The Scenario

OpenTofu apply: 14 resources, 0 drift.
17.90 joules.

Utility account, NEM 3.0 interconnection, EV-charger circuit. Every MCP tool call is admitted by a Cedar policy gate and sealed into an audit record before it runs. Plan hash matches apply hash. Drift detector re-checks every 15 minutes. 18 joules.

01 · Edit · LSP · 0.21 J

An engineer edits utility.tf; the LSP catches an invalid NEM tier inline.

The OpenTofu language server (terraform-ls 0.34 via LSP 3.17) flags `nem_tier = "2.0"` at column 14 as an invalid enum value: NEM 2.0 closed to new interconnections when NEM 3.0 took effect on 2023-04-15. Autocomplete suggests `"3.0"` and the hover cites the CPUC decision D.22-12-056.

JWP ReceiptPayload
kind "eng.lsp.diagnostic"
diagnostic invalid enum: nem_tier
fix quickfix:nem_3_0
joules 0.21
cite "LSP 3.17 · terraform-ls 0.34"
sig "ed25519:0x4f...c1a"
02 · Plan · OpenTofu · 4.10 J

tofu plan -out=tfplan resolves 14 resources with a stable hash.

Plan covers a PG&E utility account, a NEM 3.0 interconnection record, a 60A EV charger circuit on subpanel B, smart-meter registration, and 10 supporting resources. The planfile written by `tofu plan -out` is an opaque binary archive, so it is rendered to JSON with `tofu show -json tfplan` (RFC 8259), canonicalized, and hashed: blake3:88ee2c47…001a. No provider drift detected during refresh.

JWP ReceiptPayload
kind "eng.iac.plan"
plan_hash blake3:88ee2c47…001a
resources +14 ~0 -0
joules 4.1
cite "OpenTofu 1.8 · HCL2 spec"
sig "ed25519:0x4f...c1a"
03 · Sign · Sigstore · 0.34 J

Plan artifact is signed with cosign keyless OIDC.

cosign 2.4 fetches a short-lived Fulcio certificate via GitHub OIDC, signs the planfile with `cosign sign-blob`, and writes the signature plus a Rekor transparency-log entry (index 17,420,338). The plan_hash is now anchored: any tampering between plan and apply breaks the `cosign verify-blob` gate, provided that gate pins the expected signer with `--certificate-identity` and `--certificate-oidc-issuer` so that a valid signature from some other Fulcio identity is rejected rather than accepted.

JWP ReceiptPayload
kind "eng.artifact.signed"
rekor_index 17420338
fulcio_cert_sha sha256:7d12…0a91
joules 0.34
cite "Sigstore cosign 2.4 · Rekor v1"
sig "ed25519:0x4f...c1a"
04 · Gate · MCP · 0.18 J

MCP tool call tofu/apply is admitted by a Cedar policy gate.

Per the MCP 2025-11 draft, the agent issues `tools/call` with name="tofu/apply" and the planfile URI. A Cedar policy permits the call only when `principal.role == "site-reliability" && resource.cost_estimate_usd < 200`; Cedar is default-deny, so a missing cost estimate or any other role is rejected rather than admitted. Both conditions hold here and the gate returns admit:true. The call's audit_id, committing to the request and the decision, is sealed before invocation.

JWP ReceiptPayload
kind "eng.mcp.tool.admitted"
tool tofu/apply
predicate sre-prod-low-cost.cedar
joules 0.18
cite "MCP 2025-11 §6.2 · Cedar 4.0"
sig "ed25519:0x4f...c1a"
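The admission decision above, as an added example that is not part of the original page: a Python stand-in for the single Cedar permit policy, applied to a constructed MCP `tools/call` request, with the audit_id sealed over request plus decision before anything runs. The request id, planfile URI, principal records, the `eng.mcp.tool.denied` receipt kind and the evaluator itself are assumptions; a production gate would call a real Cedar 4.0 engine with the policy shown in the comment.

```python
import hashlib
import json

# Constructed MCP `tools/call` request in JSON-RPC 2.0 shape (assumption:
# the id and planfile URI are invented for the example).
REQUEST = {
    "jsonrpc": "2.0",
    "id": 7,
    "method": "tools/call",
    "params": {
        "name": "tofu/apply",
        "arguments": {"planfile": "file:///srv/iac/utility/tfplan"},
    },
}

# Cedar 4.0 would express the page's predicate as one permit policy.
# Cedar is default-deny: a call no permit matches is forbidden.
#
#   permit(principal, action == Action::"tofu/apply", resource)
#     when { principal.role == "site-reliability" &&
#            resource.cost_estimate_usd < 200 };
#
# cedar_permits() reimplements that one policy so the edge cases can be
# exercised without a Cedar runtime.
POLICY_ID = "sre-prod-low-cost.cedar"


def cedar_permits(principal, resource, action):
    cost = resource.get("cost_estimate_usd")
    # Cedar raises an evaluation error (treated as deny) on a missing or
    # non-numeric attribute; mirror that as an explicit deny. bool is
    # excluded because it is an int subclass in Python.
    if isinstance(cost, bool) or not isinstance(cost, (int, float)):
        return False
    return (
        action == "tofu/apply"
        and principal.get("role") == "site-reliability"
        and cost < 200
    )


def seal_audit_id(request, principal, resource, decision):
    """Commit to the exact request, context and decision before the tool runs."""
    record = {
        "request": request,
        "principal": principal,
        "resource": resource,
        "predicate": POLICY_ID,
        "admit": decision,
    }
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def gate(request, principal, resource):
    """Return the receipt-shaped decision for one MCP request."""
    if request.get("method") != "tools/call":
        return {"admit": False, "reason": "not a tools/call", "audit_id": None}
    action = request.get("params", {}).get("name")
    admit = cedar_permits(principal, resource, action)
    return {
        # "eng.mcp.tool.denied" is an assumed receipt kind for the deny path.
        "kind": "eng.mcp.tool.admitted" if admit else "eng.mcp.tool.denied",
        "tool": action,
        "predicate": POLICY_ID,
        "admit": admit,
        "audit_id": seal_audit_id(request, principal, resource, admit),
    }


if __name__ == "__main__":
    sre = {"id": "agent-sre-01", "role": "site-reliability"}
    cheap = {"uri": REQUEST["params"]["arguments"]["planfile"], "cost_estimate_usd": 143.2}
    print(json.dumps(gate(REQUEST, sre, cheap), indent=2))
```

Sealing the audit_id over the request bytes and the decision means a later rewrite of either (a changed planfile URI, a flipped admit flag) no longer matches the id recorded in the receipt.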
05 · Apply · OpenTofu · 11.60 J

tofu apply tfplan creates 14 resources; apply_hash == plan_hash.

Apply executes serially against the PG&E provider (rate-limited to 4 rps) and the utility's smart-meter API. All 14 resources reach state=created in 6m12s; the state file is encrypted at rest with AES-256-GCM and uploaded to the backend under `lock_id` 9a4c-...-c0e2. The hash of the planfile that `tofu apply` actually consumed (apply_hash) matches plan_hash byte-for-byte, so what ran is exactly what was reviewed and signed.

JWP ReceiptPayload
kind "eng.iac.apply"
apply_hash blake3:88ee2c47…001a
duration_s 372
joules 11.6
cite "OpenTofu 1.8 · HCL2 spec"
sig "ed25519:0x4f...c1a"
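The plan_hash / apply_hash check from steps 02 and 05, as an added example that is not code from the original page: canonicalize a `tofu show -json` rendering, hash it, and admit the apply only if the plan about to run hashes to the signed value. The plan content is a constructed two-resource stand-in for the page's fourteen, blake2b-256 from the Python standard library stands in for blake3 (which is not in the stdlib), and dropping `timestamp` before hashing is this example's choice, since that field changes on every render and was never part of what a reviewer looked at.

```python
import copy
import hashlib
import json

# Constructed, trimmed stand-in for `tofu show -json tfplan` output
# (assumption: resource types and attribute values are invented).
PLAN = {
    "format_version": "1.2",
    "timestamp": "2025-01-01T00:00:00Z",
    "resource_changes": [
        {"address": "pge_utility_account.main",
         "change": {"actions": ["create"], "before": None,
                    "after": {"account": "redacted"}}},
        {"address": "pge_nem_interconnection.residential",
         "change": {"actions": ["create"], "before": None,
                    "after": {"nem_tier": "3.0"}}},
    ],
    "resource_drift": [],
}

# Fields that change on every render and carry no reviewed content.
VOLATILE_KEYS = {"timestamp"}


def canonical_bytes(plan):
    """Sorted keys, no whitespace, UTF-8: a JCS-style canonical form
    (full RFC 8785 also fixes number formatting, which json.dumps does not)."""
    stable = {k: v for k, v in plan.items() if k not in VOLATILE_KEYS}
    return json.dumps(stable, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def plan_hash(plan):
    # blake2b-256 is the stdlib stand-in for the page's blake3 (assumption).
    digest = hashlib.blake2b(canonical_bytes(plan), digest_size=32).hexdigest()
    return "blake2b:" + digest


def summarize(plan):
    """Count the +/~/- figures the receipt reports from `resource_changes`."""
    add = change = destroy = 0
    for rc in plan["resource_changes"]:
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        if actions == ["create"]:
            add += 1
        elif actions == ["delete"]:
            destroy += 1
        else:  # update, or a replace: ["delete","create"] / ["create","delete"]
            change += 1
    return {"add": add, "change": change, "destroy": destroy}


def apply_gate(signed_hash, plan_to_apply):
    """Admit the apply only if the plan about to run hashes to the signed value."""
    return plan_hash(plan_to_apply) == signed_hash


def tampered(plan, address, new_actions):
    """Copy of `plan` with one resource's actions changed (for demonstrating the gate)."""
    p = copy.deepcopy(plan)
    for rc in p["resource_changes"]:
        if rc["address"] == address:
            rc["change"]["actions"] = new_actions
    return p


if __name__ == "__main__":
    signed = plan_hash(PLAN)
    print("plan_hash", signed, summarize(PLAN))
    print("apply admitted:", apply_gate(signed, PLAN))
    print("apply admitted after tamper:",
          apply_gate(signed, tampered(PLAN, "pge_utility_account.main", ["delete"])))
```

Because the hash is over the canonical JSON rather than the raw archive, a re-render of the same plan (different key order, new timestamp) still verifies, while any change to what would be created, updated or destroyed does not.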
06 · Attest · in-toto · 0.27 J

An in-toto v1.0 attestation links plan → apply → state.

Statement `_type` `https://in-toto.io/Statement/v1` with subject = state file sha256. The predicate carries materials = {planfile hash, provider versions, git commit} and products = {14 resource IDs}; `predicateType` names that schema, since `Statement/v1` is the envelope shape, not a predicate type. The statement is wrapped in a DSSE envelope, signed, and pushed to the Rekor log alongside the cosign signature.

JWP ReceiptPayload
kind "eng.attestation.intoto"
statement_type https://in-toto.io/Statement/v1
materials 3
joules 0.27
cite "in-toto Attestation Framework v1.0"
sig "ed25519:0x4f...c1a"
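The attestation above, as an added example that is not code from the page or from the in-toto project: build the Statement v1 with the state-file digest as subject and the three materials in the predicate, wrap it in a DSSE envelope signed over the pre-authentication encoding, and verify both the signature and the subject against the state bytes. The state file, planfile, provider pin, commit, resource IDs and the predicate type URI are constructed; HMAC-SHA256 under a shared key stands in for the receipt's ed25519 signature only because the Python stdlib has no ed25519, and the verifier path is otherwise the one a real DSSE consumer walks.

```python
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Assumption: the apply attestation's own schema; not an in-toto standard type.
PREDICATE_TYPE = "https://example.invalid/eng.iac.apply/v1"

# Constructed inputs standing in for the real state file, planfile and pins.
STATE_FILE = b'{"version":4,"terraform_version":"1.8.0","resources":[]}'
PLANFILE = b"constructed-planfile-bytes"
PROVIDER_VERSIONS = {"registry.opentofu.org/example/pge": "0.9.1"}
GIT_COMMIT = "deadbeef" * 5
RESOURCE_IDS = ["pge_utility_account.main", "pge_nem_interconnection.residential"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_statement(state_bytes, planfile_bytes, provider_versions, git_commit, resource_ids):
    """in-toto Statement v1: subject is what was produced, predicate says how."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "terraform.tfstate",
                     "digest": {"sha256": sha256_hex(state_bytes)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "materials": [
                {"uri": "file:tfplan", "digest": {"sha256": sha256_hex(planfile_bytes)}},
                {"uri": "providers", "versions": provider_versions},
                {"uri": "git", "commit": git_commit},
            ],
            "products": resource_ids,
        },
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed,
    so the payload type cannot be swapped without invalidating the signature."""
    return b" ".join([b"DSSEv1",
                      str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_toy(key, message):
    # Stand-in for ed25519 (assumption): HMAC-SHA256 under a shared key.
    return hmac.new(key, message, hashlib.sha256).digest()


def envelope(statement, key, keyid="toy-hmac-key"):
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = sign_toy(key, pae(PAYLOAD_TYPE, payload))
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify(env, key, state_bytes):
    """Signature over the PAE first, then the subject digest against the state file."""
    payload = base64.b64decode(env["payload"])
    expected = sign_toy(key, pae(env["payloadType"], payload))
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in env["signatures"]):
        return False
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    want = sha256_hex(state_bytes)
    return any(s.get("digest", {}).get("sha256") == want for s in statement["subject"])


if __name__ == "__main__":
    key = b"constructed-key"
    st = build_statement(STATE_FILE, PLANFILE, PROVIDER_VERSIONS, GIT_COMMIT, RESOURCE_IDS)
    env = envelope(st, key)
    print(json.dumps(env, indent=2))
    print("verifies:", verify(env, key, STATE_FILE))
```

Verification checks the signature before parsing the statement, so an attacker who can alter the payload cannot steer the parser; the subject check then ties the attestation to the exact state bytes, which is what lets a consumer refuse a state file that was edited after the apply.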
07 · Tag · FinOps · 0.42 J

Every resource is tagged with cost-center + joule-budget.

FOCUS 1.1 spec tags applied: `cost_center=cc-9241`, `service=interconnect-residential`, `joule_budget_per_day=240`. Cloud-cost API will roll up the spend by these dimensions; the joule_budget is read by Insights to alarm when daily energy crosses threshold.

JWP ReceiptPayload
kind "eng.finops.tagged"
tags_applied 3
joule_budget_per_day 240
joules 0.42
cite "FOCUS 1.1 · FinOps Foundation"
sig "ed25519:0x4f...c1a"
08 · Watch · Drift · 0.78 J

Drift detector runs every 15 min; current drift = 0.

A background loop re-runs `tofu plan -refresh-only` against the state and diffs the result; a resource counts as drifted when its real-world state no longer matches the state file. 96 checks per day; if drift ≠ 0, an `eng.drift.detected` receipt fires and the on-call channel gets the resource path. Last 30-day median drift: 0.

JWP ReceiptPayload
kind "eng.drift.watch"
interval_min 15
drift_count_30d 0
joules 0.78
cite "OpenTofu 1.8 -refresh-only"
sig "ed25519:0x4f...c1a"
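The drift check above, as an added example that is not code from the original page: classify the `resource_drift` entries of a `tofu show -json` rendering of a `-refresh-only` plan, name the attributes that moved, and emit either the clean `eng.drift.watch` receipt or an `eng.drift.detected` one carrying the resource paths. `resource_drift` is the field the JSON plan format uses for out-of-band changes; the two plan renderings, the resource types and addresses, the attribute values and the receipt field names beyond those on the page are constructed.

```python
import json

# Constructed, trimmed `tofu show -json` output of two `tofu plan -refresh-only`
# runs: one clean, one where the EV-charger circuit was changed and the
# smart-meter registration deleted outside OpenTofu (assumption: invented
# resource types, addresses and attributes).
CLEAN = {"format_version": "1.2", "resource_drift": [], "resource_changes": []}

DRIFTED = {
    "format_version": "1.2",
    "resource_drift": [
        {"address": "pge_ev_charger_circuit.subpanel_b", "mode": "managed",
         "change": {"actions": ["update"],
                    "before": {"amps": 60, "panel": "B"},
                    "after": {"amps": 40, "panel": "B"}}},
        {"address": "pge_smart_meter.main", "mode": "managed",
         "change": {"actions": ["delete"],
                    "before": {"meter_id": "m-001"},
                    "after": None}},
    ],
    "resource_changes": [],
}


def drift_entries(plan):
    """One entry per resource whose real-world state no longer matches the state file."""
    entries = []
    for rd in plan.get("resource_drift", []):
        change = rd["change"]
        if change["actions"] == ["no-op"]:
            continue
        # A resource deleted out-of-band has "after": null; treat it as empty
        # so every attribute it had shows up as changed.
        before = change.get("before") or {}
        after = change.get("after") or {}
        attrs = sorted(k for k in set(before) | set(after)
                       if before.get(k) != after.get(k))
        entries.append({"address": rd["address"],
                        "actions": change["actions"],
                        "attributes": attrs})
    return entries


def checks_per_day(interval_min):
    return 24 * 60 // interval_min


def watch_receipt(plan, interval_min=15):
    """eng.drift.watch when clean; eng.drift.detected with resource paths when not."""
    entries = drift_entries(plan)
    if entries:
        # "resources" and "detail" are assumed field names for the detected receipt.
        return {"kind": "eng.drift.detected",
                "drift_count": len(entries),
                "resources": [e["address"] for e in entries],
                "detail": entries}
    return {"kind": "eng.drift.watch",
            "interval_min": interval_min,
            "checks_per_day": checks_per_day(interval_min),
            "drift_count": 0}


if __name__ == "__main__":
    for name, plan in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(name, json.dumps(watch_receipt(plan), indent=2))
```

Reporting the changed attribute names alongside the resource path is what lets on-call tell a harmless provider-side default from a circuit someone re-rated by hand, without pasting the full before/after objects into the channel.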

EngineeringOS, in one line

17.90 joules. One receipt.

EngineeringOS handles build as a typed, signed, energy-metered operation. The whole pillar is one shape: take a claim, do the work, sign the receipt.