PII/PHI redaction for AI coding agents on Postgres

An AI coding assistant that writes SQL queries for a health‑tech platform must enforce pii/phi redaction when accessing Postgres. The engineer trusts the model to generate useful analytics, but the agent runs with a static database password stored in a CI secret. When the assistant returns query results, any column that holds names, social security numbers, or diagnostic codes is sent straight to the downstream tool, exposing pii/phi without any review. In this configuration the organization relies on a single credential, offers no per‑query audit, and lacks any mechanism to hide sensitive fields. The result is a convenient development flow that silently violates privacy regulations and inflates the blast radius of a compromised token.

Why pii/phi redaction matters for AI agents

AI agents are valuable because they can synthesize data, suggest optimizations, and even generate code on the fly. The same capability, however, becomes a liability when the agent can read raw patient data. Regulations such as HIPAA require that any protected health information be masked or redacted before it leaves a trusted environment. Moreover, developers need evidence that each query was authorized and that no accidental leakage occurred. Without a dedicated control point, the organization cannot guarantee that the AI respects these obligations.

The missing enforcement layer

Most teams address the problem by tightening the initial credential: they rotate passwords, enforce short‑lived tokens, or grant the AI a role with limited privileges. Those steps constitute the setup, they decide who may start a session and what baseline rights the identity possesses. What they do not provide is a place where the request can be examined, altered, or blocked before it reaches the database. The connection still travels directly to PostgreSQL, meaning there is no real‑time audit, no inline masking, and no ability to require an analyst’s approval for a risky query. In other words, the enforcement outcomes remain absent.

hoop.dev as the data‑path gateway

Placing hoop.dev between the AI agent and PostgreSQL creates the missing enforcement layer. hoop.dev is a Layer 7 gateway that proxies the wire‑protocol connection, inspects every statement, and applies policy before the database sees the request. Because the gateway sits in the data path, it is the only component that can reliably enforce masking, record activity, and intervene on dangerous commands.

How inline masking works for PostgreSQL

When an AI‑generated query reaches hoop.dev, the gateway terminates TLS, authenticates the user’s OIDC token, and then evaluates the statement against the configured masking rules. If the query requests columns that contain personally identifiable information, such as patient_name or ssn, hoop.dev redacts those fields in the result set before forwarding the rows to the client. The masking happens at the protocol level, so the AI never sees the raw values and downstream tools only receive the sanitized data.

In addition to masking, hoop.dev records each SQL statement with the associated user identity, timestamp, and outcome. This command‑level audit provides the evidence needed for compliance reviews and forensic investigations. The gateway also offers guardrails that can block statements deemed destructive, such as DROP TABLE or ALTER SYSTEM, unless an explicit approval workflow is satisfied.

Putting the policy in place

The policy definition lives in the gateway’s configuration. Administrators declare which columns are considered sensitive, the redaction technique (for example, replacing values with a placeholder), and any conditional rules that depend on the requestor’s role. Because hoop.dev holds the database credentials, the AI agent never receives them; the gateway presents its own service identity to PostgreSQL, preserving secret hygiene.

Just‑in‑time access is enforced by requiring a fresh OIDC token for each session. If a developer or automated job needs elevated privileges for a one‑off investigation, an approval request can be routed to a designated reviewer. Once approved, hoop.dev grants the temporary scope, records the decision, and revokes it automatically after the session ends.

Getting started

To try this pattern, follow the getting started guide which walks you through deploying the gateway, registering a PostgreSQL connection, and defining a simple masking rule. The full documentation of masking capabilities and guardrails is available in the learn section. All of the components are open source under the MIT license, and the reference implementation can be inspected or extended on GitHub.

FAQ

• Does hoop.dev store database passwords? The gateway stores the credential in its own runtime, never exposing it to the AI agent or the end user.
• Can I see which queries accessed sensitive columns? Yes. hoop.dev records every statement and the masking actions applied, giving you a searchable audit trail.
• Is the masking reversible? The redaction is performed in‑flight; the original values remain only inside PostgreSQL and are never written to logs or returned to the client.

Explore the source code and contribute on GitHub.