diff --git a/extensions/matrix/src/matrix/monitor/handler.test-helpers.ts b/extensions/matrix/src/matrix/monitor/handler.test-helpers.ts
index 00c740c7a16..fc150263e9d 100644
--- a/extensions/matrix/src/matrix/monitor/handler.test-helpers.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.test-helpers.ts
@@ -115,6 +115,7 @@ export function createMatrixHandlerTestHarness(
       counts: { final: 0, block: 0, tool: 0 },
     }));
   const enqueueSystemEvent = options.enqueueSystemEvent ?? vi.fn();
+  const cfgForHandler = options.cfg ?? {};
 
   const handler = createMatrixRoomMessageHandler({
     client: {
@@ -123,6 +124,9 @@ export function createMatrixHandlerTestHarness(
       ...options.client,
     } as never,
     core: {
+      config: {
+        loadConfig: () => cfgForHandler,
+      },
       channel: {
         pairing: {
           readAllowFromStore,
@@ -193,7 +197,7 @@ export function createMatrixHandlerTestHarness(
         enqueueSystemEvent,
       },
     } as never,
-    cfg: (options.cfg ?? {}) as never,
+    cfg: cfgForHandler as never,
     accountId: options.accountId ?? "ops",
     runtime:
       options.runtime ??
diff --git a/extensions/matrix/src/matrix/monitor/handler.ts b/extensions/matrix/src/matrix/monitor/handler.ts
index 24ad2c9f79f..d5f415d23b4 100644
--- a/extensions/matrix/src/matrix/monitor/handler.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.ts
@@ -14,6 +14,7 @@ import type {
   MatrixStreamingMode,
   ReplyToMode,
 } from "../../types.js";
+import { resolveMatrixAccountConfig } from "../account-config.js";
 import { formatMatrixErrorMessage } from "../errors.js";
 import { isMatrixMediaSizeLimitError } from "../media-errors.js";
 import {
@@ -638,10 +639,22 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
         };
         const storeAllowFrom = isDirectMessage ? await readStoreAllowFrom() : [];
         const roomUsers = roomConfig?.users ?? [];
+        // Hot-reload: re-read raw allowlist entries from live config on each
+        // inbound message so additions to dm.allowFrom / groupAllowFrom take
+        // effect without restarting the gateway. Display-name resolution still
+        // only runs at startup, so new entries must be full Matrix IDs
+        // (@user:server). Merging with the closure values preserves any
+        // startup-time resolution work.
+        const liveAccountCfg = resolveMatrixAccountConfig({
+          cfg: core.config.loadConfig() as CoreConfig,
+          accountId,
+        });
+        const liveDmAllowFrom = (liveAccountCfg.dm?.allowFrom ?? []).map(String);
+        const liveGroupAllowFrom = (liveAccountCfg.groupAllowFrom ?? []).map(String);
         const accessState = resolveMatrixMonitorAccessState({
-          allowFrom,
+          allowFrom: [...allowFrom, ...liveDmAllowFrom],
           storeAllowFrom,
-          groupAllowFrom,
+          groupAllowFrom: [...groupAllowFrom, ...liveGroupAllowFrom],
           roomUsers,
           senderId,
           isRoom,