1d8de3365f
CI / commits (pull_request) Successful in 3m51s
CI / scan (pull_request) Successful in 4m13s
CI / check (pull_request) Successful in 4m24s
CI / a11y (pull_request) Successful in 3m49s
Docs site / build (pull_request) Successful in 3m51s
CI / perf (pull_request) Successful in 6m54s
Three branches now: (1) already running -> skip; (2) installed but stopped -> prompt to enable+start; (3) not installed -> prompt to install+enable+start. Each decline path logs `(user choice)` so a re-run doesn't surprise the dev with a different state. Reasoning: some corp environments already ship brute-force protection at the network layer (ACL / corp firewall / appliance). fail2ban on the host is then redundant and can be the wrong layer to debug from when a rule misfires. The other three hardening steps (UFW, sshd lockdown) were already prompt-gated; fail2ban was the odd one out. Table descriptors in the main doc + setup README updated to make each sub-step's prompt posture visible.