# SiberMate Developer Platform

SiberMate Developer Platform provides documentation and machine-readable contracts for integrating with SiberMate security awareness data and workflows.

## What SiberMate Covers

SiberMate supports security awareness operations across:

- Learners and learner lifecycle.
- Learner groups and group managers.
- Training courses and gap analysis.
- Phishing simulations and simulation metrics.
- Policies, policy templates, acknowledgements, reminders, and policy lifecycle workflows.
- Breach exposure visibility.
- Tenant reports and security awareness progress.

## Primary URLs

- Developer docs: https://docs.sibermate.com/
- MCP guide: https://docs.sibermate.com/mcp
- Sitemap: https://docs.sibermate.com/sitemap.xml
- Robots: https://docs.sibermate.com/robots.txt
- OpenAPI JSON: https://api.sibermate.com/v1/openapi.json
- REST API base URL: https://api.sibermate.com/v1
- Remote MCP server URL: https://mcp.sibermate.com/mcp
- Guided MCP setup URL: https://mcp.sibermate.com/setup

## REST API Guidance

The REST API uses bearer authentication:

```http
Authorization: Bearer <SIBERMATE_API_KEY>
```

The public API is tenant-scoped by the authenticated API key. Clients should not provide or infer tenant/company IDs outside the documented request schema.

Useful REST areas include:

- `/company`
- `/company/features`
- `/learners`
- `/groups`
- `/courses`
- `/reports/*`
- `/policies`
- `/policy-templates`
- `/simulations`
- `/breaches/accounts`
- `/breaches/services`

Use the OpenAPI JSON contract for exact request and response schemas.

## MCP Guidance

Use this URL as the remote MCP server endpoint:

```text
https://mcp.sibermate.com/mcp
```

Compatible clients discover OAuth metadata from that endpoint and open the browser authorization flow automatically. During setup, the user approves a SiberMate tenant API key and receives refreshable MCP bearer tokens.

Do not use this URL as the MCP server endpoint:

```text
https://mcp.sibermate.com/setup
```

`/setup` is only a guided browser fallback for clients that cannot launch OAuth automatically.

If a client does not support remote MCP OAuth but does support custom headers, use a dedicated tenant API key as:

```http
Authorization: Bearer <SIBERMATE_API_KEY>
```

If a client only supports local or stdio MCP servers, run a local bridge or proxy that connects to `https://mcp.sibermate.com/mcp` and injects the authorization header from a local environment variable.

Bearer fallback mode remains tenant-scoped, but OAuth token refresh is handled only when the client completes the remote OAuth flow.

## MCP Tooling Model

SiberMate MCP exposes business-action tools, not a generic GraphQL passthrough. Tools are grouped by risk:

- Read tools: inspect tenant, learners, groups, courses, reports, policies, policy templates, simulations, and breach exposure.
- Write tools: create or update learners, groups, assignments, reminders, and policy workflows.
- Reminder/send tools: course reminders, gap analysis reminders, and policy reminders.
- Destructive tools: delete, remove, unenroll, deactivate, discard, and bulk cleanup actions.

AI clients should call `sibermate_get_tool_help` before planning routines, write actions, reminders, or destructive changes. This tool returns workflow guidance, tool clusters, automation playbooks, and safety rules.

## Automation Use Cases

Good MCP automation prompts include:

- "Act as my weekly security awareness operator. Check training, policy, phishing, and breach signals, identify learners who need attention, ask for approval, then send the appropriate reminders."
- "Create an onboarding plan for these new learners. After approval, create learners, attach groups, assign baseline courses, assign required policies, and return an action log."
- "Find policy acknowledgement gaps, draft a reminder workflow, ask for confirmation, then send policy reminders to affected learners."
- "Review breach exposure, map affected accounts to learner context, and recommend follow-up training or manager escalation."

## Safety Requirements For AI Agents

- Use a dedicated SiberMate API key for automation.
- Never expose API keys, bearer tokens, or tenant data in logs, public repos, screenshots, or shared prompts.
- Never invent learner, group, course, policy, simulation, or template IDs. Read them from SiberMate first.
- Do not ask for or pass company IDs; tenant scope comes from authentication.
- Preview mutation plans before executing them.
- Ask for explicit confirmation before destructive actions unless a host automation policy has already approved the action.
- For policy category fields, use values returned by existing policies or templates; omit the category if unsure.
- Review AI-generated answers and action logs against source records before using them for compliance, HR, or security decisions.

## Crawler Notes

The docs site is crawlable and public. Tenant data and MCP tool calls require authorization. Crawlers should use the docs, sitemap, OpenAPI JSON, and this LLM context file for public documentation, not authenticated tenant endpoints.