Make seal/unseal commute with respect to wrap/unwrap
It's pretty clear that this is needed.
The method I propose for doing this, is have sealed capabilities keep a secret c-space. When a capability is sealed, the sealed capability object produced will be wrapped by any wrappers the capability that is being sealed was wrapped with, but the actual capability that is stored in the secret c-space of the object will be unwrapped at all times. Then according to #19 (closed) when the capability is unsealed the wraps will be re-applied. Additionally, because the "sealed" capability basically acts as the capability it seals in the CDT (because it remains wrapped), it will get revoked when a membrane is cleared. And when it gets revoked, the internal c-space will get destroyed, and the secret cptr will get killed off.