Regarding the second point, I have a half-ready Python script to post the notice on Stewards' noticeboard

Could we please create a paste for this beforehand for the stews, so that we know which users are affected?

In T420214#11714100, @EPIC wrote:

Could we please create a paste for this beforehand for the stews, so that we know which users are affected?

These are the users as of now:
{P89864}

In practice they still have a week before the demotion for these groups will start

The paste seems to be restricted (even to me as a steward).

I did set WMF-NDA as the type of the paste (I thought stewards have access to those by default). I hope it's fixed now.

Thank you! I was slightly surprised I did not have access to WMF-NDA since I signed the volunteer NDA last year, but perhaps I don't qualify.

FYI, today I demoted CN admins without 2FA (two in total), and this is how it looks like in the log: https://test.wikipedia.org/w/index.php?title=Special:Log&logid=458067

If it was a demotion of CU/OS, the log entry would be copied over to Meta-Wiki as well (with testwiki>Maintenance script as performer). A notice about that would be also posted on Stewards' noticeboard then.

Perhaps that log summary should link to a documentation page?

In T420214#11723886, @Xaosflux wrote:

Perhaps that log summary should link to a documentation page?

We've had a discussion within PSI about how detailed the log summary should be. While there were different opinions on what to include there, a dominating view was that it shouldn't give too much information explicitly (in other conditions the users' 2FA status is non-public).

Of course, it's impossible to completely hide the fact that lack of 2FA was the reason for demotion for the users, but the in the discussion it was stressed that it shouldn't rather be advertised too broadly.

This is how I expect the notice about autodemotion look like: https://test.wikipedia.org/w/index.php?title=User:MszBot/sandbox&diff=prev&oldid=734224 (For testing, I used EPIC, instead of Maintenance script as the performer to look for).

The notifications are going to be very rare. Even though the bot will run daily, I expect that autodemotions will happen very rarily, primarily when new groups are configured with 2FA requirement.

In case anybody would like to look at, the source code is available on GitLab: https://gitlab.wikimedia.org/toolforge-repos/autodemote-notifier

In T420214#11728317, @mszwarc wrote:

This is how I expect the notice about autodemotion look like: https://test.wikipedia.org/w/index.php?title=User:MszBot/sandbox&diff=prev&oldid=734224 (For testing, I used EPIC, instead of Maintenance script as the performer to look for).

The notifications are going to be very rare. Even though the bot will run daily, I expect that autodemotions will happen very rarily, primarily when new groups are configured with 2FA requirement.

In case anybody would like to look at, the source code is available on GitLab: https://gitlab.wikimedia.org/toolforge-repos/autodemote-notifier

Looks good to me, thank you!

A list of users at risk of demotion, which includes also interface admins is available to stewards here:

(format: username \t group1 \t wiki1 \t group2 \t wiki2 \t ... )

{P89901}