diff --git a/apps/notes/feishu/server.py b/apps/notes/feishu/server.py index 4535a18..5aaef8d 100644 --- a/apps/notes/feishu/server.py +++ b/apps/notes/feishu/server.py @@ -198,6 +198,7 @@ def convert(req: ConvertReq): if not md.exists(): raise HTTPException(400, f'md not found: {md}') + # user identity = fam 自己拥有 doc(host 上手动跑过 OAuth 授权一次) cmd = ['/usr/local/bin/markdown-to-feishu', str(md), '--as', 'user'] if req.existing_doc_id: cmd += ['--update', req.existing_doc_id] @@ -241,6 +242,7 @@ def convert(req: ConvertReq): raise HTTPException(502, f'md2feishu missing doc_id/url: {data}') log.info("ok: doc_id=%s url=%s embeds=%s", doc_id, url, data.get('embeds_inserted')) + return { 'doc_id': doc_id, 'url': url, diff --git a/apps/notes/k8s/all.yaml b/apps/notes/k8s/all.yaml index 695dc7e..15924a9 100644 --- a/apps/notes/k8s/all.yaml +++ b/apps/notes/k8s/all.yaml 
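Review bot: The new comment above `cmd` records that the CLI runs with `--as user`, but not what that means for callers: every request is executed with the one pre-authorized user's OAuth grant, and `req.existing_doc_id` is passed straight to `--update`. Unless `ConvertReq` already constrains that field (not visible here), a caller can point `--update` at any document that user can edit, and a value starting with `-` may be parsed by the CLI as an option. Inside the existing `if req.existing_doc_id:` branch I would add `if req.existing_doc_id.startswith('-'): raise HTTPException(400, 'invalid existing_doc_id')`, and extend the comment to `# runs as the single pre-authorized user: callers inherit that user's doc permissions`. The body of `convert` continues outside this hunk.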
@@ -37,23 +37,29 @@ spec: imagePullSecrets: - name: registry-creds initContainers: - # secret volume 是只读的,但 lark-cli 跑时要写 cache / refresh token。 - # 启动时把 secret 里的 config.json 复制到 PVC 子目录 lark-cli/,主容器再挂这个子目录到 ~/.lark-cli。 - # 已存在不覆盖(保留运行时刷新过的 token)。 + # lark-cli auth 分两处: + # ~/.lark-cli/config.json — app id / open id 索引 + # ~/.local/share/lark-cli/*.enc + master.key — 加密的 OAuth user token + # secret volume 只读但 lark-cli 跑时要刷 token 写回。先 cp 到 PVC 让它可写。 + # 已存在不覆盖:保留运行时 refresh 过的 token,免每次重启回滚到老 token。 - name: lark-config-init image: busybox:1.36 command: - sh - -c - | - mkdir -p /data/lark-cli + mkdir -p /data/lark-cli /data/lark-share if [ ! -f /data/lark-cli/config.json ]; then cp /secrets/lark-cli/config.json /data/lark-cli/config.json - chmod 600 /data/lark-cli/config.json - echo "seeded lark-cli config from secret" - else - echo "lark-cli config already present in PVC, leaving alone" + echo "seeded ~/.lark-cli/config.json" fi + for f in master.key appsecret_cli_a3f21503fbb8900e.enc cli_a3f21503fbb8900e_ou_1d4fb299843b6a341c1942b056181ca8.enc; do + if [ ! -f "/data/lark-share/$f" ]; then + cp "/secrets/lark-cli/$f" "/data/lark-share/$f" + echo "seeded ~/.local/share/lark-cli/$f" + fi + done + chmod -R 600 /data/lark-cli /data/lark-share 2>/dev/null || true volumeMounts: - name: lark-cli-secret mountPath: /secrets/lark-cli @@ -142,6 +148,9 @@ spec: - name: data mountPath: /root/.lark-cli subPath: lark-cli + - name: data + mountPath: /root/.local/share/lark-cli + subPath: lark-share volumes: - name: data persistentVolumeClaim: @@ -149,9 +158,7 @@ spec: - name: lark-cli-secret secret: secretName: lark-cli-creds - items: - - key: config.json - path: config.json + # 默认挂全部 keys(config.json + master.key + 两个 .enc) --- apiVersion: v1 kind: Service
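Review bot: The final `chmod -R 600 /data/lark-cli /data/lark-share 2>/dev/null || true` in the `lark-config-init` script applies mode 600 to the directories as well as the files and discards any failure. Because it is the last command, the init container exits 0 even when a `cp` of `master.key` or an `.enc` file failed. Mode 600 on a directory removes the search bit, so the token store stays usable only while the main container runs as root. I would start the script with `set -eu` and replace the last line with `chmod 700 /data/lark-cli /data/lark-share` followed by `chmod 600 /data/lark-cli/* /data/lark-share/*`. The skip-if-present logic also means a rotated Secret is never copied over the PVC copy, which deserves a comment saying the PVC must be cleared after rotating `lark-cli-creds`.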
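Review bot: The new mount at `/root/.local/share/lark-cli` puts `master.key` and the `.enc` token files in the same `lark-share` subPath of the `data` PVC, so the encryption gives no protection against anything that can read that volume. If `data` is also mounted without a `subPath` elsewhere in this pod or in another workload (not visible in this hunk), the key and the ciphertext are readable from there too. I would add a comment on this mount, e.g. `# holds master.key + encrypted OAuth tokens: treat the data PVC as credential storage`, and confirm that no other mount exposes the volume root.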
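Review bot: Dropping `items` from the `lark-cli-secret` volume projects every key of `lark-cli-creds` into the init container, including any key added to the Secret later, while the script reads only four named files. Keeping an explicit `items` list for those four files preserves the previous least-privilege behaviour and makes a missing key fail at mount time instead of at `cp`. Adding `defaultMode: 0400` under `secret:` also keeps the mounted copies from being group- or world-readable. The indentation in the sketch below is a guess, since the hunk's own indentation is not recoverable here.

```yaml
secret:
  secretName: lark-cli-creds
  defaultMode: 0400
  items:
    - key: config.json
      path: config.json
    - key: master.key
      path: master.key
    - key: appsecret_cli_a3f21503fbb8900e.enc
      path: appsecret_cli_a3f21503fbb8900e.enc
    - key: cli_a3f21503fbb8900e_ou_1d4fb299843b6a341c1942b056181ca8.enc
      path: cli_a3f21503fbb8900e_ou_1d4fb299843b6a341c1942b056181ca8.enc
```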