feat: add termly cookie consent banner with cross-subdomain sync

[AlexKantor87]

Summary

• Adds termly.js at the content root. Mintlify auto-includes any .js file there on every page, so this loads the Termly banner across all of docs.kosli.com.
• Adds an integrations.cookies block in docs.json pointing at the kosli_consent localStorage flag — Mintlify gates its own telemetry on this, so their analytics doesn't fire pre-consent (per https://www.mintlify.com/docs/integrations/privacy/overview#cookie-consent-and-disabling-telemetry).
• Termly embed uses the same data-website-uuid as www.kosli.com (single Termly property) plus data-master-consents-origin="https://www.kosli.com" to read consent from the parent.
• Hidden iframe → https://www.kosli.com/consent-sync.html provides Termly's documented cross-subdomain consent sharing, so users who already consented on the marketing site aren't re-prompted on docs.
• TERMLY_CUSTOM_BLOCKING_MAP includes "kosli.com": "essential" so Termly's auto-blocker doesn't sandbox the consent-sync iframe and break the handshake.
• SPA-execution guard (window.__kosliTermlyLoaded) prevents duplicate iframes on Mintlify client-side route changes.
• A termly.consent event listener mirrors Termly's consent state to the kosli_consent localStorage flag that Mintlify reads.

Why

Termly currently runs only on www.kosli.com. Visitors landing directly on docs.kosli.com are never prompted, which is a GDPR/ePrivacy gap. Mintlify doesn't expose <head> injection, so this uses the documented .js-in-content-root path plus the privacy integration.

Dependencies

Land in this order:

1. https://github.com/kosli-dev/www.kosli.com/pull/1787 — relaxes frame-ancestors / X-Frame-Options on /consent-sync.html so this iframe isn't blocked.
2. This PR.

Out-of-band setup (issue tracks): add docs.kosli.com to Termly Scan Settings, confirm cookie domain is .kosli.com.

Tracking issue: https://github.com/kosli-dev/server/issues/5551

Known limitation (documented in tracking issue)

Mintlify content-dir JS executes after hydration, so data-auto-block only catches scripts that fire after Termly mounts. Mintlify's own telemetry is now gated by integrations.cookies so that's covered. Anything we embed in MDX that fires earlier (YouTube, Loom, etc.) is the residual risk — worth a network-tab audit before merge.

Test plan

• Mintlify deploy preview builds without docs.json schema errors.
• Visit a deploy-preview page: Termly banner appears.
• Hidden iframe to https://www.kosli.com/consent-sync.html loads without CSP / X-Frame-Options errors in browser console (requires PR 1787 deployed first).
• Accept cookies on the docs preview → localStorage.kosli_consent === "accepted".
• Reload docs preview after consenting on www.kosli.com → banner does not re-appear (cross-subdomain sync working).
• Network tab: confirm Mintlify telemetry endpoints are not called before consent.
• Navigate between pages: only one Termly script tag and one consent-sync iframe in the DOM (SPA guard working).

🤖 Generated with Claude Code

closes #86

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
kosli	🟢 Ready	View Preview	Apr 30, 2026, 8:42 AM

[dangrondahl]

Code review

Found 1 issue:

1. The event listener on line 39 listens for "termly.consent" (dot separator), but Termly's documented consent event name is "termly:consent" (colon separator). Browser custom event names must match exactly. If the event name is wrong, the listener will never fire, kosli_consent will never be set in localStorage, and Mintlify telemetry will remain permanently blocked regardless of the user's consent choice. Worth verifying in a browser that localStorage["kosli_consent"] is actually set after accepting cookies.

docs/termly.js

Lines 38 to 46 in c480f64

	}
	window.addEventListener("termly.consent", function (e) {
	const analytics = e && e.detail && e.detail.analytics;
	if (analytics) {
	localStorage.setItem("kosli_consent", "accepted");
	} else {
	localStorage.removeItem("kosli_consent");
	}

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[dangrondahl]

Fix: use current Termly Event API (01dffa9)

The original code used window.addEventListener("termly.consent", ...) which is not part of Termly's API — the event never fires, so kosli_consent was never set in localStorage.

Changes:

• Updated embed script from deprecated embed.min.js (2021) to current resource-blocker/UUID?autoBlock=on
• Replaced the non-functional event listener with Termly's documented Termly.on("consent", callback) pattern via an onload handler
• Fixed consent data check from e.detail.analytics to data.categories.includes("analytics")

Tested on preview environment:

1. Loaded docs preview — Termly banner appears, no more "outdated CMP script" console warning
2. Before accepting: localStorage.getItem("kosli_consent") returns null
3. After accepting cookies: localStorage.getItem("kosli_consent") returns "accepted"

Ref: Termly Event API docs, Embed script versions

[dangrondahl]

Remaining console warnings after fix

Two warnings remain in the preview environment:

1. "Termly ResourceBlocker is not the first script on the page" — Mintlify injects its own scripts before termly.js loads, so Termly's auto-blocking may miss scripts that run earlier. This is a Termly best-practice warning, not an error. Not actionable on a Mintlify-hosted site since we don't control script injection order.

2. "frame-ancestors 'self'" / "Unsafe attempt to load consent-sync.html" — Expected until the companion PR (https://github.com/kosli-dev/www.kosli.com/pull/1787) is merged and deployed. That PR relaxes X-Frame-Options on /consent-sync.html to allow cross-subdomain framing from docs.kosli.com.

Neither warning affects the core consent flow — localStorage.kosli_consent is correctly set after accepting cookies.