fix: prevent presence race condition during WebRTC handshake

Add /joining and /joined endpoints to track user join intent before
WebRTC handshake completes. This prevents meetings from being
deactivated while users are still connecting.

- Add pending_joins Redis module with 30s TTL
- Add /joining endpoint (called before WebRTC handshake)
- Add /joined endpoint (called after connection established)
- Check for pending joins before deactivating meetings in worker
- Frontend integration with connectionId per browser tab

.gitleaksignore

@@ -4,3 +4,4 @@ docs/docs/installation/daily-setup.md:curl-auth-header:277
 gpu/self_hosted/DEV_SETUP.md:curl-auth-header:74
 gpu/self_hosted/DEV_SETUP.md:curl-auth-header:83
 server/reflector/worker/process.py:generic-api-key:465
+server/reflector/worker/process.py:generic-api-key:594

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.32.2](https://github.com/Monadical-SAS/reflector/compare/v0.32.1...v0.32.2) (2026-02-03)
+
+
+### Bug Fixes
+
+* increase TIMEOUT_MEDIUM from 2m to 5m for LLM tasks ([#843](https://github.com/Monadical-SAS/reflector/issues/843)) ([4acde4b](https://github.com/Monadical-SAS/reflector/commit/4acde4b7fdef88cc02ca12cf38c9020b05ed96ac))
+* make caddy optional ([#841](https://github.com/Monadical-SAS/reflector/issues/841)) ([a2ed7d6](https://github.com/Monadical-SAS/reflector/commit/a2ed7d60d557b551a5b64e4dfd909b63a791d9fc))
+* use Daily API recording.duration as master source for transcript duration ([#844](https://github.com/Monadical-SAS/reflector/issues/844)) ([8707c66](https://github.com/Monadical-SAS/reflector/commit/8707c6694a80c939b6214bbc13331741f192e082))
+
+## [0.32.1](https://github.com/Monadical-SAS/reflector/compare/v0.32.0...v0.32.1) (2026-01-30)
+
+
+### Bug Fixes
+
+* daily multitrack pipeline finalze dependency fix ([23eb137](https://github.com/Monadical-SAS/reflector/commit/23eb1371cb9348c4b81eb12ad506b582f8a4799e))
+* match httpx pad with hatchet audio timeout ([c05d1f0](https://github.com/Monadical-SAS/reflector/commit/c05d1f03cd8369fc06efd455527e50246887efd0))
+
 ## [0.32.0](https://github.com/Monadical-SAS/reflector/compare/v0.31.0...v0.32.0) (2026-01-30)
 
 

Caddyfile.example

@@ -1,6 +1,8 @@
-# Reflector Caddyfile
+# Reflector Caddyfile (optional reverse proxy)
-# Replace example.com with your actual domains
+# Use this only when you run Caddy via: docker compose -f docker-compose.prod.yml --profile caddy up -d
-# CORS is handled by the backend - Caddy just proxies
+# If Coolify, Traefik, or nginx already use ports 80/443, do NOT start Caddy; point your proxy at web:3000 and server:1250.
+#
+# Replace example.com with your actual domains. CORS is handled by the backend - Caddy just proxies.
 #
 # For environment variable substitution, set:
 #   FRONTEND_DOMAIN=app.example.com

docker-compose.prod.yml

@@ -1,9 +1,14 @@
 # Production Docker Compose configuration
 # Usage: docker compose -f docker-compose.prod.yml up -d
 #
+# Caddy (reverse proxy on ports 80/443) is OPTIONAL and behind the "caddy" profile:
+# - With Caddy (self-hosted, you manage SSL): docker compose -f docker-compose.prod.yml --profile caddy up -d
+# - Without Caddy (Coolify/Traefik/nginx already on 80/443): docker compose -f docker-compose.prod.yml up -d
+#   Then point your proxy at web:3000 (frontend) and server:1250 (API).
+#
 # Prerequisites:
 # 1. Copy .env.example to .env and configure for both server/ and www/
-# 2. Copy Caddyfile.example to Caddyfile and edit with your domains
+# 2. If using Caddy: copy Caddyfile.example to Caddyfile and edit your domains
 # 3. Deploy Modal GPU functions (see gpu/modal_deployments/deploy-all.sh)
 
 services:
@@ -84,6 +89,8 @@ services:
       retries: 3
 
   caddy:
+    profiles:
+      - caddy
     image: caddy:2-alpine
     restart: unless-stopped
     ports:

docs/docs/installation/docker-setup.md

@@ -11,15 +11,15 @@ This page documents the Docker Compose configuration for Reflector. For the comp
 
 The `docker-compose.prod.yml` includes these services:
 
-| Service | Image | Purpose |
+| Service    | Image                             | Purpose                                                                     |
-|---------|-------|---------|
+| ---------- | --------------------------------- | --------------------------------------------------------------------------- |
-| `web` | `monadicalsas/reflector-frontend` | Next.js frontend |
+| `web`      | `monadicalsas/reflector-frontend` | Next.js frontend                                                            |
-| `server` | `monadicalsas/reflector-backend` | FastAPI backend |
+| `server`   | `monadicalsas/reflector-backend`  | FastAPI backend                                                             |
-| `worker` | `monadicalsas/reflector-backend` | Celery worker for background tasks |
+| `worker`   | `monadicalsas/reflector-backend`  | Celery worker for background tasks                                          |
-| `beat` | `monadicalsas/reflector-backend` | Celery beat scheduler |
+| `beat`     | `monadicalsas/reflector-backend`  | Celery beat scheduler                                                       |
-| `redis` | `redis:7.2-alpine` | Message broker and cache |
+| `redis`    | `redis:7.2-alpine`                | Message broker and cache                                                    |
-| `postgres` | `postgres:17-alpine` | Primary database |
+| `postgres` | `postgres:17-alpine`              | Primary database                                                            |
-| `caddy` | `caddy:2-alpine` | Reverse proxy with auto-SSL |
+| `caddy`    | `caddy:2-alpine`                  | Reverse proxy with auto-SSL (optional; see [Caddy profile](#caddy-profile)) |
 
 ## Environment Files
 
@@ -30,6 +30,7 @@ Reflector uses two separate environment files:
 Used by: `server`, `worker`, `beat`
 
 Key variables:
+
 ```env
 # Database connection
 DATABASE_URL=postgresql+asyncpg://reflector:reflector@postgres:5432/reflector
@@ -54,6 +55,7 @@ TRANSCRIPT_MODAL_API_KEY=...
 Used by: `web`
 
 Key variables:
+
 ```env
 # Domain configuration
 SITE_URL=https://app.example.com
@@ -70,26 +72,42 @@ Note: `API_URL` is used client-side (browser), `SERVER_API_URL` is used server-s
 
 ## Volumes
 
-| Volume | Purpose |
+| Volume          | Purpose                       |
-|--------|---------|
+| --------------- | ----------------------------- |
-| `redis_data` | Redis persistence |
+| `redis_data`    | Redis persistence             |
-| `postgres_data` | PostgreSQL data |
+| `postgres_data` | PostgreSQL data               |
-| `server_data` | Uploaded files, local storage |
+| `server_data`   | Uploaded files, local storage |
-| `caddy_data` | SSL certificates |
+| `caddy_data`    | SSL certificates              |
-| `caddy_config` | Caddy configuration |
+| `caddy_config`  | Caddy configuration           |
 
 ## Network
 
 All services share the default network. The network is marked `attachable: true` to allow external containers (like Authentik) to join.
 
+## Caddy profile
+
+Caddy (ports 80 and 443) is **optional** and behind the `caddy` profile so it does not conflict with an existing reverse proxy (e.g. Coolify, Traefik, nginx).
+
+- **With Caddy** (you want Reflector to handle SSL):
+  `docker compose -f docker-compose.prod.yml --profile caddy up -d`
+- **Without Caddy** (Coolify or another proxy already on 80/443):
+  `docker compose -f docker-compose.prod.yml up -d`
+  Then configure your proxy to send traffic to `web:3000` (frontend) and `server:1250` (API).
+
 ## Common Commands
 
 ### Start all services
+
 ```bash
+# Without Caddy (e.g. when using Coolify)
 docker compose -f docker-compose.prod.yml up -d
+
+# With Caddy as reverse proxy
+docker compose -f docker-compose.prod.yml --profile caddy up -d
 ```
 
 ### View logs
+
 ```bash
 # All services
 docker compose -f docker-compose.prod.yml logs -f
@@ -99,6 +117,7 @@ docker compose -f docker-compose.prod.yml logs server --tail 50
 ```
 
 ### Restart a service
+
 ```bash
 # Quick restart (doesn't reload .env changes)
 docker compose -f docker-compose.prod.yml restart server
@@ -108,27 +127,32 @@ docker compose -f docker-compose.prod.yml up -d server
 ```
 
 ### Run database migrations
+
 ```bash
 docker compose -f docker-compose.prod.yml exec server uv run alembic upgrade head
 ```
 
 ### Access database
+
 ```bash
 docker compose -f docker-compose.prod.yml exec postgres psql -U reflector
 ```
 
 ### Pull latest images
+
 ```bash
 docker compose -f docker-compose.prod.yml pull
 docker compose -f docker-compose.prod.yml up -d
 ```
 
 ### Stop all services
+
 ```bash
 docker compose -f docker-compose.prod.yml down
 ```
 
 ### Full reset (WARNING: deletes data)
+
 ```bash
 docker compose -f docker-compose.prod.yml down -v
 ```
@@ -187,6 +211,7 @@ The Caddyfile supports environment variable substitution:
 Set `FRONTEND_DOMAIN` and `API_DOMAIN` environment variables, or edit the file directly.
 
 ### Reload Caddy after changes
+
 ```bash
 docker compose -f docker-compose.prod.yml exec caddy caddy reload --config /etc/caddy/Caddyfile
 ```

docs/docs/installation/overview.md

@@ -26,7 +26,7 @@ flowchart LR
 
 Before starting, you need:
 
-- **Production server** -  4+ cores, 8GB+ RAM, public IP
+- **Production server** - 4+ cores, 8GB+ RAM, public IP
 - **Two domain names** - e.g., `app.example.com` (frontend) and `api.example.com` (backend)
 - **GPU processing** - Choose one:
   - Modal.com account, OR
@@ -60,16 +60,17 @@ Type: A    Name: api    Value: <your-server-ip>
 
 Reflector requires GPU processing for transcription and speaker diarization. Choose one option:
 
-| | **Modal.com (Cloud)** | **Self-Hosted GPU** |
+|              | **Modal.com (Cloud)**             | **Self-Hosted GPU**          |
-|---|---|---|
+| ------------ | --------------------------------- | ---------------------------- |
 | **Best for** | No GPU hardware, zero maintenance | Own GPU server, full control |
-| **Pricing** | Pay-per-use | Fixed infrastructure cost |
+| **Pricing**  | Pay-per-use                       | Fixed infrastructure cost    |
 
 ### Option A: Modal.com (Serverless Cloud GPU)
 
 #### Accept HuggingFace Licenses
 
 Visit both pages and click "Accept":
+
 - https://huggingface.co/pyannote/speaker-diarization-3.1
 - https://huggingface.co/pyannote/segmentation-3.0
 
@@ -179,6 +180,7 @@ Save these credentials - you'll need them in the next step.
 ## Configure Environment
 
 Reflector has two env files:
+
 - `server/.env` - Backend configuration
 - `www/.env` - Frontend configuration
 
@@ -190,6 +192,7 @@ nano server/.env
 ```
 
 **Required settings:**
+
 ```env
 # Database (defaults work with docker-compose.prod.yml)
 DATABASE_URL=postgresql+asyncpg://reflector:reflector@postgres:5432/reflector
@@ -249,6 +252,7 @@ nano www/.env
 ```
 
 **Required settings:**
+
 ```env
 # Your domains
 SITE_URL=https://app.example.com
@@ -266,7 +270,11 @@ FEATURE_REQUIRE_LOGIN=false
 
 ---
 
-## Configure Caddy
+## Reverse proxy (Caddy or existing)
+
+**If Coolify, Traefik, or nginx already use ports 80/443** (e.g. Coolify on your host): skip Caddy. Start the stack without the Caddy profile (see [Start Services](#start-services) below), then point your proxy at `web:3000` (frontend) and `server:1250` (API).
+
+**If you want Reflector to provide the reverse proxy and SSL:**
 
 ```bash
 cp Caddyfile.example Caddyfile
@@ -289,10 +297,18 @@ Replace `example.com` with your domains. The `{$VAR:default}` syntax uses Caddy'
 
 ## Start Services
 
+**Without Caddy** (e.g. Coolify already on 80/443):
+
 ```bash
 docker compose -f docker-compose.prod.yml up -d
 ```
 
+**With Caddy** (Reflector handles SSL):
+
+```bash
+docker compose -f docker-compose.prod.yml --profile caddy up -d
+```
+
 Wait for containers to start (first run may take 1-2 minutes to pull images and initialize).
 
 ---
@@ -300,18 +316,21 @@ Wait for containers to start (first run may take 1-2 minutes to pull images and
 ## Verify Deployment
 
 ### Check services
+
 ```bash
 docker compose -f docker-compose.prod.yml ps
 # All should show "Up"
 ```
 
 ### Test API
+
 ```bash
 curl https://api.example.com/health
 # Should return: {"status":"healthy"}
 ```
 
 ### Test Frontend
+
 - Visit https://app.example.com
 - You should see the Reflector interface
 - Try uploading an audio file to test transcription
@@ -327,6 +346,7 @@ By default, Reflector is open (no login required). **Authentication is required
 See [Authentication Setup](./auth-setup) for full Authentik OAuth configuration.
 
 Quick summary:
+
 1. Deploy Authentik on your server
 2. Create OAuth provider in Authentik
 3. Extract public key for JWT verification
@@ -358,6 +378,7 @@ DAILYCO_STORAGE_AWS_ROLE_ARN=<arn:aws:iam::ACCOUNT:role/DailyCo>
 ```
 
 Reload env and restart:
+
 ```bash
 docker compose -f docker-compose.prod.yml up -d server worker
 ```
@@ -367,35 +388,43 @@ docker compose -f docker-compose.prod.yml up -d server worker
 ## Troubleshooting
 
 ### Check logs for errors
+
 ```bash
 docker compose -f docker-compose.prod.yml logs server --tail 20
 docker compose -f docker-compose.prod.yml logs worker --tail 20
 ```
 
 ### Services won't start
+
 ```bash
 docker compose -f docker-compose.prod.yml logs
 ```
 
 ### CORS errors in browser
+
 - Verify `CORS_ORIGIN` in `server/.env` matches your frontend domain exactly (including `https://`)
 - Reload env: `docker compose -f docker-compose.prod.yml up -d server`
 
-### SSL certificate errors
+### SSL certificate errors (when using Caddy)
+
 - Caddy auto-provisions Let's Encrypt certificates
-- Ensure ports 80 and 443 are open
+- Ensure ports 80 and 443 are open and not used by another proxy
 - Check: `docker compose -f docker-compose.prod.yml logs caddy`
+- If port 80 is already in use (e.g. by Coolify), run without Caddy: `docker compose -f docker-compose.prod.yml up -d` and use your existing proxy
 
 ### Transcription not working
+
 - Check Modal dashboard: https://modal.com/apps
 - Verify URLs in `server/.env` match deployed functions
 - Check worker logs: `docker compose -f docker-compose.prod.yml logs worker`
 
 ### "Login required" but auth not configured
+
 - Set `FEATURE_REQUIRE_LOGIN=false` in `www/.env`
 - Rebuild frontend: `docker compose -f docker-compose.prod.yml up -d --force-recreate web`
 
