multi signature – design a sturdy 2-of-2 Bitcoin multisig signing stream with two Ledgers (no Sparrow dépend)

I’m growing a Bitcoin software (“Bitcoin Monitor”) whose aim is to not substitute wallets, however to orchestrate customary PSBT signing flows in a sturdy and long-term-resilient method.

My present setup is:

Bitcoin multisig 2-of-2 (A + B)

P2WSH

Two Ledger units (Ledger A and Ledger B)

PSBT signing through HWI

Watch-only pockets / UTXO scanning dealt with by my software

I’ve validated this setup utilizing Sparrow, however I need to take away Sparrow from the belief and dependency mannequin.

The core concern I’m making an attempt to handle is:

If Sparrow disappears, I don’t need to be locked right into a third-party UI to spend my funds.

The place I’m at the moment

My software can construct a PSBT from recognized UTXOs.

I can name hwi signtx and acquire partial signatures.

Ledger requires a “first affirmation / evaluation step” earlier than signing, which I perceive is regular conduct.

I need to reliably signal with Ledger A primary, then Ledger B, after which finalize and broadcast the transaction.

What I’m making an attempt to attain (goal structure)

Use solely Bitcoin requirements (PSBT, descriptors, BIP32/48 derivation paths).

Make my software a PSBT orchestrator, not a pockets.

Let the Ledger units carry out all signing, with no non-public keys ever uncovered.

Make sure the setup stays usable even when Sparrow, Specter, or every other UI disappears.

My questions

1. What’s the minimal PSBT info required for Ledger to:

acknowledge inputs as belonging to the gadget

keep away from alarming warnings

permit clear multi-step signing (Ledger A then Ledger B)

2. Is storing and utilizing descriptors (obtain + change) thought-about the really helpful long-term method for this use case?

3. In a 2-of-2 P2WSH multisig, is the next stream thought-about appropriate and sturdy?

construct PSBT

signal with Ledger A (through HWI)

signal with Ledger B (through HWI)

finalize and broadcast (Bitcoin Core)

4. Are there any pitfalls to keep away from when designing this with out Sparrow (e.g. derivation paths, witness_utxo vs non_witness_utxo, Ledger-specific UX constraints)?

I’m explicitly making an attempt to keep away from proprietary codecs and UI lock-in, and would recognize suggestions from individuals who have designed related multisig, institutional, or long-term custody setups.

Thanks upfront

Victor