release: v0.9.0 — shimkit db --on-host

Charter-completion: opt-out from container-first on `shimkit db`.
Third and last of the deferred v0.5+ candidates from the
ubuntu-migration validation report (after `shimkit cron` in v0.6
and `shimkit framework laravel` in v0.7 and `shimkit tls` in
v0.8).

Surface (additive — every existing flag still works):

    shimkit db <engine> up     --on-host (MODERATE prompt)
    shimkit db <engine> down   --on-host (MODERATE)
    shimkit db <engine> status --on-host
    shimkit db <engine> shell  --on-host

When `--on-host` is set, `up`/`down`/`status` route through
`shimkit.core.HostService` (systemd on Linux, brew services on
macOS) and manage an *already-installed* engine rather than a
container. `shell` shells out to the host's CLI client
(`mysql -h 127.0.0.1`, `psql -h 127.0.0.1`) — exporting
`PGPASSWORD` for postgres so the existing password flow works
unchanged.

Available for mysql / mariadb / postgres only. mongo and
phpmyadmin are intentionally container-only — mongo's host-
packaging surface is messy and falls outside scope; phpmyadmin
has no host install at all. Both reject `--on-host` with a clear
"supported on-host engines: mysql, mariadb, postgres" message.

Security shape — the audit-completion bit:

  shimkit DOES NOT install packages in --on-host mode. If the
  engine's client binary isn't on PATH, the command refuses
  (with EX_UNAVAILABLE for shell, EX_FAIL for up/down). This is
  the redesign's core safety promise — the original ubuntu
  scripts had five Critical security flags from install-on-host
  patterns (0.0.0.0 binds, deprecated apt-key, curl|sh) and
  --on-host explicitly avoids reproducing any of them. Users
  who want mysql on the host install it themselves via apt /
  brew / dnf; shimkit just manages it.

Architecture additions:

- `shimkit.core.HostService` — new cross-platform service-
  manager facade. `HostService.detect(platform)` returns
  `SystemdHost()` on Linux, `BrewServicesHost()` on macOS,
  `None` elsewhere. Each subclass implements `state()` /
  `start()` / `stop()` returning a typed `HostServiceResult`.
  Built on top of the existing `Systemd` facade.
- `tools.db.host_services` config block — per-engine service-
  name mapping. mysql: `mysql` (both), mariadb: `mariadb`
  (both), postgres: `postgresql` on Linux / `postgresql@16`
  on macOS. Override in user config when your distro or
  homebrew formula diverges.
- `Engine.supports_on_host()` / `Engine.host_shell_argv()` /
  `Engine.host_client_binary()` — three new methods on the
  engine ABC. mysql / mariadb / postgres override
  `supports_on_host=True` and provide `-h 127.0.0.1 -u… -p…`
  argv; mongo / phpmyadmin keep the default False.
- `DbManager.boot(on_host=True)` skips the docker preflight
  entirely — useful for users with a host install who never
  installed Docker. Container-mode methods now assert
  `self._env is not None` at entry so a stray container call
  on an on-host manager fails loudly rather than `AttributeError`
  on None.

Tests: 21 new in tests/test_tools_db_on_host.py (609 → 630
total). Boot semantics (on_host skips docker preflight; default
still runs it), refusals (mongo / phpmyadmin / missing-binary /
unsupported-platform), up / down / status happy paths with both
Linux and macOS service-name resolution (mysql → mysql, postgres
→ postgresql vs postgresql@16), dry-run no-op, failed start
propagates exit 1, shell routes through CommandRunner with
PGPASSWORD-passthrough for postgres, engine driver layer
correctness (supports_on_host table; host_shell_argv targets
127.0.0.1; postgres uses psql as client).

Gates: pytest 630 passed, ruff clean, mypy strict clean. No new
optional dependency extras.

Author: imanimanyara

CHANGELOG.md

@@ -6,6 +6,68 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased]
 
+## [0.9.0] — 2026-05-15
+
+### Added
+
+- `shimkit db <engine> ... --on-host` — opt-out from container-
+  first. When `--on-host` is passed, `up` / `down` / `status` /
+  `shell` route through `HostService` (systemd on Linux, `brew
+  services` on macOS) and manage an already-installed host
+  engine rather than a container. Available for mysql / mariadb
+  / postgres; mongo and phpmyadmin are intentionally
+  container-only (mongo's host-packaging surface is messy;
+  phpmyadmin has no host install).
+
+  **shimkit does NOT install packages in --on-host mode** — if
+  the engine's client (`mysql`/`mariadb`/`psql`) isn't on PATH,
+  the command refuses with a clear remediation. This is the
+  redesign's core safety promise: the original ubuntu scripts
+  had five Critical security flags from install-on-host
+  patterns (0.0.0.0 binds, deprecated apt-key, curl|sh) and
+  shimkit's `--on-host` mode explicitly avoids reproducing
+  them.
+
+- `shimkit.core.HostService` — new abstraction with
+  `SystemdHost` (Linux) and `BrewServicesHost` (macOS) concrete
+  backends. `HostService.detect(platform)` returns the right
+  one or `None` for unsupported systems. Exposes `state()` /
+  `start()` / `stop()` returning a typed `HostServiceResult`.
+  Pairs with the existing `Systemd` facade — the new class is
+  the cross-platform layer above it.
+
+- `tools.db.host_services` config block — per-engine service-
+  name mapping for Linux + macOS. Defaults: `mysql` →
+  `mysql` (both), `mariadb` → `mariadb` (both), `postgres` →
+  `postgresql` on Linux / `postgresql@16` on macOS. Override
+  per-install in user config when your distro or homebrew
+  formula diverges.
+
+- `Engine.supports_on_host()` / `Engine.host_shell_argv()` /
+  `Engine.host_client_binary()` — three new methods on the
+  engine ABC. Mysql / mariadb / postgres override
+  `supports_on_host=True` and provide host-side argv targeting
+  `127.0.0.1`; mongo / phpmyadmin keep the default `False`.
+
+### Changed
+
+- `DbManager.boot(on_host=True)` — skips the docker preflight
+  entirely when the caller is using `--on-host`. Container-mode
+  methods now assert `self._env is not None` at entry; this
+  prevents a stray `up()` call on an on-host manager from
+  blowing up with `AttributeError` on a None DockerEnv.
+
+### Tests
+
+- 21 new tests in `tests/test_tools_db_on_host.py` (609 → 630
+  total). Boot semantics (on_host skips docker preflight;
+  default still runs it), refusals (mongo / phpmyadmin /
+  missing-binary / unsupported-platform), up / down / status
+  happy paths on both Linux and macOS service-name resolution,
+  dry-run no-op, failed start propagates exit 1, shell
+  routes through CommandRunner with PGPASSWORD for postgres,
+  engine driver layer correctness.
+
 ## [0.8.0] — 2026-05-15
 
 ### Added

docs/tools/db.md

@@ -28,7 +28,42 @@ Universal flags (before the subcommand): `--quiet`, `--verbose`,
 `--log-file PATH`, `--no-color`, `--color`, `--no-input`.
 Per-command flags (after the subcommand): `--json`, `--dry-run`,
 `--yes`, `--force`, `--name <id>`, `--port N`, `--bind HOST`,
-`--volume PATH`, `--ephemeral`, `--password PWD`, `--confirm TOKEN`.
+`--volume PATH`, `--ephemeral`, `--password PWD`, `--confirm TOKEN`,
+`--on-host` (see below).
+
+## --on-host (opt-out from container-first)
+
+The default path is containers — that's how shimkit dissolves
+the security flags from the original ubuntu provisioning scripts
+(0.0.0.0 binds, deprecated apt-key, etc). If you've installed
+mysql / mariadb / postgres on the host yourself (via apt, brew,
+dnf), pass `--on-host` to manage *that* engine rather than a
+container.
+
+| `--on-host` command | What it does |
+|---------------------|--------------|
+| `shimkit db <engine> up --on-host`        | `systemctl start <service>` (Linux) / `brew services start <name>` (macOS). |
+| `shimkit db <engine> down --on-host`      | `systemctl stop <service>` / `brew services stop <name>`. |
+| `shimkit db <engine> status --on-host`    | Reports `running` / `stopped` / `missing`. |
+| `shimkit db <engine> shell --on-host`     | `mysql -h 127.0.0.1 -uroot -p…` (or `psql`) directly against the host install. |
+
+Limits:
+
+- **mysql / mariadb / postgres only.** `mongo` and `phpmyadmin`
+  reject `--on-host` (mongo's host packaging surface is messy
+  and out of scope; phpmyadmin has no host install). Use the
+  container path for those.
+- **`shimkit` never installs the package.** If `mysql` (or
+  `mariadb`, `psql`) isn't on PATH, the command refuses — install
+  via your package manager first. This is deliberate: the
+  install-on-host scripts in the original ubuntu source had
+  five Critical security flags (0.0.0.0 binds, deprecated
+  apt-key, curl|sh), and shimkit's redesign explicitly avoids
+  reproducing them.
+- Service names live in config (`tools.db.host_services.<engine>.{service_linux,service_macos}`).
+  Override per-install if your distro or homebrew formula
+  diverges from the defaults (e.g. `postgresql@16` on macOS,
+  `postgresql` on Debian).
 
