chore: move the go code into a subfolder

apps/api/internal/repository/project/aggregate.go

@@ -0,0 +1,31 @@
+package project
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "project"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, resourceOwner string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func AggregateFromWriteModel(ctx context.Context, wm *eventstore.WriteModel) *eventstore.Aggregate {
+	return eventstore.AggregateFromWriteModelCtx(ctx, wm, AggregateType, AggregateVersion)
+}

apps/api/internal/repository/project/api_config.go

@@ -0,0 +1,237 @@
+package project
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	APIConfigAddedType             = applicationEventTypePrefix + "config.api.added"
+	APIConfigChangedType           = applicationEventTypePrefix + "config.api.changed"
+	APIConfigSecretChangedType     = applicationEventTypePrefix + "config.api.secret.changed"
+	APIConfigSecretHashUpdatedType = applicationEventTypePrefix + "config.api.secret.updated"
+)
+
+type APIConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID    string `json:"appId"`
+	ClientID string `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
+	AuthMethodType domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID string,
+	hashedSecret string,
+	authMethodType domain.APIAuthMethodType,
+) *APIConfigAddedEvent {
+	return &APIConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigAddedType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		HashedSecret:   hashedSecret,
+		AuthMethodType: authMethodType,
+	}
+}
+
+func (e *APIConfigAddedEvent) Validate(cmd eventstore.Command) bool {
+	c, ok := cmd.(*APIConfigAddedEvent)
+	if !ok {
+		return false
+	}
+
+	if e.AppID != c.AppID {
+		return false
+	}
+	if e.ClientID != c.ClientID {
+		return false
+	}
+	if e.AuthMethodType != c.AuthMethodType {
+		return false
+	}
+
+	return true
+}
+
+func APIConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &APIConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string                    `json:"appId"`
+	AuthMethodType *domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []APIConfigChanges,
+) (*APIConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "API-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type APIConfigChanges func(event *APIConfigChangedEvent)
+
+func ChangeAPIAuthMethodType(authMethodType domain.APIAuthMethodType) func(event *APIConfigChangedEvent) {
+	return func(e *APIConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func APIConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+}
+
+func (e *APIConfigSecretChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *APIConfigSecretChangedEvent {
+	return &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretChangedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func APIConfigSecretChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "API-M893d", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewAPIConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *APIConfigSecretHashUpdatedEvent {
+	return &APIConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}

apps/api/internal/repository/project/application.go

@@ -0,0 +1,264 @@
+package project
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	UniqueAppNameType          = "appname"
+	applicationEventTypePrefix = projectEventTypePrefix + "application."
+	ApplicationAddedType       = applicationEventTypePrefix + "added"
+	ApplicationChangedType     = applicationEventTypePrefix + "changed"
+	ApplicationDeactivatedType = applicationEventTypePrefix + "deactivated"
+	ApplicationReactivatedType = applicationEventTypePrefix + "reactivated"
+	ApplicationRemovedType     = applicationEventTypePrefix + "removed"
+)
+
+func NewAddApplicationUniqueConstraint(name, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID),
+		"Errors.Project.App.AlreadyExists")
+}
+
+func NewRemoveApplicationUniqueConstraint(name, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID))
+}
+
+type ApplicationAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+	Name  string `json:"name,omitempty"`
+}
+
+func (e *ApplicationAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddApplicationUniqueConstraint(e.Name, e.Aggregate().ID)}
+}
+
+func NewApplicationAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name string,
+) *ApplicationAddedEvent {
+	return &ApplicationAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationAddedType,
+		),
+		AppID: appID,
+		Name:  name,
+	}
+}
+
+func ApplicationAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "APPLICATION-Nffg2", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID   string `json:"appId,omitempty"`
+	Name    string `json:"name,omitempty"`
+	oldName string
+}
+
+func (e *ApplicationChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{
+		NewRemoveApplicationUniqueConstraint(e.oldName, e.Aggregate().ID),
+		NewAddApplicationUniqueConstraint(e.Name, e.Aggregate().ID),
+	}
+}
+
+func NewApplicationChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	oldName,
+	newName string,
+) *ApplicationChangedEvent {
+	return &ApplicationChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationChangedType,
+		),
+		AppID:   appID,
+		Name:    newName,
+		oldName: oldName,
+	}
+}
+
+func ApplicationChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "APPLICATION-9l0cs", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationDeactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationDeactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewApplicationDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationDeactivatedEvent {
+	return &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationDeactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationDeactivatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "APPLICATION-0p9fB", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationReactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationReactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewApplicationReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationReactivatedEvent {
+	return &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationReactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationReactivatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID    string `json:"appId,omitempty"`
+	name     string
+	entityID string
+}
+
+func (e *ApplicationRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	remove := []*eventstore.UniqueConstraint{NewRemoveApplicationUniqueConstraint(e.name, e.Aggregate().ID)}
+	if e.entityID != "" {
+		remove = append(remove, NewRemoveSAMLConfigEntityIDUniqueConstraint(e.entityID))
+	}
+	return remove
+}
+
+func NewApplicationRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name string,
+	entityID string,
+) *ApplicationRemovedEvent {
+	return &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationRemovedType,
+		),
+		AppID:    appID,
+		name:     name,
+		entityID: entityID,
+	}
+}
+
+func ApplicationRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}

