All posts
June 18, 20264 min read

Putting access controls around Cursor: audit trails for AI coding agents (on Postgres)

Many assume that AI coding assistants automatically generate audit trails when they run queries against a database, but the reality is far different. In practice, a Cursor‑driven AI agent often talks directly to PostgreSQL using a shared service account, and the connection leaves no per‑user trace. The result is a blind spot: security teams cannot tell which engineer prompted the agent, which statements were generated, or whether sensitive rows were exposed. Teams typically try to solve the vis

Free White Paper

AI Audit Trails + Cursor / AI IDE Security: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that AI coding assistants automatically generate audit trails when they run queries against a database, but the reality is far different. In practice, a Cursor‑driven AI agent often talks directly to PostgreSQL using a shared service account, and the connection leaves no per‑user trace. The result is a blind spot: security teams cannot tell which engineer prompted the agent, which statements were generated, or whether sensitive rows were exposed.

Teams typically try to solve the visibility problem by adding an identity check before the AI request reaches the database. An OIDC token proves who is asking the AI to run a query, and the token maps to a role that can open a session. This step limits who can start a Cursor job, but the request still flows straight to PostgreSQL. No gateway sits between the token and the database, so there is no place to record the exact SQL statements, no way to mask returned credit‑card numbers, and no opportunity to pause a dangerous command for human review.

Because the enforcement point is missing, the audit trail remains incomplete. Even if the AI model is trained to obey policy, a rogue prompt can cause it to issue a DELETE or expose PII, and the organization would have no reliable log to investigate. The missing control surface also makes compliance reporting painful, as auditors expect per‑session evidence that ties an action back to an individual identity.

Why a dedicated data‑path gateway is required

To close the gap, the access control layer must sit on the data path, not just in the authentication front‑end. The gateway becomes the only place where traffic can be inspected, altered, or recorded before it reaches PostgreSQL. By placing a proxy at Layer 7, every Cursor request is forced through a single, policy‑enforced choke point.

This architecture satisfies three distinct responsibilities:

  • Setup: Identity providers (Okta, Azure AD, Google Workspace, etc.) issue OIDC tokens that identify the engineer or service account. The token proves who is asking the AI to run a query, but it does not enforce what the query can do.
  • The data path: The gateway intercepts the PostgreSQL wire protocol, allowing it to apply rules, mask fields, or require an approval before a statement is forwarded.
  • Enforcement outcomes: Because the gateway sits in the data path, it generates audit trails, blocks unsafe commands, and records session replay data for later analysis.

Introducing hoop.dev as the enforcement point

hoop.dev sits exactly where the data path must exist. It runs a network‑resident agent next to the PostgreSQL instance and proxies every Cursor connection. When an engineer triggers a Cursor job, the request first validates against the OIDC token, then hands off to hoop.dev. From that moment onward hoop.dev controls the session.

hoop.dev records each SQL statement, the originating identity, and the time of execution, creating a reliable audit trail that can be replayed whenever needed. If a statement matches a policy that requires human sign‑off, such as a DROP TABLE or a query that returns columns marked as sensitive, hoop.dev pauses the flow and routes the request to an approval workflow. Only after an authorized reviewer approves does the statement continue to PostgreSQL.

Continue reading? Get the full guide.

AI Audit Trails + Cursor / AI IDE Security: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

When a response contains data classified as PII, hoop.dev masks the fields in‑flight, ensuring that the AI agent never sees raw credit‑card numbers or Social Security numbers. The masking happens inside the gateway, so the downstream database and the upstream AI model never handle the clear data.

All of these actions, recording, approval, masking, and blocking, are possible because hoop.dev is the only component that sees the full protocol stream. No other piece of the stack, including the identity provider or the PostgreSQL server itself, provides the same level of granular, per‑statement evidence.

Getting started with Cursor and PostgreSQL

Implementing this pattern begins with the standard getting‑started guide. Deploy the hoop.dev gateway using Docker Compose or Kubernetes, configure the PostgreSQL connection, and enable the built‑in policy engine. Next, register Cursor as a client that authenticates via OIDC. The gateway automatically stores the database credentials, so the AI agent never sees them.

After deployment, define policies that reflect your organization’s risk appetite. For example, create a rule that requires approval for any DDL statement, and another rule that masks columns named ssn or credit_card. These policies are managed through the hoop.dev UI or API, and they take effect immediately because hoop.dev enforces them at the gateway.

Benefits of a gateway‑driven audit trail

  • Complete visibility: Every Cursor‑generated query logs with the user’s identity, giving security and compliance teams a reliable source of truth.
  • Risk reduction: Dangerous commands can be blocked or sent for manual approval before they touch production data.
  • Data protection: Sensitive fields are masked in real time, preventing accidental exposure to AI models.
  • Replay capability: Recorded sessions can be replayed to reproduce incidents or to demonstrate compliance during audits.

FAQ

Does hoop.dev replace the need for database‑level logging?

No. Database logs remain valuable, but hoop.dev adds an identity‑aware audit layer that captures the exact request before the database even sees it. This ensures the log includes the initiating user and any policy actions taken.

Can I use hoop.dev with other AI coding assistants besides Cursor?

Yes. The gateway works with any client that speaks the PostgreSQL wire protocol, so you can protect other LLM‑driven tools in the same way.

What happens if a policy‑blocked statement is retried?

hoop.dev evaluates each statement independently. If the underlying issue is resolved, such as an approval being granted, the next attempt passes through the gateway.

Next steps

Explore the open‑source repository to see how the gateway is built and to contribute improvements: https://github.com/hoophq/hoop. The documentation site also offers deeper coverage of policy syntax and deployment patterns at https://hoop.dev/learn.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot