Putting access controls around Cursor: audit trails for AI coding agents (on GCP)

AI coding assistants that can write, modify, or delete code on production environments pose a hidden compliance risk.

Many teams currently let the Cursor agent run with a static service‑account key that is baked into CI pipelines or stored in a secret manager. The agent talks directly to Google Cloud services, bypassing any central control point. Because the connection is direct, there is no immutable record of which prompts caused which API calls, no way to prove that a change was reviewed, and no mechanism to prevent the model from exfiltrating secrets.

What organizations really need is an audit trail that captures every request the AI makes, but simply adding logging inside the agent does not solve the problem. The request still reaches the target service unchanged, and the logs live on the same host that the agent controls. Without a dedicated enforcement layer, you cannot enforce just‑in‑time approvals, mask sensitive responses, or guarantee that a privileged operation was reviewed before execution.

hoop.dev provides the missing enforcement layer. It is a Layer 7 gateway that sits between the Cursor agent and Google Cloud APIs. All traffic flows through the gateway, which inspects the protocol, records the full session, and can require an approval step before a destructive call proceeds. Because hoop.dev is the active component in the data path, it is the source of every enforcement outcome.

In practice, the architecture looks like this: the Cursor agent authenticates to an identity provider (OIDC or SAML). hoop.dev, acting as a relying party, validates the token and extracts group membership. The gateway then forwards the request to the GCP endpoint using its own service‑account credential, never exposing the credential to the agent. While forwarding, hoop.dev records each request and response, applies inline masking to hide secrets that appear in API payloads, and can pause the flow for a human approver when a policy rule matches (for example, any request that creates a new Cloud Function). The recorded session is stored in an audit log that can be replayed for investigations.

This approach delivers three concrete benefits. First, every interaction is captured, giving you a complete audit trail that satisfies internal governance and external audit requirements. Second, because the gateway can block or mask operations in real time, you reduce the blast radius of a mis‑prompted AI command. Third, the separation of identity verification (setup) from enforcement (data path) means you can rotate service‑account keys on the gateway without touching the AI agent, preserving least‑privilege principles.

Why audit trails matter for Cursor

Without an immutable record, a single erroneous prompt can silently create, modify, or delete resources, leaving no evidence of who caused the change. Auditing each request provides traceability, supports post‑incident forensics, and demonstrates compliance with governance policies that require visibility into AI‑driven actions.

Common mistakes to avoid

• Giving the AI agent direct access to a long‑lived service‑account key. This defeats any downstream audit because the agent can bypass the gateway entirely.
• Relying on logs generated by the target service. Those logs are written after the fact and can be altered by the same identity that performed the action.
• Deploying the gateway outside the network segment that hosts the GCP resources. If traffic does not flow through hoop.dev, enforcement rules never see the request.
• Neglecting just‑in‑time approval policies for high‑impact actions. Without an approval step, a single errant prompt can create or delete critical infrastructure.

High‑level implementation steps

1. Deploy the hoop.dev gateway in the same VPC or network where your GCP services reside. The quick‑start guide walks you through a Docker Compose deployment that includes OIDC authentication out of the box.
2. Register the Cursor connection in hoop.dev, specifying the target GCP API endpoint and the service‑account credential that the gateway will use.
3. Configure identity federation so that the Cursor agent receives an OIDC token from your corporate IdP. hoop.dev will validate this token on each request.
4. Enable the audit‑trail feature in the gateway’s policy configuration. Define masking rules for fields such as access_token or private_key, and set approval thresholds for operations like cloudfunctions.deploy.
5. Test the flow by issuing a benign API call from Cursor and confirming that the session appears in the gateway’s audit UI, that the response was masked, and that an approval request was generated for a simulated high‑risk call.

All of these steps are described in the getting‑started guide and the broader feature documentation. The repository contains the full Docker Compose file and Helm charts you need to get the gateway running in your environment.

Explore the source code on GitHub to see how the gateway implements session recording, masking, and approval workflows.

FAQ

Does hoop.dev store the AI agent’s credentials?

No. The agent authenticates to the identity provider and never sees the service‑account key that hoop.dev uses to talk to GCP. This separation prevents credential leakage.

Can I retroactively add audit trails to existing Cursor workloads?

Yes. By routing existing traffic through hoop.dev you instantly gain a recorded session for every request, without changing the Cursor code base.

Is the audit data itself protected?

hoop.dev stores audit records in an audit log that is only readable by authorized auditors. The gateway enforces access controls on the log, ensuring that only designated personnel can retrieve or replay sessions.