fix(web): read git SHA from .git in the image instead of SOURCE_COMMIT

Coolify v4 doesn't inject SOURCE_COMMIT (only COOLIFY_BRANCH,
COOLIFY_FQDN, COOLIFY_RESOURCE_UUID, COOLIFY_URL and the container
name). The previous build-arg approach always resolved to "dev".

Switch the web build context to the repo root so the Dockerfile can
COPY .git into a scratch path, parse HEAD → SHA with a small sh
snippet (handles both detached-HEAD and packed-refs), and stamp the
image with a /git_commit file. settings.py now prefers env GIT_COMMIT
(for local dev overrides) and falls back to /git_commit → "dev".

The .git copy is the last content layer, so only this thin layer
invalidates per commit; pip install stays cached.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

web/settings.py

@@ -61,6 +61,19 @@ ANTHROPIC_API_KEY: str = getenv("ANTHROPIC_API_KEY", "")
 ANTHROPIC_MODEL: str = getenv("ANTHROPIC_MODEL", "claude-haiku-4-5-20251001")
 
 # --- Build info --------------------------------------------------------------
-# Baked into the image at docker build time via the Dockerfile ARG; rendered in
-# the site footer so the running commit is visible at a glance.
-GIT_COMMIT: str = getenv("GIT_COMMIT", "dev")
+# The Dockerfile writes /git_commit at build time by parsing the repo's .git
+# dir (Coolify doesn't expose the SHA as an env var). Env GIT_COMMIT overrides
+# the file so local dev can fake a value. Rendered in the site footer so the
+# running commit is visible at a glance.
+def _read_git_commit() -> str:
+    env_val = getenv("GIT_COMMIT", "").strip()
+    if env_val:
+        return env_val
+    try:
+        with open("/git_commit") as _f:
+            return _f.read().strip() or "dev"
+    except OSError:
+        return "dev"
+
+
+GIT_COMMIT: str = _read_git_commit()