apps/api/internal/repository/project/eventstore.go

@@ -0,0 +1,47 @@
+package project
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+func init() {
+	eventstore.RegisterFilterEventMapper(AggregateType, ProjectAddedType, ProjectAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ProjectChangedType, ProjectChangeEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ProjectDeactivatedType, ProjectDeactivatedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ProjectReactivatedType, ProjectReactivatedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ProjectRemovedType, ProjectRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, MemberAddedEventType, MemberAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, MemberChangedEventType, MemberChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, MemberRemovedEventType, MemberRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, MemberCascadeRemovedEventType, MemberCascadeRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, RoleAddedType, RoleAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, RoleChangedType, RoleChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, RoleRemovedType, RoleRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantAddedType, GrantAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantChangedType, GrantChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantCascadeChangedType, GrantCascadeChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantDeactivatedType, GrantDeactivateEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantReactivatedType, GrantReactivatedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantRemovedType, GrantRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantMemberAddedType, GrantMemberAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantMemberChangedType, GrantMemberChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantMemberRemovedType, GrantMemberRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, GrantMemberCascadeRemovedType, GrantMemberCascadeRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationAddedType, ApplicationAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationChangedType, ApplicationChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationRemovedType, ApplicationRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationDeactivatedType, ApplicationDeactivatedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationReactivatedType, ApplicationReactivatedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigAddedType, OIDCConfigAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigChangedType, OIDCConfigChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretChangedType, OIDCConfigSecretChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretHashUpdatedType, eventstore.GenericEventMapper[OIDCConfigSecretHashUpdatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigAddedType, APIConfigAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigChangedType, APIConfigChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretChangedType, APIConfigSecretChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretHashUpdatedType, eventstore.GenericEventMapper[APIConfigSecretHashUpdatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, SAMLConfigAddedType, SAMLConfigAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, SAMLConfigChangedType, SAMLConfigChangedEventMapper)
+}

apps/api/internal/repository/project/grant.go

@@ -0,0 +1,523 @@
+package project
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var (
+	UniqueGrantType         = "project_grant"
+	grantEventTypePrefix    = projectEventTypePrefix + "grant."
+	GrantAddedType          = grantEventTypePrefix + "added"
+	GrantChangedType        = grantEventTypePrefix + "changed"
+	GrantCascadeChangedType = grantEventTypePrefix + "cascade.changed"
+	GrantDeactivatedType    = grantEventTypePrefix + "deactivated"
+	GrantReactivatedType    = grantEventTypePrefix + "reactivated"
+	GrantRemovedType        = grantEventTypePrefix + "removed"
+
+	ProjectGrantSearchType              = "project_grant"
+	ProjectGrantGrantIDSearchField      = "grant_id"
+	ProjectGrantGrantedOrgIDSearchField = "granted_org_id"
+	ProjectGrantStateSearchField        = "state"
+	ProjectGrantRoleKeySearchField      = "role_key"
+	ProjectGrantObjectRevision          = uint8(1)
+)
+
+func NewAddProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueGrantType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID),
+		"Errors.Project.Grant.AlreadyExists")
+}
+
+func NewRemoveProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueGrantType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID))
+}
+
+type GrantAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string   `json:"grantId,omitempty"`
+	GrantedOrgID string   `json:"grantedOrgId,omitempty"`
+	RoleKeys     []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddProjectGrantUniqueConstraint(e.GrantedOrgID, e.Aggregate().ID)}
+}
+
+func (e *GrantAddedEvent) Fields() []*eventstore.FieldOperation {
+	fields := make([]*eventstore.FieldOperation, 0, len(e.RoleKeys)+3)
+	fields = append(fields,
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+			ProjectGrantGrantIDSearchField,
+			&eventstore.Value{
+				Value:       e.GrantID,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+			ProjectGrantGrantedOrgIDSearchField,
+			&eventstore.Value{
+				Value:       e.GrantedOrgID,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+			ProjectGrantStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectGrantStateActive,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	)
+
+	for _, roleKey := range e.RoleKeys {
+		fields = append(fields,
+			eventstore.SetField(
+				e.Aggregate(),
+				grantSearchObject(e.GrantID),
+				ProjectGrantRoleKeySearchField,
+				&eventstore.Value{
+					Value:       roleKey,
+					ShouldIndex: true,
+				},
+			),
+		)
+	}
+
+	return fields
+}
+
+func NewGrantAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID string,
+	roleKeys []string,
+) *GrantAddedEvent {
+	return &GrantAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantAddedType,
+		),
+		GrantID:      grantID,
+		GrantedOrgID: grantedOrgID,
+		RoleKeys:     roleKeys,
+	}
+}
+
+func GrantAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *GrantChangedEvent) Fields() []*eventstore.FieldOperation {
+	fields := make([]*eventstore.FieldOperation, 0, len(e.RoleKeys)+1)
+
+	fields = append(fields,
+		eventstore.RemoveSearchFieldsByAggregateAndObjectAndField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+
+			ProjectGrantRoleKeySearchField,
+		),
+	)
+
+	for _, roleKey := range e.RoleKeys {
+		fields = append(fields,
+			eventstore.SetField(
+				e.Aggregate(),
+				grantSearchObject(e.GrantID),
+
+				ProjectGrantRoleKeySearchField,
+
+				&eventstore.Value{
+					Value:       roleKey,
+					ShouldIndex: true,
+				},
+			),
+		)
+	}
+
+	return fields
+}
+
+func NewGrantChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantChangedEvent {
+	return &GrantChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantCascadeChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantCascadeChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantCascadeChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *GrantCascadeChangedEvent) Fields() []*eventstore.FieldOperation {
+	fields := make([]*eventstore.FieldOperation, 0, len(e.RoleKeys)+1)
+
+	fields = append(fields,
+		eventstore.RemoveSearchFieldsByAggregateAndObjectAndField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+
+			ProjectGrantRoleKeySearchField,
+		),
+	)
+
+	for _, roleKey := range e.RoleKeys {
+		fields = append(fields,
+			eventstore.SetField(
+				e.Aggregate(),
+				grantSearchObject(e.GrantID),
+
+				ProjectGrantRoleKeySearchField,
+				&eventstore.Value{
+					Value:       roleKey,
+					ShouldIndex: true,
+				},
+				eventstore.FieldTypeInstanceID,
+				eventstore.FieldTypeResourceOwner,
+				eventstore.FieldTypeAggregateType,
+				eventstore.FieldTypeAggregateID,
+				eventstore.FieldTypeObjectType,
+				eventstore.FieldTypeObjectID,
+				eventstore.FieldTypeFieldName,
+			),
+		)
+	}
+
+	return fields
+}
+
+func NewGrantCascadeChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantCascadeChangedEvent {
+	return &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantCascadeChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantCascadeChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantDeactivateEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantDeactivateEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantDeactivateEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *GrantDeactivateEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+
+			ProjectGrantStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectGrantStateInactive,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewGrantDeactivateEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantDeactivateEvent {
+	return &GrantDeactivateEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantDeactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantDeactivateEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantDeactivateEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantReactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantReactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *GrantReactivatedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+
+			ProjectGrantStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectGrantStateActive,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewGrantReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantReactivatedEvent {
+	return &GrantReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantReactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantReactivatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-78f7D", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string `json:"grantId,omitempty"`
+	grantedOrgID string
+}
+
+func (e *GrantRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewRemoveProjectGrantUniqueConstraint(e.grantedOrgID, e.Aggregate().ID)}
+}
+
+func (e *GrantRemovedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			grantSearchObject(e.GrantID),
+
+			ProjectGrantStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectGrantStateRemoved,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewGrantRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID string,
+) *GrantRemovedEvent {
+	return &GrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantRemovedType,
+		),
+		GrantID:      grantID,
+		grantedOrgID: grantedOrgID,
+	}
+}
+
+func GrantRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-28jM8", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+func grantSearchObject(id string) eventstore.Object {
+	return eventstore.Object{
+		Type:     ProjectGrantSearchType,
+		Revision: 1,
+		ID:       id,
+	}
+}

apps/api/internal/repository/project/grant_member.go

@@ -0,0 +1,218 @@
+package project
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/member"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var (
+	UniqueProjectGrantMemberType  = "project_grant_member"
+	GrantMemberAddedType          = grantEventTypePrefix + member.AddedEventType
+	GrantMemberChangedType        = grantEventTypePrefix + member.ChangedEventType
+	GrantMemberRemovedType        = grantEventTypePrefix + member.RemovedEventType
+	GrantMemberCascadeRemovedType = grantEventTypePrefix + member.CascadeRemovedEventType
+)
+
+func NewAddProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+		"Errors.Project.Member.AlreadyExists")
+}
+
+func NewRemoveProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+	)
+}
+
+type GrantMemberAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles   []string `json:"roles"`
+	UserID  string   `json:"userId"`
+	GrantID string   `json:"grantId"`
+}
+
+func (e *GrantMemberAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantMemberAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddProjectGrantMemberUniqueConstraint(e.Aggregate().ID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberAddedEvent {
+	return &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberAddedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+		Roles:   roles,
+	}
+}
+
+func GrantMemberAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-9f0sf", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles   []string `json:"roles"`
+	GrantID string   `json:"grantId"`
+	UserID  string   `json:"userId"`
+}
+
+func (e *GrantMemberChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantMemberChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewProjectGrantMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberChangedEvent {
+	return &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberChangedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+		Roles:   roles,
+	}
+}
+
+func GrantMemberChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-39fi8", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID  string `json:"userId"`
+	GrantID string `json:"grantId"`
+}
+
+func (e *GrantMemberRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantMemberRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewRemoveProjectGrantMemberUniqueConstraint(e.Aggregate().ID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+) *GrantMemberRemovedEvent {
+	return &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberRemovedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+	}
+}
+
+func GrantMemberRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-173fM", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberCascadeRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID  string `json:"userId"`
+	GrantID string `json:"grantId"`
+}
+
+func (e *GrantMemberCascadeRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *GrantMemberCascadeRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewRemoveProjectGrantMemberUniqueConstraint(e.Aggregate().ID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+) *GrantMemberCascadeRemovedEvent {
+	return &GrantMemberCascadeRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberCascadeRemovedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+	}
+}
+
+func GrantMemberCascadeRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &GrantMemberCascadeRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-3kfs3", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}

apps/api/internal/repository/project/key.go

@@ -0,0 +1,114 @@
+package project
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	applicationKeyEventPrefix      = applicationEventTypePrefix + "oidc.key."
+	ApplicationKeyAddedEventType   = applicationKeyEventPrefix + "added"
+	ApplicationKeyRemovedEventType = applicationKeyEventPrefix + "removed"
+)
+
+type ApplicationKeyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string              `json:"applicationId"`
+	ClientID       string              `json:"clientId,omitempty"`
+	KeyID          string              `json:"keyId,omitempty"`
+	KeyType        domain.AuthNKeyType `json:"type,omitempty"`
+	ExpirationDate time.Time           `json:"expirationDate,omitempty"`
+	PublicKey      []byte              `json:"publicKey,omitempty"`
+}
+
+func (e *ApplicationKeyAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID,
+	keyID string,
+	keyType domain.AuthNKeyType,
+	expirationDate time.Time,
+	publicKey []byte,
+) *ApplicationKeyAddedEvent {
+	return &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyAddedEventType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		KeyID:          keyID,
+		KeyType:        keyType,
+		ExpirationDate: expirationDate,
+		PublicKey:      publicKey,
+	}
+}
+
+func ApplicationKeyAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type ApplicationKeyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	KeyID string `json:"keyId,omitempty"`
+}
+
+func (e *ApplicationKeyRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	keyID string,
+) *ApplicationKeyRemovedEvent {
+	return &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyRemovedEventType,
+		),
+		KeyID: keyID,
+	}
+}
+
+func ApplicationKeyRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	applicationKeyRemoved := &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := event.Unmarshal(applicationKeyRemoved)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "USER-cjLeA", "unable to unmarshal application key removed")
+	}
+
+	return applicationKeyRemoved, nil
+}

apps/api/internal/repository/project/member.go

@@ -0,0 +1,162 @@
+package project
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedEventType          = projectEventTypePrefix + member.AddedEventType
+	MemberChangedEventType        = projectEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType        = projectEventTypePrefix + member.RemovedEventType
+	MemberCascadeRemovedEventType = projectEventTypePrefix + member.CascadeRemovedEventType
+)
+
+const (
+	fieldPrefix = "project"
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func (e *MemberAddedEvent) Fields() []*eventstore.FieldOperation {
+	return e.FieldOperations(fieldPrefix)
+}
+
+func NewProjectMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func (e *MemberChangedEvent) Fields() []*eventstore.FieldOperation {
+	return e.FieldOperations(fieldPrefix)
+}
+
+func NewProjectMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func (e *MemberRemovedEvent) Fields() []*eventstore.FieldOperation {
+	return e.FieldOperations(fieldPrefix)
+}
+
+func NewProjectMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
+
+type MemberCascadeRemovedEvent struct {
+	member.MemberCascadeRemovedEvent
+}
+
+func (e *MemberCascadeRemovedEvent) Fields() []*eventstore.FieldOperation {
+	return e.FieldOperations(fieldPrefix)
+}
+
+func NewProjectMemberCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberCascadeRemovedEvent {
+
+	return &MemberCascadeRemovedEvent{
+		MemberCascadeRemovedEvent: *member.NewCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberCascadeRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberCascadeRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e, err := member.CascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberCascadeRemovedEvent{MemberCascadeRemovedEvent: *e.(*member.MemberCascadeRemovedEvent)}, nil
+}

