Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tolmo.com/llms.txt

Use this file to discover all available pages before exploring further.

Every node and edge in the Tolmo infrastructure graph carries two temporal attributes — firstSeenAt and lastSeenAt — stored as epoch milliseconds. These let you query the historical state of your infrastructure: what resources appeared recently, which ones have gone stale, and how relationships have changed over time. You can combine these queries with --json output and standard Unix tools to build lightweight change-detection workflows directly from the CLI.

Temporal Attributes

The Tolmo graph crawler stamps every resource and relationship it discovers with two timestamps:
AttributeTypeDescription
firstSeenAtepoch msWhen the resource was first discovered by a crawler
lastSeenAtepoch msWhen the resource was most recently observed by a crawler
Both attributes are available on:
  • GraphNode nodes — representing individual infrastructure resources such as EC2 instances, IAM roles, S3 buckets, and more.
  • GRAPH_EDGE relationships — representing the connections between resources, such as an IAM role attached to a Lambda function.

Example Queries

Use tolmo cypher to run Cypher queries directly against the infrastructure graph. The examples below demonstrate the most common time machine patterns. Resources added in the last 7 days: 
tolmo cypher "MATCH (n:GraphNode) WHERE n.firstSeenAt >= (timestamp() - 7*24*60*60*1000) RETURN n.resourceType, n.resourceKey ORDER BY n.firstSeenAt DESC"
Stale resources not seen in 48 hours: 
tolmo cypher "MATCH (n:GraphNode) WHERE n.lastSeenAt < (timestamp() - 48*60*60*1000) RETURN n.resourceType, n.resourceKey LIMIT 50"
New relationships established in the last 24 hours: 
tolmo cypher "MATCH ()-[r:GRAPH_EDGE]->() WHERE r.firstSeenAt >= (timestamp() - 24*60*60*1000) RETURN r.type, count(r) AS cnt ORDER BY cnt DESC"

Get JSON Output for Scripting

Add --json to any tolmo cypher command to receive machine-readable output instead of a formatted table. This is useful when you want to feed results into a script, a CI step, or a downstream tool: 
tolmo cypher --json "MATCH (n:GraphNode) WHERE n.firstSeenAt >= (timestamp() - 7*24*60*60*1000) RETURN n.resourceType, n.resourceKey ORDER BY n.firstSeenAt DESC"
Combine time machine queries with --json and pipe the output to jq for fast, in-terminal filtering of large result sets. For example: tolmo cypher --json "..." | jq '.[] | select(.resourceType == "aws_s3_bucket")'

Common Use Cases

Query firstSeenAt to catch resources that appeared after a deployment or infrastructure change event. Set the time window to match your deployment cadence — for example, resources created in the last hour — to surface anything that was provisioned unexpectedly or outside of your normal release process. This is especially useful after running Terraform, CDK, or other IaC tools to verify that only the expected resources were created.
Use lastSeenAt to identify resources the crawler has not seen recently. A resource with a lastSeenAt far in the past suggests it may have been deleted, shut down, or become unreachable since it was last observed. Filter by resource type — for example, EC2 instances or ECS services — to narrow down decommissioned compute before acting on it.
Query GRAPH_EDGE firstSeenAt to see when connections between resources were first established. For example, you can find when an IAM role gained access to an S3 bucket, or when a Lambda function was linked to a VPC. This gives you a lightweight audit trail of permission and connectivity changes without requiring a dedicated change-log system.