Skip to content

CLI Reference

Authentication

Command Description
hawk login Authenticate via browser/PKCE; --device for the Device flow (not supported by the default Cognito auth)
hawk auth access-token Print a valid access token to stdout
hawk auth refresh-token Print the current refresh token

Evaluations

Command Description
hawk eval-set CONFIG Submit an evaluation set
hawk eval-set resume [ID] Resume a crashed eval set from its last checkpoint
hawk local eval-set CONFIG Run eval locally

hawk eval-set options:

Option Description
--image URI Full container image URI for the runner
--image-tag TAG Specify runner image tag (within the default repo)
--secrets-file FILE Load secrets from file (repeatable)
--secret NAME Pass env var as secret (repeatable)
--skip-confirm Skip unknown field warnings
--log-dir-allow-dirty Allow dirty log directory

hawk eval-set resume additionally accepts --config FILE — resume with an updated, checkpoint-compatible config (e.g. to fix a crashing scorer); requires an explicit ID. Compatibility is not validated — see Checkpointing & Resume for what's safe to change. If the previous run has finished (or crashed), resume clears its leftover release automatically. It refuses (409) only when that run is still running — stop it first (hawk stop or hawk delete) — or when its state can't be confirmed, in which case clear it with hawk delete and retry.

Eval Set Configuration

Checkpointing

Eval sets can periodically snapshot in-progress samples to durable storage, allowing resumption after crashes. See Checkpointing & Resume for requirements, configuration options, and the resume workflow. Checkpoints fire only for agents or solvers that integrate Inspect's checkpointer (e.g. a checkpoint-aware react agent) and require the sandbox to permit root exec for in-sandbox capture.

Scans

Command Description
hawk scan run CONFIG Start a Scout scan
hawk scan resume [ID] Resume an interrupted scan
hawk scan import PATH Import a locally-produced scan directory, or a folder of scan directories, into the warehouse under one run (--name NAME)
hawk local scan CONFIG Run scan locally

Monitoring

Command Description
hawk logs [JOB_ID] View logs (-f to follow, -n for line count)
hawk status [JOB_ID] Status report, always emitted as JSON — no flag needed (--hours for log window)
hawk watch [JOB_ID] Live per-task / per-sample status (streams until the run finishes; --json for a raw single snapshot)
hawk trace [JOB_ID] View the Inspect trace log from a running runner pod
hawk stacktrace [JOB_ID] Capture a live py-spy stack dump of the runner process (live only)

hawk watch shows the same live view as the web viewer's status page — per-task progress bars, retries, limits, scores, and scheduling/pod trouble — streamed over SSE with an automatic polling fallback.

Option Description
--no-follow Print a single snapshot and exit instead of streaming
--json Output the raw status JSON (implies a single snapshot)

hawk logs options:

Option Description
-n, --lines INT Number of lines to show (default: 100)
-f, --follow Follow mode — continuously poll for new logs
--hours INT Hours of data to search (default: 5 years)
--poll-interval FLOAT Seconds between polls in follow mode (default: 3.0)

hawk trace options:

Option Description
-n, --lines INT Number of lines from the end of the trace (default: 100)
--full Fetch the entire trace file instead of just the tail
-f, --follow Follow the trace, printing new lines as the eval appends them (Ctrl-C to stop)
--poll-interval FLOAT Seconds between polls in --follow mode (default: 3.0)
--raw Output the unmodified JSON-lines trace records instead of formatted lines

The trace log records enter/exit events for model calls, subprocesses, and other long-running actions — useful for diagnosing a stuck or in-progress eval. Records are formatted like hawk logs output; use --raw to get the underlying JSON-lines for tooling. Access requires the same model-group permissions as viewing the eval's results. Only available while the runner pod is still running.

hawk trace abc123 -f                            # Follow new trace lines live (Ctrl-C to stop)
hawk trace abc123 --full --raw > trace.log      # Raw trace for: inspect trace anomalies trace.log

hawk stacktrace options:

Option Description
--native Include native (C-extension) stack frames
--json Output py-spy's JSON instead of the formatted text dump

Captures a live py-spy stack dump of the runner process (PID 1) inside the runner pod. Useful for diagnosing a stuck eval — shows exactly where each thread is blocked right now. Live only (runner pod must be running).

Viewing Results

Command Description
hawk web [EVAL_SET_ID] Open eval set in browser
hawk view-sample UUID Open a specific sample in browser
hawk list jobs List your launched jobs (eval-sets and scans); --all for all visible jobs
hawk list eval-sets List all eval sets
hawk list evals [ID] List evals in an eval set
hawk list samples [ID] List samples in an eval set
hawk transcript UUID Download a sample transcript
hawk transcripts [ID] Download all transcripts for an eval set
hawk download-artifacts [ID] Download sample artifact files for an eval set

hawk list samples options:

Option Description
--eval TEXT Filter to a specific eval file
--limit INT Max samples to show (default: 50)

hawk transcript / hawk transcripts options:

Option Description
--output-dir DIR Write to files instead of stdout
--raw Raw JSON instead of markdown
--limit INT Limit number of transcripts

hawk download-artifacts options:

Option Description
--sample UUID Download artifacts for one sample only
--output-dir DIR / -o DIR Output directory (default: artifacts/<eval-set-id>)

Artifacts are written as <output-dir>/<sample-uuid>/<artifact-path>. When --output-dir is omitted, the output directory is artifacts/<eval-set-id>. Existing files are overwritten.

When EVAL_SET_ID is omitted, Hawk uses the last eval set from the current session.

Management

Command Description
hawk stop [EVAL_SET_ID] Stop eval gracefully, scoring partial work (--error, --sample UUID)
hawk delete [EVAL_SET_ID] Delete eval set's Kubernetes resources (logs are kept)
hawk edit-samples FILE Submit sample edits (JSON or JSONL)
hawk import PATH Import locally-produced .eval files into the warehouse (--name NAME)

Other

Command Description
hawk config Print the current CLI configuration
hawk version Print the local CLI version and the deployed server version
hawk models List models accessible via the LLM proxy
hawk scan-export SCANNER_RESULT_UUID Export scan results as CSV

Human Registry

Manage external participants and their SSH public keys. This feature allows humans to perform an evaluation, for example to create human baselines.

Command Description
hawk human register --name NAME --ssh-key KEY Register a new human
hawk human list List all registered humans
hawk human update NAME --ssh-key KEY Update a human's SSH public key
hawk human delete NAME Remove a human from the registry

Human Evaluations

Run evaluations where a registered human does the work inside the sandbox instead of an LLM agent.

Command Description
hawk human eval start CONFIG --human NAME Start a human evaluation. Accepts any eval-set YAML — the server swaps in the configured human-agent solver and clamps epochs=1 / limit=1. Add human_eval.agent_args to the config to set args on the installed agent (e.g., user, record_session). Same secrets/image flags as hawk eval-set, plus --no-rewrite to pass the config through unchanged
hawk human eval ssh-command [EVAL_SET_ID] Print a copy-paste-ready SSH command for the sandbox (defaults to the most recently started eval-set)

ssh-command polls the eval logs for the agent's SSH connection details and prints a ssh -J command that hops through the shared jumphost to reach the sandbox pod. Pass --timeout SECONDS (default 600) to bound how long it waits for the sandbox to come up.