@aifabrix/builder 2.38.0 → 2.39.1

package/lib/app/show.js

@@ -418,6 +418,7 @@ function buildApplicationFromAppCfg(app, cfg, portalInputConfigurations) {
     build: formatBuildForDisplay(cfg.build ?? app.build),
     status: pickAppCfg('status', app, cfg, '—'),
     url: pickAppCfg('url', app, cfg, '—'),
+    internalUrl: pickAppCfg('internalUrl', app, cfg, '—'),
     roles: cfg.roles ?? app.roles,
     permissions: cfg.permissions ?? app.permissions,
     authentication: cfg.authentication ?? app.authentication,
@@ -485,9 +486,10 @@ function buildOnlineSummary(apiApp, controllerUrl, externalSystem) {
  * Run show in offline mode: generate manifest (same as aifabrix json) and use it; else fall back to variables.yaml.
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
+ * @param {boolean} [permissionsOnly] - When true, output only permissions
  * @throws {Error} If variables.yaml not found or invalid YAML
  */
-async function runOffline(appKey, json) {
+async function runOffline(appKey, json, permissionsOnly) {
   let summary;
 
   try {
@@ -503,6 +505,16 @@ async function runOffline(appKey, json) {
   }
 
   if (json) {
+    if (permissionsOnly) {
+      const out = {
+        source: summary.source,
+        path: summary.path,
+        appKey: summary.appKey,
+        permissions: summary.permissions || []
+      };
+      logger.log(JSON.stringify(out, null, 2));
+      return;
+    }
     const out = {
       source: summary.source,
       path: summary.path,
@@ -519,7 +531,7 @@ async function runOffline(appKey, json) {
     logger.log(JSON.stringify(out, null, 2));
     return;
   }
-  displayShow(summary);
+  displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
 async function resolveOnlineAuth(controllerUrl) {
@@ -550,7 +562,17 @@ async function fetchExternalSystemForOnline(controllerUrl, appKey, authConfig) {
   }
 }
 
-function outputOnlineJson(summary) {
+function outputOnlineJson(summary, permissionsOnly) {
+  if (permissionsOnly) {
+    const out = {
+      source: summary.source,
+      controllerUrl: summary.controllerUrl,
+      appKey: summary.appKey,
+      permissions: summary.permissions || []
+    };
+    logger.log(JSON.stringify(out, null, 2));
+    return;
+  }
   const out = {
     source: summary.source,
     controllerUrl: summary.controllerUrl,
@@ -562,6 +584,7 @@ function outputOnlineJson(summary) {
       type: summary.application.type,
       status: summary.application.status,
       url: summary.application.url,
+      internalUrl: summary.application.internalUrl,
       port: summary.application.port,
       configuration: summary.application.configuration,
       roles: summary.application.roles,
@@ -583,9 +606,10 @@ function outputOnlineJson(summary) {
  * Run show in online mode: getApplication, optionally dataplane for external, display or JSON.
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
+ * @param {boolean} [permissionsOnly] - When true, output only permissions
  * @throws {Error} On auth failure, 404, or API error
  */
-async function runOnline(appKey, json) {
+async function runOnline(appKey, json, permissionsOnly) {
   const controllerUrl = await resolveControllerUrl();
   if (!controllerUrl) {
     throw new Error('Controller URL is required for --online. Run aifabrix login to set the controller URL in config.yaml.');
@@ -599,10 +623,10 @@ async function runOnline(appKey, json) {
     : null;
   const summary = buildOnlineSummary(apiApp, authResult.actualControllerUrl, externalSystem);
   if (json) {
-    outputOnlineJson(summary);
+    outputOnlineJson(summary, permissionsOnly);
     return;
   }
-  displayShow(summary);
+  displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
 /**
@@ -612,6 +636,7 @@ async function runOnline(appKey, json) {
  * @param {Object} options - Options
  * @param {boolean} [options.online] - Fetch from controller
  * @param {boolean} [options.json] - Output as JSON
+ * @param {boolean} [options.permissions] - When true, output only permissions (app show --permissions)
  * @throws {Error} If file missing/invalid (offline) or API/auth error (online)
  */
 async function showApp(appKey, options = {}) {
@@ -621,11 +646,12 @@ async function showApp(appKey, options = {}) {
 
   const online = Boolean(options.online);
   const json = Boolean(options.json);
+  const permissions = Boolean(options.permissions);
 
   if (online) {
-    await runOnline(appKey, json);
+    await runOnline(appKey, json, permissions);
   } else {
-    await runOffline(appKey, json);
+    await runOffline(appKey, json, permissions);
   }
 }
 

package/lib/cli/index.js

@@ -21,6 +21,7 @@ const { setupExternalSystemCommands } = require('./setup-external-system');
 const { setupAppCommands: setupAppManagementCommands } = require('../commands/app');
 const { setupDatasourceCommands } = require('../commands/datasource');
 const { setupCredentialDeploymentCommands } = require('./setup-credential-deployment');
+const { setupServiceUserCommands } = require('./setup-service-user');
 
 /**
  * Sets up all CLI commands on the Commander program instance
@@ -35,6 +36,7 @@ function setupCommands(program) {
   setupDatasourceCommands(program);
   setupUtilityCommands(program);
   setupCredentialDeploymentCommands(program);
+  setupServiceUserCommands(program);
   setupExternalSystemCommands(program);
   setupDevCommands(program);
   setupSecretsCommands(program);

package/lib/cli/setup-app.js

@@ -229,6 +229,7 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
 
   program.command('deploy <app>')
     .description('Deploy to Azure via Miso Controller')
+    .option('--deployment <target>', 'Deployment target: \'local\' (send manifest to controller, then run app locally) or \'cloud\' (deploy via Miso Controller only)', 'cloud')
     .option('--type <type>', 'Application type: external to deploy from integration/<app> (no app register needed)')
     .option('--client-id <id>', 'Client ID (overrides config)')
     .option('--client-secret <secret>', 'Client Secret (overrides config)')
@@ -236,7 +237,14 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
     .option('--no-poll', 'Do not poll for status')
     .action(async(appName, options) => {
       try {
+        const target = (options.deployment || 'cloud').toLowerCase();
+        if (target !== 'local' && target !== 'cloud') {
+          throw new Error('Deployment target must be \'local\' or \'cloud\'');
+        }
         await app.deployApp(appName, options);
+        if (target === 'local') {
+          await app.runApp(appName, options);
+        }
       } catch (error) {
         handleCommandError(error, 'deploy');
         process.exit(1);

package/lib/cli/setup-infra.js

@@ -83,10 +83,10 @@ function setupInfraCommands(program) {
     });
 
   program.command('up-miso')
-    .description('Install keycloak, miso-controller, and dataplane from images (no build). Infra must be up. Uses auto-generated secrets for testing.')
+    .description('Install keycloak and miso-controller from images (no build). Infra must be up. For dataplane use up-dataplane. Uses auto-generated secrets for testing.')
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
-    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
     .action(async(options) => {
       try {
         await handleUpMiso(options);
@@ -97,7 +97,7 @@ function setupInfraCommands(program) {
     });
 
   program.command('up-dataplane')
-    .description('Register and deploy dataplane app in dev (requires login, environment must be dev)')
+    .description('Register, deploy, then run dataplane app locally in dev (always local deployment; requires login, environment must be dev)')
     .option('-r, --registry <url>', 'Override registry for dataplane image')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <ref>', 'Override dataplane image reference (e.g. myreg/dataplane:latest)')

package/lib/cli/setup-service-user.js

@@ -0,0 +1,61 @@
+/**
+ * CLI service-user command setup.
+ * Command: service-user create (create service user, get one-time secret).
+ *
+ * @fileoverview Service user CLI definitions
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { handleCommandError } = require('../utils/cli-utils');
+const { runServiceUserCreate } = require('../commands/service-user');
+
+/**
+ * Sets up service-user commands
+ * @param {Command} program - Commander program instance
+ */
+function setupServiceUserCommands(program) {
+  const serviceUser = program
+    .command('service-user')
+    .description('Create and manage service users (API clients) for integrations and CI')
+    .addHelpText('after', `
+Service users are dedicated accounts for integrations, CI pipelines, or API clients.
+The controller returns a one-time clientSecret on create—save it immediately; it cannot be retrieved again.
+
+Example:
+  $ aifabrix service-user create -u api-client-001 -e api@example.com \\
+      --redirect-uris "https://app.example.com/callback" --group-names "AI-Fabrix-Developers"
+
+Required: permission service-user:create on the controller. Run "aifabrix login" first.`);
+
+  serviceUser
+    .command('create')
+    .description('Create a service user and receive a one-time clientSecret (save it now; it will not be shown again)')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('-u, --username <username>', 'Service user username (required)')
+    .option('-e, --email <email>', 'Email address (required)')
+    .option('--redirect-uris <uris>', 'Comma-separated OAuth2 redirect URIs (required)')
+    .option('--group-names <names>', 'Comma-separated group names to assign (required)')
+    .option('-d, --description <description>', 'Description for the service user')
+    .action(async(options) => {
+      try {
+        const opts = {
+          controller: options.controller,
+          username: options.username,
+          email: options.email,
+          redirectUris: options.redirectUris,
+          groupNames: options.groupNames,
+          description: options.description
+        };
+        await runServiceUserCreate(opts);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user create');
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { setupServiceUserCommands };

package/lib/commands/app.js

@@ -74,9 +74,10 @@ function setupAppCommands(program) {
     .command('show <appKey>')
     .description('Show application from controller (online). Same as aifabrix show <appKey> --online')
     .option('--json', 'Output as JSON')
+    .option('--permissions', 'Show only list of permissions')
     .action(async(appKey, options) => {
       try {
-        await showApp(appKey, { online: true, json: !!options.json });
+        await showApp(appKey, { online: true, json: !!options.json, permissions: !!options.permissions });
       } catch (error) {
         logger.error(chalk.red(`Error: ${error.message}`));
         process.exit(1);

package/lib/commands/service-user.js

@@ -0,0 +1,199 @@
+/**
+ * Service user create command – create service user and get one-time secret
+ * POST /api/v1/service-users. Used by `aifabrix service-user create`.
+ *
+ * @fileoverview Service user create command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getOrRefreshDeviceToken } = require('../utils/token-manager');
+const { normalizeControllerUrl } = require('../core/config');
+const { createServiceUser } = require('../api/service-users.api');
+
+const ONE_TIME_WARNING =
+  'Save this secret now; it will not be shown again.';
+
+/**
+ * Get auth token for service-user (device token from config)
+ * @async
+ * @param {string} controllerUrl - Controller base URL
+ * @returns {Promise<{token: string, controllerUrl: string}|null>}
+ */
+async function getServiceUserAuth(controllerUrl) {
+  const normalizedUrl = normalizeControllerUrl(controllerUrl);
+  const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
+  if (deviceToken && deviceToken.token) {
+    return {
+      token: deviceToken.token,
+      controllerUrl: deviceToken.controller || normalizedUrl
+    };
+  }
+  return null;
+}
+
+/**
+ * Extract clientId and clientSecret from API response.
+ * Controller returns { data: { user, clientSecret } }; API client puts body in response.data.
+ * So payload is at response.data.data. clientId may be on user.clientId or user.federatedIdentity.keycloakClientId.
+ * @param {Object} response - API response (success: true, data: body)
+ * @returns {{ clientId: string, clientSecret: string }}
+ */
+function extractCreateResponse(response) {
+  const payload = response?.data?.data ?? response?.data ?? response;
+  const user = payload?.user;
+  const clientId =
+    user?.clientId ??
+    user?.federatedIdentity?.keycloakClientId ??
+    payload?.clientId ??
+    '';
+  const clientSecret = payload?.clientSecret ?? '';
+  return { clientId, clientSecret };
+}
+
+/**
+ * Log error for failed create response and exit
+ * @param {Object} response - API response with success: false
+ */
+function handleCreateError(response) {
+  const status = response.status;
+  const msg = response.formattedError || response.error || 'Request failed';
+  if (status === 400) {
+    logger.error(chalk.red(`❌ Validation error: ${msg}`));
+  } else if (status === 401) {
+    logger.error(chalk.red('❌ Unauthorized. Run "aifabrix login" and try again.'));
+  } else if (status === 403) {
+    logger.error(chalk.red('❌ Missing permission: service-user:create'));
+    logger.error(chalk.gray('Your account needs the service-user:create permission on the controller.'));
+  } else {
+    logger.error(chalk.red(`❌ Failed to create service user: ${msg}`));
+  }
+  process.exit(1);
+}
+
+/**
+ * Display success output with clientId, clientSecret and one-time warning
+ * @param {string} clientId - Service user client ID
+ * @param {string} clientSecret - One-time client secret
+ */
+function displayCreateSuccess(clientId, clientSecret) {
+  logger.log(chalk.bold('\n✓ Service user created\n'));
+  logger.log(chalk.cyan('  clientId:    ') + clientId);
+  logger.log(chalk.cyan('  clientSecret: ') + clientSecret);
+  logger.log('');
+  logger.log(chalk.yellow('⚠ ' + ONE_TIME_WARNING));
+  logger.log('');
+}
+
+/**
+ * Parse comma-separated string into non-empty trimmed array
+ * @param {string} [val] - Comma-separated value
+ * @returns {string[]}
+ */
+function parseList(val) {
+  if (val === undefined || val === null || String(val).trim() === '') {
+    return [];
+  }
+  return String(val)
+    .split(',')
+    .map(s => s.trim())
+    .filter(Boolean);
+}
+
+/**
+ * Validate username, email, redirectUris, groupIds; exit on failure
+ * @param {Object} options - CLI options
+ * @returns {{ username: string, email: string, redirectUris: string[], groupNames: string[], description?: string }}
+ */
+function validateServiceUserOptions(options) {
+  const username = options.username?.trim();
+  const email = options.email?.trim();
+  const redirectUris = parseList(options.redirectUris);
+  const groupNames = parseList(options.groupNames);
+  if (!username) {
+    logger.error(chalk.red('❌ Username is required. Use --username <username>.'));
+    process.exit(1);
+  }
+  if (!email) {
+    logger.error(chalk.red('❌ Email is required. Use --email <email>.'));
+    process.exit(1);
+  }
+  if (redirectUris.length === 0) {
+    logger.error(chalk.red('❌ At least one redirect URI is required. Use --redirect-uris <uri1,uri2,...>.'));
+    process.exit(1);
+  }
+  if (groupNames.length === 0) {
+    logger.error(chalk.red('❌ At least one group name is required. Use --group-names <name1,name2,...>.'));
+    process.exit(1);
+  }
+  return {
+    username,
+    email,
+    redirectUris,
+    groupNames,
+    description: options.description?.trim() || undefined
+  };
+}
+
+/**
+ * Resolve controller URL and auth; exit on failure
+ * @async
+ * @param {Object} options - CLI options
+ * @returns {Promise<{ username: string, email: string, redirectUris: string[], groupNames: string[], description?: string, controllerUrl: string, authConfig: Object }>}
+ */
+async function resolveOptionsAndAuth(options) {
+  const validated = validateServiceUserOptions(options);
+  const controllerUrl = options.controller || (await resolveControllerUrl());
+  if (!controllerUrl) {
+    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
+    process.exit(1);
+  }
+  const authResult = await getServiceUserAuth(controllerUrl);
+  if (!authResult || !authResult.token) {
+    logger.error(chalk.red(`❌ No authentication token for controller: ${controllerUrl}`));
+    logger.error(chalk.gray('Run: aifabrix login'));
+    process.exit(1);
+  }
+  return {
+    ...validated,
+    controllerUrl: authResult.controllerUrl,
+    authConfig: { type: 'bearer', token: authResult.token }
+  };
+}
+
+/**
+ * Run service-user create: call POST /api/v1/service-users and display one-time secret with warning
+ * @async
+ * @param {Object} options - CLI options
+ * @param {string} [options.controller] - Controller URL override
+ * @param {string} options.username - Username (required)
+ * @param {string} options.email - Email (required)
+ * @param {string} options.redirectUris - Comma-separated redirect URIs (required, min 1)
+ * @param {string} options.groupNames - Comma-separated group names (required, e.g. AI-Fabrix-Developers)
+ * @param {string} [options.description] - Optional description
+ * @returns {Promise<void>}
+ */
+async function runServiceUserCreate(options = {}) {
+  const ctx = await resolveOptionsAndAuth(options);
+  const body = {
+    username: ctx.username,
+    email: ctx.email,
+    redirectUris: ctx.redirectUris,
+    groupNames: ctx.groupNames,
+    description: ctx.description
+  };
+  const response = await createServiceUser(ctx.controllerUrl, ctx.authConfig, body);
+  if (!response.success) {
+    handleCreateError(response);
+    return;
+  }
+  const { clientId, clientSecret } = extractCreateResponse(response);
+  displayCreateSuccess(clientId, clientSecret);
+}
+
+module.exports = {
+  runServiceUserCreate
+};

package/lib/commands/up-common.js

@@ -10,6 +10,7 @@
 
 const path = require('path');
 const fs = require('fs');
+const yaml = require('js-yaml');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const pathsUtil = require('../utils/paths');
@@ -30,8 +31,74 @@ async function ensureTemplateAtPath(appName, targetAppPath) {
   return true;
 }
 
+/**
+ * Resolve the directory (folder) that would contain the .env file for envOutputPath.
+ * @param {string} envOutputPath - Value from build.envOutputPath (e.g. ../../.env)
+ * @param {string} variablesPath - Path to variables.yaml
+ * @returns {string} Absolute path to the folder that would contain the output .env file
+ */
+function getEnvOutputPathFolder(envOutputPath, variablesPath) {
+  const variablesDir = path.dirname(variablesPath);
+  const resolvedFile = path.resolve(variablesDir, envOutputPath);
+  return path.dirname(resolvedFile);
+}
+
+/**
+ * Validates envOutputPath: if the target folder does not exist, patches variables.yaml to set envOutputPath to null.
+ * Used by up-platform, up-miso, up-dataplane so we do not keep a path that points outside an existing tree.
+ *
+ * @param {string} appName - Application name (e.g. keycloak, miso-controller, dataplane)
+ */
+function validateEnvOutputPathFolderOrNull(appName) {
+  if (!appName || typeof appName !== 'string') return;
+  const pathsToPatch = [pathsUtil.getBuilderPath(appName)];
+  const cwdBuilderPath = path.join(process.cwd(), 'builder', appName);
+  if (path.resolve(cwdBuilderPath) !== path.resolve(pathsToPatch[0])) {
+    pathsToPatch.push(cwdBuilderPath);
+  }
+  const envOutputPathLine = /^(\s*envOutputPath:)\s*.*$/m;
+  const replacement = '$1 null  # deploy only, no copy';
+  for (const appPath of pathsToPatch) {
+    const variablesPath = path.join(appPath, 'variables.yaml');
+    if (!fs.existsSync(variablesPath)) continue;
+    try {
+      const content = fs.readFileSync(variablesPath, 'utf8');
+      const variables = yaml.load(content);
+      const value = variables?.build?.envOutputPath;
+      if (value === null || value === undefined || value === '') continue;
+      const folder = getEnvOutputPathFolder(String(value).trim(), variablesPath);
+      if (fs.existsSync(folder)) continue;
+      const newContent = content.replace(envOutputPathLine, replacement);
+      fs.writeFileSync(variablesPath, newContent, 'utf8');
+    } catch (err) {
+      logger.warn(chalk.yellow(`Could not validate envOutputPath in ${variablesPath}: ${err.message}`));
+    }
+  }
+}
+
+/**
+ * Patches a single variables.yaml to set build.envOutputPath to null for deploy-only.
+ *
+ * @param {string} variablesPath - Path to variables.yaml
+ * @param {RegExp} envOutputPathLine - Regex for envOutputPath line
+ * @param {string} replacement - Replacement string
+ */
+function patchOneVariablesFileForDeployOnly(variablesPath, envOutputPathLine, replacement) {
+  const content = fs.readFileSync(variablesPath, 'utf8');
+  if (!envOutputPathLine.test(content)) return;
+  const variables = yaml.load(content);
+  const value = variables?.build?.envOutputPath;
+  if (value !== null && value !== undefined && value !== '') {
+    const folder = getEnvOutputPathFolder(String(value).trim(), variablesPath);
+    if (fs.existsSync(folder)) return;
+  }
+  const newContent = content.replace(envOutputPathLine, replacement);
+  fs.writeFileSync(variablesPath, newContent, 'utf8');
+}
+
 /**
  * Patches variables.yaml to set build.envOutputPath to null for deploy-only (no local code).
+ * Only patches when the target folder does NOT exist; when folder exists, keeps the value.
  * Use when running up-miso/up-platform so we do not copy .env to repo paths or show that message.
  * Patches both primary builder path and cwd/builder if different.
  *
@@ -50,10 +117,7 @@ function patchEnvOutputPathForDeployOnly(appName) {
     const variablesPath = path.join(appPath, 'variables.yaml');
     if (!fs.existsSync(variablesPath)) continue;
     try {
-      let content = fs.readFileSync(variablesPath, 'utf8');
-      if (!envOutputPathLine.test(content)) continue;
-      content = content.replace(envOutputPathLine, replacement);
-      fs.writeFileSync(variablesPath, content, 'utf8');
+      patchOneVariablesFileForDeployOnly(variablesPath, envOutputPathLine, replacement);
     } catch (err) {
       logger.warn(chalk.yellow(`Could not patch envOutputPath in ${variablesPath}: ${err.message}`));
     }
@@ -99,4 +163,9 @@ async function ensureAppFromTemplate(appName) {
   return primaryCopied;
 }
 
