proofbench-collector 1.0.0__tar.gz

proofbench_collector-1.0.0/.gitignore

@@ -0,0 +1,89 @@
+# ============================================================
+# ProofBench · .gitignore
+# ============================================================
+
+# ── Secrets (never commit) ──────────────────────────────────
+.env
+.env.*
+!.env.example
+*.pem
+*.key
+.dev.vars
+.dev.vars.*
+secrets/
+.cloudflare-token
+.wrangler-token
+
+# ── Local Cloudflare state ──────────────────────────────────
+.wrangler/
+wrangler.log
+.cloudflared/
+
+# ── Node ────────────────────────────────────────────────────
+node_modules/
+.npm/
+.yarn/
+.pnpm-store/
+.pnp.*
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+.turbo/
+
+# ── TypeScript / build output ───────────────────────────────
+dist/
+build/
+.next/
+.nuxt/
+*.tsbuildinfo
+
+# ── Python (collector) ──────────────────────────────────────
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.eggs/
+.venv/
+venv/
+env/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+
+# ── Supabase ────────────────────────────────────────────────
+supabase/.temp/
+supabase/.branches/
+
+# ── Editor / OS ─────────────────────────────────────────────
+.DS_Store
+._*
+Thumbs.db
+.idea/
+.vscode/*
+!.vscode/settings.example.json
+*.swp
+*.swo
+*~
+.history/
+
+# ── Archives (snapshots — committed separately as tagged releases) ──
+June 02 2026/**/Archive.zip
+June 02 2026/developer-packet/Archive/
+June 02 2026/developer-packet/code/node_modules/
+June 02 2026/code/node_modules/
+
+# ── Logs ────────────────────────────────────────────────────
+*.log
+logs/
+
+# ── Test / coverage ─────────────────────────────────────────
+coverage/
+.nyc_output/
+
+# ── Tmp ─────────────────────────────────────────────────────
+tmp/
+.tmp/
+*.tmp

proofbench_collector-1.0.0/PKG-INFO

@@ -0,0 +1,222 @@
+Metadata-Version: 2.4
+Name: proofbench-collector
+Version: 1.0.0
+Summary: ProofBench — local network discovery collector. Wraps nmap + passive ARP/mDNS, signs the bundle locally, uploads to proofbench.io for cryptographic counter-signing.
+Project-URL: Homepage, https://proofbench.io
+Project-URL: Documentation, https://proofbench.io/about/architecture
+Project-URL: Repository, https://github.com/proofbench/proofbench-collector
+Project-URL: Issues, https://github.com/proofbench/proofbench-collector/issues
+Author-email: "ProofBench, Inc." <rayve@eftconsultants.com>
+License: Apache-2.0
+Keywords: attestation,compliance,cyber-insurance,cybersecurity,mcp,network-discovery
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Requires-Dist: requests<3.0,>=2.31
+Provides-Extra: dev
+Requires-Dist: mypy>=1.7; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1; extra == 'dev'
+Requires-Dist: pytest>=7.4; extra == 'dev'
+Requires-Dist: ruff>=0.1; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# Provelab Collector
+
+Local network discovery for SMBs. Runs on your laptop, signs the evidence, uploads to proofbench.io.
+
+**What it does in 90 seconds:** wraps `nmap` + passive ARP/mDNS observation, normalizes results into the Provelab Run/Asset/Evidence schema, signs the bundle with HMAC-SHA256 using your collector's enrollment token, and POSTs the signed bundle to proofbench.io. The cloud verifies the signature and renders your inventory + Coalition cyber-insurance renewal questionnaire.
+
+**What it does NOT do:** initiate any scan from the cloud, collect default credentials, run exploits, scan anything outside the CIDR you authorize, store data anywhere except `~/.config/provelab/` locally and your authorized ProofBench cloud bucket.
+
+## Install
+
+### macOS
+
+```bash
+brew install nmap
+pipx install provelab-collector       # or: pip install --user provelab-collector
+```
+
+### Linux (Debian / Ubuntu)
+
+```bash
+sudo apt install nmap avahi-utils
+pipx install provelab-collector       # or: pip install --user provelab-collector
+```
+
+### Windows (via WSL — native Windows native binary in v1.1)
+
+```bash
+# inside WSL Ubuntu
+sudo apt install nmap
+pipx install provelab-collector
+```
+
+Verify:
+
+```bash
+provelab --version
+# provelab v0.0.1
+```
+
+## Quick start
+
+```bash
+# 1. Enroll the collector with your ProofBench account
+provelab enroll
+
+# 2. Run a scan against your network
+provelab scan 192.168.1.0/24
+
+# 3. Upload the signed bundle to proofbench.io
+provelab scan 192.168.1.0/24 --upload
+```
+
+After `--upload`, your dashboard at https://proofbench.io/app updates within ~10 seconds and your Trust Center URL at `proofbench.io/trust/{your-slug}` shows the new posture.
+
+## Commands
+
+### `provelab enroll`
+
+Pairs this collector with your ProofBench organization. Interactive — opens an enrollment URL, you sign in, paste the one-time token back into the terminal. The token is stored locally at `~/.config/provelab/config.json` with `0600` permissions.
+
+```bash
+provelab enroll
+provelab enroll --api https://proofbench.io   # custom API base (default is proofbench.io)
+```
+
+### `provelab scan <cidr>`
+
+Run a discovery scan against a CIDR.
+
+```bash
+provelab scan 192.168.1.0/24                     # default profile: iot_ot_cautious
+provelab scan 10.0.0.0/16 --profile passive_only  # passive observations only
+provelab scan 192.168.1.0/24 --profile lab_permissive  # broader probes (lab only)
+provelab scan 192.168.1.0/24 --output run.json   # save locally without uploading
+provelab scan 192.168.1.0/24 --upload            # sign + upload in one step
+```
+
+**Scan profiles:**
+
+| Profile | What it does | When to use |
+| --- | --- | --- |
+| `passive_only` | ARP + mDNS observation only. No active probes. | Quiet networks, sensitive OT environments, or pre-flight reconnaissance. |
+| `iot_ot_cautious` *(default)* | Bounded probes: mDNS, SSDP, ICMP, selected TCP banners on common ports (22, 80, 443, 554, etc.). | Normal office and SMB networks. Safe for production. |
+| `lab_permissive` | Broader TCP banner reads across more ports. Higher network activity. | Lab environments and explicit maintenance windows. **Do not use on sensitive production OT.** |
+
+Each profile has a strict allowlist of nmap flags. The CLI rejects anything outside the allowlist — you can't accidentally invoke an aggressive scan.
+
+### `provelab status`
+
+Show the current collector configuration.
+
+```bash
+provelab status
+# provelab v0.0.1
+#   api_base:     https://proofbench.io
+#   collector_id: collector-acme-corp-laptop
+#   enrolled:     yes
+#   config_path:  /Users/you/.config/provelab/config.json
+```
+
+### `provelab verify <bundle.json>`
+
+Verify the HMAC signature on a bundle file. Useful for offline review or for a customer to independently check that an uploaded bundle wasn't tampered with.
+
+```bash
+provelab verify provelab-run-20260601-...json
+# [provelab] ✓ signature valid
+#   run_id:        run-20260601-...
+#   collector_id:  collector-acme-corp-laptop
+#   completed_at:  2026-06-01T14:23:11Z
+#   bundle_sha256: a3f9b12e...
+```
+
+## What the bundle contains
+
+The signed JSON has this shape (full schema in `fixture-network-v0.json`):
+
+```json
+{
+  "version": "1.0.0",
+  "run_metadata": {
+    "run_id": "run-20260601-...",
+    "collector_id": "collector-acme-corp-laptop",
+    "profile": "iot_ot_cautious",
+    "scope": "192.168.1.0/24",
+    "started_at": "2026-06-01T14:22:11Z",
+    "completed_at": "2026-06-01T14:23:11Z",
+    "asset_count": 47,
+    "evidence_count": 132,
+    "needs_review_count": 3
+  },
+  "assets": [
+    {
+      "id": "asset-a3f9b12e",
+      "ip": "192.168.1.1",
+      "mac": "aa:bb:cc:00:00:01",
+      "hostname": "edge-firewall",
+      "vendor": "Fortinet",
+      "os_hint": "FortiOS 7.4.2",
+      "identity_class": "router-firewall",
+      "identity_label": "Edge firewall",
+      "confidence": 98,
+      "review_state": "accepted",
+      "review_reason": "normal",
+      "subnet": "192.168.1.0/24",
+      "open_ports": [22, 443],
+      "protocols_observed": ["ssh", "https", "snmp", "arp"],
+      "evidence_ids": ["ev-a3f9b12e-arp", "ev-a3f9b12e-p22", "..."],
+      "coalition_questions": ["Q22_internet_facing_inventory"]
+    }
+  ],
+  "signature": {
+    "version": "v1",
+    "bundle_sha256": "...",
+    "hmac_sha256": "..."
+  }
+}
+```
+
+## Security notes
+
+- **Your enrollment token never leaves your machine** except as the HMAC key used to sign bundles. The server stores only the SHA-256 hash of the token.
+- **Bundles are signed locally before upload.** The signature binds the bundle hash to the collector ID, run ID, site ID, profile, and authorized scope. A signature for one bundle cannot be replayed against a different one.
+- **The cloud cannot forge a signature.** It does not have your enrollment token, only its hash. Token compromise requires direct access to your laptop or your `~/.config/provelab/` directory.
+- **Bundles can be verified offline.** `provelab verify <bundle.json>` re-runs the signature check locally. Anyone with the token (you) can verify; nobody else can.
+
+## Troubleshooting
+
+**"nmap not found"** — install nmap via your package manager (see Install above).
+
+**"Permission denied" on ARP scans** — nmap's `-PR` ARP discovery requires root. Run with `sudo provelab scan ...`. The scan profiles use SYN scans (also root-required on Linux) for similar reasons.
+
+**Scan takes too long** — the `iot_ot_cautious` profile has a 3-minute timeout per /24. Larger CIDRs scale linearly. For /16 networks, expect ~10 minutes.
+
+**"upload rejected: rate limit exceeded"** — Free Forever tier allows 1 attested run per month. Upgrade to Solo ($49/mo) for unlimited runs at https://proofbench.io/upgrade.
+
+**"signature verification failed"** — your enrollment token may be invalid. Re-enroll with `provelab enroll`.
+
+**No mDNS observations on macOS** — v0 doesn't parse macOS `dns-sd` output. mDNS enrichment requires `avahi-browse` (Linux). The scan still works; mDNS just doesn't enrich.
+
+## Source
+
+Open source. Apache 2.0. https://github.com/proofbench/provelab-collector
+
+Bug reports + security disclosures: rayve@eftconsultants.com
+
+---
+
+*Provelab by ProofBench · provelab-collector v0.0.1 · The evidence layer for SMB cyber posture.*

proofbench_collector-1.0.0/README.md

@@ -0,0 +1,189 @@
+# Provelab Collector
+
+Local network discovery for SMBs. Runs on your laptop, signs the evidence, uploads to proofbench.io.
+
+**What it does in 90 seconds:** wraps `nmap` + passive ARP/mDNS observation, normalizes results into the Provelab Run/Asset/Evidence schema, signs the bundle with HMAC-SHA256 using your collector's enrollment token, and POSTs the signed bundle to proofbench.io. The cloud verifies the signature and renders your inventory + Coalition cyber-insurance renewal questionnaire.
+
+**What it does NOT do:** initiate any scan from the cloud, collect default credentials, run exploits, scan anything outside the CIDR you authorize, store data anywhere except `~/.config/provelab/` locally and your authorized ProofBench cloud bucket.
+
+## Install
+
+### macOS
+
+```bash
+brew install nmap
+pipx install provelab-collector       # or: pip install --user provelab-collector
+```
+
+### Linux (Debian / Ubuntu)
+
+```bash
+sudo apt install nmap avahi-utils
+pipx install provelab-collector       # or: pip install --user provelab-collector
+```
+
+### Windows (via WSL — native Windows native binary in v1.1)
+
+```bash
+# inside WSL Ubuntu
+sudo apt install nmap
+pipx install provelab-collector
+```
+
+Verify:
+
+```bash
+provelab --version
+# provelab v0.0.1
+```
+
+## Quick start
+
+```bash
+# 1. Enroll the collector with your ProofBench account
+provelab enroll
+
+# 2. Run a scan against your network
+provelab scan 192.168.1.0/24
+
+# 3. Upload the signed bundle to proofbench.io
+provelab scan 192.168.1.0/24 --upload
+```
+
+After `--upload`, your dashboard at https://proofbench.io/app updates within ~10 seconds and your Trust Center URL at `proofbench.io/trust/{your-slug}` shows the new posture.
+
+## Commands
+
+### `provelab enroll`
+
+Pairs this collector with your ProofBench organization. Interactive — opens an enrollment URL, you sign in, paste the one-time token back into the terminal. The token is stored locally at `~/.config/provelab/config.json` with `0600` permissions.
+
+```bash
+provelab enroll
+provelab enroll --api https://proofbench.io   # custom API base (default is proofbench.io)
+```
+
+### `provelab scan <cidr>`
+
+Run a discovery scan against a CIDR.
+
+```bash
+provelab scan 192.168.1.0/24                     # default profile: iot_ot_cautious
+provelab scan 10.0.0.0/16 --profile passive_only  # passive observations only
+provelab scan 192.168.1.0/24 --profile lab_permissive  # broader probes (lab only)
+provelab scan 192.168.1.0/24 --output run.json   # save locally without uploading
+provelab scan 192.168.1.0/24 --upload            # sign + upload in one step
+```
+
+**Scan profiles:**
+
+| Profile | What it does | When to use |
+| --- | --- | --- |
+| `passive_only` | ARP + mDNS observation only. No active probes. | Quiet networks, sensitive OT environments, or pre-flight reconnaissance. |
+| `iot_ot_cautious` *(default)* | Bounded probes: mDNS, SSDP, ICMP, selected TCP banners on common ports (22, 80, 443, 554, etc.). | Normal office and SMB networks. Safe for production. |
+| `lab_permissive` | Broader TCP banner reads across more ports. Higher network activity. | Lab environments and explicit maintenance windows. **Do not use on sensitive production OT.** |
+
+Each profile has a strict allowlist of nmap flags. The CLI rejects anything outside the allowlist — you can't accidentally invoke an aggressive scan.
+
+### `provelab status`
+
+Show the current collector configuration.
+
+```bash
+provelab status
+# provelab v0.0.1
+#   api_base:     https://proofbench.io
+#   collector_id: collector-acme-corp-laptop
+#   enrolled:     yes
+#   config_path:  /Users/you/.config/provelab/config.json
+```
+
+### `provelab verify <bundle.json>`
+
+Verify the HMAC signature on a bundle file. Useful for offline review or for a customer to independently check that an uploaded bundle wasn't tampered with.
+
+```bash
+provelab verify provelab-run-20260601-...json
+# [provelab] ✓ signature valid
+#   run_id:        run-20260601-...
+#   collector_id:  collector-acme-corp-laptop
+#   completed_at:  2026-06-01T14:23:11Z
+#   bundle_sha256: a3f9b12e...
+```
+
+## What the bundle contains
+
+The signed JSON has this shape (full schema in `fixture-network-v0.json`):
+
+```json
+{
+  "version": "1.0.0",
+  "run_metadata": {
+    "run_id": "run-20260601-...",
+    "collector_id": "collector-acme-corp-laptop",
+    "profile": "iot_ot_cautious",
+    "scope": "192.168.1.0/24",
+    "started_at": "2026-06-01T14:22:11Z",
+    "completed_at": "2026-06-01T14:23:11Z",
+    "asset_count": 47,
+    "evidence_count": 132,
+    "needs_review_count": 3
+  },
+  "assets": [
+    {
+      "id": "asset-a3f9b12e",
+      "ip": "192.168.1.1",
+      "mac": "aa:bb:cc:00:00:01",
+      "hostname": "edge-firewall",
+      "vendor": "Fortinet",
+      "os_hint": "FortiOS 7.4.2",
+      "identity_class": "router-firewall",
+      "identity_label": "Edge firewall",
+      "confidence": 98,
+      "review_state": "accepted",
+      "review_reason": "normal",
+      "subnet": "192.168.1.0/24",
+      "open_ports": [22, 443],
+      "protocols_observed": ["ssh", "https", "snmp", "arp"],
+      "evidence_ids": ["ev-a3f9b12e-arp", "ev-a3f9b12e-p22", "..."],
+      "coalition_questions": ["Q22_internet_facing_inventory"]
+    }
+  ],
+  "signature": {
+    "version": "v1",
+    "bundle_sha256": "...",
+    "hmac_sha256": "..."
+  }
+}
+```
+
+## Security notes
+
+- **Your enrollment token never leaves your machine** except as the HMAC key used to sign bundles. The server stores only the SHA-256 hash of the token.
+- **Bundles are signed locally before upload.** The signature binds the bundle hash to the collector ID, run ID, site ID, profile, and authorized scope. A signature for one bundle cannot be replayed against a different one.
+- **The cloud cannot forge a signature.** It does not have your enrollment token, only its hash. Token compromise requires direct access to your laptop or your `~/.config/provelab/` directory.
+- **Bundles can be verified offline.** `provelab verify <bundle.json>` re-runs the signature check locally. Anyone with the token (you) can verify; nobody else can.
+
+## Troubleshooting
+
+**"nmap not found"** — install nmap via your package manager (see Install above).
+
+**"Permission denied" on ARP scans** — nmap's `-PR` ARP discovery requires root. Run with `sudo provelab scan ...`. The scan profiles use SYN scans (also root-required on Linux) for similar reasons.
+
+**Scan takes too long** — the `iot_ot_cautious` profile has a 3-minute timeout per /24. Larger CIDRs scale linearly. For /16 networks, expect ~10 minutes.
+
+**"upload rejected: rate limit exceeded"** — Free Forever tier allows 1 attested run per month. Upgrade to Solo ($49/mo) for unlimited runs at https://proofbench.io/upgrade.
+
+**"signature verification failed"** — your enrollment token may be invalid. Re-enroll with `provelab enroll`.
+
+**No mDNS observations on macOS** — v0 doesn't parse macOS `dns-sd` output. mDNS enrichment requires `avahi-browse` (Linux). The scan still works; mDNS just doesn't enrich.
+
+## Source
+
+Open source. Apache 2.0. https://github.com/proofbench/provelab-collector
+
+Bug reports + security disclosures: rayve@eftconsultants.com
+
+---
+
+*Provelab by ProofBench · provelab-collector v0.0.1 · The evidence layer for SMB cyber posture.*

proofbench_collector-1.0.0/install.ps1

@@ -0,0 +1,135 @@
+# ============================================================================
+# Provelab by ProofBench - one-line installer for Windows (PowerShell 5.1+)
+#
+# Usage (interactive, from an elevated PowerShell prompt):
+#   irm https://proofbench.io/install.ps1 | iex
+#
+# Usage (non-interactive, with token from the dashboard):
+#   $env:PROOFBENCH_TOKEN = "provelab_enroll_xxx"
+#   $env:PROOFBENCH_COLLECTOR_ID = "collector-xxx"
+#   irm https://proofbench.io/install.ps1 | iex
+#
+# What this does:
+#   1. Verifies PowerShell 5.1+ and admin rights.
+#   2. Installs nmap and Python via winget (or scoop fallback).
+#   3. Installs the provelab CLI via pip --user.
+#   4. If $env:PROOFBENCH_TOKEN is set, enrolls non-interactively.
+#   5. Optionally registers a daily scheduled task. Controlled by
+#      $env:PROOFBENCH_INSTALL_SERVICE = "1" (default: off; opt-in).
+# ============================================================================
+
+$ErrorActionPreference = "Stop"
+
+function Write-Step  { param($msg) Write-Host "[provelab-install] $msg" -ForegroundColor DarkGray }
+function Write-OK    { param($msg) Write-Host "OK $msg" -ForegroundColor Green }
+function Write-Warn2 { param($msg) Write-Host "!  $msg" -ForegroundColor Yellow }
+function Write-Fail  { param($msg) Write-Host "X  $msg" -ForegroundColor Red }
+
+Write-Host ""
+Write-Host "  Provelab by ProofBench - collector installer" -ForegroundColor White
+Write-Host "  This script installs nmap, Python, and the provelab CLI." -ForegroundColor DarkGray
+Write-Host ""
+
+# ----- pre-flight -----------------------------------------------------------
+if ($PSVersionTable.PSVersion.Major -lt 5) {
+  Write-Fail "PowerShell 5.1 or newer required. Current: $($PSVersionTable.PSVersion)"
+  exit 1
+}
+
+$isAdmin = ([Security.Principal.WindowsPrincipal] `
+  [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
+  [Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if (-not $isAdmin) {
+  Write-Warn2 "Not running as Administrator. Some installs may fail."
+  Write-Warn2 "Right-click PowerShell -> Run as Administrator, then re-run."
+  Start-Sleep -Seconds 2
+}
+
+# ----- nmap install ---------------------------------------------------------
+if (Get-Command nmap -ErrorAction SilentlyContinue) {
+  Write-OK "nmap already installed"
+} else {
+  Write-Step "Installing nmap..."
+  if (Get-Command winget -ErrorAction SilentlyContinue) {
+    winget install --silent --accept-package-agreements --accept-source-agreements --id Insecure.Nmap
+  } elseif (Get-Command scoop -ErrorAction SilentlyContinue) {
+    scoop install nmap
+  } else {
+    Write-Fail "Neither winget nor scoop is installed. Install nmap manually from https://nmap.org/download.html then re-run."
+    exit 2
+  }
+  Write-OK "nmap installed"
+}
+
+# ----- python install -------------------------------------------------------
+if (Get-Command python -ErrorAction SilentlyContinue) {
+  Write-OK "Python already installed: $(python --version 2>&1)"
+} else {
+  Write-Step "Installing Python..."
+  if (Get-Command winget -ErrorAction SilentlyContinue) {
+    winget install --silent --accept-package-agreements --accept-source-agreements --id Python.Python.3.12
+    $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + `
+                [System.Environment]::GetEnvironmentVariable("Path","User")
+  } else {
+    Write-Fail "Install Python 3.10+ from https://python.org/downloads then re-run."
+    exit 2
+  }
+  Write-OK "Python installed"
+}
+
+# ----- provelab install -----------------------------------------------------
+Write-Step "Installing provelab-collector via pip..."
+python -m pip install --user --upgrade pip --quiet
+python -m pip install --user --upgrade provelab-collector --quiet
+if ($LASTEXITCODE -ne 0) {
+  Write-Fail "pip install provelab-collector failed."
+  exit 3
+}
+Write-OK "provelab CLI installed"
+
+# Make sure %APPDATA%\Python\Scripts is on PATH for this session.
+$userScripts = "$env:APPDATA\Python\Python312\Scripts"
+if (Test-Path $userScripts) { $env:Path = "$userScripts;$env:Path" }
+
+provelab --version
+
+# ----- enroll ---------------------------------------------------------------
+$tok = $env:PROOFBENCH_TOKEN
+$cid = $env:PROOFBENCH_COLLECTOR_ID
+$api = if ($env:PROOFBENCH_API) { $env:PROOFBENCH_API } else { "https://proofbench.io" }
+
+if ($tok -and $cid) {
+  Write-Step "Enrolling non-interactively..."
+  provelab enroll --token $tok --collector-id $cid --api $api
+  if ($LASTEXITCODE -ne 0) {
+    Write-Fail "Enrollment failed. Re-issue the token in your dashboard."
+    exit 4
+  }
+  Write-OK "Collector enrolled"
+} else {
+  Write-Host ""
+  Write-Warn2 "No PROOFBENCH_TOKEN provided. To finish setup, run:"
+  Write-Host  "      provelab enroll" -ForegroundColor White
+  Write-Host  "    and paste the token from https://proofbench.io/app/collectors"
+}
+
+# ----- optional scheduled task ---------------------------------------------
+if ($env:PROOFBENCH_INSTALL_SERVICE -eq "1") {
+  Write-Step "Registering daily scheduled scan..."
+  $cidr = if ($env:PROOFBENCH_DEFAULT_CIDR) { $env:PROOFBENCH_DEFAULT_CIDR } else { "192.168.1.0/24" }
+  provelab install-service --cidr $cidr
+  if ($LASTEXITCODE -ne 0) {
+    Write-Warn2 "Scheduled task registration failed. Run scans manually with: provelab scan <cidr>"
+  } else {
+    Write-OK "Scheduled task registered (runs daily at 03:00)"
+  }
+}
+
+Write-Host ""
+Write-Host "  Installation complete." -ForegroundColor Green
+Write-Host ""
+Write-Host "  Next steps:"
+Write-Host "    provelab scan 192.168.1.0/24 --upload"
+Write-Host "    Open https://proofbench.io/app to see your inventory."
+Write-Host ""