release: promote 0.1.6 to main

[oscharko]

Summary

Release Keiko 0.1.6 from dev into main.

This includes the verified system-CA TLS fix for internal model gateways and the previously merged workspace card connection stabilization from dev.

Refs n/a

Scope

• In scope: promote current dev to main for release publication.
• Out of scope: additional code changes, npm publication before main checks pass, customer credentials, and internal customer artifacts.

Product Impact

• UI or user workflow
• CLI or developer workflow
• Core generation engine
• Evidence, audit, or compliance artifact
• Security or supply chain
• Packaging, release, or npm publication
• Documentation or repository hygiene
• No user-facing behavior change

Verification

Required:

• Required GitHub checks pass before merge.
• Local verification commands or rationale are listed below.

Local verification:

PR #140 into dev: all GitHub checks passed
npm test
npm run typecheck
npm run lint
npm run format:check
npm run prepack
npm pack --dry-run
customer macOS Keiko-fix emulation: /v1/models HTTP 200 and gpt-oss-120b chat/completions HTTP 200 with TLS enabled

Select only what applies:

• UI behavior manually verified or covered by tests.
• CLI behavior verified with command output or tests.
• Core logic covered by unit, integration, property, or fixture tests.
• Security-sensitive change reviewed for trust boundaries, secrets, external calls, and generated artifacts.
• Supply-chain or package-surface change verified with package, license, lockfile, SBOM, or npm dry-run checks.
• Documentation or Markdown change verified by the repository link check or a targeted local equivalent.
• Release-impacting change verified with npm run prepack and npm pack --dry-run.
• Not applicable items are explained below.

Not applicable rationale:

• No documentation change is included in this release integration.
• No customer material or credentials are committed.

Review And Closure

• The PR implements only the linked issue scope.
• Actionable review findings are fixed or explicitly dispositioned.
• Unresolved review threads are resolved before merge.
• Checks are repeated after the latest pushed fix.
• Issue acceptance criteria and closure evidence are updated only where evidence exists.
• Use Resolves #<issue_number> only when this PR should close the issue.

Risk Notes

Release integration risk only. dev has already passed the full PR gate for the code changes. main must pass CI before npm publication.

[Copilot]

Pull request overview

Promotes Keiko release 0.1.6 from dev to main, including the internal-gateway TLS trust-chain retry improvements and the workspace card connection stabilization.

Changes:

• Bump root/UI/SDK/harness versions to 0.1.6 (including lockfiles).
• Improve workspace “click-to-connect” reliability by confirming connections from a workspace-level capture handler and tagging window roots with data-window-id.
• Expand gateway CA fallback to include additional Node/system trust sources and broaden retry gating to recoverable TLS trust-chain errors, with accompanying tests.

Reviewed changes

Copilot reviewed 11 out of 13 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
ui/package.json	Bump UI package version to 0.1.6.
ui/package-lock.json	Align UI lockfile version metadata to 0.1.6.
ui/app/components/desktop/Workspace.tsx	Confirm connects via onPointerDownCapture using data-window-id to handle stopped bubbling.
ui/app/components/desktop/Workspace.test.tsx	Add regression test ensuring connect confirmation works even when a child stops bubbling.
ui/app/components/desktop/windows/WindowFrame.tsx	Add data-window-id attribute on window root for capture-based targeting.
ui/app/components/desktop/hooks/workspaceActions.ts	Keep connectingRef in sync and focus the target window after a successful confirmConnect.
ui/app/components/desktop/hooks/useWorkspace.ts	Wire focus into connect action creation.
tests/gateway/http.test.ts	Add tests for recoverable TLS error gating and for the expanded gateway CA bundle behavior.
src/sdk/index.ts	Bump SDK_VERSION to 0.1.6.
src/harness/session.ts	Bump HARNESS_VERSION to 0.1.6.
src/gateway/http.ts	Add recoverable TLS trust error detection + expanded CA bundle composition; use it for HTTPS fallback retries.
package.json	Bump package version to 0.1.6.
package-lock.json	Align root lockfile version metadata to 0.1.6.

Files not reviewed (1)

• ui/package-lock.json: Language not supported

Comments suppressed due to low confidence (1)

ui/app/components/desktop/windows/WindowFrame.tsx:343

• When connState is "valid", this handler calls api.confirmConnect(win.id, e) and then immediately calls api.focus(win.id). confirmConnect already calls focus(toId) (and stops propagation), so this results in two focus() calls for the same click, unnecessarily incrementing the z-counter twice and causing an extra state update/re-render.

      onPointerDown={(e) => {
        if (connState === "valid") api.confirmConnect(win.id, e);
        api.focus(win.id);
      }}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.