Multi-user via PocketID: account linking, group gating, admin user management

PocketID OIDC already auto-provisioned users keyed by pocketid_sub, and the
data layer was already fully user-scoped. This adds the missing pieces for
running real multi-user:

- auth.py callback: link by email to an existing un-linked account (so the
  admin keeps their data when first signing in by passkey), collision-safe
  username generation, and request the `groups` scope.
- Group gating: optional pocketid_allowed_group (admin-config or
  POCKETID_ALLOWED_GROUP env); users lacking the group are rejected at the
  callback and redirected to /login?auth_error=not_authorized.
- New admin users API (app/api/users.py): list users, promote/demote admin
  (guards against demoting/locking out the last admin or yourself), and delete
  a user with ordered bulk deletes of all their data + on-disk files.
- ProfilePage: allowed-group field; LoginPage: rejected-login message;
  Layout: admin-only Users nav; new UsersPage.

Resync milevault_export to current source (it had drifted many features behind
— missing garmin_sync, npm-ci Dockerfile and @polyline-codec that broke its own
CI) and add POCKETID_ALLOWED_GROUP to .env.example.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

milevault_export/backend/app/models/user.py

@@ -1,6 +1,6 @@
 from sqlalchemy import (
     Column, Integer, String, Float, DateTime, Boolean,
-    ForeignKey, Text, JSON, Index, UniqueConstraint
+    ForeignKey, Text, JSON, Index, UniqueConstraint, text
 )
 from sqlalchemy.orm import relationship
 from datetime import datetime, timezone
@@ -27,16 +27,40 @@ class User(Base):
     resting_heart_rate = Column(Integer, nullable=True)
     birth_year = Column(Integer, nullable=True)
     height_cm = Column(Float, nullable=True)
+    biological_sex = Column(String(8), nullable=True)   # 'male' | 'female'
 
     # PocketID config (stored per-user so admin can set via UI)
     pocketid_issuer = Column(String(512), nullable=True)
     pocketid_client_id = Column(String(256), nullable=True)
     pocketid_client_secret = Column(String(256), nullable=True)
+    # Only PocketID users in this group may sign in. Null/blank = allow all.
+    pocketid_allowed_group = Column(String(128), nullable=True)
 
     activities = relationship("Activity", back_populates="user", cascade="all, delete-orphan")
     health_metrics = relationship("HealthMetric", back_populates="user", cascade="all, delete-orphan")
     named_routes = relationship("NamedRoute", back_populates="user", cascade="all, delete-orphan")
     weight_logs = relationship("WeightLog", back_populates="user", cascade="all, delete-orphan")
+    garmin_connect_config = relationship("GarminConnectConfig", back_populates="user", uselist=False, cascade="all, delete-orphan")
+
+
+class GarminConnectConfig(Base):
+    """Per-user Garmin Connect credentials and sync state."""
+    __tablename__ = "garmin_connect_configs"
+
+    id = Column(Integer, primary_key=True)
+    user_id = Column(Integer, ForeignKey("users.id"), nullable=False, unique=True, index=True)
+    email = Column(String(256), nullable=False)
+    password_enc = Column(String(512), nullable=False)   # Fernet-encrypted
+    token_store = Column(Text, nullable=True)             # garth OAuth2 token JSON
+    sync_enabled = Column(Boolean, default=True)
+    sync_activities = Column(Boolean, default=True)
+    sync_wellness = Column(Boolean, default=True)
+    sync_lookback_days = Column(Integer, default=30)   # -1 = all-time
+    last_sync_at = Column(DateTime(timezone=True), nullable=True)
+    last_sync_status = Column(String(512), nullable=True)
+    created_at = Column(DateTime(timezone=True), default=now_utc)
+
+    user = relationship("User", back_populates="garmin_connect_config")
 
 
 class WeightLog(Base):
@@ -81,7 +105,7 @@ class Activity(Base):
     calories = Column(Float, nullable=True)
     training_stress_score = Column(Float, nullable=True)
     vo2max_estimate = Column(Float, nullable=True)
-    named_route_id = Column(Integer, ForeignKey("named_routes.id"), nullable=True)
+    named_route_id = Column(Integer, ForeignKey("named_routes.id", ondelete="SET NULL"), nullable=True)
     polyline = Column(Text, nullable=True)
     bounding_box = Column(JSON, nullable=True)
     source_file = Column(String(512), nullable=True)
@@ -160,6 +184,8 @@ class RouteSegment(Base):
     start_distance_m = Column(Float, nullable=False)
     end_distance_m = Column(Float, nullable=False)
     description = Column(Text, nullable=True)
+    auto_generated = Column(Boolean, default=False)
+    auto_generated_type = Column(String(20), nullable=True)  # '1km' | 'turns' | 'hills'
 
     route = relationship("NamedRoute", back_populates="segments")
 
@@ -178,8 +204,12 @@ class PersonalRecord(Base):
     is_current_record = Column(Boolean, default=True)
 
     __table_args__ = (
-        UniqueConstraint("user_id", "sport_type", "distance_m", "is_current_record",
-                         name="uq_pr_current"),
+        # Uniqueness is enforced at runtime by the partial index uq_pr_current_active
+        # (created in init_db), which only covers is_current_record=true rows.
+        # The old all-columns UniqueConstraint was dropped because it incorrectly
+        # constrained is_current_record=false rows too, causing multi-worker races.
+        Index("uq_pr_current_active", "user_id", "sport_type", "distance_m",
+              postgresql_where=text("is_current_record = true"), unique=True),
     )
 
 
@@ -218,6 +248,10 @@ class HealthMetric(Base):
     active_calories = Column(Float, nullable=True)
     total_calories = Column(Float, nullable=True)
     spo2_avg = Column(Float, nullable=True)
+    intraday_hr = Column(JSON, nullable=True)           # [[epoch_ms, bpm], ...] — not in API list response
+    body_battery = Column(JSON, nullable=True)          # {charged,drained,start_level,end_level,values:[[ts_ms,level,type,stress]...]}
+    body_battery_hires = Column(JSON, nullable=True)    # [[ts_ms, level], ...] interpolated from bb + HR; higher resolution than raw values
+    sleep_stages = Column(JSON, nullable=True)          # [[ts_ms, level], ...] 0=unmeasurable,1=awake,2=light,3=deep,4=rem
 
     __table_args__ = (
         UniqueConstraint("user_id", "date", name="uq_health_user_date"),