Observations from initial testing

Below I attach AI analysis of the issues: HW transfer to spending — QA analysis

1. transfer from Trezor 7 connected via BLE

• my initial balance on Trezor was 2 100 000
• had issue each time (2 or 3 times) when trying to transfer MAX - was able to sign transaction but at the end got "Reconnect Hardware Device" error toast ❌

• after those few failed attampts I tried to transfer 25% of Trezor balance and was successful with that ✅
• Tried to transfer again from Trezor - had 1 682 648 balance on Trezor - but calculated MAX on Transfer to spending was 90 278 - which looked a bit off [but guessing it was due to LSP liquidity limits] ⚠️
• during the transfer I had Bitkit/Trezor enforce reconnect device - despite the fact it was connected before - this operation again ended with "Reconnect Hardware Device" toast error. ❌

2. transfer from Trezor 7 connected via USB

• after that I disconnected Trezor 7 connected via BLE and connected the same device using USB.
• I was able to send MAX twice - which calculated as ~90k both times with the 1500k balance on trezor.
• After that the Transfer to spending shown 0 for me and wasn't able to transfer anymore. ⚠️
• Closed all the channels, mined 10 blocks, tried to transfer MAX. Got "Insufficient funds" error toast ❌

Attaching logs from the session:
bitkit_logs_2026-06-23_11-06-01.zip

In general it looks that there is a lot of "reconnect" errors - especially on connection via BLE.
Also some polishing around LSP limits is probably needed - last error showing insufficient funds.

Other observations:

• Looks like "Transfer" transactions that are from Trezor never get "Confirmed" status and are permanently "In Transfer" despite the blocks were they belong are mined long time ago. ❌

HW transfer to spending — QA analysis

Session logs: bitkit_logs_2026-06-23_11-06-01 (bitkit-logs)
Device: Samsung S22, Android 16, Trezor Safe 7, regtest
App: 2.3.0 (182)

Cross-checked manual testing observations against logs and the #1039 transfer flow.

Verdict overview

1. BLE — “Reconnect Hardware Device” after MAX

Logs: Four failed MAX attempts used clientBalanceSat ≈ 1,661,647 (not ~90k). Failures are:

• signTxFromPsbt failed [TimeoutCancellationException: Timed out waiting for 45000 ms] (×3)
• connectKnownDevice timeout (×1)
• One user cancel: Device error (code 4): Cancelled

All timeouts surface the same “Reconnect Hardware Device” toast, even though BLE was still active (244-byte TX/RX right before timeout).

Successful BLE transfer: 25% order (415,412 sats) at 09:33 — tx af815b34…, order settled.

Recommendations

1. Don’t use the reconnect toast for timeouts — separate copy (“Signing took too long…”) and check mempool/watcher before erroring (tx may have broadcast).
2. Raise BLE sign timeout (45s is tight for large PSBTs); consider separate budgets for reconnect vs sign.
3. Skip forceSession disconnect when already connected on the same deviceId.
4. Retest MAX on BLE only after smaller amounts work; first MAX at ~1.66M is a stress case.

Also saw a real BLE failure: THP handshake failed: Expected channel allocation response, got: 3f (~10:56) — same reconnect toast; needs distinct handling.

2. MAX ~90k with large Trezor balance

Expected, not a Trezor balance bug.

MAX is capped by Blocktank total channel liquidity, not Trezor balance. Formula subtracts existing Blocktank channel capacity from LSP maxChannelSizeSat (~1.74M on regtest).

Logs: USB success at 10:17 — Trezor ~1.68M, transfer 90,278 sats (amountSats=90278). LDK already had large claimable closes (~415k + others), so remaining headroom was ~90k.

Recommendations

• UI: distinguish Trezor available vs LSP transfer limit (MAX label / helper text).
• When MAX is tiny vs Trezor balance, explain that spending from Lightning does not free this cap — only coop-close / transfer to savings does.

3. USB — two ~90k MAX, then MAX = 0

Expected after ~415k (BLE) + 2× ~90k (USB) ≈ ~1.6M of ~1.74M cap.

Sending from spending balance does not reduce existing_channels_total_sat; only closing channels does.

4. “Insufficient funds” after closing channels

Bug — misleading MAX, not empty Trezor.

After coop-close, snapshot shows 0 channels, 483k on-chain swept, Trezor watcher still ~1.5M. UI offered MAX with clientBalanceSat ≈ 1,498,181.

Logs (11:01:54):

Insufficient funds: 1499674 sat available of 1500672 sat needed — 998 sats short.

MAX is derived from watcher total balance and client amount; signing pays order.feeSat (client + LSP/network fees). Compose also had to select multiple UTXOs after several HW sends.

