All posts
June 16, 20263 min read

Putting access controls around Devin: data masking for AI coding agents

The quickest way to keep Devin from ever seeing production PII is to turn on data masking on the connection it queries through, before you connect the agent at all. Done in that order, the first query Devin runs already comes back redacted, and the raw values never enter the agent's context. This is a fast first-connection walkthrough. The goal is a working masked connection you can verify in one query, then trust for real work without second-guessing it. The first masked connection with data

Free White Paper

AI Model Access Control + Data Masking (Static): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

The quickest way to keep Devin from ever seeing production PII is to turn on data masking on the connection it queries through, before you connect the agent at all. Done in that order, the first query Devin runs already comes back redacted, and the raw values never enter the agent's context.

This is a fast first-connection walkthrough. The goal is a working masked connection you can verify in one query, then trust for real work without second-guessing it.

The first masked connection with data masking on

hoop.dev is an open-source Layer 7 access gateway. Devin reaches the database through it, and masking runs on the return path, redacting before results leave the gateway.

  1. Run the hoop.dev agent next to your database and register it as a connection.
  2. Configure a DLP provider such as Presidio so the gateway can classify fields like email, phone, and card number.
  3. Enable masking on the connection.
  4. Connect Devin through the connection and run SELECT id, email FROM users LIMIT 1.
  5. Confirm the email returns redacted while the id returns normally.

If the email comes back as [redacted], masking is working and you can let the agent loose on real queries. You verified the control before you trusted it, which is the right order. The provider setup is covered on the hoop.dev site.

Why masking has to live on the connection

The instant a raw email or token reaches Devin, it is in a process you do not control and may be forwarded to a model or written to a scratch file. Masking that happens later cannot un-send that value. The only point that actually protects the data is the boundary the result crosses on its way to the agent.

  • Masking runs at the protocol layer on the streaming result, so redaction happens before the row leaves the gateway.
  • Classification uses the configured DLP provider, not a fragile regex you maintain by hand and forget to update.
  • The session is recorded too, so you can confirm what ran and that it was masked.

hoop.dev acts on the query results Devin receives over the connection. It does not read the model prompt or completion; it redacts the data, which is where the exposure is. The agent can reason about a redacted value just fine; what it cannot do is leak one it never received.

Continue reading? Get the full guide.

AI Model Access Control + Data Masking (Static): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Pitfalls to avoid

Masking support is per connection, native on databases like Postgres and MySQL, configured per case elsewhere, and not available on SSH or RDP. Verify it on the exact connection Devin uses. Do not point the agent at an unmasked replica as a workaround; replicated PII is still PII. And test masking with a real query before you trust it, not just by reading the config.

It helps to think about what masking buys you that access control alone does not. Scoping Devin to read-only on a table still lets it read every value in that table, PII included. Read access and PII exposure are different problems, and a role grant only solves the first. Masking solves the second, on the same connection, without forcing you to choose between giving the agent the data it needs to do the work and keeping sensitive fields out of its context. The agent sees the shape of the row, the non-sensitive columns, and a redaction where the sensitive value would be, which is usually everything a coding task actually requires.

That is why placement on the connection matters so much. If masking lived in the application, you would be protecting one consumer and leaving the database open to the next tool that connects. On the connection, the protection travels with the data path itself, so any client reaching that database through the gateway, agent or human, gets the same redaction without anyone wiring it up again.

FAQ

Does masking alter the stored data?

No. It redacts results in flight. The database is unchanged; Devin just receives a masked view.

Can Devin get around masking?

Not over the gateway connection. Redaction happens before the result returns, outside the agent's control.

Is hoop.dev open source?

Yes, it is MIT licensed.

Stand up a masked connection for Devin in minutes. Pull the code from the hoop.dev GitHub repository and configure your DLP provider with the getting started guide.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot