refactor: remove redundant fatalError ref, use state directly in handleLeave

When Cal.com events appear in an aggregated ICS feed, the same event
gets two different UIDs (one from Cal.com, one from Google Calendar).
This caused duplicate meetings to be created for the same time slot.

Add time-window dedup check in create_upcoming_meetings_for_event:
after verifying no meeting exists for the calendar_event_id, also check
if a meeting already exists for the same room + start_date + end_date.

.gitleaksignore

@@ -4,3 +4,4 @@ docs/docs/installation/daily-setup.md:curl-auth-header:277
 gpu/self_hosted/DEV_SETUP.md:curl-auth-header:74
 gpu/self_hosted/DEV_SETUP.md:curl-auth-header:83
 server/reflector/worker/process.py:generic-api-key:465
+server/reflector/worker/process.py:generic-api-key:594

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.32.2](https://github.com/Monadical-SAS/reflector/compare/v0.32.1...v0.32.2) (2026-02-03)
+
+
+### Bug Fixes
+
+* increase TIMEOUT_MEDIUM from 2m to 5m for LLM tasks ([#843](https://github.com/Monadical-SAS/reflector/issues/843)) ([4acde4b](https://github.com/Monadical-SAS/reflector/commit/4acde4b7fdef88cc02ca12cf38c9020b05ed96ac))
+* make caddy optional ([#841](https://github.com/Monadical-SAS/reflector/issues/841)) ([a2ed7d6](https://github.com/Monadical-SAS/reflector/commit/a2ed7d60d557b551a5b64e4dfd909b63a791d9fc))
+* use Daily API recording.duration as master source for transcript duration ([#844](https://github.com/Monadical-SAS/reflector/issues/844)) ([8707c66](https://github.com/Monadical-SAS/reflector/commit/8707c6694a80c939b6214bbc13331741f192e082))
+
+## [0.32.1](https://github.com/Monadical-SAS/reflector/compare/v0.32.0...v0.32.1) (2026-01-30)
+
+
+### Bug Fixes
+
+* daily multitrack pipeline finalze dependency fix ([23eb137](https://github.com/Monadical-SAS/reflector/commit/23eb1371cb9348c4b81eb12ad506b582f8a4799e))
+* match httpx pad with hatchet audio timeout ([c05d1f0](https://github.com/Monadical-SAS/reflector/commit/c05d1f03cd8369fc06efd455527e50246887efd0))
+
 ## [0.32.0](https://github.com/Monadical-SAS/reflector/compare/v0.31.0...v0.32.0) (2026-01-30)
 
 

Caddyfile.example

@@ -1,6 +1,8 @@
-# Reflector Caddyfile
-# Replace example.com with your actual domains
-# CORS is handled by the backend - Caddy just proxies
+# Reflector Caddyfile (optional reverse proxy)
+# Use this only when you run Caddy via: docker compose -f docker-compose.prod.yml --profile caddy up -d
+# If Coolify, Traefik, or nginx already use ports 80/443, do NOT start Caddy; point your proxy at web:3000 and server:1250.
+#
+# Replace example.com with your actual domains. CORS is handled by the backend - Caddy just proxies.
 #
 # For environment variable substitution, set:
 #   FRONTEND_DOMAIN=app.example.com

docker-compose.prod.yml

@@ -1,9 +1,14 @@
 # Production Docker Compose configuration
 # Usage: docker compose -f docker-compose.prod.yml up -d
 #
+# Caddy (reverse proxy on ports 80/443) is OPTIONAL and behind the "caddy" profile:
+# - With Caddy (self-hosted, you manage SSL): docker compose -f docker-compose.prod.yml --profile caddy up -d
+# - Without Caddy (Coolify/Traefik/nginx already on 80/443): docker compose -f docker-compose.prod.yml up -d
+#   Then point your proxy at web:3000 (frontend) and server:1250 (API).
+#
 # Prerequisites:
 # 1. Copy .env.example to .env and configure for both server/ and www/
-# 2. Copy Caddyfile.example to Caddyfile and edit with your domains
+# 2. If using Caddy: copy Caddyfile.example to Caddyfile and edit your domains
 # 3. Deploy Modal GPU functions (see gpu/modal_deployments/deploy-all.sh)
 
 services:
@@ -84,6 +89,8 @@ services:
       retries: 3
 
   caddy:
+    profiles:
+      - caddy
     image: caddy:2-alpine
     restart: unless-stopped
     ports:

docs/docs/installation/docker-setup.md

@@ -11,15 +11,15 @@ This page documents the Docker Compose configuration for Reflector. For the comp
 
 The `docker-compose.prod.yml` includes these services:
 
-| Service | Image | Purpose |
-|---------|-------|---------|
-| `web` | `monadicalsas/reflector-frontend` | Next.js frontend |
-| `server` | `monadicalsas/reflector-backend` | FastAPI backend |
-| `worker` | `monadicalsas/reflector-backend` | Celery worker for background tasks |
-| `beat` | `monadicalsas/reflector-backend` | Celery beat scheduler |
-| `redis` | `redis:7.2-alpine` | Message broker and cache |
-| `postgres` | `postgres:17-alpine` | Primary database |
-| `caddy` | `caddy:2-alpine` | Reverse proxy with auto-SSL |
+| Service    | Image                             | Purpose                                                                     |
+| ---------- | --------------------------------- | --------------------------------------------------------------------------- |
+| `web`      | `monadicalsas/reflector-frontend` | Next.js frontend                                                            |
+| `server`   | `monadicalsas/reflector-backend`  | FastAPI backend                                                             |
+| `worker`   | `monadicalsas/reflector-backend`  | Celery worker for background tasks                                          |
+| `beat`     | `monadicalsas/reflector-backend`  | Celery beat scheduler                                                       |
+| `redis`    | `redis:7.2-alpine`                | Message broker and cache                                                    |
+| `postgres` | `postgres:17-alpine`              | Primary database                                                            |
+| `caddy`    | `caddy:2-alpine`                  | Reverse proxy with auto-SSL (optional; see [Caddy profile](#caddy-profile)) |
 
 ## Environment Files
 
@@ -30,6 +30,7 @@ Reflector uses two separate environment files:
 Used by: `server`, `worker`, `beat`
 
 Key variables:
+
 ```env
 # Database connection
 DATABASE_URL=postgresql+asyncpg://reflector:reflector@postgres:5432/reflector
@@ -54,6 +55,7 @@ TRANSCRIPT_MODAL_API_KEY=...
 Used by: `web`
 
 Key variables:
+
 ```env
 # Domain configuration
 SITE_URL=https://app.example.com
@@ -70,26 +72,42 @@ Note: `API_URL` is used client-side (browser), `SERVER_API_URL` is used server-s
 
 ## Volumes
 
-| Volume | Purpose |
-|--------|---------|
-| `redis_data` | Redis persistence |
-| `postgres_data` | PostgreSQL data |
-| `server_data` | Uploaded files, local storage |
-| `caddy_data` | SSL certificates |
-| `caddy_config` | Caddy configuration |
+| Volume          | Purpose                       |
+| --------------- | ----------------------------- |
+| `redis_data`    | Redis persistence             |
+| `postgres_data` | PostgreSQL data               |
+| `server_data`   | Uploaded files, local storage |
+| `caddy_data`    | SSL certificates              |
+| `caddy_config`  | Caddy configuration           |
 
 ## Network
 
 All services share the default network. The network is marked `attachable: true` to allow external containers (like Authentik) to join.
 
+## Caddy profile
+
+Caddy (ports 80 and 443) is **optional** and behind the `caddy` profile so it does not conflict with an existing reverse proxy (e.g. Coolify, Traefik, nginx).
+
+- **With Caddy** (you want Reflector to handle SSL):
+  `docker compose -f docker-compose.prod.yml --profile caddy up -d`
+- **Without Caddy** (Coolify or another proxy already on 80/443):
+  `docker compose -f docker-compose.prod.yml up -d`
+  Then configure your proxy to send traffic to `web:3000` (frontend) and `server:1250` (API).
+
 ## Common Commands
 
 ### Start all services
+
 ```bash
+# Without Caddy (e.g. when using Coolify)
 docker compose -f docker-compose.prod.yml up -d
+
+# With Caddy as reverse proxy
+docker compose -f docker-compose.prod.yml --profile caddy up -d
 ```
 
 ### View logs
+
 ```bash
 # All services
 docker compose -f docker-compose.prod.yml logs -f
@@ -99,6 +117,7 @@ docker compose -f docker-compose.prod.yml logs server --tail 50
 ```
 
 ### Restart a service
+
 ```bash
 # Quick restart (doesn't reload .env changes)
 docker compose -f docker-compose.prod.yml restart server
@@ -108,27 +127,32 @@ docker compose -f docker-compose.prod.yml up -d server
 ```
 
 ### Run database migrations
+
 ```bash
 docker compose -f docker-compose.prod.yml exec server uv run alembic upgrade head
 ```
 
 ### Access database
+
 ```bash
 docker compose -f docker-compose.prod.yml exec postgres psql -U reflector
 ```
 
 ### Pull latest images
+
 ```bash
 docker compose -f docker-compose.prod.yml pull
 docker compose -f docker-compose.prod.yml up -d
 ```
 
 ### Stop all services
+
 ```bash
 docker compose -f docker-compose.prod.yml down
 ```
 
 ### Full reset (WARNING: deletes data)
+
 ```bash
 docker compose -f docker-compose.prod.yml down -v
 ```
@@ -187,6 +211,7 @@ The Caddyfile supports environment variable substitution:
 Set `FRONTEND_DOMAIN` and `API_DOMAIN` environment variables, or edit the file directly.
 
 ### Reload Caddy after changes
+
 ```bash
 docker compose -f docker-compose.prod.yml exec caddy caddy reload --config /etc/caddy/Caddyfile
 ```

docs/docs/installation/overview.md

@@ -26,7 +26,7 @@ flowchart LR
 
 Before starting, you need:
 
-- **Production server** -  4+ cores, 8GB+ RAM, public IP
+- **Production server** - 4+ cores, 8GB+ RAM, public IP
 - **Two domain names** - e.g., `app.example.com` (frontend) and `api.example.com` (backend)
 - **GPU processing** - Choose one:
   - Modal.com account, OR
@@ -60,16 +60,17 @@ Type: A    Name: api    Value: <your-server-ip>
 
 Reflector requires GPU processing for transcription and speaker diarization. Choose one option:
 
-| | **Modal.com (Cloud)** | **Self-Hosted GPU** |
-|---|---|---|
+|              | **Modal.com (Cloud)**             | **Self-Hosted GPU**          |
+| ------------ | --------------------------------- | ---------------------------- |
 | **Best for** | No GPU hardware, zero maintenance | Own GPU server, full control |
-| **Pricing** | Pay-per-use | Fixed infrastructure cost |
+| **Pricing**  | Pay-per-use                       | Fixed infrastructure cost    |
 
 ### Option A: Modal.com (Serverless Cloud GPU)
 
 #### Accept HuggingFace Licenses
 
 Visit both pages and click "Accept":
+
 - https://huggingface.co/pyannote/speaker-diarization-3.1
 - https://huggingface.co/pyannote/segmentation-3.0
 
@@ -179,6 +180,7 @@ Save these credentials - you'll need them in the next step.
 ## Configure Environment
 
 Reflector has two env files:
+
 - `server/.env` - Backend configuration
 - `www/.env` - Frontend configuration
 
