Merge 9b30a87de9 into bba55d4d5a

* Improve comfyui version listing

* Fix ComfyUI semver selection and stable update

* Fix nightly current detection on default branch

* Fix: use tag_ref.name explicitly and cache get_remote_name result

- Use tag_ref.name instead of tag_ref object for checkout
- Cache get_remote_name() result to avoid duplicate calls

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Dr.Lt.Data <dr.lt.data@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

README.md

@@ -5,6 +5,7 @@
 ![menu](https://raw.githubusercontent.com/ltdrdata/ComfyUI-extension-tutorials/refs/heads/Main/ComfyUI-Manager/images/dialog.jpg)
 
 ## NOTICE
+* V3.38: **Security patch** - Manager data migrated to protected path. See [Migration Guide](docs/en/v3.38-userdata-security-migration.md).
 * V3.16: Support for `uv` has been added. Set `use_uv` in `config.ini`.
 * V3.10: `double-click feature` is removed
   * This feature has been moved to https://github.com/ltdrdata/comfyui-connection-helper
@@ -140,20 +141,27 @@ This repository provides Colab notebooks that allow you to install and use Comfy
 
 
 ## Paths
-In `ComfyUI-Manager` V3.0 and later, configuration files and dynamically generated files are located under `<USER_DIRECTORY>/default/ComfyUI-Manager/`.
+Starting from V3.38, Manager uses a protected system path for enhanced security.
 
-* <USER_DIRECTORY>  
-  * If executed without any options, the path defaults to ComfyUI/user.  
-  * It can be set using --user-directory <USER_DIRECTORY>.  
+* <USER_DIRECTORY>
+  * If executed without any options, the path defaults to ComfyUI/user.
+  * It can be set using --user-directory <USER_DIRECTORY>.
 
-* Basic config files: `<USER_DIRECTORY>/default/ComfyUI-Manager/config.ini`
-* Configurable channel lists: `<USER_DIRECTORY>/default/ComfyUI-Manager/channels.ini`
-* Configurable pip overrides: `<USER_DIRECTORY>/default/ComfyUI-Manager/pip_overrides.json`
-* Configurable pip blacklist: `<USER_DIRECTORY>/default/ComfyUI-Manager/pip_blacklist.list`
-* Configurable pip auto fix: `<USER_DIRECTORY>/default/ComfyUI-Manager/pip_auto_fix.list`
-* Saved snapshot files: `<USER_DIRECTORY>/default/ComfyUI-Manager/snapshots`
-* Startup script files: `<USER_DIRECTORY>/default/ComfyUI-Manager/startup-scripts`
-* Component files: `<USER_DIRECTORY>/default/ComfyUI-Manager/components`
+| ComfyUI Version | Manager Path |
+|-----------------|--------------|
+| v0.3.76+ (with System User API) | `<USER_DIRECTORY>/__manager/` |
+| Older versions | `<USER_DIRECTORY>/default/ComfyUI-Manager/` |
+
+* Basic config files: `config.ini`
+* Configurable channel lists: `channels.list`
+* Configurable pip overrides: `pip_overrides.json`
+* Configurable pip blacklist: `pip_blacklist.list`
+* Configurable pip auto fix: `pip_auto_fix.list`
+* Saved snapshot files: `snapshots/`
+* Startup script files: `startup-scripts/`
+* Component files: `components/`
+
+> **Note**: See [Migration Guide](docs/en/v3.38-userdata-security-migration.md) for upgrade details.
 
 
 ## `extra_model_paths.yaml` Configuration

docs/en/v3.38-userdata-security-migration.md

@@ -0,0 +1,230 @@
+# ComfyUI-Manager V3.38: Userdata Security Migration Guide
+
+## Introduction
+
+ComfyUI-Manager V3.38 introduces a **security patch** that migrates Manager's configuration and data to a protected system path. This change leverages ComfyUI's new System User Protection API (PR #10966) to provide enhanced security isolation.
+
+This guide explains what happens during the migration and how to handle various situations.
+
+---
+
+## What Changed
+
+### Finding Your Paths
+
+When ComfyUI starts, it displays the full paths in the terminal:
+
+```
+** User directory: /path/to/ComfyUI/user
+** ComfyUI-Manager config path: /path/to/ComfyUI/user/__manager/config.ini
+```
+
+Look for these lines in your startup log to find the exact location on your system. In this guide, paths are shown relative to the `user` directory.
+
+### Path Migration
+
+| Data | Legacy Path | New Path |
+|------|-------------|----------|
+| Configuration | `user/default/ComfyUI-Manager/` | `user/__manager/` |
+| Snapshots | `user/default/ComfyUI-Manager/snapshots/` | `user/__manager/snapshots/` |
+
+### Why This Change
+
+In older ComfyUI versions, the `default/` directory was **unprotected** and accessible via web APIs. If you ran ComfyUI with `--listen 0.0.0.0` or similar options to allow external connections, this data **may have been tampered with** by malicious actors.
+
+**Note:** If you only used ComfyUI locally (without `--listen` or with `--listen 127.0.0.1`), your data was not exposed to this vulnerability.
+
+The new `__manager` path uses ComfyUI's protected system directory, which:
+- **Cannot be accessed** from outside (protected by ComfyUI)
+- Isolates system settings from user data
+- Enables stricter security for remote access
+
+**This is why only `config.ini` is automatically migrated** - other files (snapshots) may have been compromised and should be manually verified before copying.
+
+---
+
+## Automatic Migration
+
+When you start ComfyUI with the new System User Protection API, Manager automatically handles the migration:
+
+### Step 1: Configuration Migration
+
+Only `config.ini` is migrated automatically.
+
+**Important**: Snapshots are **NOT** automatically migrated. You must copy them manually if needed.
+
+### Step 2: Security Level Check
+
+During migration, if your security level is below `normal` (i.e., `weak` or `normal-`), it will be automatically raised to `normal`. This is a safety measure because the security level setting itself may have been tampered with in the old version.
+
+```
+======================================================================
+[ComfyUI-Manager] WARNING: Security level adjusted
+  - Previous: 'weak' → New: 'normal'
+  - Raised to prevent unauthorized remote access.
+======================================================================
+```
+
+If you need a lower security level, you can manually edit the config after migration.
+
+### Step 3: Legacy Backup
+
+Your entire legacy directory is moved to a backup location:
+```
+user/__manager/.legacy-manager-backup/
+```
+
+This backup is preserved until you manually delete it.
+
+---
+
+## Persistent Backup Notification
+
+As long as the backup exists, Manager will remind you on **every startup**:
+
+```
+----------------------------------------------------------------------
+[ComfyUI-Manager] NOTICE: Legacy backup exists
+  - Your old Manager data was backed up to:
+      /path/to/ComfyUI/user/__manager/.legacy-manager-backup
+  - Please verify and remove it when no longer needed.
+----------------------------------------------------------------------
+```
+
+**To stop this notification**: Delete the `.legacy-manager-backup` folder inside `user/__manager/` after confirming you don't need any data from it.
+
+---
+
+## Recovering Old Data
+
+### Snapshots
+
+If you need your old snapshots, copy the contents of `.legacy-manager-backup/snapshots/` to `user/__manager/snapshots/`.
+
+---
+
+## Outdated ComfyUI Warning
+
+If you're running an older version of ComfyUI without the System User Protection API, Manager will:
+
+1. **Force security level to `strong`** - All installations are blocked
+2. **Display warning message**:
+
+```
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+[ComfyUI-Manager] ERROR: ComfyUI version is outdated!
+  - Most operations are blocked for security.
+  - ComfyUI update is still allowed.
+  - Please update ComfyUI to use Manager normally.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+```
+
+**Solution**: Update ComfyUI to v0.3.76 or later.
+
+---
+
+## Security Levels
+
+| Level | What's Allowed |
+|-------|----------------|
+| `strong` | ComfyUI update only. All other installations blocked. |
+| `normal` | Install/update/remove registered custom nodes and models. |
+| `normal-` | Above + Install via Git URL or pip (localhost only). |
+| `weak` | All operations allowed, including from remote connections. |
+
+**Notes:**
+- `strong` is forced on outdated ComfyUI versions.
+- `normal` is the default and recommended for most users.
+- `normal-` is for developers who need to install unregistered nodes locally.
+- `weak` should only be used in isolated development environments.
+
+### Changing Security Level
+
+Edit `user/__manager/config.ini`:
+```ini
+[default]
+security_level = normal
+```
+
+---
+
+## Error Messages
+
+### "comfyui_outdated" (HTTP 403)
+
+This error appears when:
+- Your ComfyUI doesn't have the System User Protection API
+- All installations are blocked until you update ComfyUI
+
+**Solution**: Update ComfyUI to the latest version.
+
+### "security_level" (HTTP 403)
+
+This error appears when:
+- Your security level blocks the requested operation
+- For example, `strong` level blocks all installations
+
+**Solution**: Lower your security level in config.ini if appropriate for your use case.
+
+---
+
+## Security Warning: Suspicious Path
+
+If you see this error on an **older** ComfyUI:
+
+```
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+[ComfyUI-Manager] ERROR: Suspicious path detected!
+  - '__manager' exists with low security level: 'weak'
+  - Please verify manually:
+      /path/to/ComfyUI/user/__manager/config.ini
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+```
+
+On older ComfyUI versions, the `__manager` directory is not normally created. If this directory exists, it may have been created externally. For safety, manually verify the contents of this directory before updating ComfyUI.
+
+---
+
+## Troubleshooting
+
+### All my installations are blocked
+
+**Check 1**: Is your ComfyUI updated?
+- Old ComfyUI forces `security_level = strong`
+- Update ComfyUI to resolve
+
+**Check 2**: What's your security level?
+- Check `user/__manager/config.ini`
+- `security_level = strong` blocks all installations
+
+### My snapshots are missing
+
+Snapshots are not automatically migrated. You need to manually copy the `snapshots` folder from inside `.legacy-manager-backup` to the `user/__manager/` directory.
+
+### I keep seeing the backup notification
+
+Delete the `.legacy-manager-backup` folder inside `user/__manager/` after confirming you don't need any data from it.
+
+### Snapshot restore is blocked
+
+On old ComfyUI (without System User API), snapshot restore is blocked because security is forced to `strong`. Update ComfyUI to enable snapshot restore.
+
+---
+
+## File Structure Reference
+
+```
+user/
+└── __manager/
+    ├── config.ini              # Manager configuration
+    ├── channels.list           # Custom node channels
+    ├── snapshots/              # Environment snapshots
+    └── .legacy-manager-backup/ # Backup of old Manager data (temporary)
+```
+
+---
+
+## Requirements
+
+- **ComfyUI**: v0.3.76 or later (with System User Protection API)
+- **ComfyUI-Manager**: V3.38 or later

git_helper.py

@@ -2,6 +2,7 @@ import subprocess
 import sys
 import os
 import traceback
+import time
 
 import git
 import json
@@ -219,7 +220,14 @@ def gitpull(path):
             repo.close()
             return
 
-        remote.pull()
+        try:
+            repo.git.pull('--ff-only')
+        except git.GitCommandError:
+            backup_name = f'backup_{time.strftime("%Y%m%d_%H%M%S")}'
+            repo.create_head(backup_name)
+            print(f"[ComfyUI-Manager] Cannot fast-forward. Backup created: {backup_name}")
+            repo.git.reset('--hard', f'{remote_name}/{branch_name}')
+            print(f"[ComfyUI-Manager] Reset to {remote_name}/{branch_name}")
 
         repo.git.submodule('update', '--init', '--recursive')
         new_commit_hash = repo.head.commit.hexsha

glob/manager_core.py

@@ -40,10 +40,11 @@ import cnr_utils
 import manager_util
 import git_utils
 import manager_downloader
+import manager_migration
 from node_package import InstalledNodePackage
 
 
-version_code = [3, 37, 2]
+version_code = [3, 38, 3]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
 
 
@@ -214,9 +215,10 @@ def update_user_directory(user_dir):
     global manager_pip_blacklist_path
     global manager_components_path
 
-    manager_files_path = os.path.abspath(os.path.join(user_dir, 'default', 'ComfyUI-Manager'))
+    manager_files_path = manager_migration.get_manager_path(user_dir)
     if not os.path.exists(manager_files_path):
         os.makedirs(manager_files_path)
+    manager_migration.run_migration_checks(user_dir, manager_files_path)
 
     manager_snapshot_path = os.path.join(manager_files_path, "snapshots")
     if not os.path.exists(manager_snapshot_path):
@@ -1719,7 +1721,7 @@ def read_config():
         manager_util.use_uv = default_conf['use_uv'].lower() == 'true' if 'use_uv' in default_conf else False
         manager_util.bypass_ssl = get_bool('bypass_ssl', False)
 
-        return {
+        result = {
                     'http_channel_enabled': get_bool('http_channel_enabled', False),
                     'preview_method': default_conf.get('preview_method', manager_funcs.get_current_preview_method()).lower(),
                     'git_exe': default_conf.get('git_exe', ''),
@@ -1739,6 +1741,8 @@ def read_config():
                     'security_level': default_conf.get('security_level', 'normal').lower(),
                     'db_mode': default_conf.get('db_mode', 'cache').lower(),
                }
+        manager_migration.force_security_level_if_needed(result)
+        return result
 
     except Exception:
         import importlib.util
@@ -1746,7 +1750,7 @@ def read_config():
         manager_util.use_uv = importlib.util.find_spec("uv") is not None and platform.system() != "Windows"
         manager_util.bypass_ssl = False
 
-        return {
+        result = {
             'http_channel_enabled': False,
             'preview_method': manager_funcs.get_current_preview_method(),
             'git_exe': '',
@@ -1766,6 +1770,8 @@ def read_config():
             'security_level': 'normal', # strong | normal | normal- | weak
             'db_mode': 'cache',         # local | cache | remote
         }
+        manager_migration.force_security_level_if_needed(result)
+        return result
 
 
 def get_config():
@@ -2247,9 +2253,17 @@ def git_pull(path):
 
         current_branch = repo.active_branch
         remote_name = current_branch.tracking_branch().remote_name
-        remote = repo.remote(name=remote_name)
 
-        remote.pull()
+        try:
+            repo.git.pull('--ff-only')
+        except git.GitCommandError:
+            branch_name = current_branch.name
+            backup_name = f'backup_{time.strftime("%Y%m%d_%H%M%S")}'
+            repo.create_head(backup_name)
+            logging.info(f"[ComfyUI-Manager] Cannot fast-forward. Backup created: {backup_name}")
+            repo.git.reset('--hard', f'{remote_name}/{branch_name}')
+            logging.info(f"[ComfyUI-Manager] Reset to {remote_name}/{branch_name}")
+
         repo.git.submodule('update', '--init', '--recursive')
 
         repo.close()
@@ -2517,22 +2531,22 @@ def update_to_stable_comfyui(repo_path):
                 logging.error('\t'+branch.name)
             return "fail", None
 
-        versions, current_tag, _ = get_comfyui_versions(repo)
-        
-        if len(versions) == 0 or (len(versions) == 1 and versions[0] == 'nightly'):
+        versions, current_tag, latest_tag = get_comfyui_versions(repo)
+
+        if latest_tag is None:
             logging.info("[ComfyUI-Manager] Unable to update to the stable ComfyUI version.")
             return "fail", None
-            
-        if versions[0] == 'nightly':
-            latest_tag = versions[1]
-        else:
-            latest_tag = versions[0]
 
-        if current_tag == latest_tag:
+        tag_ref = next((t for t in repo.tags if t.name == latest_tag), None)
+        if tag_ref is None:
+            logging.info(f"[ComfyUI-Manager] Unable to locate tag '{latest_tag}' in repository.")
+            return "fail", None
+
+        if repo.head.commit == tag_ref.commit:
             return "skip", None
         else:
             logging.info(f"[ComfyUI-Manager] Updating ComfyUI: {current_tag} -> {latest_tag}")
-            repo.git.checkout(latest_tag)
+            repo.git.checkout(tag_ref.name)
             execute_install_script("ComfyUI", repo_path, instant_execution=False, no_deps=False)
             return 'updated', latest_tag
     except:
@@ -3356,36 +3370,80 @@ async def restore_snapshot(snapshot_path, git_helper_extras=None):
 
 
 def get_comfyui_versions(repo=None):
-    if repo is None:
-        repo = git.Repo(comfy_path)
+    repo = repo or git.Repo(comfy_path)
 
+    remote_name = None
     try:
-        remote = get_remote_name(repo)   
-        repo.remotes[remote].fetch()    
+        remote_name = get_remote_name(repo)
+        repo.remotes[remote_name].fetch()
     except:
         logging.error("[ComfyUI-Manager] Failed to fetch ComfyUI")
 
-    versions = [x.name for x in repo.tags if x.name.startswith('v')]
+    def parse_semver(tag_name):
+        match = re.match(r'^v(\d+)\.(\d+)\.(\d+)$', tag_name)
+        return tuple(int(x) for x in match.groups()) if match else None
 
-    # nearest tag
-    versions = sorted(versions, key=lambda v: repo.git.log('-1', '--format=%ct', v), reverse=True)
-    versions = versions[:4]
+    def normalize_describe(tag_name):
+        if not tag_name:
+            return None
+        base = tag_name.split('-', 1)[0]
+        return base if parse_semver(base) else None
 
-    current_tag = repo.git.describe('--tags')
+    # Collect semver tags and sort descending (highest first)
+    semver_tags = []
+    for tag in repo.tags:
+        semver = parse_semver(tag.name)
+        if semver:
+            semver_tags.append((semver, tag.name))
+    semver_tags.sort(key=lambda x: x[0], reverse=True)
+    semver_tags = [name for _, name in semver_tags]
 
-    if current_tag not in versions:
-        versions = sorted(versions + [current_tag], key=lambda v: repo.git.log('-1', '--format=%ct', v), reverse=True)
-        versions = versions[:4]
+    latest_tag = semver_tags[0] if semver_tags else None
 
-    main_branch = repo.heads.master
-    latest_commit = main_branch.commit
-    latest_tag = repo.git.describe('--tags', latest_commit.hexsha)
+    try:
+        described = repo.git.describe('--tags')
+    except Exception:
+        described = ''
 
-    if latest_tag != versions[0]:
-        versions.insert(0, 'nightly')
-    else:
-        versions[0] = 'nightly'
+    try:
+        exact_tag = repo.git.describe('--tags', '--exact-match')
+    except Exception:
+        exact_tag = ''
+
+    head_is_default = False
+    if remote_name:
+        try:
+            default_head_ref = repo.refs[f'{remote_name}/HEAD']
+            default_commit = default_head_ref.reference.commit
+            head_is_default = repo.head.commit == default_commit
+        except Exception:
+            head_is_default = False
+
+    nearest_semver = normalize_describe(described)
+    exact_semver = exact_tag if parse_semver(exact_tag) else None
+
+    if head_is_default and not exact_tag:
         current_tag = 'nightly'
+    else:
+        current_tag = exact_tag or described or 'nightly'
+
+    # Prepare semver list for display: top 4 plus the current/nearest semver if missing
+    display_semver_tags = semver_tags[:4]
+    if exact_semver and exact_semver not in display_semver_tags:
+        display_semver_tags.append(exact_semver)
+    elif nearest_semver and nearest_semver not in display_semver_tags:
+        display_semver_tags.append(nearest_semver)
+
+    versions = ['nightly']
+
+    if current_tag and not exact_semver and current_tag not in versions and current_tag not in display_semver_tags:
+        versions.append(current_tag)
+
+    for tag in display_semver_tags:
+        if tag not in versions:
+            versions.append(tag)
+
+    versions = versions[:6]
 
     return versions, current_tag, latest_tag
 

glob/manager_migration.py

@@ -0,0 +1,356 @@
+"""
+ComfyUI-Manager migration module.
+Handles migration from legacy paths to new __manager path structure.
+"""
+
+import os
+import sys
+import subprocess
+import configparser
+
+# Startup notices for notice board
+startup_notices = []  # List of (message, level) tuples
+
+
+def add_startup_notice(message, level='warning'):
+    """Add a notice to be displayed on Manager notice board.
+
+    Args:
+        message: HTML-formatted message string
+        level: 'warning', 'error', 'info'
+    """
+    global startup_notices
+    startup_notices.append((message, level))
+
+
+# Cache for API check (computed once per session)
+_cached_has_system_user_api = None
+
+
+def has_system_user_api():
+    """Check if ComfyUI has the System User Protection API (PR #10966).
+
+    Result is cached for performance.
+    """
+    global _cached_has_system_user_api
+    if _cached_has_system_user_api is None:
+        try:
+            import folder_paths
+            _cached_has_system_user_api = hasattr(folder_paths, 'get_system_user_directory')
+        except Exception:
+            _cached_has_system_user_api = False
+    return _cached_has_system_user_api
+
+
+def get_manager_path(user_dir):
+    """Get the appropriate manager files path based on ComfyUI version.
+
+    Returns:
+        str: manager_files_path
+    """
+    if has_system_user_api():
+        return os.path.abspath(os.path.join(user_dir, '__manager'))
+    else:
+        return os.path.abspath(os.path.join(user_dir, 'default', 'ComfyUI-Manager'))
+
+
+def run_migration_checks(user_dir, manager_files_path):
+    """Run all migration and security checks.
+
+    Call this after get_manager_path() to handle:
+    - Legacy config migration (new ComfyUI)
+    - Legacy backup notification (every startup)
+    - Suspicious directory detection (old ComfyUI)
+    - Outdated ComfyUI warning (old ComfyUI)
+    """
+    if has_system_user_api():
+        migrated = migrate_legacy_config(user_dir, manager_files_path)
+        # Only check for legacy backup if migration didn't just happen
+        # (migration already shows backup location in its message)
+        if not migrated:
+            check_legacy_backup(manager_files_path)
+    else:
+        check_suspicious_manager(user_dir)
+        warn_outdated_comfyui()
+
+
+def check_legacy_backup(manager_files_path):
+    """Check for legacy backup and notify user to verify and remove it.
+
+    This runs on every startup to remind users about pending legacy backup.
+    """
+    backup_dir = os.path.join(manager_files_path, '.legacy-manager-backup')
+    if not os.path.exists(backup_dir):
+        return
+
+    # Terminal output
+    print("\n" + "-"*70)
+    print("[ComfyUI-Manager] NOTICE: Legacy backup exists")
+    print("  - Your old Manager data was backed up to:")
+    print(f"      {backup_dir}")
+    print("  - Please verify and remove it when no longer needed.")
+    print("-"*70 + "\n")
+
+    # Notice board output
+    add_startup_notice(
+        "Legacy ComfyUI-Manager data backup exists. Please verify and remove when no longer needed. See terminal for details.",
+        level='info'
+    )
+
+
+def check_suspicious_manager(user_dir):
+    """Check for suspicious __manager directory on old ComfyUI.
+
+    On old ComfyUI without System User API, if __manager exists with low security,
+    warn the user to verify manually.
+
+    Returns:
+        bool: True if suspicious setup detected
+    """
+    if has_system_user_api():
+        return False  # Not suspicious on new ComfyUI
+
+    suspicious_path = os.path.abspath(os.path.join(user_dir, '__manager'))
+    if not os.path.exists(suspicious_path):
+        return False
+
+    config_path = os.path.join(suspicious_path, 'config.ini')
+    if not os.path.exists(config_path):
+        return False
+
+    config = configparser.ConfigParser()
+    config.read(config_path)
+    sec_level = config.get('default', 'security_level', fallback='normal').lower()
+
+    if sec_level in ['weak', 'normal-']:
+        # Terminal output
+        print("\n" + "!"*70)
+        print("[ComfyUI-Manager] ERROR: Suspicious path detected!")
+        print(f"  - '__manager' exists with low security level: '{sec_level}'")
+        print("  - Please verify manually:")
+        print(f"      {config_path}")
+        print("!"*70 + "\n")
+
+        # Notice board output
+        add_startup_notice(
+            "[Security Alert] Suspicious path detected. See terminal log for details.",
+            level='error'
+        )
+        return True
+
+    return False
+
+
+def warn_outdated_comfyui():
+    """Warn user about outdated ComfyUI without System User API."""
+    if has_system_user_api():
+        return
+
+    # Terminal output
+    print("\n" + "!"*70)
+    print("[ComfyUI-Manager] ERROR: ComfyUI version is outdated!")
+    print("  - Most operations are blocked for security.")
+    print("  - ComfyUI update is still allowed.")
+    print("  - Please update ComfyUI to use Manager normally.")
+    print("!"*70 + "\n")
+
+    # Notice board output
+    add_startup_notice(
+        "[Security Alert] ComfyUI outdated. Installations blocked (update allowed).<BR>"
+        "Update ComfyUI for normal operation.",
+        level='error'
+    )
+
+
+def migrate_legacy_config(user_dir, manager_files_path):
+    """Migrate ONLY config.ini to new __manager path if needed.
+
+    IMPORTANT: Only config.ini is migrated. Other files (snapshots, cache, etc.)
+    are NOT migrated - users must recreate them.
+
+    Scenarios:
+    1. Legacy exists, New doesn't exist → Migrate config.ini
+    2. Legacy exists, New exists → First update after upgrade
+       - Run ComfyUI dependency installation
+       - Rename legacy to .backup
+    3. Legacy doesn't exist → No migration needed
+
+    Returns:
+        bool: True if migration was performed
+    """
+    if not has_system_user_api():
+        return False
+
+    legacy_dir = os.path.join(user_dir, 'default', 'ComfyUI-Manager')
+    legacy_config = os.path.join(legacy_dir, 'config.ini')
+    new_config = os.path.join(manager_files_path, 'config.ini')
+
+    if not os.path.exists(legacy_dir):
+        return False  # No legacy directory, nothing to migrate
+
+    # IMPORTANT: Check for config.ini existence, not just directory
+    # (because makedirs() creates __manager before this function is called)
+
+    # Case: Both configs exist (first update after ComfyUI upgrade)
+    # This means user ran new ComfyUI at least once, creating __manager/config.ini
+    if os.path.exists(legacy_config) and os.path.exists(new_config):
+        _handle_first_update_migration(user_dir, legacy_dir, manager_files_path)
+        return True
+
+    # Case: Legacy config exists but new config doesn't (normal migration)
+    # This is the first run after ComfyUI upgrade
+    if os.path.exists(legacy_config) and not os.path.exists(new_config):
+        pass  # Continue with normal migration below
+    else:
+        return False
+
+    # Terminal output
+    print("\n" + "-"*70)
+    print("[ComfyUI-Manager] NOTICE: Legacy config.ini detected")
+    print(f"  - Old: {legacy_config}")
+    print(f"  - New: {new_config}")
+    print("  - Migrating config.ini only (other files are NOT migrated).")
+    print("  - Security level below 'normal' will be raised.")
+    print("-"*70 + "\n")
+
+    _migrate_config_with_security_check(legacy_config, new_config)
+
+    # Move legacy directory to backup
+    _move_legacy_to_backup(legacy_dir, manager_files_path)
+
+    return True
+
+
+def _handle_first_update_migration(user_dir, legacy_dir, manager_files_path):
+    """Handle first ComfyUI update when both legacy and new directories exist.
+
+    This scenario happens when:
+    - User was on old ComfyUI (using default/ComfyUI-Manager)
+    - ComfyUI was updated (now has System User API)
+    - Manager already created __manager on first new run
+    - But legacy directory still exists
+
+    Actions:
+    1. Run ComfyUI dependency installation
+    2. Move legacy to __manager/.legacy-manager-backup
+    """
+    # Terminal output
+    print("\n" + "-"*70)
+    print("[ComfyUI-Manager] NOTICE: First update after ComfyUI upgrade detected")
+    print("  - Both legacy and new directories exist.")
+    print("  - Running ComfyUI dependency installation...")
+    print("-"*70 + "\n")
+
+    # Run ComfyUI dependency installation
+    # Path: glob/manager_migration.py → glob → comfyui-manager → custom_nodes → ComfyUI
+    try:
+        comfyui_path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.dirname(__file__))))
+        requirements_path = os.path.join(comfyui_path, 'requirements.txt')
+        if os.path.exists(requirements_path):
+            subprocess.run([sys.executable, '-m', 'pip', 'install', '-r', requirements_path],
+                         capture_output=True, check=False)
+            print("[ComfyUI-Manager] ComfyUI dependencies installation completed.")
+    except Exception as e:
+        print(f"[ComfyUI-Manager] WARNING: Failed to install ComfyUI dependencies: {e}")
+
+    # Move legacy to backup inside __manager
+    _move_legacy_to_backup(legacy_dir, manager_files_path)
+
+
+def _move_legacy_to_backup(legacy_dir, manager_files_path):
+    """Move legacy directory to backup inside __manager.
+
+    Returns:
+        str: Path to backup directory if successful, None if failed
+    """
+    import shutil
+
+    backup_dir = os.path.join(manager_files_path, '.legacy-manager-backup')
+
+    try:
+        if os.path.exists(backup_dir):
+            shutil.rmtree(backup_dir)  # Remove old backup if exists
+        shutil.move(legacy_dir, backup_dir)
+
+        # Terminal output (full paths shown here only)
+        print("\n" + "-"*70)
+        print("[ComfyUI-Manager] NOTICE: Legacy settings migrated")
+        print(f"  - Old location: {legacy_dir}")
+        print(f"  - Backed up to: {backup_dir}")
+        print("  - Please verify and remove the backup when no longer needed.")
+        print("-"*70 + "\n")
+
+        # Notice board output (no full paths for security)
+        add_startup_notice(
+            "Legacy ComfyUI-Manager data migrated. See terminal for details.",
+            level='info'
+        )
+        return backup_dir
+    except Exception as e:
+        print(f"[ComfyUI-Manager] WARNING: Failed to backup legacy directory: {e}")
+        add_startup_notice(
+            f"[MIGRATION] Failed to backup legacy directory: {e}",
+            level='warning'
+        )
+        return None
+
+
+def _migrate_config_with_security_check(legacy_path, new_path):
+    """Migrate legacy config, raising security level only if below default."""
+    config = configparser.ConfigParser()
+    try:
+        config.read(legacy_path)
+    except Exception as e:
+        print(f"[ComfyUI-Manager] WARNING: Failed to parse config.ini: {e}")
+        print("  - Creating fresh config with default settings.")
+        add_startup_notice(
+            "[MIGRATION] Failed to parse legacy config. Using defaults.",
+            level='warning'
+        )
+        return  # Skip migration, let Manager create fresh config
+
+    # Security level hierarchy: strong > normal > normal- > weak
+    # Default is 'normal', only raise if below default
+    if 'default' in config:
+        current_level = config['default'].get('security_level', 'normal').lower()
+        below_default_levels = ['weak', 'normal-']
+
+        if current_level in below_default_levels:
+            config['default']['security_level'] = 'normal'
+
+            # Terminal output
+            print("\n" + "="*70)
+            print("[ComfyUI-Manager] WARNING: Security level adjusted")
+            print(f"  - Previous: '{current_level}' → New: 'normal'")
+            print("  - Raised to prevent unauthorized remote access.")
+            print("="*70 + "\n")
+
+            # Notice board output
+            add_startup_notice(
+                f"[MIGRATION] Security level raised: '{current_level}' → 'normal'.<BR>"
+                "To prevent unauthorized remote access.",
+                level='warning'
+            )
+        else:
+            print(f"  - Security level: '{current_level}' (no change needed)")
+
+    # Ensure directory exists
+    os.makedirs(os.path.dirname(new_path), exist_ok=True)
+
+    with open(new_path, 'w') as f:
+        config.write(f)
+
+
+def force_security_level_if_needed(config_dict):
+    """Force security level to 'strong' if on old ComfyUI.
+
+    Args:
+        config_dict: Configuration dictionary to modify in-place
+
+    Returns:
+        bool: True if security level was forced
+    """
+    if not has_system_user_api():
+        config_dict['security_level'] = 'strong'
+        return True
+    return False

glob/manager_server.py

@@ -22,6 +22,7 @@ import asyncio
 import queue
 
 import manager_downloader
+import manager_migration
 
 
 logging.info(f"### Loading: ComfyUI-Manager ({core.version_str})")
@@ -276,6 +277,13 @@ import zipfile
 import urllib.request
 
 
+def security_403_response():
+    """Return appropriate 403 response based on ComfyUI version."""
+    if not manager_migration.has_system_user_api():
+        return web.json_response({"error": "comfyui_outdated"}, status=403)
+    return web.json_response({"error": "security_level"}, status=403)
+
+
 def get_model_dir(data, show_log=False):
     if 'download_model_base' in folder_paths.folder_names_and_paths:
         models_base = folder_paths.folder_names_and_paths['download_model_base'][0][0]
@@ -732,7 +740,7 @@ async def fetch_updates(request):
 async def update_all(request):
     if not is_allowed_security_level('middle'):
         logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW)
-        return web.Response(status=403)
+        return security_403_response()
 
     with task_worker_lock:
         is_processing = task_worker_thread is not None and task_worker_thread.is_alive()
@@ -965,7 +973,7 @@ async def get_snapshot_list(request):
 async def remove_snapshot(request):
     if not is_allowed_security_level('middle'):
         logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW)
-        return web.Response(status=403)
+        return security_403_response()
 
     try:
         target = request.rel_url.query["target"]
@@ -983,7 +991,7 @@ async def remove_snapshot(request):
 async def restore_snapshot(request):
     if not is_allowed_security_level('middle'):
         logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW)
-        return web.Response(status=403)
+        return security_403_response()
 
     try:
         target = request.rel_url.query["target"]
@@ -1302,7 +1310,7 @@ async def fix_custom_node(request):
 async def install_custom_node_git_url(request):
     if not is_allowed_security_level('high'):
         logging.error(SECURITY_MESSAGE_NORMAL_MINUS)
-        return web.Response(status=403)
+        return security_403_response()
 
     url = await request.text()
     res = await core.gitclone_install(url)
@@ -1322,7 +1330,7 @@ async def install_custom_node_git_url(request):
 async def install_custom_node_pip(request):
     if not is_allowed_security_level('high'):
         logging.error(SECURITY_MESSAGE_NORMAL_MINUS)
-        return web.Response(status=403)
+        return security_403_response()
 
     packages = await request.text()
     core.pip_install(packages.split(' '))
@@ -1594,6 +1602,16 @@ async def get_notice(request):
                     except:
                         pass
 
+                    # Prepend startup notices from manager_migration
+                    for message, level in reversed(manager_migration.startup_notices):
+                        if level == 'error':
+                            style = 'color:red; background-color:white; font-weight:bold'
+                        elif level == 'warning':
+                            style = 'color:orange; background-color:white; font-weight:bold'
+                        else:
+                            style = 'color:blue; background-color:white'
+                        markdown_content = f'<P style="{style}">{message}</P>' + markdown_content
+
                     return web.Response(text=markdown_content, status=200)
                 else:
                     return web.Response(text="Unable to retrieve Notice", status=200)
@@ -1601,11 +1619,35 @@ async def get_notice(request):
                 return web.Response(text="Unable to retrieve Notice", status=200)
 
 
+@routes.get("/manager/startup_alerts")
+async def get_startup_alerts(request):
+    """Return startup alerts for customAlert display on page load.
+
+    Returns JSON array of alerts that should be shown to user immediately.
+    All startup notices (error, warning, info) are returned.
+    """
+    alerts = []
+
+    # Return all startup notices for alert display
+    for message, level in manager_migration.startup_notices:
+        # Convert HTML BR to newlines for customAlert
+        text = message.replace('<BR>', '\n').replace('<br>', '\n')
+        # Add [ComfyUI-Manager] prefix for customAlert (notice board shows in Manager UI anyway)
+        text = text.replace('[Security Alert]', '[ComfyUI-Manager] Security Alert:')
+        text = text.replace('[MIGRATION]', '[ComfyUI-Manager] Migration:')
+        alerts.append({
+            'message': text,
+            'level': level
+        })
+
+    return web.json_response(alerts)
+
+
 @routes.get("/manager/reboot")
 def restart(self):
     if not is_allowed_security_level('middle'):
         logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW)
-        return web.Response(status=403)
+        return security_403_response()
 
     try:
         sys.stdout.close_log()

glob/manager_util.py

@@ -55,7 +55,7 @@ def get_pip_cmd(force_uv=False):
             subprocess.check_output(test_cmd, stderr=subprocess.DEVNULL, timeout=5)
             return [sys.executable] + (['-s'] if embedded else []) + ['-m', 'pip']
         except Exception:
-            logging.warning("[ComfyUI-Manager] python -m pip not available. Falling back to uv.")
+            logging.warning("[ComfyUI-Manager] `python -m pip` not available. Falling back to `uv`.")
 
     # Try uv (either forced or pip failed)
     import shutil
@@ -64,19 +64,19 @@ def get_pip_cmd(force_uv=False):
     try:
         test_cmd = [sys.executable] + (['-s'] if embedded else []) + ['-m', 'uv', '--version']
         subprocess.check_output(test_cmd, stderr=subprocess.DEVNULL, timeout=5)
-        logging.info("[ComfyUI-Manager] Using uv as Python module for pip operations.")
+        logging.info("[ComfyUI-Manager] Using `uv` as Python module for pip operations.")
         return [sys.executable] + (['-s'] if embedded else []) + ['-m', 'uv', 'pip']
     except Exception:
         pass
 
     # Try standalone uv
     if shutil.which('uv'):
-        logging.info("[ComfyUI-Manager] Using standalone uv for pip operations.")
+        logging.info("[ComfyUI-Manager] Using standalone `uv` for pip operations.")
         return ['uv', 'pip']
 
     # Nothing worked
-    logging.error("[ComfyUI-Manager] Neither python -m pip nor uv are available. Cannot proceed with package operations.")
-    raise Exception("Neither pip nor uv are available for package management")
+    logging.error("[ComfyUI-Manager] Neither `python -m pip` nor `uv` are available. Cannot proceed with package operations.")
+    raise Exception("Neither `pip` nor `uv` are available for package management")
 
 
 def make_pip_cmd(cmd):

js/cm-api.js

@@ -1,6 +1,6 @@
 import { api } from "../../scripts/api.js";
 import { app } from "../../scripts/app.js";
-import { sleep, customConfirm, customAlert } from "./common.js";
+import { sleep, customConfirm, customAlert, handle403Response, show_message } from "./common.js";
 
 async function tryInstallCustomNode(event) {
 	let msg = '-= [ComfyUI Manager] extension installation request =-\n\n';
@@ -42,7 +42,7 @@ async function tryInstallCustomNode(event) {
 									});
 
 			if(response.status == 403) {
-				show_message('This action is not allowed with this security level configuration.');
+				await handle403Response(response);
 				return false;
 			}
 			else if(response.status == 400) {
@@ -54,7 +54,7 @@ async function tryInstallCustomNode(event) {
 
 		let response = await api.fetchApi("/manager/reboot");
 		if(response.status == 403) {
-			show_message('This action is not allowed with this security level configuration.');
+			await handle403Response(response);
 			return false;
 		}
 

js/comfyui-manager.js

@@ -14,7 +14,7 @@ import { OpenArtShareDialog } from "./comfyui-share-openart.js";
 import {
 	free_models, install_pip, install_via_git_url, manager_instance,
 	rebootAPI, setManagerInstance, show_message, customAlert, customPrompt,
-	infoToast, showTerminal, setNeedRestart
+	infoToast, showTerminal, setNeedRestart, handle403Response
 } from "./common.js";
 import { ComponentBuilderDialog, getPureName, load_components, set_component_policy } from "./components-manager.js";
 import { CustomNodesManager } from "./custom-nodes-manager.js";
@@ -753,9 +753,9 @@ async function onQueueStatus(event) {
 
 		const rebootButton = document.getElementById('cm-reboot-button5');
 		rebootButton?.addEventListener("click",
-			function() {
-				if(rebootAPI()) {
-					manager_dialog.close();
+			async function() {
+				if(await rebootAPI()) {
+					manager_instance.close();
 				}
 			});
 	}
@@ -780,8 +780,13 @@ async function updateAll(update_comfyui) {
 
 	const response = await api.fetchApi(`/manager/queue/update_all?mode=${mode}`);
 
-	if (response.status == 401) {
+	if (response.status == 403) {
+		await handle403Response(response);
+		reset_action_buttons();
+	}
+	else if (response.status == 401) {
 		customAlert('Another task is already in progress. Please stop the ongoing task first.');
+		reset_action_buttons();
 	}
 	else if(response.status == 200) {
 		is_updating = true;
@@ -1453,6 +1458,31 @@ app.registerExtension({
 
 		load_components();
 
+		// Fetch and show startup alerts (critical errors like outdated ComfyUI)
+		// Poll until extensionManager.toast is ready (set in Vue onMounted)
+		const showStartupAlerts = async () => {
+			let toastWaitCount = 0;
+			const waitForToast = () => {
+				if (window['app']?.extensionManager?.toast) {
+					fetch('/manager/startup_alerts')
+						.then(response => response.ok ? response.json() : [])
+						.then(alerts => {
+							for (const alert of alerts) {
+								customAlert(alert.message);
+							}
+						})
+						.catch(e => console.warn('[ComfyUI-Manager] Failed to fetch startup alerts:', e));
+				} else if (toastWaitCount < 300) {  // Max 30 seconds (300 * 100ms)
+					toastWaitCount++;
+					setTimeout(waitForToast, 100);
+				} else {
+					console.warn('[ComfyUI-Manager] Timeout waiting for toast. Startup alerts skipped.');
+				}
+			};
+			waitForToast();
+		};
+		showStartupAlerts();
+
 		const menu = document.querySelector(".comfy-menu");
 		const separator = document.createElement("hr");
 

js/common.js

@@ -100,6 +100,19 @@ export function show_message(msg) {
 	app.ui.dialog.element.style.zIndex = 1100;
 }
 
+export async function handle403Response(res, defaultMessage) {
+	try {
+		const data = await res.json();
+		if(data.error === 'comfyui_outdated') {
+			show_message('ComfyUI version is outdated.<BR>Please update ComfyUI to use Manager normally.');
+		} else {
+			show_message(defaultMessage || 'This action is not allowed with this security level configuration.');
+		}
+	} catch {
+		show_message(defaultMessage || 'This action is not allowed with this security level configuration.');
+	}
+}
+
 export async function sleep(ms) {
 	return new Promise(resolve => setTimeout(resolve, ms));
 }
@@ -163,20 +176,23 @@ export async function customPrompt(title, message) {
 }
 
 
-export function rebootAPI() {
+export async function rebootAPI() {
 	if ('electronAPI' in window) {
 			window.electronAPI.restartApp();
 			return true;
 	}
 
-	customConfirm("Are you sure you'd like to reboot the server?").then((isConfirmed) => {
-		if (isConfirmed) {
-			try {
-				api.fetchApi("/manager/reboot");
+	const isConfirmed = await customConfirm("Are you sure you'd like to reboot the server?");
+	if (isConfirmed) {
+		try {
+			const response = await api.fetchApi("/manager/reboot");
+			if (response.status == 403) {
+				await handle403Response(response);
+				return false;
 			}
-			catch(exception) {}
 		}
-	});
+		catch(exception) {}
+	}
 
 	return false;
 }
@@ -216,7 +232,7 @@ export async function install_pip(packages) {
 	});
 
 	if(res.status == 403) {
-		show_message('This action is not allowed with this security level configuration.');
+		await handle403Response(res);
 		return;
 	}
 
@@ -251,7 +267,7 @@ export async function install_via_git_url(url, manager_dialog) {
 	});
 
 	if(res.status == 403) {
-		show_message('This action is not allowed with this security level configuration.');
+		await handle403Response(res);
 		return;
 	}
 
@@ -262,9 +278,9 @@ export async function install_via_git_url(url, manager_dialog) {
 		const self = this;
 
 		rebootButton.addEventListener("click",
-			function() {
-				if(rebootAPI()) {
-					manager_dialog.close();
+			async function() {
+				if(await rebootAPI()) {
+					manager_instance.close();
 				}
 			});
 	}

js/custom-nodes-manager.js

@@ -7,7 +7,7 @@ import {
 	fetchData, md5, icons, show_message, customConfirm, customAlert, customPrompt,
 	sanitizeHTML, infoToast, showTerminal, setNeedRestart,
 	storeColumnWidth, restoreColumnWidth, getTimeAgo, copyText, loadCss,
-	showPopover, hidePopover
+	showPopover, hidePopover, handle403Response
 } from  "./common.js";
 
 // https://cenfun.github.io/turbogrid/api.html
@@ -1528,7 +1528,16 @@ export class CustomNodesManager {
 				errorMsg = `'${item.title}': `;
 
 				if(res.status == 403) {
-					errorMsg += `This action is not allowed with this security level configuration.\n`;
+					try {
+						const data = await res.json();
+						if(data.error === 'comfyui_outdated') {
+							errorMsg += `ComfyUI version is outdated. Please update ComfyUI to use Manager normally.\n`;
+						} else {
+							errorMsg += `This action is not allowed with this security level configuration.\n`;
+						}
+					} catch {
+						errorMsg += `This action is not allowed with this security level configuration.\n`;
+					}
 				} else if(res.status == 404) {
 					errorMsg += `With the current security level configuration, only custom nodes from the <B>"default channel"</B> can be installed.\n`;
 				} else {

js/model-manager.js

@@ -1,9 +1,9 @@
 import { app } from "../../scripts/app.js";
 import { $el } from "../../scripts/ui.js";
-import { 
-	manager_instance, rebootAPI, 
+import {
+	manager_instance, rebootAPI,
 	fetchData, md5, icons, show_message, customAlert, infoToast, showTerminal,
-	storeColumnWidth, restoreColumnWidth, loadCss
+	storeColumnWidth, restoreColumnWidth, loadCss, handle403Response
 } from  "./common.js";
 import { api } from "../../scripts/api.js";
 
@@ -477,7 +477,16 @@ export class ModelManager {
 				errorMsg = `'${item.name}': `;
 
 				if(res.status == 403) {
-					errorMsg += `This action is not allowed with this security level configuration.\n`;
+					try {
+						const data = await res.json();
+						if(data.error === 'comfyui_outdated') {
+							errorMsg += `ComfyUI version is outdated. Please update ComfyUI to use Manager normally.\n`;
+						} else {
+							errorMsg += `This action is not allowed with this security level configuration.\n`;
+						}
+					} catch {
+						errorMsg += `This action is not allowed with this security level configuration.\n`;
+					}
 				} else {
 					errorMsg += await res.text() + '\n';
 				}

js/snapshot.js

@@ -1,7 +1,7 @@
 import { app } from "../../scripts/app.js";
 import { api } from "../../scripts/api.js"
 import { ComfyDialog, $el } from "../../scripts/ui.js";
-import { manager_instance, rebootAPI, show_message } from  "./common.js";
+import { manager_instance, rebootAPI, show_message, handle403Response } from  "./common.js";
 
 
 async function restore_snapshot(target) {
@@ -10,7 +10,7 @@ async function restore_snapshot(target) {
 			const response = await api.fetchApi(`/snapshot/restore?target=${target}`, { cache: "no-store" });
 
 			if(response.status == 403) {
-				show_message('This action is not allowed with this security level configuration.');
+				await handle403Response(response);
 				return false;
 			}
 
@@ -38,7 +38,7 @@ async function remove_snapshot(target) {
 			const response = await api.fetchApi(`/snapshot/remove?target=${target}`, { cache: "no-store" });
 
 			if(response.status == 403) {
-				show_message('This action is not allowed with this security level configuration.');
+				await handle403Response(response);
 				return false;
 			}
 
@@ -145,8 +145,8 @@ export class SnapshotManager extends ComfyDialog {
 		if(btn_id) {
 			const rebootButton = document.getElementById(btn_id);
 			const self = this;
-			rebootButton.onclick = function() {
-				if(rebootAPI()) {
+			rebootButton.onclick = async function() {
+				if(await rebootAPI()) {
 					self.close();
 					self.manager_dialog.close();
 				}

json-checker.py

@@ -1,25 +1,264 @@
-import json
-import argparse
+#!/usr/bin/env python3
+"""JSON Entry Validator
 
-def check_json_syntax(file_path):
+Validates JSON entries based on content structure.
+
+Validation rules based on JSON content:
+- {"custom_nodes": [...]}: Validates required fields (author, title, reference, files, install_type, description)
+- {"models": [...]}: Validates JSON syntax only (no required fields)
+- Other JSON structures: Validates JSON syntax only
+
+Git repository URL validation (for custom_nodes):
+1. URLs must NOT end with .git
+2. URLs must follow format: https://github.com/{author}/{reponame}
+3. .py and .js files are exempt from this check
+
+Supported formats:
+- Array format: [{...}, {...}]
+- Object format: {"custom_nodes": [...]} or {"models": [...]}
+"""
+
+import json
+import re
+import sys
+from pathlib import Path
+from typing import Dict, List, Tuple
+
+
+# Required fields for each entry type
+REQUIRED_FIELDS_CUSTOM_NODE = ['author', 'title', 'reference', 'files', 'install_type', 'description']
+REQUIRED_FIELDS_MODEL = []  # model-list.json doesn't require field validation
+
+# Pattern for valid GitHub repository URL (without .git suffix)
+GITHUB_REPO_PATTERN = re.compile(r'^https://github\.com/[^/]+/[^/]+$')
+
+
+def get_entry_context(entry: Dict) -> str:
+    """Get identifying information from entry for error messages
+
+    Args:
+        entry: JSON entry
+
+    Returns:
+        String with author and reference info
+    """
+    parts = []
+    if 'author' in entry:
+        parts.append(f"author={entry['author']}")
+    if 'reference' in entry:
+        parts.append(f"ref={entry['reference']}")
+    if 'title' in entry:
+        parts.append(f"title={entry['title']}")
+
+    if parts:
+        return " | ".join(parts)
+    else:
+        # No identifying info - show actual entry content (truncated)
+        import json
+        entry_str = json.dumps(entry, ensure_ascii=False)
+        if len(entry_str) > 100:
+            entry_str = entry_str[:100] + "..."
+        return f"content={entry_str}"
+
+
+def validate_required_fields(entry: Dict, entry_index: int, required_fields: List[str]) -> List[str]:
+    """Validate that all required fields are present
+
+    Args:
+        entry: JSON entry to validate
+        entry_index: Index of entry in array (for error reporting)
+        required_fields: List of required field names
+
+    Returns:
+        List of error descriptions (without entry prefix/context)
+    """
+    errors = []
+
+    for field in required_fields:
+        if field not in entry:
+            errors.append(f"Missing required field '{field}'")
+        elif entry[field] is None:
+            errors.append(f"Field '{field}' is null")
+        elif isinstance(entry[field], str) and not entry[field].strip():
+            errors.append(f"Field '{field}' is empty")
+        elif field == 'files' and not entry[field]:  # Empty array
+            errors.append("Field 'files' is empty array")
+
+    return errors
+
+
+def validate_git_repo_urls(entry: Dict, entry_index: int) -> List[str]:
+    """Validate git repository URLs in 'files' array
+
+    Requirements:
+    - Git repo URLs must NOT end with .git
+    - Must follow format: https://github.com/{author}/{reponame}
+    - .py and .js files are exempt
+
+    Args:
+        entry: JSON entry to validate
+        entry_index: Index of entry in array (for error reporting)
+
+    Returns:
+        List of error descriptions (without entry prefix/context)
+    """
+    errors = []
+
+    if 'files' not in entry or not isinstance(entry['files'], list):
+        return errors
+
+    for file_url in entry['files']:
+        if not isinstance(file_url, str):
+            continue
+
+        # Skip .py and .js files - they're exempt from git repo validation
+        if file_url.endswith('.py') or file_url.endswith('.js'):
+            continue
+
+        # Check if it's a GitHub URL (likely a git repo)
+        if 'github.com' in file_url:
+            # Error if URL ends with .git
+            if file_url.endswith('.git'):
+                errors.append(f"Git repo URL must NOT end with .git: {file_url}")
+                continue
+
+            # Validate format: https://github.com/{author}/{reponame}
+            if not GITHUB_REPO_PATTERN.match(file_url):
+                errors.append(f"Invalid git repo URL format (expected https://github.com/author/reponame): {file_url}")
+
+    return errors
+
+
+def validate_entry(entry: Dict, entry_index: int, required_fields: List[str]) -> List[str]:
+    """Validate a single JSON entry
+
+    Args:
+        entry: JSON entry to validate
+        entry_index: Index of entry in array (for error reporting)
+        required_fields: List of required field names
+
+    Returns:
+        List of error messages (empty if valid)
+    """
+    errors = []
+
+    # Check required fields
+    errors.extend(validate_required_fields(entry, entry_index, required_fields))
+
+    # Check git repository URLs
+    errors.extend(validate_git_repo_urls(entry, entry_index))
+
+    return errors
+
+
+def validate_json_file(file_path: str) -> Tuple[bool, List[str]]:
+    """Validate JSON file containing entries
+
+    Args:
+        file_path: Path to JSON file
+
+    Returns:
+        Tuple of (is_valid, error_messages)
+    """
+    errors = []
+
+    # Check file exists
+    path = Path(file_path)
+    if not path.exists():
+        return False, [f"File not found: {file_path}"]
+
+    # Load JSON
     try:
-        with open(file_path, 'r', encoding='utf-8') as file:
-            json_str = file.read()
-            json.loads(json_str)
-            print(f"[ OK ] {file_path}")
-    except UnicodeDecodeError as e:
-        print(f"Unicode decode error: {e}")
+        with open(path, 'r', encoding='utf-8') as f:
+            data = json.load(f)
     except json.JSONDecodeError as e:
-        print(f"[FAIL] {file_path}\n\n       {e}\n")
-    except FileNotFoundError:
-        print(f"[FAIL] {file_path}\n\n       File not found\n")
+        return False, [f"Invalid JSON: {e}"]
+    except Exception as e:
+        return False, [f"Error reading file: {e}"]
+
+    # Determine required fields based on JSON content
+    required_fields = []
+
+    # Validate structure - support both array and object formats
+    entries_to_validate = []
+
+    if isinstance(data, list):
+        # Direct array format: [{...}, {...}]
+        entries_to_validate = data
+    elif isinstance(data, dict):
+        # Object format: {"custom_nodes": [...]} or {"models": [...]}
+        # Determine validation based on keys
+        if 'custom_nodes' in data and isinstance(data['custom_nodes'], list):
+            required_fields = REQUIRED_FIELDS_CUSTOM_NODE
+            entries_to_validate = data['custom_nodes']
+        elif 'models' in data and isinstance(data['models'], list):
+            required_fields = REQUIRED_FIELDS_MODEL
+            entries_to_validate = data['models']
+        else:
+            # Other JSON structures (extension-node-map.json, etc.) - just validate JSON syntax
+            return True, []
+    else:
+        return False, ["JSON root must be either an array or an object containing arrays"]
+
+    # Validate each entry
+    for idx, entry in enumerate(entries_to_validate, start=1):
+        if not isinstance(entry, dict):
+            # Show actual value for type errors
+            entry_str = json.dumps(entry, ensure_ascii=False) if not isinstance(entry, str) else repr(entry)
+            if len(entry_str) > 150:
+                entry_str = entry_str[:150] + "..."
+            errors.append(f"\n❌ Entry #{idx}: Must be an object, got {type(entry).__name__}")
+            errors.append(f"   Actual value: {entry_str}")
+            continue
+
+        entry_errors = validate_entry(entry, idx, required_fields)
+        if entry_errors:
+            # Group errors by entry with context
+            context = get_entry_context(entry)
+            errors.append(f"\n❌ Entry #{idx} ({context}):")
+            for error in entry_errors:
+                errors.append(f"   - {error}")
+
+    is_valid = len(errors) == 0
+    return is_valid, errors
+
 
 def main():
-    parser = argparse.ArgumentParser(description="JSON File Syntax Checker")
-    parser.add_argument("file_path", type=str, help="Path to the JSON file for syntax checking")
+    """Main entry point"""
+    if len(sys.argv) < 2:
+        print("Usage: python json-checker.py <json-file>")
+        print("\nValidates JSON entries based on content:")
+        print("  - {\"custom_nodes\": [...]}: Validates required fields (author, title, reference, files, install_type, description)")
+        print("  - {\"models\": [...]}: Validates JSON syntax only (no required fields)")
+        print("  - Other JSON structures: Validates JSON syntax only")
+        print("\nGit repo URL validation (for custom_nodes):")
+        print("  - URLs must NOT end with .git")
+        print("  - URLs must follow: https://github.com/{author}/{reponame}")
+        sys.exit(1)
 
-    args = parser.parse_args()
-    check_json_syntax(args.file_path)
+    file_path = sys.argv[1]
 
-if __name__ == "__main__":
+    is_valid, errors = validate_json_file(file_path)
+
+    if is_valid:
+        print(f"✅ {file_path}: Validation passed")
+        sys.exit(0)
+    else:
+        print(f"Validating: {file_path}")
+        print("=" * 60)
+        print("❌ Validation failed!\n")
+        print("Errors:")
+        # Count actual errors (lines starting with "   -")
+        error_count = sum(1 for e in errors if e.strip().startswith('-'))
+        for error in errors:
+            # Don't add ❌ prefix to grouped entries (they already have it)
+            if error.strip().startswith('❌'):
+                print(error)
+            else:
+                print(error)
+        print(f"\nTotal errors: {error_count}")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
     main()

node_db/dev/custom-node-list.json

@@ -1,5 +1,296 @@
 {
     "custom_nodes": [
+        {
+            "author": "Nynxz",
+            "title": "ComfyUI_DiffsynthPause",
+            "reference": "https://github.com/Nynxz/ComfyUI_DiffsynthPause",
+            "files": [
+                "https://github.com/Nynxz/ComfyUI_DiffsynthPause"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom node for controlling Diffsynth checkpoint pausing behavior during image generation workflows. (Description by CC)"
+        },
+        {
+            "author": "binarystatic",
+            "title": "ComfyUI-BinarystaticMasterSeed",
+            "reference": "https://github.com/binarystatic/ComfyUI-BinarystaticMasterSeed",
+            "files": [
+                "https://github.com/binarystatic/ComfyUI-BinarystaticMasterSeed"
+            ],
+            "install_type": "git-clone",
+            "description": "BinarystaticMasterSeed node for ComfyUI. (Description by CC)"
+        },
+        {
+            "author": "Aruntd008",
+            "title": "[WIP] ComfyUI_SeamlessPattern",
+            "reference": "https://github.com/Aruntd008/ComfyUI_SeamlessPattern",
+            "files": [
+                "https://github.com/Aruntd008/ComfyUI_SeamlessPattern"
+            ],
+            "install_type": "git-clone",
+            "description": "SeamlessPatternNode for ComfyUI. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "SilentLuxRay",
+            "title": "[WIP] ComfyUI-Furrey-Super-Prompt",
+            "reference": "https://github.com/SilentLuxRay/ComfyUI-Furrey-Super-Prompt",
+            "files": [
+                "https://github.com/SilentLuxRay/ComfyUI-Furrey-Super-Prompt"
+            ],
+            "install_type": "git-clone",
+            "description": "A personalized all-in-one node for ComfyUI that simplifies prompt management and LoRA handling with automatic translation to English. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "Rayen21",
+            "title": "[WIP] ComfyUI-PromptLinePlus",
+            "reference": "https://github.com/Rayen21/ComfyUI-PromptLinePlus",
+            "files": [
+                "https://github.com/Rayen21/ComfyUI-PromptLinePlus"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom node that splits multi-line prompts by line, enabling batch image generation with each line triggering one execution and supporting custom prompt boxes. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "ashtar1984",
+            "title": "comfyui-switch-bypass-mute-by-group",
+            "reference": "https://github.com/ashtar1984/comfyui-switch-bypass-mute-by-group",
+            "files": [
+                "https://github.com/ashtar1984/comfyui-switch-bypass-mute-by-group"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom node for group-based node switching, bypassing, and muting control. (Description by CC)"
+        },
+        {
+            "author": "rookiestar28",
+            "title": "ComfyUI_Security_Audit",
+            "reference": "https://github.com/rookiestar28/ComfyUI_Security_Audit",
+            "files": [
+                "https://github.com/rookiestar28/ComfyUI_Security_Audit"
+            ],
+            "install_type": "git-clone",
+            "description": "A lightweight, dual-layer security extension for ComfyUI using AST-based static analysis and runtime monitoring to detect malicious code in custom nodes."
+        },
+        {
+            "author": "c1660181647-hash",
+            "title": "ComfyUI-MM-Visual-Encryption",
+            "reference": "https://github.com/c1660181647-hash/ComfyUI-MM-Visual-Encryption",
+            "files": [
+                "https://github.com/c1660181647-hash/ComfyUI-MM-Visual-Encryption"
+            ],
+            "install_type": "git-clone",
+            "description": "A visual noise encryption custom node for ComfyUI, supporting Image and Video privacy protection."
+        },
+        {
+            "author": "charlierz",
+            "title": "comfyui-charlierz",
+            "reference": "https://github.com/charlierz/comfyui-charlierz",
+            "files": [
+                "https://github.com/charlierz/comfyui-charlierz"
+            ],
+            "install_type": "git-clone",
+            "description": "NODES: BackgroundColor, ScaleDimensions"
+        },
+        {
+            "author": "lrzjason",
+            "title": "Comfyui-DiffusersUtils [WIP]",
+            "reference": "https://github.com/lrzjason/Comfyui-DiffusersUtils",
+            "files": [
+                "https://github.com/lrzjason/Comfyui-DiffusersUtils"
+            ],
+            "install_type": "git-clone",
+            "description": "A set of nodes which provide flexible inference using diffusers in comfyui env. (Description by CC)"
+        },
+        {
+            "author": "anilstream",
+            "title": "ComfyUI-NanoBananaPro",
+            "reference": "https://github.com/anilstream/ComfyUI-NanoBananaPro",
+            "files": [
+                "https://github.com/anilstream/ComfyUI-NanoBananaPro"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI node implementing basic functionality with NanoBananaBasicNode. (Description by CC)"
+        },
+        {
+            "author": "Toxic1228",
+            "title": "Eleven-labs-comfyui-sts",
+            "reference": "https://github.com/Toxic1228/Eleven-labs-comfyui-sts",
+            "files": [
+                "https://github.com/Toxic1228/Eleven-labs-comfyui-sts"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI integration node for Eleven Labs text-to-speech service (requires API key). (Description by CC)"
+        },
+        {
+            "author": "NeoTech",
+            "title": "comfyui-laserprep",
+            "reference": "https://github.com/NeoTech/comfyui-laserprep",
+            "files": [
+                "https://github.com/NeoTech/comfyui-laserprep"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI node implementing laser preparation functionality with LaserPrep node. (Description by CC)"
+        },        
+        {
+            "author": "Enferlain",
+            "title": "ComfyUI-extra-schedulers [WIP]",
+            "reference": "https://github.com/Enferlain/ComfyUI-extra-schedulers",
+            "files": [
+                "https://github.com/Enferlain/ComfyUI-extra-schedulers"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom nodes providing additional scheduler implementations for advanced sampling control. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "tiange-tree",
+            "title": "BLUEAI_ComfyUI_OpenAI",
+            "reference": "https://github.com/tiange-tree/BLUEAI_ComfyUI_OpenAI",
+            "files": [
+                "https://github.com/tiange-tree/BLUEAI_ComfyUI_OpenAI"
+            ],
+            "install_type": "git-clone",
+            "description": "NODES: BLUEAI_OpenAI_Node"
+        },
+        {
+            "author": "nestflow",
+            "title": "ComfyUI-WanPlus",
+            "reference": "https://github.com/nestflow/ComfyUI-WanPlus",
+            "files": [
+                "https://github.com/nestflow/ComfyUI-WanPlus"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI nodes for video frame manipulation and image-to-video conversion. (Description by CC)"
+        },
+        {
+            "author": "twdockery",
+            "title": "ComfyUI_Prompt_Batch_Generator",
+            "reference": "https://github.com/twdockery/ComfyUI_Prompt_Batch_Generator",
+            "files": [
+                "https://github.com/twdockery/ComfyUI_Prompt_Batch_Generator"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom nodes for batch image generation with Stable Diffusion 1.5, optimized for low VRAM systems. (Description by CC)"
+        },
+        {
+            "author": "tuxiansheng-ld",
+            "title": "Comfyui-tuxiansheng-nodes",
+            "reference": "https://github.com/tuxiansheng-ld/Comfyui-tuxiansheng-nodes",
+            "files": [
+                "https://github.com/tuxiansheng-ld/Comfyui-tuxiansheng-nodes"
+            ],
+            "install_type": "git-clone",
+            "description": "NODES: StringToListNode"
+        },
+        {
+            "author": "krakenunbound",
+            "title": "Kraken Discord Bot",
+            "id": "kraken-discord-bot",
+            "reference": "https://github.com/krakenunbound/kraken-discord-bot",
+            "files": [
+                "https://github.com/krakenunbound/kraken-discord-bot"
+            ],
+            "install_type": "git-clone",
+            "description": "All-in-one Discord bot node for AI image generation. Simple setup - just add token, select model, and queue. Includes style presets, rate limiting, and queue management."
+        },
+        {
+            "author": "quinteroac",
+            "title": "comfyui_api_executor_nodes",
+            "reference": "https://github.com/quinteroac/comfyui_api_executor_nodes",
+            "files": [
+                "https://github.com/quinteroac/comfyui_api_executor_nodes"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom nodes for ComfyUI that enable workflow execution via API (internal or external), as well as input/output handling and workflow selection."
+        },        
+        {
+            "author": "Chang-Jin-Lee",
+            "title": "ComfyUI-PromptMixer-AI [WIP]",
+            "reference": "https://github.com/Chang-Jin-Lee/ComfyUI-PromptMixer-AI",
+            "files": [
+                "https://github.com/Chang-Jin-Lee/ComfyUI-PromptMixer-AI"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom node collection for unified control of checkpoints, steps, CFG, samplers, LoRA and prompt parameters with local LLM integration. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },        
+        {
+            "author": "leacvikas0",
+            "title": "ComfyUI-Presence [WIP]",
+            "reference": "https://github.com/leacvikas0/ComfyUI-Presence",
+            "files": [
+                "https://github.com/leacvikas0/ComfyUI-Presence"
+            ],
+            "install_type": "git-clone",
+            "description": "NODES: BeautifulTextNode, FluxAdaptiveInjector, InspectNode, PresenceDirector, PresenceDirectorFireworks, PresenceDirectorVertex, PresenceSaver, UnaliverBundlePreview, UnaliverNode, UnaliverPlanner, UnaliverStepIterato, ...\nNOTE: The files in the repo are not organized."
+        },        
+        {
+            "author": "Kraven1109",
+            "title": "ComfyUI-Llama [NAME CONFLICT]",
+            "reference": "https://github.com/Kraven1109/ComfyUI-Llama",
+            "files": [
+                "https://github.com/Kraven1109/ComfyUI-Llama"
+            ],
+            "install_type": "git-clone",
+            "description": "Lightweight ComfyUI plugin exposing llama.cpp-based one-shot Qwen VQA nodes."
+        },        
+        {
+            "author": "xiaoxidashen",
+            "title": "comfyui_my_utils",
+            "reference": "https://github.com/xiaoxidashen/comfyui_my_utils",
+            "files": [
+                "https://github.com/xiaoxidashen/comfyui_my_utils"
+            ],
+            "install_type": "git-clone",
+            "description": "Guide and utilities for creating ComfyUI custom nodes with image/video preview functionality. (Description by CC)"
+        },
+        {
+            "author": "agavesunset",
+            "title": "ComfyUI_LoRA_Tracker",
+            "reference": "https://github.com/agavesunset/ComfyUI_LoRA_Tracker",
+            "files": [
+                "https://github.com/agavesunset/ComfyUI_LoRA_Tracker"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI node for tracking and displaying LoRA parameters. (Description by CC)"
+        },
+        {
+            "author": "SleazySleaze",
+            "title": "aesthetic-persona-comfyui-node",
+            "reference": "https://github.com/SleazySleaze/aesthetic-persona-comfyui-node",
+            "files": [
+                "https://github.com/SleazySleaze/aesthetic-persona-comfyui-node"
+            ],
+            "install_type": "git-clone",
+            "description": "Node providing aesthetic persona parsing capabilities for ComfyUI. (Description by CC)"
+        },
+        {
+            "author": "xtanqn",
+            "title": "comfyui-xishen [WIP]",
+            "reference": "https://github.com/xtanqn/comfyui-xishen",
+            "files": [
+                "https://github.com/xtanqn/comfyui-xishen"
+            ],
+            "install_type": "git-clone",
+            "description": "A custom node for ComfyUI that generates random numbers as text output.\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "heyburns",
+            "title": "ComfyUI-Logic-Redux [WIP]",
+            "reference": "https://github.com/heyburns/ComfyUI-Logic-Redux",
+            "files": [
+                "https://github.com/heyburns/ComfyUI-Logic-Redux"
+            ],
+            "install_type": "git-clone",
+            "description": "Validation-friendly rewrite of ComfyUI Logic nodes with drop-in compatibility, featuring compare, int/float/bool/string pass-through, ternary logic, and debug nodes. (Description by CC)\nNOTE: The files in the repo are not organized."
+        },
+        {
+            "author": "Mohamed-Sakr",
+            "title": "ComfyUI-SimpleMarkdown [UNSAFE]",
+            "reference": "https://github.com/Mohamed-Sakr/ComfyUI-SimpleMarkdown",
+            "files": [
+                "https://github.com/Mohamed-Sakr/ComfyUI-SimpleMarkdown"
+            ],
+            "install_type": "git-clone",
+            "description": "A simple markdown node for ComfyUI[w/This nodepack has a frontend vulnerability.]"
+        },
         {
             "author": "starsFriday",
             "title": "ComfyUI-Tracker-Person [WIP]",
@@ -320,16 +611,6 @@
             "install_type": "git-clone",
             "description": "Integrated Qwen-Image node for ComfyUI with all-in-one model loading, 4 LoRA slots, memory optimization via BlockSwap reducing VRAM usage by 30-60%, and multiple quantization options.\nNOTE: The files in the repo are not organized."
         },
-        {
-            "author": "nohikomiso",
-            "title": "ComfyUI-ImageFolderPicker [UNSAFE]",
-            "reference": "https://github.com/nohikomiso/ComfyUI-ImageFolderPicker",
-            "files": [
-                "https://github.com/nohikomiso/ComfyUI-ImageFolderPicker"
-            ],
-            "install_type": "git-clone",
-            "description": "Custom ComfyUI node for browsing local server folders and selecting images via thumbnail display in a grid interface. (Description by CC)[w/This nodepack has a vulnerability that allows it to retrieve a list of files from arbitrary paths.]"
-        },
         {
             "author": "tori29umai0123",
             "title": "ComfyUI-SDXLGenerateFromTextFile [UNSAFE]",
@@ -1063,16 +1344,6 @@
             "install_type": "git-clone",
             "description": "ComfyUI-CC-ImageLoader is an enhanced image loading node designed for ComfyUI. It is developed based on two excellent projects: ComfyUI-Thumbnails and ComfyUI_Local_Media_Manager.[w/This nodepack includes an endpoint that access files from arbitrary paths.]"
         },
-        {
-            "author": "rzasharp79",
-            "title": "ComfyUI--SolarFlare",
-            "reference": "https://github.com/rzasharp79/ComfyUI--SolarFlare",
-            "files": [
-                "https://github.com/rzasharp79/ComfyUI--SolarFlare"
-            ],
-            "install_type": "git-clone",
-            "description": "NODES: Qwen Image, ..."
-        },
         {
             "author": "A1rCHAN",
             "title": "Eric's Prompt Enhancers for ComfyUI# Eric's Prompt Enhancers for ComfyUI",
@@ -1203,16 +1474,6 @@
             "install_type": "git-clone",
             "description": "NODES: Image Size Input, Date/Time based output path"
         },
-        {
-            "author": "octapus8085",
-            "title": "OpenAI-comfyui-O",
-            "reference": "https://github.com/Spicely/Comfyui-File-Utils",
-            "files": [
-                "https://github.com/Spicely/Comfyui-File-Utils"
-            ],
-            "install_type": "git-clone",
-            "description": "This plugin provides multiple file-handling and utility nodes for ComfyUI, including: image saving, audio saving, video saving, video composition, audio-to-subtitle conversion, and random number generation nodes. These nodes not only process files but also return their absolute file paths.\nNOTE: The files in the repo are not organized.[w/This nodepack contains a node that has a vulnerability allowing write to arbitrary file paths.]"
-        },
         {
             "author": "octapus8085",
             "title": "OpenAI-comfyui-O",
@@ -4618,7 +4879,8 @@
             "description": "NODES: Face Detector Selector, YC Human Parts Ultra(Advance), Color Match (YC)"
         },
         {
-            "author": "virallover",
+            "author": "maizerrr",
+            "title": "comfyui-code-nodes",
             "reference": "https://github.com/maizerrr/comfyui-code-nodes",
             "files": [
                 "https://github.com/maizerrr/comfyui-code-nodes"

node_db/legacy/custom-node-list.json

@@ -1,5 +1,165 @@
 {
     "custom_nodes": [
+        {
+            "author": "cdanielp",
+            "title": "COMFYUI_PROMPTMODELS [REMOVED]",
+            "reference": "https://github.com/cdanielp/COMFYUI_PROMPTMODELS",
+            "files": [
+                "https://github.com/cdanielp/COMFYUI_PROMPTMODELS"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom nodes for ComfyUI by PROMPTMODELS."
+        },
+        {
+            "author": "mcrataobrabo",
+            "title": "comfyui-smart-lora-downloader - Automatically Fetch Missing LoRAs [REMOVED]",
+            "reference": "https://github.com/mcrataobrabo/comfyui-smart-lora-downloader",
+            "files": [
+                "https://github.com/mcrataobrabo/comfyui-smart-lora-downloader"
+            ],
+            "install_type": "git-clone",
+            "description": "Automatically detect and download missing LoRAs for ComfyUI workflows"
+        },
+        {
+            "author": "KANAsho34636",
+            "title": "ComfyUI-NaturalSort-ImageLoader [REMOVED]",
+            "reference": "https://github.com/KANAsho34636/ComfyUI-NaturalSort-ImageLoader",
+            "files": [
+                "https://github.com/KANAsho34636/ComfyUI-NaturalSort-ImageLoader"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom image loader node supporting natural number sorting with multiple sort modes (natural, lexicographic, modification time, creation time, reverse natural). (Description by CC)"
+        },
+        {
+            "author": "johninthewinter",
+            "title": "comfyui-fal-flux-2-John [REMOVED]",
+            "reference": "https://github.com/johninthewinter/comfyui-fal-flux-2-John",
+            "files": [
+                "https://github.com/johninthewinter/comfyui-fal-flux-2-John"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom nodes for ComfyUI that integrate with fal.ai's FLUX 2 and FLUX 1 LoRA APIs for text-to-image generation."
+        },
+        {
+            "author": "LargeModGames",
+            "title": "ComfyUI LoRA Auto Downloader [REMOVED]",
+            "reference": "https://github.com/LargeModGames/comfyui-smart-lora-downloader",
+            "files": [
+                "https://github.com/LargeModGames/comfyui-smart-lora-downloader"
+            ],
+            "install_type": "git-clone",
+            "description": "Automatically download missing LoRAs from CivitAI and detect missing LoRAs in workflows. Features smart directory detection and easy installation."
+        },
+        {
+            "author": "DiffusionWave",
+            "title": "PickResolution_DiffusionWave [DEPRECATED]",
+            "reference": "https://github.com/DiffusionWave/PickResolution_DiffusionWave",
+            "files": [
+                "https://github.com/DiffusionWave/PickResolution_DiffusionWave"
+            ],
+            "install_type": "git-clone",
+            "description": "A custom node for ComfyUI that allows selecting a base resolution, applying a custom scaling value based on FLOAT (up to 10 decimal places), and adding an extra integer value. Outputs include both INT and FLOAT resolutions, making it perfect for you to play around with."
+        },
+        {
+            "author": "geltz",
+            "title": "ComfyUI-geltz [REMOVED]",
+            "reference": "https://github.com/geltz/ComfyUI-geltz",
+            "files": [
+                "https://github.com/geltz/ComfyUI-geltz"
+            ],
+            "install_type": "git-clone",
+            "description": "Various custom nodes; guidance, latents, sampling, tokenization, etc."
+        },
+        {
+            "author": "anilsathyan7",
+            "title": "ComfyUI-Crystal-Upscaler [REMOVED]",
+            "reference": "https://github.com/anilsathyan7/ComfyUI-Crystal-Upscaler",
+            "files": [
+                "https://github.com/anilsathyan7/ComfyUI-Crystal-Upscaler"
+            ],
+            "install_type": "git-clone",
+            "description": "ComfyUI custom node for image upscaling using crystal upscaling technology. (Description by CC)"
+        },
+        {
+            "author": "nohikomiso",
+            "title": "ComfyUI-ImageFolderPicker [REMOVED/UNSAFE]",
+            "reference": "https://github.com/nohikomiso/ComfyUI-ImageFolderPicker",
+            "files": [
+                "https://github.com/nohikomiso/ComfyUI-ImageFolderPicker"
+            ],
+            "install_type": "git-clone",
+            "description": "Custom ComfyUI node for browsing local server folders and selecting images via thumbnail display in a grid interface. (Description by CC)[w/This nodepack has a vulnerability that allows it to retrieve a list of files from arbitrary paths.]"
+        },
+        {
+            "author": "rzasharp79",
+            "title": "ComfyUI--SolarFlare [REMOVED]",
+            "reference": "https://github.com/rzasharp79/ComfyUI--SolarFlare",
+            "files": [
+                "https://github.com/rzasharp79/ComfyUI--SolarFlare"
+            ],
+            "install_type": "git-clone",
+            "description": "NODES: Qwen Image, ..."
+        },
+        {
+            "author": "shinich39",
+            "title": "comfyui-no-one-above-me [REMOVED]",
+            "reference": "https://github.com/shinich39/comfyui-no-one-above-me",
+            "files": [
+                "https://github.com/shinich39/comfyui-no-one-above-me"
+            ],
+            "install_type": "git-clone",
+            "description": "Fix node to top."
+        },
+        {
+            "author": "octapus8085",
+            "title": "OpenAI-comfyui-O [REMOVED]",
+            "reference": "https://github.com/Spicely/Comfyui-File-Utils",
+            "files": [
+                "https://github.com/Spicely/Comfyui-File-Utils"
+            ],
+            "install_type": "git-clone",
+            "description": "This plugin provides multiple file-handling and utility nodes for ComfyUI, including: image saving, audio saving, video saving, video composition, audio-to-subtitle conversion, and random number generation nodes. These nodes not only process files but also return their absolute file paths.\nNOTE: The files in the repo are not organized.[w/This nodepack contains a node that has a vulnerability allowing write to arbitrary file paths.]"
+        },        
+        {
+            "author": "yemanou",
+            "title": "NABA Image (Gemini REST) Node [REMOVED]",
+            "reference": "https://github.com/yemanou/ComfyUI-NABA",
+            "files": [
+                "https://github.com/yemanou/ComfyUI-NABA"
+            ],
+            "install_type": "git-clone",
+            "description": "Simplified Gemini 2.5 Flash Image Preview node for ComfyUI. REST-only for stability, two optional reference images, padded aspect ratio resizing (no stretching), and basic sampling controls. All extra debug layers, SDK path, multi-seed, and legacy compatibility code removed to avoid crashes."
+        },
+        {
+            "author": "comrender",
+            "title": "ComfyUI-Nano-Banana-Resizer [REMOVED]",
+            "reference": "https://github.com/comrender/ComfyUI-Nano-Banana-Resizer",
+            "files": [
+                "https://github.com/comrender/ComfyUI-Nano-Banana-Resizer"
+            ],
+            "install_type": "git-clone",
+            "description": "A ComfyUI custom node that automatically calculates optimal output dimensions for Google's Nano Banana image editing model, supporting 22 aspect ratio buckets and ensuring pixel-perfect outputs without shifting or cropping."
+        },
+        {
+            "author": "comrender",
+            "title": "ComfyUI-edge-match-checker [REMOVED]",
+            "reference": "https://github.com/comrender/ComfyUI-edge-match-checker",
+            "files": [
+                "https://github.com/comrender/ComfyUI-edge-match-checker"
+            ],
+            "install_type": "git-clone",
+            "description": "Node comparing two image masks or images with adjustable overlap threshold (default 95%) for detecting minor shifts and mismatches in proportions, suitable for automated post-processing validation. (Description by CC)"
+        },
+        {
+            "author": "comrender",
+            "title": "ComfyUI-gpt5_image_text [REMOVED]",
+            "reference": "https://github.com/comrender/ComfyUI-gpt5_image_text",
+            "files": [
+                "https://github.com/comrender/ComfyUI-gpt5_image_text"
+            ],
+            "install_type": "git-clone",
+            "description": "A ComfyUI custom node for vision + text analysis using GPT-5 and GPT-4o with direct API key input, system prompt, temperature, max tokens, and multi-image support."
+        },
         {
             "author": "PozzettiAndrea",
             "title": "ComfyUI-CameraAnalysis [REMOVED]",

prestartup_script.py

@@ -85,7 +85,15 @@ cm_global.register_api('cm.is_import_failed_extension', is_import_failed_extensi
 comfyui_manager_path = os.path.abspath(os.path.dirname(__file__))
 
 custom_nodes_base_path = folder_paths.get_folder_paths('custom_nodes')[0]
-manager_files_path = os.path.abspath(os.path.join(folder_paths.get_user_directory(), 'default', 'ComfyUI-Manager'))
+
+# Check for System User API availability (PR #10966)
+_has_system_user_api = hasattr(folder_paths, 'get_system_user_directory')
+
+if _has_system_user_api:
+    manager_files_path = os.path.abspath(os.path.join(folder_paths.get_user_directory(), '__manager'))
+else:
+    manager_files_path = os.path.abspath(os.path.join(folder_paths.get_user_directory(), 'default', 'ComfyUI-Manager'))
+
 manager_pip_overrides_path = os.path.join(manager_files_path, "pip_overrides.json")
 manager_pip_blacklist_path = os.path.join(manager_files_path, "pip_blacklist.list")
 restore_snapshot_path = os.path.join(manager_files_path, "startup-scripts", "restore-snapshot.json")
@@ -516,7 +524,8 @@ check_bypass_ssl()
 
 # Perform install
 processed_install = set()
-script_list_path = os.path.join(folder_paths.user_directory, "default", "ComfyUI-Manager", "startup-scripts", "install-scripts.txt")
+# Use manager_files_path for consistency (fixes path inconsistency bug)
+script_list_path = os.path.join(manager_files_path, "startup-scripts", "install-scripts.txt")
 pip_fixer = manager_util.PIPFixer(manager_util.get_installed_packages(), comfy_path, manager_files_path)
 
 
@@ -793,7 +802,11 @@ def execute_startup_script():
 
 
 # Check if script_list_path exists
-if os.path.exists(script_list_path):
+# Block startup-scripts on old ComfyUI (security measure)
+if not _has_system_user_api:
+    if os.path.exists(script_list_path):
+        print("[ComfyUI-Manager] Startup scripts blocked on old ComfyUI version.")
+elif os.path.exists(script_list_path):
     execute_startup_script()
 
 

pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "3.37.2"
+version = "3.38.3"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-nio", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]
 

scanner.py

@@ -16,6 +16,108 @@ import sys
 
 from urllib.parse import urlparse
 from github import Github, Auth
+from pathlib import Path
+from typing import Set, Dict, Optional
+
+# Scanner version for cache invalidation
+SCANNER_VERSION = "2.0.11"  # Multi-layer detection: class existence + display names
+
+# Cache for extract_nodes and extract_nodes_enhanced results
+_extract_nodes_cache: Dict[str, Set[str]] = {}
+_extract_nodes_enhanced_cache: Dict[str, Set[str]] = {}
+_file_mtime_cache: Dict[Path, float] = {}
+
+
+def _get_repo_root(file_path: Path) -> Optional[Path]:
+    """Find the repository root directory containing .git"""
+    current = file_path if file_path.is_dir() else file_path.parent
+    while current != current.parent:
+        if (current / ".git").exists():
+            return current
+        current = current.parent
+    return None
+
+
+def _get_repo_hash(repo_path: Path) -> str:
+    """Get git commit hash or fallback identifier"""
+    git_dir = repo_path / ".git"
+    if not git_dir.exists():
+        return ""
+
+    try:
+        # Read HEAD to get current commit
+        head_file = git_dir / "HEAD"
+        if head_file.exists():
+            head_content = head_file.read_text().strip()
+            if head_content.startswith("ref:"):
+                # HEAD points to a ref
+                ref_path = git_dir / head_content[5:].strip()
+                if ref_path.exists():
+                    commit_hash = ref_path.read_text().strip()
+                    return commit_hash[:16]  # First 16 chars
+            else:
+                # Detached HEAD
+                return head_content[:16]
+    except:
+        pass
+
+    return ""
+
+
+def _load_per_repo_cache(repo_path: Path) -> Optional[tuple]:
+    """Load nodes and metadata from per-repo cache
+
+    Returns:
+        tuple: (nodes_set, metadata_dict) or None if cache invalid
+    """
+    cache_file = repo_path / ".git" / "nodecache.json"
+
+    if not cache_file.exists():
+        return None
+
+    try:
+        with open(cache_file, 'r') as f:
+            cache_data = json.load(f)
+
+        # Verify scanner version
+        if cache_data.get('scanner_version') != SCANNER_VERSION:
+            return None
+
+        # Verify git hash
+        current_hash = _get_repo_hash(repo_path)
+        if cache_data.get('git_hash') != current_hash:
+            return None
+
+        # Return nodes and metadata
+        nodes = cache_data.get('nodes', [])
+        metadata = cache_data.get('metadata', {})
+        return (set(nodes) if nodes else set(), metadata)
+
+    except:
+        return None
+
+
+def _save_per_repo_cache(repo_path: Path, all_nodes: Set[str], metadata: dict = None):
+    """Save nodes and metadata to per-repo cache"""
+    cache_file = repo_path / ".git" / "nodecache.json"
+
+    if not cache_file.parent.exists():
+        return
+
+    git_hash = _get_repo_hash(repo_path)
+    cache_data = {
+        "scanner_version": SCANNER_VERSION,
+        "git_hash": git_hash,
+        "scanned_at": datetime.datetime.now().isoformat(),
+        "nodes": sorted(list(all_nodes)),
+        "metadata": metadata if metadata else {}
+    }
+
+    try:
+        with open(cache_file, 'w') as f:
+            json.dump(cache_data, f, indent=2)
+    except:
+        pass  # Silently fail - cache is optional
 
 
 def download_url(url, dest_folder, filename=None):
@@ -51,11 +153,12 @@ Examples:
   # Standard mode
   python3 scanner.py
   python3 scanner.py --skip-update
+  python3 scanner.py --skip-all --force-rescan
 
   # Scan-only mode
   python3 scanner.py --scan-only temp-urls-clean.list
   python3 scanner.py --scan-only urls.list --temp-dir /custom/temp
-  python3 scanner.py --scan-only urls.list --skip-update
+  python3 scanner.py --scan-only urls.list --skip-update --force-rescan
         '''
     )
 
@@ -69,6 +172,8 @@ Examples:
                        help='Skip GitHub stats collection')
     parser.add_argument('--skip-all', action='store_true',
                        help='Skip all update operations')
+    parser.add_argument('--force-rescan', action='store_true',
+                       help='Force rescan all nodes (ignore cache)')
 
     # Backward compatibility: positional argument for temp_dir
     parser.add_argument('temp_dir_positional', nargs='?', metavar='TEMP_DIR',
@@ -94,6 +199,11 @@ parse_cnt = 0
 def extract_nodes(code_text):
     global parse_cnt
 
+    # Check cache first
+    cache_key = hash(code_text)
+    if cache_key in _extract_nodes_cache:
+        return _extract_nodes_cache[cache_key].copy()
+
     try:
         if parse_cnt % 100 == 0:
             print(".", end="", flush=True)
@@ -128,12 +238,458 @@ def extract_nodes(code_text):
                     if key is not None and isinstance(key.value, str):
                         s.add(key.value.strip())
 
+            # Cache the result
+            _extract_nodes_cache[cache_key] = s
             return s
         else:
+            # Cache empty result
+            _extract_nodes_cache[cache_key] = set()
             return set()
+    except:
+        # Cache empty result on error
+        _extract_nodes_cache[cache_key] = set()
+        return set()
+
+def extract_nodes_from_repo(repo_path: Path, verbose: bool = False, force_rescan: bool = False) -> tuple:
+    """
+    Extract all nodes and metadata from a repository with per-repo caching.
+
+    Automatically caches results in .git/nodecache.json.
+    Cache is invalidated when:
+    - Git commit hash changes
+    - Scanner version changes
+    - force_rescan flag is True
+
+    Args:
+        repo_path: Path to repository root
+        verbose: If True, print UI-only extension detection messages
+        force_rescan: If True, ignore cache and force fresh scan
+
+    Returns:
+        tuple: (nodes_set, metadata_dict)
+    """
+    # Ensure path is absolute
+    repo_path = repo_path.resolve()
+
+    # Check per-repo cache first (unless force_rescan is True)
+    if not force_rescan:
+        cached_result = _load_per_repo_cache(repo_path)
+        if cached_result is not None:
+            return cached_result
+
+    # Cache miss - scan all .py files
+    all_nodes = set()
+    all_metadata = {}
+    py_files = list(repo_path.rglob("*.py"))
+
+    # Filter out __pycache__, .git, and other hidden directories
+    filtered_files = []
+    for f in py_files:
+        try:
+            rel_path = f.relative_to(repo_path)
+            # Skip __pycache__, .git, and any directory starting with .
+            if '__pycache__' not in str(rel_path) and not any(part.startswith('.') for part in rel_path.parts):
+                filtered_files.append(f)
+        except:
+            continue
+    py_files = filtered_files
+
+    for py_file in py_files:
+        try:
+            # Read file with proper encoding
+            with open(py_file, 'r', encoding='utf-8', errors='ignore') as f:
+                code = f.read()
+
+            if code:
+                # Extract nodes using SAME logic as scan_in_file
+                # V1 nodes (enhanced with fallback patterns)
+                nodes = extract_nodes_enhanced(code, py_file, visited=set(), verbose=verbose)
+                all_nodes.update(nodes)
+
+                # V3 nodes detection
+                v3_nodes = extract_v3_nodes(code)
+                all_nodes.update(v3_nodes)
+
+                # Dict parsing - exclude commented NODE_CLASS_MAPPINGS lines
+                pattern = r"_CLASS_MAPPINGS\s*(?::\s*\w+\s*)?=\s*(?:\\\s*)?{([^}]*)}"
+                regex = re.compile(pattern, re.MULTILINE | re.DOTALL)
+
+                for match_obj in regex.finditer(code):
+                    # Get the line where NODE_CLASS_MAPPINGS is defined
+                    match_start = match_obj.start()
+                    line_start = code.rfind('\n', 0, match_start) + 1
+                    line_end = code.find('\n', match_start)
+                    if line_end == -1:
+                        line_end = len(code)
+                    line = code[line_start:line_end]
+
+                    # Skip if line starts with # (commented)
+                    if re.match(r'^\s*#', line):
+                        continue
+
+                    match = match_obj.group(1)
+
+                    # Filter out commented lines from dict content
+                    match_lines = match.split('\n')
+                    match_filtered = '\n'.join(
+                        line for line in match_lines
+                        if not re.match(r'^\s*#', line)
+                    )
+
+                    # Extract key-value pairs with double quotes
+                    key_value_pairs = re.findall(r"\"([^\"]*)\"\s*:\s*([^,\n]*)", match_filtered)
+                    for key, value in key_value_pairs:
+                        all_nodes.add(key.strip())
+
+                    # Extract key-value pairs with single quotes
+                    key_value_pairs = re.findall(r"'([^']*)'\s*:\s*([^,\n]*)", match_filtered)
+                    for key, value in key_value_pairs:
+                        all_nodes.add(key.strip())
+
+                # Handle .update() pattern (AFTER comment removal)
+                code_cleaned = re.sub(r'^#.*?$', '', code, flags=re.MULTILINE)
+
+                update_pattern = r"_CLASS_MAPPINGS\.update\s*\(\s*{([^}]*)}\s*\)"
+                update_match = re.search(update_pattern, code_cleaned, re.DOTALL)
+                if update_match:
+                    update_dict_text = update_match.group(1)
+                    # Extract key-value pairs (double quotes)
+                    update_pairs = re.findall(r'"([^"]*)"\s*:\s*([^,\n]*)', update_dict_text)
+                    for key, value in update_pairs:
+                        all_nodes.add(key.strip())
+                    # Extract key-value pairs (single quotes)
+                    update_pairs_single = re.findall(r"'([^']*)'\s*:\s*([^,\n]*)", update_dict_text)
+                    for key, value in update_pairs_single:
+                        all_nodes.add(key.strip())
+
+                # Additional regex patterns (AFTER comment removal)
+                patterns = [
+                    r'^[^=]*_CLASS_MAPPINGS\["(.*?)"\]',
+                    r'^[^=]*_CLASS_MAPPINGS\[\'(.*?)\'\]',
+                    r'@register_node\("(.+)",\s*\".+"\)',
+                    r'"(\w+)"\s*:\s*{"class":\s*\w+\s*'
+                ]
+
+                for pattern in patterns:
+                    keys = re.findall(pattern, code_cleaned)
+                    all_nodes.update(key.strip() for key in keys)
+
+                # Extract metadata from this file
+                metadata = extract_metadata_only(str(py_file))
+                all_metadata.update(metadata)
+        except Exception:
+            # Silently skip files that can't be read
+            continue
+
+    # Save to per-repo cache
+    _save_per_repo_cache(repo_path, all_nodes, all_metadata)
+
+    return (all_nodes, all_metadata)
+
+
+def _verify_class_exists(node_name: str, code_text: str, file_path: Optional[Path] = None) -> tuple[bool, Optional[str], Optional[int]]:
+    """
+    Verify that a node class exists and has ComfyUI node structure.
+
+    Returns: (exists: bool, file_path: str, line_number: int)
+
+    A valid ComfyUI node must have:
+    - Class definition (not commented)
+    - At least one of: INPUT_TYPES, RETURN_TYPES, FUNCTION method/attribute
+    """
+    try:
+        with warnings.catch_warnings():
+            warnings.filterwarnings('ignore', category=SyntaxWarning)
+            tree = ast.parse(code_text)
+    except:
+        return (False, None, None)
+
+    for node in ast.walk(tree):
+        if isinstance(node, ast.ClassDef):
+            if node.name == node_name or node.name.replace('_', '') == node_name.replace('_', ''):
+                # Found class definition - check if it has ComfyUI interface
+                has_input_types = False
+                has_return_types = False
+                has_function = False
+
+                for item in node.body:
+                    # Check for INPUT_TYPES method
+                    if isinstance(item, ast.FunctionDef) and item.name == 'INPUT_TYPES':
+                        has_input_types = True
+                    # Check for RETURN_TYPES attribute
+                    elif isinstance(item, ast.Assign):
+                        for target in item.targets:
+                            if isinstance(target, ast.Name):
+                                if target.id == 'RETURN_TYPES':
+                                    has_return_types = True
+                                elif target.id == 'FUNCTION':
+                                    has_function = True
+                    # Check for FUNCTION method
+                    elif isinstance(item, ast.FunctionDef):
+                        has_function = True
+
+                # Valid if has any ComfyUI signature
+                if has_input_types or has_return_types or has_function:
+                    file_str = str(file_path) if file_path else None
+                    return (True, file_str, node.lineno)
+
+    return (False, None, None)
+
+
+def _extract_display_name_mappings(code_text: str) -> Set[str]:
+    """
+    Extract node names from NODE_DISPLAY_NAME_MAPPINGS.
+
+    Pattern:
+        NODE_DISPLAY_NAME_MAPPINGS = {
+            "node_key": "Display Name",
+            ...
+        }
+
+    Returns:
+        Set of node keys from NODE_DISPLAY_NAME_MAPPINGS
+    """
+    try:
+        with warnings.catch_warnings():
+            warnings.filterwarnings('ignore', category=SyntaxWarning)
+            tree = ast.parse(code_text)
     except:
         return set()
 
