@cloudrise/openclaw-channel-rocketchat 0.4.1 → 0.6.0

package/CHANGELOG.md

@@ -1,10 +1,50 @@
 # Changelog
 
-## [0.4.1] - 2026-02-15
+## [0.6.0] - 2026-02-15
+
+> ⚠️ **Beta Features**: The approval flows (owner-approval, per-room ACL) in 0.5.0+ are functional but should be considered beta. Additional testing recommended before production use.
+
+### Added
+
+- **Per-Room User Access Control**: Fine-grained control over who can interact with the bot in each room
+  - `rooms.<roomId>.canInteract` — static list of users/roles who can interact
+  - `rooms.<roomId>.roomApprovers` — who can approve others for this room
+  - `rooms.<roomId>.responseMode` — "always" or "mention-only" for approved users
+  - `rooms.<roomId>.onMentionUnauthorized` — "ignore" or "reply" when unauthorized user @mentions bot
+- **Room-level commands** for roomApprovers:
+  - `room-approve @user` — approve user for current room only
+  - `room-deny @user` — remove user from room's approved list
+  - `room-list` — list approved users for current room
+- **Dynamic room user storage**: `~/.openclaw/credentials/rocketchat-room-users.json`
+
+### Example Config
+
+```yaml
+rooms:
+  GENERAL:
+    responseMode: "mention-only"   # Only respond when @mentioned
+    canInteract:                   # Static approved users
+      - "role:admin"
+      - "@marshal"
+    roomApprovers:                 # Who can approve others
+      - "role:owner"
+      - "role:moderator"
+    onMentionUnauthorized: "ignore"
+```
+
+## [0.5.0] - 2026-02-15
+
+### Added
+
+- **Channel/Room Approval**: New `groupPolicy: "owner-approval"` for controlling which channels the bot responds in
+  - Bot sends "pending approval" message on first message in unapproved channels
+  - Approve with `approve room:ROOMID`, deny with `deny room:ROOMID`
+  - Separate allowlist for rooms (`groupAllowFrom` config or `rocketchat-rooms-allowFrom.json`)
+- **Bootstrapping documentation**: Clear instructions to pre-approve approvers and main channels to avoid lockout
 
 ### Fixed
 
-- **Approver bypass**: Approvers are now correctly allowed through the DM access gate to send approval commands. Previously, approvers would get stuck in the "pending approval" flow when DMing the bot.
+- **Approver bypass**: Approvers are now correctly allowed through both DM and group access gates. Previously, approvers would get stuck in the "pending approval" flow.
 
