Putting access controls around Claude: audit trails for AI coding agents (on Kubernetes)

When a contract ends, the cloud‑native team often forgets to revoke the service account that powers an AI coding assistant. Without audit trails, the team cannot reconstruct the model’s actions. The Claude agent, still running inside a Kubernetes pod, can continue to issue API calls, push code, or read secrets without anyone noticing. In that moment there is no record of what the model asked the cluster to do, no way to prove whether a data leak occurred, and no mechanism to stop a rogue request before it reaches a database.

Claude agents are attractive because they can write code, refactor functions, and even open pull requests on behalf of developers. The convenience comes with a hidden risk: the model operates under a static credential that may be over‑privileged, and the Kubernetes network gives it unrestricted lateral movement. Without visibility, security teams cannot answer basic audit questions such as who triggered a particular change or what data was returned by a downstream service.

Most organizations already enforce least‑privilege for human users through OIDC or SAML providers. They assign short‑lived tokens, embed group membership, and require multi‑factor authentication. Extending that same identity fabric to Claude is a logical first step. The model can be given a dedicated service account that only allows read‑only access to a repository, for example. However, even with a scoped service account the request still travels directly to the target pod or database, bypassing any checkpoint that could log the interaction or intervene if the model tries to execute an unexpected command.

The missing piece is a control surface that sits on the data path itself. By placing a gateway between the Claude pod and the infrastructure it talks to, every request can be inspected, recorded, and, if necessary, blocked or routed for human approval. This approach satisfies the need for audit trails while preserving the benefits of a non‑human identity and a least‑privilege token.

hoop.dev provides exactly that Layer 7 gateway. It runs as a network‑resident agent alongside your Kubernetes cluster and proxies all traffic destined for the resources Claude needs to reach. Because hoop.dev operates at the protocol level, it can see each command, response, and error before they leave the cluster.

When Claude initiates a connection, whether it is a Kubernetes exec session, an HTTP request to an internal service, or a database query, hoop.dev intercepts the flow. The gateway authenticates the Claude service account via OIDC, validates group membership, and then enforces policy that you define centrally. Because the gateway is the only path to the target, any policy you attach is guaranteed to be applied.

Why audit trails matter for Claude agents

Audit trails are the forensic backbone for any system that automates code changes. hoop.dev records every session byte‑for‑byte, timestamps each request, and keeps the logs in a location isolated from the compute node running Claude. The result is a complete replayable history: you can see exactly which prompt caused a git push, which query retrieved a customer record, and how long the operation took. This level of visibility satisfies internal governance, supports incident response, and provides the evidence auditors expect when they ask for “who did what and when”.

Beyond simple logging, hoop.dev can enrich audit trails with contextual metadata such as the originating service account, the Kubernetes namespace, and any approval workflow that was triggered. That metadata makes it possible to filter logs by risk level, correlate events across services, and generate reports that highlight anomalous behavior.

Inline protections that complement audit trails

Recording is only half of the defense. hoop.dev can also mask sensitive fields in responses before they reach Claude, preventing the model from learning or leaking confidential values. If a command matches a pattern that is deemed dangerous, such as a destructive database operation or a privileged Kubernetes exec, hoop.dev can block the command outright or pause it for a manual approval step. These just‑in‑time approvals give security teams a chance to intervene on high‑impact actions without slowing down routine development work.

Because the gateway runs outside the Claude container, the model never sees the underlying credentials. The agent only receives a short‑lived token that grants the exact permissions required for the current session. Even if the model were compromised, the attacker would be limited to the scoped token and could not increase privileges without first passing through hoop.dev’s policy checks.

Deploying hoop.dev for Claude on Kubernetes

The deployment workflow follows the standard hoop.dev quick‑start pattern. First, you launch the gateway using the provided Docker Compose file or the Helm chart for Kubernetes. The gateway is configured with OIDC settings that point at your identity provider, and you register a new connection that represents the Claude service. In that connection you specify the target host (the internal API or database), the credential that hoop.dev will use, and any masking or approval policies you want to enforce.

Once the gateway is up, Claude connects through the hoop.dev CLI or via the built‑in MCP server, using its service account token. From the model’s perspective nothing changes, it still talks to the same endpoint, but every packet now traverses hoop.dev. All audit trails, masking, and approval logic happen transparently, and the session is recorded for later replay.

For detailed step‑by‑step guidance, see the getting‑started guide. The documentation walks you through installing the gateway, configuring OIDC, and registering a Claude connection. The open‑source repository on GitHub contains the Helm chart and Docker compose files you need to get going.

Key benefits at a glance

• Full, replayable audit trails for every Claude‑initiated request.
• Real‑time masking of secrets in responses.
• Just‑in‑time approvals for high‑risk commands.
• Credential isolation – the model never sees the underlying keys.
• Centralized policy management across all Claude deployments.

Frequently asked questions

Do I need to change my existing Claude deployment?

No. hoop.dev works as a transparent proxy. You only point Claude’s client endpoint to the gateway address; the rest of the deployment remains unchanged.

How long are audit logs retained?

Retention is configurable in the gateway’s storage settings. The default setup stores logs for 30 days, but you can extend that period to meet compliance requirements.

Can I use hoop.dev with other AI agents?

Yes. The same Layer 7 gateway model applies to any LLM that communicates over a network protocol, including Claude, Code Llama, or custom inference servers.

Ready to add audit trails and real‑time guardrails to your Claude workloads? View the open‑source repository on GitHub and start the quick‑start deployment today.

For a deeper dive into hoop.dev’s feature set, explore the learn page, where you’ll find examples of masking policies, approval workflows, and session replay tools.