@sanity/sdk 2.12.0 → 2.13.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/sdk",
-  "version": "2.12.0",
+  "version": "2.13.0",
   "private": false,
   "description": "Sanity SDK",
   "keywords": [
@@ -57,32 +57,32 @@
     "@sanity/image-url": "^2.1.1",
     "@sanity/json-match": "^1.0.5",
     "@sanity/message-protocol": "^0.23.0",
-    "@sanity/mutate": "^0.16.1",
+    "@sanity/mutate": "^0.18.0",
     "@sanity/telemetry": "^1.1.0",
     "@sanity/types": "^5.26.0",
     "groq": "3.88.1-typegen-experimental.0",
-    "groq-js": "^1.30.1",
+    "groq-js": "^1.30.2",
     "reselect": "^5.1.1",
     "rxjs": "^7.8.2",
     "zustand": "^5.0.13"
   },
   "devDependencies": {
     "@sanity/browserslist-config": "^1.0.5",
-    "@sanity/pkg-utils": "^8.1.29",
+    "@sanity/pkg-utils": "^9.2.3",
     "@sanity/prettier-config": "^1.0.6",
     "@types/node": "^24.12.4",
-    "@vitest/coverage-v8": "4.1.6",
+    "@vitest/coverage-v8": "^4.1.8",
     "eslint": "^9.39.4",
     "prettier": "^3.8.3",
     "rollup-plugin-visualizer": "^5.14.0",
     "typescript": "^5.9.3",
-    "vite": "^7.3.3",
-    "vitest": "^4.1.6",
-    "@repo/package.bundle": "3.82.0",
-    "@repo/package.config": "0.0.1",
-    "@repo/tsconfig": "0.0.1",
+    "vite": "^7.3.5",
+    "vitest": "^4.1.8",
     "@repo/config-test": "0.0.1",
-    "@repo/config-eslint": "0.0.0"
+    "@repo/package.config": "0.0.1",
+    "@repo/config-eslint": "0.0.0",
+    "@repo/package.bundle": "3.82.0",
+    "@repo/tsconfig": "0.0.1"
   },
   "publishConfig": {
     "access": "public"

package/src/document/applyDocumentActions.test.ts

@@ -202,4 +202,28 @@ describe('applyDocumentActions', () => {
     childInstance.dispose()
     parentInstance.dispose()
   })
+
+  it('normalizes actions for the bound resource before queueing', async () => {
+    // A plain edit action with no `liveEdit` flag. Canvas forces liveEdit, so
+    // the queued action should come back with `liveEdit: true` — proving that
+    // `applyDocumentActions` runs `normalizeActionsForResource`.
+    const action: DocumentAction = {
+      type: 'document.edit',
+      documentId: 'doc1',
+      documentType: 'sanity.canvas.document',
+      patches: [{set: {foo: 'bar'}}],
+    }
+
+    // Don't await — we only need to inspect the synchronously-queued transaction.
+    applyDocumentActions(instance, {
+      actions: [action],
+      transactionId: 'txn-normalize',
+      resource: {canvasId: 'c'},
+    })
+
+    const queued = state.get().queued.find((t) => t.transactionId === 'txn-normalize')
+    expect(queued).toBeDefined()
+    const [queuedAction] = queued!.actions
+    expect(queuedAction).toMatchObject({type: 'document.edit', liveEdit: true})
+  })
 })

package/src/document/applyDocumentActions.ts

@@ -10,6 +10,7 @@ import {documentStore, type DocumentStoreState} from './documentStore'
 import {type DocumentTransactionSubmissionResult} from './events'
 import {type DocumentSet} from './processMutations'
 import {type AppliedTransaction, type QueuedTransaction, queueTransaction} from './reducers'
+import {normalizeActionsForResource} from './resourceRules'
 
