in reply to IPC Messages Redux

I regret I still don't get it...

My #1 priority is ensuring that baddies can not trick my server into doing bad things. I assume that baddies own my client and everything in it. ...

... the client and the server are running in the same machine, communicating using Unix Sockets. If the bad people "own" the client, what is to stop them sending well formed messages to the server, whatever format you choose ? Since they own the client, they own all the required code... Shirley ?

Your authentication presumably is expected to prevent a bad person from connecting to the server ? If so, then the threat is the bad person injecting requests into an existing open conversation ? You say you don't need to worry about encryption... you may be missing the dual purpose of encrypting. The first, and obvious, purpose is to prevent someone who can intercept the conversation from being able to read it. The second, and not so obvious, purpose is to detect attempts to (a) inject stuff into, or (b) remove stuff from, or (c) tamper with the conversation. Obviously, you arrange for both ends to establish a session key during the authentication step, in such a way that the bad person cannot know it. Now, if each message is transmitted with the length of the data, the data and a crc -- where the data is encrypted -- then only after decrypting the data will the crc pass. Which implies that only people with a copy of the session key can send a valid message, or mess with a message and have it still be valid. To detect removed messages you need to include a sequence number in each one.

I'm still struggling to understand the objective, though. As I said, if the bad people can get to own the client, it's hard to see what you can do to prevent them using it to send bad stuff to the server, simply by using the client... Even if every request requires username & password, if the bad people own the client, they just capture the credentials ?
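The session-key plus length/sequence/check framing sketched in the reply above, written out as an added example that is not part of the original post. It is Python rather than Perl, uses a keyed HMAC over header and payload as the per-message check instead of a CRC (a MAC is the standard construction for the stated goal of detecting injected, removed or altered messages), and leaves encryption out since the post treats confidentiality as unnecessary on a local socket. The session key here is a constructed placeholder standing in for whatever the authentication step derives; the frame layout and the `Session` class are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder: in practice the key is derived during authentication
# so that only the two authenticated endpoints know it.
SESSION_KEY = bytes(range(32))

TAG_LEN = 32                    # HMAC-SHA256 output size
HEADER = struct.Struct("!IQ")   # 4-byte payload length, 8-byte sequence number


class FrameError(Exception):
    """Frame is malformed, forged, tampered with, dropped, replayed or reordered."""


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """One frame: length || seq || payload || HMAC(key, length || seq || payload)."""
    header = HEADER.pack(len(payload), seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_frame(key: bytes, expected_seq: int, frame: bytes) -> bytes:
    """Verify a frame against the key and the expected sequence number; return the payload."""
    if len(frame) < HEADER.size + TAG_LEN:
        raise FrameError("frame too short")
    header = frame[:HEADER.size]
    length, seq = HEADER.unpack(header)
    body_end = HEADER.size + length
    if len(frame) != body_end + TAG_LEN:
        raise FrameError("length field does not match frame size")
    payload = frame[HEADER.size:body_end]
    tag = frame[body_end:]
    expected_tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    # Constant-time compare: an early-exit byte compare leaks how much of the tag matched.
    if not hmac.compare_digest(tag, expected_tag):
        raise FrameError("tag mismatch: forged or tampered frame")
    # Tag verified, so the sequence number is trustworthy; now check for gaps and replays.
    if seq != expected_seq:
        raise FrameError(f"sequence {seq} but expected {expected_seq}: dropped, replayed or reordered")
    return payload


class Session:
    """One endpoint's view of the channel: its own send counter and receive counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def send(self, payload: bytes) -> bytes:
        frame = seal(self.key, self.send_seq, payload)
        self.send_seq += 1
        return frame

    def receive(self, frame: bytes) -> bytes:
        payload = open_frame(self.key, self.recv_seq, frame)
        self.recv_seq += 1      # advance only once the frame has verified
        return payload


def rejected(session: Session, frame: bytes) -> bool:
    """True if the session refuses the frame without advancing its receive counter."""
    before = session.recv_seq
    try:
        session.receive(frame)
    except FrameError:
        return session.recv_seq == before
    return False


def demo() -> dict:
    """Exercise the three cases the post lists: (a) inject, (b) remove, (c) tamper, plus replay."""
    client, server = Session(SESSION_KEY), Session(SESSION_KEY)
    results = {}
    f1 = client.send(b"HELLO")
    results["genuine"] = server.receive(f1) == b"HELLO"
    f2 = client.send(b"SET x=1")
    f3 = client.send(b"SET y=2")
    # (c) tamper: flip one payload byte of f2 in transit
    bad = bytearray(f2)
    bad[HEADER.size] ^= 0x01
    results["tamper"] = rejected(server, bytes(bad))
    # (a) inject: a frame with the right sequence number but built without the session key
    forged = seal(secrets.token_bytes(32), server.recv_seq, b"SET x=1")
    results["inject"] = rejected(server, forged)
    # (b) remove: f2 never arrives, f3 shows up next and the gap is noticed
    results["drop"] = rejected(server, f3)
    server.receive(f2)
    server.receive(f3)
    # replay of an old, genuine frame
    results["replay"] = rejected(server, f2)
    return results
```

Each check rejects without moving the receive counter, so a single bad frame does not knock the two ends out of step; how the real server then behaves (close the connection, log, alert) is a policy decision outside this example.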

Re^2: IPC Messages Redux
by Beechbone (Friar) on Feb 02, 2009 at 11:34 UTC
    Just imagine what could happen if Data::Dumper/eval() was used as "IPC protocol"...

    PS: No, I don't know about the other protocols, sry.


    Search, Ask, Know
Re^2: IPC Messages Redux
by pileofrogs (Priest) on Feb 02, 2009 at 18:41 UTC

    Sorry. I'm just doing a bad job writing my questions of late.

    I'm not trying to prevent the attack where a baddie steals someone's credentials. I'm trying to prevent an attack where they inject something I didn't foresee and crack my privileged process. Just think "SQL injection." If someone says their username is "bob; rm -r *", I don't want to do something dumb like system('chdir /home/'.$username). (This is a dumb example. I wouldn't ever let user-input that close to a system() call.)

    I figure the first step in preventing this kind of attack is narrowing the protocol of communications between the client and server.

    --Pileofrogs
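An added example of the "narrow the protocol" step, not pileofrogs' own code: the server accepts a fixed grammar of commands, each argument has its own validator, and a request such as `HOME bob; rm -r *` is refused at parse time, so no handler ever gets the chance to hand it to a shell. The command set, the username pattern and the `/home` base directory are constructed for illustration.

```python
import os
import re

# Constructed grammar: the only requests the privileged server will act on.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # POSIX-style login names only
MAX_LINE = 256
HOME_BASE = "/home"   # hypothetical base directory used by the HOME handler


class ProtocolError(Exception):
    """Request does not fit the grammar; the server drops it without acting."""


def _username(arg: str) -> str:
    if not USERNAME_RE.match(arg):
        raise ValueError(f"invalid username {arg!r}")
    return arg


def _port(arg: str) -> int:
    if not arg.isdigit() or not 1 <= int(arg) <= 65535:
        raise ValueError(f"invalid port {arg!r}")
    return int(arg)


# command name -> one validator per positional argument, in order
COMMANDS = {
    "PING": [],
    "HOME": [_username],
    "FORWARD": [_username, _port],
}


def parse_request(line: str) -> tuple:
    """Turn one request line into (command, *typed_args) or raise ProtocolError."""
    if len(line) > MAX_LINE:
        raise ProtocolError("line too long")
    if any(not " " <= ch <= "~" for ch in line):
        raise ProtocolError("non-printable character in request")
    parts = line.split(" ")
    cmd, raw_args = parts[0], parts[1:]
    validators = COMMANDS.get(cmd)
    if validators is None:
        raise ProtocolError(f"unknown command {cmd!r}")
    if len(raw_args) != len(validators):
        raise ProtocolError(f"{cmd} takes {len(validators)} argument(s), got {len(raw_args)}")
    try:
        args = tuple(check(arg) for check, arg in zip(validators, raw_args))
    except ValueError as exc:
        raise ProtocolError(str(exc)) from exc
    return (cmd, *args)


def home_dir(username: str) -> str:
    # Build the path with os.path, never with a shell. Even with a validated name,
    # confirm the result still sits directly under HOME_BASE before using it.
    path = os.path.normpath(os.path.join(HOME_BASE, username))
    if os.path.dirname(path) != HOME_BASE:
        raise ProtocolError("path escapes base directory")
    return path


def handle_request(line: str) -> str:
    """Dispatch a parsed request; handlers only ever see typed, validated arguments."""
    cmd, *args = parse_request(line)
    if cmd == "PING":
        return "PONG"
    if cmd == "HOME":
        return home_dir(args[0])
    if cmd == "FORWARD":
        user, port = args
        return f"FORWARD {user} {port} accepted"
    raise ProtocolError(f"no handler for {cmd!r}")   # unreachable given COMMANDS


def is_rejected(line: str) -> bool:
    """True if the request is refused before any handler runs."""
    try:
        parse_request(line)
    except ProtocolError:
        return True
    return False
```

The point is that the allowlist does the work: the username pattern excludes `;`, spaces, quotes and slashes outright, and the argument-count check means extra tokens are an error rather than something a handler has to reason about. Whatever the handler later does with `bob`, it cannot receive `bob; rm -r *`.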