> ## Documentation Index
> Fetch the complete documentation index at: https://docs.niteshift.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Automations

> Automations launch a Niteshift task on a schedule or when a webhook fires.

Use webhooks to respond to alerts, address tickets, or react to deploys. Use schedules to run
audits, triage dependencies, or send weekly reports.

## Examples

* **Datadog alerts, root-caused in Slack** — when a Datadog monitor fires, the agent investigates
  with the Datadog MCP and posts the root cause back to the alert's Slack thread.
* **Weekly flaky test fixes** — every Monday morning, the agent scans the last week of GitHub
  Actions runs for flaky tests and opens a PR with an attempted fix for each.
* **Nightly bug hunt** — every night, the agent reads the last 24 hours of commits, flags the
  riskiest changes, and opens a PR with fixes for any bugs it finds.

## Scheduled tasks

Use a schedule for recurring work like dependency bumps, periodic test runs, code-quality scans, or
weekly maintenance passes. Configure:

* **Repository**, **branch**, and **model**
* **Schedule and task**: describe in plain language what the agent should do and when it should run.
  Niteshift parses it into a task prompt, cron expression, timezone, and a human-readable schedule
  label.

## Webhook triggers

Use a webhook for event-driven work like CI failures, monitoring alerts, deploy notifications, or
anything else that emits an HTTP webhook. Configure:

* **Name**, **repository**, **branch**, and **model**
* **Task prompt template**: the instructions the agent gets each time a request hits the URL. Use
  `{{payload.field}}` (dot paths into the JSON) or `{{payload_json}}` / `{{payload}}` to insert the
  full request body as pretty-printed JSON.

### Authentication

Each trigger has a single shared secret. Incoming requests authenticate with one of:

* **HMAC (preferred)**: send `x-niteshift-signature` and `x-niteshift-timestamp` headers. The
  signature is `sha256=<hex>` where the HMAC is computed over `<timestamp>.<body>` using the trigger
  secret. Includes timestamp-based replay protection.
* **Bearer token**: send `Authorization: Bearer <secret>`. Use this for sources like Datadog that
  can set static custom headers but can't compute a per-request signature.

### Rate limiting

Each webhook URL is limited to **10 requests per rolling minute** and **100 per 24 hours**. The
burst rule runs first; a request only counts toward the daily cap if it would have passed the burst
check, so a flood of throttled calls does not use up the whole day.

`429` responses: JSON with `error` and `retryAfter` (seconds), plus the `Retry-After` and
`X-RateLimit-*` headers. Header values match whichever limit blocked you; `X-RateLimit-Reset` is a
Unix time in **seconds** for the end of that limit's current window.
