diff --git a/deploy/install.sh b/deploy/install.sh
index 0779736..b7f37ec 100755
--- a/deploy/install.sh
+++ b/deploy/install.sh
@@ -144,6 +144,18 @@ else
 fi
 install -m 0644 "${SCRIPT_DIR}/vetting.service" /etc/systemd/system/vetting.service
+# Install pxe-setup.sh + its pinned iPXE SHAs into a stable path so the
+# operator can run `vetting-pxe-setup ...` after the one-liner install.
+# The bundle's tempdir gets wiped by proxmox-install.sh on exit, so
+# without this the script would be inaccessible.
+if [[ -f "${SCRIPT_DIR}/pxe-setup.sh" && -f "${SCRIPT_DIR}/ipxe-shas.txt" ]]; then
+ echo "==> installing pxe-setup.sh and ipxe-shas.txt"
+ install -d -m 0755 /usr/local/share/vetting
+ install -m 0755 "${SCRIPT_DIR}/pxe-setup.sh" /usr/local/share/vetting/pxe-setup.sh
+ install -m 0644 "${SCRIPT_DIR}/ipxe-shas.txt" /usr/local/share/vetting/ipxe-shas.txt
+ ln -sfn /usr/local/share/vetting/pxe-setup.sh /usr/local/sbin/vetting-pxe-setup
+fi
+
 # Stage the live image into LIVE_DIR if we can find one. Two layouts:
 # - release bundle: ${SCRIPT_DIR}/live-image/{vmlinuz,initrd.img}
 # - repo-tree dev run: ${REPO_ROOT}/live-image/build/{vmlinuz,initrd.img}
diff --git a/deploy/proxmox-install.sh b/deploy/proxmox-install.sh
index 78cb332..77634df 100644
--- a/deploy/proxmox-install.sh
+++ b/deploy/proxmox-install.sh
@@ -78,7 +78,12 @@ To pin a specific build:
 ${REGISTRY_URL}/${PACKAGE_OWNER}/Vetting/raw/branch/main/deploy/proxmox-install.sh \\
 | sudo bash
-For PXE support, the bundle also ships deploy/pxe-setup.sh — see
-docs/operations.md for the flow.
+For PXE support, run:
+ sudo vetting-pxe-setup \\
+ --interface eth0 \\
+ --subnet 192.168.1.0/24 \\
+ --orchestrator-url http://:8080
+
+See docs/operations.md for the full flow.
 EOF
diff --git a/deploy/pxe-setup.sh b/deploy/pxe-setup.sh
index 95b378b..b82f28f 100755
--- a/deploy/pxe-setup.sh
+++ b/deploy/pxe-setup.sh
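Review bot: When only one of `pxe-setup.sh` / `ipxe-shas.txt` is present in `${SCRIPT_DIR}`, the new `if` in deploy/install.sh skips the whole block without a message. A re-install can then leave an older `/usr/local/share/vetting/ipxe-shas.txt` (per the added comment, the pinned iPXE SHAs) and an older script in place, or no `vetting-pxe-setup` at all, while the usage text changed in deploy/proxmox-install.sh tells the operator to run it. An `else` branch would make the skip visible: `else echo "WARN: pxe-setup.sh or ipxe-shas.txt missing from ${SCRIPT_DIR}; vetting-pxe-setup not installed or updated" >&2`. The three `install` calls also take ownership from whoever runs the script; if that is always root this is fine, otherwise `-o root -g root` states the intent for files that act as a trust anchor.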
@@ -38,7 +38,10 @@ BUNDLE_DIR=""
 FORCE=0
 SERVICE_USER="vetting"
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# Resolve symlinks so `vetting-pxe-setup` (a symlink into /usr/local/sbin
+# installed by install.sh) finds ipxe-shas.txt alongside the real script
+# in /usr/local/share/vetting/.
+SCRIPT_DIR="$(cd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" && pwd)"
 usage() {
 sed -n '2,28p' "${BASH_SOURCE[0]}"
@@ -176,10 +179,17 @@ for cand in \
 done
 if [[ -z "${LIVE_SRC}" ]]; then
- echo "WARN: no live image found under ${BUNDLE_DIR}/live-image or" >&2
- echo " ${BUNDLE_DIR}/../live-image/build — skipping live_dir staging." >&2
- echo " Build with 'wsl make live-image' or use a release tarball," >&2
- echo " then copy vmlinuz + initrd.img into ${LIVE_DIR} manually." >&2
+ # install.sh already stages vmlinuz + initrd.img into LIVE_DIR during
+ # the one-liner install, so a missing bundle/live-image/ is expected
+ # when pxe-setup.sh is run from /usr/local/sbin.
+ if [[ -f "${LIVE_DIR}/vmlinuz" && -f "${LIVE_DIR}/initrd.img" ]]; then
+ echo "==> live image already staged in ${LIVE_DIR} (from install.sh)"
+ else
+ echo "WARN: no live image found under ${BUNDLE_DIR}/live-image," >&2
+ echo " ${BUNDLE_DIR}/../live-image/build, or ${LIVE_DIR}." >&2
+ echo " The orchestrator will fail PXE startup validation until" >&2
+ echo " vmlinuz + initrd.img land in ${LIVE_DIR}." >&2
+ fi
 else
 echo "==> staging live image from ${LIVE_SRC} into ${LIVE_DIR}"
 install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${LIVE_DIR}"
diff --git a/docs/operations.md b/docs/operations.md
index d88d9e7..f92e11b 100644
--- a/docs/operations.md
+++ b/docs/operations.md
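Review bot: A failure of the inner `readlink -f` in the new `SCRIPT_DIR=` line of deploy/pxe-setup.sh is masked: it yields an empty string, `dirname ""` returns `.`, and `SCRIPT_DIR` silently becomes the caller's working directory. Per the added comment that is where `ipxe-shas.txt` is then looked up, so the pinned hashes could be read from an unexpected directory. Resolving the path in a checked step avoids this: `script_path="$(readlink -f -- "${BASH_SOURCE[0]}")" || { echo "cannot resolve script path" >&2; exit 1; }` followed by `SCRIPT_DIR="$(dirname -- "${script_path}")"`. `usage()` starts in this hunk and continues outside it.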
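Review bot: The new `-f` test in the `-z "${LIVE_SRC}"` branch accepts any regular file, so an empty or truncated `vmlinuz`/`initrd.img` left by an interrupted copy is reported as `already staged ... (from install.sh)`, although nothing in this hunk establishes where the files came from. `-s` at least rules out zero-length files: `if [[ -s "${LIVE_DIR}/vmlinuz" && -s "${LIVE_DIR}/initrd.img" ]]; then`. The `else` branch stages with `-o "${SERVICE_USER}"`, while this path does not check that the existing files are readable by that user; a comment such as `# ownership/readability of LIVE_DIR is install.sh's responsibility` would record the assumption. The WARN path still lets the script continue even though its message says the orchestrator will fail validation; whether that should be a non-zero exit depends on code outside this hunk.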
@@ -73,15 +73,19 @@ That means **no dedicated bridge, no VLAN, no cabling changes**. The LXC just needs an interface on the same L2 segment as the hosts you're repairing — typically `eth0` on the LAN bridge. -On the LXC, inside the extracted bundle: +On the LXC, after the one-liner install completes: ``` -sudo ./pxe-setup.sh \ +sudo vetting-pxe-setup \ --interface eth0 \ --subnet 192.168.1.0/24 \ --orchestrator-url http://:8080 ``` +(`vetting-pxe-setup` is a symlink installed into `/usr/local/sbin/` by +`install.sh`, pointing at the `pxe-setup.sh` script and `ipxe-shas.txt` +staged under `/usr/local/share/vetting/`.) + The script: - Fetches `ipxe.efi` + `undionly.kpxe` from boot.ipxe.org and verifies @@ -103,7 +107,7 @@ exists, iPXE binaries are on disk, `subnet` parses as CIDR) and exits non-zero with a clear error if anything's wrong, instead of failing silently when a host first PXE-boots. -`pxe-setup.sh` is idempotent — safe to re-run. Pass `--force` to +`vetting-pxe-setup` is idempotent — safe to re-run. Pass `--force` to overwrite a hand-edited `pxe:` block. **Router caveat.** Most home/prosumer routers (UniFi, Asus, Netgear,