GreyhavenHQ · deardarlingoose · Feb 6, 2026 · Feb 6, 2026
diff --git a/.github/workflows/test_next_server.yml b/.github/workflows/test_next_server.yml
@@ -13,6 +13,9 @@ on:
 jobs:
   test-next-server:
     runs-on: ubuntu-latest
+    concurrency:
+      group: test-next-server-${{ github.ref }}
+      cancel-in-progress: true
 
     defaults:
       run:
@@ -21,17 +24,12 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - name: Setup Node.js
-      uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-
     - name: Install pnpm
       uses: pnpm/action-setup@v4
       with:
-        version: 8
+        package_json_file: './www/package.json'
 
-    - name: Setup Node.js cache
+    - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
         node-version: '20'
@@ -42,4 +40,4 @@ jobs:
       run: pnpm install
 
     - name: Run tests
-      run: pnpm test
+      run: pnpm test
diff --git a/server/reflector/db/calendar_events.py b/server/reflector/db/calendar_events.py
@@ -104,6 +104,26 @@ async def get_upcoming(
         results = await get_database().fetch_all(query)
         return [CalendarEvent(**result) for result in results]
 
+    async def get_upcoming_for_rooms(
+        self, room_ids: list[str], minutes_ahead: int = 120
+    ) -> list[CalendarEvent]:
+        now = datetime.now(timezone.utc)
+        future_time = now + timedelta(minutes=minutes_ahead)
+        query = (
+            calendar_events.select()
+            .where(
+                sa.and_(
+                    calendar_events.c.room_id.in_(room_ids),
+                    calendar_events.c.is_deleted == False,
+                    calendar_events.c.start_time <= future_time,
+                    calendar_events.c.end_time >= now,
+                )
+            )
+            .order_by(calendar_events.c.start_time.asc())
+        )
+        results = await get_database().fetch_all(query)
+        return [CalendarEvent(**result) for result in results]
+
     async def get_by_id(self, event_id: str) -> CalendarEvent | None:
         query = calendar_events.select().where(calendar_events.c.id == event_id)
         result = await get_database().fetch_one(query)

diff --git a/server/reflector/db/meetings.py b/server/reflector/db/meetings.py
@@ -301,6 +301,23 @@ async def get_all_active_for_room(
         results = await get_database().fetch_all(query)
         return [Meeting(**result) for result in results]
 
+    async def get_all_active_for_rooms(
+        self, room_ids: list[str], current_time: datetime
+    ) -> list[Meeting]:
+        query = (
+            meetings.select()
+            .where(
+                sa.and_(
+                    meetings.c.room_id.in_(room_ids),
+                    meetings.c.end_date > current_time,
+                    meetings.c.is_active,
+                )
+            )
+            .order_by(meetings.c.end_date.desc())
+        )
+        results = await get_database().fetch_all(query)
+        return [Meeting(**result) for result in results]
+
     async def get_active_by_calendar_event(
         self, room: Room, calendar_event_id: str, current_time: datetime
     ) -> Meeting | None:

diff --git a/server/reflector/db/rooms.py b/server/reflector/db/rooms.py
@@ -245,6 +245,11 @@ async def get_by_id_for_http(self, meeting_id: str, user_id: str | None) -> Room
 
         return room
 
+    async def get_by_names(self, names: list[str]) -> list[Room]:
+        query = rooms.select().where(rooms.c.name.in_(names))
+        results = await get_database().fetch_all(query)
+        return [Room(**r) for r in results]
+
     async def get_ics_enabled(self) -> list[Room]:
         query = rooms.select().where(
             rooms.c.ics_enabled == True, rooms.c.ics_url != None

diff --git a/server/reflector/views/rooms.py b/server/reflector/views/rooms.py
@@ -1,18 +1,21 @@
+import asyncio
 import logging
+from collections import defaultdict
 from datetime import datetime, timedelta, timezone
 from enum import Enum
 from typing import Annotated, Any, Literal, Optional
 
 from fastapi import APIRouter, Depends, HTTPException
 from fastapi_pagination import Page
 from fastapi_pagination.ext.databases import apaginate
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from redis.exceptions import LockError
 
 import reflector.auth as auth
 from reflector.db import get_database
 from reflector.db.calendar_events import calendar_events_controller
 from reflector.db.meetings import meetings_controller
+from reflector.db.rooms import Room as DbRoom
 from reflector.db.rooms import rooms_controller
 from reflector.redis_cache import RedisAsyncLock
 from reflector.schemas.platform import Platform
@@ -195,6 +198,82 @@ async def rooms_list(
     return paginated
 
