Why session recording matters for AI-driven code generation
Imagine a contractor who left the company last week but whose automated Claude agent is still running nightly jobs that write data to a PostgreSQL instance. The agent has no human eyes on its activity, and the engineering team has no replayable log of what SQL statements were issued. When an unexpected row appears in a critical table, the root cause is hidden behind a black box.
Without a reliable audit trail, a team cannot answer three essential questions: who invoked the Claude agent, what data was read or written, and whether the operation complied with internal policy. The lack of visibility also makes it difficult to demonstrate compliance with standards that require evidence of data‑access controls.
Architectural ingredients for a trustworthy solution
The first ingredient is identity. An OIDC or SAML provider authenticates the service account that launches the Claude MCP server. The token tells the gateway who is making the request, but on its own it does not enforce any guardrails.
The second ingredient, and the only place enforcement can actually happen, is the data path. By inserting a Layer 7 gateway between the Claude agent and PostgreSQL, every wire‑protocol exchange can be inspected, altered, or blocked. This gateway is the logical boundary where policy meets traffic.
The third ingredient is the enforcement outcome we care about: session recording. When the gateway sits in the data path, it can capture each request and response, store a replayable transcript, and tag it with the originating identity. Without the gateway, the Claude process would communicate directly with PostgreSQL and no immutable record would exist.
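To make "capture each request and tag it with the originating identity" concrete, here is an added example (written for this page, not hoop.dev's implementation) of a minimal recorder for PostgreSQL protocol 3.0 client traffic that reassembles messages across chunks. It assumes the gateway has already terminated TLS and verified the OIDC token; the class, function, and sample names are hypothetical.

```python
import struct, time

class SessionRecorder:
    """Feed client-to-server bytes as they arrive; keeps one record per SQL statement."""
    def __init__(self, identity):
        self.identity = identity  # assumption: subject of an already-verified OIDC token
        self.buf, self.params, self.records = b"", None, []

    def feed(self, chunk):
        self.buf += chunk
        while True:
            hdr = 4 if self.params is None else 5  # the startup packet has no type byte
            if len(self.buf) < hdr:
                return
            (length,) = struct.unpack("!I", self.buf[hdr - 4:hdr])
            if length < (8 if hdr == 4 else 4):
                raise ValueError("malformed message length")
            end = hdr - 4 + length  # the length field counts itself, not the type byte
            if len(self.buf) < end:
                return  # partial message: wait for the next chunk
            mtype, body, self.buf = self.buf[:hdr - 4], self.buf[hdr:end], self.buf[end:]
            if self.params is None:
                # Startup body: protocol version, then key NUL value NUL ..., final NUL
                parts = body[4:-1].decode().split("\0")
                self.params = dict(zip(parts[0::2], parts[1::2]))
            elif mtype == b"Q":  # simple Query: SQL text, NUL-terminated
                self._record(body.partition(b"\0")[0])
            elif mtype == b"P":  # Parse: statement name, NUL, SQL text, NUL, ...
                self._record(body.partition(b"\0")[2].partition(b"\0")[0])

    def _record(self, sql):
        # Client-supplied startup params go first so they cannot overwrite trusted fields.
        self.records.append({**self.params, "ts": time.time(), "identity": self.identity,
                             "sql": sql.decode("utf-8", "replace")})

def msg(mtype, payload):
    return mtype + struct.pack("!I", len(payload) + 4) + payload

def sample_stream():  # constructed client traffic, not a capture
    startup = msg(b"", struct.pack("!I", 196608) + b"user\0svc_claude\0database\0orders\0\0")
    return (startup + msg(b"Q", b"SELECT id FROM invoices WHERE paid = false\0")
            + msg(b"P", b"\0INSERT INTO audit_notes(body) VALUES ($1)\0\0\0") + msg(b"X", b""))

def record_session(identity, chunks):
    rec = SessionRecorder(identity)
    for chunk in chunks:
        rec.feed(chunk)
    return rec.records
```

Because records are appended as each complete message arrives, a stream that stops mid-message still leaves every earlier statement in the transcript.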
How hoop.dev provides session recording for Claude agents
hoop.dev is built exactly for this pattern. It runs a network‑resident agent alongside PostgreSQL and exposes a proxy endpoint that understands the PostgreSQL wire protocol. When the Claude MCP server connects through that endpoint, hoop.dev validates the OIDC token, determines the caller’s groups, and then streams the traffic through its inspection engine.
During the stream, hoop.dev records every packet, reconstructs the full SQL session, and stores the transcript in a secure store. The record is indexed by the user identity, the target database, and a timestamp, making it easy to retrieve a specific session for forensic analysis or compliance reporting. Because the recording happens inside the gateway, the Claude process never sees the underlying credential, and the organization retains a complete audit trail regardless of how the agent is programmed.
In addition to raw recording, hoop.dev can mask sensitive columns in query results, block destructive commands, or route risky statements to a human approver before they reach PostgreSQL. Those guardrails are optional, but the session‑recording capability is always present when the gateway is in the data path.
High-level steps to enable session recording
- Deploy the hoop.dev gateway using the Docker Compose quick-start or a Kubernetes manifest. The deployment includes the network‑resident agent that will sit next to PostgreSQL.
- Register the PostgreSQL instance as a connection in hoop.dev, supplying the host, port, and a service credential that the gateway will use to authenticate to the database.
- Configure the Claude MCP server to point its PostgreSQL client at the hoop.dev proxy endpoint instead of the database directly. The client continues to use standard PostgreSQL drivers, so no code changes are required.
- Enable OIDC authentication for the Claude service account. The token issued by your identity provider will be presented to hoop.dev on each connection attempt.
- Turn on session recording in the gateway’s policy configuration. The default installation already records every session; you can adjust retention or export settings in the UI.
All of these actions are described in the official getting-started guide and the feature documentation. The getting-started documentation gives a step-by-step walkthrough, and the broader learn section goes deeper on policy design.
FAQ
Does session recording add latency to the database connection?
hoop.dev records traffic at the protocol layer and streams it to a local store. The overhead is minimal and comparable to a typical proxy; most teams see sub-millisecond impact, which is negligible for batch-style AI coding workloads.
Can I retrieve a specific Claude-generated query later?
Yes. Each recorded session is indexed by the caller’s identity and timestamp. The UI lets you search by database, user, or keyword, and you can replay the exact SQL statements that were executed.
What happens if the Claude agent crashes mid-session?
Because hoop.dev writes the transcript incrementally, the partial session is still persisted. You can examine what was sent before the crash, which is valuable for debugging and for understanding any incomplete data changes.
Next steps
Start by cloning the open-source repository and following the quick-start instructions. The codebase is on GitHub, where you can also contribute improvements or raise issues.