When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, it was necessary to supply this token in the "assertion" GET
parameter -- in an attempt to make this look a bit like an OAuth token
issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out
not to be necessary, because Angular's CSRF support retrieves the token
from an XSRF-TOKEN cookie set in earlier requests and sets the
X-CSRF-Token request header automatically.

When receiving annotation updates via the WebSocket, merge the updated
annotation with the existing local annotation, preserving the local tag
and anchoring status flags.

This fixes a problem where Annotations would be shown as Orphans after
an update was received via the WebSocket

 * When an annotation update is received, merge the current/new
   versions rather than removing the current version and replacing
   it with the new one.

 * Remove mutation of existing annotation in `loadAnnotations()`,
   since the reducer function is now responsible for merging changes
   and triggering UI updates

Do not hide annotation thread when annotations are waiting to anchor.

When an annotation is created or updated the sidebar briefly transitions into the
`waitingToAnchor` state and hides the entire thread list, losing the user's scroll
position as a result.
Instead of hiding the entire thread, filter out the annotations which are waiting to
anchor.

https://trello.com/c/hQRpsUPj/444-avoid-hiding-thread-list-while-new-annotations-received-over-ws-are-being-anchored

Document the default values of client config keys

Document the `showHighlights` config option

On group change, reset tab selection to annotations if the selected t…

This is not used by the client. The client does use the [Angular
Bootstrap](http://angular-ui.github.io/bootstrap/) 3rd-party module for
dropdown menus but that does not use the Bootstrap build's JS or CSS.

Remove unused CSS

This file is used only by the H service

Remove unused CSS rules. These were found by using used-css-classes [1]
and find-unused-css-classes [2]:

  used-css-classes h/templates/client/*.html > used-classes.txt
  find-unused-css-classes used-classes.txt build/styles/app.css > unused-css-classes

And then manually checking classes in `unused-css-classes` to verify
that the classes were not referenced in first or third-party code, since
the tools only extract used class names from templates.

[1] https://github.com/robertknight/used-css-classes
[2] https://github.com/robertknight/find-unused-css-classes

This caused a parsing exception in BeautifulSoup when gathering the
set of used CSS classes with https://github.com/robertknight/used-css-classes

- #!/bin/sh is in POSIX, no need for env
- `set -eu` to explode if something fails or a var isn't defined
- a simpler way of ensuring we're in the right place to run the releaser
  script.
- "git push --follow-tags" will push pending commits and annotated tags
  attached to them in a single command

Avoid an issue where trying to create a GH release immediately after
pushing the tag often fails.

In browsers that support Shadow DOM (currently only Chrome, plus Firefox
behind a feature flag), use it to isolate the adder from the host page's
CSS.

This fixes various problems where very generic CSS on the page could
affect the adder's styling.

- Only mark annotations as orphans after a timeout in the sidebar,
   not in the stream where anchoring does not happen.
 - Do not filter annotations by type on the stream, where annotation
   tabs are not displayed.

When the orphans feature flag is not set, do not indicate orphans in
annotation cards by striking through their quotes.

The feature flag is hoisted outside of the `isOrphan` call because I
recall that `flagEnabled` was actually quite an expensive call in the
past so we want to avoid invoking it during every digest cycle.

If an annotation is loaded and then quickly removed before the anchoring
timeout expires, the call to `findByID()` will return null, causing an
error when trying to check the `$orphan` flag in `isWaitingToAnchor`.

Fix this by ignoring annotations which no longer exist when the timeout
expires.

If anchoring an annotation fails to complete within 500ms then assume
that an error occurred during anchoring and that the annotation is
therefore an orphan.

If it later turns out that anchoring just took a long time then the
annotation will simply move from the Orphans tab to the Annotations tab
once anchoring completes.

A timeout within the sidebar app is used rather than relying on the page
code to send back a message if an error occurs during anchoring because
the code that runs in the page context could fail in arbitrary ways due
to interactions with JavaScript on the page.

Remove the 'selection_tabs' feature flag

This is now enabled for all users.

Separate anchored and unanchored annotations into tabs.

Avoid problems due to loss of type information when passing config
options from the page to the sidebar app by serializing the app config
object as a JSON string and then de-serializing it in app.js

When there are no orphans, the Orphans tab is not shown, so we need to
switch back to the Annotations tab in that case.

Refactor some repetition in the functions that produced the counts for
the Annotations, Page Notes and Orphans tabs and extract it into a
separate module where it is easier to test.

Moving this into a single function also makes it easier to memoize
later, so we can avoid recalculating it when the list of annotations has
not changed between two app states.