feat(@scripts): ✨ add safe shell quoting and session filtering

Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>

bin/rclaude

@@ -607,6 +607,36 @@ scan_hosts() {
     done
 }
 
+# POSIX single-quote escape: wraps <arg> in single quotes and escapes any
+# embedded single quotes via the '\'' idiom. Used to build safe remote shell
+# commands for ssh — the remote shell re-parses argv, so anything containing
+# spaces, $, `, etc. must be quoted before transmission.
+sh_quote() {
+    printf "'%s'" "$(printf %s "$1" | sed "s/'/'\\\\''/g")"
+}
+
+# Filter target rows on stdin to those matching <selector>:<pat>.
+# Input rows are TSV: host\tkind\tsession\tdetail[\tcwd]
+# Only KIND=tmux rows are eligible (we can only send-keys to live sessions).
+#
+# Selectors:
+#   all          → every tmux row
+#   host <pat>   → exact host match (col 1)
+#   match <pat>  → substring in session name (col 3) OR cwd (col 5, if present).
+#                  The tmux session name already embeds a slugified cwd via
+#                  claude_slug(), so name-substring covers most cwd intents
+#                  (e.g. `--match lilith` hits any session whose cwd contained
+#                  "lilith"). Col 5 is reserved for future enrichment.
+filter_targets() {
+    _sel=$1; _pat=$2
+    awk -F '\t' -v sel="$_sel" -v pat="$_pat" '
+        $2 != "tmux" { next }
+        sel == "all"   { print; next }
+        sel == "host"  && $1 == pat { print; next }
+        sel == "match" && (index($3, pat) > 0 || (NF >= 5 && index($5, pat) > 0)) { print; next }
+    '
+}
+
 # ---------------------------------------------------------------------------
 # Subcommands
 # ---------------------------------------------------------------------------