Harden extension add --from flow and align --dev/--from semantics

[Copilot]

This PR addresses all actionable comments in review thread pullrequestreview-4301684579 for PR #2582. The goal is to keep the path-traversal hardening while removing regressions in CLI behavior and URL-install handling.

• CLI option semantics

  • Rejects specify extension add ... --dev --from ... as mutually exclusive instead of letting --from side effects run on a code path where --dev takes precedence.

• URL install path hardening

  • Removes pathname-based ZIP staging for --from installs.
  • Downloads the archive into memory and installs from bytes, avoiding cache-path creation/cleanup races and path-based TOCTOU windows in this flow.

• Extension manager API refinement

  • Adds ExtensionManager.install_from_zip_bytes(...).
  • Refactors install_from_zip(path) into a thin file-read wrapper delegating to the bytes-based implementation.
  • Keeps ZIP extraction safeguards and adds clearer doc/error handling around ZIP file reads.

• Focused regression coverage

  • Adds tests for:
    • --dev + --from rejection.
    • --from using in-memory ZIP bytes install path.

# before: path-based staging + install
with _open_url(from_url, timeout=60) as response:
    zip_data = response.read()
zip_path.write_bytes(zip_data)
manifest = manager.install_from_zip(zip_path, speckit_version, priority=priority)

# after: in-memory install
with _open_url(from_url, timeout=60) as response:
    zip_bytes = response.read()
manifest = manager.install_from_zip_bytes(zip_bytes, speckit_version, priority=priority)