 ## [0.4.0] - 2026-02-15
 

package/README.md

@@ -424,6 +424,146 @@ pending                    # list pending requests
 
 ---
 
+### Channel/Room Approval (groupPolicy)
+
+Control which channels the bot responds in:
+
+```yaml
+channels:
+  rocketchat:
+    groupPolicy: "owner-approval"  # or "open" | "allowlist" | "disabled"
+```
+
+| Policy | Behavior |
+|--------|----------|
+| `open` | **(Default)** Bot responds in any channel it's added to. |
+| `owner-approval` | Bot sends "pending approval" on first message in new channels. |
+| `allowlist` | Only channels in `groupAllowFrom` receive responses. |
+| `disabled` | Bot ignores all channel messages. |
+
+**With `groupPolicy: "owner-approval"`:**
+- When invited to a new channel, first message triggers approval request
+- Approvers receive: `"🔔 Bot invited to #channel-name by @user"`
+- Approve with: `approve room:ROOMID`
+
+---
+
+### 🔑 Auto-Approval (Important!)
+
+**Approvers and notify channels are automatically allowed through access gates** — no manual pre-approval needed!
+
+| `ownerApproval` Entry | DM Gate | Channel/Group Gate |
+|-----------------------|---------|-------------------|
+| `approvers: ["@user"]` | ✅ Auto-allowed | ✅ Auto-allowed (in any room) |
+| `notifyChannels: ["room:ID"]` | N/A | ✅ Auto-allowed |
+
+**Minimal recommended config (no lockout risk):**
+
+```yaml
+channels:
+  rocketchat:
+    dmPolicy: "owner-approval"
+    groupPolicy: "owner-approval"
+    
+    ownerApproval:
+      enabled: true
+      approvers:
+        - "@yourusername"           # You can DM the bot + approve in any room
+      notifyChannels:
+        - "room:YOUR_MAIN_ROOM_ID"  # This room is auto-approved
+      notifyOnApprove: true
+      notifyOnDeny: true
+```
+
+That's it! With this config:
+- ✅ You can DM the bot (you're an approver)
+- ✅ Your main room works (it's a notify channel)
+- ✅ Approval commands work in your main room
+- 🔒 Everyone else needs approval
+
+---
+
+### Manual Pre-Approval (Optional)
+
+If you need to pre-approve additional users or rooms that aren't approvers/notifyChannels:
+
+**In config:**
+```yaml
+channels:
+  rocketchat:
+    allowFrom:           # Pre-approved DM users
+      - "@alice"
+      - "@bob"
+    groupAllowFrom:      # Pre-approved rooms
+      - "room:GENERAL"
+      - "#support"
+```
+
+**Or via files:**
+```bash
+# Pre-approve DM users
+echo '{"version":1,"entries":["alice","bob"]}' > ~/.openclaw/credentials/rocketchat-allowFrom.json
+
+# Pre-approve rooms
+echo '{"version":1,"entries":["GENERAL"]}' > ~/.openclaw/credentials/rocketchat-rooms-allowFrom.json
+```
+
+---
+
+### Per-Room User Access Control
+
+Control which users can interact with the bot **within each approved room**:
+
+```yaml
+channels:
+  rocketchat:
+    rooms:
+      GENERAL:
+        # Response mode for approved users
+        responseMode: "mention-only"  # or "always" (default)
+        
+        # Who can interact (static list)
+        canInteract:
+          - "@alice"
+          - "@bob"
+          - "role:admin"
+          - "role:moderator"
+        
+        # Who can approve/deny users for THIS room
+        roomApprovers:
+          - "role:owner"          # Room owners
+          - "role:moderator"
+          - "@marshal"
+        
+        # When non-approved user @mentions bot
+        onMentionUnauthorized: "ignore"  # or "reply" (sends "not authorized")
+      
+      SUPPORT:
+        # No restrictions - everyone in the room can interact
+        responseMode: "always"
+```
+
+**Room-level commands** (usable by `roomApprovers`):
+```
+room-approve @alice     # Approve alice for THIS room only
+room-deny @alice        # Remove alice from this room's approved list
+room-list               # Show who's approved in this room
+```
+
+**How it works:**
+1. Room gets global approval (via `groupPolicy`)
+2. Per-room user check: is sender in `canInteract`, `roomApprovers`, or dynamically approved?
+3. If not approved:
+   - Silent ignore (unless `onMentionUnauthorized: "reply"`)
+4. If approved:
+   - Check `responseMode` — respond always or only when @mentioned
+
+**Storage:** `~/.openclaw/credentials/rocketchat-room-users.json`
+
+**Note:** Global approvers (`ownerApproval.approvers`) can interact in ANY room, regardless of per-room settings.
+
+---
+
 ### CLI-Based Pairing
 
 If you prefer CLI-based approval:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudrise/openclaw-channel-rocketchat",
-  "version": "0.4.1",
+  "version": "0.6.0",
   "description": "Rocket.Chat channel plugin for OpenClaw (Cloudrise)",
   "license": "MIT",
   "type": "module",

package/src/rocketchat/accounts.ts

@@ -10,6 +10,20 @@ type RocketChatRoomConfig = {
   requireMention?: boolean;
   /** Optional per-room override. Use the room rid (e.g. GENERAL), not the channel name. */
   replyMode?: RocketChatReplyMode;
+  
+  // === Per-Room User Access Control ===
+  
+  /** Response mode: "always" responds to all approved users, "mention-only" only when @mentioned */
+  responseMode?: "always" | "mention-only";
+  
+  /** Who can interact with the bot in this room (static config) */
+  canInteract?: string[];
+  
+  /** Who can approve/deny users for THIS room (room-level approvers) */
+  roomApprovers?: string[];
+  
+  /** What happens when non-approved user @mentions bot: "ignore" or "reply" with unauthorized message */
+  onMentionUnauthorized?: "ignore" | "reply";
 };
 
 export type OwnerApprovalConfig = {

package/src/rocketchat/approval-commands.ts

@@ -7,6 +7,11 @@
  * - approve room:GENERAL
  * - list pending
  * - pending
+ * 
+ * Room-level commands:
+ * - room-approve @user123
+ * - room-deny @user123
+ * - room-list
  */
 
 export type ApprovalCommand = 
@@ -15,6 +20,12 @@ export type ApprovalCommand =
   | { action: "list" }
   | null;
 
+export type RoomCommand =
+  | { action: "room-approve"; targets: string[] }
+  | { action: "room-deny"; targets: string[] }
+  | { action: "room-list" }
+  | null;
+
 /**
  * Parse an approval command from a message.
  * Returns null if the message is not a command.
@@ -208,3 +219,98 @@ export function buildDeniedMessage(target: string, type: "dm" | "room"): string
     return `❌ This room was not approved. Goodbye!`;
   }
 }
+
+// === Room-Level Commands ===
+
+/**
+ * Parse a room-level command from a message.
+ * These control per-room user access (not global approval).
+ * 
+ * Commands:
+ * - room-approve @user
+ * - room-deny @user
+ * - room-list
+ */
+export function parseRoomCommand(text: string): RoomCommand {
+  const trimmed = text.trim();
+  const lower = trimmed.toLowerCase();
+  
+  // room-list
+  if (lower === "room-list" || lower === "room list") {
+    return { action: "room-list" };
+  }
+  
+  // room-approve @user
+  const approveMatch = trimmed.match(/^room[- ]?approve\s+(.+)$/i);
+  if (approveMatch) {
+    const targets = parseUserTargets(approveMatch[1]);
+    if (targets.length > 0) {
+      return { action: "room-approve", targets };
+    }
+  }
+  
+  // room-deny @user
+  const denyMatch = trimmed.match(/^room[- ]?deny\s+(.+)$/i);
+  if (denyMatch) {
+    const targets = parseUserTargets(denyMatch[1]);
+    if (targets.length > 0) {
+      return { action: "room-deny", targets };
+    }
+  }
+  
+  // room-remove @user (alias for deny)
+  const removeMatch = trimmed.match(/^room[- ]?remove\s+(.+)$/i);
+  if (removeMatch) {
+    const targets = parseUserTargets(removeMatch[1]);
+    if (targets.length > 0) {
+      return { action: "room-deny", targets };
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Parse user targets (for room commands - users only, not rooms).
+ */
+function parseUserTargets(input: string): string[] {
+  const parts = input.split(/[\s,]+/).filter(Boolean);
+  const targets: string[] = [];
+  
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (!trimmed) continue;
+    
+    // @username
+    if (trimmed.startsWith("@")) {
+      targets.push(trimmed);
+      continue;
+    }
+    
+    // Plain username
+    targets.push(`@${trimmed}`);
+  }
+  
+  return targets;
+}
+
+/**
+ * Build the "not authorized" message for non-approved users who @mention the bot.
+ */
+export function buildNotAuthorizedMessage(): string {
+  return `🔒 You're not authorized to interact with me in this room. Ask a room admin to approve you.`;
+}
+
+/**
+ * Build the room user approved message.
+ */
+export function buildRoomUserApprovedMessage(username: string): string {
+  return `✅ @${username} can now interact with me in this room.`;
+}
+
+/**
+ * Build the room user denied/removed message.
+ */
+export function buildRoomUserDeniedMessage(username: string): string {
+  return `❌ @${username} has been removed from this room's approved users.`;
+}

package/src/rocketchat/client.ts

@@ -149,6 +149,33 @@ export async function fetchRocketChatChannels(
   return res.channels;
 }
 
+/**
+ * Fetch a channel's info by name (for resolving room ID).
+ */
+export async function fetchRocketChatChannelByName(
+  client: RocketChatClient,
+  channelName: string
+): Promise<RocketChatRoom | null> {
+  try {
+    const res = await rcFetch<{ channel: RocketChatRoom; success: boolean }>(
+      client,
+      `/api/v1/channels.info?roomName=${encodeURIComponent(channelName)}`
+    );
+    return res.channel ?? null;
+  } catch {
+    // Try groups (private channels) if channel lookup fails
+    try {
+      const res = await rcFetch<{ group: RocketChatRoom; success: boolean }>(
+        client,
+        `/api/v1/groups.info?roomName=${encodeURIComponent(channelName)}`
+      );
+      return res.group ?? null;
+    } catch {
+      return null;
+    }
+  }
+}
+
 export type RocketChatSubscription = {
   _id: string;
   rid: string;

package/src/rocketchat/monitor.ts

@@ -33,18 +33,31 @@ import {
 
 import {
   parseApprovalCommand,
+  parseRoomCommand,
   buildApprovalRequestMessage,
   buildWaitingMessage,
   buildApprovedMessage,
   buildDeniedMessage,
+  buildNotAuthorizedMessage,
+  buildRoomUserApprovedMessage,
+  buildRoomUserDeniedMessage,
   formatApprovalRequest,
 } from "./approval-commands.js";
 
+import {
+  getRoomApprovedUsers,
+  isRoomUserApproved,
+  addRoomUser,
+  removeRoomUser,
+  formatRoomUsersList,
+} from "./room-users.js";
+
 import {
   isApprover,
   isNotifyChannel,
   getDmNotifyTargets,
   fetchUserRoles,
+  fetchUserByUsername,
 } from "./roles.js";
 
 import { getRocketChatRuntime } from "../runtime.js";
@@ -593,6 +606,328 @@ async function handleIncomingMessage(
     }
   }
 
+  // === Access Control for Groups/Channels ===
+  // Check groupPolicy before processing messages from groups/channels
+  if (isGroup) {
+    const groupPolicy = account.config.groupPolicy ?? "open"; // Default to "open" for Rocket.Chat
+    const roomId = msg.rid;
+    const roomName = room?.name ?? room?.fname ?? roomId;
+    const senderId = msg.u._id;
+    const senderUsername = msg.u.username;
+    const senderName = msg.u.name ?? senderUsername;
+
+    // If disabled, silently drop all group messages
+    if (groupPolicy === "disabled") {
+      logger.debug?.(`[${account.accountId}] Group message from ${roomName} blocked (groupPolicy=disabled)`);
+      return;
+    }
+
+    // If not "open", check if room is allowed
+    if (groupPolicy !== "open") {
+      // Normalize helper
+      const normalizeRoomEntry = (entry: string): string =>
+        entry
+          .trim()
+          .replace(/^(rocketchat|room):/i, "")
+          .replace(/^#/, "")
+          .toLowerCase();
+
+      // Read allowed rooms from store + config
+      const storeAllowFrom = await readChannelAllowFromStore("rocketchat-rooms").catch(() => []);
+      const configAllowFrom = (account.config.groupAllowFrom ?? []).map(String).map(normalizeRoomEntry);
+      const allAllowFrom = [...new Set([...storeAllowFrom, ...configAllowFrom])];
+
+      // Check if room is allowed
+      const normalizedRoomId = normalizeRoomEntry(roomId);
+      const normalizedRoomName = roomName ? normalizeRoomEntry(roomName) : null;
+      
+      // Auto-allow notifyChannels (they need to receive approval notifications)
+      const ownerConfigForCheck = account.config.ownerApproval;
+      const notifyChannels = ownerConfigForCheck?.notifyChannels ?? [];
+      const isNotifyChannelRoom = isNotifyChannel(roomId, roomName, notifyChannels);
+      
+      const isAllowed = isNotifyChannelRoom || allAllowFrom.some(
+        (entry) =>
+          entry === "*" ||
+          entry === normalizedRoomId ||
+          (normalizedRoomName && entry === normalizedRoomName)
+      );
+
+      if (!isAllowed) {
+        // If "allowlist" mode, block without approval
+        if (groupPolicy === "allowlist") {
+          logger.debug?.(`[${account.accountId}] Group message from ${roomName} blocked (groupPolicy=allowlist, not in groupAllowFrom)`);
+          return;
+        }
+
+        // If "owner-approval" mode, create approval request
+        if (groupPolicy === "owner-approval") {
+          const ownerConfig = account.config.ownerApproval;
+          if (!ownerConfig?.enabled) {
+            logger.debug?.(`[${account.accountId}] Group message from ${roomName} blocked (groupPolicy=owner-approval but ownerApproval not enabled)`);
+            return;
+          }
+
+          // Approvers are allowed through in any room
+          const approvers = ownerConfig.approvers ?? [];
+          if (approvers.length > 0) {
+            const restClient = createRocketChatClient({
+              baseUrl: account.baseUrl!,
+              userId: account.userId!,
+              authToken: account.authToken!,
+            });
+            if (await isApprover(restClient, senderId, senderUsername, approvers)) {
+              logger.debug?.(`[${account.accountId}] Group message from ${roomName} allowed (sender ${senderUsername} is approver)`);
+              // Fall through to normal message processing
+            } else {
+              // Not an approver — check for pending room approval
+              try {
+                const existing = await findPendingApproval(roomId, "room");
+                if (existing?.status === "approved") {
+                  // Room was approved, add to allowed list
+                  await addToAllowFrom(roomId, "rocketchat-rooms");
+                  // Fall through to normal message processing
+                } else if (!existing) {
+                  // Create new approval request for this room
+                  const approval = await createApproval({
+                    type: "room",
+                    targetId: roomId,
+                    targetName: roomName,
+                    requesterId: senderId,
+                    requesterName: senderName,
+                    requesterUsername: senderUsername,
+                    replyRoomId: roomId,
+                    timeoutMs: ownerConfig.timeout ? ownerConfig.timeout * 1000 : undefined,
+                  });
+
+                  // Notify approvers
+                  const notifyChannels = ownerConfig.notifyChannels ?? [];
+                  const notifyMessage = buildApprovalRequestMessage({
+                    type: "room",
+                    targetId: roomId,
+                    targetName: roomName,
+                    requesterName: senderName,
+                    requesterUsername: senderUsername,
+                  });
+
+                  for (const channel of notifyChannels) {
+                    try {
+                      if (channel.startsWith("@")) {
+                        await sendMessageRocketChat(`user:${channel.slice(1)}`, notifyMessage, {
+                          accountId: account.accountId,
+                        });
+                      } else if (channel.startsWith("room:")) {
+                        await sendMessageRocketChat(channel, notifyMessage, {
+                          accountId: account.accountId,
+                        });
+                      } else {
+                        await sendMessageRocketChat(`room:${channel}`, notifyMessage, {
+                          accountId: account.accountId,
+                        });
+                      }
+                    } catch (err) {
+                      logger.error?.(`[${account.accountId}] Failed to send room approval notification to ${channel}: ${String(err)}`);
+                    }
+                  }
+
+                  // Notify the room that it's pending approval
+                  await sendMessageRocketChat(`room:${roomId}`, "⏳ This room is pending approval. The owner has been notified.", {
+                    accountId: account.accountId,
+                  });
+
+                  logger.info?.(`[${account.accountId}] Room approval request created for ${roomName}`);
+                }
+                // If pending, silently drop (already notified)
+                return;
+              } catch (err) {
+                logger.error?.(`[${account.accountId}] Failed to handle room approval flow: ${String(err)}`);
+                return;
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // === Per-Room User Access Control ===
+  // After room is approved, check if this specific user can interact
+  if (isGroup) {
+    const roomId = msg.rid;
+    const roomName = room?.name ?? room?.fname ?? roomId;
+    const senderId = msg.u._id;
+    const senderUsername = msg.u.username;
+    const senderName = msg.u.name ?? senderUsername;
+    
+    // Get room-specific config
+    const roomConfig = (account.config.rooms?.[roomId] ?? {}) as {
+      responseMode?: "always" | "mention-only";
+      canInteract?: string[];
+      roomApprovers?: string[];
+      onMentionUnauthorized?: "ignore" | "reply";
+    };
+    
+    // Check if room has per-user access control configured
+    const hasRoomAccessControl = roomConfig.canInteract?.length || roomConfig.roomApprovers?.length;
+    
+    if (hasRoomAccessControl) {
+      // Check if sender is a room approver (they always have access)
+      const roomApprovers = roomConfig.roomApprovers ?? [];
+      let isRoomApprover = false;
+      
+      if (roomApprovers.length > 0) {
+        const restClient = createRocketChatClient({
+          baseUrl: account.baseUrl!,
+          userId: account.userId!,
+          authToken: account.authToken!,
+        });
+        isRoomApprover = await isApprover(restClient, senderId, senderUsername, roomApprovers);
+      }
+      
+      // Check if sender is in canInteract list (static config)
+      const canInteract = roomConfig.canInteract ?? [];
+      let isInCanInteract = false;
+      
+      if (canInteract.length > 0) {
+        const restClient = createRocketChatClient({
+          baseUrl: account.baseUrl!,
+          userId: account.userId!,
+          authToken: account.authToken!,
+        });
+        isInCanInteract = await isApprover(restClient, senderId, senderUsername, canInteract);
+      }
+      
+      // Check if sender is in dynamic room users list
+      const isInRoomUsers = await isRoomUserApproved(roomId, senderId, senderUsername);
+      
+      // Also check if sender is a global approver (they can interact anywhere)
+      const globalApprovers = account.config.ownerApproval?.approvers ?? [];
+      let isGlobalApprover = false;
+      if (globalApprovers.length > 0) {
+        const restClient = createRocketChatClient({
+          baseUrl: account.baseUrl!,
+          userId: account.userId!,
+          authToken: account.authToken!,
+        });
+        isGlobalApprover = await isApprover(restClient, senderId, senderUsername, globalApprovers);
+      }
+      
+      const canUserInteract = isRoomApprover || isInCanInteract || isInRoomUsers || isGlobalApprover;
+      
+      // Check if this is a room command from a room approver
+      if (isRoomApprover || isGlobalApprover) {
+        const roomCommand = parseRoomCommand(msg.msg);
+        
+        if (roomCommand) {
+          logger.debug?.(`[${account.accountId}] Room command from ${senderUsername}: ${JSON.stringify(roomCommand)}`);
+          
+          if (roomCommand.action === "room-list") {
+            const users = await getRoomApprovedUsers(roomId);
+            await sendMessageRocketChat(`room:${roomId}`, formatRoomUsersList(users), {
+              accountId: account.accountId,
+            });
+            return;
+          }
+          
+          if (roomCommand.action === "room-approve") {
+            const results: string[] = [];
+            
+            for (const target of roomCommand.targets) {
+              const username = target.replace(/^@/, "");
+              
+              // Look up user by username
+              const restClient = createRocketChatClient({
+                baseUrl: account.baseUrl!,
+                userId: account.userId!,
+                authToken: account.authToken!,
+              });
+              
+              try {
+                const userInfo = await fetchUserByUsername(restClient, username);
+                if (userInfo) {
+                  const { added, existing } = await addRoomUser({
+                    roomId,
+                    userId: userInfo.userId,
+                    username: userInfo.username,
+                    approvedBy: senderUsername ?? senderId,
+                  });
+                  
+                  if (added) {
+                    results.push(buildRoomUserApprovedMessage(username));
+                  } else if (existing) {
+                    results.push(`ℹ️ @${username} is already approved for this room.`);
+                  }
+                } else {
+                  results.push(`⚠️ User not found: ${username}`);
+                }
+              } catch (err) {
+                results.push(`⚠️ Failed to approve ${username}: ${String(err)}`);
+              }
+            }
+            
+            await sendMessageRocketChat(`room:${roomId}`, results.join("\n"), {
+              accountId: account.accountId,
+            });
+            return;
+          }
+          
+          if (roomCommand.action === "room-deny") {
+            const results: string[] = [];
+            
+            for (const target of roomCommand.targets) {
+              const username = target.replace(/^@/, "");
+              
+              const { removed } = await removeRoomUser({
+                roomId,
+                username,
+              });
+              
+              if (removed) {
+                results.push(buildRoomUserDeniedMessage(username));
+              } else {
+                results.push(`⚠️ @${username} was not in this room's approved list.`);
+              }
+            }
+            
+            await sendMessageRocketChat(`room:${roomId}`, results.join("\n"), {
+              accountId: account.accountId,
+            });
+            return;
+          }
+        }
+      }
+      
+      // If user can't interact, check response mode and handle accordingly
+      if (!canUserInteract) {
+        const responseMode = roomConfig.responseMode ?? "always";
+        const onMentionUnauthorized = roomConfig.onMentionUnauthorized ?? "ignore";
+        
+        // Check if bot was @mentioned
+        const botUsername = account.userId; // This should be resolved to username
+        const wasMentioned = msg.mentions?.some((m: { _id: string }) => m._id === account.userId);
+        
+        if (wasMentioned && onMentionUnauthorized === "reply") {
+          await sendMessageRocketChat(`room:${roomId}`, buildNotAuthorizedMessage(), {
+            accountId: account.accountId,
+          });
+        }
+        
+        logger.debug?.(`[${account.accountId}] User ${senderUsername} not authorized in room ${roomName}`);
+        return;
+      }
+      
+      // User can interact - check responseMode
+      const responseMode = roomConfig.responseMode ?? "always";
+      if (responseMode === "mention-only") {
+        const wasMentioned = msg.mentions?.some((m: { _id: string }) => m._id === account.userId);
+        if (!wasMentioned) {
+          logger.debug?.(`[${account.accountId}] Ignoring message from ${senderUsername} in ${roomName} (mention-only mode)`);
+          return;
+        }
+      }
+    }
+  }
+
   // === Owner Approval Command Handling ===
   // Check if this message is an approval command from an approver
   const ownerConfig = account.config.ownerApproval;
@@ -661,7 +996,9 @@ async function handleIncomingMessage(
             if (approval) {
               // Add to allowlist if approved
               if (command.action === "approve") {
-                await addToAllowFrom(approval.targetId);
+                // Use different store for rooms vs users
+                const storeId = approval.type === "room" ? "rocketchat-rooms" : "rocketchat";
+                await addToAllowFrom(approval.targetId, storeId);
               }
 
               // Notify the requester

package/src/rocketchat/pairing.ts

@@ -46,8 +46,8 @@ function resolvePairingPath(): string {
   return path.join(resolveCredentialsDir(), `${CHANNEL_ID}-pairing.json`);
 }
 
-function resolveAllowFromPath(): string {
-  return path.join(resolveCredentialsDir(), `${CHANNEL_ID}-allowFrom.json`);
+function resolveAllowFromPath(storeId: string = CHANNEL_ID): string {
+  return path.join(resolveCredentialsDir(), `${storeId}-allowFrom.json`);
 }
 
 function generatePairingCode(): string {
@@ -82,9 +82,9 @@ async function writePairingStore(store: PairingStore): Promise<void> {
   await fs.writeFile(filePath, JSON.stringify(store, null, 2), { mode: 0o600 });
 }
 
-async function readAllowFromStore(): Promise<AllowFromStore> {
+async function readAllowFromStore(storeId: string = CHANNEL_ID): Promise<AllowFromStore> {
   try {
-    const data = await fs.readFile(resolveAllowFromPath(), "utf-8");
+    const data = await fs.readFile(resolveAllowFromPath(storeId), "utf-8");
     const parsed = JSON.parse(data);
     return {
       version: parsed.version ?? 1,
@@ -95,17 +95,18 @@ async function readAllowFromStore(): Promise<AllowFromStore> {
   }
 }
 
-async function writeAllowFromStore(store: AllowFromStore): Promise<void> {
+async function writeAllowFromStore(store: AllowFromStore, storeId: string = CHANNEL_ID): Promise<void> {
   await ensureDir(resolveCredentialsDir());
-  const filePath = resolveAllowFromPath();
+  const filePath = resolveAllowFromPath(storeId);
   await fs.writeFile(filePath, JSON.stringify(store, null, 2), { mode: 0o600 });
 }
 
 /**
  * Read the allowFrom list from the pairing store.
+ * @param storeId - Store identifier (default: "rocketchat", use "rocketchat-rooms" for room allowlist)
  */
-export async function readChannelAllowFromStore(): Promise<string[]> {
-  const store = await readAllowFromStore();
+export async function readChannelAllowFromStore(storeId: string = CHANNEL_ID): Promise<string[]> {
+  const store = await readAllowFromStore(storeId);
   return store.entries;
 }
 
@@ -189,12 +190,14 @@ export function buildPairingReply(params: {
 
 /**
  * Add an entry to the allowFrom store (called when pairing is approved).
+ * @param entry - The entry to add (user ID or room ID)
+ * @param storeId - Store identifier (default: "rocketchat", use "rocketchat-rooms" for room allowlist)
  */
-export async function addToAllowFrom(entry: string): Promise<void> {
-  const store = await readAllowFromStore();
+export async function addToAllowFrom(entry: string, storeId: string = CHANNEL_ID): Promise<void> {
+  const store = await readAllowFromStore(storeId);
   const normalized = entry.toLowerCase().trim();
   if (!store.entries.includes(normalized)) {
     store.entries.push(normalized);
-    await writeAllowFromStore(store);
+    await writeAllowFromStore(store, storeId);
   }
 }

package/src/rocketchat/roles.ts

@@ -16,6 +16,40 @@ export type UserRoles = {
 const roleCache = new Map<string, { roles: UserRoles; fetchedAt: number }>();
 const CACHE_TTL_MS = 5 * 60 * 1000;
 
+/**
+ * Fetch user info by username from Rocket.Chat.
+ */
+export async function fetchUserByUsername(
+  client: RocketChatClient,
+  username: string
+): Promise<UserRoles | null> {
+  try {
+    const response = await fetch(`${client.baseUrl}/api/v1/users.info?username=${encodeURIComponent(username)}`, {
+      headers: {
+        "X-Auth-Token": client.authToken,
+        "X-User-Id": client.userId,
+      },
+    });
+    
+    if (!response.ok) {
+      return null;
+    }
+    
+    const data = await response.json();
+    const user = data.user;
+    
+    if (!user) return null;
+    
+    return {
+      userId: user._id,
+      username: user.username,
+      roles: Array.isArray(user.roles) ? user.roles : [],
+    };
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Fetch user info including roles from Rocket.Chat.
  */

package/src/rocketchat/room-users.ts

@@ -0,0 +1,183 @@
+/**
+ * Per-Room User Access Control
+ * 
+ * Manages which users can interact with the bot in specific rooms.
+ * Separate from global approval — this is room-level granular control.
+ * 
+ * Storage: ~/.openclaw/credentials/rocketchat-room-users.json
+ */
+
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import * as os from "node:os";
+
+export type RoomUserEntry = {
+  userId: string;
+  username?: string;
+  approvedBy: string;
+  approvedAt: string;
+};
+
+export type RoomUsersData = {
+  approved: RoomUserEntry[];
+};
+
+type RoomUsersStore = {
+  version: number;
+  rooms: Record<string, RoomUsersData>;
+};
+
+// In-memory cache
+let cache: RoomUsersStore | null = null;
+
+function resolveStorePath(): string {
+  return path.join(os.homedir(), ".openclaw", "credentials", "rocketchat-room-users.json");
+}
+
+async function ensureDir(dirPath: string): Promise<void> {
+  await fs.mkdir(dirPath, { recursive: true, mode: 0o700 });
+}
+
+async function loadStore(): Promise<RoomUsersStore> {
+  if (cache) return cache;
+  
+  try {
+    const data = await fs.readFile(resolveStorePath(), "utf-8");
+    const parsed = JSON.parse(data);
+    cache = {
+      version: parsed.version ?? 1,
+      rooms: parsed.rooms ?? {},
+    };
+    return cache;
+  } catch {
+    cache = { version: 1, rooms: {} };
+    return cache;
+  }
+}
+
+async function saveStore(store: RoomUsersStore): Promise<void> {
+  cache = store;
+  await ensureDir(path.dirname(resolveStorePath()));
+  await fs.writeFile(resolveStorePath(), JSON.stringify(store, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Get all approved users for a room.
+ */
+export async function getRoomApprovedUsers(roomId: string): Promise<RoomUserEntry[]> {
+  const store = await loadStore();
+  return store.rooms[roomId]?.approved ?? [];
+}
+
+/**
+ * Check if a user is approved for a specific room.
+ */
+export async function isRoomUserApproved(
+  roomId: string,
+  userId: string,
+  username?: string
+): Promise<boolean> {
+  const approved = await getRoomApprovedUsers(roomId);
+  const normalizedUsername = username?.toLowerCase();
+  
+  return approved.some(
+    (entry) =>
+      entry.userId === userId ||
+      (normalizedUsername && entry.username?.toLowerCase() === normalizedUsername)
+  );
+}
+
+/**
+ * Add a user to a room's approved list.
+ */
+export async function addRoomUser(params: {
+  roomId: string;
+  userId: string;
+  username?: string;
+  approvedBy: string;
+}): Promise<{ added: boolean; existing: boolean }> {
+  const store = await loadStore();
+  
+  if (!store.rooms[params.roomId]) {
+    store.rooms[params.roomId] = { approved: [] };
+  }
+  
+  const room = store.rooms[params.roomId];
+  const normalizedUsername = params.username?.toLowerCase();
+  
+  // Check if already approved
+  const existing = room.approved.find(
+    (entry) =>
+      entry.userId === params.userId ||
+      (normalizedUsername && entry.username?.toLowerCase() === normalizedUsername)
+  );
+  
+  if (existing) {
+    return { added: false, existing: true };
+  }
+  
+  room.approved.push({
+    userId: params.userId,
+    username: params.username,
+    approvedBy: params.approvedBy,
+    approvedAt: new Date().toISOString(),
+  });
+  
+  await saveStore(store);
+  return { added: true, existing: false };
+}
+
+/**
+ * Remove a user from a room's approved list.
+ */
+export async function removeRoomUser(params: {
+  roomId: string;
+  userId?: string;
+  username?: string;
+}): Promise<{ removed: boolean; entry?: RoomUserEntry }> {
+  const store = await loadStore();
+  const room = store.rooms[params.roomId];
+  
+  if (!room) {
+    return { removed: false };
+  }
+  
+  const normalizedUsername = params.username?.toLowerCase();
+  const index = room.approved.findIndex(
+    (entry) =>
+      (params.userId && entry.userId === params.userId) ||
+      (normalizedUsername && entry.username?.toLowerCase() === normalizedUsername)
+  );
+  
+  if (index === -1) {
+    return { removed: false };
+  }
+  
+  const [removed] = room.approved.splice(index, 1);
+  await saveStore(store);
+  return { removed: true, entry: removed };
+}
+
+/**
+ * Format room users list for display.
+ */
+export function formatRoomUsersList(users: RoomUserEntry[]): string {
+  if (users.length === 0) {
+    return "No users approved for this room.";
+  }
+  
+  const lines = users.map((u) => {
+    const who = u.username ? `@${u.username}` : u.userId;
+    const when = new Date(u.approvedAt).toLocaleDateString();
+    return `• ${who} (by ${u.approvedBy}, ${when})`;
+  });
+  
+  return `**Approved users (${users.length})**\n${lines.join("\n")}`;
+}
+
+/**
+ * Clear the cache (useful for testing).
+ */
+export function clearRoomUsersCache(): void {
+  cache = null;
+}

package/src/rocketchat/send.ts

@@ -9,6 +9,7 @@ import { resolveRocketChatAccount } from "./accounts.js";
 import {
   createRocketChatClient,
   createRocketChatDirectMessage,
+  fetchRocketChatChannelByName,
   fetchRocketChatMe,
   fetchRocketChatUserByUsername,
   normalizeRocketChatBaseUrl,
@@ -203,9 +204,20 @@ export async function sendMessageRocketChat(
   let message = text?.trim() ?? "";
   const mediaUrl = opts.mediaUrl?.trim();
 
-  // Resolve room ID for uploads (channels need special handling)
+  // Resolve actual room ID for uploads (channels need to be looked up)
   const isChannel = target.kind === "channel";
-  const uploadRoomId = isChannel ? roomId : roomId;
+  let uploadRoomId = roomId;
+  
+  if (isChannel && mediaUrl && isLocalPath(mediaUrl)) {
+    // For channel uploads, we need the actual room _id, not the #name
+    const channelInfo = await fetchRocketChatChannelByName(client, target.name);
+    if (channelInfo?._id) {
+      uploadRoomId = channelInfo._id;
+      logger?.debug?.(`Resolved channel "${target.name}" to room ID: ${uploadRoomId}`);
+    } else {
+      logger?.warn?.(`Could not resolve channel "${target.name}" to room ID, upload may fail`);
+    }
+  }
 
   // Handle local file uploads
   if (mediaUrl && isLocalPath(mediaUrl)) {
@@ -214,7 +226,7 @@ export async function sendMessageRocketChat(
       const fileName = path.basename(mediaUrl);
       const mimeType = getMimeFromExt(mediaUrl);
       
-      logger?.debug?.(`Uploading file to Rocket.Chat: ${fileName} (${mimeType}, ${fileBuffer.length} bytes)`);
+      logger?.debug?.(`Uploading file to Rocket.Chat: ${fileName} (${mimeType}, ${fileBuffer.length} bytes) to room ${uploadRoomId}`);
       
       const upload = await uploadRocketChatFile(client, {
         roomId: uploadRoomId,