Putting access controls around Cursor: audit trails for AI coding agents

Three failure modes show up over and over when teams try to build audit trails for an AI coding agent in Cursor. The trail is incomplete because the agent only logged what it decided to log. The trail is unattributed because everything ran under one shared service account. And the trail is untrustworthy because the agent's process could have changed it. Each one alone is enough to make the audit worthless.

Name the failures first, because the fix follows directly from them. You do not need a better logging library inside the agent. You need to capture the record somewhere the agent cannot touch, which means moving it onto the connection.

The failure modes behind broken audit trails

Incomplete: a self-reporting agent records intent, skips the commands it never narrated, and loses data on a retry or crash. Unattributed: when the agent connects as a single shared credential, every action looks identical and you cannot answer who did what. Untrustworthy: a log the agent can write is a log it can be steered into truncating or rewriting.

An audit trail has to defeat all three at once. Fixing completeness while leaving attribution broken still leaves you unable to answer the auditor's first question. The only place all three get solved together is the boundary the commands cross on their way to the database.

The fix: capture audit trails at the boundary

hoop.dev is an open-source Layer 7 access gateway. The Cursor agent reaches a database or internal service through it, and the audit trail is produced there:

  • Capture is at the command level, recording the actual queries that crossed the connection, which closes the completeness gap.
  • Each session is attributed to the authenticated identity, which closes the attribution gap.
  • The record lives at the gateway, outside the agent, which closes the trust gap.

hoop.dev builds the trail from the infrastructure actions the agent takes. It does not log the model prompt or output, because the auditable event is the command, not the conversation that led to it. The gateway sees the query; the model's reasoning stays the agent's business. The broader approach is described on the hoop.dev site.

Building the trail

  1. Run the hoop.dev agent beside the resource and register the connection.
  2. Give the agent a distinct identity so its actions are attributable, not merged into a shared account.
  3. Confirm session recording and event logging are on for the connection.
  4. Run a command, then export the session record and verify it shows identity, command, and outcome.

For evidence retention, point a webhook at your event sink so each session becomes a durable record alongside the rest of your logs, with who connected, which connection, the command run, and the approval status.

The trail is also continuous, which is the property auditors actually care about. It is not a report you generate the week before a review by scraping logs and hoping they line up. Each session becomes a record at the moment it happens, so the evidence accumulates on its own. When someone asks what an agent did against the database last quarter, the answer is already assembled rather than reconstructed after the fact, and reconstruction is where gaps and disputes come from.

Pitfalls to avoid

Do not reuse one service account across agents and humans; it destroys attribution. Do not store the trail where the audited process can edit it. And do not confuse a chat transcript with an audit trail. The transcript is what the agent said; the audit trail is what it actually ran. Those two diverge more often than people expect, because an agent narrates its plan and then revises mid-task without updating the narration.
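
The check in step 4 and the pitfalls above can be run together over an exported trail. The following is an added example, not code from hoop.dev or from the original post: the field names, the JSON-lines layout, the `svc-shared` account and the sample records are all assumptions constructed for illustration. It flags records with missing fields, actions that ran under a shared identity, and commands where the agent's transcript and the gateway record disagree.

```python
import json

# Field names are assumptions: the page lists what a record holds, not the
# export schema. Map them to the fields in the records you actually export.
REQUIRED = ("identity", "connection", "command", "approval_status", "outcome")

# Constructed sample export (JSON lines), not real gateway output.
SAMPLE_EXPORT = """\
{"session_id": "s-1", "identity": "cursor-agent@example.com", "connection": "orders-db", "command": "SELECT id FROM orders LIMIT 5;", "approval_status": "approved", "outcome": "success"}
{"session_id": "s-2", "identity": "svc-shared", "connection": "orders-db", "command": "UPDATE orders SET status = 0 WHERE id = 7", "approval_status": "approved", "outcome": "success"}
{"session_id": "s-3", "identity": "cursor-agent@example.com", "connection": "orders-db", "command": "SELECT 1", "approval_status": "", "outcome": "success"}
"""
# Constructed: commands the agent said it ran, taken from its chat transcript.
NARRATED = ["SELECT id  FROM orders LIMIT 5", "SELECT count(*) FROM orders"]

def normalize(command):
    """Collapse whitespace and drop a trailing ';' so equal commands compare equal."""
    return " ".join(command.split()).rstrip(";").strip()

def review_trail(export_text, shared_identities, narrated):
    """Return (session_id, finding) pairs; an empty list means no gaps found."""
    narrated_norm = {normalize(c) for c in narrated}
    findings, recorded = [], set()
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sid = rec.get("session_id", "-")
        missing = [f for f in REQUIRED if not str(rec.get(f) or "").strip()]
        if missing:  # incomplete record
            findings.append((sid, "missing: " + ", ".join(missing)))
        if rec.get("identity") in shared_identities:  # unattributed action
            findings.append((sid, "shared identity: " + rec["identity"]))
        cmd = normalize(str(rec.get("command") or ""))
        if cmd:
            recorded.add(cmd)
            if cmd not in narrated_norm:  # ran, but the transcript never said so
                findings.append((sid, "ran but not narrated: " + cmd))
    for cmd in sorted(narrated_norm - recorded):  # said, but never crossed the gateway
        findings.append(("-", "narrated but not recorded: " + cmd))
    return findings

if __name__ == "__main__":
    for sid, finding in review_trail(SAMPLE_EXPORT, {"svc-shared"}, NARRATED):
        print(sid, finding)
```

Run against a real export, the "ran but not narrated" findings are the ones to review first, since they are the commands a self-reported log would have missed.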

FAQ

What is in the audit trail?

The command that ran, the identity that ran it, the connection used, approval status, and outcome, captured per session at the gateway.

Can the agent alter the trail?

No. The record lives outside the agent process, so the agent cannot edit or delete it.

Is hoop.dev open source?

Yes, it is MIT licensed, so you can verify how the trail is captured.

Build an audit trail the agent cannot rewrite. Start at the hoop.dev GitHub repository and wire up recording and event export with the getting started guide.
