fix: add OPTIONS handler for CORS preflight - Gemini consultation fix

THE CORS PREFLIGHT TRAP - solved by Gemini consultation.

ROOT CAUSE:
- Browser sends OPTIONS request BEFORE POST (CORS preflight)
- We only had cors() on router.post(), not router.options()
- Express had no OPTIONS handler, ignored CORS middleware
- Browser got response without Access-Control-Allow-Origin header
- Result: CORS error, POST request never sent

THE FIX (one line):
router.options('/create-checkout-session', cors(corsOptions));

This tells Express: 'When browser asks permission (OPTIONS),
say YES using CORS middleware.'

GEMINI INSIGHTS:
- fetch() with Content-Type triggers 'complex request' preflight
- OPTIONS request must be explicitly handled
- Added Cloudflare Pages preview domain to allowed origins

FILES MODIFIED:
- services/arbiter-3.0/src/routes/stripe.js (+4 lines)

DEPLOYMENT:
Copy to /opt/arbiter-3.0/src/routes/stripe.js and restart service

Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>

services/arbiter-3.0/src/routes/stripe.js

@@ -12,12 +12,18 @@ const db = require('../database');
 
 // CORS configuration for checkout endpoint
 const corsOptions = {
-  origin: ['https://firefrostgaming.com', 'https://www.firefrostgaming.com'],
+  origin: [
+    'https://firefrostgaming.com',
+    'https://www.firefrostgaming.com',
+    'https://firefrost-website.pages.dev' // Cloudflare Pages preview domain
+  ],
   methods: ['POST', 'OPTIONS'],
-  credentials: false,
   optionsSuccessStatus: 200
 };
 
+// 👇 THE MAGIC LINE - Handle CORS preflight OPTIONS request
+router.options('/create-checkout-session', cors(corsOptions));
+
 /**
  * CREATE CHECKOUT SESSION
  * POST /stripe/create-checkout-session