Wire project infrastructure

tools/verify-no-version-literals.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Enforces INFRA-01 SC#2 / D-09: no literal *library/plugin* version strings outside catalog.
+# Scans every *.gradle.kts for numeric version literals (e.g. version = "1.2.3") that would
+# represent a library or plugin pin leaking out of the catalog.
+#
+# Exclusions (all semantic, not loopholes):
+#   - build-logic/build.gradle.kts needs literal plugin-dependency coordinates (`asDependency()`)
+#   - Top-level project-version assignments (unindented `^version = "x.y.z"`) are Gradle project
+#     metadata (artifact name) — NOT a library version pin. D-09 guards dependency versions,
+#     not project identity.
+set -euo pipefail
+VIOLATIONS=$(grep -rn -E 'version[[:space:]]*=[[:space:]]*"[0-9]' --include='*.gradle.kts' . 2>/dev/null \
+    | grep -v 'build-logic/build.gradle.kts' \
+    | grep -vE ':[0-9]+:version[[:space:]]*=[[:space:]]*"[0-9]' \
+    || true)
+if [ -n "$VIOLATIONS" ]; then
+    echo "ERROR: version literals found outside catalog:" >&2
+    echo "$VIOLATIONS" >&2
+    exit 1
+fi
+echo "OK: no version literals outside catalog."