Use ISSUES_PAT for unanswered issues workflow and fail hard on token misconfiguration

[harrism]

Summary

Follows up on #522 which fixed insider filtering in the script.

• Workflow: use ISSUES_PAT instead of GITHUB_TOKEN: The default
  GITHUB_TOKEN cannot resolve org/team membership, so author_association
  is unreliable in CI. The workflow now uses the ISSUES_PAT secret (a
  fine-grained PAT with Organization > Members > Read).
• Script: fail hard on token misconfiguration: fetch_team_members now
  raises instead of silently falling back to author_association when the
  team members API call fails. This prevents sending an incorrect report.

Test plan

• Triggered workflow on branch -- report correctly shows 13 external
  issues (8 fvdb-core + 5 fvdb-reality-capture), no insiders, no duplicates
• Verified Slack message posted successfully to test channel
• Confirmed 9 fvdb-dev team members detected as insiders

[blackencino]

I'm concerned that this is the wrong way to draw attention to these issues. It will be like when a build system spits out a thousand lines of warnings and you just train yourself to ignore them because you can't possibly process all that information. The same will necessarily happen here - there's no way we can consume this information in "notification" form. I think it should, if it is going to be daily or regularly, simply say, "there are N P0 issues, M P1, issues, ... P5 issues, Q unranked issues, with a link to the issues and nothing else.