 ### Database migrations or connectivity issues
+
 Migrations run automatically on server startup. To check database connectivity or debug migration failures:
 
 ```bash
@@ -408,4 +437,3 @@ docker compose -f docker-compose.prod.yml exec server uv run python -c "from ref
 # Manually run migrations (if needed)
 docker compose -f docker-compose.prod.yml exec server uv run alembic upgrade head
 ```
-

gpu/self_hosted/Dockerfile

@@ -4,27 +4,31 @@ ENV PYTHONUNBUFFERED=1 \
     UV_LINK_MODE=copy \
     UV_NO_CACHE=1
 
+# patch until nvidia updates the sha1 repo
+ADD sequoia.config /etc/crypto-policies/back-ends/sequoia.config
+
 WORKDIR /tmp
-RUN apt-get update \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ apt-get update \
  && apt-get install -y \
     ffmpeg \
     curl \
     ca-certificates \
     gnupg \
-    wget \
+    wget
- && apt-get clean
 # Add NVIDIA CUDA repo for Debian 12 (bookworm) and install cuDNN 9 for CUDA 12
 ADD https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64/cuda-keyring_1.1-1_all.deb /cuda-keyring.deb
-RUN dpkg -i /cuda-keyring.deb \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ dpkg -i /cuda-keyring.deb \
  && rm /cuda-keyring.deb \
  && apt-get update \
  && apt-get install -y --no-install-recommends \
     cuda-cudart-12-6 \
     libcublas-12-6 \
     libcudnn9-cuda-12 \
-    libcudnn9-dev-cuda-12 \
+    libcudnn9-dev-cuda-12
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
 ADD https://astral.sh/uv/install.sh /uv-installer.sh
 RUN sh /uv-installer.sh && rm /uv-installer.sh
 ENV PATH="/root/.local/bin/:$PATH"
@@ -39,6 +43,13 @@ COPY ./app /app/app
 COPY ./main.py /app/
 COPY ./runserver.sh /app/
 
+# prevent uv failing with too many open files on big cpus
+ENV UV_CONCURRENT_INSTALLS=16
+
+# first install
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --compile-bytecode --locked
+
 EXPOSE 8000
 
 CMD ["sh", "/app/runserver.sh"]

gpu/self_hosted/sequoia.config

@@ -0,0 +1,2 @@
+[hash_algorithms]
+sha1 = "always"

server/reflector/hatchet/constants.py

@@ -35,7 +35,9 @@ LLM_RATE_LIMIT_PER_SECOND = 10
 
 # Task execution timeouts (seconds)
 TIMEOUT_SHORT = 60  # Quick operations: API calls, DB updates
-TIMEOUT_MEDIUM = 120  # Single LLM calls, waveform generation
+TIMEOUT_MEDIUM = (
+    300  # Single LLM calls, waveform generation (5m for slow LLM responses)
+)
 TIMEOUT_LONG = 180  # Action items (larger context LLM)
 TIMEOUT_AUDIO = 720  # Audio processing: padding, mixdown
 TIMEOUT_HEAVY = 600  # Transcription, fan-out LLM tasks

server/reflector/hatchet/workflows/daily_multitrack_pipeline.py

@@ -322,6 +322,7 @@ async def get_participants(input: PipelineInput, ctx: Context) -> ParticipantsRe
     mtg_session_id = recording.mtg_session_id
     async with fresh_db_connection():
         from reflector.db.transcripts import (  # noqa: PLC0415
+            TranscriptDuration,
             TranscriptParticipant,
             transcripts_controller,
         )
@@ -330,15 +331,26 @@ async def get_participants(input: PipelineInput, ctx: Context) -> ParticipantsRe
         if not transcript:
             raise ValueError(f"Transcript {input.transcript_id} not found")
         # Note: title NOT cleared - preserves existing titles
+        # Duration from Daily API (seconds -> milliseconds) - master source
+        duration_ms = recording.duration * 1000 if recording.duration else 0
         await transcripts_controller.update(
             transcript,
             {
                 "events": [],
                 "topics": [],
                 "participants": [],
+                "duration": duration_ms,
             },
         )
 
+        await append_event_and_broadcast(
+            input.transcript_id,
+            transcript,
+            "DURATION",
+            TranscriptDuration(duration=duration_ms),
+            logger=logger,
+        )
+
         mtg_session_id = assert_non_none_and_non_empty(
             mtg_session_id, "mtg_session_id is required"
         )
@@ -1095,7 +1107,7 @@ async def identify_action_items(
 
 
 @daily_multitrack_pipeline.task(
-    parents=[generate_title, generate_recap, identify_action_items],
+    parents=[process_tracks, generate_title, generate_recap, identify_action_items],
     execution_timeout=timedelta(seconds=TIMEOUT_SHORT),
     retries=3,
 )
@@ -1108,12 +1120,8 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
     """
     ctx.log("finalize: saving transcript and setting status to 'ended'")
 
-    mixdown_result = ctx.task_output(mixdown_tracks)
     track_result = ctx.task_output(process_tracks)
 
-    duration = mixdown_result.duration
-    all_words = track_result.all_words
-
     # Cleanup temporary padded S3 files (deferred until finalize for semantic parity with Celery)
     created_padded_files = track_result.created_padded_files
     if created_padded_files:
@@ -1133,7 +1141,6 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
 
     async with fresh_db_connection():
         from reflector.db.transcripts import (  # noqa: PLC0415
-            TranscriptDuration,
             TranscriptText,
             transcripts_controller,
         )
@@ -1142,8 +1149,6 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
         if transcript is None:
             raise ValueError(f"Transcript {input.transcript_id} not found in database")
 
-        merged_transcript = TranscriptType(words=all_words, translation=None)
-
         await append_event_and_broadcast(
             input.transcript_id,
             transcript,
@@ -1155,21 +1160,15 @@ async def finalize(input: PipelineInput, ctx: Context) -> FinalizeResult:
             logger=logger,
         )
 
-        # Save duration and clear workflow_run_id (workflow completed successfully)
+        # Clear workflow_run_id (workflow completed successfully)
-        # Note: title/long_summary/short_summary already saved by their callbacks
+        # Note: title/long_summary/short_summary/duration already saved by their callbacks
         await transcripts_controller.update(
             transcript,
             {
-                "duration": duration,
                 "workflow_run_id": None,  # Clear on success - no need to resume
             },
         )
 
-        duration_data = TranscriptDuration(duration=duration)
-        await append_event_and_broadcast(
-            input.transcript_id, transcript, "DURATION", duration_data, logger=logger
-        )
-
         await set_status_and_broadcast(input.transcript_id, "ended", logger=logger)
 
         ctx.log(

server/reflector/presence/__init__.py

@@ -0,0 +1,17 @@
+"""Presence tracking for meetings."""
+
+from reflector.presence.pending_joins import (
+    PENDING_JOIN_PREFIX,
+    PENDING_JOIN_TTL,
+    create_pending_join,
+    delete_pending_join,
+    has_pending_joins,
+)
+
+__all__ = [
+    "PENDING_JOIN_PREFIX",
+    "PENDING_JOIN_TTL",
+    "create_pending_join",
+    "delete_pending_join",
+    "has_pending_joins",
+]

