Features
What Sanctuary does.
A coordinator for Bitcoin wallets that never touches your private keys. Everything below is built around that constraint — from device connectivity to notifications to sharing.
Single-sig & multisig
Sanctuary coordinates both single-signature and multi-signature wallets. Import an output descriptor, connect devices directly, or scan xpub QR codes — then build and sign transactions across every co-signer from the same interface.
- › Output-descriptor import (e.g.
wpkh([fingerprint/84'/0'/0']xpub.../0/*)) - › JSON import from Sparrow, Specter, and other compatible wallets
- › Multi-wallet, multi-network (mainnet, testnet, signet) with per-network Electrum connections
- › Real-time sync via Electrum subscriptions — balances and new transactions appear without refresh
PSBT workflow
Every transaction Sanctuary builds is a Partially Signed Bitcoin Transaction — the BIP-174 standard format hardware wallets and co-signers speak natively. PSBTs are portable: you can sign one on a device physically disconnected from the internet, then import the signed result back via file or QR code.
- › Fee-rate control via an interactive mempool visualizer (click a block to adopt that fee rate)
- › Sub-sat/vB precision — fee rates support decimals as low as 0.1 sat/vB
- › UTXO selection for privacy-conscious coin control
- › Transaction drafts — save unsigned PSBTs, lock selected UTXOs, and coordinate shared signing flows
- › Verify every output on your hardware wallet before broadcasting
RBF & CPFP
If a transaction stalls in the mempool, you don't need to wait. Replace-By-Fee creates a replacement with a higher fee; Child-Pays-For-Parent attaches a high-fee child that pulls the parent through.
RBF (Replace-By-Fee)
- › Requires RBF-flagged sender (sequence < 0xfffffffe)
- › New rate must exceed current by ≥1 sat/vB
- › Only the replacement confirms — the original is dropped
CPFP
- › Works on received transactions you can't replace
- › Spends the unconfirmed output at a high fee
- › Miners include both to capture the combined fee
Role-based access
Share a wallet's visibility without sharing its custody. Sanctuary defines three roles per wallet, and groups let you apply the same permissions to a whole family or team.
| Role | View | Edit labels | Create tx | Share / delete |
|---|---|---|---|---|
| Owner | ✓ | ✓ | ✓ | ✓ |
| Signer | ✓ | ✓ | ✓ | — |
| Viewer | ✓ | — | — | — |
Admins can disable public registration so only invited users get accounts. Groups make it easy to give everyone the same access at once.
Air-gapped signing
For devices that never connect over USB — ColdCard, ColdCard Q, Keystone, Passport — Sanctuary speaks both QR codes and files.
QR code flow
Import xpubs by pointing your camera at the device, then sign PSBTs the same way — scan out, sign on the device, scan back in. Requires HTTPS for camera access.
MicroSD / file flow
Export a JSON descriptor or PSBT to a MicroSD card, sign on the device, bring it back. Works over plain HTTP too — handy when running on Umbrel.
Tor & private Electrum
By default Sanctuary uses public Electrum servers, which means someone on the other end sees which addresses you query. Swap that out for your own server — or route everything through Tor — and the network profile of your wallet usage disappears.
$ ./start.sh --with-tor
Point Sanctuary at Fulcrum, electrs, or ElectrumX over SSL or TCP via ELECTRUM_HOST in your .env.
2FA & audit logging
Opt-in TOTP-based two-factor authentication, backed by 10 single-use backup codes. Disabling 2FA requires both your password and a valid 2FA code — intentionally harder than enabling it.
Sanctuary also maintains an audit log of security-relevant events — logins, permission changes, wallet shares, gateway/mobile API activity — visible to administrators.
Notifications
Wallet activity can reach you on your terms:
- › Telegram — your own bot; per-wallet toggles for sent, received, consolidation events
- › In-browser sounds — 20 presets, configurable per event (receive, send, confirmation)
- › Push — via the optional mobile API gateway (iOS via APNs, Android via FCM)
- › Confirmation milestones — notifications at 1, 3, and 6 confirmations
Backup & restore
Export every piece of state Sanctuary holds — wallets, devices, users, 2FA settings, labels, groups, sharing permissions, audit logs — as a single JSON file. Restore onto the same instance to get everything back; restore onto a different instance and Sanctuary cleanly handles the encryption-boundary case.
| Data | Same instance | Different instance |
|---|---|---|
| Wallets & transactions | ✓ Restored | ✓ Restored |
| User accounts & passwords | ✓ Restored | ✓ Restored |
| Transaction labels | ✓ Restored | ✓ Restored |
| Node config passwords | ✓ Restored | ⚠ Cleared |
| 2FA secrets | ✓ Restored | ⚠ Cleared |
Migrating servers? Copy ENCRYPTION_KEY and ENCRYPTION_SALT to the new instance before restoring — encrypted data comes along for the ride.
Hardware wallet support
Sanctuary talks to the major hardware wallet vendors over USB, HID, Serial, or — for air-gapped devices — QR codes and files.
| Device | Connection | Requires HTTPS |
|---|---|---|
| Ledger Nano S / S+ / X / Stax / Flex | WebUSB | Yes |
| Trezor Model One / T / Safe 3 / 5 / 7 | Trezor Connect | Either |
| BitBox02 Untested | WebHID | Yes |
| Blockstream Jade Untested | WebSerial (or QR) | Yes for USB |
| ColdCard | File (MicroSD) | No |
| ColdCard Q | QR code or file | Yes for QR camera |
| Keystone | QR code or file | Yes for QR camera |
| Passport | QR code or file | Yes for QR camera |
Browser support: WebUSB / WebHID / WebSerial work in Chrome, Edge, and Brave. Firefox and Safari don't implement these APIs, so they're limited to air-gapped (QR/file) flows.
Untested: BitBox02 and Blockstream Jade integrations are implemented against their vendor SDKs but haven't yet been verified end-to-end on physical hardware. If you have one and try it, please report results on Codeberg — success or failure both help.
Built so far
46 tagged releases in 4.5 months. Day-one watch-only, hardware-signed throughout. Larger dots are major milestones; hover or focus the smaller dots to peek at minor releases. Tap any point to expand its detail below.
Watch-only foundations
v0.1 · 2025-12-11- › Watch-only Bitcoin wallet with Electrum and Bitcoin Core RPC support
- › Multi-signature wallet support with descriptor and JSON import
- › Hardware wallet PSBT signing via WebUSB (Ledger, Trezor)
- › Wallet sharing with role assignment for users and groups
- › HTTPS-only setup so WebUSB / WebHID flows work in the browser
Multi-user, 2FA, notifications
v0.2 – v0.3 · 2025-12-13- › Role-based wallet permissions with admin registration control
- › Two-factor authentication and security hardening
- › Telegram notifications for wallet transactions
- › Push notification backend foundations for iOS and Android
- › Real-time sync log tab in wallet detail view
Drafts, audit log, Umbrel
v0.4 · 2025-12-17- › Trezor hardware wallet support alongside Ledger
- › Draft transactions, transaction export (CSV/JSON), table layout
- › Comprehensive audit logging system with correlation IDs
- › Backup and restore for admins;
ENCRYPTION_KEYsupport in installer - › Umbrel Community App Store package and one-liner install
- › QR camera scanning for device import; Coldcard JSON import
Gateway, RBF, multi-server pool
v0.5 – v0.6 · 2025-12-20- › API Gateway introduced — architectural foundation for native mobile apps
- › RBF and CPFP actions on transactions with proper draft/UTXO locking
- › Electrum connection pool with multi-server failover and health history
- › Multi-output sends, draft transactions with field locking and expiration
- › Configurable mempool fee estimator with sub-sat/vB precision
- › Telegram + push notifications for transactions and drafts
Tor, testnet, QR signing, AI Assistant
v0.7.0 – v0.7.9 · 2025-12-21- › Tor proxy support with .onion verification and decoy-output privacy mode
- › Full testnet and signet support with per-network connection modes
- › QR-code signing for air-gapped wallets (Passport, Coldcard, Keystone)
- › AI Assistant: transaction labeling, natural-language queries, isolated container
- › BitBox02 and Blockstream Jade hardware wallet adapters
- › Coin Control + Payjoin (BIP78) with privacy scoring
Multi-account devices & multisig polish
v0.7.10 – v0.7.27 · 2026-01-05- › Multi-account device support with SD-card and QR import
- › Device-merge flow for duplicate fingerprint consolidation
- › Multisig signing fixes across Trezor, Coldcard, BitBox02, Jade, Passport
- › 2FA encryption-at-rest with downloadable encryption-key backup
- › Wallet repair flow; extensible registries for import/export formats
Mobile gateway TLS & email verification
v0.7.28 – v0.8.0 · 2026-02- › Email verification for user registration
- › Native TLS in the API gateway with 4096-bit RSA, CA support, gateway-level audit
- › iOS backend enhancements: mobile permissions model and push notifications
- › Backend tests migrated to Vitest; new monitoring page with Grafana access
- › Multi-implementation address verification + Stryker mutation testing
Worker architecture & scale-out
v0.8.0 – v0.8.9 · 2026-03-01- › Dedicated background worker handles sync, subscriptions, and blockchain ops
- › Block-height tracking and pagination for hundreds-of-wallets deployments
- › Wallet sync moved off navigation, onto worker-driven event cadence
- › 30+ "god files" split into focused domain modules across server and frontend
Treasury Autopilot & feature flags
v0.8.10 – v0.8.17 · 2026-03-15- › Treasury Autopilot Phase 1: automated fee monitoring and consolidation alerts
- › Feature-flag admin UI with runtime toggling, audit trail, gated rollouts
- › 20+ premium UI enhancements: rich tooltips, animated tabs, sparklines, fee flash
- › Official BIP test-vector verification (BIP-143, BIP-341, BIP-380)
Vault Policies & Treasury Intelligence
v0.8.18 – v0.8.34 · 2026-04-01- › Vault Policies & Spending Governance: rules engine with approval workflows
- › Treasury Intelligence ("On-Chain CFO"): AI-powered wallet analysis
- › Support Bundle: one-click diagnostic export across the whole stack
- › Modernized typography, tighter UI radii, segmented network tabs
- › Major dependency upgrades: TypeScript 6, Prisma 7, Express 5, Vite 7
Agent wallets, MCP, CI hardening
v0.8.35 – v0.8.44 · 2026-04-15- › Agent wallets: dedicated operational wallets with funding flows, owner overrides, and alerts
- › Read-only MCP server so external AI tools can query Sanctuary safely
- › Hardened security: rate limits, CORS guards, cookie auth (HttpOnly + CSRF), Node 24 LTS
- › Reorganised documentation under the Diátaxis framework
- › Refactored 40+ UI and backend hotspots into smaller, testable modules
Sanctuary Console & local AI
v0.8.45 – v0.8.46 · 2026-04-25- › Sanctuary Console: in-app AI assistant drawer with admin controls and MCP tooling
- › Typed AI provider profiles with first-class support for local providers
- › Transaction-aware "typed intents" so the Console plans without surprising users
- › Living architecture documentation with diagram drift detection
- › Requester-only agent wallet setup flow and DB-backed price-provider settings
Ready to try it?
Install takes a couple of minutes on any Docker-capable machine. Sanctuary is still experimental and in active development — start small while you get comfortable.