apps/api/internal/repository/project/oidc_config.go

@@ -0,0 +1,495 @@
+package project
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	OIDCConfigAddedType             = applicationEventTypePrefix + "config.oidc.added"
+	OIDCConfigChangedType           = applicationEventTypePrefix + "config.oidc.changed"
+	OIDCConfigSecretChangedType     = applicationEventTypePrefix + "config.oidc.secret.changed"
+	OIDCConfigSecretHashUpdatedType = applicationEventTypePrefix + "config.oidc.secret.updated"
+)
+
+type OIDCConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version  domain.OIDCVersion `json:"oidcVersion,omitempty"`
+	AppID    string             `json:"appId"`
+	ClientID string             `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
+	RedirectUris             []string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   []string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  bool                       `json:"devMode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clockSkew,omitempty"`
+	AdditionalOrigins        []string                   `json:"additionalOrigins,omitempty"`
+	SkipNativeAppSuccessPage bool                       `json:"skipNativeAppSuccessPage,omitempty"`
+	BackChannelLogoutURI     string                     `json:"backChannelLogoutURI,omitempty"`
+	LoginVersion             domain.LoginVersion        `json:"loginVersion,omitempty"`
+	LoginBaseURI             string                     `json:"loginBaseURI,omitempty"`
+}
+
+func (e *OIDCConfigAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	version domain.OIDCVersion,
+	appID string,
+	clientID string,
+	hashedSecret string,
+	redirectUris []string,
+	responseTypes []domain.OIDCResponseType,
+	grantTypes []domain.OIDCGrantType,
+	applicationType domain.OIDCApplicationType,
+	authMethodType domain.OIDCAuthMethodType,
+	postLogoutRedirectUris []string,
+	devMode bool,
+	accessTokenType domain.OIDCTokenType,
+	accessTokenRoleAssertion bool,
+	idTokenRoleAssertion bool,
+	idTokenUserinfoAssertion bool,
+	clockSkew time.Duration,
+	additionalOrigins []string,
+	skipNativeAppSuccessPage bool,
+	backChannelLogoutURI string,
+	loginVersion domain.LoginVersion,
+	loginBaseURI string,
+) *OIDCConfigAddedEvent {
+	return &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigAddedType,
+		),
+		Version:                  version,
+		AppID:                    appID,
+		ClientID:                 clientID,
+		HashedSecret:             hashedSecret,
+		RedirectUris:             redirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          applicationType,
+		AuthMethodType:           authMethodType,
+		PostLogoutRedirectUris:   postLogoutRedirectUris,
+		DevMode:                  devMode,
+		AccessTokenType:          accessTokenType,
+		AccessTokenRoleAssertion: accessTokenRoleAssertion,
+		IDTokenRoleAssertion:     idTokenRoleAssertion,
+		IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
+		ClockSkew:                clockSkew,
+		AdditionalOrigins:        additionalOrigins,
+		SkipNativeAppSuccessPage: skipNativeAppSuccessPage,
+		BackChannelLogoutURI:     backChannelLogoutURI,
+		LoginVersion:             loginVersion,
+		LoginBaseURI:             loginBaseURI,
+	}
+}
+
+func (e *OIDCConfigAddedEvent) Validate(cmd eventstore.Command) bool {
+	c, ok := cmd.(*OIDCConfigAddedEvent)
+	if !ok {
+		return false
+	}
+
+	if e.Version != c.Version {
+		return false
+	}
+	if e.AppID != c.AppID {
+		return false
+	}
+	if e.ClientID != c.ClientID {
+		return false
+	}
+	if e.ClientSecret != c.ClientSecret {
+		return false
+	}
+	if len(e.RedirectUris) != len(c.RedirectUris) {
+		return false
+	}
+	for i, uri := range e.RedirectUris {
+		if uri != c.RedirectUris[i] {
+			return false
+		}
+	}
+	if len(e.ResponseTypes) != len(c.ResponseTypes) {
+		return false
+	}
+	for i, typ := range e.ResponseTypes {
+		if typ != c.ResponseTypes[i] {
+			return false
+		}
+	}
+	if len(e.GrantTypes) != len(c.GrantTypes) {
+		return false
+	}
+	for i, typ := range e.GrantTypes {
+		if typ != c.GrantTypes[i] {
+			return false
+		}
+	}
+	if e.ApplicationType != c.ApplicationType {
+		return false
+	}
+	if e.AuthMethodType != c.AuthMethodType {
+		return false
+	}
+	if len(e.PostLogoutRedirectUris) != len(c.PostLogoutRedirectUris) {
+		return false
+	}
+	for i, uri := range e.PostLogoutRedirectUris {
+		if uri != c.PostLogoutRedirectUris[i] {
+			return false
+		}
+	}
+	if e.DevMode != c.DevMode {
+		return false
+	}
+	if e.AccessTokenType != c.AccessTokenType {
+		return false
+	}
+	if e.AccessTokenRoleAssertion != c.AccessTokenRoleAssertion {
+		return false
+	}
+	if e.IDTokenRoleAssertion != c.IDTokenRoleAssertion {
+		return false
+	}
+	if e.IDTokenUserinfoAssertion != c.IDTokenUserinfoAssertion {
+		return false
+	}
+	if e.ClockSkew != c.ClockSkew {
+		return false
+	}
+	if len(e.AdditionalOrigins) != len(c.AdditionalOrigins) {
+		return false
+	}
+	for i, origin := range e.AdditionalOrigins {
+		if origin != c.AdditionalOrigins[i] {
+			return false
+		}
+	}
+	if e.SkipNativeAppSuccessPage != c.SkipNativeAppSuccessPage {
+		return false
+	}
+	if e.BackChannelLogoutURI != c.BackChannelLogoutURI {
+		return false
+	}
+	if e.LoginVersion != c.LoginVersion {
+		return false
+	}
+	return e.LoginBaseURI == c.LoginBaseURI
+}
+
+func OIDCConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  *domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                      `json:"appId"`
+	RedirectUris             *[]string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            *[]domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               *[]domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          *domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           *domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   *[]string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  *bool                       `json:"devMode,omitempty"`
+	AccessTokenType          *domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion *bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     *bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion *bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                *time.Duration              `json:"clockSkew,omitempty"`
+	AdditionalOrigins        *[]string                   `json:"additionalOrigins,omitempty"`
+	SkipNativeAppSuccessPage *bool                       `json:"skipNativeAppSuccessPage,omitempty"`
+	BackChannelLogoutURI     *string                     `json:"backChannelLogoutURI,omitempty"`
+	LoginVersion             *domain.LoginVersion        `json:"loginVersion,omitempty"`
+	LoginBaseURI             *string                     `json:"loginBaseURI,omitempty"`
+}
+
+func (e *OIDCConfigChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []OIDCConfigChanges,
+) (*OIDCConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCConfigChanges func(event *OIDCConfigChangedEvent)
+
+func ChangeVersion(version domain.OIDCVersion) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Version = &version
+	}
+}
+
+func ChangeRedirectURIs(uris []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		if uris == nil {
+			// explicitly set them to empty so we can differentiate "not set" in the event in case of no changes
+			uris = make([]string, 0)
+		}
+		e.RedirectUris = &uris
+	}
+}
+
+func ChangeResponseTypes(responseTypes []domain.OIDCResponseType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ResponseTypes = &responseTypes
+	}
+}
+
+func ChangeGrantTypes(grantTypes []domain.OIDCGrantType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.GrantTypes = &grantTypes
+	}
+}
+
+func ChangeApplicationType(appType domain.OIDCApplicationType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ApplicationType = &appType
+	}
+}
+
+func ChangeAuthMethodType(authMethodType domain.OIDCAuthMethodType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func ChangePostLogoutRedirectURIs(logoutRedirects []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		if logoutRedirects == nil {
+			// explicitly set them to empty so we can differentiate "not set" in the event in case of no changes
+			logoutRedirects = make([]string, 0)
+		}
+		e.PostLogoutRedirectUris = &logoutRedirects
+	}
+}
+
+func ChangeDevMode(devMode bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.DevMode = &devMode
+	}
+}
+
+func ChangeAccessTokenType(accessTokenType domain.OIDCTokenType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenType = &accessTokenType
+	}
+}
+
+func ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenRoleAssertion = &accessTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenRoleAssertion(idTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenRoleAssertion = &idTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenUserinfoAssertion = &idTokenUserinfoAssertion
+	}
+}
+
+func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClockSkew = &clockSkew
+	}
+}
+
+func ChangeAdditionalOrigins(additionalOrigins []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		if additionalOrigins == nil {
+			// explicitly set them to empty so we can differentiate "not set" in the event in case of no changes
+			additionalOrigins = make([]string, 0)
+		}
+		e.AdditionalOrigins = &additionalOrigins
+	}
+}
+
+func ChangeSkipNativeAppSuccessPage(skipNativeAppSuccessPage bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.SkipNativeAppSuccessPage = &skipNativeAppSuccessPage
+	}
+}
+
+func ChangeBackChannelLogoutURI(backChannelLogoutURI string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.BackChannelLogoutURI = &backChannelLogoutURI
+	}
+}
+
+func ChangeOIDCLoginVersion(loginVersion domain.LoginVersion) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.LoginVersion = &loginVersion
+	}
+}
+
+func ChangeOIDCLoginBaseURI(loginBaseURI string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.LoginBaseURI = &loginBaseURI
+	}
+}
+
+func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+}
+
+func (e *OIDCConfigSecretChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *OIDCConfigSecretChangedEvent {
+	return &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretChangedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func OIDCConfigSecretChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "OIDC-M893d", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewOIDCConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *OIDCConfigSecretHashUpdatedEvent {
+	return &OIDCConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}

