Putting access controls around Devin: production access for AI coding agents (on AWS)

When an AI coding agent can push changes straight into a live service, a single mistake can corrupt data, expose secrets, or trigger costly outages. Relying on unrestricted production access for such agents creates a massive risk that can quickly turn into financial loss and reputational damage. Organizations that let agents operate with the same unrestricted keys that human engineers use are effectively handing over the master switch without any guardrails.

In many teams today, the AI assistant – let’s call it Devin – authenticates with a static service account that has full‑read/write privileges across all production clusters. The credential lives in a CI secret store, is checked out by the agent, and then used to open direct connections to databases, Kubernetes APIs, and SSH endpoints. Because the connection bypasses any mediation layer, there is no real‑time visibility into what queries or commands Devin issues, no way to scrub sensitive fields from responses, and no approval step before a destructive operation runs. The result is a blind spot: the organization knows that Devin accessed the environment, but it cannot prove what was done, nor can it stop a harmful command before it executes.

Why production access matters for AI coding agents

Production access is the highest‑risk privilege set. It includes the ability to modify schemas, delete tables, restart services, and change network policies. When an autonomous agent holds that level of access, the risk profile changes dramatically. Human operators can be interrupted, questioned, or forced to justify a command. An AI agent, however, operates at speed and scale, often generating dozens of statements per minute. Without a boundary that enforces policy, a single logic error can cascade across dozens of services before anyone notices.

The missing control: what remains exposed

The current setup satisfies the setup requirement – the service account is provisioned, the identity is known, and the token is accepted by the target. But the data path is completely open. Because the request travels straight from Devin to the resource, there is no place to inject approval workflows, mask credit‑card numbers in query results, or record each command for later replay. Consequently, the organization cannot achieve auditability, inline data protection, or just‑in‑time approval – all of which are essential for true production access governance.

Architectural requirement: a gateway that sits in the data path

To close the gap, the enforcement point must be inserted between the AI agent and the target system. The gateway becomes the sole conduit for every protocol‑level request – whether it is a PostgreSQL query, a kubectl exec, or an SSH command. By sitting in the data path, the gateway can evaluate identity, consult policy, and apply controls before the request ever reaches the backend. This design satisfies the three attribution categories:

• Setup: identity and least‑privilege roles are still provisioned in the IdP and the service account.
• The data path: the gateway is the only place where enforcement logic runs.
• Enforcement outcomes: the gateway can record each session, mask sensitive fields, require approval for risky commands, and block disallowed operations.

Introducing hoop.dev as the production‑access gateway

hoop.dev fulfills exactly this architectural role. It is a Layer 7 gateway that proxies connections to databases, Kubernetes clusters, SSH servers, and HTTP services. When Devin initiates a connection, the request is routed through hoop.dev’s agent that lives inside the same network as the target. hoop.dev verifies the OIDC token issued by the organization’s identity provider, extracts group membership, and then enforces policy at the protocol layer.

Because hoop.dev sits in the data path, it can:

• Record every session so that security teams can replay a query or command exactly as it was issued.
• Apply inline masking to hide credit‑card numbers, personal identifiers, or API keys that appear in query results.
• Require just-in-time approval for high‑risk actions such as DROP TABLE, cluster‑admin kubectl commands, or privileged SSH operations.
• Block disallowed commands before they reach the backend, preventing accidental data loss.
• Scope access per request so that Devin only sees the resources it needs for a specific task.

All of these outcomes are only possible because hoop.dev is the active enforcement point. If the gateway were removed, the same identity and credential would still exist, but none of the audit, masking, or approval capabilities would be enforced.

How the model works for Devin

Devin authenticates to the organization’s IdP using a machine‑to‑machine client credential flow. The token is presented to hoop.dev, which validates it and maps the agent’s service account to a policy that grants production‑access only for the specific namespace or database schema required for the task. When Devin issues a SQL statement, hoop.dev inspects the command. If the statement matches a pattern marked as high‑risk, an approval workflow is triggered – a human reviewer receives a notification and can approve or deny the request. Approved commands are forwarded to the database; denied commands are blocked and logged.

For read‑only queries that might return sensitive columns, hoop.dev can mask those fields in the response stream, ensuring that downstream logs or downstream AI pipelines never see raw credit‑card numbers. Every interaction – whether approved, blocked, or masked – is stored in a secure audit log that can be replayed for forensic analysis or compliance reporting.

Getting started

Implementing this pattern begins with the getting‑started guide. Deploy the gateway using Docker Compose or Kubernetes, register the production resources that Devin must access, and define the policy that ties the AI service account to just‑in‑time approval rules. The learn section provides deeper explanations of masking, session replay, and approval workflow configuration.

FAQ

Does hoop.dev store my production credentials?

No. The gateway holds the credential only in memory for the duration of a session. The AI agent never sees the secret, and the credential is never written to disk.

Can I retroactively view what Devin did in production?

Yes. Because hoop.dev records each session, you can replay any command or query, see the exact response that was returned, and verify whether masking was applied.

Is this solution compatible with existing CI/CD pipelines?

Absolutely. The gateway works with standard client tools (psql, kubectl, ssh) so you can replace a direct connection string with a hoop.dev endpoint without changing your build scripts.

Explore the open‑source repository on GitHub to contribute, review the code, or start a self‑hosted deployment.