Consolidate and style the admin interface

While the URL object stringifies nicely, meaning this does work,
it is liable to confuse request interceptors that expect a string.

This commit brings together "administrator" views into one place -- the
Hypothesis admin console, found at /admin.

So far, the only to admin views we have are for flagging/unflagging
users as NIPSA, and for administering administrative user status. In the
near future, we may also have a feature flag console in here.

- I've moved all the admin views into `h.admin` so that we don't
  confused business logic view functions with administrative view
  functions, and so that in future it is easier to treat the `/admin`
  tree as a single entity for the purposes of permissions, etc.
- I've added an "admin" page layout, which uses Twitter Bootstrap for
  basic styling.
- I've rejigged both the NIPSA and the administrator users pages to make
  use of bootstrap.

Update Firefox extension for Jetpack Manager tool

Simpler session service

Rather than using a separate named value to keep track of the current
CSRF token, simply treat this as part of the session state.

This commit does three things. In order of importance:

- wraps the ngResource for managing session state in a service, which
  allows us to expose current session state as `session.state` on that
  instance. This means that components of the application that don't
  want to alter or explicitly fetch session state, but wish to display
  some part of it (such as the current authenticated userid, etc.) can
  do so more easily.
- moves configuration of the session resources into the session service
  rather than requiring configuration from outside via a
  sessionProvider.
- translates the session service to JavaScript from CoffeeScript.

Fix infinite digest cycle caused by feature flag client

This was a fun bug. If multiple feature checks are done in rapid
succession when the features cache is empty (such as, for example,
during the first digest cycle at application boot time) then the
features client would keep kicking off HTTP requests until the first one
returned.

This would clearly be a misfeature, but wouldn't actually have caused
any problems but for the fact that the spinner in
`h/directives/simple-search.coffee` does this to determine whether to
spin:

    scope.$watch (-> $http.pendingRequests.length), (pending) ->
      scope.loading = (pending > 0)

This means that kicking off dozens of requests at a time keeps
invalidating the digest cycle (because the value of
`$http.pendingRequests.length` keeps changing), so it never ends. The
result is the ever-horrible `infdig` (infinite digest cycle) error from
Angular: https://docs.angularjs.org/error/$rootScope/infdig.

The angular $httpBackend mocking service supports two primary means of
usage:

   .expect(...).respond(...)

and

   .when(...).respond(...)

The latter pattern allows a single handler to respond to multiple
requests, in any order. The latter is precise -- one .expect() must be
matched by one request, in the correct order.

This commit changes the tests for the "features" service to use this
more precise form of testing.

PDF usages might want to specify relative URLs to get around proxy
restrictions with a custom viewer. Even link tags support relative
URLs for rel=canonical though it's probably a bad idea as a publisher.
In any case, we should clearly just do this.

Make Makefile more dumb

Add support for flagging user accounts as "not in public site areas"

Getting picky with our code styles

Added use strict.
Removed unused `attrs` var;

Docs URL line length is a bit too long...

The single it() in this test module was not being run (it was indented
inside a beforeEach()) and dedenting it reveals that the beforeEach() is
actually crashing anyway (controller somehow not registering with the
$controller service, looks like).

Rewrite the module to work and be clearer.

Stop two sources of dangling transactions

Add angular-csp.css

When on individual annotation pages like /a/<annotation_id> make an API
request to /api/annotations/<annotaion_id> instead of to the search API.
This bypasses the search API's NIPSA-filtering.

If you have a direct link to an annotations individual page, then you
can see the annotation (and all its replies) regardless of whether
anything is NIPSA'd or any user is logged-in.

Decaffeinate config/accounts.coffee & accounts/*.coffee

Add .jscrc for JavaScript Code Style help

JSCS is like JSHint, but specifically for Code Style.

It comes with a Google Code Style (which we use currently)
pre-set. This config file sets that and can be extended
later for any departures we make (if any) from that style
guide.

Replace pyramid_layout with basic template inheritance

Don't via via

Fixes #2371
Adds test.