apps/api/internal/repository/project/project.go

@@ -0,0 +1,403 @@
+package project
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	UniqueProjectnameType  = "project_names"
+	projectEventTypePrefix = eventstore.EventType("project.")
+	ProjectAddedType       = projectEventTypePrefix + "added"
+	ProjectChangedType     = projectEventTypePrefix + "changed"
+	ProjectDeactivatedType = projectEventTypePrefix + "deactivated"
+	ProjectReactivatedType = projectEventTypePrefix + "reactivated"
+	ProjectRemovedType     = projectEventTypePrefix + "removed"
+	ProjectOwnerCorrected  = projectEventTypePrefix + "owner.corrected"
+
+	ProjectSearchType       = "project"
+	ProjectObjectRevision   = uint8(1)
+	ProjectNameSearchField  = "name"
+	ProjectStateSearchField = "state"
+)
+
+func NewAddProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner,
+		"Errors.Project.AlreadyExists")
+}
+
+func NewRemoveProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner)
+}
+
+type ProjectAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                   string                        `json:"name,omitempty"`
+	ProjectRoleAssertion   bool                          `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck       bool                          `json:"projectRoleCheck,omitempty"`
+	HasProjectCheck        bool                          `json:"hasProjectCheck,omitempty"`
+	PrivateLabelingSetting domain.PrivateLabelingSetting `json:"privateLabelingSetting,omitempty"`
+}
+
+func (e *ProjectAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ProjectAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func (e *ProjectAddedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			projectSearchObject(e.Aggregate().ID),
+			ProjectNameSearchField,
+			&eventstore.Value{
+				Value:       e.Name,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeObjectRevision,
+			eventstore.FieldTypeFieldName,
+		),
+		eventstore.SetField(
+			e.Aggregate(),
+			projectSearchObject(e.Aggregate().ID),
+			ProjectStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectStateActive,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeObjectRevision,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewProjectAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+	projectRoleAssertion,
+	projectRoleCheck,
+	hasProjectCheck bool,
+	privateLabelingSetting domain.PrivateLabelingSetting,
+) *ProjectAddedEvent {
+	return &ProjectAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectAddedType,
+		),
+		Name:                   name,
+		ProjectRoleAssertion:   projectRoleAssertion,
+		ProjectRoleCheck:       projectRoleCheck,
+		HasProjectCheck:        hasProjectCheck,
+		PrivateLabelingSetting: privateLabelingSetting,
+	}
+}
+
+func ProjectAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ProjectAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-Bfg2f", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectChangeEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                   *string                        `json:"name,omitempty"`
+	ProjectRoleAssertion   *bool                          `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck       *bool                          `json:"projectRoleCheck,omitempty"`
+	HasProjectCheck        *bool                          `json:"hasProjectCheck,omitempty"`
+	PrivateLabelingSetting *domain.PrivateLabelingSetting `json:"privateLabelingSetting,omitempty"`
+	oldName                string
+}
+
+func (e *ProjectChangeEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ProjectChangeEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	if e.Name != nil {
+		return []*eventstore.UniqueConstraint{
+			NewRemoveProjectNameUniqueConstraint(e.oldName, e.Aggregate().ResourceOwner),
+			NewAddProjectNameUniqueConstraint(*e.Name, e.Aggregate().ResourceOwner),
+		}
+	}
+	return nil
+}
+
+func (e *ProjectChangeEvent) Fields() []*eventstore.FieldOperation {
+	if e.Name == nil {
+		return nil
+	}
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			projectSearchObject(e.Aggregate().ID),
+			ProjectNameSearchField,
+			&eventstore.Value{
+				Value:       *e.Name,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewProjectChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	oldName string,
+	changes []ProjectChanges,
+) *ProjectChangeEvent {
+	changeEvent := &ProjectChangeEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectChangedType,
+		),
+		oldName: oldName,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent
+}
+
+type ProjectChanges func(event *ProjectChangeEvent)
+
+func ChangeName(name string) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeProjectRoleAssertion(projectRoleAssertion bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleAssertion = &projectRoleAssertion
+	}
+}
+
+func ChangeProjectRoleCheck(projectRoleCheck bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleCheck = &projectRoleCheck
+	}
+}
+
+func ChangeHasProjectCheck(ChangeHasProjectCheck bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.HasProjectCheck = &ChangeHasProjectCheck
+	}
+}
+
+func ChangePrivateLabelingSetting(ChangePrivateLabelingSetting domain.PrivateLabelingSetting) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.PrivateLabelingSetting = &ChangePrivateLabelingSetting
+	}
+}
+
+func ProjectChangeEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &ProjectChangeEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-M9osd", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectDeactivatedEvent) Payload() interface{} {
+	return nil
+}
+
+func (e *ProjectDeactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *ProjectDeactivatedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			projectSearchObject(e.Aggregate().ID),
+			ProjectStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectStateInactive,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewProjectDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectDeactivatedEvent {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectDeactivatedType,
+		),
+	}
+}
+
+func ProjectDeactivatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectReactivatedEvent) Payload() interface{} {
+	return nil
+}
+
+func (e *ProjectReactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *ProjectReactivatedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			projectSearchObject(e.Aggregate().ID),
+			ProjectStateSearchField,
+			&eventstore.Value{
+				Value:       domain.ProjectStateRemoved,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewProjectReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectReactivatedEvent {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectReactivatedType,
+		),
+	}
+}
+
+func ProjectReactivatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                     string
+	entityIDUniqueContraints []*eventstore.UniqueConstraint
+}
+
+func (e *ProjectRemovedEvent) Payload() interface{} {
+	return nil
+}
+
+func (e *ProjectRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	constraints := []*eventstore.UniqueConstraint{NewRemoveProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+	if e.entityIDUniqueContraints != nil {
+		for _, constraint := range e.entityIDUniqueContraints {
+			constraints = append(constraints, constraint)
+		}
+	}
+	return constraints
+}
+
+func (e *ProjectRemovedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.RemoveSearchFieldsByAggregate(e.Aggregate()),
+	}
+}
+
+func NewProjectRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+	entityIDUniqueContraints []*eventstore.UniqueConstraint,
+) *ProjectRemovedEvent {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectRemovedType,
+		),
+		Name:                     name,
+		entityIDUniqueContraints: entityIDUniqueContraints,
+	}
+}
+
+func ProjectRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+func projectSearchObject(id string) eventstore.Object {
+	return eventstore.Object{
+		Type:     ProjectSearchType,
+		Revision: ProjectObjectRevision,
+		ID:       id,
+	}
+}

apps/api/internal/repository/project/role.go

@@ -0,0 +1,310 @@
+package project
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	UniqueRoleType      = "project_role"
+	roleEventTypePrefix = projectEventTypePrefix + "role."
+	RoleAddedType       = roleEventTypePrefix + "added"
+	RoleChangedType     = roleEventTypePrefix + "changed"
+	RoleRemovedType     = roleEventTypePrefix + "removed"
+
+	ProjectRoleSearchType             = "project_role"
+	ProjectRoleRevision               = uint8(1)
+	ProjectRoleKeySearchField         = "key"
+	ProjectRoleDisplayNameSearchField = "display_name"
+	ProjectRoleGroupSearchField       = "group"
+)
+
+func NewAddProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID),
+		"Errors.Project.Role.AlreadyExists")
+}
+
+func NewRemoveProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID))
+}
+
+type RoleAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string `json:"key,omitempty"`
+	DisplayName string `json:"displayName,omitempty"`
+	Group       string `json:"group,omitempty"`
+}
+
+func (e *RoleAddedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *RoleAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddProjectRoleUniqueConstraint(e.Key, e.Aggregate().ID)}
+}
+
+func (e *RoleAddedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.SetField(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+			ProjectRoleKeySearchField,
+			&eventstore.Value{
+				Value:       e.Key,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+		eventstore.SetField(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+			ProjectRoleDisplayNameSearchField,
+			&eventstore.Value{
+				Value:       e.DisplayName,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+		eventstore.SetField(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+			ProjectRoleGroupSearchField,
+			&eventstore.Value{
+				Value:       e.Group,
+				ShouldIndex: true,
+			},
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		),
+	}
+}
+
+func NewRoleAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key,
+	displayName,
+	group string,
+) *RoleAddedEvent {
+	return &RoleAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleAddedType,
+		),
+		Key:         key,
+		DisplayName: displayName,
+		Group:       group,
+	}
+}
+
+func RoleAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &RoleAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-2M0xy", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string  `json:"key,omitempty"`
+	DisplayName *string `json:"displayName,omitempty"`
+	Group       *string `json:"group,omitempty"`
+}
+
+func (e *RoleChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *RoleChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *RoleChangedEvent) Fields() []*eventstore.FieldOperation {
+	operations := make([]*eventstore.FieldOperation, 0, 2)
+	if e.DisplayName != nil {
+		operations = append(operations, eventstore.SetField(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+			ProjectRoleDisplayNameSearchField,
+			&eventstore.Value{
+				Value:       *e.DisplayName,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		))
+	}
+	if e.Group != nil {
+		operations = append(operations, eventstore.SetField(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+			ProjectRoleGroupSearchField,
+			&eventstore.Value{
+				Value:       *e.Group,
+				ShouldIndex: true,
+			},
+
+			eventstore.FieldTypeInstanceID,
+			eventstore.FieldTypeResourceOwner,
+			eventstore.FieldTypeAggregateType,
+			eventstore.FieldTypeAggregateID,
+			eventstore.FieldTypeObjectType,
+			eventstore.FieldTypeObjectID,
+			eventstore.FieldTypeFieldName,
+		))
+	}
+
+	return operations
+}
+
+func NewRoleChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key string,
+	changes []RoleChanges,
+) (*RoleChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-eR9vx", "Errors.NoChangesFound")
+	}
+	changeEvent := &RoleChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleChangedType,
+		),
+		Key: key,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type RoleChanges func(event *RoleChangedEvent)
+
+func ChangeKey(key string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Key = key
+	}
+}
+
+func ChangeDisplayName(displayName string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.DisplayName = &displayName
+	}
+}
+
+func ChangeGroup(group string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Group = &group
+	}
+}
+func RoleChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &RoleChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-3M0vx", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key string `json:"key,omitempty"`
+}
+
+func (e *RoleRemovedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *RoleRemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewRemoveProjectRoleUniqueConstraint(e.Key, e.Aggregate().ID)}
+}
+
+func (e *RoleRemovedEvent) Fields() []*eventstore.FieldOperation {
+	return []*eventstore.FieldOperation{
+		eventstore.RemoveSearchFieldsByAggregateAndObject(
+			e.Aggregate(),
+			projectRoleSearchObject(e.Key),
+		),
+	}
+}
+
+func NewRoleRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key string) *RoleRemovedEvent {
+	return &RoleRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleRemovedType,
+		),
+		Key: key,
+	}
+}
+
+func RoleRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &RoleRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "PROJECT-1M0xs", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+func projectRoleSearchObject(id string) eventstore.Object {
+	return eventstore.Object{
+		Type:     ProjectRoleSearchType,
+		Revision: ProjectRoleRevision,
+		ID:       id,
+	}
+}

