Area: Integration / API (audit p13) · Surface: GET/POST/PUT /api/v1/xapi/statements, GET /api/v1/xapi/about · Dimension: documentation · Severity: major
External LMS tools (authoring tools, content packages, cmi5/xAPI activities) integrate by POSTing statements to this LRS. It is a credential-gated, scope-protected integration surface with no published reference at /api/docs and no mobieusKnow guide. A developer wiring up an xAPI activity has nothing to read — no base URL, no scopes, no statement shape, no auth header. This is the canonical example of a feature that ships in code but is invisible in docs (Law 7).
Evidence
The xAPI surface is a real developer-facing integration. Controller header at /home/patrick/mobieus-io/platform/src/Controllers/Api/V1/LearnXapiController.php:18-27 states: '/api/v1/xapi/* — the native xAPI 1.0.3 Learning Record Store surface. mobieusLearn IS the LRS … Auth — every endpoint requires one of: learn:xapi:read for GETs, learn:xapi:write for POST/PUT/DELETE'. But it appears NOWHERE in the published API reference: `curl -s https://support.mobieus.io/api/openapi.yaml | grep -ic xapi` returns `0`. And no wiki article exists: `curl https://support.mobieus.io/know/api-xapi` → 404, `/know/xapi` → 404, `/know/learn-xapi` → 404; wiki search for 'learning record store' and 'xAPI statements' returns only /know/index (no matching article).
Suggested fix. Add the /api/v1/xapi/statements (GET/POST/PUT) and /api/v1/xapi/about paths to the OpenAPI spec served at /api/openapi.yaml, including the learn:xapi:read / learn:xapi:write scopes and statement request/response schemas. Add a mobieusKnow article (e.g. /know/api-xapi or extend /know/api-learn) covering the LRS base URL, API-key auth, scopes, and a curl example for emitting a statement.
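A way to keep this gap from reopening once the spec is fixed is a coverage check that compares the controller's route table against the served OpenAPI document and fails CI on any undocumented xAPI operation. The script below is an added example, not part of the audit tooling or the platform code. It assumes the spec has already been parsed into a dict (for instance with `yaml.safe_load` on `/api/openapi.yaml`), that scopes are expressed in operation-level `security` entries under a security scheme named `apiKeyScopes` (an assumed name; OpenAPI's `apiKey` type carries no scopes, so the example declares it as `oauth2` to hold the `learn:xapi:*` scopes), and that `DOCUMENTED_SPEC` is a constructed illustration of what the fix would add, not the real spec. The route-to-scope mapping is taken from the controller header quoted in the Evidence section, and the `Statement` schema's required properties (`actor`, `verb`, `object`) are the ones xAPI 1.0.3 mandates.

```python
"""Doc-coverage check for the xAPI surface of an OpenAPI 3 spec.

Added example, not part of the audit or the platform code. Assumes the spec
has been parsed into a dict (yaml.safe_load on /api/openapi.yaml) and that
operation-level `security` entries use a scheme named `apiKeyScopes`
(assumed name) whose values are the learn:xapi:* scopes.
"""
from typing import Dict, List, Tuple

# Route -> required scope, from the LearnXapiController header quoted in the
# finding: learn:xapi:read for GETs, learn:xapi:write for POST/PUT.
REQUIRED_XAPI_OPERATIONS: Dict[Tuple[str, str], str] = {
    ("/api/v1/xapi/statements", "get"): "learn:xapi:read",
    ("/api/v1/xapi/statements", "post"): "learn:xapi:write",
    ("/api/v1/xapi/statements", "put"): "learn:xapi:write",
    ("/api/v1/xapi/about", "get"): "learn:xapi:read",
}

SECURITY_SCHEME = "apiKeyScopes"  # assumed scheme name

# Constructed: what the suggested fix would add to /api/openapi.yaml, shown as
# the parsed dict. Only the fields the check inspects are filled in; the
# Statement schema lists the three properties xAPI 1.0.3 requires.
DOCUMENTED_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            SECURITY_SCHEME: {
                "type": "oauth2",  # assumed; apiKey type cannot carry scopes
                "flows": {"clientCredentials": {
                    "tokenUrl": "https://example.invalid/oauth/token",  # placeholder
                    "scopes": {"learn:xapi:read": "Read statements",
                               "learn:xapi:write": "Store statements"}}},
            }
        },
        "schemas": {
            "Statement": {
                "type": "object",
                "required": ["actor", "verb", "object"],
                "properties": {
                    "id": {"type": "string", "format": "uuid"},
                    "actor": {"type": "object"},
                    "verb": {"type": "object"},
                    "object": {"type": "object"},
                    "timestamp": {"type": "string", "format": "date-time"},
                },
            }
        },
    },
    "paths": {
        "/api/v1/xapi/about": {"get": {
            "security": [{SECURITY_SCHEME: ["learn:xapi:read"]}],
            "responses": {"200": {"description": "LRS version and extensions"}}}},
        "/api/v1/xapi/statements": {
            "get": {"security": [{SECURITY_SCHEME: ["learn:xapi:read"]}],
                    "responses": {"200": {"description": "StatementResult"}}},
            "post": {"security": [{SECURITY_SCHEME: ["learn:xapi:write"]}],
                     "requestBody": {"content": {"application/json": {
                         "schema": {"$ref": "#/components/schemas/Statement"}}}},
                     "responses": {"200": {"description": "Stored statement ids"}}},
            "put": {"security": [{SECURITY_SCHEME: ["learn:xapi:write"]}],
                    "requestBody": {"content": {"application/json": {
                        "schema": {"$ref": "#/components/schemas/Statement"}}}},
                    "responses": {"204": {"description": "Stored"}}},
        },
    },
}

# Constructed stand-in for the spec as the finding describes it: no xapi at all.
CURRENT_SPEC = {
    "openapi": "3.0.3",
    "paths": {"/api/v1/learn/courses": {"get": {
        "responses": {"200": {"description": "Course list"}}}}},
}


def _declared_scopes(operation: dict) -> set:
    """Collect every scope an operation requires under SECURITY_SCHEME."""
    scopes = set()
    for requirement in operation.get("security", []):
        scopes.update(requirement.get(SECURITY_SCHEME, []))
    return scopes


def find_doc_gaps(spec: dict) -> List[str]:
    """Return human-readable gaps between the controller routes and the spec.

    Empty list means every xAPI operation is documented with its scope, a
    response, and (for POST/PUT) a request body schema.
    """
    gaps: List[str] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    if SECURITY_SCHEME not in schemes:
        gaps.append(f"securitySchemes does not define {SECURITY_SCHEME}")
    paths = spec.get("paths", {})
    reported_missing = set()
    for (path, method), scope in REQUIRED_XAPI_OPERATIONS.items():
        path_item = paths.get(path)
        if path_item is None:
            if path not in reported_missing:  # report each missing path once
                reported_missing.add(path)
                gaps.append(f"missing path {path}")
            continue
        op = path_item.get(method)
        if op is None:
            gaps.append(f"missing operation {method.upper()} {path}")
            continue
        if scope not in _declared_scopes(op):
            gaps.append(f"{method.upper()} {path} does not declare scope {scope}")
        if "responses" not in op:
            gaps.append(f"{method.upper()} {path} has no response documented")
        if method in ("post", "put") and "requestBody" not in op:
            gaps.append(f"{method.upper()} {path} has no request body schema")
    return gaps


if __name__ == "__main__":
    for gap in find_doc_gaps(CURRENT_SPEC):
        print("DOC GAP:", gap)
```

Run against the real spec, the loop at the bottom would replace `CURRENT_SPEC` with `yaml.safe_load(open("openapi.yaml"))` and exit non-zero when the list is non-empty; the same mapping can be grown from other controllers' headers so the check covers every credential-gated route, not only xAPI.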
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus