notes(feishu): lark-cli config 从 secret cp 到 PVC 子目录，可读可写 + 重启保留

initContainer cp /secrets/lark-cli/config.json → /data/lark-cli/config.json
（已存在不覆盖，保留运行时 refresh 过的 token）；feishu sidecar 主容器
subPath mount data PVC 的 lark-cli/ 到 /root/.lark-cli，lark-cli 写 cache、
refresh 都落 PVC。

apps/notes/k8s/all.yaml

@@ -36,6 +36,30 @@ spec:
     spec:
       imagePullSecrets:
         - name: registry-creds
+      initContainers:
+        # secret volume 是只读的，但 lark-cli 跑时要写 cache / refresh token。
+        # 启动时把 secret 里的 config.json 复制到 PVC 子目录 lark-cli/，主容器再挂这个子目录到 ~/.lark-cli。
+        # 已存在不覆盖（保留运行时刷新过的 token）。
+        - name: lark-config-init
+          image: busybox:1.36
+          command:
+            - sh
+            - -c
+            - |
+              mkdir -p /data/lark-cli
+              if [ ! -f /data/lark-cli/config.json ]; then
+                cp /secrets/lark-cli/config.json /data/lark-cli/config.json
+                chmod 600 /data/lark-cli/config.json
+                echo "seeded lark-cli config from secret"
+              else
+                echo "lark-cli config already present in PVC, leaving alone"
+              fi
+          volumeMounts:
+            - name: lark-cli-secret
+              mountPath: /secrets/lark-cli
+              readOnly: true
+            - name: data
+              mountPath: /data
       containers:
         - name: notes
           image: registry.famzheng.me/mochi/notes:latest
@@ -105,14 +129,14 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
-            - name: lark-cli-config
+            - name: data
               mountPath: /root/.lark-cli
-              readOnly: false
+              subPath: lark-cli
       volumes:
         - name: data
           persistentVolumeClaim:
             claimName: notes-data
-        - name: lark-cli-config
+        - name: lark-cli-secret
           secret:
             secretName: lark-cli-creds
             items: