
Hoop's MCP admin server: AI agents don’t get a governance exemption

Admin work is the part of infrastructure engineering nobody talks about loving. Provisioning the same database connection for the 200th time. Sifting through audit logs to answer one specific question that nobody built a dashboard for. Clicking through approval queues in a console you opened just for that. It’s the work that pulls you out of flow and into the ticket queue.

The pitch for AI agents was that you’d get some of that time back. For read-only questions, it’s mostly working. Ask the model a question about your data, get an answer. The minute the work requires writes or systematic action on infrastructure, you’re back to clicking buttons by hand.

Two places this gap is most expensive right now:

Reporting and analytics on data your tools already collect. Audit logs and session history pile up by the gigabyte. The only way to slice them is whatever dashboard the vendor decided to build. Want to know which queries your team runs every Tuesday morning but never on weekends? Want a weekly summary of the dangerous commands your engineers tried to run last week, grouped by user? Build a custom analytics application. Or wait six months for the feature request.

Bulk operations on resources. You have 5,000 databases to provision, or 200 guardrail rules to deploy across environments. You could write a script. You could build a CLI. Or you could keep doing it one console click at a time. Either way, the time cost falls on the engineer who already had something else to do.

Two reasons this gap stays open:

  • Raw admin API tokens route the agent around your governance layer. Reads are fine. Writes don’t land in the same audit log as your humans’. Approval workflows skip the agent entirely. Role boundaries get enforced at the API gateway, not the policy engine.
  • Human-in-the-loop on every write slows incident response back to ticket speed and stalls the AI productivity story you sold leadership.

Neither is the deal you signed up for.

Today we’re shipping the Hoop MCP admin server, an embedded Model Context Protocol implementation inside the Hoop gateway that closes both gaps.

What does MCP actually solve, and what doesn’t it solve?

Model Context Protocol gives agents a clean, standardized way to call tools. Claude Code, Cursor, and any MCP-compatible client can discover an MCP server, see what it can do, and call into it without bespoke integration work per platform.

What MCP does not do, on its own, is solve the governance problem. The protocol is a transport and a tool-description format. Auth, audit, and approval still live wherever you put them. Most agent admin integrations today put them nowhere.

How Hoop closes it

The MCP server runs at the policy engine, not at the API gateway. Same audit log, same approval gates, same role boundaries. Different transport, identical governance.

Hoop is the open-source access gateway between engineers, AI agents, and infrastructure. We embedded an MCP server inside the gateway itself, mounted at /api/mcp. That one design choice does the work:

  • The agent connects with a bearer token tied to a Hoop user identity.
  • Every call passes through the same Gin middleware that protects every other Hoop API route.
  • AuditMiddleware records the call alongside human admin activity in the same log.
  • RBAC, ABAC, and access request rules apply automatically. If your policy says engineers cannot delete production connections without approval, the agent inherits that policy the moment it picks up the token.

No parallel agent path. Agents run on the same rails your humans do, with the same boundaries enforced at the policy engine, not the API gateway.
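The design point above, as an added sketch that is not Hoop's code: one middleware chain wraps both a REST route and the MCP route, so a denied delete is denied on both and both attempts land in one audit log. It uses net/http instead of Gin; the tokens, roles, policy rule, REST path and the tool name connections_delete are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample identities (token -> user, role) and the one audit log both transports share.
var tokens = map[string][2]string{"tok-alice": {"alice", "admin"}, "tok-bob": {"bob", "engineer"}}
var auditLog []string

// govern is the single chain every route passes through: identity, policy, audit.
func govern(transport string, action func(*http.Request) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		act, status := action(r), http.StatusOK
		if !ok {
			id[0], status = "unknown", http.StatusUnauthorized
		} else if act == "" || (act == "connections.delete" && id[1] != "admin") {
			status = http.StatusForbidden // hypothetical rule; unclassifiable calls fail closed
		}
		auditLog = append(auditLog, fmt.Sprintf("%s %s via=%s status=%d", id[0], act, transport, status))
		w.WriteHeader(status)
	})
}

func mcpAction(r *http.Request) string {
	var rpc struct{ Params struct{ Name string } }
	_ = json.NewDecoder(r.Body).Decode(&rpc) // on error Name stays "" and govern denies
	return strings.Replace(rpc.Params.Name, "_", ".", 1) // connections_delete -> connections.delete
}

var restAPI = govern("rest", func(r *http.Request) string { return "connections." + strings.ToLower(r.Method) })
var mcpAPI = govern("mcp", mcpAction) // same chain as restAPI; only the action parsing differs

func call(h http.Handler, method, path, token, body string) int { // returns the HTTP status
	req, rec := httptest.NewRequest(method, path, strings.NewReader(body)), httptest.NewRecorder()
	req.Header.Set("Authorization", "Bearer "+token)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	call(restAPI, "DELETE", "/api/connections/prod-postgres", "tok-bob", "")
	call(mcpAPI, "POST", "/api/mcp", "tok-bob", `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"connections_delete","arguments":{"name":"prod-postgres"}}}`)
	fmt.Println(strings.Join(auditLog, "\n"))
}
```

Running it prints two audit lines for bob, one per transport, both with status 403.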

Traditional REST API token vs Hoop MCP server

Traditional REST API token:

  • Reads and writes hit the API gateway
  • Audit log separate from human admin actions
  • Approval workflows bypassed
  • Role boundaries enforced at the gateway

Hoop MCP server inside the gateway:

  • Reads and writes hit the policy engine
  • Same audit log as human admin actions
  • Approval workflows apply identically
  • Role boundaries enforced at the policy engine

What this looks like day to day

Reporting nobody had time to build.

Your security lead wants a quarterly review of production activity. Top commands by frequency, which users ran them, what got blocked at the guardrail layer, what got routed through approval.

You ask Claude Code: “Pull every session against prod-postgres from the last 90 days, group by user, and show me the dangerous commands that were blocked or approved.” The agent calls the session and audit tools, groups the data, and writes the report. The data was always sitting there. Now you can ask it questions in plain language. The agent’s read access goes through the same policy boundaries your security team already approved.

Bulk setup without writing a script.

You’re standing up a new environment with 50 database connections. The names, types, hosts, and policies are in a CSV your platform team already maintains.

You drop the CSV into Claude Code and ask it to create each connection, apply the standard guardrails for your organization, and tag everything with the right environment. The agent makes the calls one by one. Every creation goes through the same policy engine your engineers use. If a name conflicts, you see it in chat. If an environment tag is missing, the agent asks before continuing. What would have been a weekend project is done before your second coffee.

Mid-incident response.

It’s 2am. The on-call engineer needs to add a guardrail blocking DROP TABLE on prod-postgres before someone makes the situation worse.

In Claude Code, the on-call asks the agent to add the rule. The change hits the policy engine. The audit log records who initiated it and through which client. The on-call goes back to the actual incident.

Every action runs through your existing auth check, your existing audit log, your existing approval workflow. The agent gets faster. Governance stays the same size it was.

Connect Claude Code

Add this to ~/.claude/settings.json or a project’s .mcp.json:

    {
      "mcpServers": {
        "hoop": {
          "type": "http",
          "url": "https://<your-hoop-gateway-host>/api/mcp",
          "headers": {
            "Authorization": "Bearer <your-hoop-api-token>"
          }
        }
      }
    }

Restart Claude Code. It discovers the 36 tools. Ask it to “list my connections” or “create a guardrail that blocks DROP TABLE on prod-postgres” and it works. Cursor and other MCP clients connect the same way.

What ships in v1

36 admin tools across 10 resource domains:

  • Connections (5 tools): list, get, create, update, delete
  • Guardrails (5): full CRUD on dangerous-command rules
  • Data masking (5): full CRUD on PII detection rules
  • User groups (3) and users (2)
  • Access request rules (5): full CRUD
  • Reviews (3): list, get, approve/reject/revoke
  • Runbook rules (5): full CRUD
  • Sessions (2): list, get details
  • Server info (1): version, license, uptime

The server uses the official github.com/modelcontextprotocol/go-sdk v1.5.0 over Streamable HTTP.

What’s next

Two more pieces ship in May:

  • User-facing MCP tools so any developer’s agent can run queries and hit approval gates the same way humans do.
  • OAuth 2.1 for teams that want short-lived JWTs instead of long-lived bearer tokens.

Both build on the same /api/mcp endpoint.

Run it

Hoop is open source under MIT. The MCP admin server is in the latest gateway release.

curl -sL https://hoop.dev/docker-compose.yml > docker-compose.yml && docker compose up

If your AI agent has more reach than your audit log, your governance has a hole in it. We gave you 36 tools to close it.