server/reflector/presence/pending_joins.py

@@ -0,0 +1,59 @@
+"""Track pending join intents in Redis.
+
+When a user signals intent to join a meeting (before WebRTC handshake completes),
+we store a pending join record. This prevents the meeting from being deactivated
+while users are still connecting.
+"""
+
+import time
+
+from redis.asyncio import Redis
+
+from reflector.logger import logger
+
+PENDING_JOIN_TTL = 30  # seconds
+PENDING_JOIN_PREFIX = "pending_join"
+# Max keys to scan per Redis SCAN iteration
+SCAN_BATCH_SIZE = 100
+
+
+async def create_pending_join(redis: Redis, meeting_id: str, user_id: str) -> None:
+    """Create a pending join record. Called before WebRTC handshake."""
+    key = f"{PENDING_JOIN_PREFIX}:{meeting_id}:{user_id}"
+    log = logger.bind(meeting_id=meeting_id, user_id=user_id, key=key)
+    await redis.setex(key, PENDING_JOIN_TTL, str(time.time()))
+    log.debug("Created pending join")
+
+
+async def delete_pending_join(redis: Redis, meeting_id: str, user_id: str) -> None:
+    """Delete pending join. Called after WebRTC connection established."""
+    key = f"{PENDING_JOIN_PREFIX}:{meeting_id}:{user_id}"
+    log = logger.bind(meeting_id=meeting_id, user_id=user_id, key=key)
+    await redis.delete(key)
+    log.debug("Deleted pending join")
+
+
+async def has_pending_joins(redis: Redis, meeting_id: str) -> bool:
+    """Check if meeting has any pending joins.
+
+    Uses Redis SCAN to iterate through all keys matching the pattern.
+    Properly iterates until cursor returns 0 to ensure all keys are checked.
+    """
+    pattern = f"{PENDING_JOIN_PREFIX}:{meeting_id}:*"
+    log = logger.bind(meeting_id=meeting_id, pattern=pattern)
+
+    cursor = 0
+    iterations = 0
+    while True:
+        cursor, keys = await redis.scan(
+            cursor=cursor, match=pattern, count=SCAN_BATCH_SIZE
+        )
+        iterations += 1
+        if keys:
+            log.debug("Found pending joins", count=len(keys), iterations=iterations)
+            return True
+        if cursor == 0:
+            break
+
+    log.debug("No pending joins found", iterations=iterations)
+    return False

server/reflector/processors/audio_padding_modal.py

@@ -8,6 +8,7 @@ import os
 import httpx
 from pydantic import BaseModel
 
+from reflector.hatchet.constants import TIMEOUT_AUDIO
 from reflector.logger import logger
 
 
@@ -63,7 +64,7 @@ class AudioPaddingModalProcessor:
             headers["Authorization"] = f"Bearer {self.modal_api_key}"
 
         try:
-            async with httpx.AsyncClient() as client:
+            async with httpx.AsyncClient(timeout=TIMEOUT_AUDIO) as client:
                 response = await client.post(
                     url,
                     headers=headers,

server/reflector/views/rooms.py

@@ -1,4 +1,3 @@
-import logging
 from datetime import datetime, timedelta, timezone
 from enum import Enum
 from typing import Annotated, Any, Literal, Optional
@@ -14,16 +13,17 @@ from reflector.db import get_database
 from reflector.db.calendar_events import calendar_events_controller
 from reflector.db.meetings import meetings_controller
 from reflector.db.rooms import rooms_controller
-from reflector.redis_cache import RedisAsyncLock
+from reflector.logger import logger
+from reflector.presence.pending_joins import create_pending_join, delete_pending_join
+from reflector.redis_cache import RedisAsyncLock, get_async_redis_client
 from reflector.schemas.platform import Platform
 from reflector.services.ics_sync import ics_sync_service
 from reflector.settings import settings
+from reflector.utils.string import NonEmptyString
 from reflector.utils.url import add_query_param
 from reflector.video_platforms.factory import create_platform_client
 from reflector.worker.webhook import test_webhook
 
-logger = logging.getLogger(__name__)
-
 
 class Room(BaseModel):
     id: str
@@ -597,3 +597,112 @@ async def rooms_join_meeting(
         meeting.room_url = add_query_param(meeting.room_url, "t", token)
 
     return meeting
+
+
+class JoiningRequest(BaseModel):
+    """Request body for /joining and /joined endpoints."""
+
+    connection_id: NonEmptyString
+    """Unique identifier for this connection. Should be a UUID generated by the client.
+    Must be the same value for both /joining and /joined calls from the same tab."""
+
+
+class JoiningResponse(BaseModel):
+    status: Literal["ok"]
+
+
+def _get_pending_join_key(
+    user: Optional[auth.UserInfo], connection_id: NonEmptyString
+) -> str:
+    """Get a unique key for pending join tracking.
+
+    Uses user ID for authenticated users, connection_id for anonymous users.
+    This ensures each browser tab has its own unique pending join record.
+    """
+    if user:
+        return f"{user['sub']}:{connection_id}"
+    return f"anon:{connection_id}"
+
+
+@router.post(
+    "/rooms/{room_name}/meetings/{meeting_id}/joining", response_model=JoiningResponse
+)
+async def meeting_joining(
+    room_name: str,
+    meeting_id: str,
+    body: JoiningRequest,
+    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+) -> JoiningResponse:
+    """Signal intent to join meeting. Called before WebRTC handshake starts.
+
+    This creates a pending join record that prevents the meeting from being
+    deactivated while the WebRTC handshake is in progress. The record expires
+    automatically after 30 seconds if the connection is not established.
+    """
+    log = logger.bind(
+        room_name=room_name, meeting_id=meeting_id, connection_id=body.connection_id
+    )
+
+    room = await rooms_controller.get_by_name(room_name)
+    if not room:
+        raise HTTPException(status_code=404, detail="Room not found")
+
+    meeting = await meetings_controller.get_by_id(meeting_id, room=room)
+    if not meeting:
+        raise HTTPException(status_code=404, detail="Meeting not found")
+
+    if not meeting.is_active:
+        raise HTTPException(status_code=400, detail="Meeting is not active")
+
+    join_key = _get_pending_join_key(user, body.connection_id)
+
+    redis = await get_async_redis_client()
+    try:
+        await create_pending_join(redis, meeting_id, join_key)
+        log.debug("Created pending join intent", join_key=join_key)
+    finally:
+        await redis.aclose()
+
+    return JoiningResponse(status="ok")
+
+
+@router.post(
+    "/rooms/{room_name}/meetings/{meeting_id}/joined", response_model=JoiningResponse
+)
+async def meeting_joined(
+    room_name: str,
+    meeting_id: str,
+    body: JoiningRequest,
+    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+) -> JoiningResponse:
+    """Signal that WebRTC connection is established.
+
+    This clears the pending join record, confirming the user has successfully
+    connected to the meeting. Safe to call even if meeting was deactivated
+    during the handshake (idempotent cleanup).
+    """
+    log = logger.bind(
+        room_name=room_name, meeting_id=meeting_id, connection_id=body.connection_id
+    )
+
+    room = await rooms_controller.get_by_name(room_name)
+    if not room:
+        raise HTTPException(status_code=404, detail="Room not found")
+
+    meeting = await meetings_controller.get_by_id(meeting_id, room=room)
+    if not meeting:
+        raise HTTPException(status_code=404, detail="Meeting not found")
+
+    # Note: We don't check is_active here - the /joined call is a cleanup operation
+    # and should succeed even if the meeting was deactivated during the handshake
+
+    join_key = _get_pending_join_key(user, body.connection_id)
+
+    redis = await get_async_redis_client()
+    try:
+        await delete_pending_join(redis, meeting_id, join_key)
+        log.debug("Cleared pending join intent", join_key=join_key)
+    finally:
+        await redis.aclose()
+
+    return JoiningResponse(status="ok")

server/reflector/worker/process.py

@@ -31,9 +31,10 @@ from reflector.pipelines.main_multitrack_pipeline import (
     task_pipeline_multitrack_process,
 )
 from reflector.pipelines.topic_processing import EmptyPipeline
+from reflector.presence.pending_joins import has_pending_joins
 from reflector.processors import AudioFileWriterProcessor
 from reflector.processors.audio_waveform_processor import AudioWaveformProcessor
-from reflector.redis_cache import RedisAsyncLock
+from reflector.redis_cache import RedisAsyncLock, get_async_redis_client
 from reflector.settings import settings
 from reflector.storage import get_transcripts_storage
 from reflector.utils.daily import (
@@ -869,6 +870,18 @@ async def process_meetings():
                     logger_.debug("Meeting not yet started, keep it")
 
                 if should_deactivate:
+                    # Check for pending joins before deactivating
+                    # Users might be in the process of connecting via WebRTC
+                    redis = await get_async_redis_client()
+                    try:
+                        if await has_pending_joins(redis, meeting.id):
+                            logger_.info(
+                                "Meeting has pending joins, skipping deactivation"
+                            )
+                            continue
+                    finally:
+                        await redis.aclose()
+
                     await meetings_controller.update_meeting(
                         meeting.id, is_active=False
                     )

server/reflector/ws_manager.py

@@ -11,7 +11,6 @@ broadcast messages to all connected websockets.
 
 import asyncio
 import json
-import threading
 
 import redis.asyncio as redis
 from fastapi import WebSocket
@@ -98,6 +97,7 @@ class WebsocketManager:
 
     async def _pubsub_data_reader(self, pubsub_subscriber):
         while True:
+            # timeout=1.0 prevents tight CPU loop when no messages available
             message = await pubsub_subscriber.get_message(
                 ignore_subscribe_messages=True
             )
@@ -109,29 +109,38 @@ class WebsocketManager:
                     await socket.send_json(data)
 
 
+# Process-global singleton to ensure only one WebsocketManager instance exists.
+# Multiple instances would cause resource leaks and CPU issues.
+_ws_manager: WebsocketManager | None = None
+
+
 def get_ws_manager() -> WebsocketManager:
     """
-    Returns the WebsocketManager instance for managing websockets.
+    Returns the global WebsocketManager singleton.
 
