, "onboarding": onboarding_payload})
-
-    @app.route("/api/access/request/onboarding/mfa", methods=["POST"])
-    @require_auth
-    def request_access_onboarding_mfa_optional() -> Any:
-        if not configured():
-            return jsonify({"error": "server not configured"}), 503
-
-        payload = request.get_json(silent=True) or {}
-        code = (payload.get("request_code") or payload.get("code") or "").strip()
-        state = (payload.get("state") or "").strip().lower()
-
-        if not code:
-            return jsonify({"error": "request_code is required"}), 400
-        if state not in _KEYCLOAK_MFA_OPTIONAL_VALID_STATES:
-            return jsonify({"error": "invalid state"}), 400
-
-        username = getattr(g, "keycloak_username", "") or ""
-        if not username:
-            return jsonify({"error": "invalid token"}), 401
-
-        try:
-            with connect() as conn:
-                row = conn.execute(
-                    "SELECT username, status FROM access_requests WHERE request_code = %s",
-                    (code,),
-                ).fetchone()
-                if not row:
-                    return jsonify({"error": "not found"}), 404
-                if (row.get("username") or "") != username:
-                    return jsonify({"error": "forbidden"}), 403
-
-                status = _normalize_status(row.get("status") or "")
-                if status not in {"awaiting_onboarding", "ready"}:
-                    return jsonify({"error": "onboarding not available"}), 409
-
-                prerequisites = ONBOARDING_STEP_PREREQUISITES.get("keycloak_mfa_optional", set())
-                if prerequisites:
-                    current_completed = _completed_onboarding_steps(conn, code, username)
-                    missing = sorted(prerequisites - current_completed)
-                    if missing:
-                        return jsonify({"error": "step is blocked", "blocked_by": missing}), 409
-
-                conn.execute(
-                    """
-                    INSERT INTO access_request_onboarding_artifacts (request_code, artifact, value_hash)
-                    VALUES (%s, %s, %s)
-                    ON CONFLICT (request_code, artifact) DO UPDATE
-                      SET value_hash = EXCLUDED.value_hash,
-                          created_at = NOW()
-                    """,
-                    (code, _KEYCLOAK_MFA_OPTIONAL_STATE_ARTIFACT, state),
-                )
-                conn.execute(
-                    """
-                    INSERT INTO access_request_onboarding_steps (request_code, step)
-                    VALUES (%s, %s)
-                    ON CONFLICT (request_code, step) DO NOTHING
-                    """,
-                    (code, "keycloak_mfa_optional"),
-                )
-
-                status = _advance_status(conn, code, username, status)
-                onboarding_payload = _onboarding_payload(conn, code, username)
-        except Exception:
-            return jsonify({"error": "failed to update onboarding"}), 502
-
-        return jsonify({"ok": True, "status": status, "onboarding": onboarding_payload})
diff --git a/frontend/package.json b/frontend/package.json
index 55050ef..1231c14 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -5,6 +5,7 @@
   "type": "module",
   "scripts": {
     "dev": "vite",
+    "prebuild": "node scripts/build_media_manifest.mjs",
     "build": "vite build",
     "preview": "vite preview"
   },
diff --git a/frontend/scripts/build_media_manifest.mjs b/frontend/scripts/build_media_manifest.mjs
new file mode 100644
index 0000000..8994835
--- /dev/null
+++ b/frontend/scripts/build_media_manifest.mjs
@@ -0,0 +1,42 @@
+import { promises as fs } from "fs";
+import path from "path";
+
+const ROOT = path.resolve("public", "media", "onboarding");
+const MANIFEST = path.join(ROOT, "manifest.json");
+const EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".webp"]);
+
+async function walk(dir, base = "") {
+  const entries = await fs.readdir(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    const rel = path.join(base, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...(await walk(full, rel)));
+    } else if (EXTENSIONS.has(path.extname(entry.name).toLowerCase())) {
+      files.push(rel.replace(/\\/g, "/"));
+    }
+  }
+  return files;
+}
+
+async function ensureDir(dir) {
+  await fs.mkdir(dir, { recursive: true });
+}
+
+async function main() {
+  try {
+    await ensureDir(ROOT);
+    const files = await walk(ROOT).catch(() => []);
+    const payload = {
+      generated_at: new Date().toISOString(),
+      files: files.sort(),
+    };
+    await fs.writeFile(MANIFEST, JSON.stringify(payload, null, 2));
+  } catch (err) {
+    console.error("Failed to build onboarding media manifest", err);
+    process.exitCode = 1;
+  }
+}
+
+await main();
diff --git a/frontend/src/views/OnboardingView.vue b/frontend/src/views/OnboardingView.vue
index 95f5039..77a11cf 100644
--- a/frontend/src/views/OnboardingView.vue
+++ b/frontend/src/views/OnboardingView.vue
@@ -17,7 +17,13 @@
       </div>
 
       <div class="status-form">
-        <input v-model="requestCode" class="input mono" type="text" placeholder="username~XXXXXXXXXX" :disabled="loading" />
+        <input
+          v-model="requestCode"
+          class="input mono"
+          type="text"
+          placeholder="username~XXXXXXXXXX"
+          :disabled="loading"
+        />
         <button class="primary" type="button" @click="check" :disabled="loading || !requestCode.trim()">
           {{ loading ? "Checking..." : "Check" }}
         </button>
@@ -36,7 +42,8 @@
       <div v-if="status === 'pending_email_verification'" class="steps">
         <h3>Confirm your email</h3>
         <p class="muted">
-          Open the verification email from Atlas and click the link to confirm your address. After verification, an admin can approve your request.
+          Open the verification email from Atlas and click the link to confirm your address. After verification, an admin can
+          approve your request.
         </p>
         <p class="muted">
           If you did not receive an email, return to
@@ -52,9 +59,7 @@
 
       <div v-if="status === 'accounts_building'" class="steps">
         <h3>Accounts building</h3>
-        <p class="muted">
-          Your request is approved. Atlas is now preparing accounts and credentials. Check back in a minute.
-        </p>
+        <p class="muted">Your request is approved. Atlas is now preparing accounts and credentials. Check back in a minute.</p>
         <div v-if="tasks.length" class="task-box">
           <div class="module-head" style="margin-bottom: 10px;">
             <h3>Automation</h3>
@@ -75,410 +80,193 @@
         </div>
       </div>
 
-      <div v-if="status === 'awaiting_onboarding' || status === 'ready'" class="steps">
+      <div v-if="showOnboarding" class="steps">
         <div class="onboarding-head">
-          <h3>Onboarding checklist</h3>
+          <div>
+            <h3>Onboarding</h3>
+            <p class="muted">
+              Onboarding is fully self-service. Work through each section in order; you can pause and return later. Vaultwarden
+              comes first because it stores every credential that follows.
+            </p>
+          </div>
           <span class="pill mono" :class="status === 'ready' ? 'pill-info' : 'pill-ok'">
             {{ status === "ready" ? "ready" : "in progress" }}
           </span>
         </div>
 
-        <p class="muted">
-          Some steps are verified automatically from Keycloak (password). Others can't be verified yet — mark them complete once you're done.
-        </p>
-
-        <div v-if="initialPassword" class="initial-password">
-          <h3>Temporary password</h3>
-          <p class="muted">
-            Use this password to log in for the first time (Nextcloud, Element). You won't be forced to change it
-            immediately — you'll rotate it after Vaultwarden is set up. This password is shown once — copy it now. If you
-            refresh this page, it may disappear.
-          </p>
-          <div class="request-code-row">
-            <span class="label mono">Password</span>
-            <button class="copy mono" type="button" @click="copyInitialPassword">
-              {{ initialPassword }}
-              <span v-if="copied" class="copied">copied</span>
+        <ol class="section-stepper">
+          <li v-for="(section, index) in sections" :key="section.id" class="stepper-item">
+            <button
+              class="stepper-card"
+              :class="sectionCardClass(section)"
+              :disabled="isSectionLocked(section)"
+              type="button"
+              @click="selectSection(section.id)"
+            >
+              <span class="stepper-dot" aria-hidden="true"></span>
+              <div class="stepper-body">
+                <div class="stepper-title">{{ index + 1 }}. {{ section.title }}</div>
+                <div class="stepper-meta">
+                  <span class="pill mono" :class="sectionPillClass(section)">{{ sectionStatusLabel(section) }}</span>
+                  <span class="mono">{{ sectionProgress(section) }}</span>
+                </div>
+              </div>
             </button>
+          </li>
+        </ol>
+
+        <div v-if="requestUsername || initialPassword" class="credential-card">
+          <div class="credential-grid">
+            <div class="credential-field">
+              <span class="label mono">Username</span>
+              <button class="copy mono" type="button" @click="copyUsername" :disabled="!requestUsername">
+                {{ requestUsername || "" }}
+                <span v-if="usernameCopied" class="copied">copied</span>
+              </button>
+            </div>
+
+            <div class="credential-field" v-if="initialPassword">
+              <span class="label mono">Temporary password</span>
+              <div class="password-row">
+                <input
+                  class="input mono"
+                  :type="revealPassword ? 'text' : 'password'"
+                  :value="initialPassword"
+                  readonly
+                />
+                <button class="secondary" type="button" @click="togglePassword">
+                  {{ revealPassword ? "Hide" : "Reveal" }}
+                </button>
+                <button class="secondary" type="button" @click="copyInitialPassword">
+                  {{ passwordCopied ? "Copied" : "Copy" }}
+                </button>
+              </div>
+            </div>
           </div>
           <p class="muted">
-            Log in at
-            <a href="https://sso.bstein.dev" target="_blank" rel="noreferrer">sso.bstein.dev</a>
-            or go directly to
-            <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">cloud.bstein.dev</a>.
+            Use the temporary password to sign in the first time (Nextcloud, Element). You will rotate it after Vaultwarden is
+            ready. Store the new password in Vaultwarden.
           </p>
         </div>
 
         <div v-if="!auth.authenticated" class="login-callout">
-          <p class="muted">Log in to check off onboarding steps.</p>
+          <p class="muted">Log in to check off onboarding steps and verify your Element recovery key.</p>
           <button class="primary" type="button" @click="loginToContinue" :disabled="loading">Log in</button>
         </div>
 
