Add better support for behavioral contracts to capability combinators

Currently, it is difficult to specify a contract that checks a property of a capability before every call to an operation on it. I think this is mostly an issue of exposing more information to "if" predicates. It might also be helpful to allow additional contracts (not just permission sets) in the "with" clause of derived capabilities.
