Prerequisites: This guide assumes familiarity with declarative environment configuration. See Declarative environment configuration for an introduction.
The blueprint hierarchy
Devin’s environment configuration follows a three-tier hierarchy. Each tier builds on the one above it:| Tier | Who manages it | Scope |
|---|---|---|
| Enterprise | Enterprise admins | All organizations, all repositories |
| Organization | Org admins | All repositories in the org |
| Repository | Org admins or repo config | A single repository |
Configuring the enterprise blueprint
Navigate to Settings > Devin’s base environment to define the enterprise blueprint. This uses the same format as org and repo blueprints, withinitialize, maintenance, and knowledge sections. Enterprise and org blueprints also support a post-build section for commands that run after all repos are cloned and set up.
The enterprise blueprint runs first during every build, before org and repo blueprints. This means tools and runtimes installed at the enterprise level are available to all downstream blueprints.
What to put in the enterprise blueprint
The enterprise blueprint is for tools and configuration that every organization needs. Common use cases:Standard language runtimes
Pin language versions across the enterprise so every team works with the same toolchain:Security tools and compliance scanning
Install scanners and audit tools that every project must use:Internal CLI tools and utilities
Distribute company-specific tools to every environment:Shared package registry configuration
Point package managers at your internal registries:Corporate proxy and certificate setup
Install corporate CA certificates and configure proxy settings:How tiers interact
During a build, each tier’s steps run in a fixed sequence. The output of earlier tiers is available to later ones. Tools installed at the enterprise level are ready to use in org and repo blueprints without reinstallation. A build creates a new snapshot in this order:post-build steps run after every repo has been cloned and set up, so they can validate the fully assembled environment. A non-zero exit code from a post-build step fails the build and no snapshot is produced. See post-build in the blueprint reference.
Tiers are additive: repo blueprints can use tools installed by the org or enterprise blueprint. Lower tiers cannot override what a higher tier set up. Builds typically take 5–15 minutes. Individual commands time out after 1 hour.
knowledge items from all tiers are collected and made available to Devin. If multiple tiers define a knowledge item with the same name, all of them are included. They don’t overwrite each other.
Enterprise secrets
Enterprise admins can define secrets at the enterprise level. These secrets are available as environment variables during every build and every session across all organizations, in enterprise, org, and repo blueprint steps alike. Use enterprise secrets for credentials that are shared across the entire company:- Internal package registry tokens
- Corporate proxy authentication
- Shared API keys for internal services
- License keys for enterprise tools
Managing enterprise secrets requires the ManageAccountResources permission.
Enterprise-wide rebuilds
Enterprise admins can trigger a rebuild that cascades to all organizations. This is useful when:- You update the enterprise blueprint (e.g., upgrade Python from 3.11 to 3.12)
- You rotate an enterprise secret
- You need to refresh all environments after a security patch
Enterprise-wide rebuilds respect each org’s build queue. If an org already has a build in progress, the enterprise-triggered rebuild queues behind it. If a build is already queued, it gets cancelled and replaced by the enterprise-triggered one.

