Area: Integration / API (audit p13) · Surface: /api/docs and /api/openapi.yaml (xAPI + cohort grant) · Dimension: Law 9 API + docs current · Severity: major
The public REST API (served at /api/docs via the openapi.yaml spec) is missing the native xAPI 1.0.3 LRS endpoints — POST/PUT/GET /api/v1/xapi/statements and GET /api/v1/xapi/about — and the POST /api/v1/learn/cohorts/grant endpoint. These are bearer-token, scoped, production endpoints (the LRS comment in routes.php notes mobieusLearn IS the LRS and persists to learn_xapi_statements). An LRS exists precisely so external authoring/reporting tools integrate against it; shipping it undocumented in the public spec means integrators can't discover the contract, scopes, or request/response shapes. Law 9 requires API and docs to stay current and the revision bumped.
Evidence
Routes registered in platform/src/routes.php:198-201 `$router->post('/xapi/statements', …); $router->put('/xapi/statements', …); $router->get('/xapi/statements', …); $router->get('/xapi/about', …);` (under the /api/v1 ApiKeyAuth group, scopes learn:xapi:read / learn:xapi:write) and line 272 `$router->post('/learn/cohorts/grant', 'Api\V1\LearnController@cohortsGrant');`. grep of platform/docs/api/openapi.yaml for `xapi`, `statements`, and `cohort` returns no path entries (only line 1521/1522 mention 'Meet/Zoom/Webex' live-session join URLs, unrelated). The spec documents 80 paths and is otherwise thorough, so these are genuine omissions.
Suggested fix. Add path entries for /api/v1/xapi/statements (POST, PUT, GET), /api/v1/xapi/about (GET, note it is unauthenticated per xAPI §7.7), and /api/v1/learn/cohorts/grant to platform/docs/api/openapi.yaml, documenting the learn:xapi:read / learn:xapi:write scopes and the standard xAPI statement schema. Bump info.version (currently 1.4.0).
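A routes-versus-spec drift check of the kind this finding calls for, added here as an example; it is not the project's code nor part of the audit tooling. It copies the five route lines quoted above into a constructed routes.php excerpt (the xAPI handler names, elided in the finding, are PLACEHOLDERs), models the current openapi.yaml as a parsed dict with the xAPI and cohort paths absent, and holds the proposed path entries in the same parsed form, so the check can show the gap before the fix and confirm it closed afterwards. Assumptions not stated on the page: the ApiKeyAuth group is mounted at a literal `/api/v1` prefix and the spec's paths carry it, the schema name `XapiStatement`, the cohort-grant scope (left as a placeholder) and that the version bump is a minor one.

```python
"""Routes-vs-OpenAPI drift check for the gap in this finding.
Added example, not code from the mobieus project or the audit tooling.
Assumptions: '/api/v1' is the literal prefix of the ApiKeyAuth group, spec
paths carry that prefix, xAPI handler names and the cohort-grant scope are
placeholders, XapiStatement is an assumed schema name, bump is minor."""
import copy
import re

# Constructed excerpt of platform/src/routes.php: the five route lines quoted
# in the finding (xAPI handlers are PLACEHOLDERs) plus one already-documented
# route as a positive control.
ROUTES_PHP = r"""
$router->get('/learn/courses', 'Api\V1\LearnController@PLACEHOLDER');
$router->post('/xapi/statements', 'Api\V1\PLACEHOLDER@store');
$router->put('/xapi/statements', 'Api\V1\PLACEHOLDER@put');
$router->get('/xapi/statements', 'Api\V1\PLACEHOLDER@query');
$router->get('/xapi/about', 'Api\V1\PLACEHOLDER@about');
$router->post('/learn/cohorts/grant', 'Api\V1\LearnController@cohortsGrant');
"""

# Constructed stand-in for the parsed openapi.yaml as it is today: version is
# the 1.4.0 quoted in the finding; the xAPI and cohort paths are absent.
SPEC_BEFORE = {
    "openapi": "3.0.3",
    "info": {"title": "mobieus API", "version": "1.4.0"},
    "paths": {
        "/api/v1/learn/courses": {
            "get": {"summary": "List courses", "security": [{"ApiKeyAuth": []}],
                    "responses": {"200": {"description": "OK"}}},
        },
    },
}

API_KEY = "ApiKeyAuth"
STATEMENT = {"$ref": "#/components/schemas/XapiStatement"}  # assumed schema name

# The path entries the fix adds, in the parsed form of the YAML to write.
# xAPI 1.0.3 shapes: POST returns the stored statement ids, PUT (with a
# statementId query parameter) returns 204, GET returns a StatementResult,
# and the about resource is unauthenticated and lists supported versions.
FIX_PATHS = {
    "/api/v1/xapi/statements": {
        "post": {"summary": "Store one or more xAPI statements",
                 "security": [{API_KEY: ["learn:xapi:write"]}],
                 "requestBody": {"required": True, "content": {"application/json": {
                     "schema": {"oneOf": [STATEMENT, {"type": "array", "items": STATEMENT}]}}}},
                 "responses": {"200": {"description": "Array of stored statement ids"}}},
        "put": {"summary": "Store one statement under a client-supplied id",
                "security": [{API_KEY: ["learn:xapi:write"]}],
                "parameters": [{"name": "statementId", "in": "query", "required": True,
                                "schema": {"type": "string", "format": "uuid"}}],
                "requestBody": {"required": True, "content": {"application/json": {"schema": STATEMENT}}},
                "responses": {"204": {"description": "Stored"}}},
        "get": {"summary": "Query statements",
                "security": [{API_KEY: ["learn:xapi:read"]}],
                "responses": {"200": {"description": "StatementResult"}}},
    },
    "/api/v1/xapi/about": {
        "get": {"summary": "LRS version and extensions", "security": [],
                "responses": {"200": {"description": "Supported xAPI versions"}}},
    },
    "/api/v1/learn/cohorts/grant": {
        "post": {"summary": "Grant cohort access",
                 "security": [{API_KEY: ["PLACEHOLDER:scope-from-routes.php"]}],
                 "responses": {"200": {"description": "OK"}}},
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
ROUTE_RE = re.compile(r"\$router->(get|post|put|patch|delete)\(\s*'([^']+)'")


def registered_operations(php_source, prefix="/api/v1"):
    """(method, path) pairs registered in a routes.php excerpt."""
    return {(m.group(1), prefix + m.group(2)) for m in ROUTE_RE.finditer(php_source)}


def documented_operations(spec):
    """(method, path) pairs that have an operation object in the spec."""
    return {(method, path) for path, item in spec["paths"].items()
            for method in item if method in HTTP_METHODS}


def undocumented(spec, php_source, prefix="/api/v1"):
    """Registered routes the spec does not describe: the Law 9 drift."""
    return sorted(registered_operations(php_source, prefix) - documented_operations(spec))


def scopes(spec, method, path):
    """Flattened set of scopes an operation's security requirements name."""
    return {s for req in spec["paths"][path][method].get("security", [])
            for names in req.values() for s in names}


def apply_fix(spec, new_paths=FIX_PATHS):
    """Copy of spec with the missing paths added and info.version bumped (minor)."""
    fixed = copy.deepcopy(spec)
    fixed["paths"].update(copy.deepcopy(new_paths))
    major, minor, _ = (int(x) for x in fixed["info"]["version"].split("."))
    fixed["info"]["version"] = f"{major}.{minor + 1}.0"
    return fixed


if __name__ == "__main__":
    for method, path in undocumented(SPEC_BEFORE, ROUTES_PHP):
        print(f"undocumented: {method.upper()} {path}")
    fixed = apply_fix(SPEC_BEFORE)
    print("after fix:", undocumented(fixed, ROUTES_PHP), "version", fixed["info"]["version"])
```

Run against the real files, the routes would come from platform/src/routes.php and the spec from parsing platform/docs/api/openapi.yaml; anything `undocumented()` returns is a Law 9 violation, and `scopes()` on the new entries lets a reviewer confirm that the spec states the same learn:xapi:read / learn:xapi:write requirements the route group enforces and that about carries an empty security list.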
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus