From ea926e0a8c43d9dc8f2bf4f687208be84ee6292b Mon Sep 17 00:00:00 2001
From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com>
Date: Mon, 11 May 2026 11:17:03 +0200
Subject: [PATCH] feat: add MaxMind minFraud device tracking script

Add the MaxMind device.js snippet (account ID 1313245) to both site
layouts so the marketing-site browsing session contributes a device
fingerprint to the existing minFraud check that runs server-side on
signup. Token is collected per-domain by MaxMind via first-party
cookie plus their cross-site storage; this captures pre-conversion
visitors who later sign up at auth.datum.net.

Key features/changes:
- Add dns-prefetch hint for device.maxmind.com in both layouts
- Inject inline IIFE in Layout.astro and LayoutSimple.astro that
  sets window.__mmapiws.accountId and lazy-loads device.js via
  requestIdleCallback, following the existing HelpScout and
  Marker.io deferred-load pattern
- Production-gated via the existing isProduction toggle so dev and
  preview builds never hit MaxMind

Same account ID is already used server-side by the fraud service
when it submits minFraud queries, so browser fingerprints correlate
with backend scores without any additional configuration.
---
 src/layouts/Layout.astro       | 25 +++++++++++++++++++++++++
 src/layouts/LayoutSimple.astro | 25 +++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/src/layouts/Layout.astro b/src/layouts/Layout.astro
index 4dd789e9..bb1263fc 100644
--- a/src/layouts/Layout.astro
+++ b/src/layouts/Layout.astro
@@ -117,6 +117,7 @@ const twitterImageUrl = toAbsoluteUrl(twitterImage?.src ?? imageContent.src);
     <link rel="dns-prefetch" href="https://api.github.com" />
     <link rel="dns-prefetch" href="https://hyperping.com" />
     <link rel="dns-prefetch" href="https://beacon-v2.helpscout.net" />
+    <link rel="dns-prefetch" href="https://device.maxmind.com" />
 
     <!-- Preconnect to critical external domains (loads within ~5s) -->
     <link rel="preconnect" href="https://cdn.usefathom.com" crossorigin />
@@ -367,6 +368,30 @@ const twitterImageUrl = toAbsoluteUrl(twitterImage?.src ?? imageContent.src);
         }
       })();
     </script>
+
+    {/* MaxMind minFraud device tracking - feeds fingerprint into signup fraud check */}
+    <script is:inline data-production={isProduction ? 'true' : 'false'} data-account-id="1313245">
+      (function () {
+        var isProduction = document.currentScript.getAttribute('data-production') === 'true';
+        if (!isProduction) return;
+
+        var accountId = document.currentScript.getAttribute('data-account-id');
+        var mmapiws = (window.__mmapiws = window.__mmapiws || {});
+        mmapiws.accountId = accountId;
+
+        function loadMaxMind() {
+          var script = document.createElement('script');
+          script.src = 'https://device.maxmind.com/js/device.js';
+          script.async = true;
+          document.body.appendChild(script);
+        }
+        if ('requestIdleCallback' in window) {
+          requestIdleCallback(loadMaxMind, { timeout: 4000 });
+        } else {
+          setTimeout(loadMaxMind, 3000);
+        }
+      })();
+    </script>
     {/* WebMCP — expose site tools to AI agents via the browser model context API */}
     <script is:inline>
       if (
diff --git a/src/layouts/LayoutSimple.astro b/src/layouts/LayoutSimple.astro
index 5d8c8efb..21d603e2 100644
--- a/src/layouts/LayoutSimple.astro
+++ b/src/layouts/LayoutSimple.astro
@@ -42,6 +42,7 @@ const descriptionValue =
     <!-- DNS Prefetch for external domains (low priority hints) -->
     <link rel="dns-prefetch" href="https://api.github.com" />
     <link rel="dns-prefetch" href="https://beacon-v2.helpscout.net" />
+    <link rel="dns-prefetch" href="https://device.maxmind.com" />
 
     <!-- Preconnect to critical external domains (loads within ~5s) -->
     <link rel="preconnect" href="https://cdn.usefathom.com" crossorigin />
@@ -236,5 +237,29 @@ const descriptionValue =
         }
       })();
     </script>
+
+    {/* MaxMind minFraud device tracking - feeds fingerprint into signup fraud check */}
+    <script is:inline data-production={isProduction ? 'true' : 'false'} data-account-id="1313245">
+      (function () {
+        var isProduction = document.currentScript.getAttribute('data-production') === 'true';
+        if (!isProduction) return;
+
+        var accountId = document.currentScript.getAttribute('data-account-id');
+        var mmapiws = (window.__mmapiws = window.__mmapiws || {});
+        mmapiws.accountId = accountId;
+
+        function loadMaxMind() {
+          var script = document.createElement('script');
+          script.src = 'https://device.maxmind.com/js/device.js';
+          script.async = true;
+          document.body.appendChild(script);
+        }
+        if ('requestIdleCallback' in window) {
+          requestIdleCallback(loadMaxMind, { timeout: 4000 });
+        } else {
+          setTimeout(loadMaxMind, 3000);
+        }
+      })();
+    </script>
   </body>
 </html>