Recommendations

1. MAX must reserve order.feeSat (not just clientBalanceSat) + mining fee slack.
2. Optional compose dry-run before sign screen.
3. User-facing error: “Not enough confirmed Trezor balance for this order (fees included)” instead of generic “Insufficient funds”.
4. Refresh watcher before sign after channel closes.

5. Trezor “Transfer” activities stuck “In Transfer”

Confirmed bug.

Successful HW paths log Created sent onchain activity … confirmed=false. Orders settle (Order settled in logs), but activities never flip confirmed because HW txs are outside LDK — only the Trezor watcher sees confirmations; main activity store is not updated.

Recommendation

When watcher reports confirmations > 0 (or order is EXECUTED), upsert main activity confirmed=true by txid.

PR #1039 — suggested gate

Blockers before merge

• Reconnect toast conflates timeout / THP failure / real disconnect (especially BLE).
• HW transfer activities never confirm in Activity list.
• Insufficient funds when MAX looked valid (fee / order.feeSat math).

Polish (non-blocking but worth tracking)

• LSP limit UX (MAX vs Trezor balance, MAX=0 messaging).
• Power save was on in support snapshot — may worsen BLE; note in QA matrix.

Looks correct / expected

• ~90k MAX with large Trezor balance.
• MAX → 0 after filling LSP capacity.

Log references (for dev follow-up)

had issue each time (2 or 3 times) when trying to transfer MAX - was able to sign transaction but at the end got "Reconnect Hardware Device" error toast

"Insufficient funds" after closing channels

Looks like "Transfer" transactions that are from Trezor never get "Confirmed" status and are permanently "In Transfer"

Thanks Piotr, I pushed fixes for the issues you identified in the first round of early validation.

This now:

• confirms HW transfer activities from Trezor watcher data
• avoids double-counting total balance while a paid HW order becomes a pending/ready channel
• calculates HW funding/MAX against the final order.feeSat plus the composed mining fee
• stores the actual composed mining fee on the HW transfer activity
• separates reconnect, funding composition, and signing timeout handling, with better BLE/session reuse

Validation video: MAX transfer

Resolved in 2ecf4d1

QA re-test — HW transfer to spending (2026-06-24)

Build: 2.3.0 (182) · Samsung S22, Android 16 · regtest · Trezor Safe 7
Logs:
bitkit_logs_2026-06-24_10-26-57.zip

What I tested

• Trezor → spending on BLE and USB
• MAX at LSP cap (~1.65M sats) — both transports succeeded
• Smaller transfers, multiple channel opens (6 settled orders), coop closes (incl. batch close), spending → new channel (~138k)
• Pair / forget / re-pair BLE; BLE ↔ USB switching
• Activity list — HW transfers no longer stuck “In Transfer”; confirm as expected after completion (fixes prior QA blocker)
• Mostly tested with power save on. Sanity tested with power save off: connect via BLE + transfer to spending

Result

Stable — no sign timeouts, no insufficient-funds on MAX, no THP failures on successful paths (major improvement vs 2026-06-23 session).

Minor UX (non-blocking)

On the HW sign screen, tapping “Open Trezor Connect” sometimes results in red “Reconnect Hardware Device” toast when device is locked / connection in progress — usually fixed by unlocking Trezor, not re-pairing. Logs: THP Error: DeviceLocked, Connection already in progress. Softer copy would help.

Out of scope for this PR (filed separately)

• [Bug]: Spending balance briefly doubles after coop close + second channel open #1041 — spending balance double-count after coop close + second channel (general balance)
• [Bug]: LN activity keeps failed attempt amount after successful retry (same invoice) #1042 — LN activity wrong amount after failed retry (general activity sync)

Verdict

Approve for HW transfer-to-spending scope. Manual coverage is sufficient for merge; follow-ups are tracked issues + toast polish.

Noticed additional minor issue — SpendingIntro / hasSeenSpendingIntro

SpendingIntro is skipped on HW → spending and also hasSeenSpendingIntro is never set, so intro still appears on later savings → spending transfer despite HW -> spending was done already.

Noticed additional minor issue — SpendingIntro / hasSeenSpendingIntro

SpendingIntro is skipped on HW → spending and also hasSeenSpendingIntro is never set, so intro still appears on later savings → spending transfer despite HW -> spending was done already.

Fixed by routing first-time hardware-wallet transfer-to-spending through the same shared SpendingIntro gate. Continuing from that intro now sets hasSeenSpendingIntro=true and then opens the hardware-wallet amount screen with the selected deviceId; once the intro has been seen, both HW and app-wallet transfer-to-spending flows skip it.

I also checked the supplied Figma HW frames: they start at the HW Amount screen and do not define a separate HW intro, so this reuses the existing generic spending intro.

Resolved in d9a5314