.forgejo/workflows/build.yml

@@ -1,10 +1,6 @@
 name: Build
 
-on:
+on: [pull_request]
-  pull_request:
-  push:
-    branches:
-      - master
 
 jobs:
   build:

.forgejo/workflows/oci-image.yml

@@ -1,28 +0,0 @@
-name: OCI image
-
-on:
-  push:
-  workflow_dispatch:
-
-jobs:
-  image:
-    name: Build container images
-    runs-on: docker
-    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
-    steps:
-      - name: Clone git repo
-        uses: actions/checkout@v3
-
-      - name: Build OCI image
-        run: make images
-
-      - name: Push image to OCI registry
-        run: |
-          echo "$REGISTRY_PASSWORD" \
-            | docker login --username truecloudlab --password-stdin git.frostfs.info
-          make push-images
-        if: >-
-          startsWith(github.ref, 'refs/tags/v') &&
-          (github.event_name == 'workflow_dispatch' || github.event_name == 'push')
-        env:
-          REGISTRY_PASSWORD: ${{secrets.FORGEJO_OCI_REGISTRY_PUSH_TOKEN}}

.forgejo/workflows/pre-commit.yml

@@ -1,10 +1,5 @@
 name: Pre-commit hooks
-
+on: [pull_request]
-on:
-  pull_request:
-  push:
-    branches:
-      - master
 
 jobs:
   precommit:

.forgejo/workflows/tests.yml

@@ -1,10 +1,5 @@
 name: Tests and linters
-
+on: [pull_request]
-on:
-  pull_request:
-  push:
-    branches:
-      - master
 
 jobs:
   lint:

.forgejo/workflows/vulncheck.yml

@@ -1,10 +1,5 @@
 name: Vulncheck
-
+on: [pull_request]
-on:
-  pull_request:
-  push:
-    branches:
-      - master
 
 jobs:
   vulncheck:
@@ -18,7 +13,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.23.5'
+          go-version: '1.23'
 
       - name: Install govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

.golangci.yml

@@ -89,7 +89,5 @@ linters:
     - protogetter
     - intrange
     - tenv
-    - unconvert
-    - unparam
   disable-all: true
   fast: false

CHANGELOG.md

@@ -9,30 +9,6 @@ Changelog for FrostFS Node
 ### Removed
 ### Updated
 
-## [v0.44.0] - 2024-25-11 - Rongbuk
-
-### Added
-- Allow to prioritize nodes during GET traversal via attributes (#1439)
-- Add metrics for the frostfsid cache (#1464)
-- Customize constant attributes attached to every tracing span (#1488)
-- Manage additional keys in the `frostfsid` contract (#1505)
-- Describe `--rule` flag in detail for `frostfs-cli ape-manager` subcommands (#1519)
-
-### Changed
-- Support richer interaction with the console in `frostfs-cli container policy-playground` (#1396)
-- Print address in base58 format in `frostfs-adm morph policy set-admin` (#1515)
-
-### Fixed
-- Fix EC object search (#1408)
-- Fix EC object put when one of the nodes is unavailable (#1427)
-
-### Removed
-- Drop most of the eACL-related code (#1425)
-- Remove `--basic-acl` flag from `frostfs-cli container create` (#1483)
-
-### Upgrading from v0.43.0
-The metabase schema has changed completely, resync is required.
-
 ## [v0.42.0]
 
 ### Added

CODEOWNERS

@@ -1,3 +0,0 @@
-.*          @TrueCloudLab/storage-core-committers @TrueCloudLab/storage-core-developers
-.forgejo/.* @potyarkin
-Makefile    @potyarkin

Makefile

@@ -8,8 +8,8 @@ HUB_IMAGE ?= git.frostfs.info/truecloudlab/frostfs
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"
 
 GO_VERSION ?= 1.22
-LINT_VERSION ?= 1.62.2
+LINT_VERSION ?= 1.61.0
-TRUECLOUDLAB_LINT_VERSION ?= 0.0.8
+TRUECLOUDLAB_LINT_VERSION ?= 0.0.7
 PROTOC_VERSION ?= 25.0
 PROTOGEN_FROSTFS_VERSION ?= $(shell go list -f '{{.Version}}' -m git.frostfs.info/TrueCloudLab/frostfs-sdk-go)
 PROTOC_OS_VERSION=osx-x86_64
@@ -139,15 +139,6 @@ images: image-storage image-ir image-cli image-adm
 # Build dirty local Docker images
 dirty-images: image-dirty-storage image-dirty-ir image-dirty-cli image-dirty-adm
 
-# Push FrostFS components' docker image to the registry
-push-image-%:
-	@echo "⇒ Publish FrostFS $* docker image "
-	@docker push $(HUB_IMAGE)-$*:$(HUB_TAG)
-
-# Push all Docker images to the registry
-.PHONY: push-images
-push-images: push-image-storage push-image-ir push-image-cli push-image-adm
-
 # Run `make %` in Golang container
 docker/%:
 	docker run --rm -t \
@@ -279,12 +270,10 @@ env-up: all
 		echo "Frostfs contracts not found"; exit 1; \
 	fi
 	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph init --contracts ${FROSTFS_CONTRACTS_PATH}
-	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --gas 10.0 \
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet01.json --gas 10.0
-		--storage-wallet ./dev/storage/wallet01.json \
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet02.json --gas 10.0
-		--storage-wallet ./dev/storage/wallet02.json \
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet03.json --gas 10.0
-		--storage-wallet ./dev/storage/wallet03.json \
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet04.json --gas 10.0
-		--storage-wallet ./dev/storage/wallet04.json
-
 	@if [ ! -f "$(LOCODE_DB_PATH)" ]; then \
 		make locode-download; \
 	fi
@@ -293,6 +282,7 @@ env-up: all
 
 # Shutdown dev environment
 env-down:
-	docker compose -f dev/docker-compose.yml down -v
+	docker compose -f dev/docker-compose.yml down
+	docker volume rm -f frostfs-node_neo-go
 	rm -rf ./$(TMP_DIR)/state
 	rm -rf ./$(TMP_DIR)/storage