 ## Engines
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "shimkit"
-version = "0.8.0"
+version = "0.9.0"
 description = "A toolkit of developer utilities — Java version manager, shell upgrader, and more. Python tools, shimmed by bash."
 readme = "README.md"
 license = { file = "LICENSE" }

src/shimkit/__init__.py

@@ -3,5 +3,5 @@
 Python tools, shimmed by bash.
 """
 
-__version__ = "0.8.0"
+__version__ = "0.9.0"
 __all__ = ["__version__"]

src/shimkit/config/defaults.json

@@ -157,6 +157,11 @@
         "postgres":   {"image": "postgres:16",   "default_port": 15432},
         "mongo":      {"image": "mongo:7",       "default_port": 17017},
         "phpmyadmin": {"image": "phpmyadmin:5",  "default_port": 18080}
+      },
+      "host_services": {
+        "mysql":    {"service_linux": "mysql",      "service_macos": "mysql"},
+        "mariadb":  {"service_linux": "mariadb",    "service_macos": "mariadb"},
+        "postgres": {"service_linux": "postgresql", "service_macos": "postgresql@16"}
       }
     },
     "stack": {

src/shimkit/config/schema.py

@@ -275,6 +275,18 @@ class DbEngineEntry(_StrictModel):
     default_port: int = Field(ge=1, le=65535)
 
 
+class DbHostServiceEntry(_StrictModel):
+    """Per-engine service-name mapping for `--on-host` mode.
+
+    Linux assumes systemd unit names; macOS assumes the literal
+    `brew services` formula name. Override per-install when your
+    distro or formula uses a different name.
+    """
+
+    service_linux: str
+    service_macos: str
+
+
 class DbConfig(_StrictModel):
     """`shimkit db` — container-first database orchestration."""
 
@@ -295,6 +307,20 @@ class DbConfig(_StrictModel):
             "phpmyadmin": DbEngineEntry(image="phpmyadmin:5", default_port=18080),
         }
     )
+    # Per-engine service names used when --on-host is passed. Engines
+    # absent from this map cannot be managed --on-host (mongo and
+    # phpmyadmin are intentionally absent — phpmyadmin has no host
+    # install, mongo's host packaging surface is messy and falls
+    # outside shimkit's `db --on-host` scope).
+    host_services: dict[str, DbHostServiceEntry] = Field(
+        default_factory=lambda: {
+            "mysql": DbHostServiceEntry(service_linux="mysql", service_macos="mysql"),
+            "mariadb": DbHostServiceEntry(service_linux="mariadb", service_macos="mariadb"),
+            "postgres": DbHostServiceEntry(
+                service_linux="postgresql", service_macos="postgresql@16"
+            ),
+        }
+    )
 
 
 class VersionConstraint(_StrictModel):