-        <ul class="checklist">
-          <li class="check-item" :class="checkItemClass('vaultwarden_master_password')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('vaultwarden_master_password')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('vaultwarden_master_password')"
-                @change="toggleStep('vaultwarden_master_password', $event)"
-              />
-              <span>Set a Vaultwarden master password</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('vaultwarden_master_password')">
-                {{ stepPillLabel("vaultwarden_master_password") }}
-              </span>
-            </label>
-            <p class="muted">
-              Open <a href="https://vault.bstein.dev" target="_blank" rel="noreferrer">Passwords</a> and set a strong master
-              password you won't forget. Your master password is the one password to rule all passwords: use a long passphrase
-              (64+ characters is a good target), and never write it down or share it with anyone. If you lose it, Atlas can't
-              recover your vault. If you can't sign in yet, check your Atlas mailbox in
-              <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">Nextcloud Mail</a> for the invite link.
-            </p>
-            <details class="howto">
-              <summary class="mono">Master password guidance</summary>
-              <ul class="muted howto-list">
-                <li>Prefer a multi-word passphrase over a single word.</li>
-                <li>Never store it in plaintext or share it with anyone.</li>
-                <li>If you forget it, Vaultwarden can’t decrypt your data.</li>
-              </ul>
-            </details>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('keycloak_password_rotated')">
-            <label>
-              <input type="checkbox" :checked="isStepDone('keycloak_password_rotated')" disabled />
-              <span>Sign in to Element and update your Keycloak profile</span>
-              <span class="pill mono auto-pill" :class="keycloakRotationPillClass()">
-                {{ keycloakRotationPillLabel() }}
-              </span>
-            </label>
-            <div class="mfa-actions">
+        <div class="section-shell" v-if="activeSection">
+          <div class="section-header">
+            <div>
+              <h3>{{ activeSection.title }}</h3>
+              <p class="muted">{{ activeSection.description }}</p>
+            </div>
+            <div class="section-actions">
+              <button class="secondary" type="button" @click="prevSection" :disabled="!hasPrevSection">
+                Previous
+              </button>
               <button
                 class="secondary"
                 type="button"
-                @click="requestKeycloakPasswordRotation"
-                :disabled="
-                  !auth.authenticated ||
-                  loading ||
-                  isStepDone('keycloak_password_rotated') ||
-                  isStepBlocked('keycloak_password_rotated') ||
-                  keycloakPasswordRotationRequested
-                "
+                @click="nextSection"
+                :disabled="!hasNextSection || isSectionLocked(nextSectionItem)"
               >
-                Start Keycloak update
-              </button>
-              <a class="mono" href="https://live.bstein.dev" target="_blank" rel="noreferrer">Open Element</a>
-            </div>
-            <p class="muted">
-              After Vaultwarden is ready, sign in to Element with the temporary password. Keycloak will prompt you to set
-              a new password and your name. Store the new password in Vaultwarden. Atlas will mark this step complete once
-              Keycloak no longer requires a password update.
-            </p>
-          </li>
-
-          <li class="check-item mfa-optional" :class="mfaItemClass()">
-            <div class="mfa-row">
-              <div class="mfa-text">
-                <span class="mfa-title">Optional: enable MFA (TOTP) for Keycloak</span>
-                <p class="muted mfa-description">
-                  Add a second factor with a mobile authenticator app. This is optional and won't block the rest of onboarding.
-                </p>
-              </div>
-              <span class="pill mono auto-pill" :class="mfaPillClass()">{{ mfaPillLabel() }}</span>
-            </div>
-
-            <div class="mfa-actions">
-              <button
-                class="secondary"
-                type="button"
-                @click="setMfaOptional('skipped')"
-                :disabled="!auth.authenticated || loading || isMfaBlocked() || isMfaDecided()"
-              >
-                Skip
-              </button>
-              <button
-                class="primary"
-                type="button"
-                @click="setMfaOptional('done')"
-                :disabled="!auth.authenticated || loading || isMfaBlocked() || isMfaDecided()"
-              >
-                Mark complete
+                Next
               </button>
             </div>
-
-            <details class="mfa-qr" @toggle="maybeGenerateMfaQrs">
-              <summary class="mono">Show app install QR codes</summary>
-              <p v-if="mfaQrError" class="muted mfa-error">{{ mfaQrError }}</p>
-              <div v-else class="mfa-qr-grid">
-                <div class="mfa-qr-card">
-                  <span class="mono mfa-qr-label">Aegis (Android)</span>
-                  <img v-if="aegisQr" class="mfa-qr-img" :src="aegisQr" alt="Aegis Android app QR code" />
-                  <a class="mono mfa-qr-link" :href="AEGIS_URL" target="_blank" rel="noreferrer">Open store</a>
-                </div>
-                <div class="mfa-qr-card">
-                  <span class="mono mfa-qr-label">FreeOTP (iPhone)</span>
-                  <img v-if="freeOtpQr" class="mfa-qr-img" :src="freeOtpQr" alt="FreeOTP iPhone app QR code" />
-                  <a class="mono mfa-qr-link" :href="FREEOTP_URL" target="_blank" rel="noreferrer">Open store</a>
-                </div>
-              </div>
-            </details>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('element_recovery_key')">
-            <label>
-              <input type="checkbox" :checked="isStepDone('element_recovery_key')" disabled />
-              <span>Create an Element recovery key</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('element_recovery_key')">
-                {{ stepPillLabel("element_recovery_key") }}
-              </span>
-            </label>
-            <div class="recovery-verify">
-              <input
-                v-model="elementRecoveryKey"
-                class="input mono"
-                type="text"
-                placeholder="Paste recovery key (hashed locally)"
-                :disabled="
-                  !auth.authenticated || loading || isStepDone('element_recovery_key') || isStepBlocked('element_recovery_key')
-                "
-              />
-              <button
-                class="primary verify"
-                type="button"
-                @click="verifyElementRecoveryKey"
-                :disabled="
-                  !auth.authenticated ||
-                  loading ||
-                  isStepDone('element_recovery_key') ||
-                  isStepBlocked('element_recovery_key') ||
-                  !elementRecoveryKey.trim()
-                "
-              >
-                Verify
-              </button>
-            </div>
-            <p class="muted">
-              In Element, create a recovery key so you can restore encrypted history if you lose a device. Atlas stores only a
-              SHA-256 hash so the recovery key itself is never saved server-side. Open
-              <a href="https://live.bstein.dev/#/settings" target="_blank" rel="noreferrer">Element settings</a> → Encryption.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('element_recovery_key_stored')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('element_recovery_key_stored')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('element_recovery_key_stored')"
-                @change="toggleStep('element_recovery_key_stored', $event)"
-              />
-              <span>Store the recovery key in Vaultwarden</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('element_recovery_key_stored')">
-                {{ stepPillLabel("element_recovery_key_stored") }}
-              </span>
-            </label>
-            <p class="muted">Add the Element recovery key to Vaultwarden so it's stored safely.</p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('firefly_login')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('firefly_login')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('firefly_login')"
-                @change="toggleStep('firefly_login', $event)"
-              />
-              <span>Sign in to Firefly III</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('firefly_login')">
-                {{ stepPillLabel("firefly_login") }}
-              </span>
-            </label>
-            <p class="muted">
-              Open <a href="https://money.bstein.dev" target="_blank" rel="noreferrer">money.bstein.dev</a> and sign in
-              with the credentials from your <a href="/account">Account</a> page. Change the password immediately and
-              save it in Vaultwarden. In the Abacus app, set the server URL to money.bstein.dev and log in once.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('health_data_notice')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('health_data_notice')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('health_data_notice')"
-                @change="toggleStep('health_data_notice', $event)"
-              />
-              <span>Review the Wger health data notice</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('health_data_notice')">
-                {{ stepPillLabel("health_data_notice") }}
-              </span>
-            </label>
-            <p class="muted">
-              Wger is a personal wellness tool, not medical advice. Use it at your own risk. Your health data belongs to
-              you and will never be sold or used beyond providing the service. We apply best practices to protect it,
-              but no system is risk-free.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('wger_login')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('wger_login')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('wger_login')"
-                @change="toggleStep('wger_login', $event)"
-              />
-              <span>Sign in to Wger</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('wger_login')">
-                {{ stepPillLabel("wger_login") }}
-              </span>
-            </label>
-            <p class="muted">
-              Open <a href="https://health.bstein.dev" target="_blank" rel="noreferrer">health.bstein.dev</a> and sign in
-              with the credentials shown on your <a href="/account">Account</a> page. Change the password immediately and
-              store it in Vaultwarden. In the mobile app, set the server to health.bstein.dev and sign in once.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('vaultwarden_browser_extension')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('vaultwarden_browser_extension')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('vaultwarden_browser_extension')"
-                @change="toggleStep('vaultwarden_browser_extension', $event)"
-              />
-              <span>Install the Vaultwarden browser extension</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('vaultwarden_browser_extension')">
-                {{ stepPillLabel("vaultwarden_browser_extension") }}
-              </span>
-            </label>
-            <p class="muted">
-              Install Bitwarden in your browser and point it at vault.bstein.dev (Settings → Account → Environment → Self-hosted).
-              <a href="https://bitwarden.com/download" target="_blank" rel="noreferrer">Bitwarden downloads</a>.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('vaultwarden_desktop_app')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('vaultwarden_desktop_app')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('vaultwarden_desktop_app')"
-                @change="toggleStep('vaultwarden_desktop_app', $event)"
-              />
-              <span>Install the Vaultwarden desktop app</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('vaultwarden_desktop_app')">
-                {{ stepPillLabel("vaultwarden_desktop_app") }}
-              </span>
-            </label>
-            <p class="muted">
-              Install the Bitwarden desktop app and set the server to vault.bstein.dev (Settings → Account → Environment → Self-hosted).
-              <a href="https://bitwarden.com/download" target="_blank" rel="noreferrer">Bitwarden downloads</a>.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('vaultwarden_mobile_app')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('vaultwarden_mobile_app')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('vaultwarden_mobile_app')"
-                @change="toggleStep('vaultwarden_mobile_app', $event)"
-              />
-              <span>Install Bitwarden on your phone</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('vaultwarden_mobile_app')">
-                {{ stepPillLabel("vaultwarden_mobile_app") }}
-              </span>
-            </label>
-            <p class="muted">
-              Install the mobile app, set the server to vault.bstein.dev, and enable biometrics for fast unlock.
-              <a href="https://bitwarden.com/download" target="_blank" rel="noreferrer">Bitwarden downloads</a>.
-            </p>
-          </li>
-
-          <li class="check-item" :class="checkItemClass('actual_login')">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone('actual_login')"
-                :disabled="!auth.authenticated || loading || isStepBlocked('actual_login')"
-                @change="toggleStep('actual_login', $event)"
-              />
-              <span>Optional: sign in to Actual Budget</span>
-              <span class="pill mono auto-pill" :class="stepPillClass('actual_login')">
-                {{ stepPillLabel("actual_login") }}
-              </span>
-            </label>
-            <p class="muted">
-              Open <a href="https://budget.bstein.dev" target="_blank" rel="noreferrer">budget.bstein.dev</a> and sign in
-              with your Keycloak account.
-            </p>
-          </li>
-
-          <li v-for="step in extraSteps" :key="step.id" class="check-item" :class="checkItemClass(step.id)">
-            <label>
-              <input
-                type="checkbox"
-                :checked="isStepDone(step.id)"
-                :disabled="!auth.authenticated || loading || isStepBlocked(step.id)"
-                @change="toggleStep(step.id, $event)"
-              />
-              <span>{{ step.title }}</span>
-              <span class="pill mono auto-pill" :class="stepPillClass(step.id)">
-                {{ stepPillLabel(step.id) }}
-              </span>
-            </label>
-            <p class="muted">
-              {{ step.description }}
-              <a v-if="step.primaryLink" :href="step.primaryLink.href" target="_blank" rel="noreferrer">{{
-                step.primaryLink.text
-              }}</a>
-              .
-            </p>
-          </li>
-        </ul>
-        <div class="mobile-guides">
-          <div class="module-head">
-            <h3>Mobile app guides</h3>
-            <span class="pill mono">step-by-step</span>
           </div>
-          <p class="muted">
-            Each guide expands with screenshots. Set the server URL before logging in so everything points at Atlas.
-          </p>
-          <div class="guide-grid">
-            <div v-for="guide in mobileGuides" :key="guide.id" class="card module guide-card">
-              <div class="module-head">
-                <h3>{{ guide.title }}</h3>
-                <span class="pill mono">{{ guide.app }}</span>
-              </div>
-              <p class="muted">{{ guide.description }}</p>
-              <div class="kv">
-                <div v-for="field in guide.fields" :key="`${guide.id}-${field.label}`" class="row">
-                  <span class="k mono">{{ field.label }}</span>
-                  <span class="v mono">
-                    <a v-if="field.href" class="guide-link" :href="field.href" target="_blank" rel="noreferrer">
-                      {{ field.value }}
-                    </a>
-                    <span v-else>{{ field.value }}</span>
-                  </span>
+
+          <div class="step-grid">
+            <article v-for="step in activeSection.steps" :key="step.id" class="step-card" :class="stepCardClass(step)">
+              <div class="step-head">
+                <div class="step-title">
+                  <label v-if="step.action === 'checkbox'" class="step-label">
+                    <input
+                      type="checkbox"
+                      :checked="isStepDone(step.id)"
+                      :disabled="!auth.authenticated || loading || isStepBlocked(step.id)"
+                      @change="toggleStep(step.id, $event)"
+                    />
+                    <span>{{ step.title }}</span>
+                  </label>
+                  <div v-else class="step-label">
+                    <span>{{ step.title }}</span>
+                  </div>
                 </div>
+                <span class="pill mono auto-pill" :class="stepPillClass(step)">
+                  {{ stepPillLabel(step) }}
+                </span>
               </div>
-              <div class="guide-actions">
-                <a class="pill mono guide-link" :href="guide.url" target="_blank" rel="noreferrer">Open</a>
+
+              <p class="muted" v-if="step.description">{{ step.description }}</p>
+
+              <ul v-if="step.bullets && step.bullets.length" class="step-bullets">
+                <li v-for="bullet in step.bullets" :key="bullet">{{ bullet }}</li>
+              </ul>
+
+              <div v-if="step.links && step.links.length" class="step-links">
+                <a v-for="link in step.links" :key="link.href" :href="link.href" target="_blank" rel="noreferrer">
+                  {{ link.text }}
+                </a>
               </div>
-              <details class="guide-details">
+
+              <div v-if="step.action === 'keycloak_rotate'" class="step-actions">
+                <button
+                  class="secondary"
+                  type="button"
+                  @click="requestKeycloakPasswordRotation"
+                  :disabled="
+                    !auth.authenticated ||
+                    loading ||
+                    isStepDone('keycloak_password_rotated') ||
+                    isStepBlocked('keycloak_password_rotated') ||
+                    keycloakPasswordRotationRequested
+                  "
+                >
+                  Start Keycloak update
+                </button>
+                <a class="mono" href="https://live.bstein.dev" target="_blank" rel="noreferrer">Open Element</a>
+              </div>
+
+              <div v-if="step.action === 'element_recovery'" class="recovery-verify">
+                <input
+                  v-model="elementRecoveryKey"
+                  class="input mono"
+                  type="text"
+                  placeholder="Paste recovery key (hashed locally)"
+                  :disabled="!auth.authenticated || loading || isStepDone(step.id) || isStepBlocked(step.id)"
+                />
+                <button
+                  class="primary verify"
+                  type="button"
+                  @click="verifyElementRecoveryKey"
+                  :disabled="
+                    !auth.authenticated ||
+                    loading ||
+                    isStepDone(step.id) ||
+                    isStepBlocked(step.id) ||
+                    !elementRecoveryKey.trim()
+                  "
+                >
+                  Verify
+                </button>
+              </div>
+
+              <details v-if="step.guide" class="guide-details">
                 <summary class="mono">Photo guide</summary>
-                <div v-if="guideShots[guide.id] && guideShots[guide.id].length" class="guide-images">
-                  <figure v-for="(shot, index) in guideShots[guide.id]" :key="shot.url" class="guide-shot">
-                    <img :src="shot.url" :alt="`${guide.title} step ${index + 1}`" loading="lazy" />
-                    <figcaption v-if="shot.label" class="mono">{{ shot.label }}</figcaption>
-                  </figure>
+                <div v-if="guideGroups(step).length" class="guide-groups">
+                  <div v-for="group in guideGroups(step)" :key="group.id" class="guide-group">
+                    <h4 v-if="group.title" class="mono guide-title">{{ group.title }}</h4>
+                    <div class="guide-images">
+                      <figure v-for="shot in group.shots" :key="shot.url" class="guide-shot">
+                        <img :src="shot.url" :alt="shot.label || step.title" loading="lazy" />
+                        <figcaption v-if="shot.label" class="mono">{{ shot.label }}</figcaption>
+                      </figure>
+                    </div>
+                  </div>
                 </div>
                 <p v-else class="muted">Guide coming soon.</p>
               </details>
-            </div>
+            </article>
           </div>
         </div>
 