@@ -190,6 +192,7 @@ nano server/.env
 ```
 
 **Required settings:**
+
 ```env
 # Database (defaults work with docker-compose.prod.yml)
 DATABASE_URL=postgresql+asyncpg://reflector:reflector@postgres:5432/reflector
@@ -249,6 +252,7 @@ nano www/.env
 ```
 
 **Required settings:**
+
 ```env
 # Your domains
 SITE_URL=https://app.example.com
@@ -266,7 +270,11 @@ FEATURE_REQUIRE_LOGIN=false
 
 ---
 
-## Configure Caddy
+## Reverse proxy (Caddy or existing)
+
+**If Coolify, Traefik, or nginx already use ports 80/443** (e.g. Coolify on your host): skip Caddy. Start the stack without the Caddy profile (see [Start Services](#start-services) below), then point your proxy at `web:3000` (frontend) and `server:1250` (API).
+
+**If you want Reflector to provide the reverse proxy and SSL:**
 
 ```bash
 cp Caddyfile.example Caddyfile
@@ -289,10 +297,18 @@ Replace `example.com` with your domains. The `{$VAR:default}` syntax uses Caddy'
 
 ## Start Services
 
+**Without Caddy** (e.g. Coolify already on 80/443):
+
 ```bash
 docker compose -f docker-compose.prod.yml up -d
 ```
 
+**With Caddy** (Reflector handles SSL):
+
+```bash
+docker compose -f docker-compose.prod.yml --profile caddy up -d
+```
+
 Wait for containers to start (first run may take 1-2 minutes to pull images and initialize).
 
 ---
@@ -300,18 +316,21 @@ Wait for containers to start (first run may take 1-2 minutes to pull images and
 ## Verify Deployment
 
 ### Check services
+
 ```bash
 docker compose -f docker-compose.prod.yml ps
 # All should show "Up"
 ```
 
 ### Test API
+
 ```bash
 curl https://api.example.com/health
 # Should return: {"status":"healthy"}
 ```
 
 ### Test Frontend
+
 - Visit https://app.example.com
 - You should see the Reflector interface
 - Try uploading an audio file to test transcription
@@ -327,6 +346,7 @@ By default, Reflector is open (no login required). **Authentication is required
 See [Authentication Setup](./auth-setup) for full Authentik OAuth configuration.
 
 Quick summary:
+
 1. Deploy Authentik on your server
 2. Create OAuth provider in Authentik
 3. Extract public key for JWT verification
@@ -358,6 +378,7 @@ DAILYCO_STORAGE_AWS_ROLE_ARN=<arn:aws:iam::ACCOUNT:role/DailyCo>
 ```
 
 Reload env and restart:
+
 ```bash
 docker compose -f docker-compose.prod.yml up -d server worker
 ```
@@ -367,35 +388,43 @@ docker compose -f docker-compose.prod.yml up -d server worker
 ## Troubleshooting
 
 ### Check logs for errors
+
 ```bash
 docker compose -f docker-compose.prod.yml logs server --tail 20
 docker compose -f docker-compose.prod.yml logs worker --tail 20
 ```
 
 ### Services won't start
+
 ```bash
 docker compose -f docker-compose.prod.yml logs
 ```
 
 ### CORS errors in browser
+
 - Verify `CORS_ORIGIN` in `server/.env` matches your frontend domain exactly (including `https://`)
 - Reload env: `docker compose -f docker-compose.prod.yml up -d server`
 
-### SSL certificate errors
+### SSL certificate errors (when using Caddy)
+
 - Caddy auto-provisions Let's Encrypt certificates
-- Ensure ports 80 and 443 are open
+- Ensure ports 80 and 443 are open and not used by another proxy
 - Check: `docker compose -f docker-compose.prod.yml logs caddy`
+- If port 80 is already in use (e.g. by Coolify), run without Caddy: `docker compose -f docker-compose.prod.yml up -d` and use your existing proxy
 
 ### Transcription not working
+
 - Check Modal dashboard: https://modal.com/apps
 - Verify URLs in `server/.env` match deployed functions
 - Check worker logs: `docker compose -f docker-compose.prod.yml logs worker`
 
 ### "Login required" but auth not configured
+
 - Set `FEATURE_REQUIRE_LOGIN=false` in `www/.env`
 - Rebuild frontend: `docker compose -f docker-compose.prod.yml up -d --force-recreate web`
 
 ### Database migrations or connectivity issues
+
 Migrations run automatically on server startup. To check database connectivity or debug migration failures:
 
 ```bash
@@ -408,4 +437,3 @@ docker compose -f docker-compose.prod.yml exec server uv run python -c "from ref
 # Manually run migrations (if needed)
 docker compose -f docker-compose.prod.yml exec server uv run alembic upgrade head
 ```
-

gpu/self_hosted/Dockerfile

@@ -4,27 +4,31 @@ ENV PYTHONUNBUFFERED=1 \
     UV_LINK_MODE=copy \
     UV_NO_CACHE=1
 
+# patch until nvidia updates the sha1 repo
+ADD sequoia.config /etc/crypto-policies/back-ends/sequoia.config
+
 WORKDIR /tmp
-RUN apt-get update \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ apt-get update \
  && apt-get install -y \
     ffmpeg \
     curl \
     ca-certificates \
     gnupg \
-    wget \
- && apt-get clean
+    wget
 # Add NVIDIA CUDA repo for Debian 12 (bookworm) and install cuDNN 9 for CUDA 12
 ADD https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64/cuda-keyring_1.1-1_all.deb /cuda-keyring.deb
-RUN dpkg -i /cuda-keyring.deb \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ dpkg -i /cuda-keyring.deb \
  && rm /cuda-keyring.deb \
  && apt-get update \
  && apt-get install -y --no-install-recommends \
     cuda-cudart-12-6 \
     libcublas-12-6 \
     libcudnn9-cuda-12 \
-    libcudnn9-dev-cuda-12 \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+    libcudnn9-dev-cuda-12
 ADD https://astral.sh/uv/install.sh /uv-installer.sh
 RUN sh /uv-installer.sh && rm /uv-installer.sh
 ENV PATH="/root/.local/bin/:$PATH"
@@ -39,6 +43,13 @@ COPY ./app /app/app
 COPY ./main.py /app/
 COPY ./runserver.sh /app/
 
+# prevent uv failing with too many open files on big cpus
+ENV UV_CONCURRENT_INSTALLS=16
+
+# first install
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --compile-bytecode --locked
+
 EXPOSE 8000
 
 CMD ["sh", "/app/runserver.sh"]

gpu/self_hosted/sequoia.config

@@ -0,0 +1,2 @@
+[hash_algorithms]
+sha1 = "always"

server/reflector/db/meetings.py

@@ -346,6 +346,27 @@ class MeetingController:
             return None
         return Meeting(**result)
 
+    async def get_by_room_and_time_window(
+        self, room: Room, start_date: datetime, end_date: datetime
+    ) -> Meeting | None:
+        """Check if a meeting already exists for this room with the same time window."""
+        query = (
+            meetings.select()
+            .where(
+                sa.and_(
+                    meetings.c.room_id == room.id,
+                    meetings.c.start_date == start_date,
+                    meetings.c.end_date == end_date,
+                    meetings.c.is_active,
+                )
+            )
+            .limit(1)
+        )
+        result = await get_database().fetch_one(query)
+        if not result:
+            return None
+        return Meeting(**result)
+
     async def update_meeting(self, meeting_id: str, **kwargs):
         query = meetings.update().where(meetings.c.id == meeting_id).values(**kwargs)
         await get_database().execute(query)

server/reflector/hatchet/constants.py

@@ -35,7 +35,9 @@ LLM_RATE_LIMIT_PER_SECOND = 10
 
 # Task execution timeouts (seconds)
 TIMEOUT_SHORT = 60  # Quick operations: API calls, DB updates
-TIMEOUT_MEDIUM = 120  # Single LLM calls, waveform generation
+TIMEOUT_MEDIUM = (
+    300  # Single LLM calls, waveform generation (5m for slow LLM responses)
+)
 TIMEOUT_LONG = 180  # Action items (larger context LLM)
 TIMEOUT_AUDIO = 720  # Audio processing: padding, mixdown
 TIMEOUT_HEAVY = 600  # Transcription, fan-out LLM tasks

server/reflector/hatchet/workflows/daily_multitrack_pipeline.py

@@ -322,6 +322,7 @@ async def get_participants(input: PipelineInput, ctx: Context) -> ParticipantsRe
     mtg_session_id = recording.mtg_session_id
     async with fresh_db_connection():
         from reflector.db.transcripts import (  # noqa: PLC0415
+            TranscriptDuration,
             TranscriptParticipant,
             transcripts_controller,
         )
@@ -330,15 +331,26 @@ async def get_participants(input: PipelineInput, ctx: Context) -> ParticipantsRe
         if not transcript:
             raise ValueError(f"Transcript {input.transcript_id} not found")
         # Note: title NOT cleared - preserves existing titles
+        # Duration from Daily API (seconds -> milliseconds) - master source
+        duration_ms = recording.duration * 1000 if recording.duration else 0
         await transcripts_controller.update(
             transcript,
             {
                 "events": [],
                 "topics": [],
                 "participants": [],
+                "duration": duration_ms,
             },
         )
 
+        await append_event_and_broadcast(
+            input.transcript_id,
+            transcript,
+            "DURATION",
+            TranscriptDuration(duration=duration_ms),
+            logger=logger,
+        )
+
         mtg_session_id = assert_non_none_and_non_empty(
             mtg_session_id, "mtg_session_id is required"
         )
@@ -1095,7 +1107,7 @@ async def identify_action_items(
 
 
 @daily_multitrack_pipeline.task(
-    parents=[generate_title, generate_recap, identify_action_items],
+    parents=[process_tracks, generate_title, generate_recap, identify_action_items],
     execution_timeout=timedelta(seconds=TIMEOUT_SHORT),
     retries=3,
 )
@@ -1108,12 +1120,8 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
     """
     ctx.log("finalize: saving transcript and setting status to 'ended'")
 
-    mixdown_result = ctx.task_output(mixdown_tracks)
     track_result = ctx.task_output(process_tracks)
 
-    duration = mixdown_result.duration
-    all_words = track_result.all_words
-
     # Cleanup temporary padded S3 files (deferred until finalize for semantic parity with Celery)
     created_padded_files = track_result.created_padded_files
     if created_padded_files:
@@ -1133,7 +1141,6 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
 
     async with fresh_db_connection():
         from reflector.db.transcripts import (  # noqa: PLC0415
-            TranscriptDuration,
             TranscriptText,
             transcripts_controller,
         )
@@ -1142,8 +1149,6 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
         if transcript is None:
             raise ValueError(f"Transcript {input.transcript_id} not found in database")
 
-        merged_transcript = TranscriptType(words=all_words, translation=None)
-
         await append_event_and_broadcast(
             input.transcript_id,
             transcript,
@@ -1155,21 +1160,15 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
             logger=logger,
         )
 
-        # Save duration and clear workflow_run_id (workflow completed successfully)
-        # Note: title/long_summary/short_summary already saved by their callbacks
+        # Clear workflow_run_id (workflow completed successfully)
+        # Note: title/long_summary/short_summary/duration already saved by their callbacks
         await transcripts_controller.update(
             transcript,
             {
-                "duration": duration,
                 "workflow_run_id": None,  # Clear on success - no need to resume
             },
         )
 
-        duration_data = TranscriptDuration(duration=duration)
-        await append_event_and_broadcast(
-            input.transcript_id, transcript, "DURATION", duration_data, logger=logger
-        )
-
         await set_status_and_broadcast(input.transcript_id, "ended", logger=logger)
 
         ctx.log(

server/reflector/processors/audio_padding_modal.py

@@ -8,6 +8,7 @@ import os
 import httpx
 from pydantic import BaseModel
 
+from reflector.hatchet.constants import TIMEOUT_AUDIO
 from reflector.logger import logger
 
 
@@ -63,7 +64,7 @@ class AudioPaddingModalProcessor:
             headers["Authorization"] = f"Bearer {self.modal_api_key}"
 
         try:
-            async with httpx.AsyncClient() as client:
+            async with httpx.AsyncClient(timeout=TIMEOUT_AUDIO) as client:
                 response = await client.post(
                     url,
                     headers=headers,

server/reflector/worker/ics_sync.py

@@ -5,7 +5,7 @@ from celery import shared_task
 from celery.utils.log import get_task_logger
 
 from reflector.asynctask import asynctask
-from reflector.db.calendar_events import calendar_events_controller
+from reflector.db.calendar_events import CalendarEvent, calendar_events_controller
 from reflector.db.meetings import meetings_controller
 from reflector.db.rooms import Room, rooms_controller
 from reflector.redis_cache import RedisAsyncLock
@@ -83,10 +83,9 @@ def _should_sync(room) -> bool:
     return time_since_sync.total_seconds() >= room.ics_fetch_interval
 
 
-MEETING_DEFAULT_DURATION = timedelta(hours=1)
-
-
-async def create_upcoming_meetings_for_event(event, create_window, room: Room):
+async def create_upcoming_meetings_for_event(
+    event: CalendarEvent, create_window: datetime, room: Room
+):
     if event.start_time <= create_window:
         return
     existing_meeting = await meetings_controller.get_by_calendar_event(event.id, room)
@@ -94,6 +93,21 @@ async def create_upcoming_meetings_for_event(event, create_window, room: Room):
     if existing_meeting:
         return
 
+    # Prevent duplicate meetings from aggregated calendar feeds
+    # (e.g. same event appears with different UIDs from Cal.com and Google Calendar)
+    end_date = event.end_time
+    existing_by_time = await meetings_controller.get_by_room_and_time_window(
+        room, event.start_time, end_date
+    )
+    if existing_by_time:
+        logger.info(
+            "Skipping duplicate calendar event - meeting already exists for this time window",
+            room_id=room.id,
+            event_id=event.id,
+            existing_meeting_id=existing_by_time.id,
+        )
+        return
+
     logger.info(
         "Pre-creating meeting for calendar event",
         room_id=room.id,
@@ -102,8 +116,6 @@ async def create_upcoming_meetings_for_event(event, create_window, room: Room):
     )
 
     try:
-        end_date = event.end_time or (event.start_time + MEETING_DEFAULT_DURATION)
-
         client = create_platform_client(room.platform)
 
         meeting_data = await client.create_meeting(

server/reflector/ws_manager.py

@@ -11,7 +11,6 @@ broadcast messages to all connected websockets.
 
 import asyncio
 import json
-import threading
 
 import redis.asyncio as redis
 from fastapi import WebSocket
@@ -98,6 +97,7 @@ class WebsocketManager:
 
     async def _pubsub_data_reader(self, pubsub_subscriber):
         while True:
+            # timeout=1.0 prevents tight CPU loop when no messages available
             message = await pubsub_subscriber.get_message(
                 ignore_subscribe_messages=True
             )
@@ -109,29 +109,38 @@ class WebsocketManager:
                     await socket.send_json(data)
 
 
+# Process-global singleton to ensure only one WebsocketManager instance exists.
+# Multiple instances would cause resource leaks and CPU issues.
+_ws_manager: WebsocketManager | None = None
+
+
 def get_ws_manager() -> WebsocketManager:
     """
-    Returns the WebsocketManager instance for managing websockets.
+    Returns the global WebsocketManager singleton.
 
-    This function initializes and returns the WebsocketManager instance,
-    which is responsible for managing websockets and handling websocket
-    connections.
+    Creates instance on first call, subsequent calls return cached instance.
+    Thread-safe via GIL. Concurrent initialization may create duplicate
+    instances but last write wins (acceptable for this use case).
 
     Returns:
-        WebsocketManager: The initialized WebsocketManager instance.
-
-    Raises:
-        ImportError: If the 'reflector.settings' module cannot be imported.
-        RedisConnectionError: If there is an error connecting to the Redis server.
+        WebsocketManager: The global WebsocketManager instance.
     """
-    local = threading.local()
-    if hasattr(local, "ws_manager"):
-        return local.ws_manager
+    global _ws_manager
 
+    if _ws_manager is not None:
+        return _ws_manager
+
+    # No lock needed - GIL makes this safe enough
+    # Worst case: race creates two instances, last assignment wins
     pubsub_client = RedisPubSubManager(
         host=settings.REDIS_HOST,
         port=settings.REDIS_PORT,
     )
-    ws_manager = WebsocketManager(pubsub_client=pubsub_client)
-    local.ws_manager = ws_manager
-    return ws_manager
+    _ws_manager = WebsocketManager(pubsub_client=pubsub_client)
+    return _ws_manager
+
+
+def reset_ws_manager() -> None:
+    """Reset singleton for testing. DO NOT use in production."""
+    global _ws_manager
+    _ws_manager = None

server/tests/conftest.py

@@ -1,6 +1,5 @@
 import os
 from contextlib import asynccontextmanager
-from tempfile import NamedTemporaryFile
 from unittest.mock import patch
 
 import pytest
@@ -333,11 +332,14 @@ def celery_enable_logging():
 
 @pytest.fixture(scope="session")
 def celery_config():
-    with NamedTemporaryFile() as f:
-        yield {
-            "broker_url": "memory://",
-            "result_backend": f"db+sqlite:///{f.name}",
-        }
+    redis_host = os.environ.get("REDIS_HOST", "localhost")
+    redis_port = os.environ.get("REDIS_PORT", "6379")
+    # Use db 2 to avoid conflicts with main app
+    redis_url = f"redis://{redis_host}:{redis_port}/2"
+    yield {
+        "broker_url": redis_url,
+        "result_backend": redis_url,
+    }
 
 
 @pytest.fixture(scope="session")
@@ -370,9 +372,12 @@ async def ws_manager_in_memory(monkeypatch):
         def __init__(self, queue: asyncio.Queue):
             self.queue = queue
 
-        async def get_message(self, ignore_subscribe_messages: bool = True):
+        async def get_message(
+            self, ignore_subscribe_messages: bool = True, timeout: float | None = None
+        ):
+            wait_timeout = timeout if timeout is not None else 0.05
             try:
-                return await asyncio.wait_for(self.queue.get(), timeout=0.05)
+                return await asyncio.wait_for(self.queue.get(), timeout=wait_timeout)
             except Exception:
                 return None
 

server/tests/test_ics_dedup.py

@@ -0,0 +1,190 @@
+from datetime import datetime, timedelta, timezone
+from unittest.mock import AsyncMock, patch
+
+import pytest
+
+from reflector.db import get_database
+from reflector.db.calendar_events import CalendarEvent, calendar_events_controller
+from reflector.db.meetings import meetings
+from reflector.db.rooms import rooms_controller
+from reflector.worker.ics_sync import create_upcoming_meetings_for_event
+
+
+@pytest.mark.asyncio
+async def test_duplicate_calendar_event_does_not_create_duplicate_meeting():
+    """When an aggregated ICS feed contains the same event with different UIDs
+    (e.g. Cal.com UID + Google Calendar UUID), only one meeting should be created."""
+
+    room = await rooms_controller.add(
+        name="dedup-test-room",
+        user_id="test-user",
+        zulip_auto_post=False,
+        zulip_stream="",
+        zulip_topic="",
+        is_locked=False,
+        room_mode="normal",
+        recording_type="cloud",
+        recording_trigger="automatic-2nd-participant",
+        is_shared=False,
+        ics_url="https://calendar.example.com/dedup.ics",
+        ics_enabled=True,
+    )
+
+    now = datetime.now(timezone.utc)
+    start_time = now + timedelta(hours=1)
+    end_time = now + timedelta(hours=2)
+
+    # Create first calendar event (Cal.com UID)
+    event1 = await calendar_events_controller.upsert(
+        CalendarEvent(
+            room_id=room.id,
+            ics_uid="abc123@Cal.com",
+            title="Team Standup",
+            start_time=start_time,
+            end_time=end_time,
+        )
+    )
+
+    # create_window must be before start_time for the function to proceed
+    create_window = now - timedelta(minutes=6)
+
+    # Create meeting for event1
+    with patch(
+        "reflector.worker.ics_sync.create_platform_client"
+    ) as mock_platform_factory:
+        mock_client = AsyncMock()
+
+        async def mock_create_meeting_1(room_name_prefix, *, end_date, room):
+            return AsyncMock(
+                meeting_id="meeting-1",
+                room_name="dedup-test-room-abc",
+                room_url="https://mock.video/dedup-test-room-abc",
+                host_room_url="https://mock.video/dedup-test-room-abc?host=true",
+            )
+
+        mock_client.create_meeting = mock_create_meeting_1
+        mock_client.upload_logo = AsyncMock()
+        mock_platform_factory.return_value = mock_client
+
+        await create_upcoming_meetings_for_event(event1, create_window, room)
+
+    # Verify meeting was created
+    results = await get_database().fetch_all(
+        meetings.select().where(meetings.c.room_id == room.id)
+    )
+    assert len(results) == 1, f"Expected 1 meeting, got {len(results)}"
+
+    # Create second calendar event with different UID but same time window (Google Calendar UUID)
+    event2 = await calendar_events_controller.upsert(
+        CalendarEvent(
+            room_id=room.id,
+            ics_uid="550e8400-e29b-41d4-a716-446655440000",
+            title="Team Standup",
+            start_time=start_time,
+            end_time=end_time,
+        )
+    )
+
+    # Try to create meeting for event2 - should be skipped due to dedup
+    with patch(
+        "reflector.worker.ics_sync.create_platform_client"
+    ) as mock_platform_factory:
+        mock_client = AsyncMock()
+        create_meeting_called = False
+
+        async def mock_create_meeting_2(room_name_prefix, *, end_date, room):
+            nonlocal create_meeting_called
+            create_meeting_called = True
+
+        mock_client.create_meeting = mock_create_meeting_2
+        mock_client.upload_logo = AsyncMock()
+        mock_platform_factory.return_value = mock_client
+
+        await create_upcoming_meetings_for_event(event2, create_window, room)
+
+        # Platform client should NOT have been called for the duplicate
+        assert (
+            not create_meeting_called
+        ), "create_meeting should not be called for duplicate"
+
+    # Verify still only 1 meeting
+    results = await get_database().fetch_all(
+        meetings.select().where(meetings.c.room_id == room.id)
+    )
+    assert len(results) == 1, f"Expected 1 meeting after dedup, got {len(results)}"
+
+
+@pytest.mark.asyncio
+async def test_different_time_windows_create_separate_meetings():
+    """Events at different times should create separate meetings, even if titles match."""
+
+    room = await rooms_controller.add(
+        name="dedup-diff-time-room",
+        user_id="test-user",
+        zulip_auto_post=False,
+        zulip_stream="",
+        zulip_topic="",
+        is_locked=False,
+        room_mode="normal",
+        recording_type="cloud",
+        recording_trigger="automatic-2nd-participant",
+        is_shared=False,
+        ics_url="https://calendar.example.com/dedup2.ics",
+        ics_enabled=True,
+    )
+
+    now = datetime.now(timezone.utc)
+    create_window = now - timedelta(minutes=6)
+
+    # Event 1: 1-2pm
+    event1 = await calendar_events_controller.upsert(
+        CalendarEvent(
+            room_id=room.id,
+            ics_uid="event-morning@Cal.com",
+            title="Team Standup",
+            start_time=now + timedelta(hours=1),
+            end_time=now + timedelta(hours=2),
+        )
+    )
+
+    # Event 2: 3-4pm (different time)
+    event2 = await calendar_events_controller.upsert(
+        CalendarEvent(
+            room_id=room.id,
+            ics_uid="event-afternoon@Cal.com",
+            title="Team Standup",
+            start_time=now + timedelta(hours=3),
+            end_time=now + timedelta(hours=4),
+        )
+    )
+
+    with patch(
+        "reflector.worker.ics_sync.create_platform_client"
+    ) as mock_platform_factory:
+        mock_client = AsyncMock()
+
+        call_count = 0
+
+        async def mock_create_meeting(room_name_prefix, *, end_date, room):
+            nonlocal call_count
+            call_count += 1
+            return AsyncMock(
+                meeting_id=f"meeting-{call_count}",
+                room_name=f"dedup-diff-time-room-{call_count}",
+                room_url=f"https://mock.video/dedup-diff-time-room-{call_count}",
+                host_room_url=f"https://mock.video/dedup-diff-time-room-{call_count}?host=true",
+            )
+
+        mock_client.create_meeting = mock_create_meeting
+        mock_client.upload_logo = AsyncMock()
+        mock_platform_factory.return_value = mock_client
+
+        await create_upcoming_meetings_for_event(event1, create_window, room)
+        await create_upcoming_meetings_for_event(event2, create_window, room)
+
+    results = await get_database().fetch_all(
+        meetings.select().where(meetings.c.room_id == room.id)
+    )
+    assert (
+        len(results) == 2
+    ), f"Expected 2 meetings for different times, got {len(results)}"

server/tests/test_transcripts_rtc_ws.py

@@ -115,9 +115,7 @@ def appserver(tmpdir, setup_database, celery_session_app, celery_session_worker)
     settings.DATA_DIR = DATA_DIR
 
 
-@pytest.fixture(scope="session")
-def celery_includes():
-    return ["reflector.pipelines.main_live_pipeline"]
+# Using celery_includes from conftest.py which includes both pipelines
 
 
 @pytest.mark.usefixtures("setup_database")

server/tests/test_user_websocket_auth.py

@@ -56,7 +56,12 @@ def appserver_ws_user(setup_database):
 
     if server_instance:
         server_instance.should_exit = True
-        server_thread.join(timeout=30)
+        server_thread.join(timeout=2.0)
+
+    # Reset global singleton for test isolation
+    from reflector.ws_manager import reset_ws_manager
+
+    reset_ws_manager()
 
 
 @pytest.fixture(autouse=True)
@@ -133,6 +138,8 @@ async def test_user_ws_accepts_valid_token_and_receives_events(appserver_ws_user
 
     # Connect and then trigger an event via HTTP create
     async with aconnect_ws(base_ws, subprotocols=subprotocols) as ws:
+        await asyncio.sleep(0.2)
+
         # Emit an event to the user's room via a standard HTTP action
         from httpx import AsyncClient
 
@@ -150,6 +157,7 @@ async def test_user_ws_accepts_valid_token_and_receives_events(appserver_ws_user
             "email": "user-abc@example.com",
         }
 
+        # Use in-memory client (global singleton makes it share ws_manager)
         async with AsyncClient(app=app, base_url=f"http://{host}:{port}/v1") as ac:
             # Create a transcript as this user so that the server publishes TRANSCRIPT_CREATED to user room
             resp = await ac.post("/transcripts", json={"name": "WS Test"})

www/app/[roomName]/components/DailyRoom.tsx

@@ -8,7 +8,7 @@ import {
   useRef,
   useState,
 } from "react";
-import { Box, Spinner, Center, Text } from "@chakra-ui/react";
+import { Box, Spinner, Center, Text, Button, VStack } from "@chakra-ui/react";
 import { useRouter, useParams } from "next/navigation";
 import DailyIframe, {
   DailyCall,
@@ -16,10 +16,13 @@ import DailyIframe, {
   DailyCustomTrayButton,
   DailyCustomTrayButtons,
   DailyEventObjectCustomButtonClick,
+  DailyEventObjectFatalError,
+  DailyFatalErrorType,
   DailyFactoryOptions,
   DailyParticipantsObject,
 } from "@daily-co/daily-js";
 import type { components } from "../../reflector-api";
+import { printApiError, ApiError } from "../../api/_error";
 import { useAuth } from "../../lib/AuthProvider";
 import { useConsentDialog } from "../../lib/consent";
 import {
@@ -45,6 +48,63 @@ const RAW_TRACKS_NAMESPACE = "a1b2c3d4-e5f6-7890-abcd-ef1234567890";
 const RECORDING_START_DELAY_MS = 2000;
 const RECORDING_START_MAX_RETRIES = 5;
 
+const FATAL_ERROR_MESSAGES: Partial<
+  Record<DailyFatalErrorType, { message: string; rejoinable?: boolean }>
+> = {
+  "connection-error": {
+    message: "Connection lost. Please check your network.",
+    rejoinable: true,
+  },
+  "exp-room": { message: "The meeting time has ended." },
+  "exp-token": { message: "Your session has expired.", rejoinable: true },
+  ejected: { message: "You were removed from this meeting." },
+  "meeting-full": { message: "This meeting is full." },
+  "not-allowed": { message: "You are not allowed to join this meeting." },
+  "nbf-room": { message: "This meeting hasn't started yet." },
+  "nbf-token": { message: "This meeting hasn't started yet." },
+  "no-room": { message: "This room does not exist." },
+  "end-of-life": { message: "This meeting room is no longer available." },
+};
+
+function FatalErrorScreen({
+  error,
+  roomName,
+}: {
+  error: FatalError;
+  roomName: string;
+}) {
+  const router = useRouter();
+  const info =
+    error.type !== "unknown" ? FATAL_ERROR_MESSAGES[error.type] : undefined;
+  const message = info?.message ?? `Something went wrong: ${error.message}`;
+  const rejoinable = info?.rejoinable ?? false;
+
+  return (
+    <Center width="100vw" height="100vh">
+      <VStack gap={4}>
+        <Text color="red.500">{message}</Text>
+        {rejoinable ? (
+          <>
+            <Button onClick={() => window.location.reload()}>
+              Try Rejoining
+            </Button>
+            <Button
+              variant="outline"
+              onClick={() => router.push(`/${roomName}`)}
+            >
+              Leave
+            </Button>
+          </>
+        ) : (
+          <Button onClick={() => router.push(`/${roomName}`)}>
+            Back to Room
+          </Button>
+        )}
+      </VStack>
+    </Center>
+  );
+}
+
 type Meeting = components["schemas"]["Meeting"];
 type Room = components["schemas"]["RoomDetails"];
 
@@ -82,6 +142,8 @@ const USE_FRAME_INIT_STATE = {
   joined: false as boolean,
 } as const;
 
+type FatalError = { type: DailyFatalErrorType | "unknown"; message: string };
+
 // Daily js and not Daily react used right now because daily-js allows for prebuild interface vs. -react is customizable but has no nice defaults
 const useFrame = (
   container: HTMLDivElement | null,
@@ -89,6 +151,7 @@ const useFrame = (
     onLeftMeeting: () => void;
     onCustomButtonClick: (ev: DailyEventObjectCustomButtonClick) => void;
     onJoinMeeting: () => void;
+    onError: (ev: DailyEventObjectFatalError) => void;
   },
 ) => {
   const [{ frame, joined }, setState] = useState(USE_FRAME_INIT_STATE);
@@ -134,6 +197,7 @@ const useFrame = (
     if (!frame) return;
     frame.on("left-meeting", cbs.onLeftMeeting);
     frame.on("custom-button-click", cbs.onCustomButtonClick);
+    frame.on("error", cbs.onError);
     const joinCb = () => {
       if (!frame) {
         console.error("frame is null in joined-meeting callback");
@@ -145,6 +209,7 @@ const useFrame = (
     return () => {
       frame.off("left-meeting", cbs.onLeftMeeting);
       frame.off("custom-button-click", cbs.onCustomButtonClick);
+      frame.off("error", cbs.onError);
       frame.off("joined-meeting", joinCb);
     };
   }, [frame, cbs]);
@@ -188,6 +253,7 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   const joinMutation = useRoomJoinMeeting();
   const startRecordingMutation = useMeetingStartRecording();
   const [joinedMeeting, setJoinedMeeting] = useState<Meeting | null>(null);
+  const [fatalError, setFatalError] = useState<FatalError | null>(null);
 
   // Generate deterministic instanceIds so all participants use SAME IDs
   const cloudInstanceId = parseNonEmptyString(meeting.id);
@@ -234,8 +300,18 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   const roomUrl = joinedMeeting?.room_url;
 
   const handleLeave = useCallback(() => {
+    // If a fatal error occurred, don't redirect — let the error UI show
+    if (fatalError) return;
     router.push("/browse");
-  }, [router]);
+  }, [router, fatalError]);
+
+  const handleError = useCallback((ev: DailyEventObjectFatalError) => {
+    const error: FatalError = {
+      type: ev.error?.type ?? "unknown",
+      message: ev.errorMsg,
+    };
+    setFatalError(error);
+  }, []);
 
   const handleCustomButtonClick = useCallback(
     (ev: DailyEventObjectCustomButtonClick) => {
@@ -324,6 +400,7 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
     onLeftMeeting: handleLeave,
     onCustomButtonClick: handleCustomButtonClick,
     onJoinMeeting: handleFrameJoinMeeting,
+    onError: handleError,
   });
 
   useEffect(() => {
@@ -380,13 +457,27 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   }
 
   if (joinMutation.isError) {
+    const apiDetail = printApiError(
+      joinMutation.error as /*ref 095959E6-01CC-4CF0-B3A9-F65F12F046D3*/ ApiError,
+    );
     return (
       <Center width="100vw" height="100vh">
-        <Text color="red.500">Failed to join meeting. Please try again.</Text>
+        <VStack gap={4}>
+          <Text color="red.500">
+            {apiDetail ?? "Failed to join meeting. Please try again."}
+          </Text>
+          <Button onClick={() => router.push(`/${roomName}`)}>
+            Back to Room
+          </Button>
+        </VStack>
       </Center>
     );
   }
 
+  if (fatalError) {
+    return <FatalErrorScreen error={fatalError} roomName={roomName} />;
+  }
+
   if (!roomUrl) {
     return null;
   }

www/app/lib/apiHooks.ts

@@ -9,6 +9,7 @@ import { MeetingId } from "./types";
 import { NonEmptyString } from "./utils";
 
 /*
+ * ref 095959E6-01CC-4CF0-B3A9-F65F12F046D3
  * XXX error types returned from the hooks are not always correct; declared types are ValidationError but real type could be string or any other
  * this is either a limitation or incorrect usage of Python json schema generator
  * or, limitation or incorrect usage of .d type generator from json schema