Harden connect(): never fall through to Garmin SSO login

connect() previously fell through to Garmin().login() when cached
tokens failed AND email/password were set in config. This meant the
4h garmin-pull cron could hammer Garmin SSO repeatedly on token expiry.

Now connect() always raises RuntimeError on cache failure. SSO login
only happens through explicit auth paths (auth_interactive, auth_garmin
MCP tool). Removed dead code for SSO fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: a-deal

engine/integrations/garmin.py

@@ -158,27 +158,13 @@ def connect(self):
                 return client
             except Exception as e:
                 print(f"Cached token auth failed: {e}", file=sys.stderr)
-                # Never fall through to SSO login from automated context.
-                # That causes rate limits. Require interactive re-auth.
-                if not self.email or not self.password:
-                    raise RuntimeError(
-                        f"Token auth failed: {e}. Run `python3 cli.py auth garmin` to re-authenticate."
-                    ) from e
-
-        if not self.email or not self.password:
-            raise RuntimeError(
-                "No tokens found. Run `python3 cli.py auth garmin` to authenticate."
-            )
+                raise RuntimeError(
+                    f"Token auth failed: {e}. Run `python3 cli.py auth garmin` or use auth_garmin MCP tool to re-authenticate."
+                ) from e
 
-        print("Logging in to Garmin Connect...")
-        client = Garmin(self.email, self.password)
-        client.login()
-        self.token_dir.mkdir(parents=True, exist_ok=True)
-        client.garth.dump(str(self.token_dir))
-        self._sync_to_store()
-        print("Authenticated and token cached.")
-        self._client = client
-        return client
+        raise RuntimeError(
+            "No Garmin tokens found. Run `python3 cli.py auth garmin` or use auth_garmin MCP tool to authenticate."
+        )
 
     @property
     def client(self):

tests/test_garmin.py

@@ -601,6 +601,43 @@ def test_connect_without_store_no_sync(self, tmp_path):
         assert client.token_store is None
 
 
+class TestConnectNeverHitsSSO:
+    """connect() must never fall through to SSO login, even with credentials set."""
+
+    def test_connect_raises_when_cached_tokens_fail_with_credentials(self, tmp_path):
+        """If cached tokens fail and email/password are set, connect() should
+        raise RuntimeError, NOT fall through to Garmin().login().
+
+        This prevents the 4h garmin-pull cron from hammering Garmin SSO
+        when tokens expire and credentials happen to be in config.
+        """
+        token_dir = tmp_path / "tokens"
+        token_dir.mkdir()
+        # Put a bad token file so the cached path is attempted and fails
+        (token_dir / "oauth1_token.json").write_text('{"bad": "token"}')
+
+        client = GarminClient(
+            email="test@example.com",
+            password="secret",
+            token_dir=str(token_dir),
+        )
+
+        # Make garth.load succeed but profile check fail (simulates corrupted cache)
+        mock_garth = type("MockGarth", (), {
+            "load": lambda self, d: None,
+            "oauth2_token": type("T", (), {"expired": False, "refresh_expired": False})(),
+            "profile": {},  # empty profile triggers RuntimeError
+        })()
+        mock_garmin_obj = type("MockGarmin", (), {
+            "garth": mock_garth,
+            "display_name": None,
+        })()
+
+        with patch("garminconnect.Garmin", return_value=mock_garmin_obj):
+            with pytest.raises(RuntimeError, match="Token auth failed"):
+                client.connect()
+
+
 class TestSleepTimeTimezone:
     """Verify sleep_start/sleep_end are extracted correctly from Garmin timestamps.