fix(web): take git SHA from Coolify's runtime SOURCE_COMMIT

The .git-COPY approach from a35e6c9 never actually deployed: BuildKit
rejected `COPY .git /tmp/.git` with "failed to calculate checks"
because Coolify's build context doesn't include .git, so deploy 86
failed and the stale 0144cb2 image kept serving "build dev" in the
footer.

Coolify v4 already injects SOURCE_COMMIT into the container env at
runtime by default (build-time only on opt-in, since it busts the
build cache by definition). Map SOURCE_COMMIT → GIT_COMMIT in
docker-compose, drop the build-time SHA stamping (and the repo-root
build context that only existed to reach .git), and shrink
_read_git_commit to a one-liner getenv.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -1,16 +1,15 @@
 services:
   web:
-    build:
-      # Context is the repo root so the Dockerfile can read .git for the
-      # SHA stamp — Coolify doesn't expose the commit as an env var.
-      context: .
-      dockerfile: web/Dockerfile
+    build: ./web
     container_name: lazyflat-web
     restart: unless-stopped
     depends_on:
       apply:
         condition: service_started
     environment:
+      # Coolify injects SOURCE_COMMIT at runtime on every deploy; settings.py
+      # reads GIT_COMMIT and renders it in the footer.
+      - GIT_COMMIT=${SOURCE_COMMIT:-dev}
       - AUTH_USERNAME=${AUTH_USERNAME}
       - AUTH_PASSWORD_HASH=${AUTH_PASSWORD_HASH}
       - SESSION_SECRET=${SESSION_SECRET}