feat: add automatic token cleanup with crond + fixed /tmp/crontabs for HF read-only fs

Dockerfile

@@ -2,17 +2,20 @@ FROM eceasy/cli-proxy-api:latest
 
 USER root
 
-RUN apk add --no-cache bash libc6-compat gcompat
+RUN apk add --no-cache bash libc6-compat gcompat jq
 
 WORKDIR /app
 RUN cp /CLIProxyAPI/CLIProxyAPI ./cli-proxy-api && chmod +x ./cli-proxy-api
 RUN mkdir -p /tmp/.cli-proxy-api /tmp/logs /tmp/pg_cache/pgstore && chmod -R 777 /tmp
 
 COPY config.yaml /app/config.yaml
-# 修复 config.example.yaml 缺失
+COPY cleanup_tokens.sh /app/cleanup_tokens.sh
+COPY entrypoint.sh /app/entrypoint.sh
+
 RUN cp /app/config.yaml /app/config.example.yaml
+RUN chmod +x /app/cleanup_tokens.sh /app/entrypoint.sh
 
 ENV TZ=Asia/Shanghai
 EXPOSE 7860
 
-CMD ["./cli-proxy-api", "--config", "/app/config.yaml"]
+CMD ["/app/entrypoint.sh"]

cleanup_tokens.sh

@@ -0,0 +1,217 @@
+#!/bin/sh
+#
+# cleanup_tokens.sh - Remove invalid/unavailable auth tokens via CLIProxyAPI Management API
+#
+# Environment variables:
+#   MANAGEMENT_PASSWORD     CLIProxyAPI management API password (required)
+#   FEISHU_WEBHOOK_URL      Feishu bot webhook URL for notifications (optional)
+#   CLEANUP_CONCURRENCY     Max parallel DELETE requests (default: 20)
+#
+
+API_BASE="http://localhost:7860/v0/management"
+TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
+LOG_PREFIX="[cleanup_tokens] ${TIMESTAMP}"
+TMP_FILE="/tmp/auth_files_$$.json"
+TMP_NAMES="/tmp/auth_names_$$.txt"
+TMP_DIR="/tmp/cleanup_$$"
+
+CONCURRENCY="${CLEANUP_CONCURRENCY:-20}"
+
+cleanup_tmp() {
+    rm -f "$TMP_FILE" "$TMP_NAMES"
+    rm -rf "$TMP_DIR"
+}
+trap cleanup_tmp EXIT
+
+# ---------------------------------------------------------------------------
+# notify_feishu TITLE BODY
+# ---------------------------------------------------------------------------
+notify_feishu() {
+    [ -z "$FEISHU_WEBHOOK_URL" ] && return 0
+    PAYLOAD=$(jq -n --arg title "$1" --arg body "$2" '{
+        msg_type: "post",
+        content: { post: { zh_cn: {
+            title: $title,
+            content: [[{"tag": "text", "text": $body}]]
+        }}}
+    }')
+    curl -sf -X POST -H "Content-Type: application/json" \
+        -d "$PAYLOAD" "$FEISHU_WEBHOOK_URL" > /dev/null 2>&1 \
+    && echo "${LOG_PREFIX} Feishu notification sent." \
+    || echo "${LOG_PREFIX} WARNING: Failed to send Feishu notification."
+}
+
+# ---------------------------------------------------------------------------
+# delete_one NAME  — writes result to $TMP_DIR/<name>.result
+# Format: "OK <name>" or "ERR <name> <http_status>"
+# ---------------------------------------------------------------------------
+delete_one() {
+    NAME="$1"
+    ENCODED=$(printf '%s' "$NAME" | sed 's/@/%40/g; s/ /%20/g')
+    RESULT_FILE="${TMP_DIR}/$(printf '%s' "$NAME" | md5sum | cut -d' ' -f1).result"
+
+    HTTP_ST=$(curl -s -o /dev/null -w "%{http_code}" \
+        -X DELETE \
+        -H "Authorization: Bearer ${MANAGEMENT_PASSWORD}" \
+        "${API_BASE}/auth-files?name=${ENCODED}" 2>/dev/null)
+
+    if [ "$HTTP_ST" = "200" ]; then
+        printf 'OK %s\n' "$NAME" > "$RESULT_FILE"
+    else
+        printf 'ERR %s %s\n' "$NAME" "$HTTP_ST" > "$RESULT_FILE"
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+if [ -z "$MANAGEMENT_PASSWORD" ]; then
+    echo "${LOG_PREFIX} ERROR: MANAGEMENT_PASSWORD not set, skipping cleanup"
+    exit 1
+fi
+
+echo "${LOG_PREFIX} Starting invalid token cleanup... (concurrency=${CONCURRENCY})"
+
+# --- Fetch auth file list ---------------------------------------------------
+HTTP_STATUS=$(curl -s -o "$TMP_FILE" -w "%{http_code}" \
+    -H "Authorization: Bearer ${MANAGEMENT_PASSWORD}" \
+    "${API_BASE}/auth-files" 2>/dev/null)
+
+if [ "$HTTP_STATUS" != "200" ]; then
+    MSG="API 返回 HTTP ${HTTP_STATUS}，服务可能尚未就绪。"
+    echo "${LOG_PREFIX} ERROR: ${MSG}"
+    notify_feishu "❌  Token 清理失败" "[TIME]  ${TIMESTAMP}
+
+[ERROR]  ${MSG}"
+    exit 1
+fi
+
