Patrick Bass Area: mobieusLearn (audit p8) · Surface: API /api/v1/learn/live-sessions* (documented at /api/docs but not implemented) · Dimension: documentation · Severity: major
A developer reading /api/docs will see four documented REST endpoints for managing live sessions (list, schedule, get, cancel, attach recording) with full request bodies, but every one returns 404 because no Api\V1\LearnController method or route exists. The spec even versions them ('added 1.4.0'), making the false documentation look authoritative. Live sessions are only manageable via the HTML cohort surfaces (/learn/my/cohorts/{slug}/live-sessions/...), not the JSON API.
Evidence
openapi.yaml documents 4 live-session API paths: lines 1519-1528 declare `/api/v1/learn/live-sessions` (GET list, POST schedule), `/api/v1/learn/live-sessions/{id}` (GET), `/api/v1/learn/live-sessions/{id}/cancel` (POST), `/api/v1/learn/live-sessions/{id}/recording` (POST), under comment `# ── mobieusLearn — live sessions (added 1.4.0) ──`. None of these are registered as Api\V1\LearnController routes: `grep -niE 'live-session|liveSession' /home/patrick/mobieus-io/platform/src/routes.php` shows the only live-session routes are HTML/learner surfaces on `Learn\LearnLiveSessionsController` (routes.php:693,696,817-820), and `grep -niE 'liveSession' /home/patrick/mobieus-io/platform/src/Controllers/Api/V1/LearnController.php` returns NOTHING. `comm -13 code-paths spec-paths` confirms /learn/live-sessions, /learn/live-sessions/{id}, .../cancel, .../recording are in-spec-but-not-in-code.Suggested fix. Either implement the live-sessions API in Api\V1\LearnController and register the routes, or remove the 4 phantom paths (openapi.yaml lines 1519-1528) and the matching reference in the API description (openapi.yaml line 22 mentions '(1.4.0) live sessions on Meet / Zoom / Webex').
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
