Fix default permission profile for API (#874)

This was ommitted from the API code. Need to figure out if this logic can be moved inside the runconfig creation code.

Author: dmjb

pkg/api/v1/workloads.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/stacklok/toolhive/pkg/container/runtime"
 	"github.com/stacklok/toolhive/pkg/logger"
+	"github.com/stacklok/toolhive/pkg/permissions"
 	"github.com/stacklok/toolhive/pkg/runner"
 	"github.com/stacklok/toolhive/pkg/runner/retriever"
 	"github.com/stacklok/toolhive/pkg/secrets"
@@ -223,6 +224,12 @@ func (s *WorkloadRoutes) createWorkload(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	// Mimic behavior of the CLI by defaulting to the "network" permission profile.
+	// TODO: Consider moving this into the run config creation logic.
+	if req.PermissionProfile == "" {
+		req.PermissionProfile = permissions.ProfileNetwork
+	}
+
 	// Fetch or build the requested image
 	// TODO: Make verification configurable and return errors over the API.
 	imageURL, imageMetadata, err := retriever.GetMCPServer(