Putting access controls around Claude: data masking for AI coding agents (on on-prem)

An unmasked Claude response can expose proprietary code in a single line, making data masking essential.

AI coding agents such as Claude are powerful assistants, but they also become inadvertent exfiltration channels. When a developer asks the model to generate a snippet, the model may pull in API keys, database passwords, or customer PII that exist in the code base. On‑premises deployments amplify the risk because the organization assumes that nothing ever leaves the data center; a stray secret in an AI reply can be copied to a clipboard, logged, or sent to downstream tools without any oversight.

Teams often make three predictable mistakes. First, they trust the model’s output as if it were a vetted code review, assuming that the LLM will not surface anything sensitive. Second, they grant the Claude service account broad read access to all repositories, giving the agent the ability to retrieve any secret stored in the code. Third, they rely on perimeter firewalls or network segmentation alone, forgetting that the data path between the user and the LLM is not monitored for content leakage. The result is a blind spot where sensitive strings can appear in plain text, be copied by a developer, and later appear in logs or tickets.

Most organizations have already solved the identity piece. They federate their on‑prem IdP with OIDC or SAML, issue short‑lived tokens to users, and configure the Claude MCP server to accept those tokens. This setup ensures that only authenticated engineers can invoke the model, and that each request carries a verifiable identity. However, the request still travels straight to Claude’s inference endpoint, and the response returns to the client unchanged. No inline masking, no approval workflow, and no immutable audit record exist at that point. The gateway that could enforce policy is missing.

The missing piece is a data‑path enforcement point that can inspect, transform, and record every LLM interaction before it reaches the user. Without such a point, the organization cannot guarantee that secrets are filtered out, nor can it produce evidence that a particular piece of code was never exposed.

hoop.dev provides that enforcement point. It sits between the authenticated user and the Claude MCP server, acting as an identity‑aware proxy that inspects the LLM protocol at layer 7. Because hoop.dev is the only component that sees the traffic, it can apply masking policies in real time, block responses that violate rules, and trigger just‑in‑time approval workflows for high‑risk queries.

When a developer issues a request, hoop.dev validates the OIDC token, checks the user’s group membership, and then forwards the request to Claude. As Claude streams its answer back, hoop.dev scans each fragment against the configured data‑masking rules. hoop.dev masks any string that matches the secret pattern before it reaches the client, ensuring that credentials or PII never appear on the screen. If a response contains a high‑risk pattern, hoop.dev can pause the stream and route the fragment to an approver for manual review.

Because hoop.dev is the data path, it also records every session. hoop.dev stores a replayable log that includes the original request, the masked response, and the identity of the requester. This log can be exported for audit or compliance purposes, and it provides a definitive evidence trail that the organization never exposed the raw secret. The agent never sees the unmasked data, satisfying the “agent never sees the credential” guarantee.

Deploying this architecture follows a clear, high‑level flow. First, provision the hoop.dev gateway on the same network segment as the Claude MCP server. Next, register Claude as a connection in hoop.dev, supplying the service credentials that the gateway will use to talk to the model. Then, define masking policies in the hoop.dev UI or configuration – for example, regexes that match AWS keys, JWTs, or custom token formats. Finally, enable just‑in‑time access so that developers receive a short‑lived session token that is validated by hoop.dev on each request.

All of these steps are described in the getting‑started guide and the broader learn section. The repository on GitHub contains the Docker Compose file and Helm charts needed for a quick on‑prem deployment.

Common pitfalls and how data masking with hoop.dev avoids them

• Relying on post‑hoc log analysis. Without a data‑path proxy, logs capture only what the client chooses to record. hoop.dev records the raw interaction before any transformation, guaranteeing completeness.
• Hard‑coding masking logic in application code. Embedding regexes in services leads to drift and maintenance overhead. hoop.dev centralizes the rules, so updates apply instantly to all sessions.
• Granting blanket read access to the LLM. Even with least‑privilege IAM roles, the model can still surface secrets it reads from code. hoop.dev enforces fine‑grained policies regardless of the underlying credential scope.

FAQ

Does hoop.dev store the original, unmasked Claude output?

No. hoop.dev records the interaction after masking has been applied. The raw response never leaves the gateway, satisfying the requirement that the agent never sees the credential.

Can I apply different masking policies per team?

Yes. Because hoop.dev evaluates policies at the data path, you can scope rules by user group, project tag, or request context, giving each team a tailored protection set.

Is this approach compatible with existing CI pipelines?

Absolutely. CI jobs can obtain short‑lived session tokens from the identity provider and then invoke Claude through hoop.dev, gaining the same masking and audit guarantees without any code changes.

Ready to see the code and contribute? Explore the open‑source repository on GitHub and follow the deployment instructions.

For a complete overview of what hoop.dev fronts and how it fits into an on‑prem security stack, visit the product page.