feat(core): Add Chat settings admin view (no-changelog)

[Cadiac]

Summary

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[bundlemon]

BundleMon

Unchanged files (2)

Status	Path	Size	Limits
✅	WASM Dependencies tree-sitter-bash.wasm	181.26KB	-
✅	WASM Dependencies tree-sitter.wasm	74.47KB	-

No change in files bundle size

Groups updated (2)

Status	Path	Size	Limits
✅	**/*.js	11.35MB (+58.8KB +0.51%)	-
✅	**/*.css	229.34KB (+8.56KB +3.88%)	-

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[codecov]

Codecov Report

❌ Patch coverage is 42.85714% with 432 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...es/ai/chatHub/components/ProviderSettingsModal.vue	0.00%	257 Missing ⚠️
...c/features/ai/chatHub/components/ModelSelector.vue	0.00%	36 Missing ⚠️
...nd/editor-ui/src/features/ai/chatHub/chat.store.ts	2.94%	33 Missing ⚠️
.../src/modules/chat-hub/chat-hub.settings.service.ts	18.42%	31 Missing ⚠️
...tend/editor-ui/src/features/ai/chatHub/chat.api.ts	10.34%	26 Missing ⚠️
...or-ui/src/features/ai/chatHub/module.descriptor.ts	75.38%	16 Missing ⚠️
...c/modules/chat-hub/chat-hub.settings.controller.ts	0.00%	14 Missing ⚠️
...tures/ai/chatHub/composables/useChatCredentials.ts	0.00%	14 Missing ⚠️
...ckages/cli/src/modules/chat-hub/chat-hub.module.ts	0.00%	3 Missing ⚠️
...kages/cli/src/modules/chat-hub/chat-hub.service.ts	66.66%	1 Missing ⚠️
... and 1 more

📢 Thoughts on this report? Let us know!

[Cadiac]

This looked pretty broken - no code in the repo appears to use this table in the selectable mode currently and the with 'start' align that mode looks like one would expect.

But now I realize the code with table that was using this was removed after I reworked how the table modal looks - I wonder if I should just roll this back "just in case" or leave it for the next time someone tries to use the table with selects..

[cubic-dev-ai]

11 issues found across 23 files

Prompt for AI agents (all 11 issues)

Understand the root cause of the following 11 issues and fix them.


<file name="packages/cli/src/modules/chat-hub/chat-hub.settings.controller.ts">

<violation number="1" location="packages/cli/src/modules/chat-hub/chat-hub.settings.controller.ts:27">
`GET /chat/settings/:provider` exposes per-provider admin settings (e.g., credentialId, allowedModels) without any `chatHub:manage` guard, so regular users can now read privileged configuration. Add the same authorization decorator used on the POST handler to keep these settings restricted to admins.</violation>

<violation number="2" location="packages/cli/src/modules/chat-hub/chat-hub.settings.controller.ts:27">
Rule violated: **Tests**

New ChatHub admin endpoints (/settings list, /settings/:provider lookup, and POST save) were added without any tests, violating Community PR Guidelines §2 (Testing Requirements) that mandate PRs include tests for new functionality. These routes are the core configuration surface for providers, so shipping them untested risks unnoticed regressions.</violation>
</file>

<file name="packages/frontend/editor-ui/src/features/ai/chatHub/components/ModelSelector.vue">

<violation number="1" location="packages/frontend/editor-ui/src/features/ai/chatHub/components/ModelSelector.vue:80">
Rule violated: **Tests**

Community PR Guidelines §2 require UI changes to include tests. The new settings-based filtering (hiding disabled providers, injecting manual models, suppressing the “Add model” action) alters core Chat admin behavior but the PR adds no unit/UI/E2E tests to verify these flows, leaving the restriction logic untested. Please add automated coverage that proves the menu obeys module settings.</violation>

<violation number="2" location="packages/frontend/editor-ui/src/features/ai/chatHub/components/ModelSelector.vue:134">
Adding manual models by pushing into `agents.value[provider].models` mutates shared state inside a computed getter, so each recomputation duplicates those entries and pollutes the agents store.</violation>

<violation number="3" location="packages/frontend/editor-ui/src/features/ai/chatHub/components/ModelSelector.vue:162">
Rule violated: **Prefer Typeguards over Type casting**

Avoid asserting `agent.model` to `ChatHubBaseLLMModel` just to read `.model`; use a type guard or tighten the typings so the compiler knows when `.model` is available instead of relying on `as`.</violation>

<violation number="4" location="packages/frontend/editor-ui/src/features/ai/chatHub/components/ModelSelector.vue:176">
The “Add model” option is now hidden unless a settings record exists, so providers without module settings can no longer add models at all. The condition should allow the button whenever models aren’t limited (including when settings are absent).</violation>
</file>

<file name="packages/@n8n/db/src/repositories/settings.repository.ts">

<violation number="1" location="packages/@n8n/db/src/repositories/settings.repository.ts:16">
`findBy` never returns `null`, so `findAllLike` should return `Promise&lt;Settings[]&gt;` rather than `Promise&lt;Settings[] | null&gt;` to keep the type accurate and avoid misleading callers.</violation>
</file>

<file name="packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts">

<violation number="1" location="packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:737">
Ensure settingsLoading is reset even when fetchChatSettingsApi throws; wrap the await in try/finally so the loading flag can’t remain stuck after an error.</violation>
</file>

<file name="packages/cli/src/modules/chat-hub/chat-hub.service.ts">

<violation number="1" location="packages/cli/src/modules/chat-hub/chat-hub.service.ts:704">
Rule violated: **Tests**

The new ChatHubSettingsService gating logic is untested—Community PR Guidelines require adding tests whenever new core behavior is introduced, but no unit or integration tests exercise allow/deny scenarios for ensureModelIsAllowed.</violation>
</file>

<file name="packages/cli/src/modules/chat-hub/chat-hub.settings.service.ts">

<violation number="1" location="packages/cli/src/modules/chat-hub/chat-hub.settings.service.ts:45">
Rule violated: **Tests**

Community PR Guidelines §2 require tests for new functionality, but this new chat provider gating logic was added without any unit, workflow, or UI tests to verify provider enablement and model restrictions.</violation>
</file>

<file name="packages/frontend/editor-ui/src/features/ai/chatHub/components/ProviderSettingsModal.vue">

<violation number="1" location="packages/frontend/editor-ui/src/features/ai/chatHub/components/ProviderSettingsModal.vue:51">
Rule violated: **Prefer Typeguards over Type casting**

Avoid asserting `model.model as ChatHubBaseLLMModel` just to access `.model`. This relies on a narrowing cast of runtime data from the API; per the “Prefer Typeguards over Type casting” rule, replace the assertions with a type guard (e.g., a predicate that refines `model` based on its provider) or refine the `ChatModelDto` typing so the compiler already knows the shape.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

GET /chat/settings/:provider exposes per-provider admin settings (e.g., credentialId, allowedModels) without any chatHub:manage guard, so regular users can now read privileged configuration. Add the same authorization decorator used on the POST handler to keep these settings restricted to admins.

Prompt for AI agents

Address the following comment on packages/cli/src/modules/chat-hub/chat-hub.settings.controller.ts at line 27:

<comment>`GET /chat/settings/:provider` exposes per-provider admin settings (e.g., credentialId, allowedModels) without any `chatHub:manage` guard, so regular users can now read privileged configuration. Add the same authorization decorator used on the POST handler to keep these settings restricted to admins.</comment>

<file context>
@@ -15,26 +20,41 @@ export class ChatHubSettingsController {
 	}
 
-	@Patch(&#39;/settings&#39;)
+	@Get(&#39;/settings/:provider&#39;)
+	async getProviderSettings(
+		_req: AuthenticatedRequest,
</file context>

✅ Addressed in 8a67d38

[Cadiac]

the settings data is public by nature and also available through /module-settings endpoint, so I didn't see the need to limit the access to these GET endpoints.

I changed this anyways, mostly so that we don't get unnecessary security report from this.

[autologie]

Haven't gone through fully yet, but some initial thoughts.

[autologie]

A nice-to-have feature is to show the "re-select model" callout when the model for an existing conversation isn't allowed anymore, but this is probably a corner case and we can improve later.