feat: invoice lifecycle, refunds, role-based views, security hardening

Invoice Lifecycle:
- Invoice ledger with status tracking (draft → sent → viewed → paid)
- Status badges with color coding in Invoices view
- Actions: Mark Sent, Mark Paid, Issue Refund, Cancel
- Filter invoices by status, account, period

Refunds:
- Refund modal with amount, reason, partial refund support
- Credit memo PDF generation (CREDIT MEMO header, negative amounts)
- Refund entries tracked per invoice with audit trail

Role-based Views:
- Role detection via cockpit.user() + config + sacctmgr
- Admin: full access, all accounts, rate editing, invoice management
- PI: their accounts, user breakdown, view invoices
- Member: personal usage, job history, efficiency tips
- Finance: read-only, view all, mark invoices paid
- Nav tabs filtered by role, data filtered by role

Role-specific Dashboards:
- Admin: cluster cost KPI, invoice status summary, top accounts, alerts
- PI: account cost, budget remaining, user breakdown
- Member: personal cost, recent jobs, efficiency metrics

Security:
- ReportLab input sanitization (strip HTML/XML tags)
- Logo upload 256KB size limit
- Pinned CI dependencies
- Release workflow gated on passing tests

Author: Sqoia Dev Agent

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
         with:
           python-version: '3.x'
       - name: Install Python lint deps
-        run: pip install flake8
+        run: pip install flake8==7.1.1
       - name: Python lint
         run: flake8 src test
       - name: Set up Node
@@ -26,7 +26,7 @@ jobs:
       - name: Install ESLint
         run: |
           npm init -y >/dev/null 2>&1
-          npm install eslint >/dev/null 2>&1
+          npm install eslint@9.0.0 >/dev/null 2>&1
       - name: JavaScript lint
         run: npx eslint src test --ext .js
 
@@ -40,7 +40,7 @@ jobs:
           python-version: '3.x'
       - name: Python unit tests
         run: |
-          pip install pytest >/dev/null 2>&1
+          pip install pytest==8.3.3 >/dev/null 2>&1
           PYTHONPATH=src python test/unit/slurmdb_validation.test.py
       - name: Set up Node
         uses: actions/setup-node@v4
@@ -73,6 +73,6 @@ jobs:
         with:
           python-version: '3.x'
       - name: Install Bandit
-        run: pip install bandit
+        run: pip install bandit==1.8.0
       - name: Run Bandit
         run: bandit -r src

.github/workflows/release.yml

@@ -8,8 +8,64 @@ on:
         required: true
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - name: Install Python lint deps
+        run: pip install flake8==7.1.1
+      - name: Python lint
+        run: flake8 src test
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      - name: Install ESLint
+        run: |
+          npm init -y >/dev/null 2>&1
+          npm install eslint@9.0.0 >/dev/null 2>&1
+      - name: JavaScript lint
+        run: npx eslint src test --ext .js
+
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - name: Python unit tests
+        run: |
+          pip install pytest==8.3.3 >/dev/null 2>&1
+          PYTHONPATH=src python test/unit/slurmdb_validation.test.py
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      - name: Node unit tests
+        run: node test/unit/calculator.test.js
+
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - name: Install Bandit
+        run: pip install bandit==1.8.0
+      - name: Run Bandit
+        run: bandit -r src
+
   release:
     runs-on: ubuntu-latest
+    needs: [lint, unit-tests, security-scan]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Node

src/invoice.py

@@ -13,6 +13,7 @@
 import io
 import json
 import os
+import re
 import sys
 import logging
 import tempfile
@@ -56,6 +57,14 @@
 CONTENT_W = PAGE_W - 2 * MARGIN
 
 
+# ---------------------------------------------------------------------------
+# Input sanitization
+# ---------------------------------------------------------------------------
+def sanitize_for_paragraph(text):
+    """Strip HTML/XML tags to prevent reportlab markup injection."""
+    return re.sub(r'<[^>]+>', '', str(text))
+
+
 # ---------------------------------------------------------------------------
 # Number formatting helpers
 # ---------------------------------------------------------------------------
@@ -195,13 +204,13 @@ def _build_header(invoice_data, styles, logo_path):
         except Exception as exc:
             logging.warning("Could not embed logo: %s", exc)
 
-    left_paras.append(Paragraph("<b>" + (dept or "Your Institution") + "</b>", styles["Normal"]))
+    left_paras.append(Paragraph("<b>" + sanitize_for_paragraph(dept or "Your Institution") + "</b>", styles["Normal"]))
     for line in address_lines:
         if line.strip():
-            left_paras.append(Paragraph(line, styles["Normal"]))
+            left_paras.append(Paragraph(sanitize_for_paragraph(line), styles["Normal"]))
     for line in contact_lines:
         if line.strip():
-            left_paras.append(Paragraph(line, styles["Small"]))
+            left_paras.append(Paragraph(sanitize_for_paragraph(line), styles["Small"]))
 
     # Right column: INVOICE title + meta
     inv_num = invoice_data.get("invoice_number", "")
@@ -210,8 +219,10 @@ def _build_header(invoice_data, styles, logo_path):
     period = invoice_data.get("period", "")
     payment_terms = invoice_data.get("payment_terms", "")
 
+    is_credit_memo = invoice_data.get("is_credit_memo", False)
+    title_text = "CREDIT MEMO" if is_credit_memo else "INVOICE"
     right_paras = [
-        Paragraph("INVOICE", styles["InvoiceTitle"]),
+        Paragraph(title_text, styles["InvoiceTitle"]),
         Spacer(1, 8),
     ]
 
@@ -224,6 +235,8 @@ def _build_header(invoice_data, styles, logo_path):
         meta_rows.append(("Period:", period))
     if payment_terms:
         meta_rows.append(("Terms:", payment_terms))
+    if invoice_data.get("original_invoice"):
+        meta_rows.append(("Original Invoice:", str(invoice_data["original_invoice"])))
 
     meta_label_style = ParagraphStyle(
         "MetaLabel",
@@ -242,7 +255,7 @@ def _build_header(invoice_data, styles, logo_path):
     for label, val in meta_rows:
         right_paras.append(
             Table(
-                [[Paragraph(label, meta_label_style), Paragraph(val, meta_val_style)]],
+                [[Paragraph(label, meta_label_style), Paragraph(sanitize_for_paragraph(val), meta_val_style)]],
                 colWidths=[0.9 * inch, 1.5 * inch],
                 style=TableStyle([
                     ("VALIGN", (0, 0), (-1, -1), "TOP"),
@@ -282,13 +295,13 @@ def _build_bill_to(invoice_data, styles):
 
     bill_to_lines = []
     name_parts = [contact.get("fullName", ""), contact.get("title", "")]
-    name_str = ", ".join(p for p in name_parts if p)
+    name_str = ", ".join(sanitize_for_paragraph(p) for p in name_parts if p)
     if name_str:
         bill_to_lines.append(name_str)
 
     dept = institution.get("department") or institution.get("name", "")
     if dept:
-        bill_to_lines.append(dept)
+        bill_to_lines.append(sanitize_for_paragraph(dept))
 
     address_parts = [
         institution.get("address", ""),
@@ -297,11 +310,11 @@ def _build_bill_to(invoice_data, styles):
     ]
     for p in address_parts:
         if p.strip():
-            bill_to_lines.append(p)
+            bill_to_lines.append(sanitize_for_paragraph(p))
 
     email = contact.get("email", "")
     if email:
-        bill_to_lines.append(email)
+        bill_to_lines.append(sanitize_for_paragraph(email))
 
     content_paras = [Paragraph("<b>BILL TO</b>", styles["SectionHead"])]
     for line in bill_to_lines:
@@ -369,7 +382,7 @@ def _build_items_table(invoice_data, styles):
         rate_str = _fmt_currency(rate) if isinstance(rate, (int, float)) else str(rate)
         amt_str = _fmt_currency(amount) if isinstance(amount, (int, float)) else str(amount)
         table_data.append([
-            Paragraph(item.get("description", ""), cell_style),
+            Paragraph(sanitize_for_paragraph(item.get("description", "")), cell_style),
             Paragraph(qty_str, num_style),
             Paragraph(rate_str, num_style),
             Paragraph(amt_str, num_style),
@@ -450,11 +463,11 @@ def _build_footer_sections(invoice_data, styles):
     left_col = [Paragraph("<b>PAYMENT INFORMATION</b>", styles["SectionHead"])]
     for line in bank_info:
         if line.strip():
-            left_col.append(Paragraph(line, styles["Normal"]))
+            left_col.append(Paragraph(sanitize_for_paragraph(line), styles["Normal"]))
 
     right_col = [Paragraph("<b>NOTES</b>", styles["SectionHead"])]
     if notes:
-        right_col.append(Paragraph(notes, styles["Normal"]))
+        right_col.append(Paragraph(sanitize_for_paragraph(notes), styles["Normal"]))
 
     foot_table = Table(
         [[left_col, right_col]],

src/slurmcostmanager.css

@@ -277,3 +277,26 @@ nav button:hover {
   font-size: 0.8em;
   margin-top: 0.2em;
 }
+
+/* Modal overlay for refunds and other dialogs */
+.modal-overlay {
+  position: fixed;
+  inset: 0;
+  background: rgba(0, 0, 0, 0.5);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+}
+
+.modal {
+  background: #fff;
+  border-radius: 6px;
+  padding: 1.5em;
+  box-shadow: 0 8px 32px rgba(0, 0, 0, 0.2);
+}
+
+.modal h3 {
+  margin-top: 0;
+  margin-bottom: 1em;
+}