feat: add signup email security controls

[HarshMN2345]

What does this PR do?

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

[greptile-apps]

Greptile Summary

This PR adds three new email-security policy controls (block free emails, require canonical emails, block disposable emails) to the auth security settings page, and broadly refactors all security, services, protocols, and auth-method components to read from dedicated policy objects (fetched via getPolicy()) rather than flat fields on the Models.Project model. It also migrates several SDK enum references to their renamed counterparts (ProjectServiceId, ProjectProtocolId, ProjectAuthMethodId, etc.) and restructures the onboarding progress tracking to use layout-level platform/key list fetches.

• New email-policy card (updateSignupEmailSecurity.svelte): uses onMount for state initialization (unlike sibling components that initialize directly in $state), always fires all three API calls on submit regardless of which setting changed, and hardcodes the first submit enum in error tracking — making it impossible to identify which of the three calls failed from analytics data.
• Security page load (+page.ts): fetches all 12 policies in a single Promise.all; the three new email-policy IDs are locally defined and force-cast as ProjectPolicyId, so a backend that doesn't yet serve them will cause the entire security page to fail to load.
• Org page (organization-[organization]/+page.ts): adds a sequential await listPlatforms() per project inside a for loop, replacing what was previously a zero-extra-request operation — an org with many projects now incurs N serial round-trips, and a single failing project tears down the entire overview.

Confidence Score: 2/5

Multiple functional regressions exist: the security page can fail entirely if any email-policy endpoint is unrecognized, the org overview can break if one project platform fetch fails, and service/protocol/auth-method toggles can silently appear as indeterminate if backend arrays are incomplete.

The security page's Promise.all over 12 policies — three of which use force-cast IDs not in the SDK enum — will reject and leave all security controls inaccessible if the backend doesn't serve the new endpoints. The org page's sequential per-project listPlatforms loop has no error isolation, so a single unavailable project region breaks the entire org overview.

The security page load (auth/security/+page.ts), the organization overview page load (organization-[organization]/+page.ts), and the three store files (project-services.ts, auth-methods.ts, project-protocols.ts) need the most attention before merging.

Important Files Changed

Filename	Overview
src/routes/(console)/project-[region]-[project]/auth/security/updateSignupEmailSecurity.svelte	New email-policy settings card with issues: onMount initialization creates a pre-hydration window where hasChanges is incorrectly true; partial-failure leaves server state inconsistent; error analytics always attribute to the canonical-email call; and EnabledPolicy type is duplicated from +page.ts.
src/routes/(console)/project-[region]-[project]/auth/security/+page.ts	New page-load function fetches all 12 policies in a single Promise.all; the three email-policy IDs are locally defined and force-cast as ProjectPolicyId, so if the backend doesn't serve them the entire security page fails to load.
src/routes/(console)/organization-[organization]/+page.ts	Adds sequential await listPlatforms() inside a for loop — N serial round-trips instead of one parallel batch; a single failing project tears down the entire org overview.
src/routes/(console)/project-[region]-[project]/+layout.ts	Switches project load from sdk.forConsole.projects.get to projectSdk.get(); adds parallel listPlatforms and listKeys fetches for the onboarding store and shell progress card.
src/routes/(console)/project-[region]-[project]/store.ts	Rewrites onboarding derived store from project-embedded arrays to page.data.platforms.total and page.data.keys.total, now sourced from layout-level fetches.
src/lib/stores/project-services.ts	Migrates from flat boolean fields to a Map built from project.services[]; missing entries now silently yield null instead of a clear boolean, which may render toggles as indeterminate.
src/lib/stores/auth-methods.ts	Same pattern as project-services.ts — migrates to ProjectAuthMethodId and a Map over project.authMethods[]; absent entries silently become null.
src/lib/stores/project-protocols.ts	Same Map-based migration for protocols; absent entries become null silently.
package.json	Pins @appwrite.io/console to a bare commit hash on pkg.vc without an integrity checksum, replacing the versioned npm release.

_{Reviews (14): Last reviewed commit: "Use project key scope type in selector" | Re-trigger Greptile}

[Meldiron]

Hmm, not good. Why two? What is differene between ProjectKeyScopes and Scopes?

DId you see anything else like this we should think about, from quality perspective in new SDK?

[Meldiron]

Why did we remove total? new list API should have proper pagination no problem

[Meldiron]

Not big fan of alias here, we could instead rename to new name.

Lets check for this in all files

[Meldiron]

Do we need platforms and keys for layout, or can layout render without it - and then we load those in releavnt +page.ts (for dashboard)?

[Meldiron]

Something here feels like a bug, notice two commas , ,

[Meldiron]

platforms platforms isnt correct I think 🤔 Why not just page.data.platforms?

I might be wrong tho. Is there other places where we have this double-name pattern? Maybe something iwth pagination?

[Meldiron]

Why do we need cusotm type, which also accepts anything on top of it?

[Meldiron]

we renamed, its aliased emails, not canonical emails

[Meldiron]

Interesting change here - before you got all, now you get a page.

People with 25+ platforms might complain its not working.

We need to introduce pagination.

Same for API keys, mock phone numbers

[Meldiron]

Curious why we added this

[Meldiron]

Project no longer has platforms, this wont work. Adding platforms forcefully to the type is like doing any - bad practice

[Meldiron]

Proper pagination might be needed here - diffrerenciating .length (current page)and.total` (total count)

[Meldiron]

Same comment as above - platforms are not available here, this wont work. Shouldnt.

[Meldiron]

Lets instead use listPolicies

[Meldiron]

Note for self, @Meldiron should double check copy

[Meldiron]

I would avoid alias, shouldnt be needed

[greptile-apps]

onboarding always evaluates to false

$page.data.keys is never populated by any page load function in this PR — no +page.ts or +layout.ts loads a key list into page.data.keys. Because of the && condition, keys?.total === 0 evaluates to undefined === 0 → false on every route, making the whole expression permanently false. As a result, create.svelte never calls invalidate(Dependencies.PROJECT) after a new API key is created on a fresh (zero-platforms, zero-keys) project, so the onboarding progress card does not advance when an API key is the qualifying action.

[greptile-apps]

Silent null fallback masks missing service entries

The same pattern applied across project-services.ts, auth-methods.ts, and project-protocols.ts: if project.services (or .authMethods / .protocols) is absent or doesn't contain an entry for a given ID, services.get(...) returns undefined and ?? null yields null for that toggle. Previously these read flat boolean fields (project?.serviceStatusForAccount), so null only occurred when the entire project was null. Now any service/method/protocol missing from the backend array silently renders as indeterminate — and any UI that treats null the same as false (disabled) would silently suppress what may actually be an enabled setting.