feat(tasks): wire agent server event ingest

[tatoalo]

Problem

once the backend provides a sandbox event ingest token, the agent server needs to opt into the new sender while preserving the existing local SSE behavior and task completion signaling

Changes

• read POSTHOG_TASK_RUN_EVENT_INGEST_TOKEN from the agent server env
• construct the task run event stream sender when the ingest token is present
• enqueue broadcast and terminal task events into the sender while still serving existing SSE clients
• drain the sender during agent shutdown and task completion paths

[tatoalo]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat(tasks): wire agent server event ingest #2111 👈 (View in Graphite)
• feat(tasks): add task run event stream sender #2110
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
packages/agent/src/server/agent-server.test.ts:272-449
**Repeated `AgentServer` setup violates OnceAndOnlyOnce**

The three `signalTaskComplete` tests each repeat an identical 20+ line `new AgentServer({...}) as unknown as { eventStreamSender, posthogAPI, signalTaskComplete }` cast. Extracting a shared helper (e.g. `createSignalTaskCompleteTestServer()`) would remove the duplication and make future type-shape changes a single-line fix instead of three.

_{Reviews (1): Last reviewed commit: "feat(tasks): wire agent server event ing..." | Re-trigger Greptile}

[greptile-apps]

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
packages/agent/src/server/agent-server.ts:1808-1813
`TASK_COMPLETE` is included in the union type but `enqueueTaskTerminalEvent` is only ever called with `ERROR` in this PR (and nowhere else in the codebase). Listing a type option that is never exercised is a superfluous part — if it becomes needed later it can be added then.

```suggestion
  private enqueueTaskTerminalEvent(
    method: typeof POSTHOG_NOTIFICATIONS.ERROR,
    params: Record<string, unknown>,
  ): void {
```

_{Reviews (2): Last reviewed commit: "feat(tasks): wire agent server event ing..." | Re-trigger Greptile}

[joshsny]

why don't we use the existing oauth token here, is there a reason to split this out into it's own auth?

[tatoalo]

Mainly to have cleaner mindset against the token and what it does/needs to do.
I added ^ just for event-ingestion since it has a narrower job for exactly one task run, if we were to re-use the existing oauth token, we would need to make the ingest endpoint added in the BE stack also accept a broader user-scope token, we only authorize event ingestion for the single run, if you feel strongly about it we could reuse the existing one but we would then have duplicate oauth validation and some extra checks bits, no biggie though