Putting access controls around Claude: production access for AI coding agents (on on-prem)

Many assume that giving an AI coding assistant like Claude unrestricted production access is safe because the model only generates code. The reality is that Claude can invoke internal APIs, read files, and push changes directly to live services, so a mis‑generated command can corrupt production data in seconds.

In most on‑prem environments, teams hand the Claude agent a static service account credential and point it at the production cluster. The credential lives on the same host that runs the model, the connection bypasses any review step, and there is no central log of what the model actually executed. Engineers love the speed, but the lack of guardrails means a single rogue request can alter databases, redeploy containers, or expose secrets without any trace.

What organizations really need is a way to keep Claude’s convenience while ensuring that every production operation is vetted, recorded, and, when necessary, masked. The desired state is that Claude still talks to the same back‑ends, but the request must travel through a gate that can enforce just‑in‑time approval, block dangerous commands, and capture a replayable session. Without such a gate, the request still reaches the target directly, with no audit, no inline masking of sensitive fields, and no opportunity to intervene before execution.

hoop.dev provides that gate. It sits at Layer 7 between Claude’s runtime and the production resources it contacts. By acting as an identity‑aware proxy, hoop.dev inspects each protocol message, whether it is a SQL query, a kubectl command, or an SSH instruction, and applies the policies you define. The gateway can require a human approver for any command that matches a risk pattern, automatically mask credential fields in responses, and record the entire session for later replay. Because hoop.dev holds the credential, the Claude agent never sees the secret directly, eliminating the risk of credential leakage.

Why production access matters for Claude agents

Production access grants the ability to modify live state. When an AI model writes a configuration file or runs a migration script, a single typo can cascade into downtime. Moreover, Claude can be prompted to retrieve data that includes personally identifiable information; without masking, that data could be exposed to downstream logs or third‑party services. Enforcing production access therefore requires three technical guarantees: a review step before high‑impact actions, real‑time redaction of sensitive output, and a reliable audit log of every interaction.

How hoop.dev enforces production access

When a request originates from Claude, it is routed through hoop.dev’s gateway. The gateway validates the OIDC token that Claude presents, maps the token to a set of role‑based permissions, and then evaluates the payload against the policy engine. If the command matches a “dangerous” pattern, such as a database DROP, a Kubernetes delete, or an SSH command that modifies system files, hoop.dev pauses execution and triggers a just‑in‑time approval workflow. An authorized operator can approve or deny the request from a web UI, and hoop.dev forwards the command only after approval.

If the response contains fields marked as sensitive, API keys, passwords, or customer identifiers, hoop.dev masks those values before they reach Claude. The masking happens inline, so the model never sees the raw secret. At the same time, hoop.dev records the full request and response stream, timestamps each operation, and stores the session for audit purposes. The recorded session can be replayed later for forensic analysis or compliance reporting.

All of these enforcement outcomes, approval gating, inline masking, and session recording, are possible only because hoop.dev occupies the data path. The identity verification step alone cannot block a command; the gateway’s inspection layer is what actually enforces the policy.

Key policy components

• Just‑in‑time approval: Define risk patterns that require human sign‑off before execution.
• Inline data masking: Specify fields that must be redacted in responses to Claude.
• Session recording: Capture every request and response for replay and audit.
• Credential isolation: Store the production credential in the gateway so Claude never accesses it directly.

Getting started with hoop.dev for Claude

Begin by deploying the hoop.dev gateway in your on‑prem network. The quick‑start guide walks you through a Docker Compose deployment that includes OIDC authentication, masking configuration, and guardrails out of the box. Register your Claude runtime as a client, assign it the appropriate OIDC scope, and configure the production target (for example, a PostgreSQL database or a Kubernetes API server) as a connection in the gateway. The gateway will then mediate all traffic from Claude to that target.

For detailed steps, refer to the getting‑started documentation. The docs also cover how to define masking rules, set up approval workflows, and access recorded sessions. For an overview of all supported connectors and features, see the hoop.dev learn page.

For the full open‑source implementation, see the GitHub repository.

FAQ

Can hoop.dev block a command after it has started executing?

hoop.dev evaluates the command before it is sent to the target. If the policy marks the command as high‑risk, it is halted and sent to the approval workflow. Once approved, the command proceeds; otherwise it is rejected.

Does hoop.dev store the production credentials?

Yes, the gateway holds the credential securely and presents it to the target on behalf of Claude. The model never receives the raw secret.

How long are sessions retained?

Retention is configurable in the gateway settings. You can align the retention period with your organization’s audit requirements.