Policy as Code for Agent Runtimes

How can you ensure that every automated script or AI‑driven agent respects your organization’s policy as code without hard‑coding rules into each runtime?

Today many teams hand agents static secrets, embed access checks in application code, or rely on ad‑hoc scripts that assume the right permissions are in place. The result is a sprawling set of policies that live in Git repos, CI pipelines, and individual Dockerfiles. When a credential is rotated, every agent must be updated, and the audit trail of who ran what command is often missing. Operators discover, after the fact, that a mis‑configured agent performed a destructive operation because the policy check never executed where it should have.

This reality creates three intertwined problems. First, the policy definition itself is version‑controlled, but there is no guaranteed point of enforcement. Second, agents still connect directly to the target database, Kubernetes cluster, or SSH host, bypassing any runtime guard. Third, because the connection path is uncontrolled, there is no reliable session recording or real‑time data masking, leaving sensitive fields exposed in logs or on‑screen.

Why a pure policy as code approach leaves a gap

Defining policies as code is a necessary foundation. You can express “agents may only read from tables that start with analytics_” or “no SSH session may execute rm -rf /”. However, without a consistent enforcement layer, those rules are merely documentation. The request still travels from the agent to the backend service over the network, and the backend sees only the agent’s identity and the raw command. The enforcement point, where the policy is evaluated, approved, or blocked, remains outside the data path.

In this pre‑condition, the setup stage (identity federation, OIDC tokens, least‑privilege service accounts) correctly identifies who is making the request. It does not, by itself, prevent a rogue command from reaching the target, nor does it capture the interaction for later review. The request still reaches the database or Kubernetes API directly, with no audit, no inline masking, and no opportunity for a human to approve a risky operation.

Putting the gateway in the data path

Enter hoop.dev, a Layer 7 gateway that sits between the agent runtime and the infrastructure it accesses. By deploying the gateway inside the same network segment as the target, every request must pass through it before reaching the backend. This placement makes the gateway the only place where enforcement can happen.

Because hoop.dev is the data path, it can enforce policy as code in real time. It evaluates each command against the defined rules, blocks disallowed operations, and routes questionable actions to an approval workflow. It also masks sensitive response fields before they reach the agent, ensuring that credentials or personal data never appear in logs. Finally, it records the entire session, providing replay capability for audits and post‑incident analysis.

Continue reading? Get the full guide.

Pulumi Policy as Code + Open Policy Agent (OPA): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

All of these outcomes exist only because hoop.dev sits in the data path. Without the gateway, the same policies would remain unenforced, and the session would be invisible to auditors.

How the enforcement flow works

Setup: Identities are provisioned via OIDC or SAML, and each agent receives a short‑lived token. The token tells the gateway who the caller is, but it does not grant direct access to the backend.
Data path: The agent’s request is intercepted by hoop.dev. The gateway parses the wire protocol (SQL, SSH, Kubernetes exec, etc.) and applies the policy as code rules.
Enforcement outcomes: If the command complies, it is forwarded; if not, hoop.dev blocks it or initiates a just‑in‑time approval. Every response is optionally masked, and the whole exchange is recorded for replay.

With hoop.dev in place, you get a guaranteed enforcement point and immutable evidence of what actually happened, completing the core requirements of an effective policy as code strategy.

Getting started with hoop.dev

To adopt this model, start with the getting‑started guide. Deploy the gateway using Docker Compose or Kubernetes, register your agent runtimes, and point your existing tools (psql, kubectl, ssh) at the gateway endpoint. The docs on the learn site walk through defining policies as code and configuring inline masking.

All of the heavy lifting, credential storage, token verification, and policy evaluation, remains open source, so you can inspect or extend the logic to match your compliance needs.

FAQ

Is hoop.dev a replacement for IAM roles?

No. IAM roles (or service‑account tokens) still determine who can request access. hoop.dev adds a mandatory enforcement layer on top of those identities.

Can I use hoop.dev with existing CI pipelines?

Yes. CI jobs can acquire an OIDC token, then connect through the gateway just like a human operator. The same policy as code rules apply, ensuring automated workloads cannot bypass controls.

What happens to data that is masked?

Masking occurs in the gateway before the response is sent to the agent. The original value stays in the backend system, while the agent only sees the redacted version, reducing accidental exposure in logs or screen captures.

Explore the source code and contribute on GitHub: https://github.com/hoophq/hoop.