fix(sync): invalidate API in-memory cache after sync-postgres

sync-postgres updates PostgreSQL but the Cloud Run API caches spec
responses in-process with a 24h TTL, so fresh data (e.g. today's
bucket-name migration in f37ebbd) remained invisible to clients.
The cache comment said "data only changes on deploy" — sync is the
counter-example that was never wired up.

- POST /debug/cache/invalidate: flushes the TTLCache; auth via
  X-Cache-Token header matched against CACHE_INVALIDATE_TOKEN;
  503 if the token is unset so the endpoint is inert by default.
- sync-postgres.yml: after a successful sync, POSTs to the endpoint
  with the GH Actions secret, skipping silently if unset.

Pushing this change also redeploys the backend (api/ is part of the
Cloud Build trigger), which clears the in-memory cache immediately
and unblocks interactive plots that were 400'ing against the stale
pyplots-images URLs still held in the old cache.

To fully activate recurring invalidation, set CACHE_INVALIDATE_TOKEN
as both a Cloud Run secret env var and a GitHub Actions repo secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MarkusNeusinger

.github/workflows/sync-postgres.yml

@@ -71,6 +71,24 @@ jobs:
         GCS_BUCKET: ${{ vars.GCS_BUCKET || 'anyplot-images' }}
         ENVIRONMENT: production
 
+    - name: Invalidate API cache
+      env:
+        API_URL: ${{ vars.API_BASE_URL || 'https://api.anyplot.ai' }}
+        CACHE_INVALIDATE_TOKEN: ${{ secrets.CACHE_INVALIDATE_TOKEN }}
+      run: |
+        if [ -z "${CACHE_INVALIDATE_TOKEN}" ]; then
+          echo "CACHE_INVALIDATE_TOKEN not set — skipping cache invalidation (cache will fall back to TTL expiry)"
+          exit 0
+        fi
+        status=$(curl -sS -o /tmp/invalidate.json -w '%{http_code}' \
+          -X POST "${API_URL}/debug/cache/invalidate" \
+          -H "X-Cache-Token: ${CACHE_INVALIDATE_TOKEN}")
+        echo "HTTP ${status}"
+        cat /tmp/invalidate.json || true
+        if [ "${status}" != "200" ]; then
+          echo "::warning::Cache invalidation returned HTTP ${status} (sync succeeded; cache will fall back to TTL expiry)"
+        fi
+
     - name: Summary
       run: |
         echo "### Sync Complete" >> $GITHUB_STEP_SUMMARY

api/routers/debug.py

@@ -5,11 +5,13 @@
 import time
 from datetime import datetime, timezone
 
-from fastapi import APIRouter, Depends, Request
+from fastapi import APIRouter, Depends, Header, HTTPException, Request, status
 from pydantic import BaseModel
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from api.cache import clear_cache, get_cache_stats
 from api.dependencies import require_db
+from core.config import settings
 from core.constants import SUPPORTED_LIBRARIES
 from core.database import SpecRepository
 
@@ -283,3 +285,31 @@ async def get_debug_status(request: Request, db: AsyncSession = Depends(require_
         system=system_health,
         specs=specs_status,
     )
+
+
+class CacheInvalidateResponse(BaseModel):
+    cleared: int
+    maxsize: int
+    ttl: int
+
+
+@router.post("/cache/invalidate", response_model=CacheInvalidateResponse)
+async def invalidate_cache(x_cache_token: str | None = Header(default=None)) -> CacheInvalidateResponse:
+    """Flush the in-memory response cache.
+
+    Called by sync-postgres at the end of a successful sync so clients see
+    fresh data without waiting for TTL expiry. Requires the shared token
+    `CACHE_INVALIDATE_TOKEN` in the `X-Cache-Token` header; returns 503 if
+    no token is configured on the server.
+    """
+    expected = settings.cache_invalidate_token
+    if not expected:
+        raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="Cache invalidation not configured")
+    if x_cache_token != expected:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid cache token")
+
+    stats_before = get_cache_stats()
+    clear_cache()
+    return CacheInvalidateResponse(
+        cleared=stats_before["size"], maxsize=stats_before["maxsize"], ttl=stats_before["ttl"]
+    )

core/config.py

@@ -143,6 +143,12 @@ class Settings(BaseSettings):
     cache_maxsize: int = 1000
     """Maximum number of cache entries"""
 
+    cache_invalidate_token: Optional[str] = None
+    """Shared secret required by the POST /debug/cache/invalidate endpoint.
+    When unset, the endpoint is disabled (503). Set via Secret Manager in Cloud Run
+    and as a GitHub Actions secret so sync-postgres can invalidate the cache after
+    writing new data to PostgreSQL."""
+
     # =============================================================================
     # CORS
     # =============================================================================