feat: Add notification system for scheduled triggers

Replace the single-tracking-issue approach with a provider-based notification
layer. Scheduled findings now route through configurable providers (GitHub Issues,
Slack) with suppression rules for false positive management.

- Add GitHub Issues provider with two-tier dedup (hash + semantic via Haiku)
- Add Slack provider with Block Kit webhook posting
- Add YAML-based suppression system (skill + glob paths + title matching)
- Add notification dispatcher to orchestrate suppression and provider execution
- Remove createOrUpdateIssue and issue-renderer (replaced by providers)
- Remove issueTitle from schedule config schema

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dcramer

specs/notifications.md

@@ -0,0 +1,132 @@
+# Notification System for Scheduled Triggers
+
+## Problem
+
+Warden's scheduled triggers analyze the full codebase on a cron. Today, findings go to a single tracking issue per skill that gets overwritten each run. There's no way to:
+- Get notified in Slack when new findings appear
+- Mark findings as false positives so they don't recur
+- Track individual findings across runs
+
+## Goals
+
+1. Per-finding GitHub issues with semantic dedup across runs
+2. Slack webhook notifications for new findings
+3. Suppression file for false positives (rule-based pre-filtering)
+4. Replace the single-tracking-issue approach with a provider-based notification layer
+
+## Configuration
+
+### `warden.toml`
+
+```toml
+[[notifications]]
+type = "github-issues"
+labels = ["warden"]
+
+[[notifications]]
+type = "slack"
+webhookUrl = "$SLACK_WEBHOOK_URL"
+```
+
+Top-level `[[notifications]]` array. Each provider receives all non-suppressed findings independently. Environment variables expanded at runtime via `$VAR` syntax.
+
+### Migration
+
+The `[[notifications]]` section replaces the existing `schedule.issueTitle` tracking-issue approach. The `createOrUpdateIssue` code path and `schedule.issueTitle` config are removed. `schedule.createFixPR` and `schedule.fixBranchPrefix` remain (fix PRs are orthogonal to notifications).
+
+## Suppression File
+
+Located at `.agents/warden/suppressions.yaml`:
+
+```yaml
+suppressions:
+  - skill: "security-audit"
+    paths: ["src/legacy/**"]
+    reason: "Legacy code, not worth fixing"
+
+  - skill: "security-audit"
+    paths: ["src/admin/query.ts"]
+    title: "SQL injection"
+    reason: "Uses parameterized queries, false positive"
+```
+
+Rules match on:
+- **skill** (required): Exact skill name
+- **paths** (required): Glob patterns matched against finding location path
+- **title** (optional): Substring match against finding title
+- **reason** (required): Human-readable justification
+
+Loaded once per workflow run, applied before any provider receives findings.
+
+## Provider Interface
+
+```typescript
+interface NotificationProvider {
+  readonly name: string;
+  notify(context: NotificationContext): Promise<NotificationResult>;
+}
+
+interface NotificationContext {
+  findings: Finding[];
+  reports: SkillReport[];
+  repository: { owner: string; name: string };
+  commitSha: string;
+}
+
+interface NotificationResult {
+  provider: string;
+  sent: number;
+  skipped: number;
+  errors: string[];
+}
+```
+
+## Provider Flow
+
+```
+Skill Report -> Apply Suppressions -> All Providers (each gets same findings)
+                                       |-- github-issues (semantic dedup, creates/skips per finding)
+                                       |-- slack (sends all findings it receives)
+```
+
+## GitHub Issues Provider
+
+- Creates one issue per unique finding
+- Dedup: two-tier
+  1. Hash match via `<!-- warden:SHA256 -->` marker in issue body (cheap, catches identical text)
+  2. Semantic match via Haiku for same-file findings with no hash match (handles LLM variation)
+- Also checks closed issues with `warden:false-positive` label (treated as suppressed)
+- Issue title: `[Warden] {finding.title}`
+- Labels: configurable base labels + `warden:{skillName}`
+- Body: severity, description, location with code link, suggested fix, hash marker
+- Config: `labels` (string array, default `["warden"]`)
+
+## Slack Provider
+
+- Posts to incoming webhook URL using Block Kit formatting
+- Sends all non-suppressed findings it receives
+- Message: repo, commit, severity summary, up to 10 findings with details
+- Skips notification if findings array is empty
+- Config: `webhookUrl` (string, supports `$ENV_VAR` expansion)
+
+## Schedule Workflow Integration
+
+In `src/action/workflow/schedule.ts`, the `createOrUpdateIssue` call is replaced with:
+
+```typescript
+const dispatcher = new NotificationDispatcher(providers, suppressions);
+const result = await dispatcher.dispatch({
+  findings: report.findings,
+  reports: [report],
+  repository: { owner, name: repo },
+  commitSha: headSha,
+  skillName: resolved.name,
+});
+```
+
+## Future Work
+
+- Persistent storage for "previously seen" finding tracking across all providers
+- `autoClose` config flag on GitHub Issues provider (close issues when findings disappear)
+- CLI command for managing suppressions (`warden suppress add`)
+- PR trigger integration (generic enough, but PR comments already have sophisticated dedup)

