Add x402 CORS preflight handling

[elianguitarra]

/claim #6

Payout if accepted: Base USDC 0x237664403f52A15142795f807ADB3524E8057909.

Summary

This handles the browser/agent cutover gap discussed on issue #6 and PR #5: x402-related endpoints currently return 405 method not allowed to browser preflight requests, which blocks cross-origin browser agents or marketplace clients before they can read the 402/payment metadata.

Changes:

• adds a shared CORS/preflight helper for public x402/product payment endpoints
• returns 204 for OPTIONS on:
  • /api/payment-request
  • /api/protected-resource
  • /api/x402-verify-receipt
• allows the payment/signature headers needed by browser clients (x-payment, x-awm-signature, x-awm-timestamp, etc.)
• exposes payment response headers (Link, x-ai-work-market-payment-required, x-payment-response, etc.)
• keeps the existing GET/POST payment and verification behavior unchanged
• extends the existing x402 smoke suite with preflight assertions

Verification

Ran with the bundled Node runtime available in this environment:

• node --check api/_cors.js
• node --check api/payment-request.js
• node --check api/protected-resource.js
• node --check api/x402-verify-receipt.js
• node --check scripts/test-x402-receipt-verifier.js
• focused helper check: cors helper checks passed
• git diff --check

I could not run the full existing scripts/test-x402-receipt-verifier.js locally in this fresh clone because node_modules is not installed and this Windows runtime has Node but no npm on PATH; the script imports ethers. I added the preflight coverage to that suite so it can run in the normal project environment/CI after dependencies are installed.

Scope note

This does not loosen fulfillment checks, receipt verification, HMAC, finality, or consumption behavior. It only makes the public payment/verifier endpoints reachable by browser-style clients that perform CORS preflight.