Why session recording matters for AI coding agents
When every AI‑generated code snippet is captured, teams can review exactly what the model suggested, replay the interaction, and prove compliance. Session recording turns a fleeting chat into a durable evidence trail that can be inspected during audits, incident investigations, or peer reviews.
Current practice and its blind spots
Most organizations that embed ChatGPT into their development pipelines do so by calling Azure OpenAI directly from a CI job or a developer’s IDE. The call typically uses a shared subscription key or a service principal that is stored in a secret manager. Because the request travels straight to the Azure endpoint, there is no intermediate observer that can capture the request‑response exchange. The result is a workflow that looks convenient but leaves three critical gaps:
- There is no reliable record of what prompt was sent and what code was returned.
- Any accidental leakage of proprietary snippets or secrets in the model’s output cannot be detected or redacted.
- Because the credential is static and widely distributed, revoking a single user’s access does not stop the key from being used elsewhere.
These gaps become especially painful when a security review asks for proof that a particular piece of generated code was reviewed before it entered production, or when a regulator demands evidence that no sensitive data left the organization via an AI service.
Introducing hoop.dev as the enforcement point
To close the gap, the architecture must place a control plane directly in the data path between the AI client and Azure OpenAI. That control plane can inspect each request, apply policies, and store a complete transcript. hoop.dev is built exactly for that role. It acts as a Layer 7 gateway that proxies the HTTP traffic used by ChatGPT, while remaining agnostic to the underlying identity provider.
How hoop.dev enables session recording
When a developer or an automated CI job wants to invoke ChatGPT, it authenticates to hoop.dev using an OIDC token issued by the organization’s IdP. hoop.dev validates the token, extracts group membership, and then forwards the request to Azure OpenAI. While the request is in flight, hoop.dev records the full HTTP exchange – the prompt, the model’s response, and any metadata such as timestamps and user identifiers. After the interaction completes, hoop.dev stores the full transcript in a log that can be queried later for audit or replay.
Because hoop.dev sits in the data path, it can also apply inline masking to any response that contains patterns matching secret formats. This masking happens before the response reaches the client, ensuring that sensitive values never appear in developer consoles or CI logs.
All of these enforcement outcomes – the reliable transcript, the optional masking, and the ability to replay a session – exist only because hoop.dev is the gateway that intercepts the traffic. Without that gateway, the Azure OpenAI endpoint would never see a policy enforcement layer.
Common pitfalls to avoid
- Relying on client‑side logging. Storing prompts locally on a developer’s machine does not provide a reliable audit trail; logs can be altered or lost. The gateway ensures a single source of truth.
- Using a single static key for all agents. Distribute identity‑based OIDC tokens instead, and let hoop.dev enforce per‑user attribution.
- Skipping masking policies. Even with session recording, unmasked secrets in model output can leak. Configure hoop.dev’s masking rules to redact patterns that match API keys, passwords, or tokens.
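To make the recording flow from "How hoop.dev enables session recording" and the masking pitfall above concrete, here is an added example written for this page. It is not hoop.dev's code and says nothing about how the product is implemented: a minimal in-process gateway in Python that verifies a bearer token, checks group membership, forwards the request to a stand-in for Azure OpenAI, redacts secret-shaped strings from the response before it is returned, and appends a transcript entry. Assumptions: HS256 with a shared secret stands in for the IdP's RS256 signing keys so the example runs offline; the `ai-coding` group, the secret regexes, `fake_azure_openai` and the constructed model output are all made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Callable, Optional

# Hypothetical shared secret: stands in for the IdP's signing keys so the
# example runs offline (real OIDC ID tokens are RS256-signed by the IdP).
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT. Only the IdP does this in practice; it is here so
    the demo can construct a token to present to the gateway."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature and expiry, then return the claims (sub, groups, ...)."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

# Masking rules (constructed): (name, pattern, replacement). The password rule
# keeps the "password =" label so the redacted text still reads sensibly.
SECRET_PATTERNS = [
    ("openai_key", re.compile(r"sk-[A-Za-z0-9]{20,}"), "[REDACTED]"),
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED]"),
    ("github_token", re.compile(r"ghp_[A-Za-z0-9]{36}"), "[REDACTED]"),
    ("password_assignment",
     re.compile(r"(?i)(password\s*[:=]\s*)(['\"]?)[^\s'\"]+\2"), r"\1[REDACTED]"),
]

def mask_secrets(text: str) -> tuple:
    """Return (masked_text, names of the rules that fired)."""
    fired = []
    for name, pattern, repl in SECRET_PATTERNS:
        text, count = pattern.subn(repl, text)
        if count:
            fired.append(name)
    return text, fired

class Gateway:
    """Minimal Layer 7 gateway: authenticate, authorize, forward, mask, record."""

    def __init__(self, upstream: Callable[[dict], dict], allowed_group: str):
        self.upstream = upstream        # stands in for the HTTPS call to Azure OpenAI
        self.allowed_group = allowed_group
        self.transcript = []            # the audit log; one entry per exchange

    def handle(self, bearer: str, request: dict, now: Optional[float] = None) -> dict:
        claims = verify_token(bearer, now)
        if self.allowed_group not in claims.get("groups", []):
            raise PermissionError("caller not in allowed group")
        response = self.upstream(request)
        raw = response["choices"][0]["message"]["content"]
        masked, fired = mask_secrets(raw)
        response["choices"][0]["message"]["content"] = masked
        # Record the redacted response plus which rules fired, so the audit
        # log itself never becomes a store of leaked secrets.
        self.transcript.append({
            "ts": now if now is not None else time.time(),
            "sub": claims["sub"],
            "groups": claims.get("groups", []),
            "prompt": request["messages"],
            "response": masked,
            "masked": fired,
        })
        return response

def fake_azure_openai(request: dict) -> dict:
    """Constructed stand-in for the model: returns a snippet containing two secrets."""
    snippet = ('client = OpenAI(api_key="sk-abcdefghijklmnopqrstuvwxyz1234")\n'
               'password = "hunter2"')
    return {"choices": [{"message": {"role": "assistant", "content": snippet}}]}

def demo() -> dict:
    gw = Gateway(fake_azure_openai, allowed_group="ai-coding")
    token = mint_token({"sub": "dev@example.com", "groups": ["ai-coding"], "exp": 1_800_000_000})
    prompt = {"messages": [{"role": "user", "content": "write an OpenAI client"}]}
    resp = gw.handle(token, prompt, now=1_700_000_000)
    return {"sent": resp["choices"][0]["message"]["content"], "log": gw.transcript}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices are worth noting. Authorization failures (expired token, wrong group) raise before the upstream call, so a rejected request never reaches the model and never produces a transcript entry; if you want rejections audited as well, log them in a separate deny path rather than in the same list. The transcript stores only the redacted response and the names of the rules that fired, which is enough to replay what the developer actually saw and to prove a secret was caught without the audit store becoming a second copy of the leaked value.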
Getting started
Deploy the hoop.dev gateway in the same Azure virtual network where your CI runners or developer workstations reside. The quick‑start guide walks you through a Docker Compose deployment, OIDC configuration, and registering Azure OpenAI as a proxied target. Once the gateway is running, update your client libraries or CI scripts to point at the hoop.dev endpoint instead of the Azure endpoint. Detailed steps are available in the getting‑started documentation and the learn section for deeper policy examples.
The source code and contribution guidelines are hosted on GitHub. You can explore the repository, raise issues, or submit pull requests at https://github.com/hoophq/hoop.
FAQ
Is session recording mandatory for compliance?
Compliance frameworks often require evidence of who accessed a system and what actions were taken. hoop.dev’s recorded sessions provide that evidence for AI‑driven code generation, making it easier to satisfy audit requirements.
Can I still use my existing Azure OpenAI subscription?
Yes. hoop.dev does not replace Azure OpenAI; it simply proxies the calls. Your existing subscription remains the source of model inference, while hoop.dev adds the audit and masking layer.
What happens if a user tries to bypass hoop.dev?
Because hoop.dev sits in the network path, a direct request to Azure OpenAI that does not pass through the gateway is blocked by network policies, provided those policies permit only the gateway to reach the Azure OpenAI endpoint. With that egress restriction in place, all traffic is subject to session recording.