multi signature – How you can design a strong 2-of-2 Bitcoin multisig signing circulation with two Ledgers (no Sparrow dépend)

I’m creating a Bitcoin utility (“Bitcoin Monitor”) whose aim is to not exchange wallets, however to orchestrate commonplace PSBT signing flows in a strong and long-term-resilient manner.

My present setup is:

Bitcoin multisig 2-of-2 (A + B)

P2WSH

Two Ledger units (Ledger A and Ledger B)

PSBT signing through HWI

Watch-only pockets / UTXO scanning dealt with by my utility

I’ve validated this setup utilizing Sparrow, however I need to take away Sparrow from the belief and dependency mannequin.

The core concern I’m making an attempt to handle is:

If Sparrow disappears, I don’t need to be locked right into a third-party UI to spend my funds.

The place I’m immediately

My utility can construct a PSBT from identified UTXOs.

I can name hwi signtx and acquire partial signatures.

Ledger requires a “first affirmation / evaluate step” earlier than signing, which I perceive is regular habits.

I need to reliably signal with Ledger A primary, then Ledger B, after which finalize and broadcast the transaction.

What I’m making an attempt to attain (goal structure)

Use solely Bitcoin requirements (PSBT, descriptors, BIP32/48 derivation paths).

Make my utility a PSBT orchestrator, not a pockets.

Let the Ledger units carry out all signing, with no non-public keys ever uncovered.

Make sure the setup stays usable even when Sparrow, Specter, or some other UI disappears.

My questions

1. What’s the minimal PSBT info required for Ledger to:

acknowledge inputs as belonging to the gadget

keep away from alarming warnings

permit clear multi-step signing (Ledger A then Ledger B)

2. Is storing and utilizing descriptors (obtain + change) thought of the beneficial long-term strategy for this use case?

3. In a 2-of-2 P2WSH multisig, is the next circulation thought of right and sturdy?

construct PSBT

signal with Ledger A (through HWI)

signal with Ledger B (through HWI)

finalize and broadcast (Bitcoin Core)

4. Are there any pitfalls to keep away from when designing this with out Sparrow (e.g. derivation paths, witness_utxo vs non_witness_utxo, Ledger-specific UX constraints)?

I’m explicitly making an attempt to keep away from proprietary codecs and UI lock-in, and would admire suggestions from individuals who have designed related multisig, institutional, or long-term custody setups.

Thanks prematurely

Victor