garminconnect_backend gains web-friendly auth: resume() (token restore with
API validation), begin_login()/complete_mfa() (two-step MFA handshake via
return_on_mfa), user_label(), and patch_garth() split out of activate().
5_Sync.py drops the garth login flow (Cloudflare-blocked) for the new
backend; the authenticated client is cached in st.session_state. Verified
headlessly with streamlit AppTest: token restore, sync-button click, full
incremental sync, no exceptions.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
garth's SSO login is Cloudflare-rate-limited (429) and garth is now
deprecated upstream. New openrun.ingest.garminconnect_backend authenticates
via python-garminconnect 0.3.5 DI Bearer tokens and shims garth's client
surface (connectapi/download/username), so the existing sync pipeline runs
unchanged. openrun-sync gains --backend {auto,garth,garminconnect}; auto
prefers garminconnect when .secrets/garmin_tokens.json exists.
Login: uv run python -m openrun.ingest.garminconnect_backend
Synced: 7 activities (-> 2026-06-02) + splits + FITs, wellness through
2026-06-12, time-in-zone recomputed (364 activities).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
