Implement automatic Garmin token refresh and fix expiry tracking

- Add OAuth1 to OAuth2 token exchange using Garmin's exchange endpoint
- Track refresh token expiry (~30 days) instead of access token expiry (~21 hours)
- Auto-refresh access tokens in cron sync before they expire
- Update Python script to output refresh_token_expires_at
- Add garminRefreshTokenExpiresAt field to User type and database schema
- Fix token input UX: show when warning active, not just when disconnected
- Add Cache-Control headers to /api/user and /api/garmin/status to prevent stale data
- Add oauth-1.0a package for OAuth1 signature generation

The system now automatically refreshes OAuth2 tokens using the stored OAuth1 token,
so users only need to re-run the Python auth script every ~30 days (when refresh
token expires) instead of every ~21 hours (when access token expires).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/app/api/user/route.ts

@@ -26,16 +26,21 @@ export const GET = withAuth(async (_request, user, pb) => {
     ? new Date(freshUser.lastPeriodDate as string).toISOString().split("T")[0]
     : null;
 
-  return NextResponse.json({
-    id: freshUser.id,
-    email: freshUser.email,
-    garminConnected: freshUser.garminConnected ?? false,
-    cycleLength: freshUser.cycleLength,
-    lastPeriodDate,
-    notificationTime: freshUser.notificationTime,
-    timezone: freshUser.timezone,
-    activeOverrides: freshUser.activeOverrides ?? [],
-  });
+  return NextResponse.json(
+    {
+      id: freshUser.id,
+      email: freshUser.email,
+      garminConnected: freshUser.garminConnected ?? false,
+      cycleLength: freshUser.cycleLength,
+      lastPeriodDate,
+      notificationTime: freshUser.notificationTime,
+      timezone: freshUser.timezone,
+      activeOverrides: freshUser.activeOverrides ?? [],
+    },
+    {
+      headers: { "Cache-Control": "no-store, no-cache, must-revalidate" },
+    },
+  );
 });
 
 /**