Introducing kreuzcrawl v0.3.0
kreuzcrawl began as a Rust core with bindings for ten languages. v0.3.0 ships fourteen, adds a tiered WAF-aware dispatch engine, cuts peak streaming memory from ~2.5 GB to ~20 MB, and enables SSRF defense across every outbound call path by default. It is the first release we consider API-stable. This post covers what changed, why each decision was made, and what the harder engineering problems looked like from the inside. At a glance Area v0.2.0 v0.3.0 Language bindings 10 14 (+Dart, Kotlin/Android, Swift, Zig) Peak streaming memory ~2.5 GB ~20 MB SSRF protection opt-in on by default Dispatch model static HTTP / bypass / browser tiered, signal-driven escalation WAF fingerprints — 35 across 8 vendors Fingerprint hot-reload — lock-free ( ArcSwap ), 500 ms debounce MCP tools partial 1:1 with CLI, safety-annotated CLI subcommands scrape, crawl + batch-scrape, batch-crawl, download, citations Robots / sitemap parsers engine-internal public modules API stability preview stable Four new language bindings v0.2.0 shipped Rust, Python, Node.js, Ruby, Go, Java, C#, PHP, Elixir, and WebAssembly. v0.3.0 adds Dart , Kotlin/Android , Swift , and Zig — bringing the total to fourteen. None of the per-language glue is written by hand. Every binding is generated from the Rust core by alef , our polyglot binding generator. The Dart and Kotlin/Android packages bind through the C FFI layer ( kreuzcrawl-ffi ) via dart:ffi and JNI respectively. Swift binds through clang. Zig uses @cImport against the same C header. The generation pipeline also hardened in this release: the Docker publish matrix now builds each architecture natively rather than via QEMU emulation, the Dart build no longer requires the Flutter SDK for pub.dev publishes, Swift artifactbundle checksums are injected automatically, and the Elixir/PHP/Ruby releases preserve their lock files through the source-publish step. === "Python" ```sh pip install kreuzcrawl ``` === "Node.js" ```sh npm install @xberg/kreuzcrawl ``` === "Rus