All posts
June 16, 20263 min read

Putting access controls around GitHub Copilot: session recording for AI coding agents

You can have session recording on a GitHub Copilot agent's infrastructure commands in the time it takes to drink a coffee. This is the short version: one connection, one identity, and every query and command the agent runs is captured outside the agent. Quick scope note before the steps. hoop.dev does not record what GitHub Copilot generates, the prompt, or the model output. It records the commands the agent runs against your infrastructure, the SQL, the kubectl call, the shell session. That is

Free White Paper

AI Session Recording + GCP VPC Service Controls: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

You can have session recording on a GitHub Copilot agent's infrastructure commands in the time it takes to drink a coffee. This is the short version: one connection, one identity, and every query and command the agent runs is captured outside the agent.

Quick scope note before the steps. hoop.dev does not record what GitHub Copilot generates, the prompt, or the model output. It records the commands the agent runs against your infrastructure, the SQL, the kubectl call, the shell session. That is the thing that matters for an audit, and it is the thing the agent cannot suppress.

Why recording has to live outside the agent

If the log lives in the agent's own runtime, the agent can rotate it, drop it, or never write it. A record only counts as evidence if the process under audit cannot edit it. So the recording happens at the gateway the agent connects through, not inside the agent.

hoop.dev is an open-source Layer 7 gateway. The agent reaches infrastructure through it, and each session is captured on the wire, tied to the agent's identity. Because the capture happens at the protocol level, you do not instrument the agent or change its code. The recording is a property of the connection, so it applies the same way whether the commands come from a person, a script, or a coding agent.

Continue reading? Get the full guide.

AI Session Recording + GCP VPC Service Controls: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

What you can do with a recorded session later

The value of session recording shows up after the fact, in the moments you did not plan for. An incident review needs to know exactly what touched a table before it went wrong, in order, with timestamps. A security question needs to confirm whether an agent ever read a particular dataset. A compliance request needs evidence that a given identity's access was bounded and logged. Each of these is trivial when the record exists outside the agent and impossible when it lives in a process you no longer trust. Recording is cheap to turn on and expensive to wish you had, which is the whole reason to do it on the first connection rather than the day after an incident.

First connection, fast

  1. Install the gateway and an agent near the resource you want recorded. The agent dials out to the gateway, so nothing on the resource is exposed inbound.
  2. Add one connection, say a Postgres database, with a least-privilege credential.
  3. Give the Copilot agent an identity through your OIDC provider so sessions attribute to it.
  4. Point the agent at the gateway instead of the database.
  5. Run a query and open the session record. You should see who connected, what ran, and the outcome.
# run one command through the gateway
psql -h gateway.internal -U copilot-agent -d app -c "select count(*) from orders;"
# the session is now recorded: identity, command, timestamp, result status

What a recorded session gives you

  • Command-level detail: not just that the agent connected, but what it ran.
  • Attribution: the named identity behind each session, even when several agents share infrastructure.
  • An external record: stored outside the agent, so it holds up as evidence.

Pitfalls

  • Recording connections but not commands. Knowing the agent opened a session is weak. You want the command-level trail.
  • Shared identity. If every agent uses one account, the recording cannot tell them apart. Give each its own.
  • Local logs only. A log the agent can reach is not an audit trail. Keep it external.

FAQ

Does session recording capture GitHub Copilot's prompts?

No. hoop.dev records the infrastructure commands the agent executes, not the model prompt, output, or reasoning.

How fast is the first recorded session?

Once the gateway and one connection are up, the next command the agent runs is recorded. The setup is the connection, not per-command work.

Do I have to change the agent to enable recording?

No. Recording happens at the connection, so the agent only needs to point at the gateway instead of the resource. There is no SDK to add and no code change in the agent or the protected system.

Get the first recorded session running from the open-source project on GitHub. The getting started guide is the fastest path, and hoop.dev learn covers what the records contain.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot