FFO TypeDB Ontology
Overview of the Federal Frontier Ontology — a TypeDB knowledge graph modeling 40 entity types and 48 relation types across infrastructure, security, identity, and storage.
The Federal Frontier Ontology (FFO) is the knowledge graph at the center of the Federal Frontier AI Platform. It models your entire infrastructure — clusters, nodes, deployments, storage, identity, security findings, compliance controls — as a typed graph in TypeDB 3.x.
What FFO Does
FFO answers “what is X?” questions:
- What clusters exist and what are their attributes?
- What nodes belong to cluster geo-prod-01?
- What security findings affect this deployment?
- What NIST controls apply to this authorization boundary?
- What Ceph pools exist and how are they configured?
- What IAM roles does this principal hold?
FFO does not answer “can user Y do Z?” questions. Authorization decisions are handled by PostgreSQL per ADR-001. This separation is intentional: the ontology models the world as it is, while authorization logic enforces policy in a relational database optimized for fast permission checks.
Scale
| Metric | Count |
|---|---|
| Entity types | 40 |
| Relation types | 48 |
| Schema modules | 8 |
| Inference rules | Active (always on in TypeDB 3.x) |
The schema is organized into 8 modules covering distinct infrastructure domains:
- Compute — clusters, nodes, deployments, services, images, registries
- Storage — Ceph clusters, pools, OSDs, monitors, storage classes
- Security — findings, vulnerabilities, controls, frameworks, assessments
- Identity — principals, IAM roles, groups, service accounts
- Network — networks, authorization boundaries
- Operations — incidents, alerts, changes, work items, pipelines
- Cloud — cloud providers, regions
- Configuration — databases, secrets, configuration items
How FFO Is Queried
FFO is accessed through two paths:
1. FFO MCP Server (LLM and tool access)
The FFO MCP server (ffo-mcp-server) exposes 10 MCP tools that wrap TypeQL queries behind typed interfaces. The LLM calls these tools to query the ontology without needing to construct raw TypeQL.
| Tool | Purpose |
|---|---|
| ffo.query | Execute raw TypeQL fetch queries |
| ffo.infer | Query with inference (derived relationships) |
| ffo.entity.get | Retrieve a single entity by type and identifier |
| ffo.entity.create | Create a new entity with attributes |
| ffo.entity.update | Update attributes on an existing entity |
| ffo.search | Search entities with filters and pagination |
| ffo.traverse | Walk relationships from a starting entity |
| ffo.relationship.create | Create a relationship between entities |
| ffo.write | Execute raw TypeQL write transactions |
| ffo.context.for_action | Get operational context (classification, controls, baselines) for a permitted action |
2. Compass API (direct queries)
The Compass API server queries TypeDB directly using the TypeDB Python driver for template-based queries (list clusters, show findings, etc.). These bypass the LLM for speed.
TypeDB 3.x
FFO runs on TypeDB 3.x Community Edition (version 3.7.2). Key characteristics of TypeDB 3.x:
- Typed schema — every entity, relation, and attribute has a declared type
- Inference rules — TypeDB automatically derives relationships based on rules (e.g., if cluster A belongs to boundary B and boundary B requires control C, then control C applies to cluster A)
- TypeQL — a declarative query language purpose-built for knowledge graphs
- No sessions — TypeDB 3.x removed the session concept; transactions are opened directly on the driver
- Inference is always on — there is no toggle to disable inference in 3.x
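The two points above, a typed interface in front of TypeQL and transactions opened directly on the driver, as an added example that is not code from ffo-mcp-server: validate the type label and identifier a caller passes for a single-entity lookup, build the TypeQL 3.x fetch, and run it in a read transaction on the driver. The allow-list of types, the `name` attribute and the driver call signatures are assumptions; the real labels live in the FFO Schema Reference and the driver API in the TypeDB 3.x Driver Guide.

```python
import re

# Added example, not ffo-mcp-server code. ALLOWED_TYPES is a hypothetical stand-in
# for the FFO schema's entity labels; the real labels and identifying attribute
# come from the FFO Schema Reference.
ALLOWED_TYPES = frozenset({"cluster", "node", "deployment", "ceph-pool", "finding"})
_LABEL_RE = re.compile(r"^[a-z][a-z0-9-]*$")                  # TypeQL type/attribute label
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$")   # opaque identifier, no quotes


def is_valid_lookup(entity_type: str, identifier: str, id_attr: str = "name") -> bool:
    """True only when every caller-supplied value is safe to interpolate into TypeQL."""
    return (
        entity_type in ALLOWED_TYPES
        and bool(_LABEL_RE.match(id_attr))
        and bool(_ID_RE.match(identifier))
    )


def build_entity_fetch(entity_type: str, identifier: str, id_attr: str = "name") -> str:
    """Build the TypeQL 3.x fetch behind an 'entity by type and identifier' tool.

    Validation runs first, so a tool argument can only become a known type label or
    the contents of one quoted attribute literal, never an additional clause.
    """
    if not is_valid_lookup(entity_type, identifier, id_attr):
        raise ValueError(f"rejected lookup: type={entity_type!r} id={identifier!r}")
    return (
        "match\n"
        f'  $e isa {entity_type}, has {id_attr} "{identifier}";\n'
        "fetch {\n  $e.*\n};"
    )


def run_read_query(address: str, database: str, user: str, password: str, query: str) -> list:
    """Read transaction opened directly on the driver (TypeDB 3.x has no sessions).

    Driver calls are as assumed for the TypeDB 3.x Python driver; verify against the Driver Guide.
    """
    from typedb.driver import TypeDB, Credentials, DriverOptions, TransactionType
    with TypeDB.driver(address, Credentials(user, password), DriverOptions(False, None)) as driver:
        with driver.transaction(database, TransactionType.READ) as tx:
            return list(tx.query(query).resolve().as_concept_documents())


if __name__ == "__main__":
    # Through the ssh tunnel from the Deployment section: localhost:1729 is TypeDB's gRPC port.
    q = build_entity_fetch("cluster", "geo-prod-01")
    for doc in run_read_query("localhost:1729", "ffo", "admin", "password", q):
        print(doc)
```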
Deployment
FFO TypeDB runs in the f3iai Kubernetes namespace:
| Property | Value |
|---|---|
| Namespace | f3iai |
| Image | harbor.vitro.lan/ffp/typedb:3.7.2 |
| Service type | ClusterIP (no NodePort) |
| gRPC port | 1729 |
| HTTP port (Studio) | 8000 |
| Database name | ffo |
| Default credentials | admin / password |
TypeDB is a ClusterIP service, meaning it is only accessible within the cluster. For local development access, tunnel to the pod IP:
```bash
# gRPC driver access
ssh -fN -L 1729:<pod-ip>:1729 ubuntu@texas-dell-04
# TypeDB Studio (HTTP) access
ssh -fN -L 8000:<pod-ip>:8000 ubuntu@texas-dell-04
```
TypeDB Studio connects via the HTTP port (8000), not the gRPC port (1729).
The FFO MCP server runs alongside TypeDB in the same namespace:
| Property | Value |
|---|---|
| Image | harbor.vitro.lan/ffp/ffo-mcp-server:v1.0.0 |
| Base image | python:3.11-slim |
| Port | 50060 |
| MCP endpoint | /mcp/sse |
| ArgoCD app | ffp-ffo-mcp |
| Health probe | /health |
| Readiness probe | /ready (verifies TypeDB connectivity) |
Data Flow
```text
Operator question
        |
        v
Compass API or LLM
        |
        v
FFO MCP Server (ffo.query, ffo.search, ffo.traverse, etc.)
        |
        v
TypeDB 3.x (TypeQL query)
        |
        v
Knowledge graph results (entities, attributes, relationships)
        |
        v
Formatted response (table, graph, or natural language)
```
Related Pages
- FFO Schema Reference — complete entity and relation type documentation
- TypeDB 3.x Driver Guide — driver API and critical gotchas
- TypeQL Query Examples — common query patterns with explanations
- Platform Architecture — how FFO fits into the broader platform