L2: modify persistent-setup to require "Welcome Screen"

[BenWestgate]

Then modify bails-wallet into bails-signer which will refuse to run if networking is on and warn and prompt to shutdown.

A new autostart will do the same thing on startup if it doesn't detect offline mode. It will not be practically possible to remove these features or connect to Tor if starting with networking. It will also prompt to turn the persistent feature of welcome screen, dotfiles, gnupg back on.

bails-signercreates and recovers the same BUT the wallet name step only has amnesic option. And it will always display the QR for its descriptors on creation. A way to redisplay the descriptor QRs in bails-menu is needed.

Instructions will clearly say not to store your bails-signer USB with your Bails Node for security reasons. Nor both devices together.

The two devices will be a 2-of-2 together

We need two evil maids in two locations to wreck this setup.

It's looking like the most effective way is to add a key or two to your "High" security hot wallet and store them in locations where only you know and then give 100% of the shares of bails-signer to heirs, family, friends, and professionals. All of whom must be instructed at least inside the envelope if not explicitly to only release their shares under specific conditions which ensure your freedom and safety and verified.

The default threshold will be 3 for this wallet. But a lower and higher level will be available as well as the usual customization. This is because people differ wildly in the number of heirs they have from just their parents and maybe one best friend or trusted professional to dozens.

3 is best however as the shares people are holding will not reveal the use of the 2-of-2 multisig scheme while threshold 3 would.

Assuming wallet is persisted on the offline signer the minimum security level is 2 things you have 1 thing you know (the passphrase).

If the offline signer wallet is amnesic. Then it will take 1 share from loved ones, the passphrase and the public key fingerprint of the online Bails to recover. This is still "3 things" passphrase, ability to watch the L1 wallet and a share from bails-signer

Adding a share to the L1 setup will be MANDATORYotherwise going to multi-sig inevitably increases their risk of accidental loss since it's 2-of-2.

It's possible this setup can optionally decay to 1-of-2 after many years. 5-10 seems reasonable to discourage murder and incarceration.

[github-actions[bot]]

Stale issue message

[BenWestgate]

@BenWestgate: convert this to a discussion "L2 design"