stacklok
diff --git a/‎docs/server/docs.go
Lines changed: 1 addition & 1 deletion b/‎docs/server/docs.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/server/swagger.json
Lines changed: 1 addition & 1 deletion b/‎docs/server/swagger.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/server/swagger.yaml
Lines changed: 6 additions & 4 deletions b/‎docs/server/swagger.yaml
Lines changed: 6 additions & 4 deletions
diff --git a/‎pkg/api/v1/workloads.go
Lines changed: 27 additions & 40 deletions b/‎pkg/api/v1/workloads.go
Lines changed: 27 additions & 40 deletions
diff --git a/‎pkg/runner/config.go
Lines changed: 4 additions & 0 deletions b/‎pkg/runner/config.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/runner/config_builder.go
Lines changed: 15 additions & 2 deletions b/‎pkg/runner/config_builder.go
Lines changed: 15 additions & 2 deletions
diff --git a/‎pkg/runner/config_builder_test.go
Lines changed: 127 additions & 0 deletions b/‎pkg/runner/config_builder_test.go
Lines changed: 127 additions & 0 deletions
@@ -230,8 +230,8 @@ func (s *WorkloadRoutes) createWorkload(w http.ResponseWriter, r *http.Request)
 
 	// Mimic behavior of the CLI by defaulting to the "network" permission profile.
 	// TODO: Consider moving this into the run config creation logic.
-	if req.PermissionProfile == "" {
-		req.PermissionProfile = permissions.ProfileNetwork
+	if req.PermissionProfile != nil {
+		req.PermissionProfile = permissions.BuiltinNetworkProfile()
 	}
 
 	// Fetch or build the requested image
@@ -253,43 +253,28 @@ func (s *WorkloadRoutes) createWorkload(w http.ResponseWriter, r *http.Request)
 
 	// NOTE: None of the k8s-related config logic is included here.
 	runSecrets := secrets.SecretParametersToCLI(req.Secrets)
-	runConfig, err := runner.NewRunConfigFromFlags(
-		ctx,
-		s.containerRuntime,
-		req.CmdArguments,
-		req.Name,
-		imageURL,
-		imageMetadata,
-		req.Host,
-		s.debugMode,
-		req.Volumes,
-		runSecrets,
-		req.AuthzConfig,
-		"",    // req.AuditConfig not set - auditing not exposed through API yet.
-		false, // req.EnableAudit not set - auditing not exposed through API yet.
-		req.PermissionProfile,
-		transport.LocalhostIPv4, // Seems like a reasonable default for now.
-		req.Transport,
-		0, // Let the workloadManager figure out which port to use.
-		req.TargetPort,
-		req.EnvVars,
-		req.OIDC.Issuer,
-		req.OIDC.Audience,
-		req.OIDC.JwksURL,
-		req.OIDC.ClientID,
-		req.OIDC.AllowOpaqueTokens,
-		"",    // otelEndpoint - not exposed through API yet
-		"",    // otelServiceName - not exposed through API yet
-		0.0,   // otelSamplingRate - default value
-		nil,   // otelHeaders - not exposed through API yet
-		false, // otelInsecure - not exposed through API yet
-		false, // otelEnablePrometheusMetricsPath - not exposed through API yet
-		nil,   // otelEnvironmentVariables - not exposed through API yet
-		false, // isolateNetwork - not exposed through API yet
-		"",    // k8s patch - not relevant here.
-		&runner.DetachedEnvVarValidator{},
-		types.ProxyMode(req.ProxyMode),
-	)
+	runConfig, err := runner.NewRunConfigBuilder().
+		WithRuntime(s.containerRuntime).
+		WithCmdArgs(req.CmdArguments).
+		WithName(req.Name).
+		WithImage(imageURL).
+		WithHost(req.Host).
+		WithTargetHost(transport.LocalhostIPv4).
+		WithDebug(s.debugMode).
+		WithVolumes(req.Volumes).
+		WithSecrets(runSecrets).
+		WithAuthzConfigPath(req.AuthzConfig).
+		WithAuditConfigPath("").
+		WithPermissionProfile(req.PermissionProfile).
+		WithNetworkIsolation(req.NetworkIsolation).
+		WithK8sPodPatch("").
+		WithProxyMode(types.ProxyMode(req.ProxyMode)).
+		WithTransportAndPorts(req.Transport, 0, req.TargetPort).
+		WithAuditEnabled(false, "").
+		WithOIDCConfig(req.OIDC.Issuer, req.OIDC.Audience, req.OIDC.JwksURL, req.OIDC.ClientID, req.OIDC.AllowOpaqueTokens).
+		WithTelemetryConfig("", false, "", 0.0, nil, false, nil). // Not exposed through API yet.
+		Build(ctx, imageMetadata, req.EnvVars, &runner.DetachedEnvVarValidator{})
+
 	if err != nil {
 		logger.Errorf("Failed to create run config: %v", err)
 		http.Error(w, "Failed to create run config", http.StatusBadRequest)
@@ -504,9 +489,11 @@ type createRequest struct {
 	// OIDC configuration options
 	OIDC oidcOptions `json:"oidc"`
 	// Permission profile to apply
-	PermissionProfile string `json:"permission_profile"`
+	PermissionProfile *permissions.Profile `json:"permission_profile"`
 	// Proxy mode to use
 	ProxyMode string `json:"proxy_mode"`
+	// Whether network isolation is turned on. This applies the rules in the permission profile.
+	NetworkIsolation bool `json:"network_isolation"`
 }
 
 // oidcOptions represents OIDC configuration options
 
@@ -245,6 +245,10 @@ func (c *RunConfig) WithPorts(port, targetPort int) (*RunConfig, error) {
 
 // ParsePermissionProfile loads and sets the permission profile
 func (c *RunConfig) ParsePermissionProfile() (*RunConfig, error) {
+	if c.PermissionProfile != nil {
+		return c, nil
+	}
+
 	if c.PermissionProfileNameOrPath == "" {
 		return c, fmt.Errorf("permission profile name or path is required")
 	}
 
@@ -10,6 +10,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/authz"
 	rt "github.com/stacklok/toolhive/pkg/container/runtime"
 	"github.com/stacklok/toolhive/pkg/logger"
+	"github.com/stacklok/toolhive/pkg/permissions"
 	"github.com/stacklok/toolhive/pkg/registry"
 	"github.com/stacklok/toolhive/pkg/telemetry"
 	"github.com/stacklok/toolhive/pkg/transport"
@@ -108,9 +109,21 @@ func (b *RunConfigBuilder) WithAuditConfigPath(path string) *RunConfigBuilder {
 	return b
 }
 
-// WithPermissionProfileNameOrPath sets the permission profile name or path
+// WithPermissionProfileNameOrPath sets the permission profile name or path.
+// If called multiple times or mixed with WithPermissionProfile,
+// the last call takes precedence.
 func (b *RunConfigBuilder) WithPermissionProfileNameOrPath(profile string) *RunConfigBuilder {
 	b.config.PermissionProfileNameOrPath = profile
+	b.config.PermissionProfile = nil // Clear any existing profile
+	return b
+}
+
+// WithPermissionProfile sets the permission profile directly.
+// If called multiple times or mixed with WithPermissionProfile,
+// the last call takes precedence.
+func (b *RunConfigBuilder) WithPermissionProfile(profile *permissions.Profile) *RunConfigBuilder {
+	b.config.PermissionProfile = profile
+	b.config.PermissionProfileNameOrPath = "" // Clear any existing name or path
 	return b
 }
 
@@ -290,7 +303,7 @@ func (b *RunConfigBuilder) validateConfig(imageMetadata *registry.ImageMetadata)
 	}
 
 	// If we are missing the permission profile, attempt to load one from the image metadata.
-	if c.PermissionProfileNameOrPath == "" && imageMetadata != nil {
+	if c.PermissionProfileNameOrPath == "" && c.PermissionProfile == nil && imageMetadata != nil {
 		permProfilePath, err := CreatePermissionProfileFile(c.Name, imageMetadata.Permissions)
 		if err != nil {
 			// Just log the error and continue with the default permission profile
 
@@ -0,0 +1,127 @@
+package runner
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/stacklok/toolhive/pkg/logger"
+	"github.com/stacklok/toolhive/pkg/permissions"
+	"github.com/stacklok/toolhive/pkg/registry"
+)
+
+func TestRunConfigBuilder_Build_WithPermissionProfile(t *testing.T) {
+	t.Parallel()
+
+	// Needed to prevent a nil pointer dereference in the logger.
+	logger.Initialize()
+
+	// Create a mock environment variable validator
+	mockValidator := &mockEnvVarValidator{}
+
+	imageMetadata := &registry.ImageMetadata{
+		Name: "test-image",
+		Permissions: &permissions.Profile{
+			Network: &permissions.NetworkPermissions{
+				Outbound: &permissions.OutboundNetworkPermissions{
+					InsecureAllowAll: true,
+					AllowTransport:   []string{"http", "https"},
+				},
+			},
+			Read:  []permissions.MountDeclaration{permissions.MountDeclaration("/test/read")},
+			Write: []permissions.MountDeclaration{permissions.MountDeclaration("/test/write")},
+		},
+	}
+
+	testCases := []struct {
+		name                      string
+		setupBuilder              func(*RunConfigBuilder) *RunConfigBuilder
+		expectedPermissionProfile *permissions.Profile
+		imageMetadata             *registry.ImageMetadata
+	}{
+		{
+			name: "Build with direct permission profile",
+			setupBuilder: func(b *RunConfigBuilder) *RunConfigBuilder {
+				return b.WithPermissionProfile(permissions.BuiltinNetworkProfile())
+			},
+			imageMetadata:             imageMetadata,
+			expectedPermissionProfile: permissions.BuiltinNetworkProfile(),
+		},
+		{
+			name: "Build with permission profile name",
+			setupBuilder: func(b *RunConfigBuilder) *RunConfigBuilder {
+				return b.WithPermissionProfileNameOrPath(permissions.ProfileNetwork)
+			},
+			imageMetadata:             imageMetadata,
+			expectedPermissionProfile: permissions.BuiltinNetworkProfile(),
+		},
+		{
+			name: "Build after profile name overrides direct profile",
+			setupBuilder: func(b *RunConfigBuilder) *RunConfigBuilder {
+				return b.WithPermissionProfile(permissions.BuiltinNoneProfile()).
+					WithPermissionProfileNameOrPath(permissions.ProfileNetwork)
+			},
+			imageMetadata:             imageMetadata,
+			expectedPermissionProfile: permissions.BuiltinNetworkProfile(),
+		},
+		{
+			name: "Build after direct profile overrides profile name",
+			setupBuilder: func(b *RunConfigBuilder) *RunConfigBuilder {
+				return b.WithPermissionProfileNameOrPath(permissions.ProfileNetwork).
+					WithPermissionProfile(permissions.BuiltinNoneProfile())
+			},
+			imageMetadata:             imageMetadata,
+			expectedPermissionProfile: permissions.BuiltinNoneProfile(),
+		},
+		{
+			name: "Build with permissions from image metadata",
+			setupBuilder: func(b *RunConfigBuilder) *RunConfigBuilder {
+				return b.WithName("test-container")
+			},
+			imageMetadata: imageMetadata,
+			expectedPermissionProfile: &permissions.Profile{
+				Network: &permissions.NetworkPermissions{
+					Outbound: &permissions.OutboundNetworkPermissions{
+						InsecureAllowAll: true,
+						AllowTransport:   []string{"http", "https"},
+					},
+				},
+				Read:  []permissions.MountDeclaration{permissions.MountDeclaration("/test/read")},
+				Write: []permissions.MountDeclaration{permissions.MountDeclaration("/test/read")},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Create a new builder and apply the setup
+			builder := tc.setupBuilder(NewRunConfigBuilder())
+			require.NotNil(t, builder, "Builder should not be nil")
+
+			// Build the configuration with required parameters
+			ctx := context.Background()
+			config, err := builder.Build(ctx, tc.imageMetadata, nil, mockValidator)
+			require.NoError(t, err, "Build should not return an error")
+			require.NotNil(t, config, "Built config should not be nil")
+
+			assert.NotNil(t, config.PermissionProfile, "Built config's PermissionProfile should not be nil")
+
+			// Compare specific fields of the permission profile
+			assert.Equal(t, tc.expectedPermissionProfile.Network.Outbound.InsecureAllowAll,
+				config.PermissionProfile.Network.Outbound.InsecureAllowAll,
+				"Network outbound setting allow all should match in built config")
+			assert.Equal(t, tc.expectedPermissionProfile.Network.Outbound.AllowTransport,
+				config.PermissionProfile.Network.Outbound.AllowTransport,
+				"Network outbound setting transport should match in built config")
+
+			assert.Equal(t, len(tc.expectedPermissionProfile.Read), len(config.PermissionProfile.Read),
+				"Number of read permissions should match in built config")
+			assert.Equal(t, len(tc.expectedPermissionProfile.Write), len(config.PermissionProfile.Write),
+				"Number of write permissions should match in built config")
+		})
+	}
+}