v2026.3.12 — Dashboard v2 + Fast Mode + 15 Security Advisories
Released: March 13, 2026 Theme: Heavyweight features + large-scale security fixes Breaking Changes: Multiple implicit changes (see below)
Overview
v2026.3.12 is a feature-and-security release. Two headline items: the new Control UI Dashboard v2 and cross-provider Fast Mode inference. It also fixes over 15 GHSA advisories, covering exec approval bypasses, plugin auto-load, device pairing token scope, and more. The provider-plugin architecture migration turns Ollama, vLLM, and SGLang into standalone modules.
Core Highlights
1. Control UI Dashboard v2
A full redesign of the gateway control panel:
| Feature | Description |
|---|---|
| Modular views | Overview / Chat / Config / Agent / Session |
| Command Palette | Fast command search and execution |
| Mobile | Bottom-tab adaptation |
| Chat tools | Slash commands, search, export, pinned messages |
2. Fast Mode Inference
New session-level fast mode, surfaced consistently across entry points:
/fastcommand, TUI, Control UI, ACP- OpenAI: via Codex request shaping
- Anthropic: mapped to
service_tierAPI parameter - Both include real-time validation
Fast Mode is not a model swap — it lets the same model respond faster. Ideal for rapid iteration during development.
3. Provider-Plugin Architecture Migration
Ollama, vLLM, and SGLang officially move to provider-plugin architecture:
- Each provider owns its onboarding, discovery, and model picker
- Post-selection hooks supported
- Core provider wiring becomes much more modular
- Adding a new provider becomes far easier
4. sessions_yield Sub-agent Directive
The orchestrator can now end the current turn immediately, skip queued work, and carry a hidden follow-up payload into the next session turn. Crucial for complex multi-agent orchestration.
5. Kubernetes Deployment Support
A starter K8s install path lands:
- Raw manifests + Kind setup
- Deployment documentation
- Makes containerized large-scale deployment practical
Security Fixes (15+ GHSA)
Many vulnerabilities fixed — notable categories below.
| Type | Description |
|---|---|
| Exec approval bypasses | Unicode invisible characters, shell payloads, pnpm/npm exec expansion |
| Workspace plugin auto-load | Implicit loading disabled; cloned repos require an explicit trust decision |
| Device pairing token scope | /pair and QR flows switch to short-lived bootstrap tokens |
| Slack/Teams routing | Requires stable channel/team ID by default |
| Sandbox write empty file | Missing mutation-helper stdin caused “success” reports with empty files |
Technical Direction
Cross-Provider Speed Standardization
A single /fast switch covers OpenAI and Anthropic — effectively a cross-provider inference-speed control layer.
Provider Modularization
Ollama / vLLM / SGLang migrating to the plugin architecture is a big step toward “provider as plugin”.
Systematic Security Sweep
15+ GHSA advisories indicate a thorough audit covering exec, plugin, auth, and channel attack surfaces.
Notable Fixes
- Gateway main-session routing: TUI sends were incorrectly inheriting Telegram/WhatsApp routes
- ACP client final message loss: last visible reply was dropped in terminal chat events
- Post-compaction double compaction: cache-TTL marker triggered an unnecessary second compaction
- Sandbox write empty file: sandbox mode reported success but created an empty file