feat(ses): Add XS variant of shim #2471

Open
wants to merge 4 commits into
base: kriskowal-xs-module-source-shim
from


kriskowal
Member

Closes: #2251

Description

To take advantage of native XS compartments while retaining backward compatibility and parity with the SES shim, we introduce an xs-specific Compartment adapter that requires two levels of opt-in.

  1. The SES shim must be bundled with the xs package export/import condition.
  2. The constructor of a Compartment must specify the __native__ option to sacrifice the ability to use precompiled module sources (as generated by @endo/module-source without the xs package export/import condition) and instead use adapted native ModuleSource (as generated by @endo/module-source with the xs package export/import condition). This allows @endo/import-bundle, for example, to use the JSON serialization of a precompiled module source that is captured in a bundle and also opt-in for __native__ treatment if the archive/bundle contains original sources.

This change introduces an XS-specific shim that is an adapter for Compartment and lockdown, and also papers over parity gaps like the XS Object.freeze second boolean argument. The adapter creates parallel native and shim (virtual) compartment trees, where any individual Compartment can elect to use the native or shim variant for a child Compartment.

We have not yet found a workable design that obviates the need for the __native__ opt-in. Such a design would need to create an adapter from precompiled module sources to XS’s virtual module source protocol. To do that would require native modules to emit notifications for the mutation of exported live bindings and also require the native Compartment evaluate method to accept an argument like the shim’s __moduleGlobalLexicals__.

Security Considerations

Uncountably numerous. Among them, with the __native__ option, censorship does not occur, so dynamic import and direct eval are possible.

Scaling Considerations

The native ModuleSource makes it practical to defer module parsing to runtime, and should improve the performance of execution as well.

Documentation Considerations

The NEWS.md qualifies these changes as under "incubation". When the shape of these changes settles, the NEWS will need to reiterate the final user-facing API in README.md and NEWS.md. With the __native__ option, censorship does not occur, so dynamic import and direct eval are possible.

Testing Considerations

This change contains a token of xst testing that is exercised in CI with test:xs. This demonstrates the use of @endo/compartment-mapper/bundle.js to thread the xs package export/import condition and generate a script that xst can run directly. This gives us some modest confidence that lockdown works and demonstrates the __native__ feature but does not provide sufficient confidence of parity for the gamut of Compartment usage, both legacy and XS, for all of the accepted module descriptors and other Compartment features. This is an exercise that will begin with a subsequent change that introduces hardened262, a comprehensive parity checking framework for the full cross-product of [ SES on Node.js, SES on XS, and XS stand-alone ] ⨉ [ Lockdown, not Lockdown ] ⨉ [ Compartment, no Compartment ] ⨉ [ Sloppy, Strict, Module ].

Compatibility Considerations

This change preserves all existing usage and introduces an unstable alternate version of SES for XS that requires two layers of opt-in. The use of the xs condition introduces an adapter for Compartment that may not have full parity with the underlying implementation, and requires additional testing. The __native__ option elects to break some usage (precompiled modules) in favor of others (dynamic import, direct eval, top-level-await).

Upgrade Considerations

Realizing these changes on the Agoric chain will likely require a more recent version of XS and switching the bundle format for the lockdown/bootstrap script for xsnap swingset workers.

@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 8ddbfc3 to 70beef1 Compare September 27, 2024 05:23
@kriskowal kriskowal force-pushed the kriskowal-ses-xs-shim branch 2 times, most recently from 5e2a457 to edb5c78 Compare September 27, 2024 05:34
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 70beef1 to 5342ea3 Compare October 9, 2024 06:04
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 5342ea3 to 607b4ee Compare October 17, 2024 22:54
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 607b4ee to a02438f Compare October 18, 2024 00:05
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from a02438f to 82a89a8 Compare October 18, 2024 00:50
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 82a89a8 to 84a2fb7 Compare October 18, 2024 01:18
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 84a2fb7 to c1cdb57 Compare October 18, 2024 05:40
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from c1cdb57 to 7312722 Compare October 18, 2024 19:32
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 7312722 to f8dd207 Compare October 18, 2024 19:49
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from f8dd207 to 13eb35a Compare October 18, 2024 20:01
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 13eb35a to 9f9b0ae Compare October 18, 2024 20:28
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 9f9b0ae to f6a6bac Compare October 18, 2024 20:33
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from f6a6bac to 69152ea Compare October 18, 2024 20:39
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from e853ee6 to 6375752 Compare October 18, 2024 22:45
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 6375752 to a4b58b6 Compare October 18, 2024 22:53
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from a4b58b6 to 8c51679 Compare October 18, 2024 22:57
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 8c51679 to 3b5df29 Compare October 18, 2024 22:59
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 3b5df29 to 8ca8e06 Compare October 18, 2024 23:23
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 8ca8e06 to 4a3848c Compare October 18, 2024 23:27
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 4a3848c to 6639091 Compare October 18, 2024 23:32
@kriskowal kriskowal force-pushed the kriskowal-ses-xs-shim branch 7 times, most recently from 5a01c91 to 14b0197 Compare October 19, 2024 02:58
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from 6639091 to fd90e45 Compare October 19, 2024 02:59
@kriskowal kriskowal force-pushed the kriskowal-xs-module-source-shim branch from fd90e45 to 555ea34 Compare October 19, 2024 05:35