Bitcoin Multisig Vault — Collaborative Custody. Zero Knowledge.

A 2-of-3 multisig vault: you hold 2 of the 3 keys, we hold 1. Spending takes any 2 of the 3, so your two hardware wallets are enough to move funds entirely on your own — you have full control of your funds. Our single key can't do anything by itself: it's a recovery/backup co-signer, never a gatekeeper.

Multisig and spending policies aren't new — collaborative custody is an established space, and we're not trying to reinvent it. Our goal is the part that's still hard: doing all of it while keeping your data private, encrypted, and readable only by you. That's the difference — everything sensitive is encrypted in your browser before it ever reaches our servers.

Zero-knowledge by design
- Your passphrase derives your keys in-browser. The encryption key never leaves your tab.
- We store only ciphertext: xpubs, descriptor, labels, vault policies, pending spends, even recovery settings — all AES-256-GCM under keys we don't have. We can't read your vault. Not "we promise not to" — we don't hold the keys.

Here's the tell:
- If a platform can show you a company-wide "assets secured" number, it can read every customer's holdings.
- If a platform charges you by the amount you hold, it can read every customer's holdings.
We can't produce that number. Your balance is computed in your browser from data we can't decrypt — we genuinely don't know how much you hold, or where.

You can always recover without us
- It's a standard wsh(sortedmulti) descriptor. Export it, load it into Sparrow, sign with your two hardware wallets — done. No platform service key required, ever. If we vanished tomorrow, your coins are unaffected.
- We walk you through a recovery drill (save the descriptor, verify an address on-device, send a test tx) so you KNOW it works before funding.

Address & transaction lookups: no-log proxy
- To show balances and history, your address and transaction requests are relayed straight through a proxy — we don't log or store them. The proxy forwards a query as a page loads and keeps nothing.
- Want even that gone? Private Mode makes zero chain queries — track balances in Sparrow instead.

The co-signing key lives in a secure enclave
- Our third key runs inside a secure enclave: attestation-gated and non-extractable. The signing seed is decrypted only inside the enclave.

Spending policies you control with your hardware wallet
- Set rules the co-signer checks before it adds its signature: recipient allowlists, rolling 24h velocity limits (a max spend and a max number of transactions), and SIGHASH_ALL only.
- Changing a policy takes a hardware-wallet signature — not just your login. A hijacked session or a malicious browser can't quietly raise your limits or add a payout address; the new policy is signed on your device and bound to the enclave's key.
- Policies are stored zero-knowledge (encrypted to keys we don't hold — we can't read your rules either), and every service co-signature is appended to a tamper-evident, append-only audit log.

Shared vaults (two people)
- 2-of-2 for everyday spends, plus a time-locked, single-destination recovery escape hatch if one person loses a key. Invites are capability-gated with public-key verification built into the invite string — so even we can't substitute a key during a share.

Would you guys be interested in a product like this? We're going live in the next 1–3 weeks and are accepting beta testers now. Honest feedback is welcome — what would it take for you to trust it with real sats?