All posts
June 18, 20263 min read

Putting access controls around Claude: session recording for AI coding agents (on BigQuery)

Why session recording matters for Claude agents How can you be sure that every code suggestion generated by Claude and executed against BigQuery is traceable? Claude, when used as a coding assistant, translates natural‑language prompts into SQL statements that run directly on your data warehouse. The convenience is undeniable, but it also introduces a blind spot: a single mistaken suggestion can expose sensitive rows, overwrite tables, or trigger costly queries. Without a reliable audit trail,

Free White Paper

AI Session Recording + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Why session recording matters for Claude agents

How can you be sure that every code suggestion generated by Claude and executed against BigQuery is traceable?

Claude, when used as a coding assistant, translates natural‑language prompts into SQL statements that run directly on your data warehouse. The convenience is undeniable, but it also introduces a blind spot: a single mistaken suggestion can expose sensitive rows, overwrite tables, or trigger costly queries. Without a reliable audit trail, security teams struggle to answer basic questions such as who triggered a particular data export or whether a compliance‑critical column was read.

Most organizations already enforce strong identity controls. Engineers authenticate to an identity provider, receive OIDC tokens, and are granted the least‑privilege roles needed to query BigQuery. Those tokens prove who is connecting, but they do not capture what is sent over the wire. The request travels straight from the Claude process to the BigQuery endpoint, bypassing any central checkpoint that could record the interaction.

That gap is the precondition this guide addresses. Identity verification is necessary, yet it leaves the actual query path unobserved. To obtain true session recording you need a component that sits in the data path, inspects each request and response, and persists an audit record before the query reaches BigQuery.

Implementing session recording with hoop.dev

hoop.dev provides the required data‑path gateway. It runs a lightweight agent inside the same network as BigQuery and proxies every Claude‑initiated connection. Because the gateway terminates the protocol, it can capture the full request‑response cycle, apply inline masking if needed, and write an audit record for each session. In this architecture hoop.dev is the only system that creates the session‑recording evidence; the identity provider and the Claude process never produce that log on their own.

When Claude connects through the built‑in MCP server, the MCP client points to the hoop.dev endpoint instead of the raw BigQuery address. The gateway authenticates the user’s OIDC token, checks group membership, and then forwards the SQL statement. Before forwarding, hoop.dev stores the statement and the corresponding response in its audit backend, ensuring a complete replayable trace.

The benefits are threefold:

Continue reading? Get the full guide.

AI Session Recording + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Compliance teams receive a ready‑to‑use log that shows who issued each query, when, and what data was returned.
  • Security analysts can replay a session to understand the context of a data‑leak incident without needing access to the original Claude instance.
  • Developers gain a safety net; if a generated query behaves unexpectedly they can review the exact command that was sent.

High‑level steps to enable session recording

1. Deploy the hoop.dev gateway using the getting‑started guide. The quick‑start runs the gateway in Docker Compose and configures OIDC verification out of the box.

2. Register BigQuery as a connection inside the gateway. Provide the target endpoint and the service‑account credential that the gateway will use; Claude never sees this secret.

3. Enable the session‑recording feature for the connection. hoop.dev will then store every request and response in its audit backend.

4. Configure Claude’s MCP client to point at the hoop.dev endpoint. From Claude’s perspective the workflow is unchanged – it still sends SQL over the same protocol – but the traffic now flows through the gateway.

5. Verify that recordings appear in the audit UI or export them for downstream analysis.

Next steps and resources

For a deeper dive into guardrails, masking, and approval workflows, explore the learn section. The open‑source repository contains the full implementation and example deployment files: Explore the repository on GitHub.

FAQ

Does session recording add latency to Claude’s responses? The gateway adds a small, network‑level hop. In practice the overhead is negligible compared to the time required for BigQuery to execute the query.

Can I retain recordings indefinitely? hoop.dev stores logs according to the retention policy you configure in the audit backend. You can keep them as long as required for compliance or forensic needs.

Is the recorded data encrypted? All traffic between Claude, the gateway, and BigQuery is encrypted in transit. The audit store can be backed by any encrypted storage solution you choose, following the guidance in the documentation.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot