It all started when I read about people running poker-bots. Systems that play poker on poker websites. I wanted to try my hand at writing a robot but I didn't want to play against humans. Those websites have rules against robotic players and I didn't want to spend time fighting that arms race. I wanted a system with an API designed for robots to interact with. I also didn't want to gamble with actual money. This would be an intellectual effort for me so I'd want all the "chips" the robots gamble with to all evaporate once one robot has been declared the winner.
Not being able to find such a venue, I wanted to try building one. Wanting to avoid human players meant that a tournament would need to be held in a closed system where all the players are completely autonomous, allowing no interaction with the outside world.
I sketched out my plan. Each developer would upload a ZIP file to my server that contained the program code. The controller code on my server would unzip and launch each player process, connecting to the stdin and stdout of each process. The controller would send event notifications into the stdin ("You have been dealt this hand.") and read player instructions from the stdout ("Discard card #3.")
That was when I realised my problem. If I allow strangers to upload any program they like, people are going to send me malicious programs. Bitcoin miners. Spam senders. All sorts of potential for evil.
I considered JavaScript as that's designed to run inside a restricted environment but it was impractical. Do I launch a web browser from my server? How does my service code communicate with the JS code? Can I stop JS code from connecting to the internet?
Even if I could work through to a practical solution, I didn't really want JS, I wanted Python.
Googling for answers led me to a set of projects that didn't quite fit the bill. Most hadn't been touched for years and others had a different security model to what I needed. If this project was going to get anywhere I'd need a partner who knows exactly how to run a process on a Linux server in a way that can't do anything other than be a poker bot.
So here I am. I'm hoping that projects like the one I described already exist and that'd be great. Maybe someone knows of a way to launch the Python interpreter but won't allow code to start reading files or connect to other services on the internet.
Or maybe I should stick with my plan B where player code runs on the developers own machines and I accept the possibility of human players as an unavoidable reality.
I guess I don't get why it is important to filter 'real' players for starters, and I definitely don't get why you'd land on just running uploaded Python code... the entire approach seems so needlessly convoluted.
I also don't understand why you are so worried about the cat and mouse game with the 'big sites' if you are just using play money. I haven't followed developments here in years, but back when I was earning a living it was enough to just run a screen scraper on your machine, that then passed of table state data to a seperate device (which is running the actual bot logic / storing player hand history databases, etc.) -- and even that wasn't strictly necessary unless you really raised some red flags.
Maybe take a look at some of the open source botting platforms like OpenHoldem, and use that as inspiration to re-evaluate your approach?
https://github.com/OpenHoldem/openholdembot/releases
This just seems like such an unsafe and half-cocked approach -- even if you got this python bot site up, I can tell you as a former pro poker botter that I would never ever have considered uploading my bot to your site, aside from your code execution concerns. You'd then see all my logic, and that's the biggest leak a poker botter could have.
Even if you pull this off, no one doing serious work on their bot logic is going to trust you with it -- for you it may be an intellectual exercise, but for that community it's a lucrative job where the only thing that makes you stand above the rest is a dynamic strategy that you are going to protect just as tightly as the key to a bitcoin wallet. The only submissions you will get are toy bots that have no chance of being competitive anyway... which kind of defeats the purpose of 'bots only' I think.
I don't mean to be discouraging, but as someone who made a living doing this for a few years I can say without a doubt no one who has put even a moderate amount of work tuning their bot is going to upload it for you to be able to rip the logic off.
If nothing else, you should be re-evaluating this in a manner where the only data exchanged between you and the client is the table state as it changes, as well as an API for submitting their action on their turn. Otherwise this is dead on arrival.