Release QC — onboarding OAuth single-flight
Security
- Onboarding OAuth start is now single-flight per provider/profile (#3972). Repeated or concurrent unauthenticated `POST /api/onboarding/oauth/start` for the same provider/profile previously accumulated unbounded pending flows and daemon polling workers. The start path is now serialized per `(provider, hermes_home)` across the full check→device-code→insert→spawn sequence (atomic check-and-insert under the flows lock), so duplicates reuse the existing flow. Single-start behavior unchanged. Thanks @Hinotoi-agent.
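
The single-flight pattern described above, as an added sketch that is not the project's code: the class, method and callback names (`OnboardingFlows`, `start`, `finish`, `request_device_code`, `poll_worker`) are hypothetical. It assumes flow keys come from a fixed set of configured providers and profiles.

```python
import threading
from collections import defaultdict


class OnboardingFlows:
    """Hypothetical pending-flow registry; names are illustrative only."""

    def __init__(self, request_device_code, poll_worker):
        self._flows = {}                      # (provider, hermes_home) -> flow
        self._flows_lock = threading.Lock()   # guards _flows and _key_locks
        # Assumption: keys come from a fixed set of configured providers and
        # profiles, so this map of per-key locks stays bounded.
        self._key_locks = defaultdict(threading.Lock)
        self._request_device_code = request_device_code
        self._poll_worker = poll_worker

    def start(self, provider, hermes_home):
        """Return (flow, created). Duplicate starts reuse the pending flow."""
        key = (provider, hermes_home)
        with self._flows_lock:
            key_lock = self._key_locks[key]
        # One caller per key runs check -> device-code -> insert -> spawn.
        with key_lock:
            with self._flows_lock:
                existing = self._flows.get(key)
            if existing is not None:
                return existing, False
            # Slow network call happens outside the flows lock so other
            # keys are not blocked, but still inside the per-key lock.
            flow = {"key": key, "device_code": self._request_device_code(provider)}
            flow["worker"] = threading.Thread(
                target=self._poll_worker, args=(flow,), daemon=True)
            with self._flows_lock:
                current = self._flows.setdefault(key, flow)  # atomic insert
            if current is not flow:
                return current, False
            flow["worker"].start()
            return flow, True

    def finish(self, provider, hermes_home):
        """Drop the pending flow once polling completes or expires."""
        with self._flows_lock:
            return self._flows.pop((provider, hermes_home), None)
```

A regression test for this kind of fix fires many concurrent starts at one key and checks that exactly one device-code request and one polling worker result.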