src/action/workflow/__fixtures__/schedule-title/warden.toml

@@ -8,4 +8,4 @@ paths = ["src/**/*.ts"]
 type = "schedule"
 
 [skills.triggers.schedule]
-issueTitle = "Custom Issue Title"
+createFixPR = false

src/action/workflow/schedule.test.ts

@@ -52,12 +52,24 @@ vi.mock('../../event/schedule-context.js', () => ({
   buildScheduleEventContext: vi.fn(),
 }));
 
-// Mock GitHub issue/PR creation
+// Mock GitHub PR creation (createOrUpdateIssue removed; notifications handle issues now)
 vi.mock('../../output/github-issues.js', () => ({
-  createOrUpdateIssue: vi.fn(),
   createFixPR: vi.fn(),
 }));
 
+// Mock suppressions loader
+vi.mock('../../suppressions/loader.js', () => ({
+  loadSuppressions: vi.fn(() => []),
+}));
+
+// Mock notification system
+vi.mock('../../notifications/index.js', () => ({
+  NotificationDispatcher: vi.fn().mockImplementation(() => ({
+    dispatch: vi.fn(() => Promise.resolve({ suppressed: 0, results: [] })),
+  })),
+  buildProviders: vi.fn(() => []),
+}));
+
 // Mock skill loader — filesystem reads; keep clearSkillsCache real
 vi.mock('../../skills/loader.js', async () => {
   const actual = await vi.importActual('../../skills/loader.js');
@@ -76,7 +88,7 @@ vi.mock('../../skills/loader.js', async () => {
 // Import after mocks
 import { runSkill } from '../../sdk/runner.js';
 import { buildScheduleEventContext } from '../../event/schedule-context.js';
-import { createOrUpdateIssue, createFixPR } from '../../output/github-issues.js';
+import { createFixPR } from '../../output/github-issues.js';
 import { resolveSkillAsync } from '../../skills/loader.js';
 import { setFailed } from './base.js';
 import { runScheduleWorkflow } from './schedule.js';
@@ -85,7 +97,6 @@ import { clearSkillsCache } from '../../skills/loader.js';
 // Type the mocks
 const mockRunSkill = vi.mocked(runSkill);
 const mockBuildContext = vi.mocked(buildScheduleEventContext);
-const mockCreateOrUpdateIssue = vi.mocked(createOrUpdateIssue);
 const mockCreateFixPR = vi.mocked(createFixPR);
 const mockResolveSkillAsync = vi.mocked(resolveSkillAsync);
 const mockSetFailed = vi.mocked(setFailed);
@@ -195,11 +206,6 @@ describe('runScheduleWorkflow', () => {
     // Default mock: context with files, no findings
     mockBuildContext.mockResolvedValue(createScheduleContext());
     mockRunSkill.mockResolvedValue(createSkillReport());
-    mockCreateOrUpdateIssue.mockResolvedValue({
-      issueNumber: 1,
-      issueUrl: 'https://github.com/test-owner/test-repo/issues/1',
-      created: true,
-    });
     mockResolveSkillAsync.mockResolvedValue({
       name: 'test-skill',
       description: 'Test skill',
@@ -227,7 +233,6 @@ describe('runScheduleWorkflow', () => {
       await runScheduleWorkflow(mockOctokit, createDefaultInputs(), PR_ONLY_FIXTURES);
 
