Command Center live tiles + SF MCP Worker OAuth fix (2026-06-12)

TL;DR

The Command Center's "Today" strip went from 2/5 tiles live to 5/5 live, and the 41-day-old Salesforce MCP Worker auth blocker is cleared. Three production env vars installed, two code/config root causes found and fixed, one infra root cause diagnosed (My Domain vs login.salesforce.com).

What was done (in order)

Vercel env vars installed — Sam added CALLRAIL_ACCOUNT_ID, SF_MCP_ENDPOINT, SF_MCP_TOKEN to the projects Vercel project (production) via Vercel CLI from his MacBook, after the dashboard route proved too fiddly. Gotcha hit and solved: vercel link must run from a linked directory — used ~/vercel-link scratch dir with npx vercel link --yes --project projects.
Production redeploy triggered via Vercel REST API (using vault VERCEL_TOKEN) — no git no-op commit needed. Project id prj_HoPLce4Ib1IK5QASScp7YTOAu30H.
Notion tile 404 root-caused and fixed — command-center/lib/live/daily.ts queried api.notion.com/v1/databases/{id}/query with the internal data-source/collection id (13d5d9db-…) instead of the database id (5d558b97-…). Fixed in PR #48, merged + deployed 2026-06-12.
Salesforce OAuth blocker root-caused — Worker's /oauth/start redirects to login.salesforce.com; the org's My Domain blocks OAuth approvals from there → OAUTH_APPROVAL_ERROR_GENERIC. Connected App config was verified correct via screenshots (self-authorize ON, PKCE off, secrets required, rotation on, scopes api/full/refresh). Sam completed the flow via a My Domain authorize URL and got a fresh refresh token.
Worker captured the token automatically in its callback (KV) — the "paste it back / run wrangler" instructions on the success page were stale. Verified by direct soql_query (returned a User record) and newMattersToday tile flipping to live.
Vault page updated — full root-cause writeup, bypass URL, and corrections appended to 🔑 API Keys & App Secrets.

Current production state (verified 2026-06-12 ~01:50 UTC)

GET <https://projects-indol-kappa.vercel.app/api/live/daily> → all five metrics state:"live" (newMatters 0, calls 0 — UTC day had just rolled over; emails 79, calendar 1, Notion 100).

Open items / bring-home list

Worker patch (one line): make /oauth/start redirect to ${SF_LOGIN_URL}/services/oauth2/authorize (My Domain) instead of login.salesforce.com. Until then, any future re-auth must use the bypass URL saved in the vault page.
Vault placeholder: SF_REFRESH_TOKEN in the vault still says PENDING. Worker holds the live token in KV, so this is mirror-only — Sam can paste from the OAuth success page if he wants the vault mirror complete. Note: refresh token rotation is ON, so the vault mirror will drift; the Worker's KV copy is canonical.
CF token gap: no token in the vault has workers:edit on the Hatfield CF account (0dc22e0…) where the Worker lives. Mint a scoped Workers Scripts:Edit token next time someone is in that dashboard, so agents can manage Worker secrets without wrangler.
Scope trim (hygiene): Connected App SamAguiar_AI_Integration grants Full access (full) — overpowered; trim to api + refresh_token someday.
OAuth routes still live on the Worker: the success page footer says "OAuth routes will be removed after deployment is finalized" — they never were. Low risk (org-scoped Connected App), but worth a look during the Worker patch.
Env vars are production-target only: preview/dev deployments of the Command Center won't have the three new vars. Add to other targets if preview testing of live tiles is ever needed.
Redesign branch parked: claude/ai-command-center-KD37G (life-OS homepage redesign, 3 commits) has diverged hard from main — ~34 files conflict. Whoever resumes it should rebase onto main carefully or cherry-pick; do NOT bulk-merge it into main.
Mac cleanup (optional): ~/vercel-link scratch dir on Sam's MacBook can be deleted; the short-lived Vercel CLI token expires 2026-06-12 on its own.