 
+class BulkStatusRequest(BaseModel):
+    room_names: list[str] = Field(max_length=100)
+
+
+class RoomMeetingStatus(BaseModel):
+    active_meetings: list[Meeting]
+    upcoming_events: list[CalendarEventResponse]
+
+
+@router.post("/rooms/meetings/bulk-status", response_model=dict[str, RoomMeetingStatus])
+async def rooms_bulk_meeting_status(
+    request: BulkStatusRequest,
+    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+):
+    if not user and not settings.PUBLIC_MODE:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+
+    user_id = user["sub"] if user else None
+
+    all_rooms = await rooms_controller.get_by_names(request.room_names)
+    # Filter to rooms the user can see (owned or shared), matching rooms_list behavior
+    rooms = [
+        r
+        for r in all_rooms
+        if r.is_shared or (user_id is not None and r.user_id == user_id)
+    ]
+    room_by_id: dict[str, DbRoom] = {r.id: r for r in rooms}
+    room_ids = list(room_by_id.keys())
+
+    if not room_ids:
+        return {
+            name: RoomMeetingStatus(active_meetings=[], upcoming_events=[])
+            for name in request.room_names
+        }
+
+    current_time = datetime.now(timezone.utc)
+    active_meetings, upcoming_events = await asyncio.gather(
+        meetings_controller.get_all_active_for_rooms(room_ids, current_time),
+        calendar_events_controller.get_upcoming_for_rooms(room_ids),
+    )
+
+    # Group by room name, converting DB models to view models
+    active_by_room: dict[str, list[Meeting]] = defaultdict(list)
+    for m in active_meetings:
+        room = room_by_id.get(m.room_id)
+        if not room:
+            continue
+        m.platform = room.platform
+        if user_id != room.user_id and m.platform == "whereby":
+            m.host_room_url = ""
+        active_by_room[room.name].append(
+            Meeting.model_validate(m, from_attributes=True)
+        )
+
+    upcoming_by_room: dict[str, list[CalendarEventResponse]] = defaultdict(list)
+    for e in upcoming_events:
+        room = room_by_id.get(e.room_id)
+        if not room:
+            continue
+        if user_id != room.user_id:
+            e.description = None
+            e.attendees = None
+        upcoming_by_room[room.name].append(
+            CalendarEventResponse.model_validate(e, from_attributes=True)
+        )
+
+    result: dict[str, RoomMeetingStatus] = {}
+    for name in request.room_names:
+        result[name] = RoomMeetingStatus(
+            active_meetings=active_by_room.get(name, []),
+            upcoming_events=upcoming_by_room.get(name, []),
+        )
+
+    return result
+
+
 @router.get("/rooms/{room_id}", response_model=RoomDetails)
 async def rooms_get(
     room_id: str,

