fix(webapp): require user auth + org-membership on replay action

The `action` handler in resources.taskruns.$runParam.replay.ts had no
`requireUser`/`requireUserId` call and the underlying PG findFirst was
keyed only on `friendlyId` — any request with a valid runParam could
POST a replay against any run. The buffered fallback inherited the same
gap.

Mirrors the canonical pattern from resources.taskruns.$runParam.cancel.ts:
- `await requireUser(request)` at the top of the action.
- PG findFirst scoped by `project.organization.members.some.userId`.
- Buffered path verifies org membership via `orgMember.findFirst`
  against the snapshot's orgId before synthesising the TaskRun.

Devin-follow-up on PR #3757 (🚩 finding on commit bc6de3e). Surfaces
as a pre-existing PG-side auth gap that the new buffered surface would
have extended.

Target PR: phase-3-dashboard.

Author: d-cs

apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts

@@ -247,6 +247,15 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 }
 
 export const action: ActionFunction = async ({ request, params }) => {
+  // Dashboard auth: identical pattern to resources.taskruns.$runParam.cancel.ts.
+  // The loader above this action already gates with `requireUser`, but
+  // Remix's action runs independently — without this call any request
+  // with a valid runParam could submit a replay. The PG findFirst below
+  // also adds the org-membership filter so a PAT can't replay another
+  // org's run, and the buffered fallback verifies org membership via
+  // orgMember.findFirst against the snapshot's orgId.
+  const user = await requireUser(request);
+  const userId = user.id;
   const { runParam } = ParamSchema.parse(params);
 
   const formData = await request.formData();
@@ -260,6 +269,15 @@ export const action: ActionFunction = async ({ request, params }) => {
     const pgRun = await prisma.taskRun.findFirst({
       where: {
         friendlyId: runParam,
+        project: {
+          organization: {
+            members: {
+              some: {
+                userId,
+              },
+            },
+          },
+        },
       },
       include: {
         runtimeEnvironment: {
@@ -285,6 +303,20 @@ export const action: ActionFunction = async ({ request, params }) => {
       const buffer = getMollifierBuffer();
       const entry = buffer ? await buffer.getEntry(runParam) : null;
       if (entry) {
+        // Same org-membership gate as the PG path above. Without this
+        // any authenticated user who knows a runId could replay the
+        // buffered run across orgs.
+        const member = await prisma.orgMember.findFirst({
+          where: { userId, organizationId: entry.orgId },
+          select: { id: true },
+        });
+        if (!member) {
+          return redirectWithErrorMessage(
+            submission.value.failedRedirect,
+            request,
+            "Run not found"
+          );
+        }
         const synthetic = await findRunByIdWithMollifierFallback({
           runId: runParam,
           environmentId: entry.envId,