All posts
June 18, 20263 min read

Putting access controls around Cursor: production access for AI coding agents (on Postgres)

A recently offboarded contractor’s CI pipeline still holds a hard‑coded Cursor API key that can spin up SQL against the production database. The key lives in a shared secret store, is used by an automated code‑generation agent, and anyone with repository access can trigger it. The result is a powerful AI coding assistant that can read or write production data without any human review, and the organization has no record of what queries were run. Why production access matters for Cursor Cursor’

Free White Paper

Cursor / AI IDE Security + Customer Support Access to Production: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A recently offboarded contractor’s CI pipeline still holds a hard‑coded Cursor API key that can spin up SQL against the production database. The key lives in a shared secret store, is used by an automated code‑generation agent, and anyone with repository access can trigger it. The result is a powerful AI coding assistant that can read or write production data without any human review, and the organization has no record of what queries were run.

Why production access matters for Cursor

Cursor’s AI model excels at turning natural‑language prompts into SQL statements. In a development sandbox that capability is a productivity win, but in production the same convenience becomes a risk. Teams often grant the agent a static service account that has full production access to PostgreSQL. The service account is created once, never rotated, and is used by every instance of the AI agent. Because the connection goes straight from the agent to the database, there is no audit trail, no ability to mask sensitive columns, and no gate to stop destructive commands.

What the current setup fixes – and what it still leaves open

Most organizations solve the first part of the problem by moving to non‑human identities. They create a dedicated service account for the AI agent, limit its role to the smallest set of tables, and store the credential in a vault. This satisfies the principle of least privilege and makes the credential lifecycle manageable.

However, the request still travels directly from the agent to PostgreSQL. The data path contains no enforcement point. Without a gateway, the following gaps remain:

  • No real‑time approval workflow for risky queries.
  • No command‑level audit that ties each statement to the originating user or CI job.
  • No inline masking of columns that contain personally identifiable information.
  • No session recording that can be replayed for forensic analysis.

These gaps are exactly what a production‑grade access control system must close.

hoop.dev as the data‑path enforcement layer

Enter hoop.dev. It is a Layer 7 gateway that sits between the identity provider and PostgreSQL. The agent authenticates to hoop.dev via OIDC (using the same IdP that issued the service‑account token). hoop.dev validates the token, extracts group membership, and then proxies the connection to the database.

Because the gateway owns the network‑resident agent that talks to PostgreSQL, every packet passes through hoop.dev. This is the only place where enforcement can happen. The platform provides four core outcomes that directly address the missing controls:

  • hoop.dev records every query. Each statement is logged with the caller’s identity, timestamp, and result metadata, creating a complete audit trail.
  • hoop.dev masks sensitive fields inline. When a SELECT returns columns marked as confidential, the gateway redacts or tokenises the data before it reaches the AI agent.
  • hoop.dev routes high‑risk commands to a just‑in‑time approval workflow. A DELETE or ALTER statement triggers a human review step; the query is only forwarded after an approver signs off.
  • hoop.dev records the full session for replay. The entire interaction – from authentication through each query and response – is stored for later forensic review.

All of these outcomes exist because hoop.dev is positioned in the data path; removing it would instantly eliminate the audit, masking, and approval capabilities.

Putting the pieces together

The recommended architecture looks like this:

Continue reading? Get the full guide.

Cursor / AI IDE Security + Customer Support Access to Production: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Identity provider (Okta, Azure AD, Google Workspace, etc.) issues short‑lived OIDC tokens to the CI job or the AI agent.
  • hoop.dev gateway validates the token, enforces the policy defined for the Cursor service account, and proxies the connection to PostgreSQL.
  • PostgreSQL receives traffic only from the gateway’s agent, never directly from the AI process.

With this layout, the organization gains:

  • Fine‑grained production access controls that are tied to identity rather than static secrets.
  • Real‑time visibility into every AI‑generated query, satisfying internal compliance and audit requirements.
  • Protection of sensitive data through inline masking, reducing the risk of accidental exposure.
  • Just‑in‑time approvals that prevent destructive operations from slipping through unattended.

Because hoop.dev is open source and MIT‑licensed, teams can self‑host the gateway, inspect the code, and extend the policy engine to match their own risk framework.

Getting started

To try this pattern, start with the official getting‑started guide, which walks you through deploying the gateway with Docker Compose, registering a PostgreSQL connection, and configuring OIDC authentication. The guide also shows how to define masking rules and approval policies for Cursor‑generated queries.

For deeper details on policy configuration, masking capabilities, and session replay, see the learning hub.

Getting started with hoop.dev

Learn more about hoop.dev features

FAQ

Q: Does hoop.dev replace the need for vault‑managed credentials?
A: No. hoop.dev still relies on a credential to talk to PostgreSQL, but that credential is stored only inside the gateway. Users and AI agents never see the password or IAM role, eliminating credential sprawl.

Q: Can I audit which developer triggered a specific AI‑generated query?
A: Yes. Because authentication is done via OIDC, hoop.dev logs the original token’s subject. The audit record therefore links each query back to the human or service account that initiated the request.

Q: Is masking configurable per table or column?
A: Masking rules are defined in the policy layer of hoop.dev. You can target individual columns, entire tables, or pattern‑based fields, and the gateway applies the redaction before any response leaves the data path.

Next steps

If you’re ready to prototype this control plane, clone the repository and explore the example deployment.

Explore the hoop.dev source code on GitHub

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot