diff --git a/apps/notes/k8s/all.yaml b/apps/notes/k8s/all.yaml
index c7dfa5d..be75619 100644
--- a/apps/notes/k8s/all.yaml
+++ b/apps/notes/k8s/all.yaml
@@ -36,6 +36,30 @@ spec:
 spec:
 imagePullSecrets:
 - name: registry-creds
+ initContainers:
+ # secret volume 是只读的,但 lark-cli 跑时要写 cache / refresh token。
+ # 启动时把 secret 里的 config.json 复制到 PVC 子目录 lark-cli/,主容器再挂这个子目录到 ~/.lark-cli。
+ # 已存在不覆盖(保留运行时刷新过的 token)。
+ - name: lark-config-init
+ image: busybox:1.36
+ command:
+ - sh
+ - -c
+ - |
+ mkdir -p /data/lark-cli
+ if [ ! -f /data/lark-cli/config.json ]; then
+ cp /secrets/lark-cli/config.json /data/lark-cli/config.json
+ chmod 600 /data/lark-cli/config.json
+ echo "seeded lark-cli config from secret"
+ else
+ echo "lark-cli config already present in PVC, leaving alone"
+ fi
+ volumeMounts:
+ - name: lark-cli-secret
+ mountPath: /secrets/lark-cli
+ readOnly: true
+ - name: data
+ mountPath: /data
 containers:
 - name: notes
 image: registry.famzheng.me/mochi/notes:latest
@@ -105,14 +129,14 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /data
- - name: lark-cli-config
+ - name: data
 mountPath: /root/.lark-cli
- readOnly: false
+ subPath: lark-cli
 volumes:
 - name: data
 persistentVolumeClaim:
 claimName: notes-data
- - name: lark-cli-config
+ - name: lark-cli-secret
 secret:
 secretName: lark-cli-creds
 items:
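Review bot: The seeding script in `lark-config-init` has no `set -e`, so if `cp` fails (for example because the secret item is missing) it still prints "seeded lark-cli config from secret" and exits 0, and the main container starts with a missing or partial config.json; adding `set -eu` as the first line of the script makes the init container fail visibly. The file is also created under the default umask and only narrowed by the later `chmod 600`, while the directory from `mkdir -p` keeps default permissions; `umask 077` before the `mkdir` covers both. Because an existing file is never overwritten, rotating or revoking the credential in the Secret does not reach the pod until /data/lark-cli/config.json is removed by hand, which deserves a line in the comment block or a runbook. `busybox:1.36` is a mutable tag, and pinning it by digest would keep the container that handles the credential reproducible.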
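Review bot: With `subPath: lark-cli` on the `data` volume, the credential file now lives at /data/lark-cli/config.json inside the same PVC that the notes container mounts in full at /data, so anything in the app that lists, serves, exports or backs up /data also reaches the refresh token. Whether notes exposes that path is not visible in this hunk, but a dedicated small PVC for the lark-cli state, mounted only at /root/.lark-cli and in the init container, would separate the credential from application data. The mount path under /root also suggests the container runs as root; if so, mode 600 on the file gives no isolation from the app process. The `volumes` list continues past the end of the hunk, so the secret's `items` mapping was not reviewed.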