README.md

@@ -98,7 +98,7 @@ See `frostfs-contract`'s README.md for build instructions.
 4. To create container and put object into it run (container and object IDs will be different):
 
 ```
-./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet ./dev/wallet.json --policy "REP 1 IN X CBF 1 SELECT 1 FROM * AS X" --await
+./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet ./dev/wallet.json --policy "REP 1 IN X CBF 1 SELECT 1 FROM * AS X" --basic-acl public-read-write --await
 Enter password >  <- press ENTER, the is no password for wallet
 CID: CfPhEuHQ2PRvM4gfBQDC4dWZY3NccovyfcnEdiq2ixju
 

VERSION

@@ -1 +1 @@
-v0.44.0
+v0.42.0

cmd/frostfs-adm/internal/commonflags/flags.go

@@ -20,7 +20,6 @@ const (
 	AlphabetWalletsFlagDesc = "Path to alphabet wallets dir"
 
 	LocalDumpFlag                   = "local-dump"
-	ProtoConfigPath                 = "protocol"
 	ContractsInitFlag               = "contracts"
 	ContractsInitFlagDesc           = "Path to archive with compiled FrostFS contracts (the default is to fetch the latest release from the official repository)"
 	ContractsURLFlag                = "contracts-url"

cmd/frostfs-adm/internal/modules/metabase/upgrade.go

@@ -28,7 +28,6 @@ const (
 var (
 	errNoPathsFound          = errors.New("no metabase paths found")
 	errNoMorphEndpointsFound = errors.New("no morph endpoints found")
-	errUpgradeFailed         = errors.New("upgrade failed")
 )
 
 var UpgradeCmd = &cobra.Command{
@@ -92,19 +91,14 @@ func upgrade(cmd *cobra.Command, _ []string) error {
 	if err := eg.Wait(); err != nil {
 		return err
 	}
-	allSuccess := true
 	for mb, ok := range result {
 		if ok {
 			cmd.Println(mb, ": success")
 		} else {
 			cmd.Println(mb, ": failed")
-			allSuccess = false
 		}
 	}
-	if allSuccess {
 	return nil
-	}
-	return errUpgradeFailed
 }
 
 func getMetabasePaths(appCfg *config.Config) ([]string, error) {
@@ -141,7 +135,7 @@ func createContainerInfoProvider(cli *client.Client) (container.InfoProvider, er
 	if err != nil {
 		return nil, fmt.Errorf("resolve container contract hash: %w", err)
 	}
-	cc, err := morphcontainer.NewFromMorph(cli, sh, 0)
+	cc, err := morphcontainer.NewFromMorph(cli, sh, 0, morphcontainer.TryNotary())
 	if err != nil {
 		return nil, fmt.Errorf("create morph container client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/ape/ape.go

@@ -5,19 +5,35 @@ import (
 	"encoding/json"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
 const (
+	namespaceTarget   = "namespace"
+	containerTarget   = "container"
+	userTarget        = "user"
+	groupTarget       = "group"
 	jsonFlag          = "json"
 	jsonFlagDesc      = "Output rule chains in JSON format"
+	chainIDFlag       = "chain-id"
+	chainIDDesc       = "Rule chain ID"
+	ruleFlag          = "rule"
+	ruleFlagDesc      = "Rule chain in text format"
+	pathFlag          = "path"
+	pathFlagDesc      = "path to encoded chain in JSON or binary format"
+	targetNameFlag    = "target-name"
+	targetNameDesc    = "Resource name in APE resource name format"
+	targetTypeFlag    = "target-type"
+	targetTypeDesc    = "Resource type(container/namespace)"
 	addrAdminFlag     = "addr"
 	addrAdminDesc     = "The address of the admins wallet"
+	chainNameFlag     = "chain-name"
+	chainNameFlagDesc = "Chain name(ingress|s3)"
 )
 
 var (
@@ -85,17 +101,17 @@ func initAddRuleChainCmd() {
 	addRuleChainCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	addRuleChainCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 
-	addRuleChainCmd.Flags().String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	addRuleChainCmd.Flags().String(targetTypeFlag, "", targetTypeDesc)
-	_ = addRuleChainCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = addRuleChainCmd.MarkFlagRequired(targetTypeFlag)
-	addRuleChainCmd.Flags().String(apeCmd.TargetNameFlag, "", apeCmd.TargetTypeFlagDesc)
+	addRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
-	_ = addRuleChainCmd.MarkFlagRequired(apeCmd.TargetNameFlag)
+	_ = addRuleChainCmd.MarkFlagRequired(targetNameFlag)
 
-	addRuleChainCmd.Flags().String(apeCmd.ChainIDFlag, "", apeCmd.ChainIDFlagDesc)
+	addRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
-	_ = addRuleChainCmd.MarkFlagRequired(apeCmd.ChainIDFlag)
+	_ = addRuleChainCmd.MarkFlagRequired(chainIDFlag)
-	addRuleChainCmd.Flags().StringArray(apeCmd.RuleFlag, []string{}, apeCmd.RuleFlagDesc)
+	addRuleChainCmd.Flags().StringArray(ruleFlag, []string{}, ruleFlagDesc)
-	addRuleChainCmd.Flags().String(apeCmd.PathFlag, "", apeCmd.PathFlagDesc)
+	addRuleChainCmd.Flags().String(pathFlag, "", pathFlagDesc)
-	addRuleChainCmd.Flags().String(apeCmd.ChainNameFlag, apeCmd.Ingress, apeCmd.ChainNameFlagDesc)
+	addRuleChainCmd.Flags().String(chainNameFlag, ingress, chainNameFlagDesc)
-	addRuleChainCmd.MarkFlagsMutuallyExclusive(apeCmd.RuleFlag, apeCmd.PathFlag)
+	addRuleChainCmd.MarkFlagsMutuallyExclusive(ruleFlag, pathFlag)
 }
 
 func initRemoveRuleChainCmd() {
@@ -104,25 +120,26 @@ func initRemoveRuleChainCmd() {
 	removeRuleChainCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	removeRuleChainCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 
-	removeRuleChainCmd.Flags().String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	removeRuleChainCmd.Flags().String(targetTypeFlag, "", targetTypeDesc)
-	_ = removeRuleChainCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = removeRuleChainCmd.MarkFlagRequired(targetTypeFlag)
-	removeRuleChainCmd.Flags().String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	removeRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
-	_ = removeRuleChainCmd.MarkFlagRequired(apeCmd.TargetNameFlag)
+	_ = removeRuleChainCmd.MarkFlagRequired(targetNameFlag)
-	removeRuleChainCmd.Flags().String(apeCmd.ChainIDFlag, "", apeCmd.ChainIDFlagDesc)
+	removeRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
-	removeRuleChainCmd.Flags().String(apeCmd.ChainNameFlag, apeCmd.Ingress, apeCmd.ChainNameFlagDesc)
+	removeRuleChainCmd.Flags().String(chainNameFlag, ingress, chainNameFlagDesc)
 	removeRuleChainCmd.Flags().Bool(commonflags.AllFlag, false, "Remove all chains for target")
-	removeRuleChainCmd.MarkFlagsMutuallyExclusive(commonflags.AllFlag, apeCmd.ChainIDFlag)
+	removeRuleChainCmd.MarkFlagsMutuallyExclusive(commonflags.AllFlag, chainIDFlag)
 }
 
 func initListRuleChainsCmd() {
 	Cmd.AddCommand(listRuleChainsCmd)
 
 	listRuleChainsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	listRuleChainsCmd.Flags().StringP(apeCmd.TargetTypeFlag, "t", "", apeCmd.TargetTypeFlagDesc)
+	listRuleChainsCmd.Flags().StringP(targetTypeFlag, "t", "", targetTypeDesc)
-	_ = listRuleChainsCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = listRuleChainsCmd.MarkFlagRequired(targetTypeFlag)
-	listRuleChainsCmd.Flags().String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	listRuleChainsCmd.Flags().String(targetNameFlag, "", targetNameDesc)
+	_ = listRuleChainsCmd.MarkFlagRequired(targetNameFlag)
 	listRuleChainsCmd.Flags().Bool(jsonFlag, false, jsonFlagDesc)
-	listRuleChainsCmd.Flags().String(apeCmd.ChainNameFlag, apeCmd.Ingress, apeCmd.ChainNameFlagDesc)
+	listRuleChainsCmd.Flags().String(chainNameFlag, ingress, chainNameFlagDesc)
 }
 
 func initSetAdminCmd() {
@@ -144,15 +161,15 @@ func initListTargetsCmd() {
 	Cmd.AddCommand(listTargetsCmd)
 
 	listTargetsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	listTargetsCmd.Flags().StringP(apeCmd.TargetTypeFlag, "t", "", apeCmd.TargetTypeFlagDesc)