-module.exports = { ensureAppFromTemplate, patchEnvOutputPathForDeployOnly };
+module.exports = {
+  ensureAppFromTemplate,
+  patchEnvOutputPathForDeployOnly,
+  validateEnvOutputPathFolderOrNull,
+  getEnvOutputPathFolder
+};

package/lib/commands/up-dataplane.js

@@ -1,9 +1,10 @@
 /**
  * AI Fabrix Builder - Up Dataplane Command
  *
- * Registers or rotates dataplane app in dev, then deploys. Miso-controller runs
- * the dataplane container; this command does not run the image locally.
- * If app is already registered, uses rotate-secret; otherwise registers.
+ * Always local deployment: registers or rotates dataplane app in dev, sends
+ * deployment manifest to Miso Controller, then runs the dataplane app locally
+ * (same as aifabrix deploy dataplane --deployment=local). If app is already
+ * registered, uses rotate-secret; otherwise registers.
  *
  * @fileoverview up-dataplane command implementation
  * @author AI Fabrix Team
@@ -23,7 +24,7 @@ const { registerApplication } = require('../app/register');
 const { rotateSecret } = require('../app/rotate-secret');
 const { checkApplicationExists } = require('../utils/app-existence');
 const app = require('../app');
-const { ensureAppFromTemplate } = require('./up-common');
+const { ensureAppFromTemplate, validateEnvOutputPathFolderOrNull } = require('./up-common');
 
 /**
  * Register or rotate dataplane: if app exists in controller, rotate secret; otherwise register.
@@ -64,7 +65,8 @@ function buildDataplaneImageRef(registry) {
 
 /**
  * Handle up-dataplane command: ensure logged in, environment dev, ensure dataplane,
- * register or rotate (if already registered), then deploy (miso-controller runs the container).
+ * register or rotate (if already registered), deploy (send manifest to controller),
+ * then run dataplane app locally (always local deployment).
  *
  * @async
  * @function handleUpDataplane
@@ -80,7 +82,7 @@ async function handleUpDataplane(options = {}) {
   if (builderDir) {
     process.env.AIFABRIX_BUILDER_DIR = builderDir;
   }
-  logger.log(chalk.blue('Starting up-dataplane (register/rotate, deploy dataplane in dev)...\n'));
+  logger.log(chalk.blue('Starting up-dataplane (register/rotate, deploy, then run dataplane locally)...\n'));
 
   const [controllerUrl, environmentKey] = await Promise.all([resolveControllerUrl(), resolveEnvironment()]);
   const authConfig = await checkAuthentication(controllerUrl, environmentKey);
@@ -95,6 +97,8 @@ async function handleUpDataplane(options = {}) {
   logger.log(chalk.green('✓ Logged in and environment is dev'));
 
   await ensureAppFromTemplate('dataplane');
+  // If envOutputPath target folder does not exist, set envOutputPath to null
+  validateEnvOutputPathFolderOrNull('dataplane');
 
   await registerOrRotateDataplane(options, controllerUrl, environmentKey, authConfig);
 
@@ -102,8 +106,10 @@ async function handleUpDataplane(options = {}) {
   const deployOpts = { imageOverride, image: imageOverride, registryMode: options.registryMode };
 
   await app.deployApp('dataplane', deployOpts);
+  logger.log('');
+  await app.runApp('dataplane', {});
 
-  logger.log(chalk.green('\n✓ up-dataplane complete. Dataplane is registered and deployed in dev (miso-controller runs the container).'));
+  logger.log(chalk.green('\n✓ up-dataplane complete. Dataplane is registered, deployed in dev, and running locally.'));
 }
 
 module.exports = { handleUpDataplane, buildDataplaneImageRef };