All posts
June 18, 20263 min read

Putting access controls around Claude: audit trails for AI coding agents (on Postgres)

Many assume that simply giving an AI coding assistant a database password is enough to keep the work safe. In reality the assistant can read, write, and even drop tables without any trace, and there are no audit trails documenting its activity. Most teams today hand Claude a static Postgres credential, let it connect directly, and trust that the surrounding process will notice any misstep. The result is a blind spot: no record of which query the model issued, no way to hide sensitive columns, an

Free White Paper

AI Audit Trails + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that simply giving an AI coding assistant a database password is enough to keep the work safe. In reality the assistant can read, write, and even drop tables without any trace, and there are no audit trails documenting its activity. Most teams today hand Claude a static Postgres credential, let it connect directly, and trust that the surrounding process will notice any misstep. The result is a blind spot: no record of which query the model issued, no way to hide sensitive columns, and no chance to stop a destructive command before it runs.

Moving to a non‑human identity model, using OIDC or service‑account tokens for the AI, addresses the first problem. The token proves that the request originates from an authorized Claude instance, and it can be scoped to read‑only or limited‑time access. However, the request still travels straight to the PostgreSQL endpoint. The database sees a normal client connection, and there is still no audit trail, no inline masking of PII, and no approval workflow for risky statements. The gateway that could enforce those controls is missing.

Why audit trails matter for Claude agents

Audit trails give teams visibility into exactly what an autonomous coding agent does inside a database. They enable:

  • Forensic analysis after an unexpected data change.
  • Demonstrable compliance with internal policies that require every data‑access event to be recorded.
  • Real‑time detection of anomalous queries that could indicate a model drift or a prompt injection attack.
  • Selective redaction of columns that contain personally identifiable information, ensuring that downstream logs never expose raw values.

Without a dedicated control plane, these capabilities are unavailable. The database’s native logging can capture queries, but it cannot enforce masking, cannot require a human to approve a dangerous DDL statement, and cannot prevent the agent from seeing secret values in the first place.

Introducing hoop.dev as the enforcement layer

hoop.dev provides a Layer 7 gateway that sits between Claude’s client and the PostgreSQL server. The gateway terminates the connection, inspects the wire‑protocol traffic, and applies policy before the request reaches the database. Because hoop.dev is the only point where traffic is examined, it can deliver the enforcement outcomes that were missing in the direct‑connect model.

When Claude initiates a session, hoop.dev authenticates the OIDC token, validates the agent’s group membership, and then creates a short‑lived, scoped connection to Postgres. From that moment onward, hoop.dev records every command, masks any column marked as sensitive, and can pause execution of statements that match a risky‑query rule until a human reviewer approves them. The gateway also streams the full session to a secure store, enabling replay for audits or post‑incident investigations.

All of these controls are possible only because hoop.dev occupies the data path. The identity verification performed upstream merely decides who may start a session; hoop.dev is the place where the session is actually governed.

Continue reading? Get the full guide.

AI Audit Trails + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How the architecture fits together

The high‑level flow looks like this:

  1. Claude obtains an OIDC access token from the organization’s identity provider.
  2. The token is presented to hoop.dev’s gateway.
  3. hoop.dev validates the token, checks group claims, and establishes a just‑in‑time connection to the PostgreSQL instance using a credential that only the gateway knows.
  4. Every SQL statement passes through hoop.dev, where policy modules can:
    • records each statement and its result for an audit trail.
    • apply inline masking to columns that contain PII.
    • block or route statements that match a dangerous‑query pattern to a manual approval queue.
    • terminate the session if a policy violation is detected.
  5. The session ends; hoop.dev finalises the audit record and makes it available for compliance reporting.

This design ensures that the only entity that can see raw data or execute commands is the gateway itself. Claude never receives the database password, and the database never sees an unaudited request.

Getting started with hoop.dev

To protect Claude‑driven workloads, start by deploying the hoop.dev gateway in the same network segment as your PostgreSQL cluster. The official getting‑started guide walks you through a Docker‑Compose deployment, OIDC configuration, and how to register a Postgres connection. Once the gateway is running, update Claude’s client configuration to point at the hoop.dev endpoint instead of the raw database host.

All of the policy rules, masking definitions, risky‑query patterns, and approval workflows, are defined in the learn section of the documentation. Because hoop.dev is open source, you can inspect the implementation, contribute improvements, or host the service entirely within your own infrastructure.

FAQ

Does hoop.dev store my database credentials?
hoop.dev holds the credential only inside the gateway process. Clients and AI agents never see the secret, and the credential is never written to disk.

Can I retroactively add audit trails to an existing Claude deployment?
Yes. By routing the existing client through the gateway, all future sessions are recorded without changing the underlying application code.

What happens if a statement is blocked?
hoop.dev returns a clear error to the client and, if configured, creates a ticket for a human reviewer to approve or reject the operation.

Next steps

Explore the open‑source repository on GitHub to see the full codebase, contribute, or fork the project for a fully self‑hosted deployment:

https://github.com/hoophq/hoop

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot