* LTS 11

* Address feedback

* Fix stack.yaml: drop redundant version pinning.

* Fix stack.yaml: drop outdated version pinning.

lts-11.13 has tasty-1.0.1.1, not 1.0.0.1.  weirdly, the older version
led to compilation errors in brig integration tests.  i have no
explanation for why this didn't show up in #478.

* Trigger CI

#481)

* Add Imports and migrate cargohold, gundeck, proxy

* Fix warnings

* Rebuild

- Implement binding users to sso identities.
- Fix: make public URLs of SP non-team-specific (this reverts part of #470).
- Fix: distinguish end-points initiate-login, initiate-bind.
- Fix: dynamic type error (which mysteriously went unnoticed for quite a while).
- Fix: derive SP Issuer from opts at start time, not in the request handler.
- Work on integration tests.
- Move a bunch of types from Spar.API to new Spar.API.Types.
- Move a bunch of types from Spar.Options to new Spar.Types.
- Restrict module exports.

* Simplify, clarify test email address construction.

  Document distinction between trusted and untrusted emails.  Make
  it harder for test authors to confuse the two.

  'registerUser': instead of taking an argument and requesting that
  the argument be "success@simulator.amazonzes.com"...  don't take
  the argument. :-)

* Make validateEmail both shorter and more helpful.

* Fix `make run-docker-build` rule.

  docker exited with non-0 here in situations where you didn't want to
  trigger a local build and then re-run.  now it's more manual, but also
  easier to understand what the rule does.

* alpine-builder stack config (Fixup dfbcd4f)

  Setting the stack-work inside docker is important for those of us
  who run integration tests interactively on this image.  Without it,
  running integration tests destroys the default `.stack-work` that is
  used from outside docker because it is faster.

* Explain alpine-builder Dockerfile better.

* Spar cleanup.

- separate config and idpconfig
- remove application logic from interface for storing requests / assertions.
- connect C* tests to C* directly, without going via internal api end-points.
- completely rewrite DataSpec.hs, factor out AppSpec.hs.
- add helpers to run Spar actions from inside TestSpar.
- replace microlens with lens (on recommendation of the author).
- bump saml2-web-sso dep.

nginz exposes the `/sso/` prefix without authentication, but the
bind end-point needs to be authenticated.  so we give it its own
prefix `/sso-initiate-bind/` prefix.

Upgrade to the lastest `cql-io`. 

There are multiple reasons for upgrading, see [the changelog](https://gitlab.com/twittner/cql-io/blob/develop/CHANGELOG#L1-23). 

One reason is to try out the changes from [this MR](https://gitlab.com/twittner/cql-io/merge_requests/14) relating to the problem described [here](https://gitlab.com/twittner/cql-io/issues/21). To this end, `initialContactsDNS` is no longer used, so that cql-io can re-resolve the DNS upon losing a control connection. (I tried this out locally by adding an entry to `/etc/hosts`, connecting via DNS, then changing the bind IP of the underlying cassandra - this works as advertised.)

One change done was to map the existing usage of `x1` to `defaultRetrySettings` and `x5` to `eagerRetrySettings`. As commented on `x5`, it is only safe to use this on idempotent queries. Upon inspection of our current queries using x5, it appears all of these queries are idempotent.

Side-effects:

* switch from `MonadBaseControl` and `Control.Concurrent.*` to `UnliftIO.*` everywhere (thanks @neongreen).

* Fix: re-authentication for password-less users.

* Fix: names.

* Add a roundtrip unit test.

* Fix: integration test behavior has changed.

* Add galley integration tests for password-less users.

* Add brig integration tests for password-less users.

* Spar: make it an error for the idp request uri to not be https.

* Fix: prometheus end-point must be `/metrics`.

* bump saml2-web-sso dep.

* Cleanup; add failing test case.

* Fix: spar https test.

* Fixup