diff --git a/src/tool/builtin/bash/permissions.ts b/src/tool/builtin/bash/permissions.ts
index 4d41de77..5b8673ec 100644
--- a/src/tool/builtin/bash/permissions.ts
+++ b/src/tool/builtin/bash/permissions.ts
@@ -3,7 +3,8 @@ import type { PermissionResult } from "../../../permission/index.js";
 const DENY_PATTERNS: RegExp[] = [
 // Unix
 /\brm\s+-[^&|;]*r[^&|;]*f\s+\//,
- /\bsudo\b/,
+ // sudo as a command (not inside quotes, e.g. `git log -S "sudo"`)
+ /(?:^|[;&|]\s*)sudo\b/,
 /\bchmod\s+-R\s+777\b/,
 /\bchown\s+-R\b/,
 /\bdd\s+if=/,
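Review bot: The anchored pattern `/(?:^|[;&|]\s*)sudo\b/` is narrower than the `\bsudo\b` it replaces: `^` is not followed by `\s*` and there is no `m` flag, so sudo is no longer denied after leading whitespace, after a newline in a multi-line command, or after the opening `(` of a subshell or command substitution. Since this list is a deny control for a shell tool, I would widen the command-position prefix, e.g. `/(?:^|[;&|\n(])\s*sudo\b/`, and add a test case for each position alongside the `git log -S "sudo"` case that motivated the change. The added comment also overstates the behaviour, because the regex does not parse quotes and `echo "a; sudo b"` is still denied; `// sudo in command position (start of input or after ; & |)` would describe it accurately. A pattern list cannot see through a wrapper that launches another program, so it is best treated as a guard rail next to the permission prompt, not as the only control. The DENY_PATTERNS array continues past the end of the hunk.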