the companion booklet

SAFE BY DESIGN

How a programming language can protect the kids who use it — not with filters bolted on top, but in its very grammar.

Most user-generated-content platforms fight an endless war: users can upload anything, so moderators must inspect everything. Images, audio, links, scripts — each one a channel for content nobody wants a ten-year-old to see. The usual answer is bigger filters, more reviewers, AI classifiers. Arcadia takes the opposite road: make the dangerous channels impossible to express in the first place.

1 · THE LANGUAGE IS THE GUARDRAIL

A closed world of objects. Arcadia has no image upload, no sprite editor for players, no asset URLs. Every game is built from one curated cast — ships, frogs, coins, blocks. You cannot draw something inappropriate in a language that has no way to draw.
No way to talk to the internet. The language has no fetch, no links, no embeds, no way to load or send anything. A finished game is a small WebAssembly module whose only connections to the outside world are the keyboard going in and the canvas coming out. There is nothing to phish with and nowhere to lure a player to.
No player input besides arrows and space. Games can't ask players to type. No chat, no name entry, no "enter your age" — so games can't collect anything from the children playing them. Data minimization, enforced by grammar.
One narrow channel for free text. The only free text a creator controls is the title, a short description, and what say prints on screen. One narrow channel is easy to inspect — and because it's the only channel, inspecting it is sufficient. This is what makes Arcadia's moderation deterministic: no AI guesswork, just complete coverage of a small surface.
Bounded by construction. A game lives in 64 KB of memory with at most 200 objects. It cannot allocate, recurse, or escape its sandbox — the compiler simply has no instructions for it. The worst a malicious genius can do is make a boring game.

2 · THE PIPELINE BEHIND THE GUARDRAIL

Language design removes most risk; the publishing pipeline handles the rest. Every submission passes a deterministic vetting engine that (1) must compile, (2) scans every text channel against tiered wordlists — with leetspeak, spaced-out and stretched spellings normalized away — plus URL, email, phone and contact-solicitation patterns, and (3) statically analyzes gameplay for spawn floods, strobe loops and banner spam (yes, photosensitivity is a content-safety issue). Clean games publish instantly. Grey areas wait for human eyes. Clear violations bounce with an explanation of exactly which rule fired — the same engine runs in the Studio, so creators can check before submitting.
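The text-channel scan in step (2), sketched as an added example; this is not Arcadia's engine. The wordlists, regex patterns, verdict names and the choice to treat contact patterns as outright rejections are all assumptions made for illustration.

```python
import re
import unicodedata

# Constructed stand-ins: the booklet does not publish its wordlists or patterns.
TIERS = {"reject": {"badword"}, "review": {"stupid"}}
LEET = str.maketrans("013457@$", "oieastas")
CONTACT = {  # checked on the raw text, before digits and "@" are rewritten
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|io|gg)\b", re.I),
    "phone": re.compile(r"(?:\+?\d[\s().-]?){7,}"),
    "solicit": re.compile(r"\b(?:add|dm|message|text|call)\s+me\b", re.I),
}


def squeeze(s):
    """Collapse stretched spellings: 'baaad' -> 'bad'."""
    return re.sub(r"(.)\1+", r"\1", s)


def normalize(text):
    """Fold Unicode lookalikes, case, leetspeak, spacing and stretching."""
    t = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    # Spaced-out spellings: join runs of single letters ('b a d' -> 'bad').
    t = re.sub(r"\b(?:[a-z][\W_]+){2,}[a-z]\b",
               lambda m: re.sub(r"[\W_]+", "", m.group()), t)
    return squeeze(t)


def vet(text):
    """Return (verdict, rule_that_fired) for one text channel."""
    for name, pattern in CONTACT.items():
        if pattern.search(text):
            return ("reject", f"contact:{name}")  # assumed tier for contact hits
    tokens = set(re.findall(r"[a-z]+", normalize(text)))
    for tier in ("reject", "review"):
        # Wordlist entries are squeezed too, so both sides compare alike.
        hits = tokens & {squeeze(w) for w in TIERS[tier]}
        if hits:
            return (tier, f"wordlist:{tier}:{sorted(hits)[0]}")
    return ("publish", None)


if __name__ == "__main__":
    # Constructed sample titles and say-strings.
    for sample in ["Frog Jumper", "b 4 d w 0 r d", "so stuuupid", "kid@example.com"]:
        print(repr(sample), "->", vet(sample))
```

Because the function has no state and no randomness, the same text always yields the same verdict and rule name, which is what lets one engine run both in the Studio and at submission time.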

And because rules improve over time, a nightly audit agent re-vets every published game against the newest rule set. A game that squeaked past last month's rules doesn't get to stay published under this month's.

3 · WHAT THIS MEANS FOR PARENTS & TEACHERS

Playing requires no account, no email, no personal information — nothing is collected from players, because nothing can be. Publishing requires an account that is just a username and password (an email is optional, used only for recovery). Creators own their games; the site only holds a license to display them. There are no ads, and no game can ever show one.

4 · CONSTRAINT IS A FEATURE, TWICE

The same limits that make Arcadia safe make it creative.

A 30-line game is possible precisely because the language is tiny; a safe game is guaranteed for the same reason. The jams lean into it: best game in 30 lines, a game with one object kind, gravity-as-the-enemy week. Limits aren't the price of safety — they're the game design philosophy and the safety model, sharing one body.

A NOTE ON THIS DOCUMENT

This booklet describes a design approach, not a legal guarantee; no system is perfect, and a report button backs up everything above. The booklet is free to share. If you build a kids' creative platform, steal these principles — that's what they're for.