 /** @beta */
 export interface ActionsResult<TDocument extends SanityDocument = SanityDocument> {
@@ -73,13 +74,23 @@ const boundApplyDocumentActions = bindActionByResource(documentStore, _applyDocu
 /** @internal */
 async function _applyDocumentActions(
   {state}: StoreContext<DocumentStoreState>,
-  {actions, transactionId = crypto.randomUUID(), disableBatching}: ApplyDocumentActionsOptions,
+  {
+    actions,
+    resource,
+    transactionId = crypto.randomUUID(),
+    disableBatching,
+  }: ApplyDocumentActionsOptions,
 ): Promise<ActionsResult> {
   const {events} = state.get()
 
+  // Rewrite edit actions to match the bound resource's editing model (e.g.
+  // forcing liveEdit for Canvas, stripping unsupported release perspectives).
+  // Non-edit and release actions pass through unchanged.
+  const normalizedActions = normalizeActionsForResource(actions, resource)
+
   const transaction: QueuedTransaction = {
     transactionId,
-    actions,
+    actions: normalizedActions,
     ...(disableBatching && {disableBatching}),
   }
 

package/src/document/documentConstants.ts

@@ -8,3 +8,10 @@
 export const DOCUMENT_STATE_CLEAR_DELAY = 1000
 export const INITIAL_OUTGOING_THROTTLE_TIME = 1000
 export const API_VERSION = 'v2025-05-06'
+
+/**
+ * Base delay (ms) before retrying a document listener after an `OutOfSyncError`.
+ * Backoff doubles on each successive retry, capped at {@link OUT_OF_SYNC_RETRY_MAX_DELAY}.
+ */
+export const OUT_OF_SYNC_RETRY_BASE_DELAY = 500
+export const OUT_OF_SYNC_RETRY_MAX_DELAY = 10_000

package/src/document/documentStore.test.ts

@@ -42,6 +42,7 @@ import {
   subscribeDocumentEvents,
 } from './documentStore'
 import {type ActionErrorEvent, type TransactionRevertedEvent} from './events'
+import {DEFAULT_MAX_BUFFER_SIZE} from './listen'
 import {type DatasetAcl} from './permissions'
 import {type DocumentSet, processMutations} from './processMutations'
 import {type HttpAction} from './reducers'
@@ -1006,6 +1007,72 @@ it('version edits are isolated from draft state', async () => {
   unsubscribeDraft()
 })
 
+it('subscribeToSubscriptionsAndListenToDocuments recovers from an OutOfSyncError instead of failing the document store', async () => {
+  const documentId = DocumentId('doc-out-of-sync-recovery')
+  const doc = createDocumentHandle({documentId, documentType: 'article'})
+  const documentState = getDocumentState<TestDocument>(instance, doc)
+  const unsubscribe = documentState.subscribe()
+  const draftId = getDraftId(documentId)
+
+  // Establish a synced document so the listener has a base revision.
+  const created = await applyDocumentActions(instance, {
+    actions: [createDocument(doc), editDocument(doc, {set: {title: 'initial'}})],
+  })
+  await created.submitted()
+  expect(documentState.getCurrent()?.title).toBe('initial')
+
+  // Capture the fetchDocument spy so we can detect when the listener
+  // re-subscribes. (every frest subscription re-runs fetchDocument)
+  const fetchDocumentSpy = vi.mocked(createFetchDocument).mock.results.at(-1)?.value as ReturnType<
+    typeof vi.fn
+  >
+  const fetchCallsBefore = fetchDocumentSpy.mock.calls.filter(([id]) => id === draftId).length
+
+  // Inject DEFAULT_MAX_BUFFER_SIZE mutations whose previousRev doesn't chain
+  // to the base revision (basically forcing the error)
+  const sharedListener = (
+    createSharedListener as unknown as () => {events: Subject<ListenEvent<SanityDocument>>}
+  )()
+  for (let i = 0; i < DEFAULT_MAX_BUFFER_SIZE; i++) {
+    sharedListener.events.next({
+      type: 'mutation',
+      documentId: draftId,
+      eventId: `bad-${i}`,
+      identity: 'user',
+      mutations: [],
+      timestamp: new Date().toISOString(),
+      transactionId: `bad-tx-${i}`,
+      transactionCurrentEvent: 0,
+      transactionTotalEvents: 1,
+      previousRev: `dangling-rev-${i}`,
+      resultRev: `bad-rev-${i}`,
+      transition: 'update',
+      visibility: 'query',
+    })
+  }
+
+  // The above should have triggered a retry and re-subscribed to the listener
+  await vi.waitFor(() => {
+    expect(fetchDocumentSpy.mock.calls.filter(([id]) => id === draftId).length).toBeGreaterThan(
+      fetchCallsBefore,
+    )
+  })
+
+  // The store stayed healthy through the OutOfSyncError.
+  expect(() => documentState.getCurrent()).not.toThrow()
+  expect(() => getDocumentSyncStatus(instance, doc).getCurrent()).not.toThrow()
+
+  // A follow-up edit still propagates through the recovered listener.
+  const edited = await applyDocumentActions(instance, {
+    actions: [editDocument(doc, {set: {title: 'after-recovery'}})],
+    resource,
+  })
+  await edited.submitted()
+  expect(documentState.getCurrent()?.title).toBe('after-recovery')
+
+  unsubscribe()
+})
+
 vi.mock('../client/clientStore.ts', () => ({
   getClientState: vi.fn().mockReturnValue({observable: new ReplaySubject(1)}),
 }))
@@ -1039,6 +1106,8 @@ vi.mock('./documentConstants.ts', async (importOriginal) => {
     ...original,
     INITIAL_OUTGOING_THROTTLE_TIME: 0,
     DOCUMENT_STATE_CLEAR_DELAY: 25,
+    OUT_OF_SYNC_RETRY_BASE_DELAY: 0,
+    OUT_OF_SYNC_RETRY_MAX_DELAY: 0,
   }
 })
 

