Prevent team-sync downgrade on transient GitHub API failure

[KerwinTsaiii]

Summary

fetch_github_teams() currently returns an empty list on GitHub API/network failures, and sync_user_github_teams() treats that as authoritative state. This can remove users from all github-team groups during transient outages.

Why this matters

A temporary API error (rate limit, network hiccup, timeout) can accidentally revoke group-based resource access for users.

Current behavior

• fetch_github_teams() logs warning and returns [] on failure.
• sync_user_github_teams() removes memberships not in the incoming team list.

Expected behavior

Transient failures should not be interpreted as "user belongs to zero teams".

Proposed fix

• Make fetch return an explicit failure signal (e.g. None/Result type) instead of [].
• Skip removal sync when team-fetch status is unknown/failed.
• Add tests for failure-path semantics to prevent regressions.

Acceptance criteria

• No github-team membership removals happen when team fetch fails.
• Existing successful sync behavior remains unchanged.
• Unit tests cover success and failure paths.