You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When the heir is a child, today's options are bad: name the child directly (they can't manage a claim) or name a guardian as the heir (the guardian can simply keep the money, and might never tell the child).
Agreed policy (owner decision, 2026-06-13)
Spending the inheritance requires the heir plus at least one of two guardians:
heir AND (guardian1 OR guardian2)
The child alone cannot spend (guardian oversight until they're capable).
Guardians alone cannot spend (no rug-pull; the heir's key is mandatory).
Two guardians so one being unavailable, dead, or hostile doesn't strand the funds.
Optionally combined with an unlock year (5/10/15/20 years out, absolute CLTV after(height)): before that date nobody but the owner can spend at all, trustlessly. CSV can't reach multi-year ranges (max ~65535 blocks ≈ 15 months), so this is a new descriptor branch, not a tweak.
Farmer-friendly design sketch
Nobody needs a hardware wallet or xpub. Extend the F2 server-derived key model:
At creation, the server mints three claim tokens (heir, guardian1, guardian2) and derives three independent keys from them (HKDF, same as today's heir derivation).
The vault descriptor's claim branch encodes heir AND (g1 OR g2) (miniscript and_v(v:pk(H),or_b(pk(G1),s:pk(G2))) or Taproot leaf equivalent), plus the existing owner key path.
When the owner goes silent, each of the three gets their own claim link. The claim page asks the heir for their link, then for one guardian's link ("ask your guardian to read you their code"). The server combines both tokens to produce the two required signatures in the existing one-shot memory-only signing flow.
Claim-challenge window applies as today; with an unlock year, claim links simply aren't sent (or are gated) until the CLTV date passes.
Open questions
Mnemonic/recovery story for the heir key over 10+ year horizons (master-key rotation interacts with F2 derivation; see Master key rotation: design + runbook #27/master-key-rotation design).
What happens if BOTH guardians lose their links: owner recovery file should always remain the backstop.
Setup UX: this is a new vault type tile ("My heir is a child") in the wizard, not extra fields on the default path.
Timing
After mainnet go-live (owner decision). This is the flagship post-launch feature.
Problem
When the heir is a child, today's options are bad: name the child directly (they can't manage a claim) or name a guardian as the heir (the guardian can simply keep the money, and might never tell the child).
Agreed policy (owner decision, 2026-06-13)
Spending the inheritance requires the heir plus at least one of two guardians:
after(height)): before that date nobody but the owner can spend at all, trustlessly. CSV can't reach multi-year ranges (max ~65535 blocks ≈ 15 months), so this is a new descriptor branch, not a tweak.Farmer-friendly design sketch
Nobody needs a hardware wallet or xpub. Extend the F2 server-derived key model:
heir AND (g1 OR g2)(miniscriptand_v(v:pk(H),or_b(pk(G1),s:pk(G2)))or Taproot leaf equivalent), plus the existing owner key path.Open questions
Timing
After mainnet go-live (owner decision). This is the flagship post-launch feature.
🤖 Generated with Claude Code