security: remove hardcoded build-time DATABASE_URL and enforce environment-only configuration

Dockerfile

@@ -20,7 +20,6 @@ COPY . .
 # Environment variables must be present at build time for Next.js
 # Coolify will provide these, but we can set defaults
 ENV NEXT_TELEMETRY_DISABLED=1
-ENV DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy"
 
 # Generate Prisma Client
 RUN npx prisma generate

src/lib/prisma.ts

@@ -4,21 +4,25 @@ import pg from "pg";
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-const connectionString = process.env.DATABASE_URL || "postgresql://dummy:dummy@localhost:5432/dummy";
+const connectionString = process.env.DATABASE_URL;
 
-// Only throw if we are actually trying to use the DB in a real production/dev runtime
-if (!process.env.DATABASE_URL && process.env.NODE_ENV === "production" && typeof window === "undefined" && !process.env.NEXT_PHASE) {
-   // However, Next.js build phase often needs this. 
-   // We'll let it pass with the dummy string above if it's just for static generation.
+// During Next.js build phase (NEXT_PHASE), we allow the connection string to be missing
+// to prevent the build from failing. In a real runtime, the Prisma client will
+// throw an error if the connection fails, which is the expected behavior.
+if (!connectionString && process.env.NODE_ENV === "production" && !process.env.NEXT_PHASE) {
+  throw new Error("DATABASE_URL is not set in the environment.");
 }
 
+const getAdapter = () => {
+  if (!connectionString) return undefined;
   const pool = new pg.Pool({ connectionString });
-const adapter = new PrismaPg(pool);
+  return new PrismaPg(pool);
+};
 
 export const prisma =
   globalForPrisma.prisma ||
   new PrismaClient({
-    adapter,
+    adapter: getAdapter(),
     log: ["query"],
   });