
fix(traffic): require a traffic-capable PAT for the archive workflow #265

Merged: davida-ps merged 2 commits into main from fix/archive-traffic-token on Jun 11, 2026

Conversation

davida-ps (Collaborator) commented Jun 10, 2026

User description

Summary

The daily Archive GitHub Traffic workflow (example failure) has failed on every scheduled run since it was added in #252, so no traffic history has been captured yet. Root cause: the TRAFFIC_ARCHIVE_TOKEN secret was never provisioned, and the || github.token fallback can never work — GitHub rejects the Actions installation token on all traffic endpoints (403 Resource not accessible by integration). Traffic endpoints require a PAT from a user with push access.

Changes

  • .github/workflows/archive-traffic.yml — GH_TRAFFIC_TOKEN now uses secrets.TRAFFIC_ARCHIVE_TOKEN only (the github.token fallback was guaranteed to 403). When the secret is missing, the step fails fast with an actionable ::error annotation instead of a cryptic API error.
  • scripts/archive-github-traffic.mjs — 403 push-access failures and 401 invalid-token failures now append a hint explaining the token requirements.
  • scripts/test-github-traffic-archive.mjs — new tests for the 401/403 hints; the workflow-shape test now asserts GH_TRAFFIC_TOKEN binds to secrets.TRAFFIC_ARCHIVE_TOKEN and never to github.token.

Live verification (workflow_dispatch from this branch)

  • An intermediate commit tried falling back to the existing POLL_NVD_CVES_PAT — it returned 401 Bad credentials, i.e. that PAT (set 2026-02-05) is expired or revoked, so the fallback was dropped.
  • Second dispatch confirms the fail-fast guard: the run now stops with “No traffic-capable token configured. Set the TRAFFIC_ARCHIVE_TOKEN secret to a PAT with push access (classic: repo scope; fine-grained: Administration read).”
  • A classic repo-scoped token from a maintainer was confirmed to read /traffic/views successfully (834 views / 378 uniques in the current 14-day window).

Required follow-up after merge (ops)

  1. Create a PAT — recommended: fine-grained, scoped to this repository only, with Administration: read (a classic PAT with repo scope also works), owned by a user with push access.
  2. gh secret set TRAFFIC_ARCHIVE_TOKEN --repo prompt-security/clawsec
  3. gh workflow run archive-traffic.yml --repo prompt-security/clawsec — the first green run creates the traffic-archive branch and seeds it with the current 14-day window.

⏳ GitHub only retains ~14 days of traffic data; each day without the secret permanently loses a day of history.

Heads-up (separate issue)

POLL_NVD_CVES_PAT returning 401 also means the community-advisory.yml automation will fail the next time an issue is labeled advisory-approved — that PAT needs rotation regardless of this PR.

🤖 Generated with Claude Code


Generated description

Below is a concise technical summary of the changes proposed in this PR:
Clarify the archive workflow token requirements by binding GH_TRAFFIC_TOKEN exclusively to secrets.TRAFFIC_ARCHIVE_TOKEN and failing fast with guidance when the secret is missing. Enhance archive-github-traffic.mjs and its tests to append specific hints for 403/401 errors so operators know to provide a push-capable PAT.

Topic: Workflow token guard
Details: Enforce the traffic archive workflow to require a configured PAT via secrets.TRAFFIC_ARCHIVE_TOKEN, report an actionable error when absent, and only run archive-github-traffic once the token guard passes.
Modified files (1):
  • .github/workflows/archive-traffic.yml
Latest contributors (2):
  • David.a@prompt.security | fix(traffic): require ... | June 10, 2026
  • david.a@prompt.security | feat(traffic): archive... | June 04, 2026

Topic: Token error hints
Details: Clarify scripts/archive-github-traffic.mjs and its tests to append push-access or rotation hints on 403/401 responses so failures point to the required PAT credentials.
Modified files (2):
  • scripts/archive-github-traffic.mjs
  • scripts/test-github-traffic-archive.mjs
Latest contributors (2):
  • David.a@prompt.security | fix(traffic): use a tr... | June 10, 2026
  • david.a@prompt.security | feat(traffic): archive... | June 04, 2026
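The fail-fast token guard and the 401/403 hints described in this PR, as an added example that is not the project's own archive-github-traffic.mjs code: checkTrafficToken and describeTrafficError are assumed names, and the sample responses are constructed to match the GitHub error wording quoted above.

```javascript
// Added example (not the project's own code). Shows the workflow's fail-fast
// token guard and the 401/403 hint selection this PR describes. The function
// names and the sample responses below are assumptions for illustration.

const TOKEN_SETUP_HINT =
  'Set the TRAFFIC_ARCHIVE_TOKEN secret to a PAT with push access ' +
  '(classic: repo scope; fine-grained: Administration read).';

// Guard: GH_TRAFFIC_TOKEN is bound only to secrets.TRAFFIC_ARCHIVE_TOKEN, so an
// empty value means the secret was never provisioned. Fail before any API call.
function checkTrafficToken(env) {
  const token = (env.GH_TRAFFIC_TOKEN ?? '').trim();
  if (token === '') {
    return { ok: false, error: `No traffic-capable token configured. ${TOKEN_SETUP_HINT}` };
  }
  return { ok: true, token };
}

// Builds the operator-facing message for a failed /traffic/* call.
// `status` is the HTTP status, `body` GitHub's JSON error body ({ message }).
function describeTrafficError(path, status, body) {
  const message = body?.message ?? '';
  // 403 with GitHub's "not accessible by integration" / "push access" wording:
  // the caller lacks push access (this is what the Actions token always gets).
  const lacksPushAccess =
    status === 403 && /not accessible by integration|push access/i.test(message);
  let hint = '';
  if (lacksPushAccess) {
    hint = ' Traffic endpoints require a token with push access to the repository; ' +
      'the Actions GITHUB_TOKEN is always rejected. Use a classic PAT with the repo ' +
      'scope or a fine-grained PAT with read access to Administration.';
  } else if (status === 401 || /bad credentials/i.test(message)) {
    // Expired or revoked PAT: keyed on status or body text, so a 401 and a
    // "Bad credentials" body with another status both get the rotation hint.
    hint = ' The token was rejected as invalid (expired or revoked). ' +
      'Rotate the TRAFFIC_ARCHIVE_TOKEN secret.';
  }
  return `GitHub API ${status} for ${path}: ${message || 'unknown error'}.${hint}`;
}

// Constructed sample responses shaped like the failures quoted in this PR.
const SAMPLE_RESPONSES = {
  actionsToken: { status: 403, body: { message: 'Resource not accessible by integration' } },
  expiredPat: { status: 401, body: { message: 'Bad credentials' } },
  serverError: { status: 500, body: { message: 'Server Error' } },
};
```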

davida-ps and others added 2 commits June 10, 2026 18:47
The daily Archive GitHub Traffic run has failed since creation: the
TRAFFIC_ARCHIVE_TOKEN secret was never provisioned, so the workflow fell
back to github.token, which GitHub categorically rejects on traffic
endpoints (403 "Resource not accessible by integration").

- Fall back to the existing POLL_NVD_CVES_PAT automation token instead
  of github.token, keeping TRAFFIC_ARCHIVE_TOKEN as the preferred
  override once provisioned.
- Fail fast with an actionable error when no traffic-capable token is
  configured.
- Explain token requirements in the script's 401/403 errors.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…AT fallback

A live dispatch confirmed POLL_NVD_CVES_PAT is expired (401 Bad
credentials), so falling back to it only trades one daily failure for
another. Require the dedicated secret and fail fast with setup
instructions instead.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Comment on lines +326 to +329
const hint = lacksPushAccess
? ' Traffic endpoints require a token with push access to the repository; the Actions GITHUB_TOKEN is always rejected. Use a classic PAT with the repo scope or a fine-grained PAT with read access to Administration.'
: response.status === 401
? ' The token was rejected as invalid — it may be expired or revoked. Rotate the TRAFFIC_ARCHIVE_TOKEN secret.'

Contributor commented:

The invalid-token hint is gated only on response.status === 401, but GitHub can return 403/404 for auth failures too — should we key this off the error body (for example Bad credentials) or include those cases as well?

Prompt for AI Agents
Before applying, verify this suggestion against the current code. In
scripts/archive-github-traffic.mjs around lines 321-332 inside the `if (!response.ok)`
error handling, the token-invalid/expired hint is currently only shown when
`response.status === 401` (lines ~328-330). Refactor the `hint` selection so it also
covers GitHub’s documented auth/permission failure variants (notably 403 and 404) by
keying off the response body text (e.g., look for “Bad credentials” /
authentication-failure phrases) rather than status alone, while keeping the existing
dedicated “missing push access” hint for 403 with the “resource not
accessible/must have push access” messages. Ensure the body-based checks are used in
the right precedence order so unrelated 401s don’t incorrectly get the expired-token
message, and revoked/expired tokens get the correct hint for 401/403/404 shapes.

@davida-ps davida-ps merged commit 9fd3059 into main Jun 11, 2026
14 of 17 checks passed
@davida-ps davida-ps deleted the fix/archive-traffic-token branch June 11, 2026 05:25
1 participant