multi signature – How you can design a sturdy 2-of-2 Bitcoin multisig signing move with two Ledgers (no Sparrow dépend)

I’m creating a Bitcoin utility (“Bitcoin Monitor”) whose aim is to not change wallets, however to orchestrate commonplace PSBT signing flows in a sturdy and long-term-resilient method.

My present setup is:

Bitcoin multisig 2-of-2 (A + B)

P2WSH

Two Ledger gadgets (Ledger A and Ledger B)

PSBT signing by way of HWI

Watch-only pockets / UTXO scanning dealt with by my utility

I’ve validated this setup utilizing Sparrow, however I wish to take away Sparrow from the belief and dependency mannequin.

The core concern I’m making an attempt to deal with is:

If Sparrow disappears, I don’t wish to be locked right into a third-party UI to spend my funds.

The place I’m at present

My utility can construct a PSBT from recognized UTXOs.

I can name hwi signtx and procure partial signatures.

Ledger requires a “first affirmation / evaluate step” earlier than signing, which I perceive is regular conduct.

I wish to reliably signal with Ledger A primary, then Ledger B, after which finalize and broadcast the transaction.

What I’m making an attempt to realize (goal structure)

Use solely Bitcoin requirements (PSBT, descriptors, BIP32/48 derivation paths).

Make my utility a PSBT orchestrator, not a pockets.

Let the Ledger gadgets carry out all signing, with no non-public keys ever uncovered.

Make sure the setup stays usable even when Sparrow, Specter, or some other UI disappears.

My questions

1. What’s the minimal PSBT data required for Ledger to:

acknowledge inputs as belonging to the system

keep away from alarming warnings

enable clear multi-step signing (Ledger A then Ledger B)

2. Is storing and utilizing descriptors (obtain + change) thought of the really useful long-term method for this use case?

3. In a 2-of-2 P2WSH multisig, is the next move thought of appropriate and strong?

construct PSBT

signal with Ledger A (by way of HWI)

signal with Ledger B (by way of HWI)

finalize and broadcast (Bitcoin Core)

4. Are there any pitfalls to keep away from when designing this with out Sparrow (e.g. derivation paths, witness_utxo vs non_witness_utxo, Ledger-specific UX constraints)?

I’m explicitly making an attempt to keep away from proprietary codecs and UI lock-in, and would respect suggestions from individuals who have designed related multisig, institutional, or long-term custody setups.

Thanks prematurely

Victor