Either I haven't been very good at explaining why there's no possibility to cheat, or I'm wrong. But if I'm wrong, no-one has posted a specific objection. So I'll try to explain it again, by presenting a specific design to show that a dishonest client cannot cheat.
Sorry, your system seems quite well thought, indeed. I hadn't been paying enough attention.
Still, I keep thinking that renting ssh access would be much simpler a solution.