Coldcard A
policy signer
OFFLINE
signer powered down
HSM · cap + velocity + whitelist
Coldcard B
policy signer
OFFLINE
signer powered down
HSM · cap + velocity + whitelist
Coldcard C
3rd key · failover
OFFLINE
signer powered down
3rd key · failover / break-glass
Spending policy · enforced on every signer
auto-sign ≤sats/txn
· velocity ≤sats per
min
Message signing · 2-of-3 proof of control
Coordinator global velocity · the authoritative cap across all 3 signers
auto-sign while the period total ≤
sats per
min · spent this period: …
This is the precise operational cap: the keyless coordinator enforces it before any signer is asked, counting only broadcast transactions, so a refused or dropped spend never burns budget. It is not the last line of defence — the safety floor lives on the hardware. Even if this coordinator were offline (spending simply halts) or fully compromised, every spend still needs two Coldcards to each pass their own address whitelist + per-txn cap + velocity — so a rogue coordinator can't redirect funds off your whitelist or exceed the devices' ceilings. The coordinator limits; the hardware bounds.
Address whitelist. Anonymous demos can only pay the whitelisted sink
…. Choose “an un-whitelisted address ✗” above and run a spend to watch the
Coldcards refuse an off-list payee on-device.
Sign in with Nostr to authorise your own signet address and pay it instead of the sink.
Coordinator · keyless
// the coordinator holds no keys — its compromise can't move funds. // three on-device policies still gate every signature: cap · velocity · whitelist. // set an amount + destination, tune the policy, or sign a message — watch it happen live.
What's happening
1Build a PSBT from the watch-only 2-of-3 wallet
2Fan out to 2 of 3 signers over the tailnet
3Each Coldcard evaluates & signs (or refuses) under policy
4Combine the partial signatures
5Broadcast to real signet · watch it confirm