v0.51.468

Release QC — onboarding OAuth single-flight

Security

• Onboarding OAuth start is now single-flight per provider/profile (#3972). Repeated or concurrent unauthenticated POST /api/onboarding/oauth/start for the same provider/profile previously accumulated unbounded pending flows + daemon polling workers. The start path is now serialized per (provider, hermes_home) across the full check→device-code→insert→spawn sequence (atomic check-and-insert under the flows lock), so duplicates reuse the existing flow. Single-start behavior unchanged. Thanks @Hinotoi-agent.