Add default-external network for standalone services with listen ports

[richardkiene]

Problem

When running a standalone service via fabricks service run ./my-service, the service binds to a port but external access is denied because the service is not on any network.

Currently, services must be part of a mortar composition with explicitly defined networks to allow external access. This makes standalone service testing difficult.

Expected Behavior

Standalone services (not part of a mortar composition) that declare listen ports in their capabilities should be accessible externally by default.

Proposed Solution

When a service is deployed without a mortar context and has capabilities.network.listen ports defined:

1. Automatically create a "default-external" network
2. Add the standalone service to this network
3. The network should have access: external to allow ingress

This maintains the secure-by-default model (services without listen ports remain internal) while making standalone development/testing practical.

Implementation Notes

• Modify fabricksd/src/service/manager.rs in run_fabrickfile() to detect standalone services
• Create/use a singleton "default-external" network for these services
• Only apply to services with listen ports defined

Related

• Network access control: fabricksd/src/network/manager.rs:service_allows_external_access()
• Ingress validation: fabricksd/src/network/validation.rs:validate_ingress()