Fix PHPStan failure by only enforcing fullBaseUrl in web context

The security check was throwing an exception during PHPStan static
analysis because it runs with debug=false but no HTTP_HOST. Modified
the logic to only enforce the fullBaseUrl requirement when in a web
request context (HTTP_HOST is present). This allows CLI tools like
PHPStan to load the bootstrap without errors while still maintaining
the security check for actual web requests in production.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: dereuromark

config/bootstrap.php

@@ -158,7 +158,13 @@
  */
 $fullBaseUrl = Configure::read('App.fullBaseUrl');
 if (!$fullBaseUrl) {
-    if (!Configure::read('debug')) {
+    $httpHost = env('HTTP_HOST');
+
+    /*
+     * Only enforce fullBaseUrl requirement when we're in a web request context.
+     * This allows CLI tools (like PHPStan) to load the bootstrap without throwing.
+     */
+    if (!Configure::read('debug') && $httpHost) {
         throw new \Cake\Core\Exception\CakeException(
             'SECURITY: App.fullBaseUrl is not configured. ' .
             'This is required in production to prevent Host Header Injection attacks. ' .
@@ -170,13 +176,11 @@
      * Development mode fallback: Use HTTP_HOST for convenience.
      * WARNING: This is ONLY safe in development. Never use this pattern in production!
      */
-    $s = null;
-    if (env('HTTPS')) {
-        $s = 's';
-    }
-
-    $httpHost = env('HTTP_HOST');
     if ($httpHost) {
+        $s = null;
+        if (env('HTTPS')) {
+            $s = 's';
+        }
         $fullBaseUrl = 'http' . $s . '://' . $httpHost;
     }
     unset($httpHost, $s);