fix: harden install.sh against inherited Python env leakage

[teknium1]

Salvages the install.sh portion of #20466 onto current main. PR #20466 bundled three unrelated changes under a misleading title; this PR is the install.sh piece alone. The UI padding changes will come in a separate PR.

Summary

Sanitize inherited PYTHONPATH / PYTHONHOME during install, and replace the hermes symlink with a small launcher wrapper that clears them before exec. Prevents a fresh install from being silently overridden when the installer is run from a Python-driven session that has PYTHONPATH set.

Changes

• scripts/install.sh: early unset PYTHONPATH / unset PYTHONHOME; replace ln -sf shim with a tiny bash wrapper that unsets both before exec "$HERMES_BIN" "\$@".
• tests/test_install_sh_pythonpath_sanitization.py: grep-style regression tests covering install-time unset + wrapper contents.

Validation

• bash -n scripts/install.sh — OK
• scripts/run_tests.sh tests/test_install_sh_pythonpath_sanitization.py — 2/2 pass
• Local E2E: generated the wrapper as install.sh does, invoked it with PYTHONPATH=/stale + PYTHONHOME=/fake set; fake HERMES_BIN saw both as unset and args were forwarded verbatim.

Notes

• hermes doctor already tolerates a non-symlink at the command-link path (line 854 treats it as "exists (non-symlink)"), so the switch from symlink to wrapper doesn't break the existing doctor check.
• hermes doctor --fix only re-creates symlinks, so a stale wrapper pointing to a moved venv wouldn't self-heal — same failure mode as a stale symlink, different error text. Not addressed here.

Credits @adybag14-cyber — cherry-picked onto current main with authorship preserved.

Closes part of #20466.