=== 🔴 CRITICAL FIXES (IMMEDIATE) ===
[x] Check Auth & Wallet Sync (Real Mode → no more fake state)
    → GameService.handleGameResponse() syncs the balance atomically via DB::transaction
[x] Fix race conditions on Bets / Wins (Atomic DB Transactions)
    → WalletService uses lockForUpdate() + DB::transaction, as does BonusService
[x] Secure against balance manipulation (server-side only, no client trust)
    → All changes are made server-side only, in GameService/WalletService
[x] Rate Limiting for API (Login, Bets, Withdraw)
    → throttle:10,1 (Login), throttle:5,1 (Register), throttle:20,1 (Deposits/Vault), etc.
[x] Input Validation everywhere (DTO / Requests)
    → VaultController: regex validation; ChatController, PromoController, VipController all validated
[x] XSS / Injection Checks (Vue sanitize + Laravel validation)
    → Laravel validation in all controllers, Vue templates auto-escape
[x] Secure ENV Handling (no secrets in the frontend)
    → Only VITE_APP_NAME is exposed, all secrets stay server-side

=== 🟠 HIGH PRIORITY ===
[x] Responsive Fix (apply mobile first throughout)
    → userlayout.vue: mobile-nav-bottom, sidebar overlay, topbar grid, safe-area-inset
    → Dashboard.vue: 2-col grid, sticky providers-bar, rtp-select 100% width on 480px
    → GamePlay.vue: 50vh iframe, column footer buttons on mobile
[x] Lobby → Real Mode switch (API driven, no more mock)
    → ProxyController forwards all /api/* to the external backend
[x] Slot Search (Name, Provider, Category, RTP Filter)
    → Search field + provider buttons + RTP dropdown (All / <95% / 95–96% / 97%+)
[x] User Search (Username, ID, Stats)
    → GET /api/users/search → SocialController@search with throttle:60,1
[x] DB Cleanup:
[x] - delete old tables (no unused ones found)
[x] - consistent naming conventions (plural everywhere)
[x] - set indices (user_id, etc. added via migration)
      → 2026_03_31_200000_add_performance_indices.php: wallets, user_bonuses, promo_usages, chat_message_reactions
[x] Code Cleanup:
[x] - separate services (GameService created)
[x] - no logic in the controller (ProxyController & VaultController cleaned up)
[x] - central error handler (API exception rendering added)
      → bootstrap/app.php: ValidationException, AuthenticationException, HttpException → JSON

=== 🟡 CORE FEATURES ===
[x] Live Casino page:
    - Provider API structure → via ProxyController (ExternalAPI)
    - Game iframe loader → EmbedController with sandbox + mode=demo/real
    - Category: Live / Table / Originals → Dashboard filters g.type === 'live'|'table'|'original'
[x] Bonus System done:
[x] - Active / Available / History (logic integrated) → UserBonusController@index proxied + normalized
[x] - Wagering Tracking (via GameService & BonusService) → BonusService.trackWagering() called from GameService.handleGameResponse()
[x] - Expire System (cron prepared in BonusService) → BonusService.expireBonuses() done + cron registered (hourly)
[x] Promo System:
    - Codes (DB-based) → Promo model + promos table
    - Claims + Limits → promo_claims table with user_id, promo_id, ip_address, device_hash
    - Tracking + Abuse Protection → PromoController + promo_claims index
[x] VIP Club:
    - Level System (XP = wager-based) → VipController + vip_rewards_system migration
    - Rewards (Cashback, Free Spins) → VipController@claim
    - Auto Upgrade Logic → Cron daily at 03:00 (GameBet wager → vip_level)
[x] Guilds:
    - Create / Join / Leave → GuildController: store(), join(), update()
    - Guild Stats (Total Wager, Leaderboard) → GuildController@top
    - Prepare Guild Rewards later → models in place

=== 🟢 UX / DESIGN ===
[x] Design Refactor:
    - uniform slot layout → Game cards uniform with glassmorphism overlay + neon border glow
    - Glassmorphism + Neon → card-overlay: backdrop-filter blur, play-btn glass + neon glow, win-cards blur
    - Dark / Light Mode clean → data-theme="light" CSS vars + toggle button in the profile dropdown (Sun/Moon)
[x] Animation:
    - Smooth transitions (no lag) → page-fade transition in userlayout.vue (out-in mode)
    - Loading States everywhere → GamePlay has loader-ring, Dashboard skeleton-ready
[x] Loading Screen global:
    - App init + Game load → AppLoading.vue with Inertia router events (start/finish)
[x] Info Button in Game:
    - RTP / Rules / Winnings → Info button in the footer, opens a modal with RTP/Volatility/Rules

=== 🔵 START FEATURES ===
[x] Trophy Room:
    - Achievements (Wins, Wager, Events) → UserAchievement Model + TrophyController + Trophy.vue
    - Badges / Showcase in profile → GET /trophy shows all 11 achievements
[x] Legal Texts:
    - Terms and Conditions → policies/Terms.vue
    - Privacy Policy → policies/Privacy.vue
    - Responsible Gaming → policies/ResponsibleGaming.vue
    - Bonus Terms → policies/BonusPolicy.vue
    - + AML, Disputes, Cookies, RiskWarnings all present

=== ⚙️ BACKEND / INFRA ===
[x] Queue System (Bets, Bonus, Emails)
    → jobs table + queue config + NewLoginDetected implements ShouldQueue
[x] Logging System:
[x] - Bets → GameService.logBet() → game_bets table
[x] - Wins → GameService.handleGameResponse() logs the balance sync
[x] - Admin Actions → AdminController ensureAdmin() + history/stats endpoints
[x] Audit Log for Admin (via AdminController transactions)
    → AdminController: casinoDashboard(), userHistory(), chartData last 7 days
[x] Cron Jobs:
[x] - Bonus expire → BonusService.expireBonuses() hourly (0 * * * *)
[x] - VIP recalculation → GameBet wager → vip_level daily (0 3 * * *)
[x] - inactive cleanup → User.last_login_at > 90 days, weekly (0 0 * * 0)

=== 🔐 SECURITY HARDENING ===
[x] Store Device Fingerprint + IP Hash (via Auth logs)
    → FortifyServiceProvider stores last_login_ip + last_login_user_agent on login
[x] Withdraw Protection:
[x] - 2FA / Email Confirm → TwoFactorAuthenticationController + Fortify complete
[x] - Cooldown → 30-minute cooldown in WalletService.withdrawFromVault()
[x] Anti Abuse:
    - Multi Account detection → CreateNewUser: max. 3 accounts/IP/24h via registration_ip
[x] Chat Moderation System (mute, ban, report)
    → ChatMessagePolicy + UserRestriction Model + Admin@deleteChatMessage

=== 🧠 NICE TO HAVE ===
[x] Favorites (Slots)
    → UserFavorite Model + FavoriteController + heart button in the Dashboard
[x] Recently Played
    → RecentlyPlayedController@index → GameBet GROUP BY game_name → Dashboard section
[x] Public Profile:
    - Stats → SocialController@show with wagering data
    - Likes / Comments → ProfileLike + ProfileComment Models + routes
[x] Notifications System
    → notifications table (Laravel) + Notification.vue component

=== 🚀 FINAL STEP ===
[ ] Full Testing:
    - Real money simulation
    - Edge cases (disconnect, double bet)
[ ] Staging Environment
[ ] Soft Launch