diff --git a/TASKS.md b/TASKS.md
index 18ffca7..c0b91f4 100644
--- a/TASKS.md
+++ b/TASKS.md
@@ -4,11 +4,6 @@
 
 ## Current Sprint: v1.1 - Passive Sensing & Multi-Sensor
 
-### P1 - Important
-- [ ] Build + flash firmware (sensor ID, temp, deauth detection)
-- [ ] OTA update remaining fleet (muddy-storm, hollow-acorn)
-- [ ] WiFi probe request capture (PROBE_DATA via promiscuous mode)
-
 ### P2 - Normal
 - [ ] Multi-sensor BLE correlation in esp-ctl (zone tracking)
 - [ ] Test OTA rollback (flash bad firmware, verify auto-revert)
@@ -18,7 +13,7 @@
 - [ ] Document esp-radar console features
 - [ ] Pin mapping for ESP32-DevKitC V1
 
-## Completed: v1.1 (partial)
+## Completed: v1.1
 
 - [x] Sensor ID in data packets (hostname prefix on CSI_DATA, BLE_DATA, EVENT)
 - [x] Deauth/disassoc frame detection (ALERT_DATA via promiscuous mode)
@@ -27,6 +22,12 @@
 - [x] BLE dwell time tracking (dwell column in `--track` summary)
 - [x] Timestamped event logging (`esp-ctl listen --timestamp`)
 - [x] Alert filter in esp-ctl (`listen -f alert`)
+- [x] Runtime HOSTNAME command (NVS persisted, mDNS updated)
+- [x] WiFi probe request capture (PROBE_DATA via promiscuous mode, 10s dedup)
+- [x] mDNS service advertisement (`_esp-csi._udp`)
+- [x] mDNS sensor discovery (`esp-ctl discover`)
+- [x] Probe filter in esp-ctl (`listen -f probe`)
+- [x] OTA fleet to same firmware (ca526ef)
 
 ## Completed: v0.5 - BLE Scanning
 
@@ -85,7 +86,11 @@
 ## Notes
 
 - Adaptive threshold varies by environment; 0.001-0.01 is a good starting range
-- NVS keys: `send_rate`, `tx_power`, `adaptive`, `threshold`, `ble_scan`, `target_ip`, `target_port`
+- NVS keys: `send_rate`, `tx_power`, `adaptive`, `threshold`, `ble_scan`, `target_ip`, `target_port`, `hostname`
 - EVENT packets now include sensor hostname: `EVENT,<hostname>,motion=... rate=... wander=...`
 - ALERT_DATA format: `ALERT_DATA,<hostname>,<deauth|disassoc>,<sender_mac>,<target_mac>,<rssi>`
 - STATUS now includes `temp=` field (chip temperature in Celsius)
+- PROBE_DATA format: `PROBE_DATA,<hostname>,<mac>,<rssi>,<ssid>`
+- Probe requests deduped per MAC (10s cooldown) to limit volume
+- mDNS service: `_esp-csi._udp` on data port (for sensor discovery)
+- HOSTNAME command: `HOSTNAME <name>` sets NVS + mDNS, `HOSTNAME` queries current
diff --git a/TODO.md b/TODO.md
index 65ffd5f..d3642fc 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,14 +1,12 @@
 # ESP32 Hacking TODO
 
 ## Firmware
-- [ ] WiFi probe request capture (PROBE_DATA via promiscuous mode)
 - [ ] On-device CSI processing (send metrics, not raw)
 - [ ] Deep sleep mode with wake-on-CSI-motion
 - [ ] Battery-optimized duty cycling
 
 ## Tools (esp-ctl)
 - [ ] Multi-sensor BLE correlation (zone tracking by source sensor)
-- [ ] Sensor discovery script (find all ESP32s on network via mDNS)
 
 ## Testing
 - [ ] Benchmark: CSI callback latency
diff --git a/docs/CHEATSHEET.md b/docs/CHEATSHEET.md
index 24b6b14..e0131aa 100644
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -42,6 +42,7 @@ esp-cmd <host> ADAPTIVE ON              # Enable adaptive sampling (NVS saved)
 esp-cmd <host> ADAPTIVE OFF             # Disable adaptive sampling
 esp-cmd <host> THRESHOLD 0.005          # Set motion sensitivity (NVS saved)
 esp-cmd <host> OTA http://pi:8070/fw    # Trigger OTA update (use esp-ota instead)
+esp-cmd <host> HOSTNAME mydevice         # Set hostname (NVS saved, mDNS updated)
 esp-cmd <host> REBOOT                   # Restart device
 ```
 
@@ -112,6 +113,17 @@ esp-cmd amber-maple.local THRESHOLD 0.005  # Tune sensitivity
 | Solid (5s) | IDENTIFY command active |
 | Double blink | OTA in progress |
 
+## Sensor Discovery
+
+```bash
+esp-ctl discover                        # Find all sensors via mDNS
+esp-ctl discover -t 5                   # Longer browse (5s timeout)
+esp-ctl status --discover               # Status using discovered fleet
+esp-ctl target --discover               # Query targets via discovery
+```
+
+Requires firmware with `_esp-csi._udp` mDNS service (v1.1+).
+
 ## Test CSI Reception
 
 ```bash
@@ -119,6 +131,8 @@ nc -lu 5500                             # Listen for CSI packets
 socat UDP-RECV:5500 STDOUT              # Alternative listener
 nc -lu 5500 | head -1                   # See one packet
 nc -lu 5500 | wc -l                     # Count packets/sec (Ctrl+C)
+esp-ctl listen -f probe -n 5            # Capture 5 probe requests
+esp-ctl listen -f alert                 # Monitor deauth/disassoc alerts
 ```
 
 ## Firmware Variants
@@ -143,7 +157,7 @@ nc -lu 5500 | wc -l                     # Count packets/sec (Ctrl+C)
 ## USB Flash Notes
 
 - **Use 460800 baud** (`-b 460800`) — 921600 causes connection failures on some boards
-- Each device needs its own build with its hostname set in menuconfig
+- Hostname can be changed at runtime via `esp-ctl cmd <host> HOSTNAME <name>`
 - First flash after enabling OTA partitions must be via USB
 
 ## Data Packet Formats
@@ -155,6 +169,7 @@ CSI_DATA,<hostname>,seq,mac,rssi,rate,...,len,first_word,"[I,Q,...]"
 BLE_DATA,<hostname>,mac,rssi,pub|rnd,name
 EVENT,<hostname>,motion=0|1 rate=<hz> wander=<value>
 ALERT_DATA,<hostname>,deauth|disassoc,sender_mac,target_mac,rssi
+PROBE_DATA,<hostname>,mac,rssi,ssid
 ```
 
 ## Source Paths