Agoric / agoric-sdk

monorepo for the Agoric Javascript smart contract platform
Apache License 2.0

Exo kit power to obtain other facet #8664

Open mhofman opened 11 months ago

mhofman commented 11 months ago

What is the Problem Being Solved?

Exo classes have private state, which is instance-private, meaning even the implementation of the exo does not have access to another instance's private state (e.g. one passed as an argument). This has interesting properties, such as guaranteeing that instances are truly isolated from each other.

However, sometimes you do need the ability to perform "internal" operations on another instance. One way to do so is to hold the state necessary in a separate collection keyed on the instance.

While with exo kits you can have an internal/admin facet, the program would still need to associate the internal facet with the public one to allow cross-instance cooperation.

There are 2 problems with this approach:

Description of the Design

Like https://github.com/endojs/endo/pull/1666, an option passed when defining the exo to declaratively receive a power to obtain a specified facet from another one.

Security Considerations

This makes the pattern of rights amplification more auditable.

Scaling Considerations

For virtual/durable exos, this can use the internal cohort logic, avoiding a separate WeakMap.

Test Plan

TBD

Upgrade Considerations

This is a new option for Exo and as such requires a liveslots and vat upgrade, but should be backwards compatible with code that doesn't use the option.
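The workaround described in the issue (a separate collection keyed on the instance that maps a public facet to its internal facet), modelled in plain JavaScript as an added example; this is not agoric-sdk or @endo/exo code, and `makeCounterKit`, `facetOf` and `amplify` are names chosen for the illustration. It shows why the map holder is the rights-amplification point that the proposed declarative option would make auditable.

```javascript
// Constructed illustration, not @endo/exo: a "kit" with a public facet and an
// admin facet whose methods close over instance-private state.
// Module-private collection: public facet -> admin facet. Whoever holds this
// map can amplify any public facet to its admin facet.
const facetOf = new WeakMap();

function makeCounterKit(initial = 0) {
  // Instance-private state: only this kit's own facets can read or write it.
  let count = initial;

  const admin = Object.freeze({
    // "Internal" operations, not reachable through the public facet.
    reset: () => { count = 0; },
    peek: () => count,
  });

  const pub = Object.freeze({
    increment: () => ++count,
    // Cross-instance cooperation: another instance's private state is not
    // readable directly, so the implementation goes through the collection
    // to reach that instance's admin facet.
    isAheadOf: (other) => count > amplify(other).peek(),
  });

  facetOf.set(pub, admin);
  return Object.freeze({ public: pub, admin });
}

// Amplification step: only code holding facetOf can perform it. Rejecting
// unknown objects keeps the map from being probed with arbitrary values.
function amplify(pub) {
  const admin = facetOf.get(pub);
  if (admin === undefined) {
    throw new TypeError('not a counter public facet');
  }
  return admin;
}
```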

erights commented 11 months ago

https://github.com/endojs/endo/pull/1902 would fix the endo portion of this. After an endo release incorporating that PR followed by an agoric-sdk-endo sync, we will be able to start on the agoric-sdk portion of this: implementing this feature for virtual and durable class kits.