feat(origin): detect parent agent/IDE and propagate to HeyGen API + PostHog

[jrusso1020]

Description

Adds a new internal/origin package that detects which parent agent / IDE / managed sandbox launched the CLI, and wires the result into two outbound surfaces:

1. X-HeyGen-Client-Origin: <origin> header on every HTTP request from the CLI (internal/client/client.go). The header is omitted when origin is unknown so the backend can distinguish unknown from explicit-empty. This matches the existing self-declared-trust pattern of X-HeyGen-Client-User-Agent.
2. client_origin property on every PostHog event from the CLI (internal/analytics/analytics.go). Same omit-when-empty rule so funnel queries get clean cohorts.

Detect() is called once at startup from client.New and analytics.newWithCapture and the result is cached for the process lifetime — parent context doesn't change mid-invocation.

Why

The backend's compute_request_source label scheme currently produces cli / cli:api_key for every CLI invocation, regardless of whether it came from a developer in claude_code, cursor, a CI runner, or a plain shell. User-agent matching server-side is fragile and our internal CLI ships a generic UA. A self-declared client header is honest about the trust model and lets the backend follow up with cli:claude_code, cli:cursor, etc., falling back to today's behavior when the header is absent.

This is the CLI half of the change. A follow-up backend PR (stacked on the in-flight one that just dropped server-side cli provider-qualification) will read the header.

Detection rules

Ported from hyperframes-oss packages/cli/src/telemetry/agent_runtime.ts so the two CLIs stay in lockstep on which agent names exist and how each is identified. Existence checks only — we never read the value of an env var (some are secrets).

Origin	Trigger
claude_code	CLAUDECODE or CLAUDE_CODE_ENTRYPOINT
codex	CODEX_THREAD_ID or CODEX_CI or CODEX_SANDBOX_NETWORK_DISABLED
cursor	TERM_PROGRAM=cursor (exact)
windsurf	TERM_PROGRAM ~ windsurf (case-insensitive)
copilot_agent	GITHUB_ACTIONS=true AND (COPILOT_AGENT_ID set OR RUNNER_NAME=Copilot)
replit	REPL_ID or REPLIT_USER
hermes	HERMES_QUIET
openclaw	OPENCLAW_STATE_DIR or OPENCLAW_CONFIG_PATH
pi	PI_CODING_AGENT
cline	CLINE_ACTIVE
gemini_cli	GEMINI_CLI
crush	CRUSH
gemini_managed_agent	/.agents/ is a directory AND gVisor kernel detected (4.19.0-gvisor osrelease or gVisor in /proc/version)

First match wins; ordering pinned by test (TestDetect_FirstMatchWins).

Testing

• go test ./internal/origin/... — 25 subcases covering every vendor rule, empty-env baseline, case-sensitivity (cursor exact vs windsurf case-insensitive), first-match-wins ordering, Copilot's two-marker conjunction, and the non-Linux short-circuit on isGeminiManagedAgent.
• go test ./internal/client/... — added TestClient_Do_SetsClientOrigin (header present when origin set) and TestClient_Do_OmitsClientOriginWhenEmpty (no header at all when origin empty — http.Header map key absent, not empty string value).
• go test ./internal/analytics/... — added TestCommandRun_IncludesClientOrigin, TestCommandRunComplete_IncludesClientOrigin, and TestCommandRun_OmitsClientOriginWhenEmpty.
• go test ./... — full suite green.
• make build — builds locally.
• golangci-lint run ./... (v2.11.4, matching CI) — 0 issues.

Follow-up: backend PR will read X-HeyGen-Client-Origin from compute_request_source to produce cli:<origin> labels.

PR by Jerrai