diff --git a/server/tests/test_rooms_bulk_status.py b/server/tests/test_rooms_bulk_status.py
@@ -0,0 +1,184 @@
+from datetime import datetime, timedelta, timezone
+
+import pytest
+from conftest import authenticated_client_ctx
+
+from reflector.db.calendar_events import CalendarEvent, calendar_events_controller
+from reflector.db.meetings import meetings_controller
+from reflector.db.rooms import Room, rooms_controller
+from reflector.settings import settings
+
+
+async def _create_room(name: str, user_id: str, is_shared: bool = False) -> Room:
+    return await rooms_controller.add(
+        name=name,
+        user_id=user_id,
+        zulip_auto_post=False,
+        zulip_stream="",
+        zulip_topic="",
+        is_locked=False,
+        room_mode="normal",
+        recording_type="cloud",
+        recording_trigger="automatic-2nd-participant",
+        is_shared=is_shared,
+        webhook_url="",
+        webhook_secret="",
+    )
+
+
+async def _create_meeting(room: Room, active: bool = True):
+    now = datetime.now(timezone.utc)
+    return await meetings_controller.create(
+        id=f"meeting-{room.name}-{now.timestamp()}",
+        room_name=room.name,
+        room_url="room-url",
+        host_room_url="host-url",
+        start_date=now - timedelta(minutes=10),
+        end_date=now + timedelta(minutes=50) if active else now - timedelta(minutes=1),
+        room=room,
+    )
+
+
+async def _create_calendar_event(room: Room):
+    now = datetime.now(timezone.utc)
+    return await calendar_events_controller.upsert(
+        CalendarEvent(
+            room_id=room.id,
+            ics_uid=f"event-{room.name}",
+            title=f"Upcoming in {room.name}",
+            description="secret description",
+            start_time=now + timedelta(minutes=30),
+            end_time=now + timedelta(minutes=90),
+            attendees=[{"name": "Alice", "email": "alice@example.com"}],
+        )
+    )
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_returns_empty_for_no_rooms(client):
+    """Empty room_names returns empty dict."""
+    async with authenticated_client_ctx():
+        resp = await client.post("/rooms/meetings/bulk-status", json={"room_names": []})
+    assert resp.status_code == 200
+    assert resp.json() == {}
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_returns_active_meetings_and_upcoming_events(client):
+    """Owner sees active meetings and upcoming events for their rooms."""
+    room = await _create_room("bulk-test-room", "randomuserid")
+    await _create_meeting(room, active=True)
+    await _create_calendar_event(room)
+
+    async with authenticated_client_ctx():
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["bulk-test-room"]},
+        )
+
+    assert resp.status_code == 200
+    data = resp.json()
+    assert "bulk-test-room" in data
+    status = data["bulk-test-room"]
+    assert len(status["active_meetings"]) == 1
+    assert len(status["upcoming_events"]) == 1
+    # Owner sees description
+    assert status["upcoming_events"][0]["description"] == "secret description"
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_redacts_data_for_non_owner(client):
+    """Non-owner of a shared room gets redacted calendar events and no whereby host_room_url."""
+    room = await _create_room("shared-bulk", "other-user-id", is_shared=True)
+    await _create_meeting(room, active=True)
+    await _create_calendar_event(room)
+
+    # authenticated as "randomuserid" but room owned by "other-user-id"
+    async with authenticated_client_ctx():
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["shared-bulk"]},
+        )
+
+    assert resp.status_code == 200
+    status = resp.json()["shared-bulk"]
+    assert len(status["active_meetings"]) == 1
+    assert len(status["upcoming_events"]) == 1
+    # Non-owner: description and attendees redacted
+    assert status["upcoming_events"][0]["description"] is None
+    assert status["upcoming_events"][0]["attendees"] is None
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_filters_private_rooms_of_other_users(client):
+    """User cannot see private rooms owned by others."""
+    await _create_room("private-other", "other-user-id", is_shared=False)
+
+    async with authenticated_client_ctx():
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["private-other"]},
+        )
+
+    assert resp.status_code == 200
+    status = resp.json()["private-other"]
+    assert status["active_meetings"] == []
+    assert status["upcoming_events"] == []
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_redacts_whereby_host_room_url_for_non_owner(client):
+    """Non-owner of a shared whereby room gets empty host_room_url."""
+    room = await _create_room("shared-whereby", "other-user-id", is_shared=True)
+    # Force platform to whereby
+    from reflector.db import get_database
+    from reflector.db.rooms import rooms as rooms_table
+
+    await get_database().execute(
+        rooms_table.update()
+        .where(rooms_table.c.id == room.id)
+        .values(platform="whereby")
+    )
+
+    await _create_meeting(room, active=True)
+
+    async with authenticated_client_ctx():
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["shared-whereby"]},
+        )
+
+    assert resp.status_code == 200
+    status = resp.json()["shared-whereby"]
+    assert len(status["active_meetings"]) == 1
+    assert status["active_meetings"][0]["host_room_url"] == ""
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_unauthenticated_rejected_non_public(client):
+    """Unauthenticated request on non-PUBLIC_MODE instance returns 401."""
+    original = settings.PUBLIC_MODE
+    try:
+        settings.PUBLIC_MODE = False
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["any-room"]},
+        )
+        assert resp.status_code == 401
+    finally:
+        settings.PUBLIC_MODE = original
+
+
+@pytest.mark.asyncio
+async def test_bulk_status_nonexistent_room_returns_empty(client):
+    """Requesting a room that doesn't exist returns empty lists."""
+    async with authenticated_client_ctx():
+        resp = await client.post(
+            "/rooms/meetings/bulk-status",
+            json={"room_names": ["does-not-exist"]},
+        )
+
+    assert resp.status_code == 200
+    status = resp.json()["does-not-exist"]
+    assert status["active_meetings"] == []
+    assert status["upcoming_events"] == []