diff --git a/bastion/src/bastion/src/templates/install.ks.ts b/bastion/src/bastion/src/templates/install.ks.ts
index a3c4867..fc3b5f7 100644
--- a/bastion/src/bastion/src/templates/install.ks.ts
+++ b/bastion/src/bastion/src/templates/install.ks.ts
@@ -302,6 +302,29 @@ bastion_progress() {
         -d "{\\"mac\\":\\"$mac\\",\\"stage\\":\\"$stage\\",\\"detail\\":\\"$detail\\"}" 2>/dev/null || true
 }
 
+# Send log lines to bastion
+bastion_log() {
+    local line="$1"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {print $2; exit}')
+    curl -sf -X POST "http://${serverIp}:${httpPort}/api/log" \\
+        -H "Content-Type: application/json" \\
+        -d "{\\"mac\\":\\"$mac\\",\\"line\\":\\"$(echo "$line" | sed 's/\\\\/\\\\\\\\/g; s/"/\\\\"/g')\\"}\" \\
+        --connect-timeout 5 --max-time 10 2>/dev/null || true
+}
+
+# Send an error stage to bastion
+bastion_error() {
+    local detail="$1"
+    bastion_progress "error" "$detail"
+}
+
+# --- Error trap: catch any failure and report to bastion ---
+_post_error_handler() {
+    local exit_code=$? lineno=$1
+    bastion_error "%post failed at line $lineno (exit $exit_code)"
+}
+trap '_post_error_handler $LINENO' ERR
+
 bastion_progress "post-install" "configuring system"
 
 # -- SSH --
@@ -318,7 +341,10 @@ echo "tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,size=4G 0 0" >> /etc/fstab
 
 ${isVanilla ? `# -- vanilla role: skip k3s kernel/sysctl/firewall setup --
 # -- Enable chronyd for time sync --
-systemctl enable chronyd || true` : `# -- Kernel modules for k3s --
+systemctl enable chronyd || true
+
+# -- Serial console (for debugging — auto-login as root on ttyS0) --
+systemctl enable serial-getty@ttyS0.service || true` : `# -- Kernel modules for k3s --
 cat > /etc/modules-load.d/k3s.conf << 'MODULES'
 br_netfilter
 overlay