+if ! jq empty "$TMP_FILE" 2>/dev/null; then
+    echo "${LOG_PREFIX} ERROR: Invalid JSON response"
+    notify_feishu "❌  Token 清理失败" "[TIME]  ${TIMESTAMP}
+
+[ERROR]  API 返回了无效的 JSON 响应"
+    exit 1
+fi
+
+TOTAL=$(jq '.files | length' "$TMP_FILE")
+echo "${LOG_PREFIX} Total auth files: ${TOTAL}"
+
+[ "$TOTAL" -eq 0 ] && { echo "${LOG_PREFIX} No auth files found."; exit 0; }
+
+# --- Identify tokens to delete ---------------------------------------------
+jq -r '
+  .files[] |
+  select(.runtime_only != true) |
+  select(
+    .unavailable == true or
+    (.status != null and (
+      .status == "error" or .status == "expired" or
+      .status == "invalid" or .status == "failed" or
+      .status == "unauthorized" or .status == "quota_exceeded"
+    ))
+  ) |
+  .name
+' "$TMP_FILE" > "$TMP_NAMES"
+
+TO_DELETE=$(grep -c '' "$TMP_NAMES" 2>/dev/null || echo 0)
+echo "${LOG_PREFIX} Tokens to delete: ${TO_DELETE}"
+
+if [ "$TO_DELETE" -eq 0 ]; then
+    echo "${LOG_PREFIX} All tokens healthy, nothing to clean up."
+    notify_feishu "✅  Token 状态检查" "[TIME]  ${TIMESTAMP}
+
+[STATS]  共 ${TOTAL} 个 token，全部健康
+
+[RESULT]  无需清理"
+    exit 0
+fi
+
+# Log the plan
+while IFS= read -r NAME; do
+    STATUS=$(jq -r --arg n "$NAME" '.files[] | select(.name==$n) | .status // "unknown"' "$TMP_FILE")
+    echo "${LOG_PREFIX}   - ${NAME} (${STATUS})"
+done < "$TMP_NAMES"
+
+# --- Parallel DELETE with concurrency control ------------------------------
+mkdir -p "$TMP_DIR"
+
+ACTIVE=0
+while IFS= read -r NAME; do
+    [ -z "$NAME" ] && continue
+
+    # Launch delete in background
+    delete_one "$NAME" &
+    ACTIVE=$((ACTIVE + 1))
+
+    # When we hit the concurrency limit, wait for all current batch to finish
+    if [ "$ACTIVE" -ge "$CONCURRENCY" ]; then
+        wait
+        ACTIVE=0
+    fi
+done < "$TMP_NAMES"
+
+# Wait for any remaining background jobs
+wait
+
+# --- Collect results -------------------------------------------------------
+DELETED=0
+ERRORS=0
+DETAIL_LINES=""
+ERROR_LINES=""
+
+# Re-read the names file to preserve status info for the notification
+while IFS= read -r NAME; do
+    [ -z "$NAME" ] && continue
+    RESULT_FILE="${TMP_DIR}/$(printf '%s' "$NAME" | md5sum | cut -d' ' -f1).result"
+    RESULT=$(cat "$RESULT_FILE" 2>/dev/null)
+
+    case "$RESULT" in
+        OK*)
+            STATUS=$(jq -r --arg n "$NAME" '.files[] | select(.name==$n) | .status // "unknown"' "$TMP_FILE")
+            echo "${LOG_PREFIX} DELETED: ${NAME}"
+            DELETED=$((DELETED + 1))
+            DETAIL_LINES="${DETAIL_LINES}  •  ${NAME}  [${STATUS}]\n"
+            ;;
+        ERR*)
+            HTTP_ST=$(echo "$RESULT" | awk '{print $3}')
+            echo "${LOG_PREFIX} ERROR deleting ${NAME} (HTTP ${HTTP_ST})"
+            ERRORS=$((ERRORS + 1))
+            ERROR_LINES="${ERROR_LINES}  •  ${NAME}  (HTTP ${HTTP_ST})\n"
+            ;;
+        *)
+            echo "${LOG_PREFIX} WARNING: No result for ${NAME}"
+            ERRORS=$((ERRORS + 1))
+            ERROR_LINES="${ERROR_LINES}  •  ${NAME}  (no result)\n"
+            ;;
+    esac
+done < "$TMP_NAMES"
+
+echo "${LOG_PREFIX} Done. Deleted: ${DELETED}, Errors: ${ERRORS}"
+
+# --- Feishu notification ---------------------------------------------------
+# printf to interpret \n in the accumulated lines
+DETAIL_LINES=$(printf '%b' "$DETAIL_LINES")
+ERROR_LINES=$(printf '%b' "$ERROR_LINES")
+
+if [ "$ERRORS" -gt 0 ]; then
+    notify_feishu "⚠️  Token 清理完成（有错误）" "[TIME]  ${TIMESTAMP}
+
+[STATS]  共 ${TOTAL} 个 token，发现 ${TO_DELETE} 个失效
+
+────────────────────
+[SUCCESS]  已删除 ${DELETED} 个：
+${DETAIL_LINES}
+[FAIL]  删除失败 ${ERRORS} 个：
+${ERROR_LINES}────────────────────"
+else
+    notify_feishu "🧹  Token 清理完成" "[TIME]  ${TIMESTAMP}
+
+[STATS]  共 ${TOTAL} 个 token，清理 ${DELETED} 个失效
+
+────────────────────
+[REMOVED]  已删除：
+${DETAIL_LINES}────────────────────
+[RESULT]  Success: ${DELETED}/${TO_DELETE}  |  Failed: 0/${TO_DELETE}"
+fi