package/src/document/documentStore.ts

@@ -17,15 +17,18 @@ import {
   Observable,
   of,
   pairwise,
+  retry,
   startWith,
   Subject,
   switchMap,
   tap,
   throttle,
+  throwError,
   timer,
   withLatestFrom,
 } from 'rxjs'
 
+import {getCurrentUserState} from '../auth/authStore'
 import {type ClientOptions, getClientState} from '../client/clientStore'
 import {
   type DocumentHandle,
@@ -44,7 +47,12 @@ import {type SanityInstance} from '../store/createSanityInstance'
 import {createStateSourceAction, type StateSource} from '../store/createStateSourceAction'
 import {defineStore, type StoreContext} from '../store/defineStore'
 import {type DocumentAction} from './actions'
-import {API_VERSION, INITIAL_OUTGOING_THROTTLE_TIME} from './documentConstants'
+import {
+  API_VERSION,
+  INITIAL_OUTGOING_THROTTLE_TIME,
+  OUT_OF_SYNC_RETRY_BASE_DELAY,
+  OUT_OF_SYNC_RETRY_MAX_DELAY,
+} from './documentConstants'
 import {
   type DocumentEvent,
   type DocumentTransactionSubmissionResult,
@@ -82,6 +90,10 @@ export interface DocumentStoreState {
   applied: AppliedTransaction[]
   outgoing?: OutgoingTransaction
   grants?: Record<Grant, ExprNode>
+  /**
+   * The current user's identity (their user ID).
+   */
+  identity?: string
   error?: unknown
   sharedListener: SharedListener
   fetchDocument: (documentId: string) => Observable<SanityDocument | null>
@@ -141,6 +153,7 @@ export const documentStore = defineStore<DocumentStoreState, BoundResourceKey>({
       subscribeToSubscriptionsAndListenToDocuments(context),
       subscribeToAppliedAndSubmitNextTransaction(context),
       subscribeToClientAndFetchDatasetAcl(context),
+      subscribeToCurrentUserAndSetIdentity(context),
     ]
 
     return () => {
@@ -497,10 +510,15 @@ const subscribeToSubscriptionsAndListenToDocuments = (
           switchMap((e) => {
             if (!e.add) return EMPTY
             return listen(context, e.id).pipe(
-              catchError((error) => {
-                // retry on `OutOfSyncError`
-                if (error instanceof OutOfSyncError) listen(context, e.id)
-                throw error
+              retry({
+                delay: (error, retryCount) => {
+                  if (!(error instanceof OutOfSyncError)) return throwError(() => error)
+                  const backoff = Math.min(
+                    OUT_OF_SYNC_RETRY_BASE_DELAY * 2 ** (retryCount - 1),
+                    OUT_OF_SYNC_RETRY_MAX_DELAY,
+                  )
+                  return timer(backoff)
+                },
               }),
               tap((remote) =>
                 state.set('applyRemoteDocument', (prev) =>
@@ -548,3 +566,16 @@ const subscribeToClientAndFetchDatasetAcl = ({
       error: (error) => state.set('setError', {error}),
     })
 }
+
+const subscribeToCurrentUserAndSetIdentity = ({
+  instance,
+  state,
+}: StoreContext<DocumentStoreState, BoundResourceKey>) =>
+  getCurrentUserState(instance).observable.subscribe({
+    next: (currentUser) => state.set('setIdentity', {identity: currentUser?.id}),
+    // A transient identity-fetch failure (network blip, expired token, or a
+    // normal logout/re-login transition) should not brick all document
+    // operations. Reset the identity to `undefined` and keep going — GROQ's
+    // `identity()` then evaluates to null, matching the unauthenticated state.
+    error: () => state.set('setIdentity', {identity: undefined}),
+  })

package/src/document/listen.ts

@@ -20,7 +20,7 @@ import {type StoreContext} from '../store/defineStore'
 import {type DocumentStoreState} from './documentStore'
 import {processMutations} from './processMutations'
 
-const DEFAULT_MAX_BUFFER_SIZE = 20
+export const DEFAULT_MAX_BUFFER_SIZE = 20
 const DEFAULT_DEADLINE_MS = 30000
 
 export interface RemoteDocument {

package/src/document/permissions.test.ts

@@ -32,9 +32,11 @@ const alwaysDeny = parse('false')
 const createState = (
   docStates: Record<string, {local: unknown}>,
   grants?: Record<Grant, ExprNode>,
+  identity?: string,
 ): SyncTransactionState => ({
   documentStates: docStates as SyncTransactionState['documentStates'],
   grants,
+  identity,
   queued: [],
   applied: [],
 })
@@ -52,6 +54,18 @@ describe('createGrantsLookup', () => {
       expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
     })
   })
+
+  it('should ignore unknown permissions like "manage"', () => {
+    const datasetAcl = [
+      {filter: '_id != null', permissions: ['history', 'read', 'update', 'create', 'manage']},
+    ] as DatasetAcl
+    const grants = createGrantsLookup(datasetAcl)
+    const dummyDoc = {_id: 'doc1'}
+    ;(['read', 'update', 'create', 'history'] as Grant[]).forEach((key) => {
+      expect(grants[key]).toBeDefined()
+      expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
+    })
+  })
 })
 
 describe('calculatePermissions', () => {
@@ -234,4 +248,69 @@ describe('calculatePermissions', () => {
     const result2 = calculatePermissions({instance, state}, {actions: [{...action}]})
     expect(result1).toBe(result2)
   })
+
+  describe('identity-aware grants', () => {
+    // Mirrors the canvas ACL filter shape: only the document's creator may
+    // update it. Without an identity passed to groq, `identity()` is null and
+    // the expression collapses to null — which used to read as "denied".
+    const canvasUpdateAcl: DatasetAcl = [
+      {
+        filter: '_type == "sanity.canvas.document" && _system.createdBy == identity()',
+        permissions: ['read', 'update'],
+      },
+    ]
+
+    const canvasDoc = (createdBy: string): SanityDocument => ({
+      _id: 'canvas-1',
+      _type: 'sanity.canvas.document',
+      _createdAt: '2025-01-01T00:00:00.000Z',
+      _updatedAt: '2025-01-01T00:00:00.000Z',
+      _rev: 'rev-1',
+      _system: {createdBy},
+    })
+
+    const editAction: DocumentAction = {
+      documentId: 'canvas-1',
+      documentType: 'sanity.canvas.document',
+      type: 'document.edit',
+      liveEdit: true,
+    }
+
+    it('allows edits when identity matches the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-A',
+      )
+      expect(calculatePermissions({instance, state}, {actions: [editAction]})).toEqual({
+        allowed: true,
+      })
+    })
+
+    it('denies edits when identity does not match the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-B',
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+
+    it('denies edits when identity is not yet loaded', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        undefined,
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+  })
 })

package/src/document/permissions.ts

@@ -1,6 +1,6 @@
 import {DocumentId, getDraftId, getPublishedId, getVersionId} from '@sanity/id-utils'
 import {type SanityDocument} from '@sanity/types'
-import {evaluateSync, type ExprNode, parse} from 'groq-js'
+import {type ExprNode, parse} from 'groq-js'
 import {createSelector} from 'reselect'
 
 import {isReleasePerspective} from '../releases/utils/isReleasePerspective'
@@ -8,6 +8,7 @@ import {type SelectorContext} from '../store/createStateSourceAction'
 import {MultiKeyWeakMap} from '../utils/MultiKeyWeakMap'
 import {type DocumentAction} from './actions'
 import {ActionError, PermissionActionError, processActions} from './processActions/processActions'
+import {checkGrant} from './processActions/shared'
 import {type DocumentSet} from './processMutations'
 import {type SyncTransactionState} from './reducers'
 
@@ -29,6 +30,8 @@ export function createGrantsLookup(datasetAcl: DatasetAcl): Record<Grant, ExprNo
   for (const entry of datasetAcl) {
     for (const grant of entry.permissions) {
       const set = filtersByGrant[grant]
+      // Ignore permissions we don't model (e.g. "manage")
+      if (!set) continue
       set.add(entry.filter)
       filtersByGrant[grant] = set
     }
@@ -140,11 +143,6 @@ const memoizedActionsSelector = createSelector(
   },
 )
 
-function checkGrant(grantExpr: ExprNode, document: SanityDocument): boolean {
-  const value = evaluateSync(grantExpr, {params: {document}})
-  return value.type === 'boolean' && value.data
-}
-
 /** @beta */
 export interface PermissionDeniedReason {
   type: 'precondition' | 'access'
@@ -172,11 +170,13 @@ export function calculatePermissions(
 const _calculatePermissions = createSelector(
   [
     ({state: {grants}}: SelectorContext<SyncTransactionState>) => grants,
+    ({state: {identity}}: SelectorContext<SyncTransactionState>) => identity,
     documentsSelector,
     memoizedActionsSelector,
   ],
   (
     grants: Record<Grant, ExprNode> | undefined,
+    identity: string | undefined,
     documents: DocumentSet | undefined,
     actions: DocumentAction[] | undefined,
   ): DocumentPermissionsResult | undefined => {
@@ -195,6 +195,7 @@ const _calculatePermissions = createSelector(
         base: documents,
         timestamp,
         grants,
+        identity,
       })
     } catch (error) {
       if (error instanceof PermissionActionError) {
@@ -244,7 +245,7 @@ const _calculatePermissions = createSelector(
               documentId: docId,
             })
           }
-        } else if (!checkGrant(grants.update, doc)) {
+        } else if (!checkGrant(grants.update, doc, identity)) {
           reasons.push({
             type: 'access',
             message: `You are not allowed to edit the document with ID "${docId}".`,

package/src/document/processActions/create.ts

@@ -16,7 +16,7 @@ export function handleCreate(
   action: CreateDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -51,7 +51,7 @@ export function handleCreate(
       timestamp,
     })
 
-    if (!checkGrant(grants.create, working[documentId] as SanityDocument)) {
+    if (!checkGrant(grants.create, working[documentId] as SanityDocument, identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -111,13 +111,16 @@ export function handleCreate(
     timestamp,
   })
 
-  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument)) {
+  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,
       message: `You do not have permission to create a release version for document "${documentId}".`,
     })
-  } else if (!versionId && !checkGrant(grants.create, working[draftId] as SanityDocument)) {
+  } else if (
+    !versionId &&
+    !checkGrant(grants.create, working[draftId] as SanityDocument, identity)
+  ) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/delete.ts

