The MCP game the AI can't cheat at

A live MCP server where the AI physically can't leak the answer, played through Claude Code, plus the parts of the 2026 MCP ecosystem worth knowing: registry, observability, enterprise rollout.

TL;DR: I built a word game you play by chatting with Claude, and the AI hosting it can't cheat: the answer never leaves the server. It's live, there's a global leaderboard with exactly one name on it, and it's the clearest demo I have of a rule worth stealing: put the truth in a tool, not in the prompt. Ten seconds to start playing.

My favorite thing I built this year is a game the AI can't cheat at. Not won't. Can't.

Secret Word Quest is a word-guessing game you play inside a chat with Claude. Claude hosts the round: it relays the clue, passes your guesses to the server, reads back the feedback, celebrates when you finally get one. But the word itself never touches the model. It sits on a server Claude can only reach through six tools, and nothing you type can pull it across.

If you've ever watched an AI confidently invent an answer, you already care about this. A model can't leak, spoil, or make up a fact it never receives. That's the whole trick, and it's the part most MCP demos skip. This post is that idea, playable, plus where the MCP ecosystem actually stands halfway through 2026.

Where the word lives

Start a round and my server picks a word, hides it, and hands Claude exactly three things: a category, a letter count, and a clue. That's all the model ever knows about the round.

Here's a real round, played in Claude Code:

Claude Code session playing Secret Word Quest. The MCP tool calls are visible: new_game returns a category, a length and a clue, each guess goes to the server, and the winning guess comes back worth 135 points.

The screenshot is the whole argument. You can see new_game hand back a clue and a length, never the word. You can see each guess leave the chat, hit the server, and come back as feedback the server computed. Claude isn't playing the game. It's hosting it, blind. The model just moves information around. The truth never lives in it.

So there's no prompt that gets the answer out. You can beg, you can "ignore all previous instructions," you can ask Claude to reason step by step about what the word might be. It'll happily guess along with you (it's a language model, it has seen a lot of eight-letter tech words), but it can't leak what it was never given.

That's the real lesson, and it applies way beyond games: when something must be true, put it in a tool, not in a prompt. Prompts are suggestions. Tools are facts. If you're worried about an AI quietly making things up, this is the fix.

The whole game is six tools:

Tool What it does
new_game(player, difficulty, category) Start a round. The server hides a word.
guess(game_id, word) Submit a guess, get 🟩🟨⬛ feedback.
hint(game_id) Reveal the next hint (costs points).
status(game_id) Current state, no spoilers.
give_up(game_id) Reveal the word, end the round.
leaderboard(top) Global high scores, shared across players.

All six run on the server. Claude just decides when to call them based on what you type. That's MCP, complete and playable.

Play it right now

The server is hosted, so there's nothing to clone. In a client that supports remote MCP servers (Claude on a paid plan, Cursor, VS Code), add a custom connector with this URL:

https://secret-word-quest.wonderfuldune-d3efe9ff.centralindia.azurecontainerapps.io/mcp

Then say "let's play Secret Word Quest." You're now on the same global leaderboard as everyone else. The word list isn't in the public code, so there's no looking anything up. You have to play.

Claude Code calling the leaderboard MCP tool. The global board has a single entry: jamal, 135 points, for solving "algorithm" on medium difficulty.

That's the real board as I publish this. One entry, mine, from the round in the screenshot above. The #1 spot has a very low bar right now.

Prefer local? It's a normal stdio server too:

pip install -r requirements.txt
python server.py            # then point Claude Desktop at it in the config

The registry

A protocol only gets you so far if the servers are scattered across GitHub READMEs, which is roughly what MCP discovery was for its first year. That changed in September 2025, when the MCP project launched the official MCP Registry at registry.modelcontextprotocol.io. It's still technically a preview (the publish API is frozen at v0.1 while v1 general availability gets built), but it's already the index the ecosystem standardizes on.

It listed around 9,600 servers in late May 2026 and was closing in on 10,000 by the AI Engineer World's Fair at the end of June, where the road to GA was a main topic.

The mental model that helped me most: the registry stores metadata, not code. Your server still lives wherever code normally lives: PyPI, npm, GitHub, or a hosted URL. The registry holds a small server.json that points at it. Mine points at the live server, since Secret Word Quest is hosted:

{
  "name": "io.github.jamaljm/secret-word-quest",
  "description": "A word-guessing game you play through an AI. The server holds the hidden word so the AI can't cheat.",
  "remotes": [
    { "type": "streamable-http", "url": "https://.../mcp" }
  ]
}

Two design choices make it trustworthy. Namespaces are tied to identity: to publish under io.github.jamaljm, I log in with that GitHub account through a device flow, and the registry rejects names that don't match. Nobody can squat a namespace they don't own. And it's a backbone, not a walled garden: the registry publishes an open API, GitHub built its own registry on top of it, and client marketplaces pull from it. One source of truth, many storefronts.

Worth keeping separate in your head, though: the open registry is low-curation by design. Anyone can self-publish, and moderation happens after the fact, when someone flags spam or a malicious server. It's an index, not a seal of approval.

Claude's Connectors directory is the curated shelf on top: a reviewed, vetted set with a real bar to entry (privacy policy, tool annotations, OAuth for remote servers) that shows up for one-click install inside Claude. That directory alone lists over 300 connectors used by millions of people a day. My server sits in the open index; anyone can still add it to Claude by hand as a custom connector.

What shipped in 2026

The registry matters more this year because the ecosystem around it grew up fast. Three things landed in June alone.

Connector submission moved inside Claude. Team and Enterprise admins can now submit a remote connector to the Connectors directory from an admin portal in the app, instead of a separate web form. Small change, but it turns publishing from "there's a process somewhere" into part of the product.

Connector observability hit public beta. Own a connector and you now get a dashboard: installs, tool calls, error rates, latency, and your directory rank over time. Shipping a server stopped being a fire-and-forget exercise.

And enterprise-managed connectors arrived. Admins can provision MCP connectors across an organization through an identity provider, Okta first, so users get access on first login with no per-user OAuth dance. This is the piece that makes MCP deployable at big-company scale.

Two things I'm watching

Code execution with MCP. In November 2025, Anthropic showed that instead of the model calling each tool directly, it can write code that calls the tools, loading definitions only when needed. Their example cut a task from about 150,000 tokens to about 2,000. That's a 98.7% drop. It sounds like an implementation detail until you wire up a dozen servers and notice the tool definitions alone are eating your context window.

MCP Server Cards. A draft proposal for exposing a server's capabilities at /.well-known/mcp/server-card.json, so clients, crawlers, and registries can see what a server does without connecting to it. Not shipped, just a draft on the roadmap. But it's the missing piece for making servers discoverable the way websites are.

A toy, on purpose

Secret Word Quest is not a product. It's about 350 lines of Python and a words file. But it's a complete, working tour of the loop that matters: a server that owns some truth, tools a model calls on your behalf, a registry entry tied to a real identity, and a hosted URL you can point your client at right now.

Add the server, knock me off the #1 spot, then go read the code and see how little of it there is. That was the point of building it.

FAQ

Can the AI cheat at Secret Word Quest?

No. The secret word lives only inside the server. The AI is just the host: it relays the clue and passes your guesses to a tool. It never receives the answer, so it cannot leak it or solve it for you.

Do I need to code to play?

No. In an AI client that supports remote MCP servers (Claude on a paid plan, Cursor, VS Code), you add the server URL once, then just chat. Say 'let's play Secret Word Quest' and start guessing.

Is it free to play?

Yes. Connect the hosted server as a remote MCP server in your AI client and play. It is a small demo, so treat the shared leaderboard as for fun.

What is MCP in one line?

The Model Context Protocol is an open standard from Anthropic (2024) that lets any AI client connect to any tool or data source through one shared interface, instead of a custom integration per pair.