config.yaml

@@ -12,4 +12,4 @@ remote-management:
   secret-key: "${MANAGEMENT_PASSWORD}"
 
 commercial-mode: true
-debug: false
+debug: false

entrypoint.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# entrypoint.sh - Start crond for scheduled cleanup, then launch CLIProxyAPI
+#
+# Environment variables:
+#   CLEANUP_CRON_SCHEDULE  - Cron schedule for token cleanup (default: "0 */6 * * *", every 6h)
+#   CLEANUP_STARTUP_DELAY  - Seconds to wait after service is ready before first cleanup (default: 10)
+#
+
+echo "[entrypoint] Starting up at $(date)"
+
+CLEANUP_CRON_SCHEDULE="${CLEANUP_CRON_SCHEDULE:-0 */6 * * *}"
+CLEANUP_STARTUP_DELAY="${CLEANUP_STARTUP_DELAY:-10}"
+CRON_OK=0
+
+mkdir -p /tmp/logs /tmp/crontabs
+
+# Write crontab to /tmp (HuggingFace root filesystem is read-only)
+cat > /tmp/crontabs/root << EOF
+${CLEANUP_CRON_SCHEDULE} /app/cleanup_tokens.sh >> /tmp/logs/cleanup.log 2>&1
+EOF
+
+echo "[entrypoint] Cleanup schedule: ${CLEANUP_CRON_SCHEDULE}"
+
+# Try crond; if it fails, fall back to a sleep loop
+if crond -c /tmp/crontabs -l 8 -L /tmp/logs/crond.log 2>/dev/null; then
+    echo "[entrypoint] crond started"
+    CRON_OK=1
+else
+    echo "[entrypoint] WARNING: crond failed, will use sleep-loop fallback"
+fi
+
+# Background: wait for API ready, run initial cleanup, then optionally loop
+(
+    MAX_WAIT=120
+    WAITED=0
+    while ! wget -q -O /dev/null http://localhost:7860/ 2>/dev/null; do
+        sleep 2
+        WAITED=$((WAITED + 2))
+        [ "$WAITED" -ge "$MAX_WAIT" ] && break
+    done
+    sleep "${CLEANUP_STARTUP_DELAY}"
+    /app/cleanup_tokens.sh >> /tmp/logs/cleanup.log 2>&1
+
+    if [ "$CRON_OK" = "0" ]; then
+        while true; do
+            sleep 21600
+            /app/cleanup_tokens.sh >> /tmp/logs/cleanup.log 2>&1
+        done
+    fi
+) &
+
+echo "[entrypoint] Launching cli-proxy-api..."
+exec /app/cli-proxy-api --config /app/config.yaml "$@"