@@ -486,9 +274,7 @@
           <h3>You're ready</h3>
           <p class="muted">
             Your Atlas account is provisioned and onboarding is complete. You can log in at
-            <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">cloud.bstein.dev</a>,
-            <a href="https://notes.bstein.dev" target="_blank" rel="noreferrer">notes.bstein.dev</a>, and
-            <a href="https://tasks.bstein.dev" target="_blank" rel="noreferrer">tasks.bstein.dev</a>.
+            <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">cloud.bstein.dev</a>.
           </p>
         </div>
       </div>
@@ -506,172 +292,331 @@
 </template>
 
 <script setup>
-import { onMounted, ref } from "vue";
-import QRCode from "qrcode";
+import { computed, onMounted, ref } from "vue";
 import { useRoute } from "vue-router";
 import { auth, authFetch, login } from "../auth";
 
 const route = useRoute();
 
-const AEGIS_URL = "https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis";
-const FREEOTP_URL = "https://apps.apple.com/app/freeotp-authenticator/id872559395";
-
 const requestCode = ref("");
 const requestUsername = ref("");
 const status = ref("");
 const loading = ref(false);
 const error = ref("");
-const onboarding = ref({ required_steps: [], optional_steps: [], completed_steps: [], optional: {} });
+const onboarding = ref({ required_steps: [], optional_steps: [], completed_steps: [] });
 const initialPassword = ref("");
-const copied = ref(false);
+const revealPassword = ref(false);
+const passwordCopied = ref(false);
 const usernameCopied = ref(false);
 const tasks = ref([]);
 const blocked = ref(false);
 const elementRecoveryKey = ref("");
-const aegisQr = ref("");
-const freeOtpQr = ref("");
-const mfaQrError = ref("");
-const mfaQrReady = ref(false);
 const keycloakPasswordRotationRequested = ref(false);
-const extraSteps = [
-  {
-    id: "elementx_setup",
-    title: "Install Element X and sign in",
-    description:
-      "Install Element X on mobile and sign in with your Atlas username/password. Use Element Web → Settings → Sessions to connect your phone via QR.",
-    primaryLink: { href: "https://live.bstein.dev", text: "Element" },
-  },
-  {
-    id: "mail_client_setup",
-    title: "Set up mail on a device",
-    description:
-      "Use the IMAP/SMTP details on your Account page to add mail to your phone or desktop client (FairEmail on Android, Apple Mail on iOS, Thunderbird on desktop).",
-    primaryLink: { href: "/account", text: "Account" },
-  },
-  {
-    id: "jellyfin_login",
-    title: "Sign in to Jellyfin",
-    description: "Sign in with your Atlas username/password (LDAP-backed).",
-    primaryLink: { href: "https://stream.bstein.dev", text: "Jellyfin" },
-  },
-  {
-    id: "outline_login",
-    title: "Open Outline and create your first doc",
-    description: "Create a space for your docs and invite collaborators when you're ready.",
-    primaryLink: { href: "https://notes.bstein.dev", text: "Outline" },
-  },
-  {
-    id: "planka_login",
-    title: "Open Planka and create a board",
-    description: "Spin up a project board and invite teammates to collaborate.",
-    primaryLink: { href: "https://tasks.bstein.dev", text: "Planka" },
-  },
-];
+const activeSectionId = ref("vaultwarden");
+const guideShots = ref({});
 
-// Guide images: drop files into src/assets/onboarding/<guideId>/01-step.png to auto-load and order.
-const guideShots = buildGuideShots(
-  import.meta.glob("../assets/onboarding/**/*.{png,jpg,jpeg,webp}", { eager: true, as: "url" }),
-);
+const STEP_PREREQS = {
+  vaultwarden_master_password: [],
+  vaultwarden_browser_extension: ["vaultwarden_master_password"],
+  vaultwarden_mobile_app: ["vaultwarden_master_password"],
+  keycloak_password_rotated: ["vaultwarden_master_password"],
+  element_recovery_key: ["keycloak_password_rotated"],
+  element_recovery_key_stored: ["element_recovery_key"],
+  element_mobile_app: ["element_recovery_key"],
+  mail_client_setup: ["vaultwarden_master_password"],
+  nextcloud_web_access: ["vaultwarden_master_password"],
+  nextcloud_mail_integration: ["nextcloud_web_access"],
+  nextcloud_desktop_app: ["nextcloud_web_access"],
+  nextcloud_mobile_app: ["nextcloud_web_access"],
+  budget_encryption_ack: ["nextcloud_mail_integration"],
+  firefly_password_rotated: ["element_recovery_key_stored"],
+  wger_password_rotated: ["firefly_password_rotated"],
+  jellyfin_web_access: ["vaultwarden_master_password"],
+  jellyfin_mobile_app: ["jellyfin_web_access"],
+  jellyfin_tv_setup: ["jellyfin_web_access"],
+};
 
-const mobileGuides = [
+const SECTION_DEFS = [
   {
     id: "vaultwarden",
     title: "Vaultwarden",
-    app: "Bitwarden",
-    description: "Password manager with autofill across devices.",
-    url: "https://vault.bstein.dev",
-    fields: [
-      { label: "Server", value: "vault.bstein.dev" },
-      { label: "Login", value: "Atlas email + password" },
+    description: "Unlock your vault and install the tools that will store every other credential.",
+    steps: [
+      {
+        id: "vaultwarden_master_password",
+        title: "Set your Vaultwarden master password",
+        action: "auto",
+        description:
+          "Open Nextcloud Mail to find the invite, then visit vault.bstein.dev and create your master password. Use the temporary Keycloak password to sign in to Nextcloud for the first time.",
+        bullets: [
+          "Prefer a long (64+ character) multi word phrase over a single word. Length is stronger than complexity.",
+          "Never share, write, or store your password with anyone or anywhere for any reason. Your password must only live between your ears.",
+          "Pick something you will not forget, probably something you already know, something easy to remember, maybe something close to you.",
+        ],
+        links: [
+          { href: "https://cloud.bstein.dev", text: "Nextcloud Mail" },
+          { href: "https://vault.bstein.dev", text: "vault.bstein.dev" },
+        ],
+        guide: { service: "vaultwarden", step: "step1_website" },
+      },
+      {
+        id: "vaultwarden_browser_extension",
+        title: "Install the browser extension",
+        action: "checkbox",
+        description:
+          "Install Bitwarden in your browser and point it at vault.bstein.dev (Settings → Account → Environment → Self-hosted).",
+        links: [
+          { href: "https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/", text: "Firefox" },
+          { href: "https://chromewebstore.google.com/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb", text: "Chrome" },
+          { href: "https://apps.apple.com/app/bitwarden/id1352778147", text: "Safari" },
+          { href: "https://www.mozilla.org/firefox/new/", text: "Need a browser? Get Firefox" },
+        ],
+        guide: { service: "vaultwarden", step: "step2_browser_extension" },
+      },
+      {
+        id: "vaultwarden_mobile_app",
+        title: "Install the mobile app",
+        action: "checkbox",
+        description: "Install Bitwarden on your phone, set the server to vault.bstein.dev, and enable biometrics.",
+        links: [{ href: "https://bitwarden.com/download/", text: "Bitwarden downloads" }],
+        guide: { service: "vaultwarden", step: "step3_mobile_app" },
+      },
     ],
   },
   {
-    id: "elementx",
-    title: "Element X",
-    app: "Matrix chat",
-    description: "Secure chat for Othrys rooms and direct messages.",
-    url: "https://live.bstein.dev",
-    fields: [
-      { label: "Homeserver", value: "live.bstein.dev" },
-      { label: "Login", value: "Atlas username + password" },
+    id: "element",
+    title: "Element",
+    description: "Rotate your Keycloak password, create a recovery key, and store it safely.",
+    steps: [
+      {
+        id: "keycloak_password_rotated",
+        title: "Rotate your Keycloak password",
+        action: "keycloak_rotate",
+        description:
+          "Sign in to Element with the temporary password. Keycloak will prompt you to set a new password. Store the new password in Vaultwarden.",
+        links: [
+          { href: "https://live.bstein.dev", text: "Element" },
+          { href: "https://sso.bstein.dev/realms/atlas/account", text: "Keycloak account" },
+        ],
+        guide: { service: "element", step: "step1_web_access" },
+      },
+      {
+        id: "element_recovery_key",
+        title: "Create and verify your recovery key",
+        action: "element_recovery",
+        description:
+          "In Element settings → Encryption, create a recovery key so you can restore encrypted history if you lose a device.",
+        guide: { service: "element", step: "step2_record_recovery_key" },
+      },
+      {
+        id: "element_recovery_key_stored",
+        title: "Store the recovery key in Vaultwarden",
+        action: "checkbox",
+        description: "Save the recovery key in Vaultwarden so it never gets lost.",
+      },
+      {
+        id: "element_mobile_app",
+        title: "Optional: install Element X on mobile",
+        action: "checkbox",
+        description:
+          "Install Element X and sign in. Use Element Web → Settings → Sessions to connect your phone via QR.",
+        links: [{ href: "https://element.io/download", text: "Element X downloads" }],
+        guide: { service: "element", step: "step3_mobile_app_and_qr_code_login" },
+      },
     ],
   },
   {
-    id: "wger",
-    title: "Wger",
-    app: "Health tracking",
-    description: "Workout + nutrition tracking for Atlas.",
-    url: "https://health.bstein.dev",
-    fields: [
-      { label: "Server", value: "health.bstein.dev" },
-      { label: "Login", value: "Use Account page credentials" },
-    ],
-  },
-  {
-    id: "firefly",
-    title: "Firefly III",
-    app: "Abacus",
-    description: "Personal finance manager for budgets and spending.",
-    url: "https://money.bstein.dev",
-    fields: [
-      { label: "Server", value: "money.bstein.dev" },
-      { label: "Login", value: "Use Account page credentials" },
+    id: "mail",
+    title: "Mail",
+    description: "Add your @bstein.dev mailbox to your preferred mail apps.",
+    steps: [
+      {
+        id: "mail_client_setup",
+        title: "Set up mail on a device",
+        action: "checkbox",
+        description:
+          "Use the IMAP/SMTP details on your Account page to add mail to your phone or desktop client (Thunderbird, Apple Mail, FairEmail).",
+        links: [{ href: "/account", text: "Open Account details" }],
+        guide: { service: "nextcloud", step: "step2_mail_integration" },
+      },
     ],
   },
   {
     id: "nextcloud",
     title: "Nextcloud",
-    app: "Files + mail",
-    description: "Files, calendar, and mail on the go.",
-    url: "https://cloud.bstein.dev",
-    fields: [
-      { label: "Server", value: "cloud.bstein.dev" },
-      { label: "Login", value: "Atlas username + password" },
+    description: "Access files and confirm your Atlas mail integration inside Nextcloud.",
+    steps: [
+      {
+        id: "nextcloud_web_access",
+        title: "Sign in to Nextcloud",
+        action: "checkbox",
+        description:
+          "Open Nextcloud, confirm you can access Files, Calendar, and Mail, and keep the tab handy during onboarding.",
+        links: [{ href: "https://cloud.bstein.dev", text: "cloud.bstein.dev" }],
+        guide: { service: "nextcloud", step: "step1_web_access" },
+      },
+      {
+        id: "nextcloud_mail_integration",
+        title: "Mail integration ready",
+        action: "auto",
+        description:
+          "Atlas configures your mailbox inside Nextcloud automatically. If this stays pending, use Accounts → Sync Mail and retry.",
+        guide: { service: "nextcloud", step: "step2_mail_integration" },
+      },
+      {
+        id: "nextcloud_desktop_app",
+        title: "Optional: install the desktop sync app",
+        action: "checkbox",
+        description: "Install the Nextcloud desktop app to sync files locally.",
+        links: [{ href: "https://nextcloud.com/install/", text: "Nextcloud desktop" }],
+        guide: { service: "nextcloud", step: "step3_desktop_storage_app" },
+      },
+      {
+        id: "nextcloud_mobile_app",
+        title: "Optional: install the mobile app",
+        action: "checkbox",
+        description: "Install the Nextcloud mobile app for files and photos on the go.",
+        links: [{ href: "https://nextcloud.com/install/", text: "Nextcloud mobile" }],
+        guide: { service: "nextcloud", step: "step4_mobile_app" },
+      },
+    ],
+  },
+  {
+    id: "budget",
+    title: "Budget & Encryption",
+    description: "Protect sensitive data and keep the shared storage budget predictable.",
+    steps: [
+      {
+        id: "budget_encryption_ack",
+        title: "Encrypt sensitive data before you upload",
+        action: "checkbox",
+        description:
+          "Atlas storage is shared, backed up, and budgeted. Encrypt anything sensitive before uploading. If it would hurt to leak, encrypt it.",
+        bullets: [
+          "Use a modern tool (age, GPG) or store secrets directly in Vaultwarden.",
+          "When in doubt, encrypt first and ask questions later.",
+        ],
+        links: [
+          { href: "https://age-encryption.org", text: "age" },
+          { href: "https://www.gnupg.org", text: "GnuPG" },
+        ],
+        guide: { service: "budget", step: "step1_encrypt_data" },
+      },
+    ],
+  },
+  {
+    id: "firefly",
+    title: "Firefly III",
+    description: "Change your initial Firefly password and store it in Vaultwarden.",
+    steps: [
+      {
+        id: "firefly_password_rotated",
+        title: "Change your Firefly password",
+        action: "auto",
+        description:
+          "Sign in to money.bstein.dev with the credentials on your Account page, then change the password. This step completes once the original password no longer works.",
+        links: [
+          { href: "https://money.bstein.dev", text: "money.bstein.dev" },
+          { href: "/account", text: "Account credentials" },
+        ],
+        guide: { service: "firefly", step: "step1_web_access" },
+      },
+    ],
+  },
+  {
+    id: "wger",
+    title: "Wger",
+    description: "Change your initial Wger password and store it in Vaultwarden.",
+    steps: [
+      {
+        id: "wger_password_rotated",
+        title: "Change your Wger password",
+        action: "auto",
+        description:
+          "Sign in to health.bstein.dev with the credentials on your Account page, then change the password. This step completes once the original password no longer works.",
+        links: [
+          { href: "https://health.bstein.dev", text: "health.bstein.dev" },
+          { href: "/account", text: "Account credentials" },
+        ],
+        guide: { service: "wger", step: "step1_web_access" },
+      },
     ],
   },
   {
     id: "jellyfin",
     title: "Jellyfin",
-    app: "Media streaming",
-    description: "Personal media library for Atlas.",
-    url: "https://stream.bstein.dev",
-    fields: [
-      { label: "Server", value: "stream.bstein.dev" },
-      { label: "Login", value: "Atlas username + password" },
+    description: "Optional media access across web, mobile, and TV clients.",
+    steps: [
+      {
+        id: "jellyfin_web_access",
+        title: "Optional: sign in to Jellyfin",
+        action: "checkbox",
+        description:
+          "Sign in with your Atlas username/password (LDAP-backed).",
+        links: [{ href: "https://stream.bstein.dev", text: "stream.bstein.dev" }],
+        guide: { service: "jellyfin", step: "step1_web_access" },
+      },
+      {
+        id: "jellyfin_mobile_app",
+        title: "Optional: install the mobile app",
+        action: "checkbox",
+        description: "Install Jellyfin on mobile and connect to stream.bstein.dev.",
+        links: [{ href: "https://jellyfin.org/downloads/", text: "Jellyfin downloads" }],
+        guide: { service: "jellyfin", step: "step2_mobile_app" },
+      },
+      {
+        id: "jellyfin_tv_setup",
+        title: "Optional: connect a TV client",
+        action: "checkbox",
+        description:
+          "Use the Jellyfin app on your TV or streaming device (LG, Samsung, Roku, Apple TV, Xbox).",
+        links: [{ href: "https://jellyfin.org/downloads/", text: "Jellyfin TV apps" }],
+        guide: { service: "jellyfin", step: "step3_tv_integrations" },
+      },
     ],
   },
 ];
 
-function buildGuideShots(rawShots) {
-  const grouped = {};
-  for (const [path, url] of Object.entries(rawShots)) {
-    const normalized = path.replace(/\\/g, "/");
-    const parts = normalized.split("/assets/onboarding/");
-    if (parts.length < 2) continue;
-    const [guideId, file] = parts[1].split("/");
-    if (!guideId || !file) continue;
-    const order = guideOrder(file);
-    const label = guideLabel(file);
-    if (!grouped[guideId]) grouped[guideId] = [];
-    grouped[guideId].push({ url, order, label, file });
+const sections = computed(() => SECTION_DEFS);
+const activeSection = computed(() => sections.value.find((item) => item.id === activeSectionId.value));
+
+const nextSectionItem = computed(() => {
+  const list = sections.value;
+  const index = list.findIndex((item) => item.id === activeSectionId.value);
+  return index >= 0 ? list[index + 1] : null;
+});
+
+const hasPrevSection = computed(() => {
+  const list = sections.value;
+  const index = list.findIndex((item) => item.id === activeSectionId.value);
+  return index > 0;
+});
+
+const hasNextSection = computed(() => Boolean(nextSectionItem.value));
+
+const showOnboarding = computed(() => status.value === "awaiting_onboarding" || status.value === "ready");
+
+function selectSection(sectionId) {
+  if (!sectionId) return;
+  const section = sections.value.find((item) => item.id === sectionId);
+  if (!section) return;
+  if (isSectionLocked(section)) return;
+  activeSectionId.value = sectionId;
+}
+
+function prevSection() {
+  const list = sections.value;
+  const index = list.findIndex((item) => item.id === activeSectionId.value);
+  if (index > 0) {
+    activeSectionId.value = list[index - 1].id;
   }
-  Object.values(grouped).forEach((shots) => {
-    shots.sort((a, b) => (a.order - b.order) || a.file.localeCompare(b.file));
-  });
-  return grouped;
 }
 
-function guideOrder(filename) {
-  const prefix = filename.match(/^(\d{1,3})/);
-  if (prefix) return Number(prefix[1]);
-  const step = filename.match(/step[-_]?(\d{1,3})/i);
-  if (step) return Number(step[1]);
-  return Number.MAX_SAFE_INTEGER;
-}
-
-function guideLabel(filename) {
-  const base = filename.replace(/\.(png|jpe?g|webp)$/i, "");
-  return base.replace(/^\d+[-_]?/, "").replace(/[-_]/g, " ").trim();
+function nextSection() {
+  const nextItem = nextSectionItem.value;
+  if (nextItem && !isSectionLocked(nextItem)) {
+    activeSectionId.value = nextItem.id;
+  }
 }
 
 function statusLabel(value) {
@@ -696,141 +641,121 @@ function statusPillClass(value) {
   return "pill-warn";
 }
 
-function isStepDone(step) {
+function isStepDone(stepId) {
   const steps = onboarding.value?.completed_steps || [];
-  return Array.isArray(steps) ? steps.includes(step) : false;
+  return Array.isArray(steps) ? steps.includes(stepId) : false;
 }
 
-function requiredStepOrder() {
-  if (Array.isArray(onboarding.value?.required_steps) && onboarding.value.required_steps.length) {
-    return onboarding.value.required_steps;
-  }
-  return [
-    "vaultwarden_master_password",
-    "keycloak_password_rotated",
-    "element_recovery_key",
-    "element_recovery_key_stored",
-    "firefly_login",
-    "health_data_notice",
-    "wger_login",
-  ];
+function isStepRequired(stepId) {
+  const required = onboarding.value?.required_steps || [];
+  return Array.isArray(required) && required.includes(stepId);
 }
 
-function activeRequiredStep() {
-  const order = requiredStepOrder();
-  for (const step of order) {
-    if (!isStepDone(step)) return step;
-  }
-  return "";
-}
-
-function mfaOptionalState() {
-  const state = onboarding.value?.optional?.keycloak_mfa_optional?.state;
-  if (state === "done" || state === "skipped") return state;
-  return "pending";
-}
-
-function isMfaDecided() {
-  const state = mfaOptionalState();
-  return state === "done" || state === "skipped";
-}
-
-function isMfaBlocked() {
-  return !isStepDone("keycloak_password_rotated");
-}
-
-function mfaItemClass() {
-  const state = mfaOptionalState();
-  return {
-    blocked: isMfaBlocked(),
-    done: state === "done",
-    skipped: state === "skipped",
-    optional: true,
-  };
-}
-
-function mfaPillLabel() {
-  if (isMfaBlocked()) return "blocked";
-  const state = mfaOptionalState();
-  if (state === "done") return "done";
-  if (state === "skipped") return "skipped";
-  return "optional";
-}
-
-function mfaPillClass() {
-  if (isMfaBlocked()) return "pill-wait";
-  const state = mfaOptionalState();
-  if (state === "done") return "pill-ok";
-  if (state === "skipped") return "pill-info";
-  return "pill-warn";
-}
-
-function keycloakRotationPillLabel() {
-  if (isStepDone("keycloak_password_rotated")) return "done";
-  if (isStepBlocked("keycloak_password_rotated")) return "blocked";
-  if (keycloakPasswordRotationRequested.value) return "update now";
-  return "ready";
-}
-
-function keycloakRotationPillClass() {
-  if (isStepDone("keycloak_password_rotated")) return "pill-ok";
-  if (isStepBlocked("keycloak_password_rotated")) return "pill-wait";
-  if (keycloakPasswordRotationRequested.value) return "pill-warn";
-  return "pill-info";
-}
-
-async function maybeGenerateMfaQrs(event) {
-  if (mfaQrReady.value) return;
-  const details = event?.target;
-  if (details && details.tagName === "DETAILS" && !details.open) return;
-  mfaQrError.value = "";
-  try {
-    aegisQr.value = await QRCode.toDataURL(AEGIS_URL, { width: 220, margin: 2 });
-    freeOtpQr.value = await QRCode.toDataURL(FREEOTP_URL, { width: 220, margin: 2 });
-    mfaQrReady.value = true;
-  } catch (err) {
-    mfaQrError.value = err?.message || "Failed to generate QR codes";
-  }
-}
-
-function isStepBlocked(step) {
-  const order = requiredStepOrder();
-  const idx = order.indexOf(step);
-  if (idx <= 0) return false;
-  for (let i = 0; i < idx; i += 1) {
-    if (!isStepDone(order[i])) return true;
-  }
-  return false;
-}
-
-function checkItemClass(step) {
-  const activeStep = activeRequiredStep();
-  const done = isStepDone(step);
-  const blockedStep = isStepBlocked(step);
-  const active = !done && !blockedStep && activeStep === step;
-  return { done, blocked: blockedStep, active };
+function isStepBlocked(stepId) {
+  const prereqs = STEP_PREREQS[stepId] || [];
+  if (!prereqs.length) return false;
+  return prereqs.some((req) => !isStepDone(req));
 }
 
 function stepPillLabel(step) {
-  if (isStepDone(step)) return "done";
-  if (isStepBlocked(step)) return "blocked";
+  if (isStepDone(step.id)) return "done";
+  if (isStepBlocked(step.id)) return "blocked";
+  if (step.action === "auto") return "pending";
+  if (!isStepRequired(step.id)) return "optional";
+  if (step.id === "keycloak_password_rotated") {
+    return keycloakPasswordRotationRequested.value ? "rotate now" : "ready";
+  }
   return "pending";
 }
 
 function stepPillClass(step) {
-  if (isStepDone(step)) return "pill-ok";
-  if (isStepBlocked(step)) return "pill-wait";
+  if (isStepDone(step.id)) return "pill-ok";
+  if (isStepBlocked(step.id)) return "pill-wait";
+  if (!isStepRequired(step.id)) return "pill-info";
+  if (step.id === "keycloak_password_rotated" && !keycloakPasswordRotationRequested.value) {
+    return "pill-info";
+  }
   return "pill-warn";
 }
 
-function taskPillClass(status) {
-  const key = (status || "").trim();
+function stepCardClass(step) {
+  return {
+    done: isStepDone(step.id),
+    blocked: isStepBlocked(step.id),
+    optional: !isStepRequired(step.id),
+  };
+}
+
+function sectionProgress(section) {
+  const requiredSteps = section.steps.filter((step) => isStepRequired(step.id));
+  if (!requiredSteps.length) return "optional";
+  const doneCount = requiredSteps.filter((step) => isStepDone(step.id)).length;
+  return `${doneCount}/${requiredSteps.length} required`;
+}
+
+function sectionStatusLabel(section) {
+  if (isSectionDone(section)) return "done";
+  if (isSectionLocked(section)) return "locked";
+  return "in progress";
+}
+
+function sectionPillClass(section) {
+  if (isSectionDone(section)) return "pill-ok";
+  if (isSectionLocked(section)) return "pill-wait";
+  return "pill-info";
+}
+
+function isSectionLocked(section) {
+  const list = sections.value;
+  const index = list.findIndex((item) => item.id === section.id);
+  if (index <= 0) return false;
+  const previous = list[index - 1];
+  return !sectionGateComplete(previous);
+}
+
+function isSectionDone(section) {
+  const requiredSteps = section.steps.filter((step) => isStepRequired(step.id));
+  const stepsToCheck = requiredSteps.length ? requiredSteps : section.steps;
+  if (!stepsToCheck.length) return false;
+  return stepsToCheck.every((step) => isStepDone(step.id));
+}
+
+function sectionCardClass(section) {
+  return {
+    active: section.id === activeSectionId.value,
+    done: isSectionDone(section),
+    locked: isSectionLocked(section),
+  };
+}
+
+function sectionGateComplete(section) {
+  const requiredSteps = section.steps.filter((step) => isStepRequired(step.id));
+  if (!requiredSteps.length) return true;
+  return requiredSteps.every((step) => isStepDone(step.id));
+}
+
+function guideGroups(step) {
+  if (!step.guide) return [];
+  const service = step.guide.service;
+  const stepKey = step.guide.step;
+  const serviceShots = guideShots.value?.[service] || {};
+  const stepShots = serviceShots?.[stepKey] || {};
+  return Object.values(stepShots);
+}
+
+function taskPillClass(value) {
+  const key = (value || "").trim();
   if (key === "ok") return "pill-ok";
   if (key === "error") return "pill-bad";
-  if (key === "pending") return "pill-warn";
   return "pill-warn";
 }
 
+function selectDefaultSection() {
+  const list = sections.value;
+  const firstIncomplete = list.find((section) => !isSectionDone(section) && !isSectionLocked(section));
+  activeSectionId.value = (firstIncomplete || list[0] || {}).id || "vaultwarden";
+}
+
 async function check() {
   if (loading.value) return;
   error.value = "";
@@ -845,13 +770,16 @@ async function check() {
     if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
     status.value = data.status || "unknown";
     requestUsername.value = data.username || "";
-    onboarding.value = data.onboarding || { required_steps: [], optional_steps: [], completed_steps: [], optional: {} };
+    onboarding.value = data.onboarding || { required_steps: [], optional_steps: [], completed_steps: [] };
     keycloakPasswordRotationRequested.value = Boolean(data.onboarding?.keycloak?.password_rotation_requested);
     tasks.value = Array.isArray(data.tasks) ? data.tasks : [];
     blocked.value = Boolean(data.blocked);
     initialPassword.value = data.initial_password || "";
+    if (showOnboarding.value) {
+      selectDefaultSection();
+    }
   } catch (err) {
-    error.value = err.message || "Failed to check status";
+    error.value = err?.message || "Failed to check status";
     tasks.value = [];
     blocked.value = false;
     keycloakPasswordRotationRequested.value = false;
@@ -860,86 +788,110 @@ async function check() {
   }
 }
 
-async function copyInitialPassword() {
-  if (!initialPassword.value) return;
+function togglePassword() {
+  revealPassword.value = !revealPassword.value;
+}
+
+async function copyText(text, setFlag) {
+  if (!text) return;
   try {
     if (navigator?.clipboard?.writeText) {
-      await navigator.clipboard.writeText(initialPassword.value);
+      await navigator.clipboard.writeText(text);
     } else {
-      const textarea = document.createElement("textarea");
-      textarea.value = initialPassword.value;
-      textarea.setAttribute("readonly", "");
-      textarea.style.position = "fixed";
-      textarea.style.top = "-9999px";
-      textarea.style.left = "-9999px";
-      document.body.appendChild(textarea);
-      textarea.select();
-      textarea.setSelectionRange(0, textarea.value.length);
+      const fallback = document.createElement("textarea");
+      fallback.value = text;
+      fallback.setAttribute("readonly", "");
+      fallback.style.position = "fixed";
+      fallback.style.top = "-9999px";
+      fallback.style.left = "-9999px";
+      document.body.appendChild(fallback);
+      fallback.select();
+      fallback.setSelectionRange(0, fallback.value.length);
       document.execCommand("copy");
-      document.body.removeChild(textarea);
+      document.body.removeChild(fallback);
     }
-    copied.value = true;
-    setTimeout(() => (copied.value = false), 1500);
+    setFlag(true);
+    setTimeout(() => setFlag(false), 1500);
   } catch (err) {
-    error.value = err?.message || "Failed to copy password";
+    error.value = err?.message || "Copy failed";
   }
 }
 
-async function copyUsername() {
-  if (!requestUsername.value) return;
-  try {
-    if (navigator?.clipboard?.writeText) {
-      await navigator.clipboard.writeText(requestUsername.value);
-    } else {
-      const textarea = document.createElement("textarea");
-      textarea.value = requestUsername.value;
-      textarea.setAttribute("readonly", "");
-      textarea.style.position = "fixed";
-      textarea.style.top = "-9999px";
-      textarea.style.left = "-9999px";
-      document.body.appendChild(textarea);
-      textarea.select();
-      textarea.setSelectionRange(0, textarea.value.length);
-      document.execCommand("copy");
-      document.body.removeChild(textarea);
-    }
-    usernameCopied.value = true;
-    setTimeout(() => (usernameCopied.value = false), 1500);
-  } catch (err) {
-    error.value = err?.message || "Failed to copy username";
-  }
+function copyInitialPassword() {
+  copyText(initialPassword.value, (value) => (passwordCopied.value = value));
+}
+
+function copyUsername() {
+  copyText(requestUsername.value, (value) => (usernameCopied.value = value));
 }
 
 async function loginToContinue() {
-  const trimmedCode = requestCode.value.trim();
-  const hint = requestUsername.value.trim() || trimmedCode.split("~", 1)[0] || "";
-  await login(`/onboarding?code=${encodeURIComponent(trimmedCode)}`, hint);
+  const hint = requestUsername.value.trim() || requestCode.value.split("~", 1)[0] || "";
+  await login(`/onboarding?code=${encodeURIComponent(requestCode.value.trim())}`, hint);
 }
 
-async function setMfaOptional(state) {
+async function toggleStep(stepId, event) {
+  const checked = Boolean(event?.target?.checked);
   if (!auth.authenticated) {
+    event?.preventDefault?.();
     error.value = "Log in to update onboarding steps.";
     return;
   }
-  if (isMfaBlocked()) {
-    error.value = "Rotate your Keycloak password first.";
+  if (isStepBlocked(stepId)) {
+    event?.preventDefault?.();
+    return;
+  }
+  if (stepId === "element_recovery_key") {
+    event?.preventDefault?.();
     return;
   }
-  if (state !== "done" && state !== "skipped") return;
-  error.value = "";
   loading.value = true;
+  error.value = "";
   try {
-    const resp = await authFetch("/api/access/request/onboarding/mfa", {
+    const resp = await authFetch("/api/access/request/onboarding/attest", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ request_code: requestCode.value.trim(), state }),
+      body: JSON.stringify({ request_code: requestCode.value.trim(), step: stepId, completed: checked }),
     });
     const data = await resp.json().catch(() => ({}));
     if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
     status.value = data.status || status.value;
     onboarding.value = data.onboarding || onboarding.value;
   } catch (err) {
-    error.value = err.message || "Failed to update MFA step";
+    error.value = err?.message || "Failed to update onboarding";
+  } finally {
+    loading.value = false;
+  }
+}
+
+async function verifyElementRecoveryKey() {
+  if (!auth.authenticated) {
+    error.value = "Log in to verify your recovery key.";
+    return;
+  }
+  if (isStepBlocked("element_recovery_key")) {
+    error.value = "Complete earlier onboarding steps first.";
+    return;
+  }
+  const raw = elementRecoveryKey.value.trim();
+  if (!raw) return;
+
+  error.value = "";
+  loading.value = true;
+  try {
+    const sha256 = await sha256Hex(raw);
+    const resp = await authFetch("/api/access/request/onboarding/element-recovery", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ request_code: requestCode.value.trim(), sha256 }),
+    });
+    const data = await resp.json().catch(() => ({}));
+    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
+    status.value = data.status || status.value;
+    onboarding.value = data.onboarding || onboarding.value;
+    elementRecoveryKey.value = "";
+  } catch (err) {
+    error.value = err?.message || "Failed to verify recovery key";
   } finally {
     loading.value = false;
   }
@@ -955,8 +907,9 @@ async function requestKeycloakPasswordRotation() {
     return;
   }
   if (keycloakPasswordRotationRequested.value) return;
-  error.value = "";
+
   loading.value = true;
+  error.value = "";
   try {
     const resp = await authFetch("/api/access/request/onboarding/keycloak-password-rotate", {
       method: "POST",
@@ -965,87 +918,82 @@ async function requestKeycloakPasswordRotation() {
     });
     const data = await resp.json().catch(() => ({}));
     if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
-    status.value = data.status || status.value;
     onboarding.value = data.onboarding || onboarding.value;
+    status.value = data.status || status.value;
     keycloakPasswordRotationRequested.value = Boolean(data.onboarding?.keycloak?.password_rotation_requested);
   } catch (err) {
-    error.value = err.message || "Failed to request password rotation";
+    error.value = err?.message || "Failed to request password rotation";
   } finally {
     loading.value = false;
   }
 }
 
