fix: move v2 pkgs (#1331)

* fix: move eventstore pkgs * fix: move eventstore pkgs * fix: remove v2 view * fix: remove v2 view
2025-08-11 19:17:32 +00:00 · 2021-02-23 15:13:04 +01:00
parent 57b277bc7c
commit d8e42744b4
797 changed files with 2116 additions and 2224 deletions
--- a/internal/repository/project/aggregate.go
+++ b/internal/repository/project/aggregate.go
@@ -0,0 +1,14 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "project"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/project/api_config.go
+++ b/internal/repository/project/api_config.go
@@ -0,0 +1,261 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	APIConfigAddedType                = applicationEventTypePrefix + "config.api.added"
+	APIConfigChangedType              = applicationEventTypePrefix + "config.api.changed"
+	APIConfigSecretChangedType        = applicationEventTypePrefix + "config.api.secret.changed"
+	APIClientSecretCheckSucceededType = applicationEventTypePrefix + "api.secret.check.succeeded"
+	APIClientSecretCheckFailedType    = applicationEventTypePrefix + "api.secret.check.failed"
+)
+
+type APIConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string                   `json:"appId"`
+	ClientID       string                   `json:"clientId,omitempty"`
+	ClientSecret   *crypto.CryptoValue      `json:"clientSecret,omitempty"`
+	AuthMethodType domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	authMethodType domain.APIAuthMethodType,
+) *APIConfigAddedEvent {
+	return &APIConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigAddedType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		ClientSecret:   clientSecret,
+		AuthMethodType: authMethodType,
+	}
+}
+
+func APIConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string                    `json:"appId"`
+	ClientSecret   *crypto.CryptoValue       `json:"clientSecret,omitempty"`
+	AuthMethodType *domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []APIConfigChanges,
+) (*APIConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "API-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type APIConfigChanges func(event *APIConfigChangedEvent)
+
+func ChangeAPIAuthMethodType(authMethodType domain.APIAuthMethodType) func(event *APIConfigChangedEvent) {
+	return func(e *APIConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func APIConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string              `json:"appId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+}
+
+func (e *APIConfigSecretChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	clientSecret *crypto.CryptoValue,
+) *APIConfigSecretChangedEvent {
+	return &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretChangedType,
+		),
+		AppID:        appID,
+		ClientSecret: clientSecret,
+	}
+}
+
+func APIConfigSecretChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-M893d", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *APIConfigSecretCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *APIConfigSecretCheckSucceededEvent {
+	return &APIConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIClientSecretCheckSucceededType,
+		),
+		AppID: appID,
+	}
+}
+
+func APIConfigSecretCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-837gV", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *APIConfigSecretCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *APIConfigSecretCheckFailedEvent {
+	return &APIConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIClientSecretCheckFailedType,
+		),
+		AppID: appID,
+	}
+}
+
+func APIConfigSecretCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-987g%", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/application.go
+++ b/internal/repository/project/application.go
@@ -0,0 +1,268 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueAppNameType          = "appname"
+	applicationEventTypePrefix = projectEventTypePrefix + "application."
