Putting access controls around Cursor: production access for AI coding agents (on GCP)

Many assume that AI coding agents like Cursor can be given unfettered production privileges without any guardrails, but that approach leaves critical data exposed and audit trails invisible.

When a Cursor instance runs against live services on Google Cloud Platform, it can read configuration, write to databases, and trigger infrastructure changes. Without precise controls, a mis‑generated snippet or a malicious prompt could corrupt production workloads, leak secrets, or create compliance gaps.

Effective production access for an AI agent must satisfy four core requirements. First, the agent must prove its identity through a trusted OIDC provider so that only authorized services can initiate a connection. Second, the permission should be granted just‑in‑time, expiring as soon as the task completes, rather than relying on long‑lived credentials. Third, any operation that touches sensitive resources should be subject to an approval workflow that can pause execution for human review. Fourth, every request and response must be recorded, with the ability to redact secrets before they are stored, so that auditors can verify what the agent did without exposing the data itself.

Identity verification alone does not stop a privileged request from reaching a database or a Kubernetes cluster. The enforcement point must sit on the data path, between the agent and the target service, where the traffic can be inspected and altered. This is why a dedicated gateway is essential; it can apply policies consistently regardless of the underlying protocol.

Enter hoop.dev, an open‑source Layer 7 gateway that proxies connections to GCP resources such as Cloud SQL, GKE, and Cloud Storage. The gateway runs a network‑resident agent inside the same VPC as the target, holds the service credentials, and never exposes them to the AI process. When Cursor initiates a request, it routes through hoop.dev using the standard client libraries, allowing the gateway to inspect the wire‑protocol payload.

At this interception point hoop.dev enforces the production‑access policy stack. It checks the OIDC token presented by the agent, verifies group membership, and determines whether a short‑lived session may be created. If the request matches a rule that requires human sign‑off, such as a write to a production database, hoop.dev pauses the operation and forwards the request to an approval channel. Once an authorized reviewer approves, hoop.dev lets the command proceed for the remainder of the session.

Because hoop.dev generates the session token after approval, the AI agent never holds a standing credential that could be reused elsewhere. The token expires automatically when the session ends, satisfying the just‑in‑time requirement without additional cleanup steps.

The gateway creates a replayable log of the request, the response, and the outcome of any approval step. The retained log provides auditors with a reliable record of what the AI agent did in production.

Inline data masking is another built‑in capability. When a response contains fields marked as sensitive, such as API keys, passwords, or personal identifiers, hoop.dev redacts those values before they reach the Cursor process. The original values remain in the backend system, while the masked version is what the AI sees and what gets logged, protecting secret data from accidental leakage.

By placing hoop.dev in the data path, organizations gain a single control surface that delivers all four production‑access safeguards: identity verification, just‑in‑time token issuance, human approval, session recording, and inline masking. The approach eliminates the need for ad‑hoc scripts, scattered IAM policies, or custom code changes in the AI agent itself.

To try this architecture, start with the getting‑started guide. The documentation walks you through deploying the gateway, configuring OIDC authentication, and registering a GCP target. The open‑source repository on GitHub contains the compose file, Helm charts, and example policies you can adapt for your Cursor workloads.

For deeper insight into how hoop.dev masks data and routes approval requests, explore the learn section. It details the policy language, the audit log format, and best practices for securing AI agents in production environments.

FAQ

Can hoop.dev enforce policies on Cursor without modifying Cursor’s code?

Yes. hoop.dev operates at the protocol layer, so Cursor continues to use its native client libraries. The gateway intercepts traffic, applies masking and approvals, and returns the filtered response, all without requiring changes to Cursor’s source.

What audit evidence does hoop.dev generate for production access?

hoop.dev records a timestamped session log that includes the identity of the AI agent, the exact request sent, any approval actions taken, and the masked response. These logs can be exported for compliance reporting and provide a replayable view of every production interaction.

How does hoop.dev handle credential storage for GCP resources?

The gateway holds service credentials internally and presents them only to the target service. The AI agent never receives the raw credentials; it authenticates to hoop.dev with its OIDC token, and hoop.dev uses the stored secret to complete the backend connection.

Explore the open‑source code on GitHub to see how the gateway is built and to contribute improvements.