perf: remove path validation delay

[trsdn]

Summary

Removes the timing-normalization wrapper from validate_and_sanitize_path(). The wrapper added a minimum ~50ms delay to every path validation even though this code path does not compare secrets or perform authentication checks.

Measured locally:

• Before: 20 validations in 1.070s (~53.5ms/call)
• After: 20 validations in 0.000826s (~0.041ms/call)

This improves convert_file latency and any workflow that validates many paths while preserving the existing path traversal, directory allow-list, dangerous path, and extension checks.

10 performance improvements identified

1. Remove artificial path-validation delay. Highest impact / lowest effort; implemented in this PR.
2. Lower validation-path logging from info to debug to reduce repeated conversion overhead and noisy stderr during batch operations.
3. Reuse a resolved safe-directory list instead of resolving allowed directories on every validation call.
4. Parallelize convert_directory conversions with bounded concurrency instead of processing supported files serially.
5. Avoid dispatching simple output writes through the executor in convert_directory; write synchronously after conversion or batch writes.
6. Add a direct fast path for plain text / markdown files to avoid MarkItDown overhead when no transformation is needed.
7. Cache the supported-formats response string instead of rebuilding it for each list_supported_formats call.
8. Stream or chunk output truncation for very large conversion results rather than holding full text before truncating.
9. Replace full JSON read() + json.loads() validation with a streaming/depth-limited parser to reduce memory for large JSON files.
10. Replace XML full-file regex validation with bounded pre-scan/streaming validation to reduce memory and regex cost on large XML files.

Validation

• ruff check markitdown_mcp/server.py
• pytest tests/unit/test_convert_file_tool.py tests/unit/test_convert_directory_tool.py tests/security/test_path_traversal.py --quiet — 62 passed
• pytest -m 'not performance and not slow and not security' --quiet — 190 passed, 2 skipped, 90 deselected
• pytest tests/security/test_path_traversal.py --quiet — 18 passed

Note: full pytest --quiet currently fails in unrelated existing performance/security tests: two memory-threshold tests in tests/performance/test_memory_usage.py and two JSON bomb generation failures in tests/security/test_malicious_files.py on Python 3.12 before the server handles the files.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

🔍 PR Analysis Results

PR: #43 | Commit: 4a0709ea34506ef54feed53fb62a591d7b78b1e7

🎨 Code Formatting

✅ All files properly formatted

🔧 Code Linting

✅ No linting issues found

📝 Type Checking

❌ Type checking issues found

Click to see type issues

usage: mypy [-h] [-v] [-V] [more options; see below]
            [-m MODULE] [-p PACKAGE] [-c PROGRAM_TEXT] [files ...]
mypy: error: unrecognized arguments: --json-report mypy_report.json

Fix: Add proper type annotations and resolve type errors

🔒 Security Analysis

✅ No security issues detected

📊 Test Coverage Analysis

✅ Coverage 82.17636022514071% meets 80% requirement

🧹 Dead Code Analysis

✅ Dead code analysis completed

📋 Summary

⚠️ Found 1 issue(s) that should be addressed:

• 📝 Types: Issues found

🔧 Quick Fix Commands:

# Fix formatting and auto-fixable linting issues
ruff format .
ruff check . --fix

# Run tests with coverage
pytest tests/unit/ --cov=markitdown_mcp --cov-report=term-missing

# Check security
bandit -r markitdown_mcp/

---

This analysis was automatically generated by the PR feedback workflow.
Report generated at 2026-06-10 11:01:35 UTC

[github-actions]

🔍 CI Quality Gates Summary

Overall Status: ✅ All Passed

Check	Status	Details	Action Required
🎨 Format	✅ Passed	ruff format check	None
🔧 Lint	✅ Passed	ruff linting	None
📝 Types	✅ Passed	mypy type checking	None
🧪 Tests	✅ Passed	Unit tests	None
📊 Coverage	82.2%	Minimum: 80%	None
🔌 MCP	✅ Valid	Protocol compliance	None
🔒 Security	✅ Clean	Dependency audit	None

🔗 Quick Links

• View detailed analysis
• See workflow logs

🛠️ Quick Fix Commands

# Fix most issues automatically
ruff format .
ruff check . --fix

# Run tests locally
pytest tests/unit/ --cov=markitdown_mcp

# Check types
mypy markitdown_mcp

---

Last updated: 2026-06-10 11:02:26 UTC

[github-actions]

🔍 PR Quality Summary

CI Status

✅ Security: success
✅ Docs: success
✅ Tests: success
✅ Quality: success

Metrics

Metric	Value	Trend
📊 Coverage	N/A	-
🧪 Tests	Test results unavailable	-
⏱️ Performance	No performance data	-

Quality Checks

• Format & Lint: Ruff formatting and linting
• Type Safety: MyPy strict type checking
• Security: Bandit, Safety, GitLeaks scanning
• MCP Protocol: Tool schema validation
• Documentation: Docstring coverage (80%+)

MCP Tools

• convert_file - Convert individual files to Markdown
• convert_directory - Batch convert directories
• list_supported_formats - Query supported file types

---

_{🤖 Auto-generated by CI • Last updated: 2026-06-10 11:04 UTC}