Three branches now: (1) already running -> skip; (2) installed but
stopped -> prompt to enable+start; (3) not installed -> prompt to
install+enable+start. Each decline path logs `(user choice)` so a
re-run doesn't surprise the dev with a different state.
Reasoning: some corp environments already ship brute-force protection
at the network layer (ACL / corp firewall / appliance). fail2ban on
the host is then redundant and can be the wrong layer to debug from
when a rule misfires. The other three hardening steps (UFW,
sshd lockdown) were already prompt-gated; fail2ban was the odd one out.
Table descriptors in the main doc + setup README updated to make
each sub-step's prompt posture visible.