Picture the end state you actually want for Devin and a production database, then work backward to it. In that end state, Devin holds no database password. Its database access is granted only when it needs it and scoped to one connection. Every query it runs is recorded somewhere Devin cannot touch. Sensitive columns come back redacted. And a destructive operation pauses for a human before it executes.
That is the target. The rest of this post is how to reach it, and the order matters: define the end state, then pick the one control surface that delivers all of it instead of bolting on parts.
The target end state for database access, in detail
- No standing access: there is no long-lived credential sitting in a config that Devin or anything else could exfiltrate.
- Scoped identity: Devin connects as itself, mapped to exactly the rights its task needs.
- Command-level record: the audit lives outside the agent, so a crash or a retry cannot erase it.
- Inline masking: PII never reaches the agent in the clear.
- Approval on risk: writes and deletes route to a person.
If you have all five, an autonomous agent can work against real data without becoming a standing liability. Miss any one and you have reopened a hole the others cannot cover. The reason teams assemble these as separate tools and still get burned is that the gaps between the tools are exactly where the agent slips through.
How to reach it through hoop.dev
hoop.dev is an open-source Layer 7 access gateway. A hoop.dev agent runs near your database and dials out to the gateway; Devin reaches the database through that gateway, never directly. That single hop is what delivers the end state as one integrated surface rather than five wired-together parts:
- The connection credential lives on the connection, not in Devin, so there is no standing secret to leak.
- Access is granted just in time and scoped per connection.
- Each command is recorded at the gateway with Devin's identity attached.
- Results from supported databases like Postgres and MySQL are masked inline.
- Risky operations route for approval.
hoop.dev governs the connection Devin uses to reach the database. It does not install into Devin, front the agent, or read its prompts. It controls the path to the data, which is the path that carries the risk. The model is described on the hoop.dev site.
Steps to stand it up
- Run the hoop.dev agent next to the database and register it as a connection.
- Put the database credential on the connection; give Devin none of it.
- Map Devin's identity to a least-scope role.
- Enable masking and set an approval rule on writes.
- Connect Devin through the gateway and run a read to confirm masked, recorded access.
Pitfalls to avoid
Do not seed Devin's environment with a raw connection string as a shortcut; that single step undoes the entire end state. Do not give it a broad role because scoping feels slow. And do not skip masking on the assumption that a coding task will not touch PII. A SELECT * does not know your intent, and the agent will run one eventually.
One more thing worth verifying as you stand this up: confirm the database credential never leaves the connection. The hoop.dev agent near the database holds it; the gateway brokers the session as the configured identity; Devin authenticates as itself and is attributed at the gateway. Devin should never be able to read the underlying password, even indirectly, because the moment it can, you are back to standing access with extra steps. Check this explicitly rather than assuming it, since it is the property the whole design rests on.
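One way to make that check explicit, as an added example that is not part of the original post or hoop.dev's own code: scan what Devin's workspace can read (environment variables and config files) for database passwords. The function name, sample values and host names are constructed assumptions; `PGPASSWORD` and `MYSQL_PWD` are the standard client password variables.

```python
import re
from urllib.parse import urlsplit

# Environment variables that conventionally carry a DB password (libpq, MySQL client).
PASSWORD_VARS = {"PGPASSWORD", "MYSQL_PWD"}
# Connection URIs for the databases the post names (Postgres, MySQL).
DB_URI = re.compile(r"\b(?:postgres(?:ql)?|mysql)://[^\s'\"]+", re.I)
# Keyword/value DSN fragment such as "host=db password=secret".
KV_PASSWORD = re.compile(r"\bpassword\s*=\s*[^\s'\"]+", re.I)

def find_standing_credentials(env, files=None):
    """Return sorted (location, reason) pairs for DB secrets the agent can read.

    env: environment variables as seen from inside Devin's workspace.
    files: optional {path: text} of config files in that workspace.
    """
    sources = [("env:" + k, k, v) for k, v in env.items()]
    sources += [("file:" + p, None, t) for p, t in (files or {}).items()]
    findings = set()
    for location, var_name, text in sources:
        if var_name in PASSWORD_VARS and text:
            findings.add((location, "password variable set"))
        for match in DB_URI.finditer(text):
            try:
                embedded = bool(urlsplit(match.group(0)).password)
            except ValueError:
                embedded = True  # unparseable URI: flag it for manual review
            if embedded:
                findings.add((location, "connection URI embeds a password"))
        if KV_PASSWORD.search(text):
            findings.add((location, "keyword DSN embeds a password"))
    return sorted(findings)

# Constructed sample inputs (assumptions, not real hosts or secrets).
LEAKY_ENV = {
    "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/prod",
    "PGPASSWORD": "s3cret",
    "PATH": "/usr/bin",
}
LEAKY_FILES = {".env": "DB_DSN='host=db.internal user=app password=s3cret'\n"}
CLEAN_ENV = {"DATABASE_URL": "postgres://devin@gateway.example:5432/prod"}

if __name__ == "__main__":
    for location, reason in find_standing_credentials(LEAKY_ENV, LEAKY_FILES):
        print(f"FAIL {location}: {reason}")
    print("clean findings:", find_standing_credentials(CLEAN_ENV))
```

Run it from inside Devin's workspace against `os.environ` and the workspace's config files; any finding means the credential has left the connection.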
FAQ
Does hoop.dev sit inside Devin?
No. It governs the database connection Devin reaches through. It does not proxy or install into the agent itself.
What database access does Devin actually get?
Exactly what you scope on the connection, granted just in time, recorded per command, with sensitive fields masked on the way back.
Is hoop.dev open source?
Yes, it is MIT licensed.
Reach that end state for Devin's database access. Clone the hoop.dev GitHub repository and register your first connection with the getting started guide.