fix(vault-fetch): tolerate 'already logged in' at bw config server

bw config server refuses with 'Logout required before server config update'
when the CLI is already authenticated. The helper treated that as fatal
(exit 1), which broke every repeat run on an already-logged-in host — exactly
the 'refresh .env from vault' case the helper exists for.

The bw login block already tolerates 'already logged in'; mirror that for
bw config: capture stderr/stdout and tolerate 'logout required' /
'already configured' / 'already set', failing only on a real error.

Verified on domedog: fixed helper runs cleanly from the logged-in state
(previously exited 1 at the config step).

Checks: sh -n; git diff --check; ./scripts/check-format.sh (prettier clean).

Co-Authored-By: Hermes & Sam <hello@clawdie.si>

live/operator-session/clawdie-vault-fetch

@@ -105,10 +105,17 @@ cleanup() {
 }
 trap cleanup EXIT INT TERM
 
-bw config server "$SERVER" >/dev/null 2>&1 || {
-    log "could not set bw server to $SERVER"
-    exit 1
-}
+# Set the server. When already logged in, `bw config` refuses with
+# "Logout required before server config update" — tolerate that, since the
+# server is already set to the right value (we read it from VAULT_SERVER).
+# Mirror the login tolerance: capture stderr and only fail on a real error.
+if ! bw config server "$SERVER" >"$WORK/config.out" 2>"$WORK/config.err"; then
+    if ! grep -qi 'logout required\|already configured\|already set' "$WORK/config.err" "$WORK/config.out" 2>/dev/null; then
+        log "could not set bw server to $SERVER:"
+        sed 's/^/  /' "$WORK/config.err" >&2
+        exit 1
+    fi
+fi
 
 # login --apikey reads BW_CLIENTID/BW_CLIENTSECRET from env. Tolerate the
 # "already logged in" case so repeat runs don't fail.