hoop

hoop is an open-source layer 7 gateway that sits between users—engineers, AI agents, and service accounts—and production infrastructure including databases, Kubernetes clusters, SSH servers, and APIs. Every query and command passes through the gateway at the wire protocol level, where it can mask sensitive data in real time, block dangerous operations before they execute, route risky writes for human approval, and record every session with full fidelity. No agents are required on endpoints, no schema discovery, and no code changes to existing applications.

The gateway parses wire protocols natively: PostgreSQL, MySQL, MSSQL, MongoDB, Kubernetes exec and port-forward, SSH, HTTP/gRPC, and RDP. Tools connect through hoop transparently without SDKs or browser extensions. Identity is wired to OIDC/SAML providers like Okta, Azure AD, JumpCloud, and Google Workspace, with SSO included in the open-source license at no separate tier or seat charge.

hoop has expanded to become the infrastructure governance layer for AI agents. When Claude Code, Cursor, or any MCP-compatible client connects, it authenticates via OAuth 2.1, inherits the human user’s permissions and group memberships, and flows through the same policy engine as human sessions. Reviewers see the user’s name on approval requests, not an opaque agent identity, and audit logs record a single unified timeline for humans and agents alike.

Used by NYSE-listed companies and protecting over 5,000 databases, hoop addresses the gap between PAM tools (which stop at who connected) and what teams actually need: control over what data left the session and what commands ran inside it.

What You Get

• ML-powered data masking — Detects and masks PII, PHI, PCI data, and credentials inside database responses, API payloads, and terminal output using context-aware machine learning, not regex. A single rule covers thousands of resources without schema mapping or column labeling.
• Wire-level command guardrails — Blocks dangerous operations such as DROP TABLE, DELETE without WHERE, kubectl delete namespace, and rm -rf at the protocol layer before they reach the target system. Prevention, not detection.
• Slack and Teams approval workflows — Routes risky operations for human approval via Slack or Microsoft Teams. The operation waits until approved, denied, or scheduled for a maintenance window. Every decision is logged and time-bound.
• Full session recording and replay — Captures every command, every response, every approval and denial with full fidelity. Generates compliance evidence for SOC 2, GDPR, PCI DSS, and HIPAA automatically without additional tooling.
• AI agent governance with user identity — Claude Code, Cursor, and MCP clients authenticate via OAuth 2.1 and inherit the human user’s permissions, group memberships, and ABAC rules. Agents read freely with masked responses, write with approval, and all actions appear under the human’s name in audit logs.
• MCP gateway with sensitive data catalog — Inspects MCP payloads, masks PII in JSON responses before they reach the agent, blocks dangerous operations, and auto-generates a real-time catalog of sensitive data discovered from MCP traffic.

Common Use Cases

• Preventing AI agent data leaks in production — An engineering team connects Claude Code to a production PostgreSQL database; hoop masks card numbers and email addresses in every query response and blocks any DELETE without a WHERE clause before it executes.
• Eliminating DBA toil on access requests — A SaaS company automates database access for dozens of engineers through hoop’s approval workflows, replacing multi-day manual provisioning with same-session approvals while generating a complete audit trail for each request.
• Compliance evidence generation for SOC 2 and GDPR — A fintech company replaces manual audit preparation with hoop’s automatically generated session recordings and masked access records, providing auditors with searchable, replay-capable evidence without any engineering hours.
• Governing Kubernetes and SSH access at scale — A cloud-native platform team deploys hoop in front of 5,000 databases and Kubernetes clusters, blocking unauthorized kubectl delete commands, recording all kubectl exec sessions, and enforcing identity-based access policies across every environment.
• Securing AI coding assistants against destructive writes — A team running autonomous AI agents for 3AM incident response uses hoop to ensure the agent can read and debug freely but must wait for human approval on any schema change or production write.
• Unified audit trail for humans and AI agents — A regulated financial services team uses hoop to maintain a single audit log where human DBA sessions and AI agent queries appear on the same timeline under the same identity, satisfying auditors who need to trace every data access to a named individual.

