fix(web): disable anonymous login by default (guest button removal)

claudemesh requires an account — mesh membership is tied to user.id.
e8ad7a5 flipped the config default but the env var override at
env.config.ts:43 still defaulted to true, keeping the button visible.

Fixed at env var level + example files. Needs Coolify rebuild since
NEXT_PUBLIC_* is build-time in Next standalone.

apps/web/.env.example

@@ -31,7 +31,7 @@ NEXT_PUBLIC_AUTH_MAGIC_LINK="false"
 NEXT_PUBLIC_AUTH_PASSKEY="true"
 
 # Use this variable to enable or disable anonymous authentication. If you set this to true, users will be able to proceed to your app without "traditional" authentication. If you set this to false, the anonymous login won't be available.
-NEXT_PUBLIC_AUTH_ANONYMOUS="true"
+NEXT_PUBLIC_AUTH_ANONYMOUS="false"
 
 # Auth server secret - used to sign the tokens
 BETTER_AUTH_SECRET="lT4GdPj3OSx00OcTRUdwywn1DNgBBuvK"

apps/web/env.config.ts

@@ -40,7 +40,7 @@ export default defineEnv({
     NEXT_PUBLIC_AUTH_PASSWORD: castStringToBool.optional().default(true),
     NEXT_PUBLIC_AUTH_MAGIC_LINK: castStringToBool.optional().default(false),
     NEXT_PUBLIC_AUTH_PASSKEY: castStringToBool.optional().default(true),
-    NEXT_PUBLIC_AUTH_ANONYMOUS: castStringToBool.optional().default(true),
+    NEXT_PUBLIC_AUTH_ANONYMOUS: castStringToBool.optional().default(false),
 
     NEXT_PUBLIC_PRODUCT_NAME: z.string().optional().default("claudemesh"),
     NEXT_PUBLIC_URL: z.string().url().optional().default("http://localhost:3000"),