diff --git a/app/services/realtime_audit_service.py b/app/services/realtime_audit_service.py
index d4f98bf..5346c8a 100644
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@@ -246,19 +246,23 @@ def _run(client, cmd):
         err = stderr.read().decode("utf-8", errors="replace").strip()
 
         # Fallback sans sudo si sudoers refuse (detection robuste case/accent insensible)
+        SUDO_KW = ["pas autoris", "non autoris", "not allowed to execute",
+                   "is not allowed", "no tty present", "sudo:"]
         err_low = err.lower()
-        sudo_refused = any(kw in err_low for kw in [
-            "pas autoris", "non autoris", "not allowed to execute",
-            "is not allowed", "no tty present", "sudo:",
-        ])
+        sudo_refused = any(kw in err_low for kw in SUDO_KW)
         if (not out) and err and sudo_refused:
             _, stdout, stderr = client.exec_command(cmd, timeout=15)
             out = stdout.read().decode("utf-8", errors="replace").strip()
             err2 = stderr.read().decode("utf-8", errors="replace").strip()
-            if out:
-                err = ""
+            err2_low = err2.lower()
+            still_sudo_err = any(kw in err2_low for kw in SUDO_KW)
+            if still_sudo_err:
+                err = err2
             else:
-                err = err2 or err
+                # Retry sans sudo a abouti (sortie vide acceptable)
+                err = err2 if err2 else ""
+                if not out and not err:
+                    out = ""  # explicite : pas de containers / pas de services failed = OK
 
         result = out if out else err
         lines = [l for l in result.splitlines() if not any(b in l for b in BANNER_FILTERS) and l.strip()]