feat: Node.js SDK update for version 24.0.0 #149

Closed
ChiragAgg5k wants to merge 8 commits into main from dev

ChiragAgg5k (Member) commented Apr 16, 2026

This PR contains updates to the Node.js SDK for version 24.0.0.

What's Changed

  • [BREAKING] Renamed Webhook model fields: security → tls, httpUser → authUsername, httpPass → authPassword, signatureKey → secret
  • [BREAKING] Renamed Webhook service parameters to match: security → tls, httpUser → authUsername, httpPass → authPassword
  • [BREAKING] Renamed Webhooks.updateSignature() to Webhooks.updateSecret() with new optional secret parameter
  • Added Client.getHeaders() method to retrieve request headers
  • Added secret parameter to Webhook create and update methods
  • Added x OAuth provider to OAuthProvider enum
  • Added userType field to Log model
  • Added purge parameter to updateCollection and updateTable for cache invalidation
  • Added Project service: platform CRUD, key CRUD, protocol/service status management
  • Added new models: Key, KeyList, Project, DevKey, MockNumber, AuthProvider, PlatformAndroid, PlatformApple, PlatformLinux, PlatformList, PlatformWeb, PlatformWindows, BillingLimits, Block
  • Added new enums: PlatformType, ProtocolId, ServiceId
  • Updated BuildRuntime, Runtime enums with dart-3.11 and flutter-3.41
  • Updated Scopes enum with keysRead, keysWrite, platformsRead, platformsWrite
  • Updated X-Appwrite-Response-Format header to 1.9.1
  • Updated TTL description for list caching in Databases and TablesDB

greptile-apps Bot commented Apr 16, 2026

Greptile Summary

This PR upgrades the Node.js SDK to v24.0.0, applying a set of breaking renames to the Webhook service (security → tls, httpUser → authUsername, etc.), renaming updateSignature() to updateSecret(), and adding a brand-new Project service with full CRUD for API keys, platforms (Android/Apple/Linux/Web/Windows), and protocol/service status management. Alongside these, several new models, enums, and minor additive changes (e.g. purge on collection/table updates, userType on Log, X OAuth provider) are introduced.

  • The new getHeaders() on Client returns all headers including live auth credentials (X-Appwrite-Key, X-Appwrite-JWT); the docstring says "Handle with care" but does not list the sensitive keys by name — consider redacting or naming them explicitly.
  • The PR description says secret was added to "create and update methods" for webhooks, but Webhooks.update() does not include secret — clarify whether this is intentional or an oversight.

Confidence Score: 5/5

Safe to merge; all findings are P2 — a security documentation gap on getHeaders() and a possible discrepancy between the PR description and the Webhooks.update() implementation.

All breaking renames are consistently applied across service implementations, model types, example docs, and tests. The new Project service follows established SDK patterns correctly. Remaining comments are style/documentation concerns with no runtime impact.

src/client.ts (getHeaders credential exposure) and src/services/webhooks.ts (update() missing secret param vs PR description)

Security Review

  • Credential exposure via getHeaders() (src/client.ts): The new getHeaders() method returns a shallow copy of all request headers, including X-Appwrite-Key, X-Appwrite-JWT, and X-Appwrite-Session. Callers who inadvertently log or forward this object will leak live credentials. The docstring warns "Handle with care" but does not name the sensitive keys.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/client.ts | Added getHeaders() method that returns a copy of all request headers including sensitive auth tokens; SDK version bumped to 24.0.0 and response format updated to 1.9.1. |
| src/services/webhooks.ts | Renamed fields (security → tls, httpUser → authUsername, httpPass → authPassword), renamed updateSignature() → updateSecret(), added optional secret to create() but update() still lacks this parameter despite the PR description claiming it was added to both. |
| src/services/project.ts | New service: full CRUD for API keys, platforms (Android/Apple/Linux/Web/Windows), protocol/service status endpoints, and project variables; all parameter overloads follow established patterns correctly. |
| src/models.ts | Added new models: Project, Key, KeyList, DevKey, MockNumber, AuthProvider, platform types, PlatformList, BillingLimits, Block; Webhook fields renamed; Log gains userType field. |
| src/enums/scopes.ts | Added KeysRead, KeysWrite, PlatformsRead, PlatformsWrite scopes to support the new Project key/platform endpoints. |
| src/index.ts | Exports new Project service and new enums (PlatformType, ProtocolId, ServiceId); all other new models are accessible via the Models namespace. |
| .github/workflows/publish.yml | Updated to Node.js 24.14.1 and pinned npm to 11.10.0 for trusted publishing provenance; permissions and publish command are correct. |

Comments Outside Diff (1)

  1. src/client.ts, line 193-197 (link)

    P2 security getHeaders() returns sensitive credentials verbatim

    This method returns a shallow copy of this.headers, which includes X-Appwrite-Key, X-Appwrite-JWT, X-Appwrite-Session, and other auth tokens set via setKey(), setJWT(), setSession(), etc. Any caller who inadvertently passes the result to console.log, an error-reporting SDK, or an HTTP response body will leak live credentials.

    The docstring says "Handle with care," but that warning is easy to overlook. Consider redacting known sensitive header names before returning, or at minimum listing them explicitly in the JSDoc so callers know what they're receiving:

    /**
     * …
     * The returned copy contains authentication headers such as
     * `X-Appwrite-Key`, `X-Appwrite-JWT`, and `X-Appwrite-Session`.
     * Never log or transmit these values to untrusted parties.
     */
    getHeaders(): Headers {
        return { ...this.headers };
    }

Reviews (1): Last reviewed commit: "chore: update Node.js SDK to 24.0.0"
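
One way for a caller to keep the credentials named in the review above out of logs and error reports, as an added example (not part of this PR or the Appwrite SDK). The helper names, the sample payload and the extra authorization and cookie entries are assumptions made for the illustration.

```typescript
// Added example, not Appwrite SDK code. Header names are the ones the review
// names; `authorization` and `cookie` are assumptions added for generic clients.
const SENSITIVE_HEADERS: string[] = [
    'x-appwrite-key',
    'x-appwrite-jwt',
    'x-appwrite-session',
    'authorization', // assumption: not named on the page
    'cookie',        // assumption: not named on the page
];

const MAX_DEPTH = 6; // stop walking deeply nested or cyclic structures

function isSensitive(name: string): boolean {
    // HTTP header names are case-insensitive, so compare in lower case.
    return SENSITIVE_HEADERS.indexOf(name.toLowerCase()) !== -1;
}

// Return a copy of `value` that is safe to log: any property whose key is a
// credential header is masked, at any nesting level (for instance inside an
// error-context object). The input is never mutated.
function redactForLog(value: unknown, depth: number = 0): unknown {
    if (value === null || typeof value !== 'object') return value;
    if (depth >= MAX_DEPTH) return '[TRUNCATED]';
    if (Array.isArray(value)) {
        return value.map((item) => redactForLog(item, depth + 1));
    }
    const source = value as Record<string, unknown>;
    const safe: Record<string, unknown> = {};
    for (const key of Object.keys(source)) {
        safe[key] = isSensitive(key) ? '[REDACTED]' : redactForLog(source[key], depth + 1);
    }
    return safe;
}

// Constructed sample: an error-report payload embedding a headers object
// shaped like the one getHeaders() is described as returning.
const sampleReport = {
    message: 'request failed',
    request: {
        headers: {
            'content-type': 'application/json',
            'X-Appwrite-Project': 'demo-project',
            'X-Appwrite-Key': 'constructed-api-key-value',
            'x-appwrite-jwt': 'constructed.jwt.value',
        },
    },
};

const loggable: string = JSON.stringify(redactForLog(sampleReport));
```

Passing the result of redactForLog() to a logger instead of the raw object keeps non-secret headers visible for debugging while the credential values never reach the log sink.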

Comment thread src/services/webhooks.ts
* @returns {Promise<Models.Webhook>}
*/
update(params: { webhookId: string, name: string, url: string, events: string[], enabled?: boolean, security?: boolean, httpUser?: string, httpPass?: string }): Promise<Models.Webhook>;
update(params: { webhookId: string, name: string, url: string, events: string[], enabled?: boolean, tls?: boolean, authUsername?: string, authPassword?: string }): Promise<Models.Webhook>;
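
Review bot: The object-parameter overload of update() swaps security, httpUser and httpPass for tls, authUsername and authPassword with no deprecated alias, so an untyped JavaScript caller that still passes security: true gets no compile-time error. The method body is not visible in this hunk, so confirm whether unrecognised keys are dropped silently; if they are, a caller's TLS-verification or basic-auth setting could be left out of the request without notice. Consider stating the rename in the @param block above this signature or in a migration note.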

P2 Webhooks.update() is missing the secret parameter

The PR description states "Added secret parameter to Webhook create and update methods." create() correctly includes the optional secret parameter, but the update() signature does not. If the Appwrite v24 API's PUT /webhooks/{webhookId} endpoint accepts a secret field (consistent with create()), omitting it here means callers cannot update the secret through the standard update path and must rely solely on updateSecret().

If omitting secret from update() is an intentional design choice (i.e., secrets can only be set at creation or rotated via updateSecret()), the example file docs/examples/webhooks/update.md and the PR description should be updated to clarify this. If it was an oversight, the parameter and its payload assignment should be added here to match create().