+	listTargetsCmd.Flags().StringP(targetTypeFlag, "t", "", targetTypeDesc)
-	_ = listTargetsCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = listTargetsCmd.MarkFlagRequired(targetTypeFlag)
 }
 
 func addRuleChain(cmd *cobra.Command, _ []string) {
-	chain := apeCmd.ParseChain(cmd)
+	chain := parseChain(cmd)
 	target := parseTarget(cmd)
 	pci, ac := newPolicyContractInterface(cmd)
-	h, vub, err := pci.AddMorphRuleChain(apeCmd.ParseChainName(cmd), target, chain)
+	h, vub, err := pci.AddMorphRuleChain(parseChainName(cmd), target, chain)
 	cmd.Println("Waiting for transaction to persist...")
 	_, err = ac.Wait(h, vub, err)
 	commonCmd.ExitOnErr(cmd, "add rule chain error: %w", err)
@@ -164,14 +181,14 @@ func removeRuleChain(cmd *cobra.Command, _ []string) {
 	pci, ac := newPolicyContractInterface(cmd)
 	removeAll, _ := cmd.Flags().GetBool(commonflags.AllFlag)
 	if removeAll {
-		h, vub, err := pci.RemoveMorphRuleChainsByTarget(apeCmd.ParseChainName(cmd), target)
+		h, vub, err := pci.RemoveMorphRuleChainsByTarget(parseChainName(cmd), target)
 		cmd.Println("Waiting for transaction to persist...")
 		_, err = ac.Wait(h, vub, err)
 		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
 		cmd.Println("All chains for target removed successfully")
 	} else {
-		chainID := apeCmd.ParseChainID(cmd)
+		chainID := parseChainID(cmd)
-		h, vub, err := pci.RemoveMorphRuleChain(apeCmd.ParseChainName(cmd), target, chainID)
+		h, vub, err := pci.RemoveMorphRuleChain(parseChainName(cmd), target, chainID)
 		cmd.Println("Waiting for transaction to persist...")
 		_, err = ac.Wait(h, vub, err)
 		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
@@ -182,7 +199,7 @@ func removeRuleChain(cmd *cobra.Command, _ []string) {
 func listRuleChains(cmd *cobra.Command, _ []string) {
 	target := parseTarget(cmd)
 	pci, _ := newPolicyContractReaderInterface(cmd)
-	chains, err := pci.ListMorphRuleChains(apeCmd.ParseChainName(cmd), target)
+	chains, err := pci.ListMorphRuleChains(parseChainName(cmd), target)
 	commonCmd.ExitOnErr(cmd, "list rule chains error: %w", err)
 	if len(chains) == 0 {
 		return
@@ -193,14 +210,14 @@ func listRuleChains(cmd *cobra.Command, _ []string) {
 		prettyJSONFormat(cmd, chains)
 	} else {
 		for _, c := range chains {
-			apeCmd.PrintHumanReadableAPEChain(cmd, c)
+			parseutil.PrintHumanReadableAPEChain(cmd, c)
 		}
 	}
 }
 
 func setAdmin(cmd *cobra.Command, _ []string) {
 	s, _ := cmd.Flags().GetString(addrAdminFlag)
-	addr, err := address.StringToUint160(s)
+	addr, err := util.Uint160DecodeStringLE(s)
 	commonCmd.ExitOnErr(cmd, "can't decode admin addr: %w", err)
 	pci, ac := newPolicyContractInterface(cmd)
 	h, vub, err := pci.SetAdmin(addr)
@@ -214,11 +231,12 @@ func getAdmin(cmd *cobra.Command, _ []string) {
 	pci, _ := newPolicyContractReaderInterface(cmd)
 	addr, err := pci.GetAdmin()
 	commonCmd.ExitOnErr(cmd, "unable to get admin: %w", err)
-	cmd.Println(address.Uint160ToString(addr))
+	cmd.Println(addr.StringLE())
 }
 
 func listTargets(cmd *cobra.Command, _ []string) {
-	typ := apeCmd.ParseTargetType(cmd)
+	typ, err := parseTargetType(cmd)
+	commonCmd.ExitOnErr(cmd, "parse target type error: %w", err)
 	pci, inv := newPolicyContractReaderInterface(cmd)
 
 	sid, it, err := pci.ListTargetsIterator(typ)

cmd/frostfs-adm/internal/modules/morph/ape/ape_util.go

@@ -2,12 +2,13 @@ package ape
 
 import (
 	"errors"
+	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	morph "git.frostfs.info/TrueCloudLab/policy-engine/pkg/morph/policy"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
@@ -17,29 +18,90 @@ import (
 	"github.com/spf13/viper"
 )
 
-var errUnknownTargetType = errors.New("unknown target type")
+const (
+	ingress = "ingress"
+	s3      = "s3"
+)
+
+var mChainName = map[string]apechain.Name{
+	ingress: apechain.Ingress,
+	s3:      apechain.S3,
+}
+
+var (
+	errUnknownTargetType    = errors.New("unknown target type")
+	errChainIDCannotBeEmpty = errors.New("chain id cannot be empty")
+	errRuleIsNotParsed      = errors.New("rule is not passed")
+	errUnsupportedChainName = errors.New("unsupported chain name")
+)
 
 func parseTarget(cmd *cobra.Command) policyengine.Target {
-	typ := apeCmd.ParseTargetType(cmd)
+	name, _ := cmd.Flags().GetString(targetNameFlag)
-	name, _ := cmd.Flags().GetString(apeCmd.TargetNameFlag)
+	typ, err := parseTargetType(cmd)
-	switch typ {
+
-	case policyengine.Namespace:
+	// interpret "root" namespace as empty
-		if name == "root" {
+	if typ == policyengine.Namespace && name == "root" {
 		name = ""
 	}
-		return policyengine.NamespaceTarget(name)
+
-	case policyengine.Container:
+	commonCmd.ExitOnErr(cmd, "read target type error: %w", err)
-		var cnr cid.ID
+
-		commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(name))
+	return policyengine.Target{
-		return policyengine.ContainerTarget(name)
+		Name: name,
-	case policyengine.User:
+		Type: typ,
-		return policyengine.UserTarget(name)
-	case policyengine.Group:
-		return policyengine.GroupTarget(name)
-	default:
-		commonCmd.ExitOnErr(cmd, "read target type error: %w", errUnknownTargetType)
 	}
-	panic("unreachable")
+}
+
+func parseTargetType(cmd *cobra.Command) (policyengine.TargetType, error) {
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
+	switch typ {
+	case namespaceTarget:
+		return policyengine.Namespace, nil
+	case containerTarget:
+		return policyengine.Container, nil
+	case userTarget:
+		return policyengine.User, nil
+	case groupTarget:
+		return policyengine.Group, nil
+	}
+	return -1, errUnknownTargetType
+}
+
+func parseChainID(cmd *cobra.Command) apechain.ID {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w",
+			errChainIDCannotBeEmpty)
+	}
+	return apechain.ID(chainID)
+}
+
+func parseChain(cmd *cobra.Command) *apechain.Chain {
+	chain := new(apechain.Chain)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", parseutil.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", parseutil.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errRuleIsNotParsed)
+	}
+
+	chain.ID = parseChainID(cmd)
+
+	cmd.Println("Parsed chain:")
+	parseutil.PrintHumanReadableAPEChain(cmd, chain)
+
+	return chain
+}
+
+func parseChainName(cmd *cobra.Command) apechain.Name {
+	chainName, _ := cmd.Flags().GetString(chainNameFlag)
+	apeChainName, ok := mChainName[strings.ToLower(chainName)]
+	if !ok {
+		commonCmd.ExitOnErr(cmd, "", errUnsupportedChainName)
+	}
+	return apeChainName
 }
 
 // invokerAdapter adapats invoker.Invoker to ContractStorageInvoker interface.
@@ -53,15 +115,16 @@ func (n *invokerAdapter) GetRPCInvoker() invoker.RPCInvoke {
 }
 
 func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorageReader, *invoker.Invoker) {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	inv := invoker.New(c, nil)
+	var ch util.Uint160
 	r := management.NewReader(inv)
 	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
 
-	ch, err := helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
+	ch, err = helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
 	commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
 
 	invokerAdapter := &invokerAdapter{
@@ -73,7 +136,7 @@ func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorag
 }
 
 func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *helper.LocalActor) {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	ac, err := helper.NewLocalActor(cmd, c, constants.ConsensusAccountName)

cmd/frostfs-adm/internal/modules/morph/balance/balance.go

@@ -51,7 +51,7 @@ func dumpBalances(cmd *cobra.Command, _ []string) error {
 		nmHash          util.Uint160
 	)
 
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return err
 	}

cmd/frostfs-adm/internal/modules/morph/config/config.go

@@ -26,7 +26,7 @@ import (
 const forceConfigSet = "force"
 
 func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/constants/const.go

@@ -4,6 +4,7 @@ import "time"
 
 const (
 	ConsensusAccountName = "consensus"
+	ProtoConfigPath      = "protocol"
 
 	// MaxAlphabetNodes is the maximum number of candidates allowed, which is currently limited by the size
 	// of the invocation script.

cmd/frostfs-adm/internal/modules/morph/container/container.go

@@ -76,7 +76,7 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("invalid filename: %w", err)
 	}
 
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
@@ -157,7 +157,7 @@ func dumpSingleContainer(bw *io.BufBinWriter, ch util.Uint160, inv *invoker.Invo
 }
 
 func listContainers(cmd *cobra.Command, _ []string) error {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/contract/dump_hashes.go

@@ -36,7 +36,7 @@ type contractDumpInfo struct {
 }
 
 func dumpContractHashes(cmd *cobra.Command, _ []string) error {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/frostfsid/additional_keys.go

@@ -1,83 +0,0 @@
-package frostfsid
-
-import (
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
-	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
-)
-
-var (
-	frostfsidAddSubjectKeyCmd = &cobra.Command{
-		Use:   "add-subject-key",
-		Short: "Add a public key to the subject in frostfsid contract",
-		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
-			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
-		},
-		Run: frostfsidAddSubjectKey,
-	}
-	frostfsidRemoveSubjectKeyCmd = &cobra.Command{
-		Use:   "remove-subject-key",
-		Short: "Remove a public key from the subject in frostfsid contract",
-		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
-			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
-		},
-		Run: frostfsidRemoveSubjectKey,
-	}
-)
-
-func initFrostfsIDAddSubjectKeyCmd() {
-	Cmd.AddCommand(frostfsidAddSubjectKeyCmd)
-
-	ff := frostfsidAddSubjectKeyCmd.Flags()
-	ff.StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	ff.String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
-
-	ff.String(subjectAddressFlag, "", "Subject address")
-	_ = frostfsidAddSubjectKeyCmd.MarkFlagRequired(subjectAddressFlag)
-
-	ff.String(subjectKeyFlag, "", "Public key to add")
-	_ = frostfsidAddSubjectKeyCmd.MarkFlagRequired(subjectKeyFlag)
-}
-
-func initFrostfsIDRemoveSubjectKeyCmd() {
-	Cmd.AddCommand(frostfsidRemoveSubjectKeyCmd)
-
-	ff := frostfsidRemoveSubjectKeyCmd.Flags()
-	ff.StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	ff.String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
-
-	ff.String(subjectAddressFlag, "", "Subject address")
-	_ = frostfsidAddSubjectKeyCmd.MarkFlagRequired(subjectAddressFlag)
-
-	ff.String(subjectKeyFlag, "", "Public key to remove")
-	_ = frostfsidAddSubjectKeyCmd.MarkFlagRequired(subjectKeyFlag)
-}
-
-func frostfsidAddSubjectKey(cmd *cobra.Command, _ []string) {
-	addr := getFrostfsIDSubjectAddress(cmd)
-	pub := getFrostfsIDSubjectKey(cmd)
-
-	ffsid, err := newFrostfsIDClient(cmd)
-	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
-
-	ffsid.addCall(ffsid.roCli.AddSubjectKeyCall(addr, pub))
-
-	err = ffsid.sendWait()
-	commonCmd.ExitOnErr(cmd, "add subject key: %w", err)
-}
-
-func frostfsidRemoveSubjectKey(cmd *cobra.Command, _ []string) {
-	addr := getFrostfsIDSubjectAddress(cmd)
-	pub := getFrostfsIDSubjectKey(cmd)
-
-	ffsid, err := newFrostfsIDClient(cmd)
-	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
-
-	ffsid.addCall(ffsid.roCli.RemoveSubjectKeyCall(addr, pub))
-
-	err = ffsid.sendWait()
-	commonCmd.ExitOnErr(cmd, "remove subject key: %w", err)
-}

cmd/frostfs-adm/internal/modules/morph/frostfsid/frostfsid.go

@@ -1,6 +1,7 @@
 package frostfsid
 
 import (
+	"errors"
 	"fmt"
 	"math/big"
 	"sort"
@@ -60,6 +61,7 @@ var (
 		Use:   "list-namespaces",
 		Short: "List all namespaces in frostfsid",
 		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListNamespaces,
@@ -89,6 +91,7 @@ var (
 		Use:   "list-subjects",
 		Short: "List subjects in namespace",
 		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListSubjects,
@@ -118,6 +121,7 @@ var (
 		Use:   "list-groups",
 		Short: "List groups in namespace",
 		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListGroups,
@@ -147,6 +151,7 @@ var (
 		Use:   "list-group-subjects",
 		Short: "List subjects in group",
 		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListGroupSubjects,
@@ -164,6 +169,7 @@ func initFrostfsIDCreateNamespaceCmd() {
 func initFrostfsIDListNamespacesCmd() {
 	Cmd.AddCommand(frostfsidListNamespacesCmd)
 	frostfsidListNamespacesCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	frostfsidListNamespacesCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDCreateSubjectCmd() {
@@ -187,6 +193,7 @@ func initFrostfsIDListSubjectsCmd() {
 	frostfsidListSubjectsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	frostfsidListSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace to list subjects")
 	frostfsidListSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
+	frostfsidListSubjectsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDCreateGroupCmd() {
@@ -210,6 +217,7 @@ func initFrostfsIDListGroupsCmd() {
 	Cmd.AddCommand(frostfsidListGroupsCmd)
 	frostfsidListGroupsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	frostfsidListGroupsCmd.Flags().String(namespaceFlag, "", "Namespace to list groups")
+	frostfsidListGroupsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDAddSubjectToGroupCmd() {
@@ -234,6 +242,7 @@ func initFrostfsIDListGroupSubjectsCmd() {
 	frostfsidListGroupSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace name")
 	frostfsidListGroupSubjectsCmd.Flags().Int64(groupIDFlag, 0, "Group id")
 	frostfsidListGroupSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
+	frostfsidListGroupSubjectsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func frostfsidCreateNamespace(cmd *cobra.Command, _ []string) {
@@ -253,7 +262,7 @@ func frostfsidListNamespaces(cmd *cobra.Command, _ []string) {
 	reader := frostfsidrpclient.NewReader(inv, hash)
 	sessionID, it, err := reader.ListNamespaces()
 	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
-	items, err := readIterator(inv, &it, sessionID)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
 	commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
 
 	namespaces, err := frostfsidclient.ParseNamespaces(items)
@@ -305,7 +314,7 @@ func frostfsidListSubjects(cmd *cobra.Command, _ []string) {
 	sessionID, it, err := reader.ListNamespaceSubjects(ns)
 	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
 
-	subAddresses, err := frostfsidclient.UnwrapArrayOfUint160(readIterator(inv, &it, sessionID))
+	subAddresses, err := frostfsidclient.UnwrapArrayOfUint160(readIterator(inv, &it, iteratorBatchSize, sessionID))
 	commonCmd.ExitOnErr(cmd, "can't unwrap: %w", err)
 
 	sort.Slice(subAddresses, func(i, j int) bool { return subAddresses[i].Less(subAddresses[j]) })
@@ -319,7 +328,7 @@ func frostfsidListSubjects(cmd *cobra.Command, _ []string) {
 		sessionID, it, err := reader.ListSubjects()
 		commonCmd.ExitOnErr(cmd, "can't get subject: %w", err)
 
-		items, err := readIterator(inv, &it, sessionID)
+		items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
 		commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
 
 		subj, err := frostfsidclient.ParseSubject(items)
@@ -365,7 +374,7 @@ func frostfsidListGroups(cmd *cobra.Command, _ []string) {
 	sessionID, it, err := reader.ListGroups(ns)
 	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
 
-	items, err := readIterator(inv, &it, sessionID)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
 	commonCmd.ExitOnErr(cmd, "can't list groups: %w", err)
 	groups, err := frostfsidclient.ParseGroups(items)
 	commonCmd.ExitOnErr(cmd, "can't parse groups: %w", err)
@@ -415,7 +424,7 @@ func frostfsidListGroupSubjects(cmd *cobra.Command, _ []string) {
 	sessionID, it, err := reader.ListGroupSubjects(ns, big.NewInt(groupID))
 	commonCmd.ExitOnErr(cmd, "can't list groups: %w", err)
 
-	items, err := readIterator(inv, &it, sessionID)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
 	commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
 
 	subjects, err := frostfsidclient.UnwrapArrayOfUint160(items, err)
@@ -488,28 +497,32 @@ func (f *frostfsidClient) sendWaitRes() (*state.AppExecResult, error) {
 	}
 	f.bw.Reset()
 
+	if len(f.wCtx.SentTxs) == 0 {
+		return nil, errors.New("no transactions to wait")
+	}
+
 	f.wCtx.Command.Println("Waiting for transactions to persist...")
 	return f.roCli.Wait(f.wCtx.SentTxs[0].Hash, f.wCtx.SentTxs[0].Vub, nil)
 }
 
-func readIterator(inv *invoker.Invoker, iter *result.Iterator, sessionID uuid.UUID) ([]stackitem.Item, error) {
+func readIterator(inv *invoker.Invoker, iter *result.Iterator, batchSize int, sessionID uuid.UUID) ([]stackitem.Item, error) {
 	var shouldStop bool
 	res := make([]stackitem.Item, 0)
 	for !shouldStop {
-		items, err := inv.TraverseIterator(sessionID, iter, iteratorBatchSize)
+		items, err := inv.TraverseIterator(sessionID, iter, batchSize)
 		if err != nil {
 			return nil, err
 		}
 
 		res = append(res, items...)
-		shouldStop = len(items) < iteratorBatchSize
+		shouldStop = len(items) < batchSize
 	}
 
 	return res, nil
 }
 
 func initInvoker(cmd *cobra.Command) (*invoker.Invoker, *state.Contract, util.Uint160) {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
 
 	inv := invoker.New(c, nil)

cmd/frostfs-adm/internal/modules/morph/frostfsid/frostfsid_util_test.go

@@ -1,12 +1,59 @@
 package frostfsid
 
 import (
+	"encoding/hex"
 	"testing"
 
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/ape"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 )
 
+func TestFrostfsIDConfig(t *testing.T) {
+	pks := make([]*keys.PrivateKey, 4)
+	for i := range pks {
+		pk, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		pks[i] = pk
+	}
+
+	fmts := []string{
+		pks[0].GetScriptHash().StringLE(),
+		address.Uint160ToString(pks[1].GetScriptHash()),
+		hex.EncodeToString(pks[2].PublicKey().UncompressedBytes()),
+		hex.EncodeToString(pks[3].PublicKey().Bytes()),
+	}
+
+	for i := range fmts {
+		v := viper.New()
+		v.Set("frostfsid.admin", fmts[i])
+
+		actual, found, err := helper.GetFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.True(t, found)
+		require.Equal(t, pks[i].GetScriptHash(), actual)
+	}
+
+	t.Run("bad key", func(t *testing.T) {
+		v := viper.New()
+		v.Set("frostfsid.admin", "abc")
+
+		_, found, err := helper.GetFrostfsIDAdmin(v)
+		require.Error(t, err)
+		require.True(t, found)
+	})
+	t.Run("missing key", func(t *testing.T) {
+		v := viper.New()
+
+		_, found, err := helper.GetFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.False(t, found)
+	})
+}
+
 func TestNamespaceRegexp(t *testing.T) {
 	for _, tc := range []struct {
 		name      string

cmd/frostfs-adm/internal/modules/morph/frostfsid/root.go

@@ -12,6 +12,4 @@ func init() {
 	initFrostfsIDAddSubjectToGroupCmd()
 	initFrostfsIDRemoveSubjectFromGroupCmd()
 	initFrostfsIDListGroupSubjectsCmd()
-	initFrostfsIDAddSubjectKeyCmd()
-	initFrostfsIDRemoveSubjectKeyCmd()
 }

cmd/frostfs-adm/internal/modules/morph/generate/generate.go

@@ -12,6 +12,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
@@ -140,11 +141,41 @@ func addMultisigAccount(w *wallet.Wallet, m int, name, password string, pubs key
 }
 
 func generateStorageCreds(cmd *cobra.Command, _ []string) error {
-	walletPath, _ := cmd.Flags().GetString(commonflags.StorageWalletFlag)
+	return refillGas(cmd, storageGasConfigFlag, true)
-	w, err := wallet.NewWallet(walletPath)
+}
+
+func refillGas(cmd *cobra.Command, gasFlag string, createWallet bool) (err error) {
+	// storage wallet path is not part of the config
+	storageWalletPath, _ := cmd.Flags().GetString(commonflags.StorageWalletFlag)
+	// wallet address is not part of the config
+	walletAddress, _ := cmd.Flags().GetString(walletAddressFlag)
+
+	var gasReceiver util.Uint160
+
+	if len(walletAddress) != 0 {
+		gasReceiver, err = address.StringToUint160(walletAddress)
 		if err != nil {
-		return fmt.Errorf("create wallet: %w", err)
+			return fmt.Errorf("invalid wallet address %s: %w", walletAddress, err)
 		}
+	} else {
+		if storageWalletPath == "" {
+			return fmt.Errorf("missing wallet path (use '--%s <out.json>')", commonflags.StorageWalletFlag)
+		}
+
+		var w *wallet.Wallet
+
+		if createWallet {
+			w, err = wallet.NewWallet(storageWalletPath)
+		} else {
+			w, err = wallet.NewWalletFromFile(storageWalletPath)
+		}
+
+		if err != nil {
+			return fmt.Errorf("can't create wallet: %w", err)
+		}
+
+		if createWallet {
+			var password string
 
 			label, _ := cmd.Flags().GetString(storageWalletLabelFlag)
 			password, err := config.GetStoragePassword(viper.GetViper(), label)
@@ -159,10 +190,11 @@ func generateStorageCreds(cmd *cobra.Command, _ []string) error {
 			if err := w.CreateAccount(label, password); err != nil {
 				return fmt.Errorf("can't create account: %w", err)
 			}
-	return refillGas(cmd, storageGasConfigFlag, w.Accounts[0].ScriptHash())
+		}
-}
+
+		gasReceiver = w.Accounts[0].Contract.ScriptHash()
+	}
 
-func refillGas(cmd *cobra.Command, gasFlag string, gasReceivers ...util.Uint160) (err error) {
 	gasStr := viper.GetString(gasFlag)
 
 	gasAmount, err := helper.ParseGASAmount(gasStr)
@@ -176,11 +208,9 @@ func refillGas(cmd *cobra.Command, gasFlag string, gasReceivers ...util.Uint160)
 	}
 
 	bw := io.NewBufBinWriter()
-	for _, gasReceiver := range gasReceivers {
 	emit.AppCall(bw.BinWriter, gas.Hash, "transfer", callflag.All,
 		wCtx.CommitteeAcc.Contract.ScriptHash(), gasReceiver, int64(gasAmount), nil)
 	emit.Opcodes(bw.BinWriter, opcode.ASSERT)
-	}
 	if bw.Err != nil {
 		return fmt.Errorf("BUG: invalid transfer arguments: %w", bw.Err)
 	}

cmd/frostfs-adm/internal/modules/morph/generate/root.go

@@ -1,12 +1,7 @@
 package generate
 
 import (
-	"fmt"
-
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
-	"github.com/nspcc-dev/neo-go/pkg/util"
-	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -38,27 +33,7 @@ var (
 			_ = viper.BindPFlag(commonflags.RefillGasAmountFlag, cmd.Flags().Lookup(commonflags.RefillGasAmountFlag))
 		},
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			storageWalletPaths, _ := cmd.Flags().GetStringArray(commonflags.StorageWalletFlag)
+			return refillGas(cmd, commonflags.RefillGasAmountFlag, false)
-			walletAddresses, _ := cmd.Flags().GetStringArray(walletAddressFlag)
-
-			var gasReceivers []util.Uint160
-			for _, walletAddress := range walletAddresses {
-				addr, err := address.StringToUint160(walletAddress)
-				if err != nil {
-					return fmt.Errorf("invalid wallet address %s: %w", walletAddress, err)
