TRON 多签账户权限管理工具：原生三层权限模型与多签交易流程详解

multi-sig-%26-account-permissions by bofai/skills

2 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/bofai/skills --skill 'Multi-Sig & Account Permissions'

区块链命令行工具安全

🇨🇳中文介绍

多签与账户权限

通过协议层内置的多签支持，管理 TRON 的原生三层权限模型（Owner、Active、Witness）——无需外部合约。配置密钥、阈值和操作范围，然后通过提议 → 批准 → 执行的流程来协调多签交易。

快速开始

cd multisig-permissions && npm install
export TRON_PRIVATE_KEY="<your-private-key>"
export TRON_NETWORK="mainnet"

[!CAUTION] 错误配置 所有者权限 可能导致账户被永久锁定且无法恢复。务必先使用 --dry-run 模式，并确认你控制着足够多的密钥以满足新的阈值要求。

可用脚本

脚本	用途	读/写
`status.js`	查看当前权限配置	只读
`update.js`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

权限	类型	用途	默认值
Owner	0	完全控制。唯一可以修改其他权限的权限。	账户密钥，阈值 1
Active	2	日常操作。可以限定为特定的交易类型。	账户密钥，阈值 1，所有操作
Witness	1	区块生产（仅限超级代表）。	未设置

模式 1：检查账户安全性

# 检查你自己的账户
node scripts/status.js

# 检查任意账户
node scripts/status.js TXk8rQSAvPvBBNtqSoY3UkFdpMTMbqRMKU

模式 2：设置多签（3 选 2）

# 步骤 1：预览更改（务必先进行试运行！）
node scripts/update.js add-key TKey2Address... --permission owner --weight 1 --dry-run
node scripts/update.js add-key TKey3Address... --permission owner --weight 1 --dry-run
node scripts/update.js set-threshold 2 --permission owner --dry-run

# 步骤 2：或者使用模板一次性完成所有操作
node scripts/update.js from-template basic-2of3 \
  --key1 TKey1... --key2 TKey2... --key3 TKey3... --dry-run

# 步骤 3：确认无误后执行
node scripts/update.js from-template basic-2of3 \
  --key1 TKey1... --key2 TKey2... --key3 TKey3...

模式 3：将代理权限限制为仅限 DeFi

# 代理密钥只能调用智能合约，人类保留 2 选 2 的所有者控制权
node scripts/update.js from-template agent-restricted \
  --key1 THumanKey... --key2 TBackupKey... --key3 TAgentKey... --dry-run

模式 4：多签交易流程

# 签名者 1：提议一笔转账
node scripts/propose.js transfer TRecipient... 10000 --memo "Q1 budget"

# 签名者 2：审查并批准
node scripts/approve.js prop_1709312400_a3f2

# 任何签名者：达到阈值后执行
node scripts/execute.js prop_1709312400_a3f2

# 检查所有待处理的提案
node scripts/pending.js

模式 5：混合签名（人工 + 代理）

review.js 脚本是一个单独的 CLI 工具，供人工用户列出、检查、联署和执行由代理创建的提案。它使用 TRON_HUMAN_PRIVATE_KEY（而非 TRON_PRIVATE_KEY）来避免混淆人工和代理密钥。

# 代理（密钥 B）提议一笔转账（使用 TRON_PRIVATE_KEY）：
node scripts/propose.js transfer TRecipient... 500 --memo "Q1 vendor payment"
# → 输出提案 ID：prop_1710345600_b7e4

# 人工（密钥 A）审查所有待处理提案（无需密钥）：
node scripts/review.js

# 人工检查特定提案（只读，无需密钥）：
node scripts/review.js prop_1710345600_b7e4

# 人工在验证详情后联署（使用 TRON_HUMAN_PRIVATE_KEY）：
export TRON_HUMAN_PRIVATE_KEY="<human-key>"
node scripts/review.js prop_1710345600_b7e4 --sign

# 人工一步完成联署并广播：
node scripts/review.js prop_1710345600_b7e4 --sign --execute

模式 6：限定 Active 权限的操作范围

# 将 active 权限限制为仅限 TRX 转账和智能合约调用
node scripts/update.js scope-active --id 2 \
  --operations TransferContract,TriggerSmartContract --dry-run

模板使用 --keyN 标志将地址分配给指定的角色。密钥在 所有者和活跃角色中按位置编号（去重，所有者优先）。你也可以直接使用 --role_name（例如 --agent_key TAddr...）。

模板	配置	密钥映射	描述
`basic-2of3`	3 选 2 所有者，1 选 1 活跃（所有操作）	`--key1`=KEY_1, `--key2`=KEY_2, `--key3`=KEY_3	标准多签
`agent-restricted`	2 选 2 所有者，1 选 1 活跃（仅限 TriggerSmartContract）	`--key1`=HUMAN_KEY, `--key2`=BACKUP_KEY, `--key3`=AGENT_KEY	代理只能调用合约
`team-tiered`	5 选 3 所有者，3 选 2 活跃（转账 + 合约）	`--key1`..`--key5`=KEY_1..KEY_5	具有分级访问权限的团队
`weighted-authority`	阈值 3：主密钥（权重 2）+ 次密钥（权重 1）	`--key1`=PRIMARY_KEY, `--key2`=SECONDARY_1, `--key3`=SECONDARY_2	加权密钥授权

交易类型（操作）

与 scope-active --operations 配合使用：

操作	描述
`TransferContract`	转账 TRX
`TransferAssetContract`	转账 TRC10 代币
`TriggerSmartContract`	调用任何智能合约（DeFi、代币等）
`FreezeBalanceV2Contract`	质押 TRX 获取能量/带宽
`UnfreezeBalanceV2Contract`	解除 TRX 质押
`DelegateResourceContract`	委托能量/带宽
`VoteWitnessContract`	为超级代表投票
`AccountPermissionUpdateContract`	修改权限（在 Active 权限中非常危险）

完整列表请参见 resources/permission_config.json。

[!WARNING] 防止锁定：如果新阈值超过总密钥权重，update.js 脚本将拒绝执行。但是，你必须验证你实际控制着这些密钥——脚本无法检查这一点。

始终先进行试运行：每个写入操作都支持 --dry-run。
所有者更改不可逆：只有所有者密钥集可以修改权限。如果你将自己锁定在外，账户将永久丢失。
验证密钥控制权：在更改所有者权限之前，确认你拥有足够多的密钥访问权限以满足新的阈值要求。
限定活跃权限范围：不要给代理所有操作的访问权限。使用 scope-active 将其限制为 TriggerSmartContract。
提案会过期：默认过期时间为 24 小时。过期的提案无法执行。

提案以 JSON 文件形式本地存储在 ~/.clawdbot/multisig/pending/ 目录下。执行后，它们会被归档到 ~/.clawdbot/multisig/executed/。

对于多方设置，将提案 ID 分享给能够访问同一文件系统的联署人，或者将提案 JSON 文件复制给他们。

"锁定危险：阈值超过总密钥权重"

脚本阻止了一次危险的权限更改。请降低阈值或添加更多密钥。

"账户未找到或未激活"

该地址没有链上账户。请发送至少 0.1 TRX 来激活它。

提案的 24 小时窗口已过。请使用 propose.js 创建一个新提案。

提案需要更多签名。请检查 pending.js 以查看还需要多少权重。

变量	必需	描述
`TRON_PRIVATE_KEY`	是（代理脚本）	代理用于签名的私钥（由 `propose.js`、`approve.js` 等使用）
`TRON_HUMAN_PRIVATE_KEY`	是（`review.js --sign`）	用于 `review.js` 的人工私钥。必须单独设置——不会回退到 `TRON_PRIVATE_KEY`。
`TRON_NETWORK`	否（默认：mainnet）	`mainnet`、`nile` 或 `shasta`
`TRONGRID_API_KEY`	否	TronGrid API 密钥，用于提高速率限制

版本 1.0.0 — 由 M2M Agent Registry 为 Bank of AI 创建

🇺🇸English

Multi-Sig & Account Permissions

Manage TRON's native three-tier permission model (Owner, Active, Witness) with built-in multi-sig support at the protocol level — no external contracts needed. Configure keys, thresholds, and operation scopes, then coordinate multi-signature transactions through a propose → approve → execute flow.

Quick Start

cd multisig-permissions && npm install
export TRON_PRIVATE_KEY="<your-private-key>"
export TRON_NETWORK="mainnet"

[!CAUTION] Misconfiguring owner permissions can permanently lock an account with no recovery. Always use --dry-run first and verify you control enough keys to meet the new threshold.

Available Scripts

Script	Purpose	Reads/Writes
`status.js`	View current permission configuration	Read-only
`update.js`	Modify account permissions (add/remove keys, thresholds, scope)	Write
`propose.js`	Create a multi-sig transaction proposal	Write
`approve.js`	Add your signature to a pending proposal	Write
`execute.js`	Broadcast a fully-signed transaction	Write
`pending.js`	List pending multi-sig proposals	Read-only
`review.js`	Human CLI: list, inspect, co-sign, and execute proposals in one tool	Write

TRON Permission Model

Every TRON account has three permission tiers:

Permission	Type	Purpose	Default
Owner	0	Full control. Only permission that can modify other permissions.	Account key, threshold 1
Active	2	Day-to-day operations. Can be scoped to specific transaction types.	Account key, threshold 1, all ops
Witness	1	Block production (Super Representatives only).	Not set

Each permission has keys (address + weight pairs) and a threshold (minimum total weight to authorize). Example: 3 keys with weight 1 each and threshold 2 = 2-of-3 multi-sig.

Usage Patterns

Pattern 1: Inspect Account Security

# Check your own account
node scripts/status.js

# Check any account
node scripts/status.js TXk8rQSAvPvBBNtqSoY3UkFdpMTMbqRMKU

Pattern 2: Set Up Multi-Sig (2-of-3)

# Step 1: Preview changes (always dry-run first!)
node scripts/update.js add-key TKey2Address... --permission owner --weight 1 --dry-run
node scripts/update.js add-key TKey3Address... --permission owner --weight 1 --dry-run
node scripts/update.js set-threshold 2 --permission owner --dry-run

# Step 2: Or use a template for all at once
node scripts/update.js from-template basic-2of3 \
  --key1 TKey1... --key2 TKey2... --key3 TKey3... --dry-run

# Step 3: Execute when satisfied
node scripts/update.js from-template basic-2of3 \
  --key1 TKey1... --key2 TKey2... --key3 TKey3...

Pattern 3: Restrict Agent to DeFi Only

# Agent key can only call smart contracts, humans retain 2-of-2 owner control
node scripts/update.js from-template agent-restricted \
  --key1 THumanKey... --key2 TBackupKey... --key3 TAgentKey... --dry-run

Pattern 4: Multi-Sig Transaction Flow

# Signer 1: Propose a transfer
node scripts/propose.js transfer TRecipient... 10000 --memo "Q1 budget"

# Signer 2: Review and approve
node scripts/approve.js prop_1709312400_a3f2

# Any signer: Execute when threshold is met
node scripts/execute.js prop_1709312400_a3f2

# Check all pending proposals
node scripts/pending.js

Pattern 5: Hybrid Signature (Human + Agent)

The review.js script is a single CLI tool for humans to list, inspect, co-sign, and execute agent-created proposals. It uses TRON_HUMAN_PRIVATE_KEY (not TRON_PRIVATE_KEY) to avoid mixing up human and agent keys.

# Agent (Key B) proposes a transfer (uses TRON_PRIVATE_KEY):
node scripts/propose.js transfer TRecipient... 500 --memo "Q1 vendor payment"
# → Outputs proposal ID: prop_1710345600_b7e4

# Human (Key A) reviews all pending proposals (no key needed):
node scripts/review.js

# Human inspects a specific proposal (read-only, no key needed):
node scripts/review.js prop_1710345600_b7e4

# Human co-signs after verifying details (uses TRON_HUMAN_PRIVATE_KEY):
export TRON_HUMAN_PRIVATE_KEY="<human-key>"
node scripts/review.js prop_1710345600_b7e4 --sign

# Human co-signs AND broadcasts in one step:
node scripts/review.js prop_1710345600_b7e4 --sign --execute

Pattern 6: Scope Active Permission Operations

# Restrict active permission to only TRX transfers and smart contract calls
node scripts/update.js scope-active --id 2 \
  --operations TransferContract,TriggerSmartContract --dry-run

Permission Templates

Templates use --keyN flags to assign addresses to named roles. Keys are numbered positionally across owner and active roles (deduplicated, owner first). You can also use --role_name directly (e.g. --agent_key TAddr...).

Template	Config	Key mapping	Description
`basic-2of3`	2-of-3 owner, 1-of-1 active (all ops)	`--key1`=KEY_1, `--key2`=KEY_2, `--key3`=KEY_3	Standard multi-sig
`agent-restricted`	2-of-2 owner, 1-of-1 active (TriggerSmartContract only)	`--key1`=HUMAN_KEY, `--key2`=BACKUP_KEY, =AGENT_KEY

Transaction Types (Operations)

Used with scope-active --operations:

Operation	Description
`TransferContract`	Transfer TRX
`TransferAssetContract`	Transfer TRC10 tokens
`TriggerSmartContract`	Call any smart contract (DeFi, tokens, etc.)
`FreezeBalanceV2Contract`	Stake TRX for energy/bandwidth
`UnfreezeBalanceV2Contract`	Unstake TRX
`DelegateResourceContract`

See resources/permission_config.json for the full list.

Security Rules

[!WARNING] Lockout prevention : The update.js script refuses to execute if the new threshold exceeds the total key weight. However, you MUST verify you actually control the keys — the script cannot check this.

Always dry-run first : Every write operation supports --dry-run.
Owner changes are irreversible : Only the owner key set can modify permissions. If you lock yourself out, the account is permanently lost.
Verify key control : Before changing owner permissions, confirm you have access to enough keys to meet the new threshold.
Scope active permissions : Don't give agents all-operations access. Use scope-active to limit to TriggerSmartContract.
Proposals expire : Default expiry is 24 hours. Expired proposals cannot be executed.

Multi-Sig Proposal Storage

Proposals are stored locally at ~/.clawdbot/multisig/pending/ as JSON files. After execution, they are archived to ~/.clawdbot/multisig/executed/.

For multi-party setups, share the proposal ID with co-signers who have access to the same file system, or copy the proposal JSON file to them.

Common Issues

"LOCKOUT DANGER: threshold exceeds total key weight"

The script prevented a dangerous permission change. Reduce the threshold or add more keys.

"Account not found or not activated"

The address has no on-chain account. Send at least 0.1 TRX to activate it.

"Proposal has expired"

The proposal's 24-hour window has passed. Create a new proposal with propose.js.

"Threshold not met"

The proposal needs more signatures. Check pending.js to see remaining weight needed.

Environment Variables

Variable	Required	Description
`TRON_PRIVATE_KEY`	Yes (agent scripts)	Agent's private key for signing (used by `propose.js`, `approve.js`, etc.)
`TRON_HUMAN_PRIVATE_KEY`	Yes (`review.js --sign`)	Human's private key for `review.js`. Must be set separately — does not fall back to `TRON_PRIVATE_KEY`.

Version 1.0.0 — Created byM2M Agent Registry for Bank of AI

Weekly Installs

–

Repository

bofai/skills

GitHub Stars

First Seen

–

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

28,800 周安装