@@ -16,7 +16,7 @@ export function handleDelete(
   action: DeleteDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = action.documentId
@@ -38,7 +38,7 @@ export function handleDelete(
       })
     }
 
-    if (!checkGrant(grants.update, working[documentId])) {
+    if (!checkGrant(grants.update, working[documentId], identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -72,9 +72,9 @@ export function handleDelete(
     })
   }
 
-  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId])
+  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId], identity)
   const cantDeletePublished =
-    working[publishedId] && !checkGrant(grants.update, working[publishedId])
+    working[publishedId] && !checkGrant(grants.update, working[publishedId], identity)
 
   if (cantDeleteDraft || cantDeletePublished) {
     throw new PermissionActionError({

package/src/document/processActions/discard.ts

@@ -16,7 +16,7 @@ export function handleDiscard(
   action: DiscardDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -43,7 +43,7 @@ export function handleDiscard(
     })
   }
 
-  if (!checkGrant(grants.update, working[versionId])) {
+  if (!checkGrant(grants.update, working[versionId], identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/edit.ts

@@ -18,7 +18,7 @@ export function handleEdit(
   action: EditDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -32,6 +32,7 @@ export function handleEdit(
       transactionId,
       timestamp,
       grants,
+      identity,
     })
     // liveEdit documents use the mutation endpoint directly -- we don't send actions
     outgoingMutations.push(...result.workingMutations)
@@ -98,7 +99,7 @@ export function handleEdit(
   if (!isReleasePerspective(action.perspective) && !working[draftId] && working[publishedId]) {
     const newDraftFromPublished = {...working[publishedId], _id: draftId}
 
-    if (!checkGrant(grants.create, newDraftFromPublished)) {
+    if (!checkGrant(grants.create, newDraftFromPublished, identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -111,7 +112,7 @@ export function handleEdit(
 
   // the first if statement should make this never be null or undefined
   const workingBefore = working[patchDocumentId] ?? working[publishedId]
-  if (!checkGrant(grants.update, workingBefore!)) {
+  if (!checkGrant(grants.update, workingBefore!, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/processActions.ts

@@ -65,6 +65,13 @@ interface ProcessActionsOptions {
    */
   grants: Record<Grant, ExprNode>
 
+  /**
+   * The current user's ID, passed to GROQ as the value of `identity()` when
+   * evaluating ACL filters. Optional because the user may not have loaded yet;
+   * filters that reference `identity()` will evaluate to null in that case.
+   */
+  identity?: string
+
   // // TODO: implement initial values from the schema?
   // initialValues?: {[TDocumentType in string]?: {_type: string}}
 }
@@ -116,6 +123,7 @@ export function processActions({
   base: initialBase,
   timestamp,
   grants,
+  identity,
 }: ProcessActionsOptions): ProcessActionsResult {
   let base: DocumentSet = {...initialBase}
   let working: DocumentSet = {...initialWorking}
@@ -148,6 +156,7 @@ export function processActions({
       transactionId,
       timestamp,
       grants,
+      identity,
       outgoingActions,
       outgoingMutations,
     })

package/src/document/processActions/publish.ts

@@ -17,7 +17,7 @@ export function handlePublish(
   action: PublishDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -58,7 +58,7 @@ export function handlePublish(
 
   const mutations: Mutation[] = [{delete: {id: draftId}}, {createOrReplace: newPublishedFromDraft}]
 
-  if (working[draftId] && !checkGrant(grants.update, working[draftId])) {
+  if (working[draftId] && !checkGrant(grants.update, working[draftId], identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,
@@ -66,13 +66,13 @@ export function handlePublish(
     })
   }
 
-  if (working[publishedId] && !checkGrant(grants.update, newPublishedFromDraft)) {
+  if (working[publishedId] && !checkGrant(grants.update, newPublishedFromDraft, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,
       message: `Publish failed: You do not have permission to update the published version of "${documentId}".`,
     })
-  } else if (!working[publishedId] && !checkGrant(grants.create, newPublishedFromDraft)) {
+  } else if (!working[publishedId] && !checkGrant(grants.create, newPublishedFromDraft, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,