@cloudrise/openclaw-channel-rocketchat 0.3.0 → 0.4.1

package/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [0.4.1] - 2026-02-15
+
+### Fixed
+
+- **Approver bypass**: Approvers are now correctly allowed through the DM access gate to send approval commands. Previously, approvers would get stuck in the "pending approval" flow when DMing the bot.
+
+## [0.4.0] - 2026-02-15
+
+### Added
+
+- **Owner Channel Approval**: New `dmPolicy: "owner-approval"` mode for in-channel approval flow
+  - No CLI needed — approve/deny via Rocket.Chat messages
+  - Configure `ownerApproval.notifyChannels` for where to receive requests
+  - Configure `ownerApproval.approvers` with usernames or Rocket.Chat roles (`role:admin`, `role:moderator`)
+  - Commands: `approve @user`, `deny @user`, `approve room:ID`, `pending`
+  - Requester gets notified when approved/denied
+- **Rocket.Chat Role Integration**: Approvers can be defined by RC roles (admin, moderator, etc.)
+
+### Example Config
+
+```yaml
+channels:
+  rocketchat:
+    dmPolicy: "owner-approval"
+    ownerApproval:
+      enabled: true
+      notifyChannels:
+        - "@admin"
+        - "room:APPROVERS"
+      approvers:
+        - "@marshal"
+        - "role:admin"
+      notifyOnApprove: true
+      notifyOnDeny: true
+```
+
 ## [0.3.0] - 2026-02-15
 
 ### Added

package/README.md

@@ -354,35 +354,89 @@ npm publish
 
 (There is also a GitHub Actions workflow in `.github/workflows/publish.yml`.)
 
-## DM Access Control (Pairing)
+## DM Access Control
 
-The plugin supports OpenClaw's standard DM pairing flow for controlling who can message the bot.
+The plugin supports multiple DM access control modes, including a unique **Owner Channel Approval** flow.
 
 ### DM Policies
 
 ```yaml
 channels:
   rocketchat:
-    # DM access policy (default: "open")
-    dmPolicy: "pairing"  # or "open" | "allowlist" | "disabled"
-    
-    # Pre-approved users (used with "pairing" and "allowlist")
-    allowFrom:
-      - "@admin"
-      - "user123"
+    dmPolicy: "owner-approval"  # or "open" | "pairing" | "allowlist" | "disabled"
 ```
 
 | Policy | Behavior |
 |--------|----------|
 | `open` | **(Default)** All DMs allowed. Rocket.Chat server-level auth is the only gate. |
+| `owner-approval` | **🆕** Unknown senders trigger approval request to owner channel. No CLI needed! |
 | `pairing` | Unknown senders get a pairing code. Owner approves via CLI. |
 | `allowlist` | Only users in `allowFrom` can DM. Others are silently blocked. |
 | `disabled` | All DMs blocked. |
 
-### Pairing Flow
+---
+
+### Owner Channel Approval (Recommended)
+
+Approve or deny users **directly in Rocket.Chat** — no CLI needed!
+
+```yaml
+channels:
+  rocketchat:
+    dmPolicy: "owner-approval"
+    ownerApproval:
+      enabled: true
+      
+      # Where to send approval notifications
+      notifyChannels:
+        - "@admin"            # DM to specific user
+        - "room:APPROVERS"    # or a dedicated room
+      
+      # Who can approve (supports Rocket.Chat roles!)
+      approvers:
+        - "@marshal"          # specific username
+        - "role:admin"        # anyone with RC admin role
+        - "role:moderator"    # anyone with moderator role
+      
+      # Notify requester when decision is made
+      notifyOnApprove: true
+      notifyOnDeny: true
+      
+      # Optional timeout (seconds)
+      timeout: 3600
+      onTimeout: "pending"    # or "deny" or "remind"
+```
+
+**Flow:**
+1. Unknown user sends a DM
+2. Bot notifies owner channel: `"🔔 New DM request from @user123"`
+3. Owner replies: `approve @user123` or `deny @user123`
+4. Requester gets notified: `"✅ You've been approved!"`
+5. Future messages are processed normally
+
+**Commands (in owner channel or DM to bot):**
+```
+approve @user123           # approve a user
+deny @user123              # deny a user
+approve room:GENERAL       # approve a room
+pending                    # list pending requests
+```
+
+---
 
-When `dmPolicy: "pairing"`:
+### CLI-Based Pairing
+
+If you prefer CLI-based approval:
+
+```yaml
+channels:
+  rocketchat:
+    dmPolicy: "pairing"
+    allowFrom:
+      - "@admin"           # pre-approved users
+```
 
+**Flow:**
 1. Unknown user sends a DM
 2. Bot replies with a pairing code: `"Pairing required. Code: ABC12345"`
 3. Owner approves via CLI:
@@ -390,8 +444,9 @@ When `dmPolicy: "pairing"`:
    openclaw pairing list rocketchat
    openclaw pairing approve rocketchat ABC12345
    ```
-4. User is added to allowlist and notified: `"✅ You've been approved!"`
-5. Future messages are processed normally
+4. User is added to allowlist
+
+---
 
 ### Why is the default "open"?
 
@@ -400,7 +455,7 @@ Unlike public platforms (Telegram, WhatsApp, Signal), Rocket.Chat is typically:
 - Behind organizational access controls
 - Already requires user accounts to message
 
-So **server-level authentication acts as the primary gate**. Use `pairing` or `allowlist` if you need per-user approval on top of that.
+So **server-level authentication acts as the primary gate**. Use `owner-approval` or `pairing` if you need per-user approval on top of that.
 
 ## Security
 

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "openclaw-channel-rocketchat",
   "name": "Rocket.Chat",
   "description": "Rocket.Chat channel plugin for OpenClaw",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "channels": ["rocketchat"],
   "configSchema": {
     "type": "object",
@@ -15,9 +15,36 @@
       "authTokenFile": { "type": "string" },
       "dmPolicy": {
         "type": "string",
-        "enum": ["open", "pairing", "allowlist", "disabled"],
+        "enum": ["open", "pairing", "allowlist", "disabled", "owner-approval"],
         "default": "open",
-        "description": "DM access policy. 'open' allows all (server-level auth), 'pairing' requires approval, 'allowlist' requires pre-configured allowFrom, 'disabled' blocks all DMs."
+        "description": "DM access policy. 'open' allows all, 'pairing' requires CLI approval, 'owner-approval' requires owner channel approval, 'allowlist' requires pre-configured allowFrom, 'disabled' blocks all DMs."
+      },
+      "ownerApproval": {
+        "type": "object",
+        "properties": {
+          "enabled": { "type": "boolean", "default": false },
+          "notifyChannels": {
+            "type": "array",
+            "items": { "type": "string" },
+            "description": "Where to send approval notifications (e.g., '@admin', 'room:APPROVERS')"
+          },
+          "approvers": {
+            "type": "array",
+            "items": { "type": "string" },
+            "description": "Who can approve (e.g., '@marshal', 'role:admin', 'role:moderator')"
+          },
+          "timeout": { "type": "number", "description": "Timeout in seconds (0 = no timeout)" },
+          "onTimeout": { "type": "string", "enum": ["pending", "deny", "remind"], "default": "pending" },
+          "notifyOnDeny": { "type": "boolean", "default": false },
+          "notifyOnApprove": { "type": "boolean", "default": true },
+          "requireApproval": {
+            "type": "object",
+            "properties": {
+              "dm": { "type": "boolean", "default": true },
+              "roomInvite": { "type": "boolean", "default": true }
+            }
+          }
+        }
       },
       "allowFrom": {
         "type": "array",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudrise/openclaw-channel-rocketchat",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "description": "Rocket.Chat channel plugin for OpenClaw (Cloudrise)",
   "license": "MIT",
   "type": "module",

package/src/rocketchat/accounts.ts

@@ -12,6 +12,34 @@ type RocketChatRoomConfig = {
   replyMode?: RocketChatReplyMode;
 };
 
+export type OwnerApprovalConfig = {
+  enabled?: boolean;
+  
+  /** Where to send approval notifications (e.g., "@admin", "room:APPROVERS") */
+  notifyChannels?: string[];
+  
+  /** Who can approve (e.g., "@marshal", "role:admin", "role:moderator") */
+  approvers?: string[];
+  
+  /** Timeout in seconds (0 = no timeout) */
+  timeout?: number;
+  
+  /** What to do on timeout: "pending" (keep waiting), "deny", "remind" */
+  onTimeout?: "pending" | "deny" | "remind";
+  
+  /** Notify requester when denied */
+  notifyOnDeny?: boolean;
+  
+  /** Notify requester when approved */
+  notifyOnApprove?: boolean;
+  
+  /** What requires approval */
+  requireApproval?: {
+    dm?: boolean;
+    roomInvite?: boolean;
+  };
+};
+
 export type RocketChatAccountConfig = {
   enabled?: boolean;
   name?: string;
@@ -19,12 +47,15 @@ export type RocketChatAccountConfig = {
   userId?: string;
   authToken?: string;
   authTokenFile?: string;
-  dmPolicy?: "pairing" | "allowlist" | "open" | "disabled";
+  dmPolicy?: "pairing" | "allowlist" | "open" | "disabled" | "owner-approval";
   allowFrom?: string[];
-  groupPolicy?: "allowlist" | "open" | "disabled";
+  groupPolicy?: "allowlist" | "open" | "disabled" | "owner-approval";
   groupAllowFrom?: string[];
   rooms?: Record<string, RocketChatRoomConfig>;
 
+  /** Owner approval configuration */
+  ownerApproval?: OwnerApprovalConfig;
+
   /** Reply mode selection (thread | channel | auto). Default: thread (legacy behavior). */
   replyMode?: RocketChatReplyMode;
 

package/src/rocketchat/approval-commands.ts

@@ -0,0 +1,210 @@
+/**
+ * Approval Command Parser
+ * 
+ * Parses commands like:
+ * - approve @user123
+ * - deny @user123
+ * - approve room:GENERAL
+ * - list pending
+ * - pending
+ */
+
+export type ApprovalCommand = 
+  | { action: "approve"; targets: string[] }
+  | { action: "deny"; targets: string[] }
+  | { action: "list" }
+  | null;
+
+/**
+ * Parse an approval command from a message.
+ * Returns null if the message is not a command.
+ */
+export function parseApprovalCommand(text: string): ApprovalCommand {
+  const trimmed = text.trim();
+  const lower = trimmed.toLowerCase();
+  
+  // List commands
+  if (lower === "list pending" || lower === "pending" || lower === "list") {
+    return { action: "list" };
+  }
+  
+  // Approve command
+  const approveMatch = trimmed.match(/^approve\s+(.+)$/i);
+  if (approveMatch) {
+    const targets = parseTargets(approveMatch[1]);
+    if (targets.length > 0) {
+      return { action: "approve", targets };
+    }
+  }
+  
+  // Deny command
+  const denyMatch = trimmed.match(/^deny\s+(.+)$/i);
+  if (denyMatch) {
+    const targets = parseTargets(denyMatch[1]);
+    if (targets.length > 0) {
+      return { action: "deny", targets };
+    }
+  }
+  
+  // Short forms: yes/no with target
+  const yesMatch = trimmed.match(/^(yes|ok|y)\s+(.+)$/i);
+  if (yesMatch) {
+    const targets = parseTargets(yesMatch[2]);
+    if (targets.length > 0) {
+      return { action: "approve", targets };
+    }
+  }
+  
+  const noMatch = trimmed.match(/^(no|n|reject)\s+(.+)$/i);
+  if (noMatch) {
+    const targets = parseTargets(noMatch[2]);
+    if (targets.length > 0) {
+      return { action: "deny", targets };
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Parse target identifiers from a string.
+ * Supports: @username, room:NAME, user:ID, plain IDs
+ * Supports multiple targets separated by spaces or commas.
+ */
+function parseTargets(input: string): string[] {
+  // Split by comma or whitespace
+  const parts = input.split(/[\s,]+/).filter(Boolean);
+  
+  const targets: string[] = [];
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (!trimmed) continue;
+    
+    // Already prefixed
+    if (trimmed.startsWith("@") || trimmed.startsWith("room:") || trimmed.startsWith("user:")) {
+      targets.push(trimmed);
+      continue;
+    }
+    
+    // Plain identifier - could be username or room
+    targets.push(trimmed);
+  }
+  
+  return targets;
+}
+
+/**
+ * Format a pending approval for display.
+ */
+export function formatApprovalRequest(approval: {
+  id: string;
+  type: "dm" | "room";
+  targetId: string;
+  targetName?: string;
+  targetUsername?: string;
+  requesterName?: string;
+  requesterUsername?: string;
+  createdAt: number;
+}): string {
+  const age = formatAge(Date.now() - approval.createdAt);
+  
+  if (approval.type === "dm") {
+    const who = approval.targetUsername 
+      ? `@${approval.targetUsername}` 
+      : approval.targetName ?? approval.targetId;
+    return `• **DM** from ${who} (${age} ago) — \`approve ${approval.targetUsername ?? approval.targetId}\``;
+  } else {
+    const room = approval.targetName ?? approval.targetId;
+    const who = approval.requesterUsername 
+      ? `@${approval.requesterUsername}` 
+      : approval.requesterName ?? "someone";
+    return `• **Room** #${room} (invited by ${who}, ${age} ago) — \`approve room:${approval.targetId}\``;
+  }
+}
+
+/**
+ * Format age in human-readable form.
+ */
+function formatAge(ms: number): string {
+  const seconds = Math.floor(ms / 1000);
+  if (seconds < 60) return `${seconds}s`;
+  const minutes = Math.floor(seconds / 60);
+  if (minutes < 60) return `${minutes}m`;
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return `${hours}h`;
+  const days = Math.floor(hours / 24);
+  return `${days}d`;
+}
+
+/**
+ * Build the approval request notification message.
+ */
+export function buildApprovalRequestMessage(params: {
+  type: "dm" | "room";
+  targetId: string;
+  targetName?: string;
+  targetUsername?: string;
+  requesterName?: string;
+  requesterUsername?: string;
+}): string {
+  if (params.type === "dm") {
+    const who = params.targetUsername 
+      ? `@${params.targetUsername}` 
+      : params.targetName ?? params.targetId;
+    return [
+      `🔔 **New DM request**`,
+      ``,
+      `User: ${who}`,
+      ``,
+      `Reply:`,
+      `• \`approve ${params.targetUsername ?? params.targetId}\` — allow this user`,
+      `• \`deny ${params.targetUsername ?? params.targetId}\` — block this user`,
+      `• \`pending\` — list all pending requests`,
+    ].join("\n");
+  } else {
+    const room = params.targetName ?? params.targetId;
+    const who = params.requesterUsername 
+      ? `@${params.requesterUsername}` 
+      : params.requesterName ?? "Someone";
+    return [
+      `🔔 **Bot invited to new room**`,
+      ``,
+      `Room: #${room}`,
+      `Invited by: ${who}`,
+      ``,
+      `Reply:`,
+      `• \`approve room:${params.targetId}\` — allow this room`,
+      `• \`deny room:${params.targetId}\` — leave this room`,
+      `• \`pending\` — list all pending requests`,
+    ].join("\n");
+  }
+}
+
+/**
+ * Build the "waiting for approval" message for requesters.
+ */
+export function buildWaitingMessage(): string {
+  return `⏳ Your request is pending approval. The owner has been notified.`;
+}
+
+/**
+ * Build the approval confirmation message.
+ */
+export function buildApprovedMessage(target: string, type: "dm" | "room"): string {
+  if (type === "dm") {
+    return `✅ You've been approved! You can now send messages.`;
+  } else {
+    return `✅ This room has been approved. I'm ready to help!`;
+  }
+}
+
+/**
+ * Build the denial message.
+ */
+export function buildDeniedMessage(target: string, type: "dm" | "room"): string {
+  if (type === "dm") {
+    return `❌ Your request was not approved.`;
+  } else {
+    return `❌ This room was not approved. Goodbye!`;
+  }
+}

package/src/rocketchat/approval-queue.ts

@@ -0,0 +1,256 @@
+/**
+ * Approval Queue for Owner Approval Flow
+ * 
+ * Manages pending approval requests with memory + file persistence.
+ * Survives gateway restarts.
+ */
+
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import * as os from "node:os";
+import * as crypto from "node:crypto";
+
+export type ApprovalType = "dm" | "room";
+
+export type PendingApproval = {
+  id: string;
+  type: ApprovalType;
+  
+  // For DMs: the user requesting access
+  // For rooms: the room the bot was invited to
+  targetId: string;
+  targetName?: string;
+  targetUsername?: string;
+  
+  // Who triggered the approval (user who DM'd or invited bot)
+  requesterId: string;
+  requesterName?: string;
+  requesterUsername?: string;
+  
+  // Where to reply to the requester
+  replyRoomId: string;
+  
+  // Timestamps
+  createdAt: number;
+  lastNotifiedAt: number;
+  expiresAt?: number;
+  
+  // State
+  status: "pending" | "approved" | "denied" | "expired";
+  decidedBy?: string;
+  decidedAt?: number;
+};
+
+type ApprovalStore = {
+  version: number;
+  pending: PendingApproval[];
+};
+
+// In-memory cache
+let cache: ApprovalStore | null = null;
+
+function resolveStorePath(): string {
+  return path.join(os.homedir(), ".openclaw", "credentials", "rocketchat-approval-queue.json");
+}
+
+async function ensureDir(dirPath: string): Promise<void> {
+  await fs.mkdir(dirPath, { recursive: true, mode: 0o700 });
+}
+
+async function loadStore(): Promise<ApprovalStore> {
+  if (cache) return cache;
+  
+  try {
+    const data = await fs.readFile(resolveStorePath(), "utf-8");
+    const parsed = JSON.parse(data);
+    cache = {
+      version: parsed.version ?? 1,
+      pending: Array.isArray(parsed.pending) ? parsed.pending : [],
+    };
+    return cache;
+  } catch {
+    cache = { version: 1, pending: [] };
+    return cache;
+  }
+}
+
+async function saveStore(store: ApprovalStore): Promise<void> {
+  cache = store;
+  await ensureDir(path.dirname(resolveStorePath()));
+  await fs.writeFile(resolveStorePath(), JSON.stringify(store, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Create a new pending approval request.
+ */
+export async function createApproval(params: {
+  type: ApprovalType;
+  targetId: string;
+  targetName?: string;
+  targetUsername?: string;
+  requesterId: string;
+  requesterName?: string;
+  requesterUsername?: string;
+  replyRoomId: string;
+  timeoutMs?: number;
+}): Promise<PendingApproval> {
+  const store = await loadStore();
+  const now = Date.now();
+  
+  // Check for existing pending approval for same target
+  const existing = store.pending.find(
+    (p) => p.targetId === params.targetId && p.type === params.type && p.status === "pending"
+  );
+  
+  if (existing) {
+    // Update last notified time
+    existing.lastNotifiedAt = now;
+    await saveStore(store);
+    return existing;
+  }
+  
+  const approval: PendingApproval = {
+    id: crypto.randomUUID().slice(0, 8),
+    type: params.type,
+    targetId: params.targetId,
+    targetName: params.targetName,
+    targetUsername: params.targetUsername,
+    requesterId: params.requesterId,
+    requesterName: params.requesterName,
+    requesterUsername: params.requesterUsername,
+    replyRoomId: params.replyRoomId,
+    createdAt: now,
+    lastNotifiedAt: now,
+    expiresAt: params.timeoutMs ? now + params.timeoutMs : undefined,
+    status: "pending",
+  };
+  
+  store.pending.push(approval);
+  await saveStore(store);
+  return approval;
+}
+
+/**
+ * Get all pending approvals.
+ */
+export async function listPendingApprovals(): Promise<PendingApproval[]> {
+  const store = await loadStore();
+  return store.pending.filter((p) => p.status === "pending");
+}
+
+/**
+ * Find a pending approval by target (user ID, username, or room ID).
+ */
+export async function findPendingApproval(
+  target: string,
+  type?: ApprovalType
+): Promise<PendingApproval | null> {
+  const store = await loadStore();
+  const normalized = target.toLowerCase().replace(/^@/, "");
+  
+  return store.pending.find((p) => {
+    if (p.status !== "pending") return false;
+    if (type && p.type !== type) return false;
+    
+    // Match by ID
+    if (p.targetId === target) return true;
+    if (p.id === target) return true;
+    
+    // Match by username (case-insensitive)
+    if (p.targetUsername?.toLowerCase() === normalized) return true;
+    
+    // Match by room name for room approvals
+    if (p.type === "room" && p.targetName?.toLowerCase() === normalized) return true;
+    
+    return false;
+  }) ?? null;
+}
+
+/**
+ * Approve a pending request.
+ */
+export async function approveRequest(
+  target: string,
+  decidedBy: string,
+  type?: ApprovalType
+): Promise<PendingApproval | null> {
+  const store = await loadStore();
+  const approval = await findPendingApproval(target, type);
+  
+  if (!approval) return null;
+  
+  approval.status = "approved";
+  approval.decidedBy = decidedBy;
+  approval.decidedAt = Date.now();
+  
+  await saveStore(store);
+  return approval;
+}
+
+/**
+ * Deny a pending request.
+ */
+export async function denyRequest(
+  target: string,
+  decidedBy: string,
+  type?: ApprovalType
+): Promise<PendingApproval | null> {
+  const store = await loadStore();
+  const approval = await findPendingApproval(target, type);
+  
+  if (!approval) return null;
+  
+  approval.status = "denied";
+  approval.decidedBy = decidedBy;
+  approval.decidedAt = Date.now();
+  
+  await saveStore(store);
+  return approval;
+}
+
+/**
+ * Check if a user/room is already approved (in allowlist).
+ */
+export async function isApproved(targetId: string): Promise<boolean> {
+  const store = await loadStore();
+  return store.pending.some(
+    (p) => p.targetId === targetId && p.status === "approved"
+  );
+}
+
+/**
+ * Get expired approvals and mark them.
+ */
+export async function processExpiredApprovals(): Promise<PendingApproval[]> {
+  const store = await loadStore();
+  const now = Date.now();
+  const expired: PendingApproval[] = [];
+  
+  for (const approval of store.pending) {
+    if (approval.status === "pending" && approval.expiresAt && approval.expiresAt < now) {
+      approval.status = "expired";
+      expired.push(approval);
+    }
+  }
+  
+  if (expired.length > 0) {
+    await saveStore(store);
+  }
+  
+  return expired;
+}
+
+/**
+ * Clean up old completed/expired approvals (keep last 100).
+ */
+export async function cleanupOldApprovals(): Promise<void> {
+  const store = await loadStore();
+  const pending = store.pending.filter((p) => p.status === "pending");
+  const completed = store.pending
+    .filter((p) => p.status !== "pending")
+    .sort((a, b) => (b.decidedAt ?? b.createdAt) - (a.decidedAt ?? a.createdAt))
+    .slice(0, 100);
+  
+  store.pending = [...pending, ...completed];
+  await saveStore(store);
+}

package/src/rocketchat/monitor.ts

@@ -19,8 +19,34 @@ import {
   readChannelAllowFromStore,
   upsertChannelPairingRequest,
   buildPairingReply,
+  addToAllowFrom,
 } from "./pairing.js";
 
+import {
+  createApproval,
+  listPendingApprovals,
+  findPendingApproval,
+  approveRequest,
+  denyRequest,
+  type PendingApproval,
+} from "./approval-queue.js";
+
+import {
+  parseApprovalCommand,
+  buildApprovalRequestMessage,
+  buildWaitingMessage,
+  buildApprovedMessage,
+  buildDeniedMessage,
+  formatApprovalRequest,
+} from "./approval-commands.js";
+
+import {
+  isApprover,
+  isNotifyChannel,
+  getDmNotifyTargets,
+  fetchUserRoles,
+} from "./roles.js";
+
 import { getRocketChatRuntime } from "../runtime.js";
 import { resolveRocketChatAccount, type ResolvedRocketChatAccount } from "./accounts.js";
 import {
@@ -460,7 +486,6 @@ async function handleIncomingMessage(
         if (dmPolicy === "pairing") {
           try {
             const { code, created } = await upsertChannelPairingRequest({
-              channel: "rocketchat",
               id: senderId,
               meta: {
                 name: senderName ?? undefined,
@@ -471,7 +496,6 @@ async function handleIncomingMessage(
             if (created) {
               logger.info?.(`[${account.accountId}] Pairing request created for ${senderUsername ?? senderId}, code: ${code}`);
               const reply = buildPairingReply({
-                channel: "rocketchat",
                 idLine: `Rocket.Chat user: ${senderUsername ? `@${senderUsername}` : senderId}`,
                 code,
               });
@@ -486,6 +510,193 @@ async function handleIncomingMessage(
           }
           return;
         }
+
+        // If "owner-approval" mode, use owner channel approval flow
+        if (dmPolicy === "owner-approval") {
+          const ownerConfig = account.config.ownerApproval;
+          if (!ownerConfig?.enabled) {
+            logger.debug?.(`[${account.accountId}] DM from ${senderUsername ?? senderId} blocked (dmPolicy=owner-approval but ownerApproval not enabled)`);
+            return;
+          }
+
+          // Approvers are always allowed through — they need DM access
+          // to send approval commands (approve/deny/list) and to chat.
+          const approvers = ownerConfig.approvers ?? [];
+          if (approvers.length > 0) {
+            const restClient = createRocketChatClient({
+              baseUrl: account.baseUrl!,
+              userId: account.userId!,
+              authToken: account.authToken!,
+            });
+            if (await isApprover(restClient, senderId, senderUsername, approvers)) {
+              logger.debug?.(`[${account.accountId}] DM from ${senderUsername ?? senderId} allowed (sender is approver)`);
+              // Fall through to normal message processing (skip access control)
+            } else {
+              // Not an approver — run the approval request flow
+              try {
+                const existing = await findPendingApproval(senderId, "dm");
+                if (existing?.status === "approved") {
+                  await addToAllowFrom(senderId);
+                  // Fall through to normal message processing
+                } else {
+                  const approval = await createApproval({
+                    type: "dm",
+                    targetId: senderId,
+                    targetName: senderName,
+                    targetUsername: senderUsername,
+                    requesterId: senderId,
+                    requesterName: senderName,
+                    requesterUsername: senderUsername,
+                    replyRoomId: msg.rid,
+                    timeoutMs: ownerConfig.timeout ? ownerConfig.timeout * 1000 : undefined,
+                  });
+
+                  if (approval.createdAt === approval.lastNotifiedAt) {
+                    const notifyChannels = ownerConfig.notifyChannels ?? [];
+                    const notifyMessage = buildApprovalRequestMessage({
+                      type: "dm",
+                      targetId: senderId,
+                      targetName: senderName,
+                      targetUsername: senderUsername,
+                    });
+
+                    for (const channel of notifyChannels) {
+                      try {
+                        if (channel.startsWith("@")) {
+                          await sendMessageRocketChat(`user:${channel.slice(1)}`, notifyMessage, { accountId: account.accountId });
+                        } else if (channel.startsWith("room:")) {
+                          await sendMessageRocketChat(channel, notifyMessage, { accountId: account.accountId });
+                        } else if (channel.startsWith("#")) {
+                          await sendMessageRocketChat(`room:${channel.slice(1)}`, notifyMessage, { accountId: account.accountId });
+                        } else {
+                          await sendMessageRocketChat(`room:${channel}`, notifyMessage, { accountId: account.accountId });
+                        }
+                      } catch (err) {
+                        logger.error?.(`[${account.accountId}] Failed to send approval notification to ${channel}: ${String(err)}`);
+                      }
+                    }
+
+                    await sendMessageRocketChat(`room:${msg.rid}`, buildWaitingMessage(), { accountId: account.accountId });
+                    logger.info?.(`[${account.accountId}] Approval request created for ${senderUsername ?? senderId}`);
+                  }
+
+                  return; // Don't process the message yet
+                }
+              } catch (err) {
+                logger.error?.(`[${account.accountId}] Failed to handle owner-approval flow: ${String(err)}`);
+                return;
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // === Owner Approval Command Handling ===
+  // Check if this message is an approval command from an approver
+  const ownerConfig = account.config.ownerApproval;
+  if (ownerConfig?.enabled) {
+    const approvers = ownerConfig.approvers ?? [];
+    const notifyChannels = ownerConfig.notifyChannels ?? [];
+    
+    // Check if sender is an approver
+    const restClient = createRocketChatClient({
+      baseUrl: account.baseUrl!,
+      userId: account.userId!,
+      authToken: account.authToken!,
+    });
+    
+    const senderIsApprover = await isApprover(
+      restClient,
+      msg.u._id,
+      msg.u.username,
+      approvers
+    );
+
+    // Check if this room is a notify channel
+    const roomName = room?.name ?? room?.fname;
+    const roomIsNotifyChannel = isNotifyChannel(msg.rid, roomName, notifyChannels);
+    
+    // Also check if this is a DM with the bot (approvers can send commands via DM)
+    const isDmWithBot = !isGroup;
+
+    if (senderIsApprover && (roomIsNotifyChannel || isDmWithBot)) {
+      const command = parseApprovalCommand(msg.msg);
+      
+      if (command) {
+        logger.debug?.(`[${account.accountId}] Approval command from ${msg.u.username}: ${JSON.stringify(command)}`);
+        
+        if (command.action === "list") {
+          // List pending approvals
+          const pending = await listPendingApprovals();
+          if (pending.length === 0) {
+            await sendMessageRocketChat(`room:${msg.rid}`, "✅ No pending approvals.", {
+              accountId: account.accountId,
+            });
+          } else {
+            const lines = pending.map(formatApprovalRequest);
+            await sendMessageRocketChat(`room:${msg.rid}`, `📋 **Pending approvals (${pending.length})**\n\n${lines.join("\n")}`, {
+              accountId: account.accountId,
+            });
+          }
+          return; // Don't process as regular message
+        }
+
+        if (command.action === "approve" || command.action === "deny") {
+          const results: string[] = [];
+          
+          for (const target of command.targets) {
+            // Determine type from target format
+            const type = target.startsWith("room:") ? "room" : "dm";
+            const cleanTarget = target.replace(/^room:/, "").replace(/^@/, "");
+            
+            let approval: PendingApproval | null;
+            if (command.action === "approve") {
+              approval = await approveRequest(cleanTarget, msg.u._id, type === "room" ? "room" : "dm");
+            } else {
+              approval = await denyRequest(cleanTarget, msg.u._id, type === "room" ? "room" : "dm");
+            }
+
+            if (approval) {
+              // Add to allowlist if approved
+              if (command.action === "approve") {
+                await addToAllowFrom(approval.targetId);
+              }
+
+              // Notify the requester
+              const shouldNotify = command.action === "approve" 
+                ? ownerConfig.notifyOnApprove !== false
+                : ownerConfig.notifyOnDeny === true;
+              
+              if (shouldNotify) {
+                try {
+                  const message = command.action === "approve"
+                    ? buildApprovedMessage(approval.targetId, approval.type)
+                    : buildDeniedMessage(approval.targetId, approval.type);
+                  
+                  await sendMessageRocketChat(`room:${approval.replyRoomId}`, message, {
+                    accountId: account.accountId,
+                  });
+                } catch (err) {
+                  logger.error?.(`[${account.accountId}] Failed to notify requester: ${String(err)}`);
+                }
+              }
+
+              const targetLabel = approval.targetUsername 
+                ? `@${approval.targetUsername}` 
+                : approval.targetId;
+              results.push(`${command.action === "approve" ? "✅" : "❌"} ${targetLabel}`);
+            } else {
+              results.push(`⚠️ No pending request for: ${target}`);
+            }
+          }
+
+          await sendMessageRocketChat(`room:${msg.rid}`, results.join("\n"), {
+            accountId: account.accountId,
+          });
+          return; // Don't process as regular message
+        }
       }
     }
   }

