fix(webapp): mollifier buffered-path auth checks + drop high-cardinality envId from realtime counter

Three CodeRabbit findings from #3709, re-raised on #3757:

- resources.taskruns.$runParam.debug.ts: buffered fallback returned the
  run's queue / concurrencyKey / queueTimestamp from the snapshot
  without verifying org membership. Any authenticated user who knew a
  friendlyId could read those fields across orgs. Now joins through
  orgMember the same way the PG path does and 404s on miss.
- resources.runs.$runParam.logs.download.ts: same shape — the buffered
  placeholder leaked runId existence to non-members on direct URL
  access. Same orgMember check now gates the buffered branch.
- mollifierTelemetry.server.ts: recordRealtimeBufferedSubscription was
  attaching envId (a UUID) as an OTEL counter dimension, violating the
  project's "no high-cardinality IDs in metric attributes" guideline.
  Dropped the parameter; the call site's logger.info still emits envId.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: d-cs

apps/webapp/app/routes/realtime.v1.runs.$runId.ts

@@ -79,7 +79,7 @@ export const loader = createLoaderApiRoute(
       typeof bufferedDwellMs === "number" &&
       isInitialBufferedSubscriptionRequest(request.url)
     ) {
-      recordRealtimeBufferedSubscription(authentication.environment.id);
+      recordRealtimeBufferedSubscription();
       logger.info("mollifier.realtime.buffered_subscription", {
         runId: run.friendlyId,
         envId: authentication.environment.id,

apps/webapp/app/routes/resources.runs.$runParam.logs.download.ts

@@ -33,15 +33,21 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
   if (!run || !run.organizationId) {
     // Buffered run has no events to package yet. Return a small gzipped
     // placeholder file so the dashboard's "Download logs" button doesn't
-    // 404 mid-burst. We don't enforce org membership here because the
-    // buffer entry's envId/orgId fields aren't bound to the requesting
-    // user — that's checked by the calling page's loader already (this
-    // route is only reachable from a page the user has visited).
+    // 404 mid-burst. Re-check org membership against the buffer entry's
+    // orgId so direct URL access can't confirm runId existence across
+    // orgs (loader-based check on the calling page doesn't apply here).
     const buffer = getMollifierBuffer();
     if (buffer) {
       try {
         const entry = await buffer.getEntry(parsedParams.runParam);
         if (entry) {
+          const member = await prisma.orgMember.findFirst({
+            where: { userId: user.id, organizationId: entry.orgId },
+            select: { id: true },
+          });
+          if (!member) {
+            return new Response("Not found", { status: 404 });
+          }
           const placeholder = new Readable({
             read() {
               this.push(

apps/webapp/app/routes/resources.taskruns.$runParam.debug.ts

@@ -54,6 +54,16 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
       try {
         const entry = await buffer.getEntry(runParam);
         if (entry) {
+          // Same org-membership gate as the PG path above. Without it,
+          // any authenticated user who knows a runId could read the
+          // buffered run's queue/concurrencyKey snapshot across orgs.
+          const member = await $replica.orgMember.findFirst({
+            where: { userId, organizationId: entry.orgId },
+            select: { id: true },
+          });
+          if (!member) {
+            throw new Response("Not Found", { status: 404 });
+          }
           const snapshot = deserialiseSnapshot<{
             taskIdentifier?: string;
             queue?: string;

apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts

@@ -31,9 +31,9 @@ export const realtimeBufferedSubscriptionsCounter = meter.createCounter(
 
 // No `envId` attribute — `envId` is a banned high-cardinality metric
 // label per the repo's OTel rules. The structured warn log emitted
-// alongside the counter tick (in `mollifierStaleSweep.server.ts`)
-// carries the envId / orgId / runId for forensic drill-down; the
-// metric stays an aggregate.
+// alongside the counter tick (in `mollifierStaleSweep.server.ts` and
+// the realtime route's `logger.info`) carries the envId / orgId /
+// runId for forensic drill-down; the metric stays an aggregate.
 export function recordRealtimeBufferedSubscription(): void {
   realtimeBufferedSubscriptionsCounter.add(1);
 }