Control surface verdict

Short answer

• Official external API: not evidenced.
• Undocumented internal web API: strongly evidenced from page scripts and action flows.
• Alternate page: yes, the H5/mobile app.

What we can do without touching machines

• Map menus, pages, filters, exports, and approval flows.
• Infer command surface from JS endpoints and button bindings.
• See which machine actions exist in UI even if we do not execute them.

What looks operable via undocumented web calls

/Alarm/ClearMidFault
/Alarm/ClearMidListFault
/AssetsManage/AddAM
/AssetsManage/Delete
/AssetsManage/EditAM
/AssetsManage/EditSelIfBox
/AssetsManage/GetAM
/AssetsManage/GetCity
/AssetsManage/GetCountry
/AssetsManage/GetFatherCity
/AssetsManage/GetGXList
/AssetsManage/GetMacCabinet
/AssetsManage/GetMachineInfo
/AssetsManage/GetMachineMiAccuracy
/AssetsManage/GetMachineSize
/AssetsManage/GetMachineType
/AssetsManage/GetNFCSN
/AssetsManage/GetSCDetail
/AssetsManage/GetStringMachineGroup
/AssetsManage/ListJson
/AssetsManage/MachineIn
/AssetsManage/MachineInEdit
/AssetsManage/NFCDeviceActive
/AssetsManage/NFCDeviceAuth
/AssetsManage/NFCDeviceCancelAuth
/AssetsManage/NFCDeviceUnbind
/AssetsManage/OpenMAD
/AssetsManage/OpenMachineDoor
/AssetsManage/Screenshot
/AssetsManage/UpdateMid
/CommodityInfo/AddCI
/CommodityInfo/AuditList
/CommodityInfo/Delete
/CommodityInfo/DownLoad
/CommodityInfo/EditCI
/CommodityType/AddCMT
/CommodityType/CMTEdit
/CommodityType/Delete
/LoginSetting/EscRemind
/LoginSetting/GetDays
/LoginSetting/SetDays
/MachineGroup/AddMachineGroup
/MachineGroup/Delete
/MachineGroup/Edit_MG
/MachineOverview/RefreshAudit/
/OperateMonitor/ClearErrJson
/OperateMonitor/UpgradeVersion
/OutReport/SubmitRemoteShip
/PersonalSettings/GetPersonals
/Role/AddRole
/Role/EditRole
/Role/UpdateRole
/Selection/AddWarm
/Selection/Audit
/Selection/ClMachine
/Selection/ClearSoltInfo
/Selection/ClearSoltInfoAll
/Selection/DeleteQuantity
/Selection/Edit
/Selection/EditWarningQuantity
/Selection/GetselectWarm
/Selection/MultiEdit
/Selection/SEdit
/Selection/SetSlotHot
/Selection/Warm
/User/AddUser
/User/Delete
/User/EditUser
/User/RestPsd
/VendorManage/AddVM
/VendorManage/Delete
/VendorManage/EditVM
/WxMallProduct/AuditImge

Important nuance

Some JSON/data endpoints returned 403 when called directly outside the exact browser flow. That does not negate the control surface. It means the vendor UI likely adds expected headers, params, or anti-automation checks.

Best next steps

1. Drive the UI in-browser and capture real XHR/fetch traffic for 3-5 target workflows.
2. Build a narrow adapter for the few flows Ballbox actually needs.
3. Keep H5 in the plan; it may cover the most common ops with less reverse-engineering.