I think it should be only on the client side, mainly to limit the risk but also because the user should not be allowed to trigger actions that he could not do from the client.
So globally, I think the main difficulty is to create a descriptive language to manipulate (script) the client. For me this sounds a lot like Scripting Tryton Tutorial Video.
The remaining part is just input/output API.