Most "AI website builders" trap your work behind an editor you can't leave: you
can't see the code, and you definitely can't take it with you. I wanted the
opposite — describe a site, watch it get built, tweak it by chatting, and then
download the actual source and host it anywhere. So I shipped one and made
it free.
This is a quick tour of the AI website builder on
induwara.lk — how it works and the engineering decisions behind it.
What it does
- Describe the site you want (plain English).
- Opus 4.8 writes a plan — pages, sections, style — which you confirm.
- Sonnet builds it, streaming the code live (you watch the token count climb).
- Preview it in a sandboxed iframe, right there.
- Refine by chat — "make the header dark", "add a testimonials section" — it edits the project and re-previews.
- Download the full source as a .zip.
No signup cost, one free build a day's worth of tokens, and the code is yours.
The interesting engineering bits
Untrusted prompts + a code-gen model = a security problem
The naive approach — point an autonomous coding agent at a folder and let it run
— is a disaster for public input: a malicious prompt could read your secrets or
run commands. So the generator never acts as an agent in my environment. It
runs the model in pure text mode with every tool disabled: the model just
returns the code as text, and my server parses and validates it (extension
allow-list, no path traversal, size caps). The model can't touch the filesystem
or run anything.
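One way to implement the server-side check described above, as an added example (not the site's own code). It assumes the model's reply has already been parsed into a path-to-text mapping; the allow-list, the caps and every function name here are assumed values, not taken from the builder.

```python
import posixpath
from pathlib import PurePosixPath

# Assumed policy values for illustration only.
ALLOWED_EXT = {".html", ".css", ".js", ".json", ".svg", ".txt", ".md"}
MAX_FILES = 50
MAX_FILE_BYTES = 256 * 1024
MAX_TOTAL_BYTES = 2 * 1024 * 1024


class RejectedOutput(ValueError):
    """Raised when model output breaks the project policy."""


def safe_relpath(raw: str) -> str:
    """Return a normalised relative POSIX path or raise RejectedOutput."""
    if not raw or "\x00" in raw or "\\" in raw or len(raw) > 200:
        raise RejectedOutput(f"bad path: {raw!r}")
    if raw.startswith("/") or ":" in raw:
        raise RejectedOutput(f"absolute or drive path: {raw!r}")
    path = PurePosixPath(raw)
    # Any component starting with "." covers "..", and dotfiles like .htaccess.
    if any(part.startswith(".") for part in path.parts):
        raise RejectedOutput(f"traversal or dotfile: {raw!r}")
    if path.suffix.lower() not in ALLOWED_EXT:
        raise RejectedOutput(f"extension not allowed: {raw!r}")
    return posixpath.normpath(raw)


def validate_project(files: dict[str, str]) -> dict[str, bytes]:
    """Validate {path: text} from the model; return {clean_path: bytes} to write."""
    if not files or len(files) > MAX_FILES:
        raise RejectedOutput("file count out of range")
    out, total = {}, 0
    for raw, text in files.items():
        path = safe_relpath(raw)
        data = text.encode("utf-8")
        total += len(data)
        if len(data) > MAX_FILE_BYTES or total > MAX_TOTAL_BYTES:
            raise RejectedOutput(f"size cap exceeded at {path!r}")
        if path in out:  # e.g. "a.html" and "./a.html" collapse to one name
            raise RejectedOutput(f"duplicate path: {path!r}")
        out[path] = data
    return out


# Constructed sample of a parsed model reply (not real output).
SAMPLE = {"index.html": "<h1>Hi</h1>", "css/site.css": "h1{color:#222}"}
```

The whole project is rejected on the first violation rather than silently dropping the offending file, so a partially validated tree is never written to disk.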
Live streaming the build
--print text mode buffers the whole response, so the UI looked frozen. Switching
to stream-json (content_block_delta events) gives true token-by-token output —
the front end shows the code scrolling in and a live token counter.
"Resume" without byte-exact replay
You can't resume a half-written file from a language model. But you can continue
the conversation. Every project is a persistent session, so iterations (and
continuing after a budget pause) just resume that session with full context —
nothing is ever regenerated from scratch or lost.
Safe previews on a shared domain
Generated code is served with a Content-Security-Policy: sandbox header, so it
runs in an opaque origin and can't read the parent site's cookies — even on direct
navigation. The on-page iframe is sandboxed too.
Try it
→ induwara.lk/build — describe a site, refine it
by chat, download the code. Built in Sri Lanka.
If you just want APIs, there's also a free developer API
(NIC decoder, holidays, tax, and a free text-to-speech endpoint).