Overview

Team-wide settings allow you to control your users’ Devin for Terminal usage through the Cognition web app. These settings apply across your entire organization. Regardless of whether you authenticate via Devin or Windsurf, the Devin for Terminal team settings are located in the same place: https://windsurf.com/team/cli-settings
Only the settings listed on the Devin for Terminal Settings page apply to Devin for Terminal. The settings on the Windsurf Team Settings page apply to Windsurf and do not necessarily apply to Devin for Terminal unless they are also listed on the Devin for Terminal Settings page.

Available Settings

Models

Control which models your users can access through Devin for Terminal. You can:
  • Whitelist specific models — Restrict users to a curated list of approved models
  • Allow all models — Give users access to all available models
Click Configure to manage model access for each category.

Allow the Devin for Terminal agent to search the web for relevant information. This tool is disabled by default for enterprise teams.

MCP Servers

Control whether your users can use MCP (Model Context Protocol) tools.
  • Toggle on/off — Enable or disable MCP server usage entirely
  • Whitelisted MCP Servers — Specify which MCP servers users are allowed to connect to. If no servers are added, all servers are whitelisted by default. Click Add Server to restrict access to specific servers.

Terminal Permissions

Configure team-enforced permission rules for Devin for Terminal usage. These rules have the highest precedence and cannot be overridden by individual users’ local or project configurations. Click Configure to open the permissions editor. The configuration requires a JSON object with three fields:
{
  "deny": [
    "exec"
  ],
  "ask": [],
  "allow": [
    "Read(~/my-repository/**)"
  ]
}
  • deny — Actions that are blocked entirely (takes highest priority)
  • ask — Actions that always prompt the user for approval
  • allow — Actions that are automatically approved without prompting
Permissions can be scope-based or tool-based:
Type               Format        Example
File read          Read(/path)   Read(~/sensitive/**)
File write         Write(/path)  Write(.env*)
Command execution  Exec(cmd)     Exec(rm), Exec(sudo)
HTTP fetch         Fetch(url)    Fetch(https://internal.api/*)
Tool-based         Tool name     read, edit, exec
Use team-enforced deny rules to prevent actions across your entire organization, such as blocking access to sensitive directories or dangerous commands like rm -rf or sudo.
For detailed information on permission syntax, glob patterns, and configuration examples, see the Permissions documentation.
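
A pre-flight check for the permissions JSON described above, as an added example (not Cognition's code and not part of the original page). It assumes strict JSON, exact-string comparison of rules across the three lists, that ask outranks allow, and that any bare lowercase word is a tool name; `lint_permissions` and the sample input are hypothetical.

```python
import json
import re

# Scope-based forms from the table above; a bare lowercase word is treated as a
# tool name (assumption: the page shows read, edit, exec but gives no full list).
SCOPED = re.compile(r"^(Read|Write|Exec|Fetch)\((.+)\)$")
TOOL = re.compile(r"^[a-z][a-z0-9_]*$")
FIELDS = ("deny", "ask", "allow")  # highest precedence first (ask > allow assumed)


def lint_permissions(text):
    """Return a list of problems found in a team permissions JSON string."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        # Strict JSON rejects trailing commas and comments.
        return [f"invalid JSON at line {err.lineno}: {err.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    problems = [f"missing field: {f}" for f in FIELDS if f not in cfg]
    problems += [f"unexpected field: {k}" for k in cfg if k not in FIELDS]

    seen = {}  # rule -> highest-precedence list it appeared in
    for field in FIELDS:
        rules = cfg.get(field, [])
        if not isinstance(rules, list):
            problems.append(f"{field} must be an array")
            continue
        for rule in rules:
            if not isinstance(rule, str) or not (SCOPED.match(rule) or TOOL.match(rule)):
                problems.append(f"{field}: unrecognized rule {rule!r}")
                continue
            if rule in seen and seen[rule] != field:
                problems.append(f"{field}: {rule!r} is shadowed by {seen[rule]}")
            if field == "allow" and TOOL.match(rule):
                problems.append(f"allow: bare tool name {rule!r} auto-approves every use of that tool")
            seen.setdefault(rule, field)
    return problems


if __name__ == "__main__":
    # Constructed sample: a duplicated rule, a broad allow, and a malformed rule.
    sample = '{"deny": ["Exec(sudo)"], "ask": [], "allow": ["Exec(sudo)", "exec", "rm -rf"]}'
    for problem in lint_permissions(sample):
        print(problem)
```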

Further Reading

To understand how to configure Devin for Terminal further, see the Configuration documentation.