Your multi-agent framework just changed the rules.
Open Multi-Agent v1.7.0 (June 15) made every built-in tool opt-in by default.
That includes bash, file operations, grep, glob. Zero tools granted unless you explicitly list them.
The breaking change exists because tool output flows back to the model. Under prompt injection, an unsandboxed bash tool was a remotely triggerable exec + exfiltration path. That path is now closed by default.
v1.7.0 also shipped two features that matter more than the security fix:
Consensus verification. `runConsensus()` runs proposers against judges. A per-task verify hook puts each result through the same judge loop. You get adversarial verification without wiring a critic agent yourself.
Deterministic model routing. Opt-in `modelRouting` sends different orchestration phases (coordinator, synthesis, workers) to different models by match rules. A flagship model plans. A cheap model runs leaf tasks. First match wins. No model config mutations.
New default model: MiniMax-M3. Up to 1M-token context, 512K guaranteed, image input. M2.7 stays available if you pin it.
The framework has 6.4K stars, 2.4K forks, and three runtime dependencies, and is TypeScript-native. LangGraph is graph-first (you enumerate nodes and edges). Open Multi-Agent is goal-first (you describe the outcome, and the coordinator builds the task DAG at runtime).
Migration is one line: `defaultToolPreset: 'full'` on OrchestratorConfig restores the old allow-all. Or grant per agent via `tools` / `toolPreset`. Custom tools are unaffected.
Audit your agent configs today. Every agent that had implicit bash access just lost it. If you relied on the old behavior, your agents are running with zero tools right now.
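One way to run that audit, as an added example rather than code from the Open Multi-Agent project. It works on plain objects and does not import the framework: the config shapes, the precedence of `tools` over presets, the inheritance of the orchestrator default, and the sample agents are assumptions, and only the names `defaultToolPreset`, `tools`, `toolPreset`, `'full'` and `bash` come from the release described above.

```typescript
// Added example. Assumed config shapes: only the field names `defaultToolPreset`,
// `tools`, `toolPreset`, the value 'full' and the tool name 'bash' come from the post.
type AgentCfg = { name: string; tools?: string[]; toolPreset?: string };
type OrchestratorCfg = { defaultToolPreset?: string };
type Finding = {
  agent: string;
  status: 'zero-tools' | 'explicit' | 'preset' | 'allow-all';
  bash: boolean | 'unknown';
  note: string;
};

function auditAgents(orch: OrchestratorCfg, agents: AgentCfg[]): Finding[] {
  return agents.map((a): Finding => {
    // Assumption: an explicit per-agent list takes precedence over any preset.
    if (a.tools !== undefined) {
      if (a.tools.length === 0) {
        return { agent: a.name, status: 'zero-tools', bash: false, note: 'empty tools list' };
      }
      const bash = a.tools.indexOf('bash') !== -1;
      const note = bash ? 'bash granted: confirm it is sandboxed' : 'no shell access';
      return { agent: a.name, status: 'explicit', bash, note };
    }
    // Assumption: an agent without its own preset inherits the orchestrator default.
    const preset = a.toolPreset ?? orch.defaultToolPreset;
    if (preset === 'full') {
      return { agent: a.name, status: 'allow-all', bash: true, note: 'pre-1.7.0 exposure restored' };
    }
    if (preset !== undefined) {
      return { agent: a.name, status: 'preset', bash: 'unknown', note: `review preset '${preset}'` };
    }
    return { agent: a.name, status: 'zero-tools', bash: false, note: 'lost implicit tools in v1.7.0' };
  });
}

// Constructed sample agents, not taken from any real deployment.
const sampleAgents: AgentCfg[] = [
  { name: 'planner' },
  { name: 'builder', tools: ['bash', 'grep'] },
  { name: 'searcher', tools: ['grep', 'glob'] },
  { name: 'legacy', toolPreset: 'full' },
];

for (const f of auditAgents({}, sampleAgents)) {
  console.log(`${f.agent}: ${f.status}, bash=${f.bash} (${f.note})`);
}
```

Agents reported as `allow-all` or as `explicit` with bash are the ones still exposed to the injection path described above; `zero-tools` agents are the ones that need a deliberate grant.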
SOURCE: https://github.com/open-multi-agent/open-multi-agent/releases/tag/v1.7.0
VERIFIED: GitHub release notes (June 15, 2026), GitHub repository (6.4K stars), README.md with architecture details
SIGNAL: Multi-agent frameworks are adopting security-by-default postures. The default-deny tool model eliminates an entire class of prompt injection attacks. This becomes the new baseline for agent frameworks shipping tool access.
Agentic AI
Open Multi-Agent v1.7.0 flipped the security default. Your agent can no longer exec bash without permission.