-async function toggleStep(step, event) {
-  const checked = Boolean(event?.target?.checked);
-  if (!auth.authenticated) {
-    event?.preventDefault?.();
-    return;
-  }
-  if (step === "keycloak_password_rotated") {
-    event?.preventDefault?.();
-    return;
-  }
-  if (step === "element_recovery_key") {
-    event?.preventDefault?.();
-    return;
-  }
-  error.value = "";
-  loading.value = true;
-  try {
-    const resp = await authFetch("/api/access/request/onboarding/attest", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ request_code: requestCode.value.trim(), step, completed: checked }),
-    });
-    const data = await resp.json().catch(() => ({}));
-    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
-    status.value = data.status || status.value;
-    onboarding.value = data.onboarding || onboarding.value;
-  } catch (err) {
-    error.value = err.message || "Failed to update onboarding";
-  } finally {
-    loading.value = false;
-  }
-}
-
-async function sha256Hex(text) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(text);
-  const digest = await crypto.subtle.digest("SHA-256", data);
-  return Array.from(new Uint8Array(digest))
+async function sha256Hex(value) {
+  const data = new TextEncoder().encode(value);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash))
     .map((byte) => byte.toString(16).padStart(2, "0"))
     .join("");
 }
 
-async function verifyElementRecoveryKey() {
-  if (!auth.authenticated) {
-    error.value = "Log in to verify your recovery key.";
-    return;
+function parseManifest(files) {
+  const grouped = {};
+  for (const path of files) {
+    if (typeof path !== "string") continue;
+    const cleaned = path.replace(/^\/+/, "").replace(/\\/g, "/");
+    const parts = cleaned.split("/");
+    if (parts.length < 3) continue;
+    const service = parts[0];
+    const step = parts[1];
+    const rest = parts.slice(2);
+    let variant = "default";
+    let filename = rest.join("/");
+    if (rest.length > 1) {
+      variant = rest[0];
+      filename = rest.slice(1).join("/");
+    }
+    const order = guideOrder(filename);
+    const label = guideLabel(filename);
+    const url = `/media/onboarding/${cleaned}`;
+    grouped[service] = grouped[service] || {};
+    grouped[service][step] = grouped[service][step] || {};
+    grouped[service][step][variant] = grouped[service][step][variant] || { id: variant, title: variant === "default" ? "" : variant, shots: [] };
+    grouped[service][step][variant].shots.push({ url, order, label, file: filename });
   }
-  if (isStepBlocked("element_recovery_key")) {
-    error.value = "Complete earlier onboarding steps first.";
-    return;
-  }
-  const raw = elementRecoveryKey.value.trim();
-  if (!raw) return;
-  error.value = "";
-  loading.value = true;
-  try {
-    const hash = await sha256Hex(raw);
-    const resp = await authFetch("/api/access/request/onboarding/element-recovery", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ request_code: requestCode.value.trim(), sha256: hash }),
+
+  Object.values(grouped).forEach((serviceSteps) => {
+    Object.values(serviceSteps).forEach((variants) => {
+      Object.values(variants).forEach((group) => {
+        group.shots.sort((a, b) => (a.order - b.order) || a.file.localeCompare(b.file));
+      });
     });
-    const data = await resp.json().catch(() => ({}));
-    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
-    status.value = data.status || status.value;
-    onboarding.value = data.onboarding || onboarding.value;
-    elementRecoveryKey.value = "";
-  } catch (err) {
-    error.value = err.message || "Failed to verify recovery key";
-  } finally {
-    loading.value = false;
+  });
+
+  return grouped;
+}
+
+function guideOrder(filename) {
+  const prefix = filename.match(/^(\d{1,3})/);
+  if (prefix) return Number(prefix[1]);
+  const step = filename.match(/step[-_ ]?(\d{1,3})/i);
+  if (step) return Number(step[1]);
+  return Number.MAX_SAFE_INTEGER;
+}
+
+function guideLabel(filename) {
+  const base = filename.replace(/\.(png|jpe?g|webp)$/i, "");
+  return base.replace(/^\d+[-_]?/, "").replace(/[-_]/g, " ").trim();
+}
+
+async function loadGuideShots() {
+  try {
+    const resp = await fetch("/media/onboarding/manifest.json", { headers: { Accept: "application/json" } });
+    if (!resp.ok) return;
+    const payload = await resp.json();
+    const files = Array.isArray(payload?.files) ? payload.files : [];
+    guideShots.value = parseManifest(files);
+  } catch {
+    guideShots.value = {};
   }
 }
 
@@ -1055,12 +1003,13 @@ onMounted(async () => {
     requestCode.value = code.trim();
     await check();
   }
+  await loadGuideShots();
 });
 </script>
 
 <style scoped>
 .page {
-  max-width: 960px;
+  max-width: 1080px;
   margin: 0 auto;
   padding: 32px 22px 72px;
 }
@@ -1125,10 +1074,6 @@ h1 {
   color: var(--text-muted);
 }
 
-.meta-row .value {
-  color: var(--text-strong);
-}
-
 .input {
   flex: 1;
   padding: 10px 12px;
@@ -1148,24 +1093,162 @@ button.primary {
   font-weight: 700;
 }
 
+button.secondary {
+  background: rgba(255, 255, 255, 0.08);
+  border: 1px solid rgba(255, 255, 255, 0.16);
+  color: var(--text-primary);
+  padding: 8px 12px;
+  border-radius: 10px;
+  cursor: pointer;
+  font-weight: 600;
+}
+
 .steps {
   margin-top: 16px;
 }
 
-.steps h3 {
-  margin: 0 0 8px;
+.onboarding-head {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  gap: 14px;
+  margin-bottom: 8px;
 }
 
-.onboarding-head {
+.section-stepper {
+  margin: 16px 0 18px;
+  list-style: none;
+  display: flex;
+  flex-wrap: wrap;
+  gap: 10px;
+  padding: 0;
+}
+
+.stepper-item {
+  flex: 1 1 180px;
+  min-width: 170px;
+}
+
+.stepper-card {
+  width: 100%;
+  text-align: left;
+  padding: 12px 12px 12px 36px;
+  border-radius: 12px;
+  border: 1px solid rgba(255, 255, 255, 0.12);
+  background: rgba(0, 0, 0, 0.2);
+  color: var(--text-primary);
+  display: flex;
+  gap: 8px;
+  position: relative;
+}
+
+.stepper-card::after {
+  content: "";
+  position: absolute;
+  left: 24px;
+  right: -12px;
+  top: 18px;
+  height: 2px;
+  background: rgba(255, 255, 255, 0.08);
+  z-index: 0;
+}
+
+.stepper-item:last-child .stepper-card::after {
+  display: none;
+}
+
+.stepper-dot {
+  position: absolute;
+  left: 12px;
+  top: 12px;
+  width: 10px;
+  height: 10px;
+  border-radius: 999px;
+  border: 2px solid rgba(255, 255, 255, 0.22);
+  background: rgba(255, 255, 255, 0.16);
+  z-index: 1;
+}
+
+.stepper-body {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.stepper-title {
+  font-weight: 700;
+}
+
+.stepper-meta {
   display: flex;
   align-items: center;
   justify-content: space-between;
   gap: 12px;
-  margin-bottom: 8px;
+  color: var(--text-muted);
+}
+
+.stepper-card.active {
+  border-color: rgba(125, 208, 255, 0.5);
+  box-shadow: 0 0 0 1px rgba(79, 139, 255, 0.3);
+}
+
+.stepper-card.active .stepper-dot {
+  background: rgba(125, 208, 255, 0.8);
+  border-color: rgba(125, 208, 255, 0.85);
+}
+
+.stepper-card.done {
+  border-color: rgba(92, 214, 167, 0.35);
+  background: rgba(92, 214, 167, 0.08);
+}
+
+.stepper-card.done .stepper-dot {
+  background: rgba(92, 214, 167, 0.9);
+  border-color: rgba(92, 214, 167, 0.95);
+}
+
+.stepper-card.locked {
+  opacity: 0.6;
+}
+
+@media (max-width: 860px) {
+  .stepper-card::after {
+    display: none;
+  }
+}
+
+.credential-card {
+  margin-top: 14px;
+  padding: 14px;
+  border-radius: 14px;
+  border: 1px solid rgba(255, 255, 255, 0.12);
+  background: rgba(0, 0, 0, 0.2);
+}
+
+.credential-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+  gap: 14px;
+}
+
+.credential-field .label {
+  display: block;
+  margin-bottom: 6px;
+  color: var(--text-muted);
+}
+
+.password-row {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+}
+
+.password-row .input {
+  flex: 1;
 }
 
 .login-callout {
-  margin-top: 10px;
+  margin-top: 14px;
   display: flex;
   align-items: center;
   justify-content: space-between;
@@ -1176,51 +1259,50 @@ button.primary {
   background: rgba(0, 0, 0, 0.18);
 }
 
-.checklist {
-  margin: 14px 0 0;
-  padding: 0;
-  list-style: none;
+.section-shell {
+  margin-top: 16px;
+  padding-top: 12px;
+  border-top: 1px solid rgba(255, 255, 255, 0.08);
+}
+
+.section-header {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  gap: 12px;
+  margin-bottom: 12px;
+}
+
+.section-actions {
+  display: flex;
+  gap: 8px;
+}
+
+.step-grid {
   display: grid;
   gap: 12px;
 }
 
-.check-item {
+.step-card {
   border: 1px solid rgba(255, 255, 255, 0.08);
   border-radius: 14px;
   padding: 12px 12px 10px;
   background: rgba(255, 255, 255, 0.02);
 }
 
-.check-item.blocked {
+.step-card.blocked {
   opacity: 0.55;
 }
 
-.check-item.active {
-  border-color: rgba(125, 208, 255, 0.45);
-  background: rgba(79, 139, 255, 0.08);
-  box-shadow: 0 0 0 1px rgba(79, 139, 255, 0.2);
-}
-
-.check-item.done {
+.step-card.done {
   border-color: rgba(92, 214, 167, 0.35);
   background: rgba(92, 214, 167, 0.05);
 }
 
