refactor: remove package-level caching to support dynamic installation

Remove package-level caching in cnr_utils and node_package modules to enable
proper dynamic custom node installation and version switching without ComfyUI
server restarts.

Key Changes:
- Remove @lru_cache decorators from version-sensitive functions
- Remove cached_property from NodePackage for dynamic state updates
- Add comprehensive test suite with parallel execution support
- Implement version switching tests (CNR ↔ Nightly)
- Add case sensitivity integration tests
- Improve error handling and logging

API Priority Rules (manager_core.py:1801):
- Enabled-Priority: Show only enabled version when both exist
- CNR-Priority: Show only CNR when both CNR and Nightly are disabled
- Prevents duplicate package entries in /v2/customnode/installed API
- Cross-match using cnr_id and aux_id for CNR ↔ Nightly detection

Test Infrastructure:
- 8 test files with 59 comprehensive test cases
- Parallel test execution across 5 isolated environments
- Automated test scripts with environment setup
- Configurable timeout (60 minutes default)
- Support for both master and dr-support-pip-cm branches

Bug Fixes:
- Fix COMFYUI_CUSTOM_NODES_PATH environment variable export
- Resolve test fixture regression with module-level variables
- Fix import timing issues in test configuration
- Register pytest integration marker to eliminate warnings
- Fix POSIX compliance in shell scripts (((var++)) → $((var + 1)))

Documentation:
- CNR_VERSION_MANAGEMENT_DESIGN.md v1.0 → v1.1 with API priority rules
- Add test guides and execution documentation (TESTING_PROMPT.md)
- Add security-enhanced installation guide
- Create CLI migration guides and references
- Document package version management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/SECURITY_ENHANCED_INSTALLATION.md

@@ -0,0 +1,235 @@
+# Security-Enhanced URL Installation System
+
+## Overview
+
+Security constraints have been added to the `install_by_url` function to control URL-based installations according to the system's security level.
+
+## Security Level and Risk Level Framework
+
+### Security Levels (SecurityLevel)
+- **strong**: Most restrictive, only trusted sources allowed
+- **normal**: Standard security, most known platforms allowed
+- **normal-**: Relaxed security, additional allowances for personal cloud environments
+- **weak**: Most permissive security, for local development environments
+
+### Risk Levels (RiskLevel)
+- **block**: Complete block (always denied)
+- **high+**: Very high risk (only allowed in local mode + weak/normal-)
+- **high**: High risk (only allowed in local mode + weak/normal- or personal cloud + weak)
+- **middle+**: Medium-high risk (weak/normal/normal- allowed in local/personal cloud)
+- **middle**: Medium risk (weak/normal/normal- allowed in all environments)
+
+## URL Risk Assessment Logic
+
+### Low Risk (middle) - Trusted Platforms
+```
+- github.com
+- gitlab.com
+- bitbucket.org
+- raw.githubusercontent.com
+- gitlab.io
+```
+
+### High Risk (high+) - Suspicious/Local Hosting
+```
+- localhost, 127.0.0.1
+- Private IP ranges: 192.168.*, 10.0.*, 172.*
+- Temporary hosting: ngrok.io, herokuapp.com, repl.it, glitch.me
+```
+
+### Medium-High Risk (middle+) - Unknown Domains
+```
+- All domains not belonging to the above categories
+```
+
+### High Risk (high) - SSH Protocol
+```
+- URLs starting with ssh:// or git@
+```
+
+## Implemented Security Features
+
+### 1. Security Validation (`_validate_url_security`)
+```python
+async def install_by_url(self, url: str, ...):
+    # Security validation
+    security_result = self._validate_url_security(url)
+    if not security_result['allowed']:
+        return self._report_failed_install_security(url, security_result['reason'], custom_name)
+```
+
+**Features**:
+- Check current security level
+- Assess URL risk
+- Allow/block decision based on security policy
+
+### 2. Failure Reporting (`_report_failed_install_security`)
+```python
+def _report_failed_install_security(self, url: str, reason: str, custom_name=None):
+    # Security block logging
+    print(f"[SECURITY] Blocked URL installation: {url}")
+
+    # Record failed installation
+    self._record_failed_install_nodepack({
+        'type': 'url-security-block',
+        'url': url,
+        'package_name': pack_name,
+        'reason': reason,
+        'security_level': current_security_level,
+        'timestamp': timestamp
+    })
+```
+
+**Features**:
+- Log blocked installation attempts to console
+- Save failure information in structured format
+- Return failure result as ManagedResult
+
+### 3. Failed Installation Record Management (`_record_failed_install_nodepack`)
+```python
+def get_failed_install_reports(self) -> list:
+    return getattr(self, '_failed_installs', [])
+```
+
+**Features**:
+- Maintain recent 100 failure records
+- Prevent memory overflow
+- Provide API for monitoring and debugging
+
+## Usage Examples
+
+### Behavior by Security Setting
+
+#### Strong Security Level
+```python
+# Most URLs are blocked
+result = await manager.install_by_url("https://github.com/user/repo")
+# Result: Blocked (github is also middle risk, so blocked at strong level)
+
+result = await manager.install_by_url("https://suspicious-domain.com/repo.git")
+# Result: Blocked (middle+ risk)
+```
+
+#### Normal Security Level
+```python
+# Trusted platforms allowed
+result = await manager.install_by_url("https://github.com/user/repo")
+# Result: Allowed
+
+result = await manager.install_by_url("https://localhost/repo.git")
+# Result: Blocked (high+ risk)
+```
+
+#### Weak Security Level (Local Development Environment)
+```python
+# Almost all URLs allowed
+result = await manager.install_by_url("https://github.com/user/repo")
+# Result: Allowed
+
+result = await manager.install_by_url("https://192.168.1.100/repo.git")
+# Result: Allowed (in local mode)
+
+result = await manager.install_by_url("git@private-server.com:user/repo.git")
+# Result: Allowed
+```
+
+### Failure Monitoring
+```python
+manager = UnifiedManager()
+
+# Blocked installation attempt
+await manager.install_by_url("https://malicious-site.com/evil-nodes.git")
+
+# Check failure records
+failed_reports = manager.get_failed_install_reports()
+for report in failed_reports:
+    print(f"Blocked: {report['url']} - {report['reason']}")
+```
+
+## Security Policy Matrix
+
+| Risk Level | Strong | Normal | Normal- | Weak |
+|------------|--------|--------|---------|------|
+| **block**  | ❌ | ❌ | ❌ | ❌ |
+| **high+**  | ❌ | ❌ | 🔒* | 🔒* |
+| **high**   | ❌ | ❌ | 🔒*/☁️** | ✅ |
+| **middle+**| ❌ | ❌ | 🔒*/☁️** | ✅ |
+| **middle** | ❌ | ✅ | ✅ | ✅ |
+
+- 🔒* : Allowed only in local mode
+- ☁️** : Allowed only in personal cloud mode
+- ✅ : Allowed
+- ❌ : Blocked
+
+## Error Message Examples
+
+### Security Block
+```
+Installation blocked by security policy: URL installation blocked by security level: strong (risk: middle)
+Target: awesome-nodes@url-blocked
+```
+
+### Console Log
+```
+[SECURITY] Blocked URL installation: https://suspicious-domain.com/repo.git
+[SECURITY] Reason: URL installation blocked by security level: normal (risk: middle+)
+[SECURITY] Package: repo
+```
+
+## Configuration Recommendations
+
+### Production Environment
+```json
+{
+  "security_level": "strong",
+  "network_mode": "private"
+}
+```
+- Most restrictive settings
+- Only trusted sources allowed
+
+### Development Environment
+```json
+{
+  "security_level": "weak",
+  "network_mode": "local"
+}
+```
+- Permissive settings for development convenience
+- Allow local repositories and development servers
+
+### Personal Cloud Environment
+```json
+{
+  "security_level": "normal-",
+  "network_mode": "personal_cloud"
+}
+```
+- Balanced settings for personal use
+- Allow personal repository access
+
+## Security Enhancement Benefits
+
+### 1. Malware Prevention
+- Automatic blocking from unknown sources
+- Filter suspicious domains and IPs
+
+### 2. Network Security
+- Control private network access
+- Restrict SSH protocol usage
+
+### 3. Audit Trail
+- Record all blocked attempts
+- Log security events
+
+### 4. Flexible Policy
+- Customized security levels per environment
+- Distinguish between production/development environments
+
+## Backward Compatibility
+
+- Existing `install_by_id` function unchanged
+- No security validation applied to CNR-based installations
+- `install_by_id_or_url` applies security only to URLs
+
+This security enhancement significantly improves system security while maintaining the convenience of URL-based installations.