Project
ArcadeLab
A publishing platform where kids share browser games they build with AI — paste HTML, get a live URL. No accounts, no passwords, no friction.
What it is
ArcadeLab is “GitHub Pages meets itch.io” for kids. The core loop: a kid builds a game with an AI assistant, pastes the HTML into a big text box, and it’s instantly live at a shareable URL. No email, no password — identity is a memorable Creator Code like ROCKET-WOLF-COMET-73, generated on first publish.
Around that loop there’s a games library, creator profiles, a remix system with provenance tracking, source-code viewing for every game, weekly game jams, a curated showcase of educational simulations, and around 45 articles teaching kids how to build.
The part I’m proudest of: it’s one of the first websites designed with AI agents as a first-class audience. An AI assistant can discover ArcadeLab, learn the publish format, and ship a kid’s game to a live URL without a human ever touching the docs. ChatGPT was organically referring users within 24 hours of deployment.
How it’s built
- AI assistants as a first-class audience
A /for-ai page serves a live briefing for AI assistants — publish format, supported libraries, current jam theme, trending games — pulled dynamically from the database. llms.txt and llms-full.txt; a robots.txt that explicitly welcomes 15+ AI crawlers, including on source-code pages; hidden-but-semantic ai-info blocks so an agent reading any page learns how to publish, remix, and link back; a machine-parseable game header format any AI can emit; and a publish API agents call directly with a creator code or bearer token.
- Autonomous AI moderation
Every game is classified by Claude Haiku asynchronously after publish, so the kid's URL never waits. High-confidence scams are auto-removed and the creator banned with zero human involvement; lower-confidence flags are shadow-hidden pending one-click admin review. Fail-open by design. It has caught real phishing attacks in production — including social-engineering games built to harvest other kids' creator codes.
- Security through architecture
Games run on a separate origin (play.arcadelab.ai), in iframes sandboxed to allow-scripts, with CSP connect-src 'none' — malicious code can't phone home, steal cookies, or escape. The sandbox does the security work so a 7-year-old on an iPad never hits a login wall.
- AEO that actually worked
A dynamic sitemap with play-count-weighted priorities, 10+ JSON-LD schema types, question-format content, and an entity page. AI models now recommend ArcadeLab unprompted when kids ask how to share the games they've built.
- Supporting engineering
Runtime CDN library injection — declare phaser or three in the game header and it's injected at render, never stored. Remix lineage tracked in the database and shown on game pages. Anonymous session-deduped reporting with auto-hide thresholds, and HMAC-hashed IPs for scam-cluster analysis without storing raw IPs.