#!/usr/bin/env bash
# Enforces INFRA-01 SC#2 / D-09: no literal *library/plugin* version strings outside catalog.
# Scans every *.gradle.kts for numeric version literals (e.g. version = "1.2.3") that would
# represent a library or plugin pin leaking out of the catalog.
#
# Exclusions (all semantic, not loopholes):
#   - build-logic/build.gradle.kts needs literal plugin-dependency coordinates (`asDependency()`)
#   - Top-level project-version assignments (unindented `^version = "x.y.z"`) are Gradle project
#     metadata (artifact name) — NOT a library version pin. D-09 guards dependency versions,
#     not project identity.
set -euo pipefail
VIOLATIONS=$(grep -rn -E 'version[[:space:]]*=[[:space:]]*"[0-9]' --include='*.gradle.kts' . 2>/dev/null \
    | grep -v 'build-logic/build.gradle.kts' \
    | grep -vE ':[0-9]+:version[[:space:]]*=[[:space:]]*"[0-9]' \
    || true)
if [ -n "$VIOLATIONS" ]; then
    echo "ERROR: version literals found outside catalog:" >&2
    echo "$VIOLATIONS" >&2
    exit 1
fi
echo "OK: no version literals outside catalog."