From 15ee2d6f04d4932cb57ed1b4f828e1f45b2a40a7 Mon Sep 17 00:00:00 2001
From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com>
Date: Thu, 25 Jun 2026 21:55:54 +0530
Subject: [PATCH] refactor: lightweight sudo count + drop chatty multi-sudo tip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace _count_real_sudo_invocations (which called
_rewrite_real_sudo_invocations and discarded the rewritten string) with
a lightweight token scan that reuses the same tokeniser but skips string
building. Remove the agent-facing tip about nested sudo in heredocs —
the cache-cleared warning is enough.
---
 tools/terminal_tool.py | 62 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 53 insertions(+), 9 deletions(-)

diff --git a/tools/terminal_tool.py b/tools/terminal_tool.py
index c9ece83eefb..11b6ad7a86c 100644
--- a/tools/terminal_tool.py
+++ b/tools/terminal_tool.py
@@ -599,9 +599,59 @@ def _rewrite_real_sudo_invocations(command: str) -> tuple[str, int]:
 
 
 def _count_real_sudo_invocations(command: str) -> int:
-    """Return how many real sudo command words appear in *command*."""
-    _, sudo_count = _rewrite_real_sudo_invocations(command)
-    return sudo_count
+    """Return how many real sudo command words appear in *command*.
+
+    Lightweight scan that reuses the same tokeniser as
+    ``_rewrite_real_sudo_invocations`` but skips the string-building, so it
+    is cheap to call from the result-processing path.
+    """
+    count = 0
+    i = 0
+    n = len(command)
+    command_start = True
+
+    while i < n:
+        ch = command[i]
+
+        if ch.isspace():
+            if ch == "\n":
+                command_start = True
+            i += 1
+            continue
+
+        if ch == "#" and command_start:
+            comment_end = command.find("\n", i)
+            if comment_end == -1:
+                break
+            i = comment_end
+            continue
+
+        if command.startswith("&&", i) or command.startswith("||", i) or command.startswith(";;", i):
+            i += 2
+            command_start = True
+            continue
+
+        if ch in ";|&(":
+            i += 1
+            command_start = True
+            continue
+
+        if ch == ")":
+            i += 1
+            command_start = False
+            continue
+
+        token, next_i = _read_shell_token(command, i)
+        if command_start and token == "sudo":
+            count += 1
+
+        if command_start and _looks_like_env_assignment(token):
+            command_start = True
+        else:
+            command_start = False
+        i = next_i
+
+    return count
 
 
 def _sudo_nopasswd_works() -> bool:
@@ -2553,12 +2603,6 @@ def terminal_tool(
                         "cleared. You will be prompted again on the next sudo "
                         "command."
                     )
-            if sudo_auth_failed and _count_real_sudo_invocations(command) > 1:
-                output += (
-                    "\n\n💡 Tip: this command had multiple sudo invocations. "
-                    "Hermes pipes one password line per sudo; nested sudo inside "
-                    "heredocs/scripts may still need a single outer sudo wrapper."
-                )
 
             # Foreground terminal output canonicalization seam: plugins receive
             # the full output string before default truncation and may only