# # # patch "README.encapsulation" # from [47dd34f2a819d435a14fc79be8eb88ec7d5f7ebe] # to [36c609dc4f585cf0d10239391058d23ea0e46d80] # # patch "annotate.cc" # from [7457a87da213a3d65992626f4aa149ec7eff228d] # to [5b24ddee7d5cb461f3697a6ea2717f995298f268] # # patch "cert.cc" # from [8efdf5262106e9d115474197d131e3fe886953fa] # to [4dfcd5002bb3c18c3036bc51a9b17bb72446d1ff] # # patch "cert.hh" # from [649b22d9e89e9a64a894ddb3b68c82db0b8f22f2] # to [4f90382d5837117659acaa5208a7561e7f8514b2] # # patch "cmd_key_cert.cc" # from [5d8ada54b68b3ea0634beb8f1072644172c4dad0] # to [472b969d3c3e06e1131877ce3771af3879775bce] # # patch "cmd_list.cc" # from [0ff9de55b90f18b284382b82ebfd43b405567a41] # to [187e20a29daae3301b12ff85f217743d3f713444] # # patch "cmd_merging.cc" # from [e709fecf8e9cd9847e878812b6a33a69dee87dac] # to [b7558ceaad02dad729e56876b3df0952a587e4ad] # # patch "database.cc" # from [bcde36ec95faacf3d986a0d3bc238a7bf8450ac2] # to [483e7dc2f1ae45d81a373c4d6550039add2c45ce] # # patch "database.hh" # from [8cf8df8a906ef41ac779b7f1d2f54632ccc37fa4] # to [ce843d37f8ecddfd0ee6c99d2b1eb1dd402689cb] # # patch "database_check.cc" # from [011488d738d65307ae76e194cb1da287077cd94f] # to [26c19a2845a93bb9a2985f338f9987afeaee4f88] # # patch "key_store.cc" # from [70b97a9e2a06654ec641a1709c2a875cdfa603d5] # to [09ec38a786f4b9692b8aba5d602959bdcc5b0741] # # patch "key_store.hh" # from [f8487eb86cc407c597623267abecfc807eb4dc12] # to [3add5fc4cc7026191dcabfc3401532881dec29d2] # # patch "keys.cc" # from [248765402f735b03226c4ea08c0571b23ef211fa] # to [9fe5a0d2f0194c2e572256827981100740d0162e] # # patch "keys.hh" # from [d0e0528c82f6d621c14e3dfb2e140a34bdf98464] # to [862ef6e6d3f733dac35cc0a041432d9bca518dc2] # # patch "netsync.cc" # from [0f01e801b2652763d4f1b7b99b9fd5f227081b43] # to [38cc22dc4aa621786db59a627ee3d187d7c4e626] # # patch "project.cc" # from [8f68f4af163a87d49ff95870e00f579f9e3212c4] # to [df1cb9edf0298e706d27a3416e872eba07f8994b] # # patch "revision.cc" # from 
[d913e67ae0e33d090d98bab4998c46678f20f753] # to [21c7d94b857666978500059d9cb95d7c349b30ae] # ============================================================ --- README.encapsulation 47dd34f2a819d435a14fc79be8eb88ec7d5f7ebe +++ README.encapsulation 36c609dc4f585cf0d10239391058d23ea0e46d80 @@ -5,10 +5,8 @@ annotate.cc: # Why does this go via the project? It only calls # db.get_revision_certs()... app.get_project().get_revision_certs(*i, certs); + app.db.. - needs: erase_bogus_certs() - - revision.cc: struct anc_graph still uses app_state, while most methods only need the @@ -36,32 +34,15 @@ revision.cc: needs: anc_graph() needs: get_user_key() needs: require_password() - needs: erase_bogus_certs() cert.cc: - bogus_cert_p::is_bogus_cert(): - needs: check_cert() - - erase_bogus_certs(): - app.db... - app.lua.hook_get_manifest_cert_trust - - load_key_pair(): - app.keys... - app.loa.hook - calculate_cert(): app.db... needs: load_key_pair() (i.e. keys, lua.hook_persist_phrase_ok) needs: make_signature() - check_cert() - app.db... - app.lua.hook_persist_phrase_ok - needs: check_signature() - get_user_key(): app.keys... app.opts.signing_key @@ -144,13 +125,12 @@ netsync.cc: session::process_auth_cmd(): app.db... - app.keys.try_ensure_in_db() + app.keys... app.lua.hook_note_netsync_start() app.lua.hook_get_netsync_read_permitted() app.lua.hook_get_netsync_write_permitted() app.get_project().get_branch_list() needs: rebuild_merkle_trees() - needs: check_signature() session::begin_service(): app.opts.use_transport_auth 
@@ -188,37 +168,18 @@ keys.cc: keys.cc: - migrate_private_key(): - needs: get_passphrase() - - get_passphrase(): - lua.hook_get_passphrase - make_signature(): - needs: get_passphrase() - app.opts.ssh_sign app.keys... + app.opts.ssh_sign app.agent - app.lua.hook_persist_phrase_ok() - needs: check_signature() - check_signature(): - app.keys... - app.lua.hook_persist_phrase_ok - encrypt_rsa(): - (takes 'lua' argument, but doesn't use it??) + (now takes a key_store context, but doesn't use it..) - decrypt_rsa(): - needs: get_private_key() - require_password(): + app.keys... needs: priv_key_exists() - app.keys.get_key_dir() - needs: load_key_pair() - app.lua.hook_persist_phrase_ok() needs: make_signature() - needs: check_signature() project.cc: @@ -228,7 +189,6 @@ project.cc: project_t: app.db... - needs: erase_bogus_certs() needs: cert_revision_{in_branch,tag,changelog,date_time,author}() which in turn all need make_simple_cert() app.opts.date @@ -255,9 +215,3 @@ cmd_diff_log.cc: needs: node_restriction() needs: complete() - - -selectors.cc: - decode_selector(): - app.lua.hook_expand_{selector,date} - ============================================================ --- annotate.cc 7457a87da213a3d65992626f4aa149ec7eff228d +++ annotate.cc 5b24ddee7d5cb461f3697a6ea2717f995298f268 @@ -392,7 +392,7 @@ annotate_context::build_revisions_to_ann { vector< revision > certs; app.get_project().get_revision_certs(*i, certs); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); string author(cert_string_value(certs, author_cert_name, true, false, "@< ")); ============================================================ --- cert.cc 8efdf5262106e9d115474197d131e3fe886953fa +++ cert.cc 4dfcd5002bb3c18c3036bc51a9b17bb72446d1ff 
@@ -62,12 +62,12 @@ bogus_cert_p struct bogus_cert_p { - app_state & app; - bogus_cert_p(app_state & app) : app(app) {}; + database & db; + bogus_cert_p(database & db) : db(db) {}; bool cert_is_bogus(cert const & c) const { - cert_status status = check_cert(app, c); + cert_status status = check_cert(db, c); if (status == cert_ok) { L(FL("cert ok")); @@ -104,10 +104,10 @@ erase_bogus_certs(vector< manifest void erase_bogus_certs(vector< manifest > & certs, - app_state & app) + database & db) { typedef vector< manifest >::iterator it; - it e = remove_if(certs.begin(), certs.end(), bogus_cert_p(app)); + it e = remove_if(certs.begin(), certs.end(), bogus_cert_p(db)); certs.erase(e, certs.end()); vector< manifest > tmp_certs; @@ -140,10 +140,10 @@ erase_bogus_certs(vector< manifest { cert_value decoded_value; decode_base64(get<2>(i->first), decoded_value); - if (app.lua.hook_get_manifest_cert_trust(*(i->second.first), - get<0>(i->first), - get<1>(i->first), - decoded_value)) + if (db.hook_get_manifest_cert_trust(*(i->second.first), + get<0>(i->first), + get<1>(i->first), + decoded_value)) { L(FL("trust function liked %d signers of %s cert on manifest %s") % i->second.first->size() % get<1>(i->first) % get<0>(i->first)); @@ -160,10 +160,10 @@ erase_bogus_certs(vector< revision void erase_bogus_certs(vector< revision > & certs, - app_state & app) + database & db) { typedef vector< revision >::iterator it; - it e = remove_if(certs.begin(), certs.end(), bogus_cert_p(app)); + it e = remove_if(certs.begin(), certs.end(), bogus_cert_p(db)); certs.erase(e, certs.end()); vector< revision > tmp_certs; 
@@ -197,10 +197,10 @@ erase_bogus_certs(vector< revision { cert_value decoded_value; decode_base64(get<2>(i->first), decoded_value); - if (app.lua.hook_get_revision_cert_trust(*(i->second.first), - get<0>(i->first), - get<1>(i->first), - decoded_value)) + if (db.hook_get_revision_cert_trust(*(i->second.first), + get<0>(i->first), + get<1>(i->first), + decoded_value)) { L(FL("trust function liked %d signers of %s cert on revision %s") % i->second.first->size() % get<1>(i->first) % get<0>(i->first)); @@ -371,26 +371,25 @@ void // in both with differing contents. void -load_key_pair(app_state & app, +load_key_pair(key_store & keys, rsa_keypair_id const & id, keypair & kp) { + static map temp_keys; + bool persist_ok = (!temp_keys.empty()) || keys.hook_persist_phrase_ok(); - static map keys; - bool persist_ok = (!keys.empty()) || app.lua.hook_persist_phrase_ok(); - - if (persist_ok && keys.find(id) != keys.end()) + if (persist_ok && temp_keys.find(id) != temp_keys.end()) { - kp = keys[id]; + kp = temp_keys[id]; } else { - N(app.keys.key_pair_exists(id), + N(keys.key_pair_exists(id), F("no key pair '%s' found in key store '%s'") - % id % app.keys.get_key_dir()); - app.keys.get_key_pair(id, kp); + % id % keys.get_key_dir()); + keys.get_key_pair(id, kp); if (persist_ok) - keys.insert(make_pair(id, kp)); + temp_keys.insert(make_pair(id, kp)); } } 
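Review bot: `load_key_pair` now takes a `key_store &`, but the `static map` it fills (`temp_keys`) is still one process-wide cache keyed by key id alone, so a pair loaded through one key_store would be returned for the same id on a call made with a different one. The same applies to `pubkeys` in `check_cert` (the next cert.cc hunk, which now takes `database &`) and to `phrases` in `get_passphrase` in keys.cc. With a single app_state per process this is presumably harmless today, but since the commit makes the context explicit, these caches belong on the context object, as `verifiers` already does on key_store. Until they move, record the assumption next to each static, e.g. `// process-wide cache, NOT per key_store: assumes a single key store per run`.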
@@ -401,20 +400,19 @@ calculate_cert(app_state & app, cert & t keypair kp; cert_signable_text(t, signed_text); - load_key_pair(app, t.key, kp); + load_key_pair(app.keys, t.key, kp); app.db.put_key(t.key, kp.pub); make_signature(app, t.key, kp.priv, signed_text, t.sig); } cert_status -check_cert(app_state & app, cert const & t) +check_cert(database & db, cert const & t) { - base64< rsa_pub_key > pub; static map > pubkeys; - bool persist_ok = (!pubkeys.empty()) || app.lua.hook_persist_phrase_ok(); + bool persist_ok = (!pubkeys.empty()) || db.get_key_store().hook_persist_phrase_ok(); if (persist_ok && pubkeys.find(t.key) != pubkeys.end()) @@ -423,16 +421,16 @@ check_cert(app_state & app, cert const & } else { - if (!app.db.public_key_exists(t.key)) + if (!db.public_key_exists(t.key)) return cert_unknown; - app.db.get_key(t.key, pub); + db.get_key(t.key, pub); if (persist_ok) pubkeys.insert(make_pair(t.key, pub)); } string signed_text; cert_signable_text(t, signed_text); - if (check_signature(app, t.key, pub, signed_text, t.sig)) + if (check_signature(db.get_key_store(), t.key, pub, signed_text, t.sig)) return cert_ok; else return cert_bad; ============================================================ --- cert.hh 649b22d9e89e9a64a894ddb3b68c82db0b8f22f2 +++ cert.hh 4f90382d5837117659acaa5208a7561e7f8514b2 @@ -25,6 +25,7 @@ class key_store; class app_state; class key_store; +class database; struct cert { @@ -63,9 +64,9 @@ void cert_signable_text(cert const & t,s typedef enum {cert_ok, cert_bad, cert_unknown} cert_status; void cert_signable_text(cert const & t,std::string & out); -cert_status check_cert(app_state & app, cert const & t); +cert_status check_cert(database & db, cert const & t); bool priv_key_exists(key_store & keys, rsa_keypair_id const & id); -void load_key_pair(app_state & app, +void load_key_pair(key_store & keys, rsa_keypair_id const & id, keypair & kp); 
@@ -83,10 +84,10 @@ void erase_bogus_certs(std::vector< revi app_state & app); void erase_bogus_certs(std::vector< revision > & certs, - app_state & app); + database & db); void erase_bogus_certs(std::vector< manifest > & certs, - app_state & app); + database & db); // Special certs -- system won't work without them. ============================================================ --- cmd_key_cert.cc 5d8ada54b68b3ea0634beb8f1072644172c4dad0 +++ cmd_key_cert.cc 472b969d3c3e06e1131877ce3771af3879775bce @@ -49,7 +49,7 @@ CMD(genkey, N_("key and cert"), N_("KEYI keypair kp; P(F("generating key-pair '%s'") % ident); - generate_key_pair(app.lua, ident, kp); + generate_key_pair(app.keys, ident, kp); P(F("storing key-pair '%s' in %s/") % ident % app.keys.get_key_dir()); app.keys.put_key_pair(ident, kp); @@ -110,7 +110,7 @@ CMD(passphrase, N_("key and cert"), N_(" keypair key; app.keys.get_key_pair(ident, key); - change_key_passphrase(app.lua, ident, key.priv); + change_key_passphrase(app.keys, ident, key.priv); app.keys.delete_key(ident); app.keys.put_key_pair(ident, key); P(F("passphrase changed")); @@ -129,9 +129,9 @@ CMD(ssh_agent_export, N_("key and cert") get_user_key(id, app); N(priv_key_exists(app.keys, id), F("the key you specified cannot be found")); app.keys.get_key_pair(id, key); - shared_ptr priv = get_private_key(app.lua, id, key.priv); + shared_ptr priv = get_private_key(app.keys, id, key.priv); utf8 new_phrase; - get_passphrase(app.lua, id, new_phrase, true, true, "enter new passphrase"); + get_passphrase(app.keys, id, new_phrase, true, true, "enter new passphrase"); Pipe p; p.start_msg(); if (new_phrase().length()) 
@@ -167,7 +167,7 @@ CMD(ssh_agent_add, N_("key and cert"), " get_user_key(id, app); N(priv_key_exists(app.keys, id), F("the key you specified cannot be found")); app.keys.get_key_pair(id, key); - shared_ptr priv = get_private_key(app.lua, id, key.priv); + shared_ptr priv = get_private_key(app.keys, id, key.priv); app.agent.add_identity(*priv, id()); } ============================================================ --- cmd_list.cc 0ff9de55b90f18b284382b82ebfd43b405567a41 +++ cmd_list.cc 187e20a29daae3301b12ff85f217743d3f713444 @@ -92,7 +92,7 @@ ls_certs(string const & name, app_state for (size_t i = 0; i < certs.size(); ++i) { - cert_status status = check_cert(app, idx(certs, i)); + cert_status status = check_cert(app.db, idx(certs, i)); cert_value tv; decode_base64(idx(certs, i).value, tv); string washed; @@ -714,7 +714,7 @@ AUTOMATE(certs, N_("REV"), options::opts for (size_t i = 0; i < certs.size(); ++i) { basic_io::stanza st; - cert_status status = check_cert(app, idx(certs, i)); + cert_status status = check_cert(app.db, idx(certs, i)); cert_value tv; cert_name name = idx(certs, i).name; set signers; ============================================================ --- cmd_merging.cc e709fecf8e9cd9847e878812b6a33a69dee87dac +++ cmd_merging.cc b7558ceaad02dad729e56876b3df0952a587e4ad @@ -81,7 +81,7 @@ pick_branch_for_update(revision_id chose // figure out which branches the target is in vector< revision > certs; app.db.get_revision_certs(chosen_rid, branch_cert_name, certs); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); set< branch_name > branches; for (vector< revision >::const_iterator i = certs.begin(); ============================================================ --- database.cc bcde36ec95faacf3d986a0d3bc238a7bf8450ac2 +++ database.cc 483e7dc2f1ae45d81a373c4d6550039add2c45ce 
@@ -3482,6 +3482,26 @@ database::hook_expand_date(std::string c return __app->lua.hook_expand_date(sel, exp); }; +bool +database::hook_get_manifest_cert_trust(set const & signers, + hexenc const & id, cert_name const & name, cert_value const & val) +{ + return __app->lua.hook_get_manifest_cert_trust(signers, id, name, val); +}; + +bool +database::hook_get_revision_cert_trust(set const & signers, + hexenc const & id, cert_name const & name, cert_value const & val) +{ + return __app->lua.hook_get_revision_cert_trust(signers, id, name, val); +}; + +key_store & +database::get_key_store() +{ + return __app->keys; +} + // transaction guards transaction_guard::transaction_guard(database & d, bool exclusive, ============================================================ --- database.hh 8cf8df8a906ef41ac779b7f1d2f54632ccc37fa4 +++ database.hh ce843d37f8ecddfd0ee6c99d2b1eb1dd402689cb @@ -72,6 +72,7 @@ class app_state; class transaction_guard; class app_state; +class key_store; struct revision_t; struct query; class rev_height; @@ -594,9 +595,15 @@ public: void put_roster_for_revision(revision_id const & new_id, revision_t const & rev); - // quick hack to make these hooks available via the database context + // FIXME: quick hack to make these hooks available via the database context bool hook_expand_selector(std::string const & sel, std::string & exp); bool hook_expand_date(std::string const & sel, std::string & exp); + bool hook_get_manifest_cert_trust(std::set const & signers, + hexenc const & id, cert_name const & name, cert_value const & val); + bool hook_get_revision_cert_trust(std::set const & signers, + hexenc const & id, cert_name const & name, cert_value const & val); + + key_store & get_key_store(); }; // Parent maps are used in a number of places to keep track of all the ============================================================ --- database_check.cc 011488d738d65307ae76e194cb1da287077cd94f +++ database_check.cc 26c19a2845a93bb9a2985f338f9987afeaee4f88 
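Review bot: `database::get_key_store()` returns the whole mutable `key_store &`, so any code holding only a `database &` can now reach the stored key pairs and the `hook_get_passphrase` forwarder this commit adds to key_store. The one caller visible in this patch, `check_cert` in cert.cc, needs only `hook_persist_phrase_ok()` and signature verification. A narrower surface would keep the database context from becoming a path to private-key material; if the accessor stays as a stop-gap, say so at the definition, e.g. `// FIXME: exposes the full key_store; only check_cert() should need this, for signature verification`. The three new forwarders also dereference `__app` unchecked, which is worth an `I(__app);` if the pointer can ever be unset (its initialisation is not visible here).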
@@ -474,7 +474,7 @@ check_certs(app_state & app, { string signed_text; cert_signable_text(i->inner(), signed_text); - checked.good_sig = check_signature(app, i->inner().key, + checked.good_sig = check_signature(app.keys, i->inner().key, checked_keys[i->inner().key].pub_encoded, signed_text, i->inner().sig); } ============================================================ --- key_store.cc 70b97a9e2a06654ec641a1709c2a875cdfa603d5 +++ key_store.cc 09ec38a786f4b9692b8aba5d602959bdcc5b0741 @@ -268,6 +268,18 @@ key_store::delete_key(rsa_keypair_id con delete_file(file); } +bool +key_store::hook_get_passphrase(rsa_keypair_id const & k, std::string & phrase) +{ + return app.lua.hook_get_passphrase(k, phrase); +} + +bool +key_store::hook_persist_phrase_ok() +{ + return app.lua.hook_persist_phrase_ok(); +} + // Local Variables: // mode: C++ // fill-column: 76 ============================================================ --- key_store.hh f8487eb86cc407c597623267abecfc807eb4dc12 +++ key_store.hh 3add5fc4cc7026191dcabfc3401532881dec29d2 @@ -72,6 +72,10 @@ public: std::map, boost::shared_ptr > > verifiers; + + // FIXME: quick hack to make these hooks available via the key_store context + bool hook_get_passphrase(rsa_keypair_id const & k, std::string & phrase); + bool hook_persist_phrase_ok(); }; // Local Variables: ============================================================ --- keys.cc 248765402f735b03226c4ea08c0571b23ef211fa +++ keys.cc 9fe5a0d2f0194c2e572256827981100740d0162e @@ -75,7 +75,7 @@ void // 'force_from_user' means that we don't use the passphrase cache, and we // don't use the get_passphrase hook. void -get_passphrase(lua_hooks & lua, +get_passphrase(key_store & keys, rsa_keypair_id const & keyid, utf8 & phrase, bool confirm_phrase, 
@@ -87,7 +87,7 @@ get_passphrase(lua_hooks & lua, // they permit it) through the life of a program run. this helps when // you're making a half-dozen certs during a commit or merge or // something. - bool persist_phrase = lua.hook_persist_phrase_ok(); + bool persist_phrase = keys.hook_persist_phrase_ok(); static map phrases; if (!force_from_user && phrases.find(keyid) != phrases.end()) @@ -97,7 +97,7 @@ get_passphrase(lua_hooks & lua, } string lua_phrase; - if (!force_from_user && lua.hook_get_passphrase(keyid, lua_phrase)) + if (!force_from_user && keys.hook_get_passphrase(keyid, lua_phrase)) { // user is being a slob and hooking lua to return his passphrase phrase = utf8(lua_phrase); @@ -158,12 +158,12 @@ void void -generate_key_pair(lua_hooks & lua, // to hook for phrase +generate_key_pair(key_store & keys, // to hook for phrase rsa_keypair_id const & id, // to prompting user for phrase keypair & kp_out) { utf8 phrase; - get_passphrase(lua, id, phrase, true, true); + get_passphrase(keys, id, phrase, true, true); generate_key_pair(kp_out, phrase); } @@ -209,7 +209,7 @@ shared_ptr // ask for passphrase then decrypt a private key. shared_ptr -get_private_key(lua_hooks & lua, +get_private_key(key_store & keys, rsa_keypair_id const & id, base64< rsa_priv_key > const & priv, bool force_from_user) @@ -235,7 +235,7 @@ get_private_key(lua_hooks & lua, { for (int i = 0; i < 3; ++i) { - get_passphrase(lua, id, phrase, false, force); + get_passphrase(keys, id, phrase, false, force); L(FL("have %d-byte encrypted private key") % decoded_key().size()); try @@ -290,7 +290,7 @@ migrate_private_key(app_state & app, { decrypted_key.set(reinterpret_cast(decoded_key().data()), decoded_key().size()); - get_passphrase(app.lua, id, phrase, false, force); + get_passphrase(app.keys, id, phrase, false, force); SecureVector sym_key; sym_key.set(reinterpret_cast(phrase().data()), phrase().size()); do_arc4(sym_key, decrypted_key); 
@@ -338,14 +338,14 @@ void } void -change_key_passphrase(lua_hooks & lua, +change_key_passphrase(key_store & keys, rsa_keypair_id const & id, base64< rsa_priv_key > & encoded_key) { - shared_ptr priv = get_private_key(lua, id, encoded_key, true); + shared_ptr priv = get_private_key(keys, id, encoded_key, true); utf8 new_phrase; - get_passphrase(lua, id, new_phrase, true, true, "enter new passphrase"); + get_passphrase(keys, id, new_phrase, true, true, "enter new passphrase"); Pipe p; p.start_msg(); @@ -445,7 +445,7 @@ make_signature(app_state & app, else { - priv_key = get_private_key(app.lua, id, priv); + priv_key = get_private_key(app.keys, id, priv); if (app.agent.connected() && app.opts.ssh_sign != "only" && app.opts.ssh_sign != "no") { @@ -483,12 +483,12 @@ make_signature(app_state & app, L(FL("make_signature: produced %d-byte signature") % sig_string.size()); encode_base64(rsa_sha1_signature(sig_string), signature); - E(check_signature(app, id, key.pub, tosign, signature), + E(check_signature(app.keys, id, key.pub, tosign, signature), F("make_signature: signature is not valid")); } bool -check_signature(app_state &app, +check_signature(key_store & keys, rsa_keypair_id const & id, base64 const & pub_encoded, string const & alleged_text, @@ -496,13 +496,13 @@ check_signature(app_state &app, { // examine pubkey - bool persist_phrase = (!app.keys.verifiers.empty()) || app.lua.hook_persist_phrase_ok(); + bool persist_phrase = (!keys.verifiers.empty()) || keys.hook_persist_phrase_ok(); shared_ptr verifier; shared_ptr pub_key; if (persist_phrase - && app.keys.verifiers.find(id) != app.keys.verifiers.end()) - verifier = app.keys.verifiers[id].first; + && keys.verifiers.find(id) != keys.verifiers.end()) + verifier = keys.verifiers[id].first; else { 
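Review bot: On a cache hit, `check_signature` takes `keys.verifiers[id].first` and does not consult `pub_encoded` on that path, so the signature is checked against whichever public key was first cached under that key name, not the one the caller supplied. That matters for callers that pass a key obtained separately from the name, such as `check_signature(app.keys, their_id, their_key, nonce1(), sig)` in `session::process_auth_cmd` (netsync.cc) and the `checked_keys[...].pub_encoded` call in database_check.cc. The code that builds the verifier lies outside this hunk, so this is inferred from the visible lookup only. If it holds, the cache entry should also record the encoded key and be bypassed on a mismatch. At minimum the lookup should state the assumption: `// cache is keyed by key name only; assumes one public key per name`.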
@@ -525,7 +525,7 @@ check_signature(app_state &app, * away after we leave this scope. Hence we store a pair of * so they both exist. */ if (persist_phrase) - app.keys.verifiers.insert(make_pair(id, make_pair(verifier, pub_key))); + keys.verifiers.insert(make_pair(id, make_pair(verifier, pub_key))); } // examine signature @@ -543,7 +543,7 @@ check_signature(app_state &app, return valid_sig; } -void encrypt_rsa(lua_hooks & lua, +void encrypt_rsa(key_store & keys, rsa_keypair_id const & id, base64 & pub_encoded, string const & plaintext, @@ -568,13 +568,13 @@ void encrypt_rsa(lua_hooks & lua, ciphertext = rsa_oaep_sha_data(string(reinterpret_cast(ct.begin()), ct.size())); } -void decrypt_rsa(lua_hooks & lua, +void decrypt_rsa(key_store & keys, rsa_keypair_id const & id, base64< rsa_priv_key > const & priv, rsa_oaep_sha_data const & ciphertext, string & plaintext) { - shared_ptr priv_key = get_private_key(lua, id, priv); + shared_ptr priv_key = get_private_key(keys, id, priv); shared_ptr decryptor; decryptor = shared_ptr(get_pk_decryptor(*priv_key, "EME1(SHA-1)")); @@ -662,13 +662,13 @@ require_password(rsa_keypair_id const & F("no key pair '%s' found in key store '%s'") % key % app.keys.get_key_dir()); keypair kp; - load_key_pair(app, key, kp); + load_key_pair(app.keys, key, kp); if (app.lua.hook_persist_phrase_ok()) { string plaintext("hi maude"); base64 sig; make_signature(app, key, kp.priv, plaintext, sig); - N(check_signature(app, key, kp.pub, plaintext, sig), + N(check_signature(app.keys, key, kp.pub, plaintext, sig), F("passphrase for '%s' is incorrect") % key); } } 
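Review bot: `require_password` still calls `app.lua.hook_persist_phrase_ok()` directly, while the other call sites changed in this commit (`load_key_pair`, `check_cert`, `get_passphrase`, `check_signature`) go through the new key_store forwarder. For consistency with `load_key_pair(app.keys, key, kp)` two lines above it, use `if (app.keys.hook_persist_phrase_ok())`, so that the decision to persist a passphrase is made through one path and stays easy to audit. The function begins outside this hunk.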
@@ -721,11 +721,11 @@ UNIT_TEST(key, signature_round_trip) make_signature(app, key, kp.priv, plaintext, sig); BOOST_CHECKPOINT("checking signature"); - BOOST_CHECK(check_signature(app, key, kp.pub, plaintext, sig)); + BOOST_CHECK(check_signature(app.keys, key, kp.pub, plaintext, sig)); string broken_plaintext = plaintext + " ...with a lie"; BOOST_CHECKPOINT("checking non-signature"); - BOOST_CHECK(!check_signature(app, key, kp.pub, broken_plaintext, sig)); + BOOST_CHECK(!check_signature(app.keys, key, kp.pub, broken_plaintext, sig)); app.keys.delete_key(key); } ============================================================ --- keys.hh d0e0528c82f6d621c14e3dfb2e140a34bdf98464 +++ keys.hh 862ef6e6d3f733dac35cc0a041432d9bca518dc2 @@ -18,24 +18,22 @@ using boost::shared_ptr; using Botan::RSA_PrivateKey; using boost::shared_ptr; -class lua_hooks; class app_state; +class key_store; // keys.{hh,cc} does all the "delicate" crypto (meaning: that which needs // to read passphrases and manipulate raw, decrypted private keys). it // could in theory be in transforms.cc too, but that file's already kinda // big and this stuff "feels" different, imho. -class lua_hooks; - -void generate_key_pair(lua_hooks & lua, // to hook for phrase +void generate_key_pair(key_store & keys, // to hook for phrase rsa_keypair_id const & id, // to prompting user for phrase keypair & kp_out); void generate_key_pair(keypair & kp_out, utf8 const phrase); -void change_key_passphrase(lua_hooks & lua, // to hook for phrase +void change_key_passphrase(key_store & keys, // to hook for phrase rsa_keypair_id const & id, // to prompting user for phrase base64< rsa_priv_key > & encoded_key); @@ -50,7 +48,7 @@ void make_signature(app_state & app, std::string const & tosign, base64 & signature); -bool check_signature(app_state & app, +bool check_signature(key_store & keys, rsa_keypair_id const & id, base64 const & pub, std::string const & alleged_text, 
@@ -59,20 +57,20 @@ void require_password(rsa_keypair_id con void require_password(rsa_keypair_id const & id, app_state & app); -void encrypt_rsa(lua_hooks & lua, +void encrypt_rsa(key_store & keys, rsa_keypair_id const & id, base64 & pub, std::string const & plaintext, rsa_oaep_sha_data & ciphertext); -void decrypt_rsa(lua_hooks & lua, +void decrypt_rsa(key_store & keys, rsa_keypair_id const & id, base64< rsa_priv_key > const & priv, rsa_oaep_sha_data const & ciphertext, std::string & plaintext); void -get_passphrase(lua_hooks & lua, +get_passphrase(key_store & keys, rsa_keypair_id const & keyid, utf8 & phrase, bool confirm_phrase = false, @@ -80,7 +78,7 @@ shared_ptr std::string prompt_beginning = "enter passphrase"); shared_ptr -get_private_key(lua_hooks & lua, +get_private_key(key_store & keys, rsa_keypair_id const & id, base64< rsa_priv_key > const & priv, bool force_from_user = false); ============================================================ --- netsync.cc 0f01e801b2652763d4f1b7b99b9fd5f227081b43 +++ netsync.cc 38cc22dc4aa621786db59a627ee3d187d7c4e626 @@ -715,9 +715,9 @@ session::set_session_key(rsa_oaep_sha_da if (app.opts.use_transport_auth) { keypair our_kp; - load_key_pair(app, app.opts.signing_key, our_kp); + load_key_pair(app.keys, app.opts.signing_key, our_kp); string hmac_key; - decrypt_rsa(app.lua, app.opts.signing_key, our_kp.priv, + decrypt_rsa(app.keys, app.opts.signing_key, our_kp.priv, hmac_key_encrypted, hmac_key); set_session_key(hmac_key); } @@ -1097,7 +1097,7 @@ session::queue_anonymous_cmd(protocol_ro netcmd cmd; rsa_oaep_sha_data hmac_key_encrypted; if (app.opts.use_transport_auth) - encrypt_rsa(app.lua, remote_peer_key_name, server_key_encoded, + encrypt_rsa(app.keys, remote_peer_key_name, server_key_encoded, nonce2(), hmac_key_encrypted); cmd.write_anonymous_cmd(role, include_pattern, exclude_pattern, hmac_key_encrypted); 
@@ -1118,7 +1118,7 @@ session::queue_auth_cmd(protocol_role ro netcmd cmd; rsa_oaep_sha_data hmac_key_encrypted; I(app.opts.use_transport_auth); - encrypt_rsa(app.lua, remote_peer_key_name, server_key_encoded, + encrypt_rsa(app.keys, remote_peer_key_name, server_key_encoded, nonce2(), hmac_key_encrypted); cmd.write_auth_cmd(role, include_pattern, exclude_pattern, client, nonce1, hmac_key_encrypted, signature); @@ -1320,7 +1320,7 @@ session::process_hello_cmd(rsa_keypair_i { // get our key pair keypair our_kp; - load_key_pair(app, app.opts.signing_key, our_kp); + load_key_pair(app.keys, app.opts.signing_key, our_kp); // get the hash identifier for our pubkey hexenc our_key_hash; @@ -1584,7 +1584,7 @@ session::process_auth_cmd(protocol_role // Check the signature. base64 sig; encode_base64(rsa_sha1_signature(signature), sig); - if (check_signature(app, their_id, their_key, nonce1(), sig)) + if (check_signature(app.keys, their_id, their_key, nonce1(), sig)) { // Get our private key and sign back. L(FL("client signature OK, accepting authentication")); ============================================================ --- project.cc 8f68f4af163a87d49ff95870e00f579f9e3212c4 +++ project.cc df1cb9edf0298e706d27a3416e872eba07f8994b @@ -66,7 +66,7 @@ namespace cert_name(branch_cert_name), branch_encoded, certs); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); return certs.empty(); } }; @@ -107,7 +107,7 @@ project_t::revision_is_in_branch(revisio int num = certs.size(); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); L(FL("found %d (%d valid) %s branch certs on revision %s") % num @@ -146,7 +146,7 @@ project_t::get_revision_certs_by_name(re std::vector > & certs) { outdated_indicator i = app.db.get_revision_certs(id, name, certs); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); return i; } 
@@ -206,7 +206,7 @@ project_t::get_tags(set & tags) { std::vector > certs; outdated_indicator i = app.db.get_revision_certs(tag_cert_name, certs); - erase_bogus_certs(certs, app); + erase_bogus_certs(certs, app.db); tags.clear(); for (std::vector >::const_iterator i = certs.begin(); i != certs.end(); ++i) ============================================================ --- revision.cc d913e67ae0e33d090d98bab4998c46678f20f753 +++ revision.cc 21c7d94b857666978500059d9cb95d7c349b30ae @@ -1044,7 +1044,7 @@ anc_graph::add_node_for_old_manifest(man // load certs vector< manifest > mcerts; app.db.get_manifest_certs(man, mcerts); - erase_bogus_certs(mcerts, app); + erase_bogus_certs(mcerts, app.db); for(vector< manifest >::const_iterator i = mcerts.begin(); i != mcerts.end(); ++i) { @@ -1086,7 +1086,7 @@ u64 anc_graph::add_node_for_oldstyle_rev // load certs vector< revision > rcerts; app.db.get_revision_certs(rev, rcerts); - erase_bogus_certs(rcerts, app); + erase_bogus_certs(rcerts, app.db); for(vector< revision >::const_iterator i = rcerts.begin(); i != rcerts.end(); ++i) { @@ -1706,7 +1706,7 @@ build_changesets_from_manifest_ancestry( vector< manifest > tmp; app.db.get_manifest_certs(cert_name("ancestor"), tmp); - erase_bogus_certs(tmp, app); + erase_bogus_certs(tmp, app.db); for (vector< manifest >::const_iterator i = tmp.begin(); i != tmp.end(); ++i)