+	ApplicationAddedType       = applicationEventTypePrefix + "added"
+	ApplicationChangedType     = applicationEventTypePrefix + "changed"
+	ApplicationDeactivatedType = applicationEventTypePrefix + "deactivated"
+	ApplicationReactivatedType = applicationEventTypePrefix + "reactivated"
+	ApplicationRemovedType     = applicationEventTypePrefix + "removed"
+)
+
+func NewAddApplicationUniqueConstraint(name, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID),
+		"Errors.Project.App.AlreadyExists")
+}
+
+func NewRemoveApplicationUniqueConstraint(name, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID))
+}
+
+type ApplicationAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	Name      string `json:"name,omitempty"`
+	projectID string
+}
+
+func (e *ApplicationAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddApplicationUniqueConstraint(e.Name, e.projectID)}
+}
+
+func NewApplicationAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name,
+	projectID string,
+) *ApplicationAddedEvent {
+	return &ApplicationAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationAddedType,
+		),
+		AppID:     appID,
+		Name:      name,
+		projectID: projectID,
+	}
+}
+
+func ApplicationAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-Nffg2", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	Name      string `json:"name,omitempty"`
+	oldName   string
+	projectID string
+}
+
+func (e *ApplicationChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveApplicationUniqueConstraint(e.oldName, e.projectID),
+		NewAddApplicationUniqueConstraint(e.Name, e.projectID),
+	}
+}
+
+func NewApplicationChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	oldName,
+	newName,
+	projectID string,
+) *ApplicationChangedEvent {
+	return &ApplicationChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationChangedType,
+		),
+		AppID:     appID,
+		Name:      newName,
+		oldName:   oldName,
+		projectID: projectID,
+	}
+}
+
+func ApplicationChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-9l0cs", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationDeactivatedEvent {
+	return &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationDeactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-0p9fB", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationReactivatedEvent {
+	return &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationReactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	name      string
+	projectID string
+}
+
+func (e *ApplicationRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveApplicationUniqueConstraint(e.name, e.projectID)}
+}
+
+func NewApplicationRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name,
+	projectID string,
+) *ApplicationRemovedEvent {
+	return &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationRemovedType,
+		),
+		AppID:     appID,
+		name:      name,
+		projectID: projectID,
+	}
+}
+
+func ApplicationRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/eventstore.go
+++ b/internal/repository/project/eventstore.go
@@ -0,0 +1,43 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(ProjectAddedType, ProjectAddedEventMapper).
+		RegisterFilterEventMapper(ProjectChangedType, ProjectChangeEventMapper).
+		RegisterFilterEventMapper(ProjectDeactivatedType, ProjectDeactivatedEventMapper).
+		RegisterFilterEventMapper(ProjectReactivatedType, ProjectReactivatedEventMapper).
+		RegisterFilterEventMapper(ProjectRemovedType, ProjectRemovedEventMapper).
+		RegisterFilterEventMapper(MemberAddedType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(RoleAddedType, RoleAddedEventMapper).
+		RegisterFilterEventMapper(RoleChangedType, RoleChangedEventMapper).
+		RegisterFilterEventMapper(RoleRemovedType, RoleRemovedEventMapper).
+		RegisterFilterEventMapper(GrantAddedType, GrantAddedEventMapper).
+		RegisterFilterEventMapper(GrantChangedType, GrantChangedEventMapper).
+		RegisterFilterEventMapper(GrantCascadeChangedType, GrantCascadeChangedEventMapper).
+		RegisterFilterEventMapper(GrantDeactivatedType, GrantDeactivateEventMapper).
+		RegisterFilterEventMapper(GrantReactivatedType, GrantReactivatedEventMapper).
+		RegisterFilterEventMapper(GrantRemovedType, GrantRemovedEventMapper).
+		RegisterFilterEventMapper(GrantMemberAddedType, GrantMemberAddedEventMapper).
+		RegisterFilterEventMapper(GrantMemberChangedType, GrantMemberChangedEventMapper).
+		RegisterFilterEventMapper(GrantMemberRemovedType, GrantMemberRemovedEventMapper).
+		RegisterFilterEventMapper(ApplicationAddedType, ApplicationAddedEventMapper).
+		RegisterFilterEventMapper(ApplicationChangedType, ApplicationChangedEventMapper).
+		RegisterFilterEventMapper(ApplicationRemovedType, ApplicationRemovedEventMapper).
+		RegisterFilterEventMapper(ApplicationDeactivatedType, ApplicationDeactivatedEventMapper).
+		RegisterFilterEventMapper(ApplicationReactivatedType, ApplicationReactivatedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigAddedType, OIDCConfigAddedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigChangedType, OIDCConfigChangedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigSecretChangedType, OIDCConfigSecretChangedEventMapper).
+		RegisterFilterEventMapper(OIDCClientSecretCheckSucceededType, OIDCConfigSecretCheckSucceededEventMapper).
+		RegisterFilterEventMapper(OIDCClientSecretCheckFailedType, OIDCConfigSecretCheckFailedEventMapper).
+		RegisterFilterEventMapper(APIConfigAddedType, APIConfigAddedEventMapper).
+		RegisterFilterEventMapper(APIConfigChangedType, APIConfigChangedEventMapper).
+		RegisterFilterEventMapper(APIConfigSecretChangedType, APIConfigSecretChangedEventMapper).
+		RegisterFilterEventMapper(ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper).
+		RegisterFilterEventMapper(ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
+}
--- a/internal/repository/project/grant.go
+++ b/internal/repository/project/grant.go
@@ -0,0 +1,308 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+var (
+	UniqueGrantType         = "project_grant"
+	grantEventTypePrefix    = projectEventTypePrefix + "grant."
+	GrantAddedType          = grantEventTypePrefix + "added"
+	GrantChangedType        = grantEventTypePrefix + "changed"
+	GrantCascadeChangedType = grantEventTypePrefix + "cascade.changed"
+	GrantDeactivatedType    = grantEventTypePrefix + "deactivated"
+	GrantReactivatedType    = grantEventTypePrefix + "reactivated"
+	GrantRemovedType        = grantEventTypePrefix + "removed"
+)
+
+func NewAddProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID),
+		"Errors.Project.Grant.AlreadyExists")
+}
+
+func NewRemoveProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID))
+}
+
+type GrantAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string   `json:"grantId,omitempty"`
+	GrantedOrgID string   `json:"grantedOrgId,omitempty"`
+	RoleKeys     []string `json:"roleKeys,omitempty"`
+	projectID    string
+}
+
+func (e *GrantAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectGrantUniqueConstraint(e.GrantedOrgID, e.projectID)}
+}
+
+func NewGrantAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID,
+	projectID string,
+	roleKeys []string,
+) *GrantAddedEvent {
+	return &GrantAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantAddedType,
+		),
+		GrantID:      grantID,
+		GrantedOrgID: grantedOrgID,
+		RoleKeys:     roleKeys,
+		projectID:    projectID,
+	}
+}
+
+func GrantAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantChangedEvent {
+	return &GrantChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantCascadeChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantCascadeChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantCascadeChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantCascadeChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantCascadeChangedEvent {
+	return &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantCascadeChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantCascadeChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantDeactivateEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantDeactivateEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantDeactivateEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantDeactivateEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantDeactivateEvent {
+	return &GrantDeactivateEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantDeactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantDeactivateEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantDeactivateEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantReactivatedEvent {
+	return &GrantReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantReactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-78f7D", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string `json:"grantId,omitempty"`
+	grantedOrgID string
+	projectID    string
+}
+
+func (e *GrantRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectGrantUniqueConstraint(e.grantedOrgID, e.projectID)}
+}
+
+func NewGrantRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID,
+	projectID string,
+) *GrantRemovedEvent {
+	return &GrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantRemovedType,
+		),
+		GrantID:      grantID,
+		projectID:    projectID,
+		grantedOrgID: grantedOrgID,
+	}
+}
+
+func GrantRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-28jM8", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/grant_member.go
+++ b/internal/repository/project/grant_member.go
@@ -0,0 +1,180 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	UniqueProjectGrantMemberType = "project_grant_member"
+	GrantMemberAddedType         = grantEventTypePrefix + member.AddedEventType
+	GrantMemberChangedType       = grantEventTypePrefix + member.ChangedEventType
+	GrantMemberRemovedType       = grantEventTypePrefix + member.RemovedEventType
+)
+
+func NewAddProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+		"Errors.Project.Member.AlreadyExists")
+}
+
+func NewRemoveProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+	)
+}
+
+type GrantMemberAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles     []string `json:"roles"`
+	UserID    string   `json:"userId"`
+	GrantID   string   `json:"grantId"`
+	projectID string
+}
+
+func (e *GrantMemberAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectGrantMemberUniqueConstraint(e.projectID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberAddedEvent {
+	return &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberAddedType,
+		),
+		projectID: projectID,
+		UserID:    userID,
+		GrantID:   grantID,
+		Roles:     roles,
+	}
+}
+
+func GrantMemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9f0sf", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles   []string `json:"roles"`
+	GrantID string   `json:"grantId"`
+	UserID  string   `json:"userId"`
+}
+
+func (e *GrantMemberChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectGrantMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberChangedEvent {
+	return &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberAddedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+		Roles:   roles,
+	}
+}
+
+func GrantMemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-39fi8", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID    string `json:"userId"`
+	GrantID   string `json:"grantId"`
+	projectID string
+}
+
+func (e *GrantMemberRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectGrantMemberUniqueConstraint(e.projectID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID,
+	userID,
+	grantID string,
+) *GrantMemberRemovedEvent {
+	return &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberRemovedType,
+		),
+		UserID:    userID,
+		GrantID:   grantID,
+		projectID: projectID,
+	}
+}
+
+func GrantMemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-173fM", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/key.go
+++ b/internal/repository/project/key.go
@@ -0,0 +1,116 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	applicationKeyEventPrefix      = applicationEventTypePrefix + "oidc.key."
+	ApplicationKeyAddedEventType   = applicationKeyEventPrefix + "added"
+	ApplicationKeyRemovedEventType = applicationKeyEventPrefix + "removed"
+)
+
+type ApplicationKeyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string              `json:"applicationId"`
+	ClientID       string              `json:"clientId,omitempty"`
+	KeyID          string              `json:"keyId,omitempty"`
+	KeyType        domain.AuthNKeyType `json:"type,omitempty"`
+	ExpirationDate time.Time           `json:"expirationDate,omitempty"`
+	PublicKey      []byte              `json:"publicKey,omitempty"`
+}
+
+func (e *ApplicationKeyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID,
+	keyID string,
+	keyType domain.AuthNKeyType,
+	expirationDate time.Time,
+	publicKey []byte,
+) *ApplicationKeyAddedEvent {
+	return &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyAddedEventType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		KeyID:          keyID,
+		KeyType:        keyType,
+		ExpirationDate: expirationDate,
+		PublicKey:      publicKey,
+	}
+}
+
+func ApplicationKeyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type ApplicationKeyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	KeyID string `json:"keyId,omitempty"`
+}
+
+func (e *ApplicationKeyRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	keyID string,
+) *ApplicationKeyRemovedEvent {
+	return &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyRemovedEventType,
+		),
+		KeyID: keyID,
+	}
+}
+
+func ApplicationKeyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	applicationKeyRemoved := &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, applicationKeyRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm9s", "unable to unmarshal application key removed")
+	}
+
+	return applicationKeyRemoved, nil
+}
--- a/internal/repository/project/member.go
+++ b/internal/repository/project/member.go
@@ -0,0 +1,111 @@
+package project
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedType   = projectEventTypePrefix + member.AddedEventType
+	MemberChangedType = projectEventTypePrefix + member.ChangedEventType
+	MemberRemovedType = projectEventTypePrefix + member.RemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewProjectMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewProjectMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewProjectMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
--- a/internal/repository/project/oidc_config.go
+++ b/internal/repository/project/oidc_config.go
@@ -0,0 +1,381 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	OIDCConfigAddedType                = applicationEventTypePrefix + "config.oidc.added"
+	OIDCConfigChangedType              = applicationEventTypePrefix + "config.oidc.changed"
+	OIDCConfigSecretChangedType        = applicationEventTypePrefix + "config.oidc.secret.changed"
+	OIDCClientSecretCheckSucceededType = applicationEventTypePrefix + "oidc.secret.check.succeeded"
+	OIDCClientSecretCheckFailedType    = applicationEventTypePrefix + "oidc.secret.check.failed"
+)
+
+type OIDCConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                     `json:"appId"`
+	ClientID                 string                     `json:"clientId,omitempty"`
+	ClientSecret             *crypto.CryptoValue        `json:"clientSecret,omitempty"`
+	RedirectUris             []string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   []string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  bool                       `json:"devMode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clockSkew,omitempty"`
+}
+
+func (e *OIDCConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	version domain.OIDCVersion,
+	appID string,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	redirectUris []string,
+	responseTypes []domain.OIDCResponseType,
+	grantTypes []domain.OIDCGrantType,
+	applicationType domain.OIDCApplicationType,
+	authMethodType domain.OIDCAuthMethodType,
+	postLogoutRedirectUris []string,
+	devMode bool,
+	accessTokenType domain.OIDCTokenType,
+	accessTokenRoleAssertion bool,
+	idTokenRoleAssertion bool,
+	idTokenUserinfoAssertion bool,
+	clockSkew time.Duration,
+) *OIDCConfigAddedEvent {
+	return &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigAddedType,
+		),
+		Version:                  version,
+		AppID:                    appID,
+		ClientID:                 clientID,
+		ClientSecret:             clientSecret,
+		RedirectUris:             redirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          applicationType,
+		AuthMethodType:           authMethodType,
+		PostLogoutRedirectUris:   postLogoutRedirectUris,
+		DevMode:                  devMode,
+		AccessTokenType:          accessTokenType,
+		AccessTokenRoleAssertion: accessTokenRoleAssertion,
+		IDTokenRoleAssertion:     idTokenRoleAssertion,
+		IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
+		ClockSkew:                clockSkew,
+	}
+}
+
+func OIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  *domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                      `json:"appId"`
+	RedirectUris             *[]string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            *[]domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               *[]domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          *domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           *domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   *[]string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  *bool                       `json:"devMode,omitempty"`
+	AccessTokenType          *domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion *bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     *bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion *bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                *time.Duration              `json:"clockSkew,omitempty"`
+}
+
+func (e *OIDCConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []OIDCConfigChanges,
+) (*OIDCConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCConfigChanges func(event *OIDCConfigChangedEvent)
+
+func ChangeVersion(version domain.OIDCVersion) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Version = &version
+	}
+}
+
+func ChangeRedirectURIs(uris []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.RedirectUris = &uris
+	}
+}
+
+func ChangeResponseTypes(responseTypes []domain.OIDCResponseType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ResponseTypes = &responseTypes
+	}
+}
+
+func ChangeGrantTypes(grantTypes []domain.OIDCGrantType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.GrantTypes = &grantTypes
+	}
+}
+
+func ChangeApplicationType(appType domain.OIDCApplicationType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ApplicationType = &appType
+	}
+}
+
+func ChangeAuthMethodType(authMethodType domain.OIDCAuthMethodType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func ChangePostLogoutRedirectURIs(logoutRedirects []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.PostLogoutRedirectUris = &logoutRedirects
+	}
+}
+
+func ChangeDevMode(devMode bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.DevMode = &devMode
+	}
+}
+
+func ChangeAccessTokenType(accessTokenType domain.OIDCTokenType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenType = &accessTokenType
+	}
+}
+
+func ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenRoleAssertion = &accessTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenRoleAssertion(idTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenRoleAssertion = &idTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenUserinfoAssertion = &idTokenUserinfoAssertion
+	}
+}
+
+func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClockSkew = &clockSkew
+	}
+}
+
+func OIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string              `json:"appId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+}
+
+func (e *OIDCConfigSecretChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	clientSecret *crypto.CryptoValue,
+) *OIDCConfigSecretChangedEvent {
+	return &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretChangedType,
+		),
+		AppID:        appID,
+		ClientSecret: clientSecret,
+	}
+}
+
+func OIDCConfigSecretChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-M893d", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *OIDCConfigSecretCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *OIDCConfigSecretCheckSucceededEvent {
+	return &OIDCConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCClientSecretCheckSucceededType,
+		),
+		AppID: appID,
+	}
+}
+
+func OIDCConfigSecretCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-837gV", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *OIDCConfigSecretCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *OIDCConfigSecretCheckFailedEvent {
+	return &OIDCConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCClientSecretCheckFailedType,
+		),
+		AppID: appID,
+	}
+}
+
+func OIDCConfigSecretCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-987g%", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/project.go
+++ b/internal/repository/project/project.go
@@ -0,0 +1,247 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueProjectnameType  = "project_names"
+	projectEventTypePrefix = eventstore.EventType("project.")
