garmin sync first attempt

docs/garmin_connect_disclaimer.md

@@ -42,6 +42,40 @@ This feature relies on a reverse-engineered interface that:
 BincioActivity takes no responsibility for account restrictions or bans
 that may result from using this feature.
 
+### Cloudflare bot protection and rate limiting
+
+Garmin's login page (`sso.garmin.com`) is protected by Cloudflare, which
+periodically blocks automated login attempts. When this happens, the sync
+feature will fail at the login step with a "Login failed" error — even if
+your credentials are correct.
+
+The underlying `garth` library tries three login strategies in sequence.
+A blocked session typically looks like this in the server logs:
+
+```
+mobile+cffi returned 429: Mobile login returned 429 — IP rate limited by Garmin
+mobile+requests failed: Mobile login failed (non-JSON): HTTP 403
+widget+cffi failed: Widget login: unexpected title 'GARMIN Authentication Application'
+```
+
+What each error means:
+- **429** — Garmin is rate-limiting the server's IP address
+- **403** — Cloudflare is blocking the request outright
+- **unexpected title 'GARMIN Authentication Application'** — the login flow hit a
+  CAPTCHA or MFA challenge page that the library cannot handle automatically
+
+This is an upstream issue outside BincioActivity's control. The underlying
+`garminconnect`/`garth` library usually releases a fix within days to weeks.
+The workaround is to update those packages on the server:
+
+```bash
+uv sync --extra garmin
+```
+
+If login consistently fails despite updating, check the
+[garminconnect issue tracker](https://github.com/cyberjunky/python-garminconnect/issues)
+for the current status.
+
 ### Two-factor authentication (2FA)
 
 If your Garmin account has 2FA enabled, this feature may not work or may