[AD] I've wrote a short paper on this; Remote Software Identification -- Zero Trust Remote Software Verification [1] after reading a blog post by GUIX - and I've provide PoC code in Go [2]. It utilises a hash chain log server side, of inputs and outputs, every response from server embeds the related hash chain entry, client side can request and replay the log and verify the response hash adds up to the hash they calculated.

[1] - https://gist.github.com/adrianduke/ab40044ccee16804a9d0b2b77... [2] - https://gist.github.com/adrianduke/676ee1ffb88f4489b31aebf5e...