fix(robustness): guard malformed RPC error JSON + send single-flight (audit #7-8)

- rpc_client::callRaw: a daemon error object is no longer assumed to carry a string
  "message" — a malformed error now yields a clean "RPC error: <dump>" instead of throwing
  a json type-exception from .get<std::string>().
- sendTransaction (full-node): add a single-flight guard so a rapid double-click can't issue
  two z_sendmany before the first returns its opid. The lite path already guarded this; the
  send form guards it in the UI, but the controller entry point now does too.

(#9 from the audit was mostly false positives on verification — all popen sites already
null-check and the xmrig download FILE* path has no throwing calls. The payment-URI
checksum idea was dropped: the send flow already checksum-validates the recipient before
broadcasting, and tightening the parser would reject the placeholder addresses the existing
test relies on; added a comment noting this is format-only by design.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/rpc/rpc_client.cpp

@@ -470,7 +470,14 @@ std::string RPCClient::callRaw(const std::string& method, const json& params)
     // Parse with ordered_json to preserve the daemon's original key order
     nlohmann::ordered_json oj = nlohmann::ordered_json::parse(response_data);
     if (oj.contains("error") && !oj["error"].is_null()) {
-        std::string err_msg = oj["error"]["message"].get<std::string>();
+        // A daemon error object normally has a string "message", but don't assume it — a malformed
+        // error (missing/non-string message) must yield a clean RPC error, not a json type-exception.
+        const auto& err = oj["error"];
+        std::string err_msg;
+        if (err.is_object() && err.contains("message") && err["message"].is_string())
+            err_msg = err["message"].get<std::string>();
+        else
+            err_msg = err.dump();
         throw std::runtime_error("RPC error: " + err_msg);
     }