refactor(resource): ensure post-fetch hooks receive resolved gateway content

[TS0713]

Summary

Fixes Issue 2648 by invoking resources before running post-fetch hooks.

Changes

1. Execute RESOURCE_POST_FETCH hooks after gateway invocation
2. Refactor read_resource to resolve content first
3. Add explicit DB commit before network calls
4. Added test case under - mcp-context-forge/tests/unit/plugins/test_secrets_detection.py
   • to verify resolved content.text is passed to post-fetch hook

[crivetimihai]

Good fix, @TS0713 — post-fetch hooks should definitely receive resolved content, not template URIs. The refactored control flow with a single return path and null checks on invoke_resource is also an improvement.

Two things to address:

1. Removed db.commit() — potential performance regression:
The original code had an explicit db.commit() with the comment "Release transaction before network calls to avoid idle-in-transaction during invoke_resource". Removing it means the DB transaction stays open during potentially slow gateway calls. On PostgreSQL under load, this can cause connection pool exhaustion. Can you confirm this is safe, or re-add the commit before the gateway calls?

2. Unrelated files from incorrect rebase:
12 files under plugins/unified_pdp/ and tests/unit/plugins/ only add # -*- coding: utf-8 -*- headers — these likely came from an incorrect rebase picking up changes from another branch. Please rebase cleanly against main and remove them:

git checkout origin/main -- plugins/unified_pdp/ tests/unit/plugins/test_unified_pdp.py tests/unit/plugins/test_unified_pdp_plugin.py
git commit -s -m "chore: remove unrelated files from rebase"

[TS0713]

. Removed db.commit() — potential performance regression:
The original code had an explicit db.commit() with the comment "Release transaction before network calls to avoid idle-in-transaction during invoke_resource". Removing it means the DB transaction stays open during potentially slow gateway calls. On PostgreSQL under load, this can cause connection pool exhaustion. Can you confirm this is safe, or re-add the commit before the gateway calls?

Thanks for flagging this — read_resource was holding the DB transaction until invoke_resource. I’ll add an explicit commit immediately before gateway invocation so connections aren’t held across plugin or network calls, then rebase, re-test, and update the PR.

[crivetimihai]

Review & Rebase Summary

Rebased onto main, squashed 6 commits into 1 clean commit (original author preserved), and fixed minor issues.

Changes made during rebase

• Removed 12 unrelated files (plugins/unified_pdp/ encoding header removals) that leaked in from a prior rebase
• Fixed flake8 E302 — missing blank line before TestAwsSecretPattern class in test_secrets_detection.py
• Squashed all commits into a single clean commit with conventional commit message

Review notes

Logic — Correct. Moves RESOURCE_POST_FETCH hooks to after invoke_resource() resolves actual content from the gateway. Previously, plugins like secrets_detection received raw template URIs and couldn't redact secrets.

Consistency — Matches the existing TOOL_POST_INVOKE pattern in tool_service.py, where post-invocation hooks run after the actual result is available.

Security — This is a security improvement: closes a gap where resolved secrets could bypass plugin redaction.

Performance — No impact; hook invocation is moved, not duplicated.

Tests — All 21 related tests pass. Full unit suite passes (1 pre-existing flaky cache timing test unrelated to this PR).

Structural improvements in the PR:

• Refactored early-return branches into a single if/elif/else chain with one return point
• Added defensive if resource_response: null-checks before overwriting blob/text
• db.commit() placement preserved before network calls