Problem

Reported in the field on 0.3.1: hsh login printed only 'Successfully authenticated with Hoop!' and silently did nothing for the daemon, leaving it on a stale/expired token (hsh tunnel refresh then 401'd). One browser, zero daemon output — even though the daemon was running and hsh tunnel status reached it fine.

Root cause

The previous fix used existsSync() on the unix socket path to decide whether the daemon is 'present' (and thus whether the optional daemon leg may skip silently). On the affected host that existsSync returned false for a live daemon, so loginDaemon took the 'genuinely absent → silent skip' branch.

But TunnelClient.connect() (used by hsh tunnel status, which worked) never stats the socket — it keys on a readable control token. So the socket-existsSync discriminator was inconsistent with how the client actually reaches the daemon.

Fix

daemonLooksInstalled() now mirrors connect()'s reachability basis:

• readable control token → present (connect would succeed)
• token file present-but-unreadable (perms) or env-pointed → present
• env-pointed socket, or socket existsSync true → present
• only the bare-default, nothing-present case → genuinely absent → silent skip

So a live daemon is now always detected as present, and any failure to update it surfaces a warning + non-zero exit instead of a silent skip.

Note on the 401 itself

The token rejection you saw is the known no-refresh-token expiry (already tracked) — OIDC access tokens from sandbox expire well under 12h and the daemon can't renew. This PR doesn't change that; it ensures hsh login actually re-authenticates the daemon (instead of silently skipping) so the user can recover, and hsh tunnel status already hints the re-login.

Testing

• tests/login-daemon.test.ts rewritten to the token-based contract: present-but-unusable → false; env-pointed socket → false; non-optional → false; genuinely-absent default → silent skip (guarded against boxes with a real daemon).
• Full suite: 447 pass, typecheck clean.

Automated by MisterMal