Wallet: require public key for watchonly

[pinheadmz]

Addresses #636 in which a user creates private keys they could never access due to a wallet being watch-only.

This PR goes along with #637 and bcoin-org/bclient#15, maybe we can decide if we need all three safeties in place or which ones we do or don't need.

In this pull request, we prevent a watch-only wallet from ever generating a master (private) key which could lead to a user seeing addresses they can not spend from.

I think watchOnly should always require an accountKey. The reverse isn't necessarily required, for example in bclient, creating a wallet with accountKey automatically sets watchOnly to true. In bcoin wallet._createAccount(), accountKey is just ignored if watchOnly is false, but at least that doesn't lead to unrecoverable keys!

[codecov-io]

Codecov Report

Merging #639 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff            @@
##           master    #639      +/-   ##
=========================================
+ Coverage   53.18%   53.2%   +0.02%     
=========================================
  Files         104     104              
  Lines       27724   27724              
  Branches     4752    4752              
=========================================
+ Hits        14745   14751       +6     
+ Misses      12979   12973       -6

Impacted Files	Coverage Δ
lib/wallet/wallet.js	66.29% <100%> (+0.55%)	⬆️
lib/hd/hd.js	57.89% <0%> (+1.75%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7c64fd8...0dc0ad4. Read the comment docs.

[tuxcanfly]

OK. Needs a deprecation warning and API docs documenting this backward-incompatible change.

[pinheadmz]

Added note in changelog, will update API docs after merge

[nodech]

LGTM +1

[braydonf]

Merged in 375965c