diff --git a/live/operator-session/clawdie-vault-fetch b/live/operator-session/clawdie-vault-fetch
index 898a6605..e3b7898b 100644
--- a/live/operator-session/clawdie-vault-fetch
+++ b/live/operator-session/clawdie-vault-fetch
@@ -105,10 +105,17 @@ cleanup() {
 }
 trap cleanup EXIT INT TERM
 
-bw config server "$SERVER" >/dev/null 2>&1 || {
-    log "could not set bw server to $SERVER"
-    exit 1
-}
+# Set the server. When already logged in, `bw config` refuses with
+# "Logout required before server config update" — tolerate that, since the
+# server is already set to the right value (we read it from VAULT_SERVER).
+# Mirror the login tolerance: capture stderr and only fail on a real error.
+if ! bw config server "$SERVER" >"$WORK/config.out" 2>"$WORK/config.err"; then
+    if ! grep -qi 'logout required\|already configured\|already set' "$WORK/config.err" "$WORK/config.out" 2>/dev/null; then
+        log "could not set bw server to $SERVER:"
+        sed 's/^/  /' "$WORK/config.err" >&2
+        exit 1
+    fi
+fi
 
 # login --apikey reads BW_CLIENTID/BW_CLIENTSECRET from env. Tolerate the
 # "already logged in" case so repeat runs don't fail.