src/shimkit/core/__init__.py

@@ -10,6 +10,13 @@
 
 from .command import CommandResult, CommandRunner, has_sudo_cached, is_root, sudo_prefix
 from .docker import DockerEnv, DockerNotAvailableError, ExecOutcome
+from .host_service import (
+    BrewServicesHost,
+    HostService,
+    HostServiceResult,
+    ServiceState,
+    SystemdHost,
+)
 from .json_event import Event, emit_json
 from .log import attach_file_handler, get_logger, set_verbose
 from .menu import AskResult, FallbackMenu, Menu
@@ -30,6 +37,7 @@
 __all__ = [
     "UI",
     "AskResult",
+    "BrewServicesHost",
     "CommandResult",
     "CommandRunner",
     "Detector",
@@ -38,14 +46,18 @@
     "Event",
     "ExecOutcome",
     "FallbackMenu",
+    "HostService",
+    "HostServiceResult",
     "Menu",
     "PackageManager",
     "Platform",
     "Result",
+    "ServiceState",
     "Shell",
     "ShellConfigWriter",
     "Status",
     "Systemd",
+    "SystemdHost",
     "ToolVersion",
     "UnitState",
     "VersionConstraint",

src/shimkit/core/host_service.py

@@ -0,0 +1,109 @@
+"""Cross-platform service-manager facade.
+
+Linux: shells out via the existing :class:`Systemd`.
+macOS:  shells out via `brew services`.
+
+Used by tools that need to talk to host-installed daemons rather
+than container ones — `shimkit db --on-host` is the first
+consumer.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Literal
+
+from .command import CommandResult, CommandRunner
+from .platform import Platform
+from .systemd import Systemd
+
+ServiceState = Literal["running", "stopped", "missing"]
+
+
+@dataclass(frozen=True)
+class HostServiceResult:
+    """Combined CommandResult-ish + state, returned by start/stop."""
+
+    ok: bool
+    state: ServiceState
+    stdout: str = ""
+    stderr: str = ""
+
+
+class HostService:
+    """Abstract interface implemented by SystemdHost / BrewServicesHost.
+
+    Tests mock the concrete subclasses directly. Producers ask for an
+    implementation via :meth:`detect`; ``None`` means the host has no
+    supported service manager.
+    """
+
+    @classmethod
+    def detect(cls, platform: Platform | None = None) -> HostService | None:
+        plat = platform or Platform.detect()
+        if plat.is_linux:
+            return SystemdHost()
+        if plat.is_macos:
+            return BrewServicesHost()
+        return None
+
+    def state(self, service: str) -> ServiceState:
+        raise NotImplementedError
+
+    def start(self, service: str) -> HostServiceResult:
+        raise NotImplementedError
+
+    def stop(self, service: str) -> HostServiceResult:
+        raise NotImplementedError
+
+
+class SystemdHost(HostService):
+    """Linux: shells out via :class:`Systemd`."""
+
+    def state(self, service: str) -> ServiceState:
+        unit = Systemd.state(service if service.endswith(".service") else f"{service}.service")
+        if not unit.exists:
+            return "missing"
+        return "running" if unit.active else "stopped"
+
+    def start(self, service: str) -> HostServiceResult:
+        r = Systemd.start(service)
+        return _wrap(r, self.state(service))
+
+    def stop(self, service: str) -> HostServiceResult:
+        r = Systemd.stop(service)
+        return _wrap(r, self.state(service))
+
+
+class BrewServicesHost(HostService):
+    """macOS: shells out via `brew services <action> <name>`."""
+
+    def state(self, service: str) -> ServiceState:
+        # `brew services list` output (whitespace columns):
+        #   Name      Status     User    File
+        #   mysql     started    you     ~/...
+        #   postgresql@16 none ...
+        r = CommandRunner.run(["brew", "services", "list"])
+        if not r.ok:
+            return "missing"
+        for line in r.stdout.splitlines():
+            parts = line.split()
+            if not parts or parts[0] != service:
+                continue
+            status = parts[1] if len(parts) > 1 else "none"
+            if status in {"started", "scheduled"}:
+                return "running"
+            return "stopped"
+        return "missing"
+
+    def start(self, service: str) -> HostServiceResult:
+        r = CommandRunner.run(["brew", "services", "start", service])
+        return _wrap(r, self.state(service))
+
+    def stop(self, service: str) -> HostServiceResult:
+        r = CommandRunner.run(["brew", "services", "stop", service])
+        return _wrap(r, self.state(service))
+
+
+def _wrap(r: CommandResult, state: ServiceState) -> HostServiceResult:
+    return HostServiceResult(ok=r.ok, state=state, stdout=r.stdout, stderr=r.stderr)