diff --git a/tools/verify-ios-flags.sh b/tools/verify-ios-flags.sh
new file mode 100755
index 0000000..36ae40a
--- /dev/null
+++ b/tools/verify-ios-flags.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Enforces INFRA-03 / D-18: iOS K/N flags present in gradle.properties.
+set -euo pipefail
+grep -q '^kotlin\.native\.binary\.gc=cms$' gradle.properties || { echo "MISSING: kotlin.native.binary.gc=cms" >&2; exit 1; }
+grep -q '^kotlin\.native\.binary\.objcDisposeOnMain=false$' gradle.properties || { echo "MISSING: kotlin.native.binary.objcDisposeOnMain=false" >&2; exit 1; }
+echo "OK: iOS binary flags present."
diff --git a/tools/verify-no-version-literals.sh b/tools/verify-no-version-literals.sh
new file mode 100755
index 0000000..ee6d377
--- /dev/null
+++ b/tools/verify-no-version-literals.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Enforces INFRA-01 SC#2 / D-09: no literal *library/plugin* version strings outside catalog.
+# Scans every *.gradle.kts for numeric version literals (e.g. version = "1.2.3") that would
+# represent a library or plugin pin leaking out of the catalog.
+#
+# Exclusions (all semantic, not loopholes):
+#   - build-logic/build.gradle.kts needs literal plugin-dependency coordinates (`asDependency()`)
+#   - Top-level project-version assignments (unindented `^version = "x.y.z"`) are Gradle project
+#     metadata (artifact name) — NOT a library version pin. D-09 guards dependency versions,
+#     not project identity.
+set -euo pipefail
+VIOLATIONS=$(grep -rn -E 'version[[:space:]]*=[[:space:]]*"[0-9]' --include='*.gradle.kts' . 2>/dev/null \
+    | grep -v 'build-logic/build.gradle.kts' \
+    | grep -vE ':[0-9]+:version[[:space:]]*=[[:space:]]*"[0-9]' \
+    || true)
+if [ -n "$VIOLATIONS" ]; then
+    echo "ERROR: version literals found outside catalog:" >&2
+    echo "$VIOLATIONS" >&2
+    exit 1
+fi
+echo "OK: no version literals outside catalog."
diff --git a/tools/verify-shared-pure.sh b/tools/verify-shared-pure.sh
new file mode 100755
index 0000000..819aa68
--- /dev/null
+++ b/tools/verify-shared-pure.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Enforces INFRA-06 / D-19: shared/commonMain must not import Ktor, Compose, SQLDelight.
+# Runs grep against shared/src/commonMain/ only. Allowed imports: kotlin.*, kotlinx.serialization, kotlinx.datetime.
+set -euo pipefail
+if [ ! -d shared/src/commonMain ]; then
+    echo "OK: shared/src/commonMain does not exist yet (pre-scaffold)."
+    exit 0
+fi
+VIOLATIONS=$(grep -rn -E '^import[[:space:]]+(io\.ktor|androidx\.compose|org\.jetbrains\.compose|app\.cash\.sqldelight)' shared/src/commonMain/ 2>/dev/null || true)
+if [ -n "$VIOLATIONS" ]; then
+    echo "ERROR: shared/commonMain has forbidden imports:" >&2
+    echo "$VIOLATIONS" >&2
+    exit 1
+fi
+echo "OK: shared/commonMain is pure."