+    nodes = set()
+
+    for node in tree.body:
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Name) and target.id == 'NODE_DISPLAY_NAME_MAPPINGS':
+                    if isinstance(node.value, ast.Dict):
+                        for key in node.value.keys:
+                            if isinstance(key, ast.Constant) and isinstance(key.value, str):
+                                nodes.add(key.value.strip())
+
+    return nodes
+
+
+def extract_nodes_enhanced(
+    code_text: str,
+    file_path: Optional[Path] = None,
+    visited: Optional[Set[Path]] = None,
+    verbose: bool = False
+) -> Set[str]:
+    """
+    Enhanced node extraction with multi-layer detection system.
+
+    Scanner 2.0.11 - Comprehensive detection strategy:
+    - Phase 1: NODE_CLASS_MAPPINGS dict literal
+    - Phase 2: Class.NAME attribute access (e.g., FreeChat.NAME)
+    - Phase 3: Item assignment (NODE_CLASS_MAPPINGS["key"] = value)
+    - Phase 4: Class existence verification (detects active classes even if registration commented)
+    - Phase 5: NODE_DISPLAY_NAME_MAPPINGS cross-reference
+    - Phase 6: Empty dict detection (UI-only extensions, logging only)
+
+    Fixed Bugs:
+    - Scanner 2.0.9: Fallback cascade prevented Phase 3 execution
+    - Scanner 2.0.10: Missed active classes with commented registrations (15 false negatives)
+
+    Args:
+        code_text: Python source code
+        file_path: Path to file (for logging and caching)
+        visited: Visited paths (for circular import prevention)
+        verbose: If True, print UI-only extension detection messages
+
+    Returns:
+        Set of node names (union of all detected patterns)
+    """
+    # Check file-based cache if file_path provided
+    if file_path is not None:
+        try:
+            file_path_obj = Path(file_path) if not isinstance(file_path, Path) else file_path
+            if file_path_obj.exists():
+                current_mtime = file_path_obj.stat().st_mtime
+
+                # Check if we have cached result with matching mtime and scanner version
+                if file_path_obj in _file_mtime_cache:
+                    cached_mtime = _file_mtime_cache[file_path_obj]
+                    cache_key = (str(file_path_obj), cached_mtime, SCANNER_VERSION)
+
+                    if current_mtime == cached_mtime and cache_key in _extract_nodes_enhanced_cache:
+                        return _extract_nodes_enhanced_cache[cache_key].copy()
+        except:
+            pass  # Ignore cache errors, proceed with normal execution
+
+    # Suppress warnings from AST parsing
+    with warnings.catch_warnings():
+        warnings.filterwarnings('ignore', category=SyntaxWarning)
+        warnings.filterwarnings('ignore', category=DeprecationWarning)
+
+        # Phase 1: Original extract_nodes() - dict literal
+        phase1_nodes = extract_nodes(code_text)
+
+    # Phase 2: Class.NAME pattern
+    if visited is None:
+        visited = set()
+    phase2_nodes = _fallback_classname_resolver(code_text, file_path)
+
+    # Phase 3: Item assignment pattern
+    phase3_nodes = _fallback_item_assignment(code_text)
+
+    # Phase 4: NODE_DISPLAY_NAME_MAPPINGS cross-reference (NEW in 2.0.11)
+    # This catches nodes that are in display names but not in NODE_CLASS_MAPPINGS
+    phase4_nodes = _extract_display_name_mappings(code_text)
+
+    # Phase 5: Class existence verification ONLY for display name candidates (NEW in 2.0.11)
+    # This phase is CONSERVATIVE - only verify classes that appear in display names
+    # This catches the specific Scanner 2.0.10 bug pattern:
+    #   - NODE_CLASS_MAPPINGS registration is commented
+    #   - NODE_DISPLAY_NAME_MAPPINGS still has the entry
+    #   - Class implementation exists
+    # Example: Bjornulf_ollamaLoader in Bjornulf_custom_nodes
+    phase5_nodes = set()
+    for node_name in phase4_nodes:
+        # Only check classes that appear in display names but not in registrations
+        if node_name not in (phase1_nodes | phase2_nodes | phase3_nodes):
+            exists, _, _ = _verify_class_exists(node_name, code_text, file_path)
+            if exists:
+                phase5_nodes.add(node_name)
+
+    # Union all results (FIX: Scanner 2.0.9 bug + Scanner 2.0.10 bug)
+    # 2.0.9: Used early return which missed Phase 3 nodes
+    # 2.0.10: Only checked registrations, missed classes referenced in display names
+    all_nodes = phase1_nodes | phase2_nodes | phase3_nodes | phase4_nodes | phase5_nodes
+
+    # Phase 6: Empty dict detector (logging only, doesn't add nodes)
+    if not all_nodes:
+        _fallback_empty_dict_detector(code_text, file_path, verbose)
+
+    # Cache the result
+    if file_path is not None:
+        try:
+            file_path_obj = Path(file_path) if not isinstance(file_path, Path) else file_path
+            if file_path_obj.exists():
+                current_mtime = file_path_obj.stat().st_mtime
+                cache_key = (str(file_path_obj), current_mtime, SCANNER_VERSION)
+                _extract_nodes_enhanced_cache[cache_key] = all_nodes
+                _file_mtime_cache[file_path_obj] = current_mtime
+        except:
+            pass
+
+    return all_nodes
+
+
+def _fallback_classname_resolver(code_text: str, file_path: Optional[Path]) -> Set[str]:
+    """
+    Detect Class.NAME pattern in NODE_CLASS_MAPPINGS.
+
+    Pattern:
+        NODE_CLASS_MAPPINGS = {
+            FreeChat.NAME: FreeChat,
+            PaidChat.NAME: PaidChat
+        }
+    """
+    try:
+        with warnings.catch_warnings():
+            warnings.filterwarnings('ignore', category=SyntaxWarning)
+            parsed = ast.parse(code_text)
+    except:
+        return set()
+    
+    nodes = set()
+    
+    for node in parsed.body:
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Name) and target.id == 'NODE_CLASS_MAPPINGS':
+                    if isinstance(node.value, ast.Dict):
+                        for key in node.value.keys:
+                            # Detect Class.NAME pattern
+                            if isinstance(key, ast.Attribute):
+                                if isinstance(key.value, ast.Name):
+                                    # Use class name as node name
+                                    nodes.add(key.value.id)
+                            # Also handle literal strings
+                            elif isinstance(key, ast.Constant) and isinstance(key.value, str):
+                                nodes.add(key.value.strip())
+    
+    return nodes
+
+
+def _fallback_item_assignment(code_text: str) -> Set[str]:
+    """
+    Detect item assignment pattern.
+    
+    Pattern:
+        NODE_CLASS_MAPPINGS = {}
+        NODE_CLASS_MAPPINGS["MyNode"] = MyNode
+    """
+    try:
+        with warnings.catch_warnings():
+            warnings.filterwarnings('ignore', category=SyntaxWarning)
+            parsed = ast.parse(code_text)
+    except:
+        return set()
+    
+    nodes = set()
+    
+    for node in ast.walk(parsed):
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Subscript):
+                    if (isinstance(target.value, ast.Name) and
+                        target.value.id in ['NODE_CLASS_MAPPINGS', 'NODE_CONFIG']):
+                        # Extract key
+                        if isinstance(target.slice, ast.Constant):
+                            if isinstance(target.slice.value, str):
+                                nodes.add(target.slice.value)
+    
+    return nodes
+
+
+def _extract_repo_name(file_path: Path) -> str:
+    """
+    Extract repository name from file path.
+
+    Path structure: /home/rho/.tmp/analysis/temp/{author}_{reponame}/{path/to/file.py}
+    Returns: {author}_{reponame} or filename if extraction fails
+    """
+    try:
+        parts = file_path.parts
+        # Find 'temp' directory in path
+        if 'temp' in parts:
+            temp_idx = parts.index('temp')
+            if temp_idx + 1 < len(parts):
+                # Next part after 'temp' is the repo directory
+                return parts[temp_idx + 1]
+    except (ValueError, IndexError):
+        pass
+
+    # Fallback to filename if extraction fails
+    return file_path.name if hasattr(file_path, 'name') else str(file_path)
+
+
+def _fallback_empty_dict_detector(code_text: str, file_path: Optional[Path], verbose: bool = False) -> None:
+    """
+    Detect empty NODE_CLASS_MAPPINGS (UI-only extensions).
+    Logs for documentation purposes only (when verbose=True).
+
+    Args:
+        code_text: Python source code to analyze
+        file_path: Path to the file being analyzed
+        verbose: If True, print detection messages
+    """
+    empty_patterns = [
+        'NODE_CLASS_MAPPINGS = {}',
+        'NODE_CLASS_MAPPINGS={}',
+    ]
+
+    code_normalized = code_text.replace(' ', '').replace('\n', '')
+
+    for pattern in empty_patterns:
+        pattern_normalized = pattern.replace(' ', '')
+        if pattern_normalized in code_normalized:
+            if file_path and verbose:
+                repo_name = _extract_repo_name(file_path)
+                print(f"Info: UI-only extension (empty NODE_CLASS_MAPPINGS): {repo_name}")
+            return
 
 def has_comfy_node_base(class_node):
     """Check if class inherits from io.ComfyNode or ComfyNode"""
@@ -229,6 +785,25 @@ def extract_v3_nodes(code_text):
 
 
 # scan
+def extract_metadata_only(filename):
+    """Extract only metadata (@author, @title, etc) without node scanning"""
+    try:
+        with open(filename, encoding='utf-8', errors='ignore') as file:
+            code = file.read()
+
+        metadata = {}
+        lines = code.strip().split('\n')
+        for line in lines:
+            if line.startswith('@'):
+                if line.startswith("@author:") or line.startswith("@title:") or line.startswith("@nickname:") or line.startswith("@description:"):
+                    key, value = line[1:].strip().split(':', 1)
+                    metadata[key.strip()] = value.strip()
+
+        return metadata
+    except:
+        return {}
+
+
 def scan_in_file(filename, is_builtin=False):
     global builtin_nodes
 
@@ -242,8 +817,8 @@ def scan_in_file(filename, is_builtin=False):
     nodes = set()
     class_dict = {}
 
-    # V1 nodes detection
-    nodes |= extract_nodes(code)
+    # V1 nodes detection (enhanced with fallback patterns)
+    nodes |= extract_nodes_enhanced(code, file_path=Path(filename), visited=set())
 
     # V3 nodes detection
     nodes |= extract_v3_nodes(code)
@@ -620,13 +1195,14 @@ def update_custom_nodes(scan_only_mode=False, url_list_file=None):
     return node_info
 
 
-def gen_json(node_info, scan_only_mode=False):
+def gen_json(node_info, scan_only_mode=False, force_rescan=False):
     """
     Generate extension-node-map.json from scanned node information
 
     Args:
         node_info (dict): Repository metadata mapping
         scan_only_mode (bool): If True, exclude metadata from output
+        force_rescan (bool): If True, ignore cache and force rescan all nodes
     """
     # scan from .py file
     node_files, node_dirs = get_nodes(temp_dir)
@@ -642,13 +1218,17 @@ def gen_json(node_info, scan_only_mode=False):
         py_files = get_py_file_paths(dirname)
         metadata = {}
 
-        nodes = set()
-        for py in py_files:
-            nodes_in_file, metadata_in_file = scan_in_file(py, dirname == "ComfyUI")
-            nodes.update(nodes_in_file)
-            # Include metadata from .py files in both modes
-            metadata.update(metadata_in_file)
-        
+        # Use per-repo cache for node AND metadata extraction
+        try:
+            nodes, metadata = extract_nodes_from_repo(Path(dirname), verbose=False, force_rescan=force_rescan)
+        except:
+            # Fallback to file-by-file scanning if extract_nodes_from_repo fails
+            nodes = set()
+            for py in py_files:
+                nodes_in_file, metadata_in_file = scan_in_file(py, dirname == "ComfyUI")
+                nodes.update(nodes_in_file)
+                metadata.update(metadata_in_file)
+
         dirname = os.path.basename(dirname)
 
         if 'Jovimetrix' in dirname:
@@ -810,11 +1390,14 @@ if __name__ == "__main__":
     print("\n# Generating 'extension-node-map.json'...\n")
 
     # Generate extension-node-map.json
-    gen_json(updated_node_info, scan_only_mode)
+    force_rescan = args.force_rescan if hasattr(args, 'force_rescan') else False
+    if force_rescan:
+        print("⚠️  Force rescan enabled - ignoring all cached results\n")
+    gen_json(updated_node_info, scan_only_mode, force_rescan)
 
     print("\n✅ DONE.\n")
 
     if scan_only_mode:
         print("Output: extension-node-map.json (node mappings only)")
     else:
-        print("Output: extension-node-map.json (full metadata)")
+        print("Output: extension-node-map.json (full metadata)")