       expect(mockRunSkill).not.toHaveBeenCalled();
-      expect(mockCreateOrUpdateIssue).not.toHaveBeenCalled();
     });
 
     it('fails when GITHUB_REPOSITORY is not set', async () => {
@@ -270,33 +275,22 @@ describe('runScheduleWorkflow', () => {
   // ---------------------------------------------------------------------------
 
   describe('happy path', () => {
-    it('runs skill and creates issue when findings exist', async () => {
+    it('runs skill when findings exist', async () => {
       const finding = createFinding({ severity: 'high' });
       const report = createSkillReport({ findings: [finding] });
       mockRunSkill.mockResolvedValue(report);
 
       await runScheduleWorkflow(mockOctokit, createDefaultInputs(), SCHEDULE_FIXTURES);
 
       expect(mockRunSkill).toHaveBeenCalledTimes(1);
-      expect(mockCreateOrUpdateIssue).toHaveBeenCalledWith(
-        mockOctokit,
-        'test-owner',
-        'test-repo',
-        [report],
-        expect.objectContaining({
-          title: 'Warden: test-skill',
-          commitSha: 'abc123',
-        })
-      );
     });
 
-    it('creates issue even when no findings', async () => {
+    it('runs skill even when no findings', async () => {
       mockRunSkill.mockResolvedValue(createSkillReport({ findings: [] }));
 
       await runScheduleWorkflow(mockOctokit, createDefaultInputs(), SCHEDULE_FIXTURES);
 
       expect(mockRunSkill).toHaveBeenCalledTimes(1);
-      expect(mockCreateOrUpdateIssue).toHaveBeenCalledTimes(1);
     });
 
     it('skips skill run when no files match trigger', async () => {
@@ -319,15 +313,14 @@ describe('runScheduleWorkflow', () => {
       await runScheduleWorkflow(mockOctokit, createDefaultInputs(), SCHEDULE_FIXTURES);
 
       expect(mockRunSkill).not.toHaveBeenCalled();
-      expect(mockCreateOrUpdateIssue).not.toHaveBeenCalled();
     });
   });
 
   // ---------------------------------------------------------------------------
-  // Issue & PR Creation
+  // Fix PR Creation
   // ---------------------------------------------------------------------------
 
-  describe('issue and PR creation', () => {
+  describe('fix PR creation', () => {
     it('creates fix PR when schedule.createFixPR is enabled', async () => {
       const finding = createFinding({
         suggestedFix: { description: 'Fix it', diff: '--- a\n+++ b\n' },
@@ -369,25 +362,17 @@ describe('runScheduleWorkflow', () => {
       expect(mockCreateFixPR).not.toHaveBeenCalled();
     });
 
-    it('uses custom issue title from schedule config', async () => {
-      const report = createSkillReport({ findings: [] });
-      mockRunSkill.mockResolvedValue(report);
+    it('does not create fix PR for schedule-title fixture', async () => {
+      const finding = createFinding();
+      mockRunSkill.mockResolvedValue(createSkillReport({ findings: [finding] }));
 
       await runScheduleWorkflow(
         mockOctokit,
         createDefaultInputs(),
         SCHEDULE_TITLE_FIXTURES
       );
 
-      expect(mockCreateOrUpdateIssue).toHaveBeenCalledWith(
-        mockOctokit,
-        'test-owner',
-        'test-repo',
-        [report],
-        expect.objectContaining({
-          title: 'Custom Issue Title',
-        })
-      );
+      expect(mockCreateFixPR).not.toHaveBeenCalled();
     });
   });
 

src/action/workflow/schedule.ts

@@ -7,12 +7,13 @@
 import { dirname, join } from 'node:path';
 import type { Octokit } from '@octokit/rest';
 import { loadWardenConfig, resolveSkillConfigs } from '../../config/loader.js';
-import type { ScheduleConfig } from '../../config/schema.js';
 import { buildScheduleEventContext } from '../../event/schedule-context.js';
 import { runSkill } from '../../sdk/runner.js';
-import { createOrUpdateIssue, createFixPR } from '../../output/github-issues.js';
+import { createFixPR } from '../../output/github-issues.js';
 import { shouldFail, countFindingsAtOrAbove, countSeverity } from '../../triggers/matcher.js';
 import { resolveSkillAsync } from '../../skills/loader.js';
+import { loadSuppressions } from '../../suppressions/loader.js';
+import { NotificationDispatcher, buildProviders } from '../../notifications/index.js';
 import type { SkillReport } from '../../types/index.js';
 import type { ActionInputs } from '../inputs.js';
 import {
@@ -70,6 +71,13 @@ export async function runScheduleWorkflow(
 
   const defaultBranch = await getDefaultBranchFromAPI(octokit, owner, repo);
 
+  // Load suppressions and build notification providers
+  const suppressions = loadSuppressions(repoPath);
+  const providers = config.notifications
+    ? buildProviders({ configs: config.notifications, octokit, apiKey: inputs.anthropicApiKey })
+    : [];
+  const dispatcher = new NotificationDispatcher(providers, suppressions);
+
   logGroup('Processing schedule triggers');
   for (const trigger of scheduleTriggers) {
     console.log(`- ${trigger.name}: ${trigger.skill}`);
@@ -127,24 +135,27 @@ export async function runScheduleWorkflow(
       allReports.push(report);
       totalFindings += report.findings.length;
 
-      // Create/update issue with findings
-      const scheduleConfig: Partial<ScheduleConfig> = resolved.schedule ?? {};
-      const issueTitle = scheduleConfig.issueTitle ?? `Warden: ${resolved.name}`;
-
-      const issueResult = await createOrUpdateIssue(octokit, owner, repo, [report], {
-        title: issueTitle,
-        commitSha: headSha,
-      });
+      // Dispatch notifications for findings
+      if (providers.length > 0) {
+        const dispatchResult = await dispatcher.dispatch({
+          findings: report.findings,
+          reports: [report],
+          repository: { owner, name: repo },
+          commitSha: headSha,
+          skillName: resolved.name,
+        });
 
-      if (issueResult) {
-        console.log(`${issueResult.created ? 'Created' : 'Updated'} issue #${issueResult.issueNumber}`);
-        console.log(`Issue URL: ${issueResult.issueUrl}`);
+        for (const r of dispatchResult.results) {
+          if (r.sent > 0) {
+            console.log(`${r.provider}: ${r.sent} notification${r.sent === 1 ? '' : 's'} sent`);
+          }
+        }
       }
 
       // Create fix PR if enabled and there are fixable findings
-      if (scheduleConfig.createFixPR) {
+      if (resolved.schedule?.createFixPR) {
         const fixResult = await createFixPR(octokit, owner, repo, report.findings, {
-          branchPrefix: scheduleConfig.fixBranchPrefix ?? 'warden-fix',
+          branchPrefix: resolved.schedule.fixBranchPrefix ?? 'warden-fix',
           baseBranch: defaultBranch,
           baseSha: headSha,
           repoPath,