apps/api/internal/repository/project/saml_config.go

@@ -0,0 +1,181 @@
+package project
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	UniqueEntityIDType    = "entity_ids"
+	SAMLConfigAddedType   = applicationEventTypePrefix + "config.saml.added"
+	SAMLConfigChangedType = applicationEventTypePrefix + "config.saml.changed"
+)
+
+type SAMLConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string              `json:"appId"`
+	EntityID     string              `json:"entityId"`
+	Metadata     []byte              `json:"metadata,omitempty"`
+	MetadataURL  string              `json:"metadata_url,omitempty"`
+	LoginVersion domain.LoginVersion `json:"loginVersion,omitempty"`
+	LoginBaseURI string              `json:"loginBaseURI,omitempty"`
+}
+
+func (e *SAMLConfigAddedEvent) Payload() interface{} {
+	return e
+}
+
+func NewAddSAMLConfigEntityIDUniqueConstraint(entityID string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueEntityIDType,
+		entityID,
+		"Errors.Project.App.SAMLEntityIDAlreadyExists")
+}
+
+func NewRemoveSAMLConfigEntityIDUniqueConstraint(entityID string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		UniqueEntityIDType,
+		entityID)
+}
+
+func (e *SAMLConfigAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddSAMLConfigEntityIDUniqueConstraint(e.EntityID)}
+}
+
+func NewSAMLConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	entityID string,
+	metadata []byte,
+	metadataURL string,
+	loginVersion domain.LoginVersion,
+	loginBaseURI string,
+) *SAMLConfigAddedEvent {
+	return &SAMLConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SAMLConfigAddedType,
+		),
+		AppID:        appID,
+		EntityID:     entityID,
+		Metadata:     metadata,
+		MetadataURL:  metadataURL,
+		LoginVersion: loginVersion,
+		LoginBaseURI: loginBaseURI,
+	}
+}
+
+func SAMLConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &SAMLConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "SAML-BDd15", "unable to unmarshal saml config")
+	}
+
+	return e, nil
+}
+
+type SAMLConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string               `json:"appId"`
+	EntityID     string               `json:"entityId"`
+	Metadata     []byte               `json:"metadata,omitempty"`
+	MetadataURL  *string              `json:"metadata_url,omitempty"`
+	LoginVersion *domain.LoginVersion `json:"loginVersion,omitempty"`
+	LoginBaseURI *string              `json:"loginBaseURI,omitempty"`
+	oldEntityID  string
+}
+
+func (e *SAMLConfigChangedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *SAMLConfigChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	if e.EntityID != "" {
+		return []*eventstore.UniqueConstraint{
+			NewRemoveSAMLConfigEntityIDUniqueConstraint(e.oldEntityID),
+			NewAddSAMLConfigEntityIDUniqueConstraint(e.EntityID),
+		}
+	}
+	return nil
+}
+
+func NewSAMLConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	oldEntityID string,
+	changes []SAMLConfigChanges,
+) (*SAMLConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "SAML-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &SAMLConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SAMLConfigChangedType,
+		),
+		AppID:       appID,
+		oldEntityID: oldEntityID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type SAMLConfigChanges func(event *SAMLConfigChangedEvent)
+
+func ChangeMetadata(metadata []byte) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.Metadata = metadata
+	}
+}
+
+func ChangeMetadataURL(metadataURL string) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.MetadataURL = &metadataURL
+	}
+}
+
+func ChangeEntityID(entityID string) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.EntityID = entityID
+	}
+}
+
+func ChangeSAMLLoginVersion(loginVersion domain.LoginVersion) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.LoginVersion = &loginVersion
+	}
+}
+func ChangeSAMLLoginBaseURI(loginBaseURI string) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.LoginBaseURI = &loginBaseURI
+	}
+}
+
+func SAMLConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	e := &SAMLConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := event.Unmarshal(e)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "SAML-BFd15", "unable to unmarshal saml config")
+	}
+
+	return e, nil
+}