-    This function initializes and returns the WebsocketManager instance,
+    Creates instance on first call, subsequent calls return cached instance.
-    which is responsible for managing websockets and handling websocket
+    Thread-safe via GIL. Concurrent initialization may create duplicate
-    connections.
+    instances but last write wins (acceptable for this use case).
 
     Returns:
-        WebsocketManager: The initialized WebsocketManager instance.
+        WebsocketManager: The global WebsocketManager instance.
-
-    Raises:
-        ImportError: If the 'reflector.settings' module cannot be imported.
-        RedisConnectionError: If there is an error connecting to the Redis server.
     """
-    local = threading.local()
+    global _ws_manager
-    if hasattr(local, "ws_manager"):
-        return local.ws_manager
 
+    if _ws_manager is not None:
+        return _ws_manager
+
+    # No lock needed - GIL makes this safe enough
+    # Worst case: race creates two instances, last assignment wins
     pubsub_client = RedisPubSubManager(
         host=settings.REDIS_HOST,
         port=settings.REDIS_PORT,
     )
-    ws_manager = WebsocketManager(pubsub_client=pubsub_client)
+    _ws_manager = WebsocketManager(pubsub_client=pubsub_client)
-    local.ws_manager = ws_manager
+    return _ws_manager
-    return ws_manager
+
+
+def reset_ws_manager() -> None:
+    """Reset singleton for testing. DO NOT use in production."""
+    global _ws_manager
+    _ws_manager = None

server/tests/conftest.py

@@ -1,6 +1,5 @@
 import os
 from contextlib import asynccontextmanager
-from tempfile import NamedTemporaryFile
 from unittest.mock import patch
 
 import pytest
@@ -333,11 +332,14 @@ def celery_enable_logging():
 
 @pytest.fixture(scope="session")
 def celery_config():
-    with NamedTemporaryFile() as f:
+    redis_host = os.environ.get("REDIS_HOST", "localhost")
-        yield {
+    redis_port = os.environ.get("REDIS_PORT", "6379")
-            "broker_url": "memory://",
+    # Use db 2 to avoid conflicts with main app
-            "result_backend": f"db+sqlite:///{f.name}",
+    redis_url = f"redis://{redis_host}:{redis_port}/2"
-        }
+    yield {
+        "broker_url": redis_url,
+        "result_backend": redis_url,
+    }
 
 
 @pytest.fixture(scope="session")
@@ -370,9 +372,12 @@ async def ws_manager_in_memory(monkeypatch):
         def __init__(self, queue: asyncio.Queue):
             self.queue = queue
 
-        async def get_message(self, ignore_subscribe_messages: bool = True):
+        async def get_message(
+            self, ignore_subscribe_messages: bool = True, timeout: float | None = None
+        ):
+            wait_timeout = timeout if timeout is not None else 0.05
             try:
-                return await asyncio.wait_for(self.queue.get(), timeout=0.05)
+                return await asyncio.wait_for(self.queue.get(), timeout=wait_timeout)
             except Exception:
                 return None
 

server/tests/test_joining_endpoint.py

@@ -0,0 +1,362 @@
+"""Integration tests for /joining and /joined endpoints.
+
+Tests for the join intent tracking to prevent race conditions during
+WebRTC handshake when users join meetings.
+"""
+
+from datetime import datetime, timedelta, timezone
+from unittest.mock import AsyncMock, patch
+
+import pytest
+
+from reflector.db.meetings import Meeting
+from reflector.presence.pending_joins import PENDING_JOIN_PREFIX
+
+TEST_CONNECTION_ID = "test-connection-uuid-12345"
+
+
+@pytest.fixture
+def mock_room():
+    """Mock room object."""
+    from reflector.db.rooms import Room
+
+    return Room(
+        id="room-123",
+        name="test-room",
+        user_id="owner-user",
+        created_at=datetime.now(timezone.utc),
+        zulip_auto_post=False,
+        zulip_stream="",
+        zulip_topic="",
+        is_locked=False,
+        room_mode="normal",
+        recording_type="cloud",
+        recording_trigger="automatic",
+        is_shared=True,
+        platform="daily",
+        skip_consent=False,
+    )
+
+
+@pytest.fixture
+def mock_meeting():
+    """Mock meeting object."""
+    now = datetime.now(timezone.utc)
+    return Meeting(
+        id="meeting-456",
+        room_id="room-123",
+        room_name="test-room-20251118120000",
+        room_url="https://daily.co/test-room-20251118120000",
+        host_room_url="https://daily.co/test-room-20251118120000?t=host",
+        platform="daily",
+        num_clients=0,
+        is_active=True,
+        start_date=now,
+        end_date=now + timedelta(hours=1),
+    )
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_joining_endpoint_creates_pending_join(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+    authenticated_client,
+):
+    """Test that /joining endpoint creates pending join in Redis."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.setex = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    response = await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {"status": "ok"}
+
+    # Verify Redis setex was called with correct key pattern
+    mock_redis.setex.assert_called_once()
+    call_args = mock_redis.setex.call_args[0]
+    assert call_args[0].startswith(f"{PENDING_JOIN_PREFIX}:{mock_meeting.id}:")
+    assert TEST_CONNECTION_ID in call_args[0]
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_joined_endpoint_deletes_pending_join(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+    authenticated_client,
+):
+    """Test that /joined endpoint deletes pending join from Redis."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.delete = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    response = await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joined",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {"status": "ok"}
+
+    # Verify Redis delete was called with correct key pattern
+    mock_redis.delete.assert_called_once()
+    call_args = mock_redis.delete.call_args[0]
+    assert call_args[0].startswith(f"{PENDING_JOIN_PREFIX}:{mock_meeting.id}:")
+    assert TEST_CONNECTION_ID in call_args[0]
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+async def test_joining_endpoint_room_not_found(
+    mock_get_room,
+    client,
+    authenticated_client,
+):
+    """Test that /joining returns 404 when room not found."""
+    mock_get_room.return_value = None
+
+    response = await client.post(
+        "/rooms/nonexistent-room/meetings/meeting-123/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Room not found"
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+async def test_joining_endpoint_meeting_not_found(
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    client,
+    authenticated_client,
+):
+    """Test that /joining returns 404 when meeting not found."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = None
+
+    response = await client.post(
+        f"/rooms/{mock_room.name}/meetings/nonexistent-meeting/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Meeting not found"
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+async def test_joining_endpoint_meeting_not_active(
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+    authenticated_client,
+):
+    """Test that /joining returns 400 when meeting is not active."""
+    mock_get_room.return_value = mock_room
+    inactive_meeting = mock_meeting.model_copy(update={"is_active": False})
+    mock_get_meeting.return_value = inactive_meeting
+
+    response = await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Meeting is not active"
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_joining_endpoint_anonymous_user(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+):
+    """Test that /joining works for anonymous users with unique connection_id."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.setex = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    response = await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {"status": "ok"}
+
+    # Verify Redis setex was called with "anon:" prefix and connection_id
+    call_args = mock_redis.setex.call_args[0]
+    assert ":anon:" in call_args[0]
+    assert TEST_CONNECTION_ID in call_args[0]
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_joining_endpoint_redis_closed_on_success(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+    authenticated_client,
+):
+    """Test that Redis connection is closed after successful operation."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.setex = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": TEST_CONNECTION_ID},
+    )
+
+    mock_redis.aclose.assert_called_once()
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_joining_endpoint_redis_closed_on_error(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+    authenticated_client,
+):
+    """Test that Redis connection is closed even when operation fails."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.setex = AsyncMock(side_effect=Exception("Redis error"))
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    with pytest.raises(Exception):
+        await client.post(
+            f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+            json={"connection_id": TEST_CONNECTION_ID},
+        )
+
+    mock_redis.aclose.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_joining_endpoint_requires_connection_id(
+    client,
+):
+    """Test that /joining returns 422 when connection_id is missing."""
+    response = await client.post(
+        "/rooms/test-room/meetings/meeting-123/joining",
+        json={},
+    )
+
+    assert response.status_code == 422  # Validation error
+
+
+@pytest.mark.asyncio
+async def test_joining_endpoint_rejects_empty_connection_id(
+    client,
+):
+    """Test that /joining returns 422 when connection_id is empty string."""
+    response = await client.post(
+        "/rooms/test-room/meetings/meeting-123/joining",
+        json={"connection_id": ""},
+    )
+
+    assert response.status_code == 422  # Validation error (NonEmptyString)
+
+
+@pytest.mark.asyncio
+@patch("reflector.views.rooms.rooms_controller.get_by_name")
+@patch("reflector.views.rooms.meetings_controller.get_by_id")
+@patch("reflector.views.rooms.get_async_redis_client")
+async def test_different_connection_ids_create_different_keys(
+    mock_get_redis,
+    mock_get_meeting,
+    mock_get_room,
+    mock_room,
+    mock_meeting,
+    client,
+):
+    """Test that different connection_ids create different Redis keys."""
+    mock_get_room.return_value = mock_room
+    mock_get_meeting.return_value = mock_meeting
+
+    mock_redis = AsyncMock()
+    mock_redis.setex = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    # First connection
+    await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": "connection-1"},
+    )
+    key1 = mock_redis.setex.call_args[0][0]
+
+    mock_redis.setex.reset_mock()
+
+    # Second connection (different tab)
+    await client.post(
+        f"/rooms/{mock_room.name}/meetings/{mock_meeting.id}/joining",
+        json={"connection_id": "connection-2"},
+    )
+    key2 = mock_redis.setex.call_args[0][0]
+
+    # Keys should be different
+    assert key1 != key2
+    assert "connection-1" in key1
+    assert "connection-2" in key2

