Putting access controls around Claude: guardrails for AI coding agents (on Snowflake)

Many assume that giving an AI coding agent unrestricted access to a data warehouse is harmless because the model only reads schema. The reality is that Claude can issue INSERT, UPDATE, or DELETE statements, and without guardrails a single stray prompt can corrupt production tables or expose sensitive columns.

In most teams the practice today is to create a shared Snowflake user for the Claude integration, embed its credentials in the deployment pipeline, and let the agent connect directly. The same static key is used for every request, there is no per‑user audit, and the Snowflake role often grants read‑write access across the entire account. Engineers rarely see what the agent actually runs, and security teams have no evidence of which queries succeeded or failed.

This arrangement creates three concrete risks. First, accidental data loss: a malformed prompt can trigger a DELETE without anyone noticing. Second, data leakage: sensitive columns such as SSN or credit‑card numbers may be returned to the agent and logged elsewhere. Third, compliance gaps: auditors cannot trace who caused a change because the Snowflake logs only show the shared service account.

To mitigate those risks you need an identity‑aware proxy that sits between the AI agent and Snowflake. The proxy must be able to read the user’s OIDC token, map groups to fine‑grained policies, and enforce guardrails at the protocol level. It should be able to mask column values in result sets, block destructive commands unless a human approves them, and record the full session for later replay. Crucially, the enforcement point has to be in the data path, not in a downstream logging pipeline, because only a gateway that sees every packet can stop a command before it reaches the database.

hoop.dev provides exactly that data‑path enforcement layer. It acts as a Layer 7 gateway that terminates the Claude connection, validates the OIDC token against your identity provider, and then forwards the request to Snowflake using a credential that only the gateway knows. Because hoop.dev is the only component that can see the traffic, it is the sole place where guardrails can be applied.

When a Claude request arrives, hoop.dev checks the user’s groups and determines whether the query is allowed. If the query attempts to read a column marked as sensitive, hoop.dev masks the value in the response before it reaches the agent. If the request contains a DDL or DML statement that could alter data, hoop.dev either blocks it outright or routes it to a just‑in‑time approval workflow, requiring a designated approver to consent before execution. Every command, every response, and every approval decision is recorded by hoop.dev, creating a replayable audit trail that satisfies both internal governance and external auditors.

The setup respects the principle of least privilege. Your identity provider issues short‑lived tokens to engineers or automated pipelines. hoop.dev validates those tokens, maps them to a policy that grants read‑only access to specific schemas, and never exposes the Snowflake service account to the caller. The agent never sees the underlying credential, and the credential never leaves the gateway, eliminating credential sprawl.

Because hoop.dev is open source and MIT‑licensed, you can self‑host the gateway in your own VPC or on‑premises network. The official getting‑started guide walks you through deploying the Docker Compose stack, registering a Snowflake connection, and configuring OIDC authentication. The feature documentation explains how to define masking rules, set up approval policies, and query the audit logs.

Implementing guardrails for Claude does not require a separate security appliance or a custom proxy written from scratch. By placing hoop.dev in the data path, you gain a single point of control that enforces masking, command blocking, just‑in‑time approval, and session recording for every interaction with Snowflake.

Explore the hoop.dev repository on GitHub to get the source code, contribute, or file an issue.

FAQ

How does hoop.dev prevent accidental data deletion?

hoop.dev blocks destructive statements such as DELETE or DROP unless an approver explicitly authorizes them. The block happens before the command reaches Snowflake, so no data is lost.

Does hoop.dev store the raw data returned by Snowflake?

hoop.dev only streams the response through its masking engine. It never persists the unmasked data; it records the fact that a query ran and the masked result that was delivered.

Can I continue using existing Snowflake roles?

Yes. hoop.dev forwards the request using its own service identity, but you can map that identity to a Snowflake role that provides the baseline privileges you need. The guardrails layer adds an additional, enforceable policy on top of those role permissions.