Add billing receipt privacy guard

[KoiosSG]

Portfolio Comparison Refresh (2026-06-27)

• Current live state: open, non-draft, clean mergeability on head d8fa451; no GitHub check runs or status contexts are attached, and Algora remains Pending with Total paid $0.
• Same-issue distinction: newer PRs Add payment dispute evidence guard #595 and Add embargoed data license guard #596 cover payment-dispute evidence and embargoed data-license release control, while this PR protects customer-facing invoices, receipts, and payment-provider metadata before billing artifacts leave SCIBASE.
• Reviewer evidence advantage: this PR already covers private research context, restricted dataset references, collaborator identifiers, grant-sensitive phrases, unsafe receipt/customer fields, malformed or negative amounts/quantities, unsafe metadata key names, nested metadata values, settlement/receipt metadata redaction, reviewer-safe handles, and deterministic finance-review artifacts.

/claim #20 ## Summary Adds a distinct billing-receipt-privacy-guard/ slice for Revenue Infrastructure issue #20. The guard validates customer-facing invoices, receipts, and payment-provider metadata before billing artifacts leave SCIBASE. It detects private research project context, restricted dataset references, collaborator identifiers, grant-sensitive phrases, unsafe receipt identifiers, unsafe customer-facing envelope fields, malformed monetary/quantity fields, malformed top-level billing batches, malformed line-item entries, unsafe line-item fields, unsafe provider metadata values, unsafe provider metadata key names, and sparse billing provider batches. Safe receipts remain deliverable, while unsafe receipts are held for finance review with redacted replacement identifiers, safe currency labels, replacement line items, redacted metadata-key handles, malformed-field repair actions, and deterministic audit evidence. ## Hardening Updates - Holds malformed top-level billing batches as malformed-billing-batch finance-repair evidence instead of crashing receipt review before any reviewer packet can be generated. - Holds malformed line-item entries as malformed-line-item finance-repair evidence instead of crashing sparse billing provider payload review. - Holds receipts with malformed or negative customer-facing totals, quantities, or line-item amounts even when those fields do not contain private research text. - Redacts malformed customer-facing numeric fields to null and emits invalid-billing-amount / invalid-billing-quantity findings. - Redacts unsafe provider metadata key names when the key itself carries restricted dataset or private research context, preserving reviewer-safe handles such as metadata-key-redacted-1. - Scans structured/nested allowed provider metadata values so private project context cannot hide behind safe metadata keys. - Redacts customer-facing line-item identifiers and units when they contain restricted dataset context. - Redacts receipt, invoice, and customer identifiers when they expose private project, dataset, or collaborator context while keeping distinct redacted handles for finance review correlation. - Treats missing provider metadata as an empty provider packet instead of crashing receipt review. - Treats omitted receipt and line-item collections as empty billing evidence instead of crashing receipt review. - Redacts unsafe customer-facing currency labels to XXX when malformed receipt envelope data carries restricted dataset context. - Redacts unsafe customer-facing totals, quantities, and line-item amounts to null when billing fields carry restricted dataset context. ## Non-overlap This is scoped to privacy-safe billing artifacts before invoice, receipt, or payment-provider delivery. It does not duplicate subscription entitlement or renewal guards, usage metering, tax controls, dispute evidence, procurement controls, pricing experiments, payment rail failover, webhook entitlement, invoice acceptance, storage overage, analytics licensing, credit breakage, FX/reconciliation, or revenue-recognition slices. ## Validation - Added a red regression for a null top-level billing batch; before the fix evaluateReceiptPrivacy(null) crashed at batch.receipts. - Added reports/malformed-batch-privacy-packet.json so reviewers can inspect the held malformed-batch path. - cd billing-receipt-privacy-guard && npm run check passed: 18 tests plus deterministic demo and video generation. - node --check passed for index.js, test.js, and demo.js. - Parsed all report JSON successfully: malformed batch packet 1 held receipt, 1 remediation action, digest sha256:163469712907. - ffprobe verified billing-receipt-privacy-guard/reports/demo.mp4 as H.264, 1280x720, 4s, 30fps, 120 frames, 56,900 bytes. - git diff --check, git diff --cached --check, billing-guard-only staging, restricted-string scan, and generated report private-fixture scan passed. - GitHub PR merge state after push: CLEAN; no checks are reported for this branch. ## Demo Artifacts - billing-receipt-privacy-guard/reports/receipt-privacy-packet.json - billing-receipt-privacy-guard/reports/empty-receipt-privacy-packet.json - billing-receipt-privacy-guard/reports/malformed-receipt-privacy-packet.json - billing-receipt-privacy-guard/reports/malformed-line-item-privacy-packet.json - billing-receipt-privacy-guard/reports/malformed-batch-privacy-packet.json - billing-receipt-privacy-guard/reports/receipt-privacy-report.md - billing-receipt-privacy-guard/reports/summary.svg - billing-receipt-privacy-guard/reports/demo.mp4 Synthetic data only. No credentials, payment processors, customer systems, private workspaces, institutional finance tools, payout systems, or external APIs are used. AI-assisted with OpenAI Codex; I reviewed and locally verified the diff before submitting.

[KoiosSG]

Hardening update pushed in 094ae6e: nested allowed provider metadata values now scan through structured objects, so private project context cannot hide inside an allowlisted metadata key. Validation refreshed locally: npm run check, npm test (6 tests), git diff --check, and sensitive-term scan returned no matches.

[KoiosSG]

Hardening update pushed in 25e1c08: customer-facing line-item identifiers and units are now scanned and redacted when they carry restricted dataset context, so private dataset labels cannot leak through receipt fields outside the description/projectRef path.

Verification refreshed:

• Red regression first: npm test failed on the new line-item field leak case (deliver-receipt vs hold-for-finance-review).
• Green: npm test passes with 7 billing receipt privacy guard tests.
• npm run check passes: tests, demo packet/report/SVG, and demo MP4 generation.
• node --check passes for index.js, test.js, and demo.js.
• ffprobe confirms reports/demo.mp4 is H.264, 1280x720, 30fps, 4s, 41,982 bytes.
• git diff --check and git diff --cached --check pass.
• Sensitive-term scan across changed code/docs/reports returned no matches.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in 3408b06:

• Added red regressions for private receipt, invoice, and customer identifiers leaking into customer-facing billing artifacts.
• Redacts unsafe receipt/invoice/customer identifiers while keeping distinct redacted handles for finance-review correlation.
• Updated README, requirements map, and acceptance notes so identifier redaction is part of the reviewer-visible receipt privacy contract.

Validation:

• Confirmed the first regression failed before implementation: private identifiers incorrectly returned deliver-receipt instead of hold-for-finance-review.
• Confirmed the distinct-redacted-ID regression failed before indexing redacted identifiers: duplicate receipt-redacted-1 handles were produced.
• npm test -> 9 billing receipt privacy guard tests passed.
• npm run check -> tests, demo generation, and demo video generation passed.
• node --check on index/demo/test passed.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 41,982 bytes.
• git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
• Sensitive-term scan of the assistant returned no payout or credential strings.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in 768370e:

• Added a regression for receipts that omit provider metadata entirely.
• Missing provider metadata is now treated as an empty provider packet instead of crashing receipt privacy review.
• README, requirements map, and acceptance notes now explicitly cover optional provider metadata handling.

Validation refreshed locally:

• Confirmed the new regression failed before implementation with TypeError: Cannot convert undefined or null to object.
• npm test -> 10 billing receipt privacy guard tests passed.
• npm run check -> test, demo, and video passed.
• npm run demo -> regenerated packet/report/SVG artifacts.
• npm run video -> regenerated demo.mp4.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 41,982 bytes.
• git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
• Sensitive-term scan returned no payout or credential strings.
• GitHub PR merge state after push: CLEAN.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in 09859bd:

• Added a regression for malformed customer-facing receipt currency labels carrying restricted dataset context, e.g. USD GSE-private cohort.
• Receipt envelope currency is now scanned for private/restricted context and replaced with XXX before customer copy or audit output is emitted.
• The guard now holds the receipt for finance review instead of delivering a customer-facing artifact that leaks restricted dataset wording through an envelope field.
• README, requirements map, and acceptance notes now make customer-facing envelope-field redaction part of the reviewer-visible privacy contract.

Validation refreshed locally:

• Confirmed the new regression failed before implementation with deliver-receipt instead of hold-for-finance-review.
• npm test -> 11 billing receipt privacy guard tests passed.
• npm run check -> test, demo, and video generation passed.
• node --check on index/demo/test passed.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 41,982 bytes.
• git diff --check and git diff --cached --check passed.
• Sensitive-term scan returned no payout or credential strings.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in bbb8df7:

• Added a red-first regression for malformed customer-facing total, quantity, and line-item amount fields carrying restricted dataset context.
• The guard now scans those monetary/quantity fields, holds the receipt for finance review, and redacts unsafe customer-facing numeric fields to null instead of delivering private dataset wording.
• Summary aggregation now ignores redacted unsafe totals instead of concatenating malformed strings into finance evidence.
• README, requirements map, and acceptance notes now include unsafe monetary/quantity field redaction.

Why this matters:

• Receipt privacy is not only descriptions and metadata. Malformed amount/quantity fields are still customer-facing billing artifacts and can leak restricted dataset context if left unscanned.
• This keeps PR Add billing receipt privacy guard #424 focused on the distinct receipt-delivery privacy slice while strengthening the privacy contract against another concrete leakage path.

Validation refreshed locally:

• Confirmed the new regression failed before implementation with deliver-receipt instead of hold-for-finance-review.
• npm test -> 12 billing receipt privacy guard tests passed.
• npm run check -> test, demo, and video generation passed.
• node --check on index/demo/test passed.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 41,982 bytes.
• git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
• Sensitive-term scan returned no payout or credential strings.
• GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in c04d71f:

• Added a regression for unsafe provider metadata key names carrying restricted dataset context, e.g. GSE-private-cohort.
• Provider metadata keys are now scanned before they are reported as removed fields; private key names are replaced with metadata-key-redacted-N handles instead of leaking raw key text into finance/audit packets.
• README, requirements map, acceptance notes, and deterministic reviewer artifacts were refreshed to document provider metadata key-name redaction.

Validation refreshed locally:

• Confirmed the new regression failed before implementation because metadata key names were not scanned for restricted dataset findings.
• npm test -> 13 billing receipt privacy guard tests passed.
• npm run check -> test, demo generation, and demo video generation passed.
• node --check passed for index.js, test.js, and demo.js.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 41,982 bytes.
• git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
• Sensitive-term scan returned no payout, credential, or token strings.
• Generated report/doc scan found no private fixture terms from the new metadata-key leak case.
• GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

[KoiosSG]

Follow-up competitive hardening pass for the billing receipt privacy guard.

What changed in 4a1844a:

• Added sparse billing payload regressions for batches that omit receipts and receipts that omit lineItems.
• Missing receipt collections now produce deterministic empty review evidence instead of crashing on batch.receipts.map.
• Missing line-item collections now produce empty customer-copy/redacted line lists while preserving safe receipt totals.
• Demo/docs now include reports/empty-receipt-privacy-packet.json so reviewers can inspect the sparse-batch behavior directly.

Why this matters:

• Provider/export billing payloads can arrive partially populated during retries, previews, or empty billing periods. The privacy guard should produce auditable evidence rather than failing open or crashing before finance review.
• This keeps PR Add billing receipt privacy guard #424 focused on receipt-delivery privacy while making it more resilient than a happy-path redaction-only slice.

Validation refreshed locally:

• Confirmed the sparse-batch regression failed before implementation with TypeError: Cannot read properties of undefined (reading 'map') at batch.receipts.map.
• npm test -> 15 billing receipt privacy guard tests passed.
• npm run demo, npm run video, and npm run check passed.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 30 fps, 4.0s, 48,322 bytes.
• git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
• Sensitive-term scan returned no payout, credential, or token strings.
• Generated report/doc scan found no private fixture terms from the new sparse-batch cases.
• GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

[KoiosSG]

Hardening update pushed in 5d6a272.

This tightens the customer-facing receipt gate: malformed or negative numeric fields now block delivery even when they do not contain private research text. The guard emits invalid-billing-amount / invalid-billing-quantity, redacts unsafe totals/quantities/amounts to null, and produces repair-malformed-billing-fields-before-delivery remediation.

Fresh validation from billing-receipt-privacy-guard/:

• Red/green regression: before implementation, the malformed numeric receipt returned deliver-receipt; after implementation it returns hold-for-finance-review.
• npm test passed: 16 tests.
• npm run check passed, including demo and video generation.
• npm run demo added reports/malformed-receipt-privacy-packet.json for reviewer inspection.
• ffprobe verified reports/demo.mp4 as H.264, 1280x720, 4s, 30fps, 48,322 bytes.
• Parsed all JSON reports successfully: main packet 1 held/1 deliverable, empty packet 0/0, malformed packet 1 held/0 deliverable.
• git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
• Restricted-term scan of the module returned no matches, and generated reports do not include private fixture terms.

This keeps #424 distinct from #362: #424 protects customer-facing receipt/privacy delivery, while #362 focuses on analytics license seat roster renewal/true-up controls.

[KoiosSG]

Pushed a focused hardening commit for malformed sparse provider line items: 6caa2e9 now turns lineItems: [null] into a malformed-line-item finance-review hold instead of crashing receipt review.

Fresh verification from billing-receipt-privacy-guard/: npm test (17 tests), npm run check, npm run demo, npm run video, JSON parse checks including malformed-line-item-privacy-packet.json, ffprobe on reports/demo.mp4 (H.264 1280x720, 30 fps, 4s), git diff --check, git diff --cached --check, billing-guard-only staging, restricted-string scan, and generated report private-fixture scan all passed.

[KoiosSG]

Pushed a focused hardening commit for malformed top-level billing provider packets: 470aacb now turns evaluateReceiptPrivacy(null) into a malformed-billing-batch finance-review hold instead of crashing at batch.receipts before reviewer evidence can be generated.

Fresh verification from billing-receipt-privacy-guard/: red regression reproduced the crash first; npm run check passed with 18 tests plus demo/video generation; node --check passed for index/test/demo; all report JSON parsed including malformed-batch-privacy-packet.json; ffprobe verified reports/demo.mp4 as H.264 1280x720 30fps 4s; git diff --check, git diff --cached --check, allowlist staging, restricted-string scan, and generated report private-fixture scan passed.

[KoiosSG]

Hi, just checking in on this bounty submission. The billing receipt privacy guard is still open and merge-clean; the current package covers malformed billing batches/line items and redacts payment-routing metadata before delivery with regenerated reviewer artifacts. Is there anything specific you would like me to change, simplify, or clarify to make review/selection easier?