+	ProjectAddedType       = projectEventTypePrefix + "added"
+	ProjectChangedType     = projectEventTypePrefix + "changed"
+	ProjectDeactivatedType = projectEventTypePrefix + "deactivated"
+	ProjectReactivatedType = projectEventTypePrefix + "reactivated"
+	ProjectRemovedType     = projectEventTypePrefix + "removed"
+)
+
+func NewAddProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner,
+		"Errors.Project.AlreadyExists")
+}
+
+func NewRemoveProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner)
+}
+
+type ProjectAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                 string `json:"name,omitempty"`
+	ProjectRoleAssertion bool   `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     bool   `json:"projectRoleCheck,omitempty"`
+}
+
+func (e *ProjectAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func NewProjectAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+) *ProjectAddedEvent {
+	return &ProjectAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectAddedType,
+		),
+		Name: name,
+	}
+}
+
+func ProjectAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-Bfg2f", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectChangeEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                 *string `json:"name,omitempty"`
+	ProjectRoleAssertion *bool   `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     *bool   `json:"projectRoleCheck,omitempty"`
+	oldName              string
+}
+
+func (e *ProjectChangeEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectChangeEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if e.oldName != "" {
+		return []*eventstore.EventUniqueConstraint{
+			NewRemoveProjectNameUniqueConstraint(e.oldName, e.Aggregate().ResourceOwner),
+			NewAddProjectNameUniqueConstraint(*e.Name, e.Aggregate().ResourceOwner),
+		}
+	}
+	return nil
+}
+
+func NewProjectChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	oldName string,
+	changes []ProjectChanges,
+) (*ProjectChangeEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-mV9xc", "Errors.NoChangesFound")
+	}
+	changeEvent := &ProjectChangeEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectChangedType,
+		),
+		oldName: oldName,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type ProjectChanges func(event *ProjectChangeEvent)
+
+func ChangeName(name string) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeProjectRoleAssertion(projectRoleAssertion bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleAssertion = &projectRoleAssertion
+	}
+}
+
+func ChangeProjectRoleCheck(projectRoleCheck bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleCheck = &projectRoleCheck
+	}
+}
+
+func ProjectChangeEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectChangeEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-M9osd", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectDeactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectDeactivatedEvent {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectDeactivatedType,
+		),
+	}
+}
+
+func ProjectDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectReactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectReactivatedEvent {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectReactivatedType,
+		),
+	}
+}
+
+func ProjectReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name string
+}
+
+func (e *ProjectRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func NewProjectRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+) *ProjectRemovedEvent {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectRemovedType,
+		),
+		Name: name,
+	}
+}
+
+func ProjectRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/project/role.go
+++ b/internal/repository/project/role.go
@@ -0,0 +1,196 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+var (
+	UniqueRoleType      = "project_role"
+	roleEventTypePrefix = projectEventTypePrefix + "role."
+	RoleAddedType       = roleEventTypePrefix + "added"
+	RoleChangedType     = roleEventTypePrefix + "changed"
+	RoleRemovedType     = roleEventTypePrefix + "removed"
+)
+
+func NewAddProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID),
+		"Errors.Project.Role.AlreadyExists")
+}
+
+func NewRemoveProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID))
+}
+
+type RoleAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string `json:"key,omitempty"`
+	DisplayName string `json:"displayName,omitempty"`
+	Group       string `json:"group,omitempty"`
+	projectID   string
+}
+
+func (e *RoleAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectRoleUniqueConstraint(e.Key, e.projectID)}
+}
+
+func NewRoleAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key,
+	displayName,
+	group,
+	projectID string,
+) *RoleAddedEvent {
+	return &RoleAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleAddedType,
+		),
+		Key:         key,
+		DisplayName: displayName,
+		Group:       group,
+		projectID:   projectID,
+	}
+}
+
+func RoleAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-2M0xy", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string  `json:"key,omitempty"`
+	DisplayName *string `json:"displayName,omitempty"`
+	Group       *string `json:"group,omitempty"`
+}
+
+func (e *RoleChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRoleChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []RoleChanges,
+) (*RoleChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-eR9vx", "Errors.NoChangesFound")
+	}
+	changeEvent := &RoleChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleChangedType,
+		),
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type RoleChanges func(event *RoleChangedEvent)
+
+func ChangeKey(key string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Key = key
+	}
+}
+
+func ChangeDisplayName(displayName string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.DisplayName = &displayName
+	}
+}
+
+func ChangeGroup(group string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Group = &group
+	}
+}
+func RoleChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-3M0vx", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key       string `json:"key,omitempty"`
+	projectID string `json:"-"`
+}
+
+func (e *RoleRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectRoleUniqueConstraint(e.Key, e.projectID)}
+}
+
+func NewRoleRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key,
+	projectID string) *RoleRemovedEvent {
+	return &RoleRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleRemovedType,
+		),
+		Key:       key,
+		projectID: projectID,
+	}
+}
+
+func RoleRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-1M0xs", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}