Describe the bug

The deprecated --guest-only-loopback=false CLI flag (and the corresponding INI option guest_only_loopback) no longer has any effect. It sets @guest_only_loopback but the auth code only checks @default_user_only_loopback, which remains true (the default).

This means anyone relying on the deprecated flag to allow remote guest login is silently locked out with a 401.

Describe your setup

Affects the main branch. Introduced in commit 5ae8bf7 ("Rewrite config with annotations and macros (#917)").

Prior to that commit, 8b1ac0c5 ("Configurable default user & password (#919)") correctly wired --guest-only-loopback to set @default_user_only_loopback. The config rewrite replaced the hand-written CLI/INI parsing with annotation macros, and in doing so guest_only_loopback became an independent property that no longer propagates to default_user_only_loopback.

How to reproduce

1. Start LavinMQ with --guest-only-loopback=false
2. Attempt to connect as guest from a non-loopback address (or via the HTTP API through Docker port mapping)
3. Connection is rejected with 401

Expected behavior

--guest-only-loopback=false should disable loopback-only enforcement for the default user, matching the behavior of --default-user-only-loopback=false.