Add status summary and prioritized next steps to TASKS.md

Add at top of TASKS.md:
- Status Summary table (quick view of progress)
- Priority distribution (CRITICAL/HIGH/MEDIUM/LOW)
- Next Steps section (this week, 1-2 weeks)
- Each task includes: description, effort estimate, blocking factors

Makes task list immediately actionable and progress trackable.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

docs/TASKS.md

@@ -1,9 +1,91 @@
 # aXion1337.Chat – Task List & Meilensteine
 
+**Last Updated**: 2026-05-14  
 **Statusübersicht**: [✅ 6 Abgeschlossen] [🔄 1 In Progress] [📋 15+ Pending] [🔒 10 Security]
 
 ---
 
+## 📊 Status Summary (Quick View)
+
+| Kategorie | Count | Status | Details |
+|-----------|-------|--------|---------|
+| **Completed** | 6 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN |
+| **In Progress** | 1 | 🔄 Blocked | Authentik Stage 2 (awaiting manual config) |
+| **Backlog** | 15+ | 📋 Pending | Element Call Fork, DB Backups, NetworkPolicies, etc. |
+| **Security Tasks** | 10 | 🔒 Pending | Firewall, SSH, auditd, Kernel hardening, CrowdSec, Falco |
+
+### Priority Distribution
+
+| Priority | Count | Timeline |
+|----------|-------|----------|
+| 🔴 **CRITICAL** | 3 | This week |
+| 🟠 **HIGH** | 4 | 1–2 weeks |
+| 🟡 **MEDIUM** | 8 | ~1 month |
+| 🟢 **LOW** | 4+ | Nice-to-have |
+
+---
+
+## 🎯 Next Steps (Priorisiert)
+
+### 🔴 **THIS WEEK – CRITICAL**
+1. **Authentik Stage 2 abschließen**
+   - Manual: OIDC Provider + Application in Authentik UI erstellen
+   - Code: `upstream_oauth2_config` in `mas-secret.yaml` einfügen
+   - Code: `passwords: enabled: false` aktivieren
+   - Commit: `enable-authentik-oidc-integration-in-mas`
+   - Est. Time: 1–2 hours
+   - Blocker: Manual Authentik config (user action)
+
+2. **Hetzner Cloud Firewall – Default-Deny Setup**
+   - Ingress: Allow 80/443 only
+   - Allow SSH from your IP or via WireGuard/Tailscale
+   - Est. Time: 30 min
+   - Cost: Free
+   - Impact: Blocks 99% of internet background noise
+
+3. **SSH Hardening**
+   - Disable password auth (key-only)
+   - Disable root login
+   - MaxAuthTries 3
+   - Est. Time: 1–2 hours
+   - Priority: HIGH
+
+4. **Database Backup Strategy – Decision & First Backup**
+   - Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)?
+   - Setup: Daily automated backups
+   - Setup: Off-site storage (S3 / Storage Box)
+   - Setup: Monthly verified restores
+   - Est. Time: 2–3 days
+   - Priority: CRITICAL (disaster recovery)
+
+### 🟠 **NEXT 1–2 WEEKS – HIGH**
+1. **Authentik End-to-End Test**
+   - Test: Login flow Element → MAS → Authentik → Matrix User
+   - Test: Password reset
+   - Create: Test invite links
+   - Est. Time: 2 hours
+
+2. **Element Call Fork**
+   - Fork: element-hq/element-call
+   - Feature: Video/audio constraints parameters
+   - Integration: Synapse well-known config
+   - Est. Time: 2–3 days
+
+3. **External PostgreSQL Migration**
+   - Decision: CloudNativePG vs. Hetzner Postgres
+   - Setup: HA + Replication
+   - Migration: Move data from ESS embedded Postgres
+   - Testing: Verify all services work
+   - Est. Time: 1–2 days
+
+4. **NetworkPolicies Deployment**
+   - Create: Default-Deny for `matrix` namespace
+   - Create: Allow rules (Synapse↔Postgres, MAS↔Postgres, Ingress→Web, etc.)
+   - Test: Ensure no service breakage
+   - Est. Time: 1 day
+
+---
+
 ## ✅ Abgeschlossene Aufgaben (Chronologisch)
 
 ### Phase 1: Basis-Setup