Ensure that when a user verifies in a different browser than what they reset their password with, they must authenticate to complete the verification

Allow assertions issued by person to be used to authenticate.  This makes it possible for "proxy idps" to work without the implementation details leaking out into others verifier implementations.

add test coverage of origins that start with digits, and relax validation regex a bit - closes #2042

extensive testing of i18n mechanism - including english fallback, string substition from .json files, and debug locale

perform rigorous validation on all API parameters, cleanup redundancy in sanitize.js and validate.js - issue #1526

Signed-off-by: Lloyd Hilaiel <lloyd@hilaiel.com>

rename the 'add email' email we send out to 'confirm', and use it in both the email addition case, and the email reverification case.  This is more about semantics than behavior change

fix issue GH-1958; add '/production/authenticate_with_primary.js' to items to exclude and reformat the single line array

add tests of email_for_token in the context of password reset, remove old transitional code, fix exception in complete_reset api that was preventing authentication of user.

Add the "verified" bit to emails.
Start shells for the reset_password and confirm pages.

implement complete_reset, stage_reset and refactor database code to support this addition, add tests

The `static` process has been added to handle cachable resources and views, so
code relevant to serving those resources has been removed from `browserid`.

The `router` heartbeat now depends on both `browserid` and `static` processes being ok.
`router` now forwards wsapi writes to `dbwriter`, reads to `browserid`, and errors on unkown
or internal wsapi requests. The wsapi setup for `browserid` no longer handles forwards, though
some wsapi operations may trigger a forward to `dbwriter`.

issue #1793

issue #1794

optimize backend unit tests by starting all daemons in parallel, and then starting router.  issue #1803

add unit tests for __heartbeat__, includes exposing PIDs of all running daemons so tests may do stuff with them (like kill SIGSTOP)

fix the fragile static-resource-test - when adding keys to lib/static_resources.js all indexes get shuffled.  broken with addition of relay.js.