fix(group): bots always follow their owner — no exit/kick role exceptions, blacklist cascades to owner's bots (#355)

Fixes #354

Product decision: **a user's bots always follow the user — no role
exceptions.** When a user leaves, is kicked, or is blacklisted, every
bot they created and invited into the group must follow them. This
closes the two gaps left after the D-2 cascade (#1186 / #1189).

## Gap 1 — creator/manager exceptions on the exit/kick cascade

- **`groupExit`**: removed the `loginMember.Role != MemberRoleCreator`
guard. A group owner who exits (after ownership transfer to the
second-oldest member) now cascades exactly like a normal member: bot
members removed in the same transaction, plus the existing thread_member
/ IM subscription / pinned / conv_ext cleanup and the system tip.
- New-owner selection now uses `QuerySecondOldestMemberExcludingBotsOf`,
which excludes the leaving owner's own bots — otherwise a bot could be
promoted to creator and cascade-deleted in the same transaction, leaving
the group ownerless. Other users' bots keep the old selection semantics.
- **`RemoveGroupMembers`**: dropped the manager exception from the
removable filter and from the per-member cascade guard. A kicked manager
leaves together with their bots. Creator keeps the belt-and-suspenders
exemption (cannot be kicked; API-level `memberRemove` already restricts
manager removal to the owner).

## Gap 2 — blacklist had no cascade at all

Previously `blacklist add` only flipped the target user's member status
+ IM blacklist. Their bots stayed `status=Normal`, so a blacklisted user
could keep reading group/subchannel content **through their own bot**,
bypassing the entire `ExistMemberActive` hardening line (#343 / #345).

- On blacklist add/remove, the target list is expanded with the users'
in-group bots (`robot.creator_uid` match, same fail-closed ownership
semantics as the D-2 cascade: orphan/disabled bots are not anyone's
bot).
- The bots then go through the same pipeline as the user: member status
flip, IM blacklist add/remove, parent-group + subchannel subscription
teardown (YUJ-4185 line), and symmetric restore on un-blacklist.
- The ownership query intentionally does not filter
`group_member.status`, so un-blacklist finds the bots that are currently
in `Blacklist` state and restores them.

## Tests

- `TestQuitGroup_CreatorCascadesBots` — owner exits → ownership
transferred to a human (bot excluded from selection), owner's bot
cascade-removed.
- `TestQuerySecondOldestMemberExcludingBotsOf_OnlyBotsLeft` — no new
owner when only the leaver's bots remain; other users' bots unaffected.
- `TestRemoveGroupMembers_ManagerKickCascadesBots` — kicked manager +
their bot both removed; creator still unkickable.
- `TestQueryBotUIDsOwnedByUIDs_BasicMatch` /
`TestExpandBlacklistTargetsWithOwnedBots` — cascade target expansion
semantics (ownership scoping, orphan/disabled exclusion, dedupe).
- `TestBlacklistCascade_BotBlockedByExistMemberActive` — blacklisted
user's bot fails `ExistMemberActive` (subchannel read/write gate
denies); un-blacklist symmetrically restores; bystanders untouched.
- Existing D-2 cascade suites (`bot_cascade_test.go`,
`api_groupexit_cascade_thread_test.go`) pass unchanged except the
obsolete creator-skip case, which now asserts the new product decision.

Full `modules/group`, `modules/bot_api`, `modules/thread`,
`modules/message`, `modules/user`, `modules/robot`, `modules/webhook`
suites pass locally.
<!-- sprint-set-retrigger -->

Author: yujiawei

modules/bot_api/group_member_remove_guard_test.go

@@ -0,0 +1,141 @@
+package bot_api
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/Mininglamp-OSS/octo-lib/pkg/util"
+	"github.com/Mininglamp-OSS/octo-lib/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// PR#355 review 守卫：bot_admin 与人类管理员同权，POST
+// /v1/bot/groups/:group_no/members/remove 不得移除群主/管理员。#354 把
+// service 层 RemoveGroupMembers 的 manager 豁免下沉移除后，目标角色校验由
+// 调用方负责——Web API memberRemove 有 creator/manager 守卫，这里验证 Bot
+// API 路径的对等守卫：
+//   - 目标含 manager → 403 cannot_remove_privileged，且整个请求拒绝（混合
+//     列表里的普通成员也不能被"顺带"移除）；
+//   - 目标含 creator → 403 cannot_remove_privileged；
+//   - 目标全为普通成员 → 正常移除（守卫不误伤）。
+
+const (
+	rmGuardGroupNo  = "g_rm_guard_1"
+	rmGuardBotID    = "bot_rm_guard"
+	rmGuardBotToken = "bf_rm_guard_token"
+	rmGuardCreator  = "u_rm_creator"
+	rmGuardManager  = "u_rm_manager"
+	rmGuardCommon   = "u_rm_common"
+)
+
+func setupRemoveGuardEnv(t *testing.T) http.Handler {
+	t.Helper()
+	s, ctx := testutil.NewTestServer()
+	require.NoError(t, testutil.CleanAllTables(ctx))
+
+	_, err := ctx.DB().InsertBySql(
+		"INSERT INTO robot (robot_id, status, creator_uid, bot_token) VALUES (?, 1, ?, ?)",
+		rmGuardBotID, rmGuardCreator, rmGuardBotToken).Exec()
+	require.NoError(t, err)
+
+	_, err = ctx.DB().InsertBySql(
+		"INSERT INTO `group` (group_no, name, status, version) VALUES (?, ?, 1, 1)",
+		rmGuardGroupNo, "remove guard group").Exec()
+	require.NoError(t, err)
+
+	// creator(role=1) / manager(role=2) / 普通成员(role=0) / bot 管理员(bot_admin=1)
+	for _, m := range []struct {
+		uid              string
+		role, robot, adm int
+	}{
+		{rmGuardCreator, 1, 0, 0},
+		{rmGuardManager, 2, 0, 0},
+		{rmGuardCommon, 0, 0, 0},
+		{rmGuardBotID, 0, 1, 1},
+	} {
+		_, err = ctx.DB().InsertBySql(
+			"INSERT INTO group_member (group_no, uid, role, robot, bot_admin, vercode, is_deleted, status, version) VALUES (?, ?, ?, ?, ?, ?, 0, 1, 1)",
+			rmGuardGroupNo, m.uid, m.role, m.robot, m.adm, util.GenerUUID()).Exec()
+		require.NoError(t, err)
+	}
+
+	return s.GetRoute()
+}
+
+func rmGuardIsActiveMember(t *testing.T, handler http.Handler, uid string) bool {
+	t.Helper()
+	w := doBot(handler, botReq(t, "GET", "/v1/bot/groups/"+rmGuardGroupNo+"/members", rmGuardBotToken, nil))
+	require.Equalf(t, http.StatusOK, w.Code, "list members body: %s", w.Body.String())
+	// GET /members 返回成员数组；uid 可能出现在响应的其他字段里，所以逐项
+	// 比对而不是对响应体做字符串包含判断。
+	var members []struct {
+		UID string `json:"uid"`
+	}
+	require.NoErrorf(t, json.Unmarshal(w.Body.Bytes(), &members), "list members body: %s", w.Body.String())
+	for _, m := range members {
+		if m.UID == uid {
+			return true
+		}
+	}
+	return false
+}
+
+func TestBotGroupMemberRemove_ManagerTargetForbidden(t *testing.T) {
+	handler := setupRemoveGuardEnv(t)
+
+	w := doBot(handler, botReq(t, "POST", "/v1/bot/groups/"+rmGuardGroupNo+"/members/remove", rmGuardBotToken,
+		map[string]interface{}{"members": []string{rmGuardManager}}))
+	assert.Equalf(t, http.StatusForbidden, w.Code, "body: %s", w.Body.String())
+	assert.Contains(t, w.Body.String(), "cannot be removed through the bot API")
+	assert.True(t, rmGuardIsActiveMember(t, handler, rmGuardManager), "manager must remain a member")
+}
+
+func TestBotGroupMemberRemove_CreatorTargetForbidden(t *testing.T) {
+	handler := setupRemoveGuardEnv(t)
+
+	w := doBot(handler, botReq(t, "POST", "/v1/bot/groups/"+rmGuardGroupNo+"/members/remove", rmGuardBotToken,
+		map[string]interface{}{"members": []string{rmGuardCreator}}))
+	assert.Equalf(t, http.StatusForbidden, w.Code, "body: %s", w.Body.String())
+	assert.Contains(t, w.Body.String(), "cannot be removed through the bot API")
+	assert.True(t, rmGuardIsActiveMember(t, handler, rmGuardCreator), "creator must remain a member")
+}
+
+func TestBotGroupMemberRemove_MixedListRejectedAtomically(t *testing.T) {
+	handler := setupRemoveGuardEnv(t)
+
+	// 混合列表（普通成员 + 管理员）→ 整个请求 403，普通成员也不能被顺带移除。
+	w := doBot(handler, botReq(t, "POST", "/v1/bot/groups/"+rmGuardGroupNo+"/members/remove", rmGuardBotToken,
+		map[string]interface{}{"members": []string{rmGuardCommon, rmGuardManager}}))
+	assert.Equalf(t, http.StatusForbidden, w.Code, "body: %s", w.Body.String())
+	assert.Contains(t, w.Body.String(), "cannot be removed through the bot API")
+	assert.True(t, rmGuardIsActiveMember(t, handler, rmGuardManager), "manager must remain a member")
+	assert.True(t, rmGuardIsActiveMember(t, handler, rmGuardCommon), "common member must not be removed when the request is rejected")
+}
+
+func TestBotGroupMemberRemove_ManagerTargetCaseVariantForbidden(t *testing.T) {
+	handler := setupRemoveGuardEnv(t)
+
+	// MySQL utf8mb4_*_ci collation 下 uid 匹配大小写不敏感：大小写变体在
+	// service 层仍会命中真实 manager 行，所以守卫必须按 DB 解析行的角色
+	// 拦截，而不是在 Go 里做大小写敏感的字符串比对（codex review P1 回归）。
+	w := doBot(handler, botReq(t, "POST", "/v1/bot/groups/"+rmGuardGroupNo+"/members/remove", rmGuardBotToken,
+		map[string]interface{}{"members": []string{strings.ToUpper(rmGuardManager)}}))
+	assert.Equalf(t, http.StatusForbidden, w.Code, "body: %s", w.Body.String())
+	assert.Contains(t, w.Body.String(), "cannot be removed through the bot API")
+	assert.True(t, rmGuardIsActiveMember(t, handler, rmGuardManager), "manager must remain a member")
+}
+
+func TestBotGroupMemberRemove_CommonTargetStillWorks(t *testing.T) {
+	handler := setupRemoveGuardEnv(t)
+
+	w := doBot(handler, botReq(t, "POST", "/v1/bot/groups/"+rmGuardGroupNo+"/members/remove", rmGuardBotToken,
+		map[string]interface{}{"members": []string{rmGuardCommon}}))
+	require.Equalf(t, http.StatusOK, w.Code, "body: %s", w.Body.String())
+	resp := decodeBody(t, w)
+	assert.Equal(t, true, resp["ok"])
+	assert.Equal(t, float64(1), resp["removed"])
+	assert.False(t, rmGuardIsActiveMember(t, handler, rmGuardCommon), "common member should be removed")
+}

modules/bot_api/groups.go

@@ -656,6 +656,35 @@ func (ba *BotAPI) botGroupMemberRemove(c *wkhttp.Context) {
 		return
 	}
 
+	// PR#355 review: bot_admin 与人类管理员同权，不能踢群主/管理员——对齐
+	// Web API memberRemove 的角色守卫（manager 不可移除 manager/creator）。
+	// #354 把 service 层 RemoveGroupMembers 的 manager 豁免去掉后，目标角色
+	// 校验完全由调用方负责；不在这里拦截的话，bot_admin=1 的 bot 可以越权
+	// 踢任意管理员并级联带走其 bot。
+	//
+	// 角色校验必须基于 DB 解析后的目标行：WHERE 条件与 service 层
+	// QueryMembersWithUids 完全一致，由 MySQL collation 决定 uid 匹配
+	// （utf8mb4_*_ci 大小写不敏感）。如果改在 Go 里做大小写敏感的字符串
+	// 比对，请求方用 uid 的大小写变体即可绕过守卫、却仍命中 service 层的
+	// 真实 manager 行。
+	var targetRows []struct {
+		UID  string `db:"uid"`
+		Role int    `db:"role"`
+	}
+	_, err = ba.db.session.Select("uid", "role").From("group_member").
+		Where("uid in ? and group_no=? and is_deleted=0", filteredMembers, groupNo).Load(&targetRows)
+	if err != nil {
+		ba.Error("query target members failed", zap.Error(err), zap.String("groupNo", groupNo))
+		httperr.ResponseErrorL(c, errcode.ErrBotAPIQueryFailed, nil, nil)
+		return
+	}
+	for _, row := range targetRows {
+		if row.Role != group.MemberRoleCommon {
+			httperr.ResponseErrorLWithStatus(c, errcode.ErrBotAPICannotRemovePrivileged, nil, i18n.Details{"uid": row.UID})
+			return
+		}
+	}
+
 	removeResp, err := ba.groupService.RemoveGroupMembers(&group.RemoveGroupMembersServiceReq{
 		GroupNo:      groupNo,
 		Members:      filteredMembers,

modules/botfather/api_bot_group_test.go

@@ -351,9 +351,14 @@ func TestBotGroupMemberRemove_CannotRemoveCreator(t *testing.T) {
 		"members": []string{testutil.UID},
 	}))
 
-	assert.Equal(t, http.StatusOK, w.Code)
-	result := jsonResult(t, w)
-	assert.Equal(t, float64(0), result["removed"])
+	// PR#355 review (Jerry-Xin): the bot member-remove role guard now rejects
+	// the request outright instead of silently skipping the creator. This
+	// mirrors the Web API memberRemove rule (a manager cannot kick the
+	// creator/managers) — see modules/bot_api/groups.go and the matching
+	// err.server.bot_api.cannot_remove_privileged 403 in
+	// modules/bot_api/group_member_remove_guard_test.go.
+	assert.Equalf(t, http.StatusForbidden, w.Code, "body: %s", w.Body.String())
+	assert.Contains(t, w.Body.String(), "cannot be removed through the bot API")
 }
 
 func TestBotGroupMemberRemove_NotBotAdmin(t *testing.T) {

modules/group/api.go

@@ -2833,8 +2833,9 @@ func (g *Group) groupExit(c *wkhttp.Context) {
 	**/
 	var newGrouper *MemberModel // 新群主
 	if loginMember.Role == MemberRoleCreator {
-		// 查询第二老成员
-		newGrouper, err = g.db.QuerySecondOldestMember(groupNo)
+		// 查询第二老成员。#354：排除退群群主名下的 bot——它们会在下方被级联带走，
+		// 不能被选为新群主（否则新群主在同一事务内即被删除）。
+		newGrouper, err = g.db.QuerySecondOldestMemberExcludingBotsOf(groupNo, loginUID)
 		if err != nil {
 			g.Error("查询第二元老成员失败！", zap.Error(err))
 			httperr.ResponseErrorL(c, errcode.ErrGroupQueryFailed, nil, nil)
@@ -2896,21 +2897,19 @@ func (g *Group) groupExit(c *wkhttp.Context) {
 	}
 
 	// D-2 · 级联带走 inviter 拉入的 bot（YUJ-49 / Mininglamp-OSS/octo-server#1186）。
-	// Edge case: 群主退群时此逻辑不触发（角色转让由上方 newGrouper 兜底；
-	//            若确要销群应走 DismissGroup）——保持 bot 跟随新群主留在群中。
+	// #354 产品决策：bot 永远跟随其主人，无角色例外——群主退群（角色已由上方
+	// newGrouper 完成转让）同样级联带走自己名下的 bot，和普通成员一致。
 	var cascadedBotUsers []*user.Model
-	if loginMember.Role != MemberRoleCreator {
-		cascadedUIDs, cerr := cascadeRemoveBotsInvitedByUIDTx(g.db, g.ctx, groupNo, loginUID, tx)
-		if cerr != nil {
-			tx.Rollback()
-			g.Error("级联移除 bot 成员失败", zap.Error(cerr))
-			httperr.ResponseErrorL(c, errcode.ErrGroupStoreFailed, nil, nil)
-			return
-		}
-		for _, botUID := range cascadedUIDs {
-			botUser, _ := g.userDB.QueryByUID(botUID)
-			cascadedBotUsers = append(cascadedBotUsers, botUser)
-		}
+	cascadedUIDs, cerr := cascadeRemoveBotsInvitedByUIDTx(g.db, g.ctx, groupNo, loginUID, tx)
+	if cerr != nil {
+		tx.Rollback()
+		g.Error("级联移除 bot 成员失败", zap.Error(cerr))
+		httperr.ResponseErrorL(c, errcode.ErrGroupStoreFailed, nil, nil)
+		return
+	}
+	for _, botUID := range cascadedUIDs {
+		botUser, _ := g.userDB.QueryByUID(botUID)
+		cascadedBotUsers = append(cascadedBotUsers, botUser)
 	}
 
 	// 若退群者是外部成员且当前群是外部群，检查是否需要恢复普通群
@@ -3128,6 +3127,16 @@ func (g *Group) blacklist(c *wkhttp.Context) {
 		httperr.ResponseErrorL(c, errcode.ErrGroupManagerOnly, nil, nil)
 		return
 	}
+	// #354 · Bot 跟人走：拉黑/解除拉黑级联到目标用户名下在群的 bot
+	// （robot.creator_uid 命中）。旧行为只动用户本人，其 bot 仍 status=Normal，
+	// 被拉黑用户可经自己的 bot 旁路读群/子区内容，绕过 ExistMemberActive
+	// 加固线（#343/#345）。解除拉黑走同一扩展，对称恢复。
+	targetUIDs, err := expandBlacklistTargetsWithOwnedBots(g.db, groupNo, req.Uids)
+	if err != nil {
+		g.Error("查询拉黑级联 bot 失败", zap.Error(err))
+		httperr.ResponseErrorL(c, errcode.ErrGroupQueryFailed, nil, nil)
+		return
+	}
 	status := 0
 	if action == "add" {
 		status = int(common.GroupMemberStatusBlacklist)
@@ -3141,14 +3150,14 @@ func (g *Group) blacklist(c *wkhttp.Context) {
 		httperr.ResponseErrorL(c, errcode.ErrGroupStoreFailed, nil, nil)
 		return
 	}
-	err = g.db.updateMembersStatus(version, groupNo, status, req.Uids)
+	err = g.db.updateMembersStatus(version, groupNo, status, targetUIDs)
 	if err != nil {
 		g.Error("添加或移除群成员黑名单错误", zap.Error(err))
 		httperr.ResponseErrorL(c, errcode.ErrGroupStoreFailed, nil, nil)
 		return
 	}
 	if status == int(common.GroupMemberStatusBlacklist) {
-		err = g.setGroupBlacklist(groupNo, req.Uids, status == int(common.GroupMemberStatusBlacklist))
+		err = g.setGroupBlacklist(groupNo, targetUIDs, status == int(common.GroupMemberStatusBlacklist))
 		if err != nil {
 			g.Error("添加IM黑名单错误", zap.Error(err))
 			httperr.ResponseErrorL(c, errcode.ErrGroupStoreFailed, nil, nil)
@@ -3158,18 +3167,19 @@ func (g *Group) blacklist(c *wkhttp.Context) {
 		// 仅靠 setGroupBlacklist(IMBlacklistAdd) 只挡“发送”，不断“接收”——被拉黑者仍
 		// 通过 WuKongIM WS 收子区/父群实时消息（越权读 P0）。子区订阅复用 #27/#332 统一
 		// helper；父群订阅显式 IMRemoveSubscriber。best-effort：失败只记日志、不回滚拉黑。
-		for _, uid := range req.Uids {
+		// #354：级联拉黑的 bot 同样摘除订阅（targetUIDs 已含 bot）。
+		for _, uid := range targetUIDs {
 			g.removeUserFromGroupThreads(groupNo, uid, group.SpaceID)
 		}
 		if rmErr := g.ctx.IMRemoveSubscriber(&config.SubscriberRemoveReq{
 			ChannelID:   groupNo,
 			ChannelType: common.ChannelTypeGroup.Uint8(),
-			Subscribers: req.Uids,
+			Subscribers: targetUIDs,
 		}); rmErr != nil {
 			g.Error("拉黑摘除父群IM订阅失败", zap.Error(rmErr), zap.String("groupNo", groupNo))
 		}
 	} else {
-		members, err := g.db.QueryMembersWithUids(req.Uids, groupNo)
+		members, err := g.db.QueryMembersWithUids(targetUIDs, groupNo)
 		if err != nil {
 			g.Error("查询移除黑名单成员错误", zap.Error(err))
 			httperr.ResponseErrorL(c, errcode.ErrGroupQueryFailed, nil, nil)
@@ -3222,7 +3232,7 @@ func (g *Group) blacklist(c *wkhttp.Context) {
 			return
 		}
 	} else {
-		for _, uid := range req.Uids {
+		for _, uid := range targetUIDs {
 			// 发送群成员更新命令
 			err = g.ctx.SendCMD(config.MsgCMDReq{
 				ChannelID:   groupNo,

modules/group/api_groupexit_cascade_thread_test.go

@@ -77,7 +77,7 @@ func TestGroupExit_CascadeBot_AlsoRemovesFromThread(t *testing.T) {
 	f := New(s.ctx)
 	ensureThreadTables(t, f)
 
-	// --- 1. 用户：群主 owner、退群者 leaver（非群主，cascade 前置条件）、bot 本体 ---
+	// --- 1. 用户：群主 owner、退群者 leaver（普通成员场景；#354 起群主退群同样 cascade）、bot 本体 ---
 	insertTestUsers(t, userDB, "owner", "leaver")
 	botUID := "yuj52_bot_by_leaver"
 	require.NoError(t, userDB.Insert(&user.Model{UID: botUID, Name: "bot-by-leaver", ShortNo: "sn_" + botUID, Robot: 1}))