-.check-item.skipped {
-  border-color: rgba(146, 158, 182, 0.25);
-}
-
-.check-item.done label,
-.check-item.active label {
-  color: var(--text-primary);
-}
-
-.check-item label {
+.step-head {
   display: flex;
   align-items: center;
-  gap: 10px;
-  font-weight: 650;
-  color: var(--text-strong);
+  gap: 12px;
 }
 
 .auto-pill {
@@ -1230,11 +1312,46 @@ button.primary {
   border-radius: 999px;
 }
 
-.check-item input[type="checkbox"] {
+.step-title {
+  font-weight: 650;
+  color: var(--text-strong);
+}
+
+.step-label {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+}
+
+.step-label input {
   width: 18px;
   height: 18px;
 }
 
+.step-bullets {
+  margin: 8px 0 0;
+  padding-left: 18px;
+  color: var(--text-muted);
+}
+
+.step-links {
+  margin-top: 8px;
+  display: flex;
+  flex-wrap: wrap;
+  gap: 10px;
+}
+
+.step-links a {
+  color: var(--text-link);
+}
+
+.step-actions {
+  margin-top: 10px;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+
 .recovery-verify {
   display: flex;
   gap: 10px;
@@ -1246,281 +1363,90 @@ button.primary {
   flex: 1;
 }
 
-.recovery-verify .verify {
-  min-width: 96px;
-}
-
-.mfa-row {
-  display: flex;
-  align-items: flex-start;
-  justify-content: space-between;
-  gap: 12px;
-}
-
-.mfa-title {
-  font-weight: 650;
-  color: var(--text-strong);
-}
-
-.mfa-description {
-  margin: 6px 0 0;
-}
-
-.mfa-actions {
-  display: flex;
-  justify-content: flex-end;
-  gap: 10px;
-  margin-top: 10px;
-}
-
-button.secondary {
-  padding: 10px 14px;
-  border-radius: 10px;
-  border: 1px solid rgba(255, 255, 255, 0.14);
-  background: rgba(0, 0, 0, 0.22);
-  color: var(--text-primary);
-  cursor: pointer;
-  font-weight: 650;
-}
-
-.mfa-qr {
-  margin-top: 12px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(0, 0, 0, 0.16);
-  padding: 10px 12px;
-}
-
-.mfa-qr summary {
-  cursor: pointer;
-  color: var(--text-muted);
-}
-
-.mfa-qr-grid {
-  margin-top: 12px;
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(210px, 1fr));
-  gap: 12px;
-}
-
-.mfa-qr-card {
-  display: grid;
-  justify-items: center;
-  gap: 8px;
-  padding: 12px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(255, 255, 255, 0.02);
-}
-
-.mfa-qr-label {
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.mfa-qr-img {
-  width: 180px;
-  height: 180px;
-  border-radius: 10px;
-  background: #ffffff;
-  padding: 6px;
-}
-
-.mfa-qr-link {
-  color: rgba(125, 208, 255, 0.9);
-  font-size: 12px;
-  text-decoration: none;
-}
-
-.mfa-error {
-  margin-top: 10px;
-}
-
-.howto {
-  margin-top: 10px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(0, 0, 0, 0.16);
-  padding: 10px 12px;
-}
-
-.howto summary {
-  cursor: pointer;
-  color: var(--text-muted);
-}
-
-.howto-list {
-  margin: 10px 0 0;
-  padding-left: 18px;
-  display: grid;
-  gap: 6px;
-}
-
-.mobile-guides {
-  margin-top: 18px;
-  display: grid;
-  gap: 12px;
-}
-
-.guide-grid {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
-  gap: 12px;
-}
-
-.guide-card {
-  display: flex;
-  flex-direction: column;
-  gap: 8px;
-}
-
-.guide-actions {
-  margin-top: 10px;
-  display: flex;
-  gap: 10px;
-}
-
-.guide-link {
-  color: rgba(125, 208, 255, 0.9);
-  text-decoration: none;
-}
-
 .guide-details {
   margin-top: 10px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(0, 0, 0, 0.16);
-  padding: 10px 12px;
 }
 
-.guide-details summary {
-  cursor: pointer;
-  color: var(--text-muted);
+.guide-groups {
+  display: grid;
+  gap: 12px;
+  margin-top: 8px;
+}
+
+.guide-title {
+  margin: 0 0 6px;
 }
 
 .guide-images {
-  margin-top: 12px;
   display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+  grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
   gap: 10px;
 }
 
 .guide-shot {
-  margin: 0;
-  display: grid;
-  gap: 6px;
+  border-radius: 10px;
+  overflow: hidden;
+  border: 1px solid rgba(255, 255, 255, 0.1);
+  background: rgba(0, 0, 0, 0.2);
+  padding: 6px;
 }
 
 .guide-shot img {
   width: 100%;
-  border-radius: 10px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(0, 0, 0, 0.25);
-}
-
-.guide-shot figcaption {
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-@media (max-width: 560px) {
-  .recovery-verify {
-    flex-direction: column;
-  }
-
-  .recovery-verify .verify {
-    width: 100%;
-  }
+  border-radius: 8px;
 }
 
 .ready-box {
-  margin-top: 14px;
+  margin-top: 18px;
   padding: 14px;
   border-radius: 14px;
-  border: 1px solid rgba(120, 180, 255, 0.25);
-  background: rgba(120, 180, 255, 0.06);
-}
-
-.initial-password {
-  margin-top: 14px;
-  padding: 14px;
-  border-radius: 14px;
-  border: 1px solid rgba(255, 220, 120, 0.25);
-  background: rgba(255, 220, 120, 0.06);
-}
-
-.task-box {
-  margin-top: 14px;
-  padding: 14px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  border-radius: 14px;
-  background: rgba(0, 0, 0, 0.25);
+  border: 1px solid rgba(92, 214, 167, 0.3);
+  background: rgba(92, 214, 167, 0.08);
 }
 
 .task-list {
-  list-style: none;
-  padding: 0;
   margin: 0;
+  padding: 0;
+  list-style: none;
   display: grid;
-  gap: 10px;
+  gap: 8px;
 }
 
 .task-row {
-  display: grid;
-  gap: 6px;
-  grid-template-columns: 1fr auto;
+  display: flex;
   align-items: center;
+  gap: 12px;
 }
 
 .task-name {
-  color: var(--text);
+  min-width: 180px;
 }
 
 .task-detail {
-  grid-column: 1 / -1;
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.request-code-row {
-  margin-top: 12px;
-  display: flex;
-  flex-direction: column;
-  gap: 6px;
-}
-
-.copy {
-  display: inline-flex;
-  align-items: center;
-  gap: 10px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.14);
-  background: rgba(0, 0, 0, 0.22);
-  color: var(--text-primary);
-  padding: 10px 12px;
-  cursor: pointer;
-}
-
-.copied {
-  font-size: 12px;
-  color: rgba(120, 255, 160, 0.9);
-}
-
-.steps ol {
-  margin: 0;
-  padding-left: 18px;
-  color: var(--text-muted);
-}
-
-.muted {
   color: var(--text-muted);
 }
 
 .error-box {
   margin-top: 12px;
-  border-radius: 12px;
-  border: 1px solid rgba(255, 87, 87, 0.5);
-  background: rgba(255, 87, 87, 0.06);
-  padding: 10px 12px;
+  padding: 12px;
+  border-radius: 14px;
+  border: 1px solid rgba(255, 120, 120, 0.4);
+  background: rgba(255, 70, 70, 0.1);
+}
+
+@media (max-width: 720px) {
+  .status-form {
+    flex-direction: column;
+  }
+
+  .section-actions {
+    width: 100%;
+    justify-content: flex-start;
+  }
+
+  .password-row {
+    flex-direction: column;
+    align-items: stretch;
+  }
 }
 </style>
diff --git a/media/onboarding/budget/step1_encrypt_data/.keep b/media/onboarding/budget/step1_encrypt_data/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/element/step1_web_access/.keep b/media/onboarding/element/step1_web_access/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/element/step2_record_recovery_key/.keep b/media/onboarding/element/step2_record_recovery_key/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/element/step3_mobile_app_and_qr_code_login/.keep b/media/onboarding/element/step3_mobile_app_and_qr_code_login/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/firefly/step1_web_access/.keep b/media/onboarding/firefly/step1_web_access/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/firefly/step2_mobile_app/.keep b/media/onboarding/firefly/step2_mobile_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step1_web_access/.keep b/media/onboarding/jellyfin/step1_web_access/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step2_mobile_app/.keep b/media/onboarding/jellyfin/step2_mobile_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/.keep b/media/onboarding/jellyfin/step3_tv_integrations/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/Apple/.keep b/media/onboarding/jellyfin/step3_tv_integrations/Apple/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/LG/.keep b/media/onboarding/jellyfin/step3_tv_integrations/LG/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/Roku/.keep b/media/onboarding/jellyfin/step3_tv_integrations/Roku/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/Samsung/.keep b/media/onboarding/jellyfin/step3_tv_integrations/Samsung/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/jellyfin/step3_tv_integrations/Xbox/.keep b/media/onboarding/jellyfin/step3_tv_integrations/Xbox/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/mail/step1_mail_app/.keep b/media/onboarding/mail/step1_mail_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/nextcloud/step1_web_access/.keep b/media/onboarding/nextcloud/step1_web_access/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/nextcloud/step2_mail_integration/.keep b/media/onboarding/nextcloud/step2_mail_integration/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/nextcloud/step3_desktop_storage_app/.keep b/media/onboarding/nextcloud/step3_desktop_storage_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/nextcloud/step4_mobile_app/.keep b/media/onboarding/nextcloud/step4_mobile_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/vaultwarden/step1_website/.keep b/media/onboarding/vaultwarden/step1_website/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/vaultwarden/step2_browser_extension/.keep b/media/onboarding/vaultwarden/step2_browser_extension/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/vaultwarden/step3_mobile_app/.keep b/media/onboarding/vaultwarden/step3_mobile_app/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/wger/step1_web_access/.keep b/media/onboarding/wger/step1_web_access/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/media/onboarding/wger/step2_mobile_app/.keep b/media/onboarding/wger/step2_mobile_app/.keep
new file mode 100644
index 0000000..e69de29