Under The Hood

Architecture hoop is organized as a multi-module Go workspace with six modules: gateway, agent, client, tunnel, common, and libhoop. The gateway handles HTTP API routing via Gin, gRPC transport for agent connections, PostgreSQL persistence via GORM and SQL migrations, and a plugin system for audit, DLP, review, RBAC, webhooks, and Slack. Protocol-specific proxies for PostgreSQL, SSH, HTTP, and RDP live in a dedicated proxyproto layer. The Rust agent (agentrs) handles native protocol parsing and cross-compiles to Linux and Darwin targets. A ClojureScript webapp (webapp_v2) provides the administrative UI. The architecture cleanly separates concerns between the gateway’s policy enforcement plane, the agents that bridge infrastructure connections, and the client tools that engineers use directly.

Tech Stack The primary gateway is written in Go 1.26 with the Gin HTTP framework, gRPC for agent communication, and PostgreSQL as the persistence store with SQL migrations and Golang migration steps. The Rust agent handles low-level protocol parsing, compiled with Cargo and cross for multi-platform support. The administrative webapp is built in ClojureScript using Radix UI components. The Anthropic SDK is integrated for AI-assisted session analysis. AWS SDK v2 covers RDS discovery, SSM, IAM, and EC2 integrations. Deployment is via Docker Compose, Kubernetes Helm charts, or AWS, with multi-architecture binaries published for Linux and Darwin.

Code Quality The codebase includes extensive test coverage across more than 100 test files, using testify for assertions and mocking throughout. Error handling is explicit and context-rich, with Sentry integrated for production error capture and structured logging via a custom log package. OpenAPI documentation is generated via SWAG annotations on all HTTP handlers. The plugin architecture enforces a consistent lifecycle interface (OnStartup, OnConnect, OnReceive, OnDisconnect) across all transport plugins. Feature flag gating between OSS and Enterprise license types is applied consistently at the API and transport layers. Inline documentation is comprehensive in gateway packages, and an Architecture Decision Record exists in the docs directory.

What Makes It Unique hoop’s defining technical characteristic is wire-protocol enforcement at under 5ms latency—most policy systems operate at the application layer after data has already moved. The MCP gateway implementation follows the Model Context Protocol 2025-11-25 authorization profile with full OAuth 2.1 Resource Server semantics (RFC 9728 protected-resource metadata, RFC 8707 audience binding), propagating human user identity through AI agent sessions so every agent action is traceable to a named individual. The ML-powered data masking understands column context rather than applying static regex patterns, so a phone number column is treated differently from a build ID that happens to match the same digit format. The unified policy engine covers humans, AI agents, and service accounts with identical enforcement—no parallel stack for AI governance.

Self-Hosting

hoop is released under the MIT License, which is one of the most permissive open-source licenses available. You can use it commercially, modify the source, distribute it, and incorporate it into proprietary products without any copyleft obligations. There are no patent clauses, no network use provisions, and no restrictions on self-hosting for any purpose. The only requirement is that the copyright notice and license text appear in copies of the software.

Running hoop yourself requires a PostgreSQL database for persistence, a reverse proxy or load balancer if you want TLS termination (or you can provide TLS certificates directly), and either Docker Compose for single-host deployments or a Kubernetes cluster for production-scale operation. Helm charts are provided for Kubernetes. The gateway binary bundles the ClojureScript webapp, so there is no separate frontend deployment. You are responsible for database backups, gateway uptime, certificate rotation, and version upgrades—hoop releases frequently (often multiple releases per week), so you will need a process for staying current or pinning to tested versions. The Rust agent binary must be deployed alongside or bundled within the gateway depending on your configuration.

The self-hosted OSS build restricts a meaningful set of features behind an enterprise license key: ML-powered data masking, command guardrails, command approval workflows, webhooks, access request rules, AWS/RDS auto-discovery, and Jira issue templates are all gated to organizations that hold an enterprise license. The free OSS tier covers session recording, basic SSO integration, and agent connectivity. If you need the core security enforcement features—masking, guardrails, and approvals—you will need to contact hoop.dev for an enterprise license, which comes with SLA support, managed upgrade assistance, and high-availability deployment guidance. The managed cloud offering on hoop.dev handles all of this operationally, including backups, upgrades, and enterprise feature access without a separate license negotiation.