Default Permission Behavior
Devin CLI uses a tiered permission system to balance power and safety. The default behavior depends on the current mode: Each cell shows whether that tool runs automatically (Auto, no prompt) or waits for your approval (Prompt) in that mode:
In Normal mode (the default), read-only operations are auto-approved while writes and shell commands require your explicit approval. Each time you approve an action, you can choose to allow it once, for the session, or permanently for the project.
In Accept Edits mode, file edits within the workspace are auto-approved, but shell commands and writes outside the workspace still prompt.
In Bypass mode, all tool calls are auto-approved without prompting.
In Autonomous mode, shell commands and network fetches auto-approve because the OS-level sandbox enforces what they can touch. Direct file edits via the
edit/write tools still prompt, because those tools operate outside the sandbox. Autonomous is only available when the OS-level sandbox is active.
Autonomous Mode
Autonomous is the permission mode that pairs with the--sandbox flag. Conceptually it is roughly “Accept Edits in the current workspace” plus the ability to run any shell command, with both behaviors contained by the OS-level sandbox. When sandbox is active:
- It is the only permission mode available. Normal, Accept Edits, and Bypass are hidden in sandbox sessions. Plan mode remains available.
- Shell commands and fetches auto-approve instead of prompting, because the sandbox enforces what they can read, write, and reach over the network.
- Direct file edits via the
editandwritetools still prompt. These tools run inside the CLI process rather than inside the sandbox, so they cannot be bounded by it. Granting aWrite(...)scope at the prompt dynamically expands the sandbox so subsequent shell commands can write there. - Scopes granted mid-session dynamically expand the sandbox for subsequent commands.
--sandbox (which selects Autonomous) when you want unattended execution with OS-enforced limits on filesystem and network access. See the sandbox configuration reference for details on writable/readable roots and domain filtering, and Team Settings → Sandbox Enforcement for enterprise controls.
How Permissions Work
When the agent calls a tool, the permission system checks your rules in priority order:- Deny rules — Checked first. If matched, the action is blocked immediately.
- Ask rules — Checked second. If matched, you’re always prompted (overrides any allow rules).
- Allow rules — Checked last. If matched, the action proceeds without prompting.
- Default — If no rule matches, you’re prompted for approval.
Because deny is checked before ask, and ask is checked before allow, a deny rule always wins. If the same scope matches both a deny and an ask rule, the deny takes effect.
Configuration
Add permissions to your config file’spermissions section:
On Windows, the user config path is
%APPDATA%\devin\config.json (typically C:\Users\<you>\AppData\Roaming\devin\config.json) rather than ~/.config/devin/config.json. See Configuration File for details.- Project config
- User config
- Local override
Permission Syntax
There are two types of permission matchers: scope-based (controlling what paths/commands/URLs are accessible) and tool-based (controlling which tools can be used).Scope-Based Permissions
Read(glob)
Read(glob)
Controls file read access. The glob pattern matches file paths.Directory paths automatically match all files within them.
Write(glob)
Write(glob)
Controls file write/edit access.
Exec(prefix)
Exec(prefix)
Controls shell command execution. Matches commands that start with the given prefix.
Exec(git) matches “git”, “git status”, “git commit -m ‘msg’” but NOT “gitk” or “github-cli”. The prefix must match as a complete word.Fetch(pattern)
Fetch(pattern)
Controls HTTP fetch access using URL patterns.URL patterns follow the WHATWG URL Pattern standard. The
domain: shorthand matches any path on the exact domain.Tool-Based Permissions
Match by tool name to control entire tools:read, edit, grep, glob, exec
MCP Tool Permissions
Control access to MCP server tools:Path Patterns
Glob patterns inRead() and Write() support:
Examples:
Use an absolute path prefix (e.g.,
Read(/**)) when you want to match all files on the system. A bare Read(**) without a leading / is resolved relative to your current working directory, so it only matches files under that directory — not files accessed via absolute paths elsewhere.Persistence Options
When the agent asks for permission during a session, you can choose how to save your decision:MCP Server-Level Grants
When prompted for a specific MCP tool (e.g.,list_issues on the Figma server), the permission prompt also offers broader server-level options:
This lets you quickly grant blanket access to a trusted MCP server without approving each tool individually.
Precedence
When multiple permission sources define rules, they’re merged with this precedence (highest first):- Organization/team settings (if enterprise)
- Session-level grants (interactive approvals)
- Project local config (
.devin/config.local.json) - Project config (
.devin/config.json) - User config (
~/.config/devin/config.json;%APPDATA%\devin\config.jsonon Windows)

