docs: add scheduled scanning documentation to README (#22)

bakayolo · ampcode-com · web-flow · commit 563473f93f04 · 2026-04-17T15:01:30.000-07:00
The Temporal schedule feature was merged in #4 but the README had no documentation for it. Adds: - `SCHEDULE_*` env vars to the configuration table - Usage examples for enabling and customizing the cron schedule - Verification commands (`temporal schedule list/describe`) - Note about the create-or-update pattern for safe restarts Co-authored-by: Amp <amp@ampcode.com>
diff --git a/README.md b/README.md
@@ -262,8 +262,34 @@ Version Guard is configured via environment variables or CLI flags:
 | `TAG_APP_KEYS` | Comma-separated AWS tag keys for app/service | `app,application,service` |
 | `TAG_ENV_KEYS` | Comma-separated AWS tag keys for environment | `environment,env` |
 | `TAG_BRAND_KEYS` | Comma-separated AWS tag keys for brand/business unit | `brand` |
+| `SCHEDULE_ENABLED` | Enable automatic scheduled scanning | `false` |
+| `SCHEDULE_CRON` | Cron expression for scan schedule | `0 6 * * *` (daily 06:00 UTC) |
+| `SCHEDULE_ID` | Temporal schedule ID (stable across restarts) | `version-guard-scan` |
+| `SCHEDULE_JITTER` | Random jitter to prevent thundering herd | `5m` |
 | `--verbose` / `-v` | Enable debug-level logging | `false` |
 
+**Scheduled Scanning:**
+
+Version Guard can automatically run scans on a cron schedule using the Temporal Schedule API. Disabled by default — enable with `SCHEDULE_ENABLED=true`:
+
+```bash
+# Enable daily scans at 06:00 UTC (default)
+export SCHEDULE_ENABLED=true
+
+# Or customize the schedule
+export SCHEDULE_ENABLED=true
+export SCHEDULE_CRON="*/30 * * * *"  # Every 30 minutes
+export SCHEDULE_JITTER="2m"
+```
+
+The schedule uses a create-or-update pattern — safe to restart the server without creating duplicate schedules. If the cron expression changes, the existing schedule is updated automatically.
+
+```bash
+# Verify the schedule
+temporal schedule list --namespace version-guard-dev
+temporal schedule describe --schedule-id version-guard-scan --namespace version-guard-dev
+```
+
 **Customizing AWS Tag Keys:**
 
 Version Guard extracts metadata (service name, environment, brand) from AWS resource tags. By default, it looks for tags like `app`, `application`, or `service`. You can customize these to match your organization's tagging conventions:
