fix(install): P0-2 Neo4j secrets path + P0-3 conditional + P0-4 MCP paths

P0-2 — Neo4j secrets paths
==========================
install_neo4j.sh already generated a per-install random password
(openssl rand -hex 16), but it wrote both the password file and the
env file under /root/.uaml/{keys,etc}/ — fine in the legacy layout,
broken after ecosystem-policy §5 (DB + state under /home/uaml/).

This rewrite:
 - Pass file moves to $UAML_HOME_DIR/keys/neo4j-pass (default
   /home/uaml/keys/neo4j-pass), owned by uaml:uaml mode 0750.
 - Env file written to TWO locations:
   * /home/uaml/etc/neo4j.env (legacy systemd EnvironmentFile path)
   * /etc/uaml/neo4j.env (host-wide so the bundled MCP server, which
     runs as uaml and cannot read /root/.uaml/, can pick it up)
 - Back-compat symlinks at /root/.uaml/{etc,keys}/ point at the new
   locations so any caller still hard-coding the legacy path keeps
   working.

EnvironmentFile= directives in install_steps.json (uaml-relationship-
builder + uaml-neo4j-import services) updated to /etc/uaml/neo4j.env.

The hardcoded `uaml2026secure` fallback in the bundled MCP server is
not reachable on a fresh install: NEO4J_PASS is sourced from
/etc/uaml/neo4j.env (or the env file the systemd unit loads), and the
fallback only fires when no env var and no env file is present —
i.e. when Neo4j was never installed, in which case the value doesn't
matter because no Cypher request will ever succeed.

P0-3 — Neo4j services conditional
=================================
uaml-relationship-builder.service and uaml-neo4j-import.timer were
enabled+started unconditionally. On any host without Neo4j (which is
the common case — Neo4j is heavyweight and most users do not need the
graph layer) both services land in `activating (auto-restart)` and
fill journalctl with `Wants=neo4j.service` failures forever.

Both `systemctl daemon-reload && systemctl enable --now <unit>`
invocations are now wrapped in:

  if command -v cypher-shell >/dev/null 2>&1 \
     || systemctl is-active --quiet neo4j; then
    systemctl enable --now <unit>
  else
    echo '  neo4j not present — leaving <unit> disabled (...)'
    systemctl disable <unit> 2>/dev/null
  fi

The unit files are still written so a later `apt install neo4j` +
`systemctl enable --now uaml-relationship-builder` works without
re-running smart-install.

P0-4 — MCP server openclaw workspace path removal
=================================================
The bundled MCP server hard-coded
~/.openclaw/workspace/projects/_active/uaml-package
in two ways:
 - A module-level _UAML_PACKAGE_PATH constant prepended to sys.path
 - 7 inline copies of
   os.path.join(os.path.dirname(os.path.dirname(__file__)),
                "projects", "_active", "uaml-package")
   sprinkled through tool handlers, plus one inside the SSE POST
   handler that did `_sys.path.insert(0, ...openclaw...)` before
   `from uaml.auth.service import AuthService`.

In a clean smart-install layout (/opt/uaml-mcp-server/uaml_mcp_server.py
+ /opt/uaml-package), none of those paths exist; uaml.* imports
silently failed and the affected tools returned "module not found".

Replaced with a single robust block at the top of the module:

  _UAML_PACKAGE_CANDIDATES = [
      os.environ.get("UAML_PACKAGE_PATH", ""),
      "/opt/uaml-package",
      ~/.openclaw/...,           # legacy dev path
  ]
  for cand in candidates: if isdir, prepend to sys.path
  _UAML_PACKAGE_PATH = first existing candidate

All 7 inline derivations replaced with the constant. The SSE auth
block now imports AuthService directly (sys.path is already set up)
and gracefully falls back to "anonymous" sub when the import fails
(slim install without uaml.auth).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
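
Added example, not code from this commit or the UAML project: one way to write the candidate-path resolution described under P0-4. The names default_candidates, is_safe_dir and resolve_package_path, and the rule that skips group- or world-writable directories, are assumptions of this sketch; candidates are inserted in reverse so the highest-priority one ends up first on sys.path.

```python
import os
import stat
import sys


def default_candidates(environ=os.environ):
    """Candidate directories, highest priority first."""
    return [
        environ.get("UAML_PACKAGE_PATH", ""),  # operator override
        "/opt/uaml-package",                   # smart-install layout
        # legacy dev path, as quoted in the commit message
        os.path.expanduser("~/.openclaw/workspace/projects/_active/uaml-package"),
    ]


def is_safe_dir(path):
    """Directory exists and is not group- or world-writable (sketch's assumption)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and not mode & (stat.S_IWGRP | stat.S_IWOTH)


def resolve_package_path(candidates, path_list=None):
    """Prepend usable candidates to path_list; return the first one or None."""
    path_list = sys.path if path_list is None else path_list
    usable = []
    for cand in candidates:
        if not cand:  # unset env var gives "", which must never reach sys.path
            continue
        cand = os.path.abspath(cand)
        if is_safe_dir(cand) and cand not in usable:
            usable.append(cand)
    # Insert in reverse so usable[0] ends up at index 0 (import priority kept).
    for cand in reversed(usable):
        if cand in path_list:
            path_list.remove(cand)
        path_list.insert(0, cand)
    return usable[0] if usable else None
```

A None return is the slim-install case: the caller can then skip the uaml.* imports instead of failing later with "module not found".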
