Verified full API coverage matrix (CLI + SDK, positive + negative) + working-order execute fix

[SimonTarara62]

Summary

Proves capctl covers the complete Capital.com Open API surface with a verifiable test matrix, and fixes a real bug that the matrix uncovered.

• Canonical endpoint registry (tests/e2e/endpoints.py): all 41 REST + WebSocket operations, each mapped to its CLI command and SDK method. An offline cross-check asserts the registry equals the documented Capital.com surface and that every command/method exists. Finding: nothing was missing — every endpoint already has a CLI command and an SDK method (the CLI surface even exceeds the official MCP toolset).
• Per-endpoint test matrix — CLI positive, CLI negative, SDK positive, SDK negative — filled to 158/158 applicable cells (100%). The 3 CLI-only connectivity primitives (GET /time, GET /session, GET /session/encryptionKey) are marked N/A in the SDK columns by design.
• Generated, drift-guarded docs: make coverage-doc renders the matrix into docs/api-coverage.md and a shields.io endpoint JSON (docs/coverage-badge.json); a README API coverage badge links to the proof table. A drift test keeps the doc/badge in sync with the registry, and a completeness gate fails if any cell regresses.

Bug fixed (found by the live matrix)

trade execute-order crashed with INTERNAL_ERROR: 'type'. Working-order previews were persisted to the state file before the working-order type/level fields were attached, so executing a previewed working order from a separate CLI invocation (which reloads the preview from disk) hit a KeyError. The in-process SDK path kept the in-memory copy and worked, which is why it was never caught — working-order execute had no e2e coverage before. Fixed in core/risk.py (re-save the preview after adding the fields) with a TDD regression test that exercises the state-file round-trip.

Safety note

Negative tests use no-network failure modes (missing-config → exit 3 / ConfigMissingError, Typer type-errors → exit 2, and guard rejections that short-circuit before any HTTP). An earlier draft used wrong-password logins, which tripped the demo login rate limit and risked locking the account — that approach was removed.

Test Plan

• Offline: ruff + mypy clean, 302 passed, 6 skipped.
• Live demo (read-only, real keys): 137 passed, 0 failed.
• Live demo (full trading lifecycle, real keys): 150 passed, 1 env skip, 0 failed; account verified flat (no positions/orders/leftover watchlists) afterward.
• Coverage matrix 158/158 (100%); badge + drift guards green.
• CI (ubuntu + windows × 3.10/3.11/3.12) — to confirm on this PR.

🤖 Generated with Claude Code