package/src/rocketchat/roles.ts

@@ -0,0 +1,187 @@
+/**
+ * Rocket.Chat Role Checker
+ * 
+ * Fetches and checks user roles via the Rocket.Chat API.
+ */
+
+import type { RocketChatClient } from "./client.js";
+
+export type UserRoles = {
+  userId: string;
+  username?: string;
+  roles: string[];
+};
+
+// Cache user roles for 5 minutes
+const roleCache = new Map<string, { roles: UserRoles; fetchedAt: number }>();
+const CACHE_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * Fetch user info including roles from Rocket.Chat.
+ */
+export async function fetchUserRoles(
+  client: RocketChatClient,
+  userId: string
+): Promise<UserRoles | null> {
+  // Check cache
+  const cached = roleCache.get(userId);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.roles;
+  }
+  
+  try {
+    const response = await fetch(`${client.baseUrl}/api/v1/users.info?userId=${encodeURIComponent(userId)}`, {
+      headers: {
+        "X-Auth-Token": client.authToken,
+        "X-User-Id": client.userId,
+      },
+    });
+    
+    if (!response.ok) {
+      return null;
+    }
+    
+    const data = await response.json();
+    const user = data.user;
+    
+    if (!user) return null;
+    
+    const roles: UserRoles = {
+      userId: user._id,
+      username: user.username,
+      roles: Array.isArray(user.roles) ? user.roles : [],
+    };
+    
+    // Cache the result
+    roleCache.set(userId, { roles, fetchedAt: Date.now() });
+    
+    return roles;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a user matches any of the approver patterns.
+ * 
+ * Patterns:
+ * - @username — matches specific username
+ * - role:admin — matches anyone with "admin" role
+ * - role:moderator — matches anyone with "moderator" role
+ * - userId — matches specific user ID
+ */
+export async function isApprover(
+  client: RocketChatClient,
+  userId: string,
+  username: string | undefined,
+  approverPatterns: string[]
+): Promise<boolean> {
+  if (approverPatterns.length === 0) return false;
+  
+  const normalizedUsername = username?.toLowerCase();
+  
+  // Check each pattern
+  for (const pattern of approverPatterns) {
+    const trimmed = pattern.trim();
+    if (!trimmed) continue;
+    
+    // @username match
+    if (trimmed.startsWith("@")) {
+      const targetUsername = trimmed.slice(1).toLowerCase();
+      if (normalizedUsername === targetUsername) {
+        return true;
+      }
+      continue;
+    }
+    
+    // role:xxx match
+    if (trimmed.startsWith("role:")) {
+      const targetRole = trimmed.slice(5).toLowerCase();
+      const userRoles = await fetchUserRoles(client, userId);
+      if (userRoles?.roles.some(r => r.toLowerCase() === targetRole)) {
+        return true;
+      }
+      continue;
+    }
+    
+    // Direct user ID match
+    if (trimmed === userId) {
+      return true;
+    }
+    
+    // Username without @ prefix
+    if (normalizedUsername === trimmed.toLowerCase()) {
+      return true;
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Check if a room/channel is in the notify channels list.
+ */
+export function isNotifyChannel(
+  roomId: string,
+  roomName: string | undefined,
+  notifyChannels: string[]
+): boolean {
+  if (notifyChannels.length === 0) return false;
+  
+  const normalizedName = roomName?.toLowerCase();
+  
+  for (const channel of notifyChannels) {
+    const trimmed = channel.trim();
+    if (!trimmed) continue;
+    
+    // @username (DM) — we check this separately
+    if (trimmed.startsWith("@")) {
+      continue;
+    }
+    
+    // room:ID or room:NAME
+    if (trimmed.startsWith("room:")) {
+      const target = trimmed.slice(5);
+      if (target === roomId) return true;
+      if (normalizedName && target.toLowerCase() === normalizedName) return true;
+      continue;
+    }
+    
+    // #channel
+    if (trimmed.startsWith("#")) {
+      const target = trimmed.slice(1).toLowerCase();
+      if (normalizedName === target) return true;
+      continue;
+    }
+    
+    // Plain room ID or name
+    if (trimmed === roomId) return true;
+    if (normalizedName && trimmed.toLowerCase() === normalizedName) return true;
+  }
+  
+  return false;
+}
+
+/**
+ * Get DM targets from notify channels.
+ * Returns usernames (without @) that should receive DM notifications.
+ */
+export function getDmNotifyTargets(notifyChannels: string[]): string[] {
+  const targets: string[] = [];
+  
+  for (const channel of notifyChannels) {
+    const trimmed = channel.trim();
+    if (trimmed.startsWith("@")) {
+      targets.push(trimmed.slice(1));
+    }
+  }
+  
+  return targets;
+}
+
+/**
+ * Clear the role cache (useful for testing or when roles change).
+ */
+export function clearRoleCache(): void {
+  roleCache.clear();
+}

package/test/approval-commands.test.mjs

@@ -0,0 +1,100 @@
+/**
+ * Test cases for approval command parsing
+ */
+
+import assert from "node:assert";
+
+// Simple test runner
+const tests = [];
+function test(name, fn) {
+  tests.push({ name, fn });
+}
+
+// Import the parseApprovalCommand function
+// Since this is a TypeScript project, we'll test the logic manually
+// In a real setup, you'd use ts-node or compile first
+
+// Test cases for parseApprovalCommand logic
+test("parse 'approve @user123' → approve action with target", () => {
+  const text = "approve @user123";
+  // Expected: { action: "approve", targets: ["@user123"] }
+  assert.ok(text.match(/^approve\s+(.+)$/i));
+  const match = text.match(/^approve\s+(.+)$/i);
+  assert.strictEqual(match[1], "@user123");
+});
+
+test("parse 'deny user456' → deny action with target", () => {
+  const text = "deny user456";
+  assert.ok(text.match(/^deny\s+(.+)$/i));
+  const match = text.match(/^deny\s+(.+)$/i);
+  assert.strictEqual(match[1], "user456");
+});
+
+test("parse 'approve room:GENERAL' → approve with room target", () => {
+  const text = "approve room:GENERAL";
+  const match = text.match(/^approve\s+(.+)$/i);
+  assert.strictEqual(match[1], "room:GENERAL");
+});
+
+test("parse 'pending' → list action", () => {
+  const text = "pending";
+  const lower = text.toLowerCase();
+  assert.ok(lower === "pending" || lower === "list pending" || lower === "list");
+});
+
+test("parse 'list pending' → list action", () => {
+  const text = "list pending";
+  const lower = text.toLowerCase();
+  assert.ok(lower === "pending" || lower === "list pending" || lower === "list");
+});
+
+test("parse 'approve @user1 @user2 @user3' → multiple targets", () => {
+  const text = "approve @user1 @user2 @user3";
+  const match = text.match(/^approve\s+(.+)$/i);
+  const targets = match[1].split(/[\s,]+/).filter(Boolean);
+  assert.deepStrictEqual(targets, ["@user1", "@user2", "@user3"]);
+});
+
+test("parse 'yes @user123' → approve (shorthand)", () => {
+  const text = "yes @user123";
+  const yesMatch = text.match(/^(yes|ok|y)\s+(.+)$/i);
+  assert.ok(yesMatch);
+  assert.strictEqual(yesMatch[2], "@user123");
+});
+
+test("parse 'no @user123' → deny (shorthand)", () => {
+  const text = "no @user123";
+  const noMatch = text.match(/^(no|n|reject)\s+(.+)$/i);
+  assert.ok(noMatch);
+  assert.strictEqual(noMatch[2], "@user123");
+});
+
+test("regular message 'hello' → not a command", () => {
+  const text = "hello";
+  assert.ok(!text.match(/^approve\s+(.+)$/i));
+  assert.ok(!text.match(/^deny\s+(.+)$/i));
+  assert.ok(!text.match(/^(yes|ok|y)\s+(.+)$/i));
+  assert.ok(!text.match(/^(no|n|reject)\s+(.+)$/i));
+  const lower = text.toLowerCase();
+  assert.ok(lower !== "pending" && lower !== "list pending" && lower !== "list");
+});
+
+// Run tests
+console.log("Running approval command tests...\n");
+let passed = 0;
+let failed = 0;
+
+for (const { name, fn } of tests) {
+  try {
+    fn();
+    console.log(`✅ ${name}`);
+    passed++;
+  } catch (err) {
+    console.log(`❌ ${name}`);
+    console.log(`   ${err.message}`);
+    failed++;
+  }
+}
+
+console.log(`\n${passed} passed, ${failed} failed`);
+process.exit(failed > 0 ? 1 : 0);