server/tests/test_pending_joins.py

@@ -0,0 +1,153 @@
+"""Tests for pending joins Redis helper functions.
+
+TDD tests for tracking join intent to prevent race conditions during
+WebRTC handshake when users join meetings.
+"""
+
+from unittest.mock import AsyncMock
+
+import pytest
+
+from reflector.presence.pending_joins import (
+    PENDING_JOIN_PREFIX,
+    PENDING_JOIN_TTL,
+    create_pending_join,
+    delete_pending_join,
+    has_pending_joins,
+)
+
+
+@pytest.fixture
+def mock_redis():
+    """Mock async Redis client."""
+    redis = AsyncMock()
+    redis.setex = AsyncMock()
+    redis.delete = AsyncMock()
+    redis.scan = AsyncMock(return_value=(0, []))
+    return redis
+
+
+@pytest.mark.asyncio
+async def test_create_pending_join_sets_key_with_ttl(mock_redis):
+    """Test that create_pending_join stores key with correct TTL."""
+    meeting_id = "meeting-123"
+    user_id = "user-456"
+
+    await create_pending_join(mock_redis, meeting_id, user_id)
+
+    expected_key = f"{PENDING_JOIN_PREFIX}:{meeting_id}:{user_id}"
+    mock_redis.setex.assert_called_once()
+    call_args = mock_redis.setex.call_args
+    assert call_args[0][0] == expected_key
+    assert call_args[0][1] == PENDING_JOIN_TTL
+    # Value should be a timestamp string
+    assert call_args[0][2] is not None
+
+
+@pytest.mark.asyncio
+async def test_delete_pending_join_removes_key(mock_redis):
+    """Test that delete_pending_join removes the key."""
+    meeting_id = "meeting-123"
+    user_id = "user-456"
+
+    await delete_pending_join(mock_redis, meeting_id, user_id)
+
+    expected_key = f"{PENDING_JOIN_PREFIX}:{meeting_id}:{user_id}"
+    mock_redis.delete.assert_called_once_with(expected_key)
+
+
+@pytest.mark.asyncio
+async def test_has_pending_joins_returns_false_when_no_keys(mock_redis):
+    """Test has_pending_joins returns False when no matching keys."""
+    mock_redis.scan.return_value = (0, [])
+
+    result = await has_pending_joins(mock_redis, "meeting-123")
+
+    assert result is False
+    mock_redis.scan.assert_called_once()
+    call_kwargs = mock_redis.scan.call_args.kwargs
+    assert call_kwargs["match"] == f"{PENDING_JOIN_PREFIX}:meeting-123:*"
+
+
+@pytest.mark.asyncio
+async def test_has_pending_joins_returns_true_when_keys_exist(mock_redis):
+    """Test has_pending_joins returns True when matching keys found."""
+    mock_redis.scan.return_value = (0, [b"pending_join:meeting-123:user-1"])
+
+    result = await has_pending_joins(mock_redis, "meeting-123")
+
+    assert result is True
+
+
+@pytest.mark.asyncio
+async def test_has_pending_joins_scans_with_correct_pattern(mock_redis):
+    """Test has_pending_joins uses correct scan pattern."""
+    meeting_id = "meeting-abc-def"
+    mock_redis.scan.return_value = (0, [])
+
+    await has_pending_joins(mock_redis, meeting_id)
+
+    expected_pattern = f"{PENDING_JOIN_PREFIX}:{meeting_id}:*"
+    mock_redis.scan.assert_called_once()
+    call_kwargs = mock_redis.scan.call_args.kwargs
+    assert call_kwargs["match"] == expected_pattern
+    assert call_kwargs["count"] == 100
+
+
+@pytest.mark.asyncio
+async def test_multiple_users_pending_joins(mock_redis):
+    """Test that multiple users can have pending joins for same meeting."""
+    meeting_id = "meeting-123"
+    # Simulate two pending joins
+    mock_redis.scan.return_value = (
+        0,
+        [b"pending_join:meeting-123:user-1", b"pending_join:meeting-123:user-2"],
+    )
+
+    result = await has_pending_joins(mock_redis, meeting_id)
+
+    assert result is True
+
+
+@pytest.mark.asyncio
+async def test_pending_join_ttl_value():
+    """Test that PENDING_JOIN_TTL has expected value."""
+    # 30 seconds should be enough for WebRTC handshake but not too long
+    assert PENDING_JOIN_TTL == 30
+
+
+@pytest.mark.asyncio
+async def test_pending_join_prefix_value():
+    """Test that PENDING_JOIN_PREFIX has expected value."""
+    assert PENDING_JOIN_PREFIX == "pending_join"
+
+
+@pytest.mark.asyncio
+async def test_has_pending_joins_multi_iteration_scan_no_keys(mock_redis):
+    """Test has_pending_joins iterates until cursor returns 0."""
+    # Simulate multi-iteration scan: cursor 100 -> cursor 50 -> cursor 0
+    mock_redis.scan.side_effect = [
+        (100, []),  # First iteration, no keys, continue
+        (50, []),  # Second iteration, no keys, continue
+        (0, []),  # Third iteration, cursor 0, done
+    ]
+
+    result = await has_pending_joins(mock_redis, "meeting-123")
+
+    assert result is False
+    assert mock_redis.scan.call_count == 3
+
+
+@pytest.mark.asyncio
+async def test_has_pending_joins_multi_iteration_finds_key_later(mock_redis):
+    """Test has_pending_joins finds key on second iteration."""
+    # Simulate finding key on second scan iteration
+    mock_redis.scan.side_effect = [
+        (100, []),  # First iteration, no keys
+        (0, [b"pending_join:meeting-123:user-1"]),  # Second iteration, found key
+    ]
+
+    result = await has_pending_joins(mock_redis, "meeting-123")
+
+    assert result is True
+    assert mock_redis.scan.call_count == 2

