@Wwwoodchuck I’m going to be blunt. None of the things you describe should be determined client side. The client should NEVER be trusted. It’s very easy to program this way. The only time client data is used is when it can only come from the client and no other trusted source. Anything else is poor design. If you do otherwise with a game your days of profitability are numbered. If you do otherwise in finance you risk avoidable theft, lawsuits, and reputational risk. (I’ve done software development, risk management, QA, etc. in finance and other domains)
Incubators. Each player has 4 incubator slots all tracked server side. All the client does is say I want to open the incubator in slot x. The server then checks if there is an incubator in that slot, if it can be opened at that time. If it can be opened, the server randomly generates the contents per the incubator type, adds those contents to the player inventory server side and sends that inventory update to the client. The client is not trusted to generate any of the information.
Similar logic is used with spawns. Client says I want to dart spawn y. The server determines if that spawn is still there, if the player has already completed darting it, etc. The darting session begins on the client. The client completes it and sends a DNA amount. Yes, this number is determined client side but it has a maximum value that the server can check based on rarity, VIP status, distance when darting starts. When the client sends the DNA quantity, the server sanity checks it, updates the player’s server side inventory and sends this update to the client. That little bit of trust is a trade-off. It avoids having to communicate with the server for every dart fired. However, it does allow the player to force close their app if they are unhappy with the results of their dart session because it isn’t sent until after the first of the two animations at the end of a darting session.
TL;DR: Nobody who cares about their company (entertainment, finance, services, etc.) programs in a way that trusts client side information that can and should be generated and tracked server side.