User:Risker/Risker's checklist for content-creation extensions

This checklist is created based on my experience as a CheckUser, Oversighter, administrator and editor. I have, in the past, identified and communicated most of the points below, but mainly in relation to specific extensions, or in non-documented discussions.

During the past 10 years, there have been multiple extensions created and activated on live "production" wikis that permitted users to create publicly visible content that was not able to be curated by the community of the host project. While in almost all cases the intention behind the extension has been good, the lack of consistent administration/moderation/curation standards on what constitutes a minimal viable product for an active, public project has resulted in the publicly-visible addition of materials that cannot be removed or otherwise curated by the host project community, including:


 * Major biographies of living persons violations ranging all the way to material that is clearly and obviously libellous, seriously insulting or otherwise harmful
 * Often unintended disclosure of non-public personal information such as telephone numbers, identification numbers, email addresses, health conditions, and other material, or intentional disclosure of non-public personal information of a third party
 * Spam
 * Threats of violence
 * Copyright violations and violations of the project's licensing requirements
 * Otherwise unsuitable materials and materials that are otherwise violations of the terms of use

Minimum viable product
The following are in addition to any product-specific minimum expectations. Note that these apply only to the production wikis, not to test wikis. These apply to products used on any interface to the production wikis (desktop, mobile, mobile app, application programming interfaces, and any other interfaces).

Visibility

 * All actions must show up in the appropriate project logs: recent changes, new pages, etc. In some cases, an extension-specific log will be needed; it should be included in the publicly viewable logs absent a legal or security reason to make it non-public.
 * All actions must show up in the appropriate user-specific logs: user contribution history, upload log, etc.
 * All actions (including actions related to moderating the content) must show up in non-public logs and tables: CheckUser tables and logs, suppression log.

Curation

 * All content must be able to be edited by others.
 * All content must be able to be deleted (both revision deletion and full-page deletion).
 * NOTE: This is not the same thing as HIDING content, which has never been properly effective on any extension it's been used for.

Moderation

 * It must be straightforward to be able to review all logs, including contributions logs, recent changes, etc.
 * All content must be able to be suppressed (either as suppression of individual revisions or by suppression-deletion of the full page).
 * All contributions and actions must show up in the CheckUser tables.

Do no harm, and be prepared to reverse implementation

 * If the presence of an extension on a production wiki harms the actual content of the project, revert unless it is possible to immediately implement a properly tested fix or patch. There should be no shame in reverting.  Many errors don't surface until the software is used at a rate higher than is common on test wiki, and it is not always possible to completely duplicate the production wiki editing environment on a test wiki.
 * Start implementation very small, and wherever possible give the users options to revert to alternatives. The first level of implementation should be small enough that the responsible development team can review ALL edits or actions taken using the extension for unplanned or unexpected errors.
 * Any implementation that results in a significant error rate (e.g., 1% of actions, although for high frequency actions the "significant" rate would be much smaller, closer to 0.01%) should be rolled back until a tested fix or patch can be implemented.
 * If making a content edit using an extension results in an *unplanned* warning message, addition/removal of material, or change in markup, consider early rollback until the problem is identified. Many projects do not have sufficient volunteer editors to clean up these errors, and on high activity wikis the result can be overwhelming to editorial volunteers (q.v., initial implementation of VisualEditor to the English Wikipedia as the default editing interface for all users).

Publicly visible

 * Anything that is visible to a third party. This covers every type of page or content on a project, and is not limited to content. Most logs and pages in the Special namespace are publicly visible.
 * Pages and logs that are visible only to users with at least administrator permissions are not considered publicly visible. This category includes deleted/revision deleted content, suppressed content, CheckUser and suppression logs, and a few pages in the Special namespace.
 * Watchlists, as of January 2017, are not considered publicly visible. Users may create a watchlist and then voluntarily share their user-specific watchlist token, which will permit a web feed that logs activity on the pages the user has watchlisted; however, the web feed itself is not hosted on a Wikimedia project and thus is not publicly visible here.

Content

 * Any material added, removed, altered, revised, edited, deleted, or otherwise modified by a registered or unregistered user using any user interface that creates a change to any aspect of the Wikimedia project.
 * This excludes emails sent using the "Email this user" feature.
 * This includes all wiki namespaces.