server/tests/test_process_meetings_pending_joins.py

@@ -0,0 +1,241 @@
+"""Tests for process_meetings pending joins check.
+
+Tests that process_meetings correctly skips deactivation when
+pending joins exist for a meeting.
+"""
+
+from datetime import datetime, timedelta, timezone
+from unittest.mock import AsyncMock, patch
+
+import pytest
+
+from reflector.db.meetings import Meeting
+
+
+def _get_process_meetings_fn():
+    """Get the underlying async function without Celery/asynctask decorators."""
+    from reflector.worker import process
+
+    fn = process.process_meetings
+    # Get through both decorator layers (@shared_task and @asynctask)
+    if hasattr(fn, "__wrapped__"):
+        fn = fn.__wrapped__
+    if hasattr(fn, "__wrapped__"):
+        fn = fn.__wrapped__
+    return fn
+
+
+@pytest.fixture
+def mock_active_meeting():
+    """Mock an active meeting that should be considered for deactivation."""
+    now = datetime.now(timezone.utc)
+    return Meeting(
+        id="meeting-123",
+        room_id="room-456",
+        room_name="test-room-20251118120000",
+        room_url="https://daily.co/test-room-20251118120000",
+        host_room_url="https://daily.co/test-room-20251118120000?t=host",
+        platform="daily",
+        num_clients=0,
+        is_active=True,
+        start_date=now - timedelta(hours=1),
+        end_date=now - timedelta(minutes=30),  # Already ended
+    )
+
+
+@pytest.mark.asyncio
+@patch("reflector.worker.process.meetings_controller.get_all_active")
+@patch("reflector.worker.process.RedisAsyncLock")
+@patch("reflector.worker.process.create_platform_client")
+@patch("reflector.worker.process.get_async_redis_client")
+@patch("reflector.worker.process.has_pending_joins")
+@patch("reflector.worker.process.meetings_controller.update_meeting")
+async def test_process_meetings_skips_deactivation_with_pending_joins(
+    mock_update_meeting,
+    mock_has_pending_joins,
+    mock_get_redis,
+    mock_create_client,
+    mock_redis_lock_class,
+    mock_get_all_active,
+    mock_active_meeting,
+):
+    """Test that process_meetings skips deactivation when pending joins exist."""
+    process_meetings = _get_process_meetings_fn()
+
+    mock_get_all_active.return_value = [mock_active_meeting]
+
+    # Mock lock acquired
+    mock_lock_instance = AsyncMock()
+    mock_lock_instance.acquired = True
+    mock_lock_instance.__aenter__ = AsyncMock(return_value=mock_lock_instance)
+    mock_lock_instance.__aexit__ = AsyncMock()
+    mock_redis_lock_class.return_value = mock_lock_instance
+
+    # Mock platform client - no active sessions, but had sessions (triggers deactivation)
+    mock_daily_client = AsyncMock()
+    mock_session = AsyncMock()
+    mock_session.ended_at = datetime.now(timezone.utc)  # Session ended
+    mock_daily_client.get_room_sessions = AsyncMock(return_value=[mock_session])
+    mock_create_client.return_value = mock_daily_client
+
+    # Mock Redis client
+    mock_redis = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    # Mock pending joins exist
+    mock_has_pending_joins.return_value = True
+
+    await process_meetings()
+
+    # Verify has_pending_joins was called
+    mock_has_pending_joins.assert_called_once_with(mock_redis, mock_active_meeting.id)
+
+    # Verify meeting was NOT deactivated
+    mock_update_meeting.assert_not_called()
+
+    # Verify Redis was closed
+    mock_redis.aclose.assert_called_once()
+
+
+@pytest.mark.asyncio
+@patch("reflector.worker.process.meetings_controller.get_all_active")
+@patch("reflector.worker.process.RedisAsyncLock")
+@patch("reflector.worker.process.create_platform_client")
+@patch("reflector.worker.process.get_async_redis_client")
+@patch("reflector.worker.process.has_pending_joins")
+@patch("reflector.worker.process.meetings_controller.update_meeting")
+async def test_process_meetings_deactivates_without_pending_joins(
+    mock_update_meeting,
+    mock_has_pending_joins,
+    mock_get_redis,
+    mock_create_client,
+    mock_redis_lock_class,
+    mock_get_all_active,
+    mock_active_meeting,
+):
+    """Test that process_meetings deactivates when no pending joins."""
+    process_meetings = _get_process_meetings_fn()
+
+    mock_get_all_active.return_value = [mock_active_meeting]
+
+    # Mock lock acquired
+    mock_lock_instance = AsyncMock()
+    mock_lock_instance.acquired = True
+    mock_lock_instance.__aenter__ = AsyncMock(return_value=mock_lock_instance)
+    mock_lock_instance.__aexit__ = AsyncMock()
+    mock_redis_lock_class.return_value = mock_lock_instance
+
+    # Mock platform client - no active sessions, but had sessions
+    mock_daily_client = AsyncMock()
+    mock_session = AsyncMock()
+    mock_session.ended_at = datetime.now(timezone.utc)
+    mock_daily_client.get_room_sessions = AsyncMock(return_value=[mock_session])
+    mock_create_client.return_value = mock_daily_client
+
+    # Mock Redis client
+    mock_redis = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    # Mock no pending joins
+    mock_has_pending_joins.return_value = False
+
+    await process_meetings()
+
+    # Verify meeting was deactivated
+    mock_update_meeting.assert_called_once_with(mock_active_meeting.id, is_active=False)
+
+
+@pytest.mark.asyncio
+@patch("reflector.worker.process.meetings_controller.get_all_active")
+@patch("reflector.worker.process.RedisAsyncLock")
+@patch("reflector.worker.process.create_platform_client")
+async def test_process_meetings_no_check_when_active_sessions(
+    mock_create_client,
+    mock_redis_lock_class,
+    mock_get_all_active,
+    mock_active_meeting,
+):
+    """Test that pending joins check is skipped when there are active sessions."""
+    process_meetings = _get_process_meetings_fn()
+
+    mock_get_all_active.return_value = [mock_active_meeting]
+
+    # Mock lock acquired
+    mock_lock_instance = AsyncMock()
+    mock_lock_instance.acquired = True
+    mock_lock_instance.__aenter__ = AsyncMock(return_value=mock_lock_instance)
+    mock_lock_instance.__aexit__ = AsyncMock()
+    mock_redis_lock_class.return_value = mock_lock_instance
+
+    # Mock platform client - has active session
+    mock_daily_client = AsyncMock()
+    mock_session = AsyncMock()
+    mock_session.ended_at = None  # Still active
+    mock_daily_client.get_room_sessions = AsyncMock(return_value=[mock_session])
+    mock_create_client.return_value = mock_daily_client
+
+    with (
+        patch("reflector.worker.process.get_async_redis_client") as mock_get_redis,
+        patch("reflector.worker.process.has_pending_joins") as mock_has_pending_joins,
+        patch(
+            "reflector.worker.process.meetings_controller.update_meeting"
+        ) as mock_update_meeting,
+    ):
+        await process_meetings()
+
+        # Verify pending joins check was NOT called (no need - active sessions exist)
+        mock_has_pending_joins.assert_not_called()
+
+        # Verify meeting was NOT deactivated
+        mock_update_meeting.assert_not_called()
+
+
+@pytest.mark.asyncio
+@patch("reflector.worker.process.meetings_controller.get_all_active")
+@patch("reflector.worker.process.RedisAsyncLock")
+@patch("reflector.worker.process.create_platform_client")
+@patch("reflector.worker.process.get_async_redis_client")
+@patch("reflector.worker.process.has_pending_joins")
+@patch("reflector.worker.process.meetings_controller.update_meeting")
+async def test_process_meetings_closes_redis_even_on_continue(
+    mock_update_meeting,
+    mock_has_pending_joins,
+    mock_get_redis,
+    mock_create_client,
+    mock_redis_lock_class,
+    mock_get_all_active,
+    mock_active_meeting,
+):
+    """Test that Redis connection is always closed, even when skipping deactivation."""
+    process_meetings = _get_process_meetings_fn()
+
+    mock_get_all_active.return_value = [mock_active_meeting]
+
+    # Mock lock acquired
+    mock_lock_instance = AsyncMock()
+    mock_lock_instance.acquired = True
+    mock_lock_instance.__aenter__ = AsyncMock(return_value=mock_lock_instance)
+    mock_lock_instance.__aexit__ = AsyncMock()
+    mock_redis_lock_class.return_value = mock_lock_instance
+
+    # Mock platform client - no active sessions
+    mock_daily_client = AsyncMock()
+    mock_session = AsyncMock()
+    mock_session.ended_at = datetime.now(timezone.utc)
+    mock_daily_client.get_room_sessions = AsyncMock(return_value=[mock_session])
+    mock_create_client.return_value = mock_daily_client
+
+    # Mock Redis client
+    mock_redis = AsyncMock()
+    mock_redis.aclose = AsyncMock()
+    mock_get_redis.return_value = mock_redis
+
+    # Mock pending joins exist (will trigger continue)
+    mock_has_pending_joins.return_value = True
+
+    await process_meetings()
+
+    # Verify Redis was closed
+    mock_redis.aclose.assert_called_once()

server/tests/test_transcripts_rtc_ws.py

@@ -115,9 +115,7 @@ def appserver(tmpdir, setup_database, celery_session_app, celery_session_worker)
     settings.DATA_DIR = DATA_DIR
 
 
-@pytest.fixture(scope="session")
+# Using celery_includes from conftest.py which includes both pipelines
-def celery_includes():
-    return ["reflector.pipelines.main_live_pipeline"]
 
 
 @pytest.mark.usefixtures("setup_database")

server/tests/test_user_websocket_auth.py

@@ -56,7 +56,12 @@ def appserver_ws_user(setup_database):
 
     if server_instance:
         server_instance.should_exit = True
-        server_thread.join(timeout=30)
+        server_thread.join(timeout=2.0)
+
+    # Reset global singleton for test isolation
+    from reflector.ws_manager import reset_ws_manager
+
+    reset_ws_manager()
 
 
 @pytest.fixture(autouse=True)
@@ -133,6 +138,8 @@ async def test_user_ws_accepts_valid_token_and_receives_events(appserver_ws_user
 
     # Connect and then trigger an event via HTTP create
     async with aconnect_ws(base_ws, subprotocols=subprotocols) as ws:
+        await asyncio.sleep(0.2)
+
         # Emit an event to the user's room via a standard HTTP action
         from httpx import AsyncClient
 
@@ -150,6 +157,7 @@ async def test_user_ws_accepts_valid_token_and_receives_events(appserver_ws_user
             "email": "user-abc@example.com",
         }
 
+        # Use in-memory client (global singleton makes it share ws_manager)
         async with AsyncClient(app=app, base_url=f"http://{host}:{port}/v1") as ac:
             # Create a transcript as this user so that the server publishes TRANSCRIPT_CREATED to user room
             resp = await ac.post("/transcripts", json={"name": "WS Test"})

www/app/[roomName]/components/DailyRoom.tsx

@@ -25,6 +25,8 @@ import { useConsentDialog } from "../../lib/consent";
 import {
   useRoomJoinMeeting,
   useMeetingStartRecording,
+  useMeetingJoining,
+  useMeetingJoined,
 } from "../../lib/apiHooks";
 import { omit } from "remeda";
 import {
@@ -187,8 +189,14 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   const [container, setContainer] = useState<HTMLDivElement | null>(null);
   const joinMutation = useRoomJoinMeeting();
   const startRecordingMutation = useMeetingStartRecording();
+  const joiningMutation = useMeetingJoining();
+  const joinedMutation = useMeetingJoined();
   const [joinedMeeting, setJoinedMeeting] = useState<Meeting | null>(null);
 
+  // Generate a stable connection ID for this component instance
+  // Used to track pending joins per browser tab (prevents key collision for anonymous users)
+  const connectionId = useMemo(() => crypto.randomUUID(), []);
+
   // Generate deterministic instanceIds so all participants use SAME IDs
   const cloudInstanceId = parseNonEmptyString(meeting.id);
   const rawTracksInstanceId = parseNonEmptyString(
@@ -249,6 +257,28 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   );
 
   const handleFrameJoinMeeting = useCallback(() => {
+    // Signal that WebRTC connection is established
+    // This clears the pending join intent, confirming successful connection
+    joinedMutation.mutate(
+      {
+        params: {
+          path: {
+            room_name: roomName,
+            meeting_id: meeting.id,
+          },
+        },
+        body: {
+          connection_id: connectionId,
+        },
+      },
+      {
+        onError: (error: unknown) => {
+          // Non-blocking: log but don't fail - this is cleanup, not critical
+          console.warn("Failed to signal joined:", error);
+        },
+      },
+    );
+
     if (meeting.recording_type === "cloud") {
       console.log("Starting dual recording via REST API", {
         cloudInstanceId,
@@ -310,6 +340,9 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
   }, [
     meeting.recording_type,
     meeting.id,
+    roomName,
+    connectionId,
+    joinedMutation,
     startRecordingMutation,
     cloudInstanceId,
     rawTracksInstanceId,
@@ -328,8 +361,28 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
 
   useEffect(() => {
     if (!frame || !roomUrl) return;
-    frame
+
-      .join({
+    const joinRoom = async () => {
+      // Signal intent to join before WebRTC handshake starts
+      // This prevents race condition where meeting is deactivated during handshake
+      try {
+        await joiningMutation.mutateAsync({
+          params: {
+            path: {
+              room_name: roomName,
+              meeting_id: meeting.id,
+            },
+          },
+          body: {
+            connection_id: connectionId,
+          },
+        });
+      } catch (error) {
+        // Non-blocking: log but continue with join
+        console.warn("Failed to signal joining intent:", error);
+      }
+
+      await frame.join({
         url: roomUrl,
         sendSettings: {
           video: {
@@ -341,9 +394,13 @@ export default function DailyRoom({ meeting, room }: DailyRoomProps) {
           },
           // Note: screenVideo intentionally not configured to preserve full quality for screen shares
         },
-      })
+      });
-      .catch(console.error.bind(console, "Failed to join daily room:"));
+    };
-  }, [frame, roomUrl]);
+
+    joinRoom().catch(console.error.bind(console, "Failed to join daily room:"));
+    // joiningMutation excluded from deps - it's a stable hook reference
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [frame, roomUrl, roomName, meeting.id, connectionId]);
 
   useEffect(() => {
     setCustomTrayButton(

www/app/lib/apiHooks.ts

@@ -807,6 +807,26 @@ export function useRoomJoinMeeting() {
   );
 }
 
+// Presence race fix endpoints (not yet in OpenAPI spec)
+// These signal join intent to prevent race conditions during WebRTC handshake
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function useMeetingJoining(): any {
+  return ($api as any).useMutation(
+    "post",
+    "/v1/rooms/{room_name}/meetings/{meeting_id}/joining",
+    {},
+  );
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function useMeetingJoined(): any {
+  return ($api as any).useMutation(
+    "post",
+    "/v1/rooms/{room_name}/meetings/{meeting_id}/joined",
+    {},
+  );
+}
+
 export function useRoomIcsSync() {
   const { setError } = useError();