-				}
-
-				gasReceivers = append(gasReceivers, addr)
-			}
-			for _, storageWalletPath := range storageWalletPaths {
-				w, err := wallet.NewWalletFromFile(storageWalletPath)
-				if err != nil {
-					return fmt.Errorf("can't create wallet: %w", err)
-				}
-
-				gasReceivers = append(gasReceivers, w.Accounts[0].Contract.ScriptHash())
-			}
-			return refillGas(cmd, commonflags.RefillGasAmountFlag, gasReceivers...)
 		},
 	}
 	GenerateAlphabetCmd = &cobra.Command{
@@ -75,10 +50,10 @@ var (
 func initRefillGasCmd() {
 	RefillGasCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	RefillGasCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	RefillGasCmd.Flags().StringArray(commonflags.StorageWalletFlag, nil, "Path to storage node wallet")
+	RefillGasCmd.Flags().String(commonflags.StorageWalletFlag, "", "Path to storage node wallet")
-	RefillGasCmd.Flags().StringArray(walletAddressFlag, nil, "Address of wallet")
+	RefillGasCmd.Flags().String(walletAddressFlag, "", "Address of wallet")
 	RefillGasCmd.Flags().String(commonflags.RefillGasAmountFlag, "", "Additional amount of GAS to transfer")
-	RefillGasCmd.MarkFlagsOneRequired(walletAddressFlag, commonflags.StorageWalletFlag)
+	RefillGasCmd.MarkFlagsMutuallyExclusive(walletAddressFlag, commonflags.StorageWalletFlag)
 }
 
 func initGenerateStorageCmd() {

cmd/frostfs-adm/internal/modules/morph/helper/actor.go

@@ -38,7 +38,20 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor, accName string) (*Local
 	walletDir := config.ResolveHomePath(viper.GetString(commonflags.AlphabetWalletsFlag))
 	var act *actor.Actor
 	var accounts []*wallet.Account
-
+	if walletDir == "" {
+		account, err := wallet.NewAccount()
+		commonCmd.ExitOnErr(cmd, "unable to create dummy account: %w", err)
+		act, err = actor.New(c, []actor.SignerAccount{{
+			Signer: transaction.Signer{
+				Account: account.Contract.ScriptHash(),
+				Scopes:  transaction.Global,
+			},
+			Account: account,
+		}})
+		if err != nil {
+			return nil, err
+		}
+	} else {
 		wallets, err := GetAlphabetWallets(viper.GetViper(), walletDir)
 		commonCmd.ExitOnErr(cmd, "unable to get alphabet wallets: %w", err)
 
@@ -57,6 +70,7 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor, accName string) (*Local
 		if err != nil {
 			return nil, err
 		}
+	}
 	return &LocalActor{
 		neoActor:   act,
 		accounts:   accounts,

cmd/frostfs-adm/internal/modules/morph/helper/contract.go

@@ -82,7 +82,7 @@ func GetContractDeployData(c *InitializeContext, ctrName string, keysParam []any
 			h, found, err = getFrostfsIDAdminFromContract(c.ReadOnlyInvoker)
 		}
 		if method != constants.UpdateMethodName || err == nil && !found {
-			h, found, err = getFrostfsIDAdmin(viper.GetViper())
+			h, found, err = GetFrostfsIDAdmin(viper.GetViper())
 		}
 		if err != nil {
 			return nil, err

cmd/frostfs-adm/internal/modules/morph/helper/frostfsid.go

@@ -11,7 +11,7 @@ import (
 
 const frostfsIDAdminConfigKey = "frostfsid.admin"
 
-func getFrostfsIDAdmin(v *viper.Viper) (util.Uint160, bool, error) {
+func GetFrostfsIDAdmin(v *viper.Viper) (util.Uint160, bool, error) {
 	admin := v.GetString(frostfsIDAdminConfigKey)
 	if admin == "" {
 		return util.Uint160{}, false, nil

cmd/frostfs-adm/internal/modules/morph/helper/frostfsid_test.go

@@ -1,53 +0,0 @@
-package helper
-
-import (
-	"encoding/hex"
-	"testing"
-
-	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
-	"github.com/spf13/viper"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFrostfsIDConfig(t *testing.T) {
-	pks := make([]*keys.PrivateKey, 4)
-	for i := range pks {
-		pk, err := keys.NewPrivateKey()
-		require.NoError(t, err)
-		pks[i] = pk
-	}
-
-	fmts := []string{
-		pks[0].GetScriptHash().StringLE(),
-		address.Uint160ToString(pks[1].GetScriptHash()),
-		hex.EncodeToString(pks[2].PublicKey().UncompressedBytes()),
-		hex.EncodeToString(pks[3].PublicKey().Bytes()),
-	}
-
-	for i := range fmts {
-		v := viper.New()
-		v.Set("frostfsid.admin", fmts[i])
-
-		actual, found, err := getFrostfsIDAdmin(v)
-		require.NoError(t, err)
-		require.True(t, found)
-		require.Equal(t, pks[i].GetScriptHash(), actual)
-	}
-
-	t.Run("bad key", func(t *testing.T) {
-		v := viper.New()
-		v.Set("frostfsid.admin", "abc")
-
-		_, found, err := getFrostfsIDAdmin(v)
-		require.Error(t, err)
-		require.True(t, found)
-	})
-	t.Run("missing key", func(t *testing.T) {
-		v := viper.New()
-
-		_, found, err := getFrostfsIDAdmin(v)
-		require.NoError(t, err)
-		require.False(t, found)
-	})
-}

cmd/frostfs-adm/internal/modules/morph/helper/initialize_ctx.go

@@ -134,12 +134,12 @@ func NewInitializeContext(cmd *cobra.Command, v *viper.Viper) (*InitializeContex
 		return nil, err
 	}
 
-	accounts, err := getSingleAccounts(wallets)
+	accounts, err := createWalletAccounts(wallets)
 	if err != nil {
 		return nil, err
 	}
 
-	cliCtx, err := defaultClientContext(c, committeeAcc)
+	cliCtx, err := DefaultClientContext(c, committeeAcc)
 	if err != nil {
 		return nil, fmt.Errorf("client context: %w", err)
 	}
@@ -191,7 +191,7 @@ func createClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet)
 		}
 		c, err = NewLocalClient(cmd, v, wallets, ldf.Value.String())
 	} else {
-		c, err = NewRemoteClient(v)
+		c, err = GetN3Client(v)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("can't create N3 client: %w", err)
@@ -211,7 +211,7 @@ func getContractsPath(cmd *cobra.Command, needContracts bool) (string, error) {
 	return ctrPath, nil
 }
 
-func getSingleAccounts(wallets []*wallet.Wallet) ([]*wallet.Account, error) {
+func createWalletAccounts(wallets []*wallet.Wallet) ([]*wallet.Account, error) {
 	accounts := make([]*wallet.Account, len(wallets))
 	for i, w := range wallets {
 		acc, err := GetWalletAccount(w, constants.SingleAccountName)

cmd/frostfs-adm/internal/modules/morph/helper/local_client.go

@@ -8,7 +8,6 @@ import (
 	"sort"
 	"time"
 
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/config"
@@ -48,7 +47,7 @@ type LocalClient struct {
 }
 
 func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet, dumpPath string) (*LocalClient, error) {
-	cfg, err := config.LoadFile(v.GetString(commonflags.ProtoConfigPath))
+	cfg, err := config.LoadFile(v.GetString(constants.ProtoConfigPath))
 	if err != nil {
 		return nil, err
 	}
@@ -58,30 +57,35 @@ func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet
 		return nil, err
 	}
 
-	go bc.Run()
+	m := smartcontract.GetDefaultHonestNodeCount(int(cfg.ProtocolConfiguration.ValidatorsCount))
-
+	accounts := make([]*wallet.Account, len(wallets))
-	accounts, err := getBlockSigningAccounts(cfg.ProtocolConfiguration, wallets)
+	for i := range accounts {
+		accounts[i], err = GetWalletAccount(wallets[i], constants.ConsensusAccountName)
 		if err != nil {
 			return nil, err
 		}
+	}
+
+	indexMap := make(map[string]int)
+	for i, pub := range cfg.ProtocolConfiguration.StandbyCommittee {
+		indexMap[pub] = i
+	}
+
+	sort.Slice(accounts, func(i, j int) bool {
+		pi := accounts[i].PrivateKey().PublicKey().Bytes()
+		pj := accounts[j].PrivateKey().PublicKey().Bytes()
+		return indexMap[string(pi)] < indexMap[string(pj)]
+	})
+	sort.Slice(accounts[:cfg.ProtocolConfiguration.ValidatorsCount], func(i, j int) bool {
+		return accounts[i].PublicKey().Cmp(accounts[j].PublicKey()) == -1
+	})
+
+	go bc.Run()
 
 	if cmd.Name() != "init" {
-		if err := restoreDump(bc, dumpPath); err != nil {
-			return nil, fmt.Errorf("restore dump: %w", err)
-		}
-	}
-
-	return &LocalClient{
-		bc:       bc,
-		dumpPath: dumpPath,
-		accounts: accounts,
-	}, nil
-}
-
-func restoreDump(bc *core.Blockchain, dumpPath string) error {
 		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0o600)
 		if err != nil {
-		return fmt.Errorf("can't open local dump: %w", err)
+			return nil, fmt.Errorf("can't open local dump: %w", err)
 		}
 		defer f.Close()
 
@@ -94,37 +98,15 @@ func restoreDump(bc *core.Blockchain, dumpPath string) error {
 
 		count := r.ReadU32LE() - skip
 		if err := chaindump.Restore(bc, r, skip, count, nil); err != nil {
-		return err
+			return nil, fmt.Errorf("can't restore local dump: %w", err)
 		}
-	return nil
-}
-
-func getBlockSigningAccounts(cfg config.ProtocolConfiguration, wallets []*wallet.Wallet) ([]*wallet.Account, error) {
-	accounts := make([]*wallet.Account, len(wallets))
-	for i := range accounts {
-		acc, err := GetWalletAccount(wallets[i], constants.ConsensusAccountName)
-		if err != nil {
-			return nil, err
-		}
-		accounts[i] = acc
 	}
 
-	indexMap := make(map[string]int)
+	return &LocalClient{
-	for i, pub := range cfg.StandbyCommittee {
+		bc:       bc,
-		indexMap[pub] = i
+		dumpPath: dumpPath,
-	}
+		accounts: accounts[:m],
-
+	}, nil
-	sort.Slice(accounts, func(i, j int) bool {
-		pi := accounts[i].PrivateKey().PublicKey().Bytes()
-		pj := accounts[j].PrivateKey().PublicKey().Bytes()
-		return indexMap[string(pi)] < indexMap[string(pj)]
-	})
-	sort.Slice(accounts[:cfg.ValidatorsCount], func(i, j int) bool {
-		return accounts[i].PublicKey().Cmp(accounts[j].PublicKey()) == -1
-	})
-
-	m := smartcontract.GetDefaultHonestNodeCount(int(cfg.ValidatorsCount))
-	return accounts[:m], nil
 }
 
 func (l *LocalClient) GetBlockCount() (uint32, error) {
@@ -145,6 +127,11 @@ func (l *LocalClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*resul
 	return &a, nil
 }
 
+func (l *LocalClient) GetCommittee() (keys.PublicKeys, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
 // InvokeFunction is implemented via `InvokeScript`.
 func (l *LocalClient) InvokeFunction(h util.Uint160, method string, sPrm []smartcontract.Parameter, ss []transaction.Signer) (*result.Invoke, error) {
 	var err error
@@ -308,7 +295,13 @@ func (l *LocalClient) InvokeScript(script []byte, signers []transaction.Signer)
 }
 
 func (l *LocalClient) SendRawTransaction(tx *transaction.Transaction) (util.Uint256, error) {
-	tx = tx.Copy()
+	// We need to test that transaction was formed correctly to catch as many errors as we can.
+	bs := tx.Bytes()
+	_, err := transaction.NewTransactionFromBytes(bs)
+	if err != nil {
+		return tx.Hash(), fmt.Errorf("invalid transaction: %w", err)
+	}
+
 	l.transactions = append(l.transactions, tx)
 	return tx.Hash(), nil
 }

cmd/frostfs-adm/internal/modules/morph/helper/n3client.go

@@ -10,6 +10,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
@@ -24,10 +25,15 @@ import (
 // Client represents N3 client interface capable of test-invoking scripts
 // and sending signed transactions to chain.
 type Client interface {
-	actor.RPCActor
+	invoker.RPCInvoke
 
+	GetBlockCount() (uint32, error)
 	GetNativeContracts() ([]state.Contract, error)
 	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
+	GetVersion() (*result.Version, error)
+	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
+	GetCommittee() (keys.PublicKeys, error)
+	CalculateNetworkFee(tx *transaction.Transaction) (int64, error)
 }
 
 type HashVUBPair struct {
@@ -42,7 +48,7 @@ type ClientContext struct {
 	SentTxs         []HashVUBPair
 }
 
-func NewRemoteClient(v *viper.Viper) (Client, error) {
+func GetN3Client(v *viper.Viper) (Client, error) {
 	// number of opened connections
 	// by neo-go client per one host
 	const (
@@ -82,14 +88,8 @@ func NewRemoteClient(v *viper.Viper) (Client, error) {
 	return c, nil
 }
 
-func defaultClientContext(c Client, committeeAcc *wallet.Account) (*ClientContext, error) {
+func DefaultClientContext(c Client, committeeAcc *wallet.Account) (*ClientContext, error) {
-	commAct, err := actor.New(c, []actor.SignerAccount{{
+	commAct, err := NewActor(c, committeeAcc)
-		Signer: transaction.Signer{
-			Account: committeeAcc.Contract.ScriptHash(),
-			Scopes:  transaction.Global,
-		},
-		Account: committeeAcc,
-	}})
 	if err != nil {
 		return nil, err
 	}

cmd/frostfs-adm/internal/modules/morph/helper/util.go

@@ -15,8 +15,10 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
@@ -85,6 +87,16 @@ func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, er
 	return wallets, nil
 }
 
+func NewActor(c actor.RPCActor, committeeAcc *wallet.Account) (*actor.Actor, error) {
+	return actor.New(c, []actor.SignerAccount{{
+		Signer: transaction.Signer{
+			Account: committeeAcc.Contract.ScriptHash(),
+			Scopes:  transaction.Global,
+		},
+		Account: committeeAcc,
+	}})
+}
+
 func ReadContract(ctrPath, ctrName string) (*ContractState, error) {
 	rawNef, err := os.ReadFile(filepath.Join(ctrPath, ctrName+"_contract.nef"))
 	if err != nil {

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_test.go

@@ -62,7 +62,7 @@ func testInitialize(t *testing.T, committeeSize int) {
 	v := viper.GetViper()
 
 	require.NoError(t, generateTestData(testdataDir, committeeSize))
-	v.Set(commonflags.ProtoConfigPath, filepath.Join(testdataDir, protoFileName))
+	v.Set(constants.ProtoConfigPath, filepath.Join(testdataDir, protoFileName))
 
 	// Set to the path or remove the next statement to download from the network.
 	require.NoError(t, Cmd.Flags().Set(commonflags.ContractsInitFlag, contractsPath))

cmd/frostfs-adm/internal/modules/morph/initialize/root.go

@@ -2,6 +2,7 @@ package initialize
 
 import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -31,7 +32,7 @@ var Cmd = &cobra.Command{
 		_ = viper.BindPFlag(commonflags.ContainerFeeInitFlag, cmd.Flags().Lookup(containerFeeCLIFlag))
 		_ = viper.BindPFlag(commonflags.ContainerAliasFeeInitFlag, cmd.Flags().Lookup(containerAliasFeeCLIFlag))
 		_ = viper.BindPFlag(commonflags.WithdrawFeeInitFlag, cmd.Flags().Lookup(withdrawFeeCLIFlag))
-		_ = viper.BindPFlag(commonflags.ProtoConfigPath, cmd.Flags().Lookup(commonflags.ProtoConfigPath))
+		_ = viper.BindPFlag(constants.ProtoConfigPath, cmd.Flags().Lookup(constants.ProtoConfigPath))
 	},
 	RunE: initializeSideChainCmd,
 }
@@ -47,7 +48,7 @@ func initInitCmd() {
 	// Defaults are taken from neo-preodolenie.
 	Cmd.Flags().Uint64(containerFeeCLIFlag, 1000, "Container registration fee")
 	Cmd.Flags().Uint64(containerAliasFeeCLIFlag, 500, "Container alias fee")
-	Cmd.Flags().String(commonflags.ProtoConfigPath, "", "Path to the consensus node configuration")
+	Cmd.Flags().String(constants.ProtoConfigPath, "", "Path to the consensus node configuration")
 	Cmd.Flags().String(commonflags.LocalDumpFlag, "", "Path to the blocks dump file")
 	Cmd.MarkFlagsMutuallyExclusive(commonflags.ContractsInitFlag, commonflags.ContractsURLFlag)
 }

cmd/frostfs-adm/internal/modules/morph/netmap/netmap_candidates.go

@@ -13,7 +13,7 @@ import (
 )
 
 func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
 
 	inv := invoker.New(c, nil)

cmd/frostfs-adm/internal/modules/morph/netmap/root.go

@@ -12,6 +12,7 @@ var (
 		Short: "List netmap candidates nodes",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 		},
 		Run: listNetmapCandidatesNodes,
 	}

cmd/frostfs-adm/internal/modules/morph/nns/domains.go

@@ -24,7 +24,7 @@ func initRegisterCmd() {
 }
 
 func registerDomain(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	email, _ := cmd.Flags().GetString(nnsEmailFlag)
@@ -53,7 +53,7 @@ func initDeleteCmd() {
 }
 
 func deleteDomain(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	h, vub, err := c.DeleteDomain(name)

cmd/frostfs-adm/internal/modules/morph/nns/helper.go

@@ -5,15 +5,15 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
-func nnsWriter(cmd *cobra.Command) (*client.Contract, *helper.LocalActor) {
+func getRPCClient(cmd *cobra.Command) (*client.Contract, *helper.LocalActor, util.Uint160) {
 	v := viper.GetViper()
-	c, err := helper.NewRemoteClient(v)
+	c, err := helper.GetN3Client(v)
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	ac, err := helper.NewLocalActor(cmd, c, constants.CommitteeAccountName)
@@ -22,17 +22,5 @@ func nnsWriter(cmd *cobra.Command) (*client.Contract, *helper.LocalActor) {
 	r := management.NewReader(ac.Invoker)
 	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
-	return client.New(ac, nnsCs.Hash), ac
+	return client.New(ac, nnsCs.Hash), ac, nnsCs.Hash
-}
-
-func nnsReader(cmd *cobra.Command) (*client.ContractReader, *invoker.Invoker) {
-	c, err := helper.NewRemoteClient(viper.GetViper())
-	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
-
-	inv := invoker.New(c, nil)
-	r := management.NewReader(inv)
-	nnsCs, err := helper.GetContractByID(r, 1)
-	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
-
-	return client.NewReader(inv, nnsCs.Hash), inv
 }

cmd/frostfs-adm/internal/modules/morph/nns/record.go

@@ -8,6 +8,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 )
@@ -28,6 +29,7 @@ func initAddRecordCmd() {
 func initGetRecordsCmd() {
 	Cmd.AddCommand(getRecordsCmd)
 	getRecordsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	getRecordsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	getRecordsCmd.Flags().String(nnsNameFlag, "", nnsNameFlagDesc)
 	getRecordsCmd.Flags().String(nnsRecordTypeFlag, "", nnsRecordTypeFlagDesc)
 
@@ -59,7 +61,7 @@ func initDelRecordCmd() {
 }
 
 func addRecord(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	data, _ := cmd.Flags().GetString(nnsRecordDataFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
@@ -75,16 +77,16 @@ func addRecord(cmd *cobra.Command, _ []string) {
 }
 
 func getRecords(cmd *cobra.Command, _ []string) {
-	c, inv := nnsReader(cmd)
+	c, act, hash := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
 	if recordType == "" {
-		sid, r, err := c.GetAllRecords(name)
+		sid, r, err := unwrap.SessionIterator(act.Invoker.Call(hash, "getAllRecords", name))
 		commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		defer func() {
-			_ = inv.TerminateSession(sid)
+			_ = act.Invoker.TerminateSession(sid)
 		}()
-		items, err := inv.TraverseIterator(sid, &r, 0)
+		items, err := act.Invoker.TraverseIterator(sid, &r, 0)
 		commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		for len(items) != 0 {
 			for j := range items {
@@ -95,7 +97,7 @@ func getRecords(cmd *cobra.Command, _ []string) {
 					recordTypeToString(nns.RecordType(rs[1].Value().(*big.Int).Int64())),
 					string(bs))
 			}
-			items, err = inv.TraverseIterator(sid, &r, 0)
+			items, err = act.Invoker.TraverseIterator(sid, &r, 0)
 			commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		}
 	} else {
@@ -112,7 +114,7 @@ func getRecords(cmd *cobra.Command, _ []string) {
 }
 
 func delRecords(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
 	typ, err := getRecordType(recordType)
@@ -127,7 +129,7 @@ func delRecords(cmd *cobra.Command, _ []string) {
 }
 
 func delRecord(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	data, _ := cmd.Flags().GetString(nnsRecordDataFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)

cmd/frostfs-adm/internal/modules/morph/nns/renew.go

@@ -14,7 +14,7 @@ func initRenewCmd() {
 }
 
 func renewDomain(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	h, vub, err := c.Renew(name)
 	commonCmd.ExitOnErr(cmd, "unable to renew domain: %w", err)

cmd/frostfs-adm/internal/modules/morph/nns/tokens.go

@@ -18,11 +18,12 @@ const (
 func initTokensCmd() {
 	Cmd.AddCommand(tokensCmd)
 	tokensCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	tokensCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	tokensCmd.Flags().BoolP(commonflags.Verbose, commonflags.VerboseShorthand, false, verboseDesc)
 }
 
 func listTokens(cmd *cobra.Command, _ []string) {
-	c, _ := nnsReader(cmd)
+	c, _, _ := getRPCClient(cmd)
 	it, err := c.Tokens()
 	commonCmd.ExitOnErr(cmd, "unable to get tokens: %w", err)
 	for toks, err := it.Next(10); err == nil && len(toks) > 0; toks, err = it.Next(10) {
@@ -40,7 +41,7 @@ func listTokens(cmd *cobra.Command, _ []string) {
 	}
 }
 
-func getCnameRecord(c *client.ContractReader, token []byte) (string, error) {
+func getCnameRecord(c *client.Contract, token []byte) (string, error) {
 	items, err := c.GetRecords(string(token), big.NewInt(int64(nns.CNAME)))
 
 	// GetRecords returns the error "not an array" if the domain does not contain records.

cmd/frostfs-adm/internal/modules/morph/nns/update.go

@@ -30,7 +30,7 @@ func initUpdateCmd() {
 }
 
 func updateSOA(cmd *cobra.Command, _ []string) {
-	c, actor := nnsWriter(cmd)
+	c, actor, _ := getRPCClient(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	email, _ := cmd.Flags().GetString(nnsEmailFlag)

cmd/frostfs-adm/internal/modules/morph/notary/notary.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
+	"strconv"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
@@ -40,8 +41,7 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 	}
 
 	accHash := w.GetChangeAddress()
-	addr, _ := cmd.Flags().GetString(walletAccountFlag)
+	if addr, err := cmd.Flags().GetString(walletAccountFlag); err == nil {
-	if addr != "" {
 		accHash, err = address.StringToUint160(addr)
 		if err != nil {
 			return fmt.Errorf("invalid address: %s", addr)
@@ -53,7 +53,7 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("can't find account for %s", accHash)
 	}
 
-	prompt := fmt.Sprintf("Enter password for %s > ", address.Uint160ToString(accHash))
+	prompt := fmt.Sprintf("Enter password for %s >", address.Uint160ToString(accHash))
 	pass, err := input.ReadPassword(prompt)
 	if err != nil {
 		return fmt.Errorf("can't get password: %v", err)
@@ -73,16 +73,23 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	till, _ := cmd.Flags().GetInt64(notaryDepositTillFlag)
+	till := int64(defaultNotaryDepositLifetime)
-	if till <= 0 {
+	tillStr, err := cmd.Flags().GetString(notaryDepositTillFlag)
+	if err != nil {
+		return err
+	}
+	if tillStr != "" {
+		till, err = strconv.ParseInt(tillStr, 10, 64)
+		if err != nil || till <= 0 {
 			return errInvalidNotaryDepositLifetime
 		}
+	}
 
 	return transferGas(cmd, acc, accHash, gasAmount, till)
 }
 
 func transferGas(cmd *cobra.Command, acc *wallet.Account, accHash util.Uint160, gasAmount fixedn.Fixed8, till int64) error {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	if err != nil {
 		return err
 	}

cmd/frostfs-adm/internal/modules/morph/notary/root.go

@@ -20,7 +20,7 @@ func initDepositoryNotaryCmd() {
 	DepositCmd.Flags().String(commonflags.StorageWalletFlag, "", "Path to storage node wallet")
 	DepositCmd.Flags().String(walletAccountFlag, "", "Wallet account address")
 	DepositCmd.Flags().String(commonflags.RefillGasAmountFlag, "", "Amount of GAS to deposit")
-	DepositCmd.Flags().Int64(notaryDepositTillFlag, defaultNotaryDepositLifetime, "Notary deposit duration in blocks")
+	DepositCmd.Flags().String(notaryDepositTillFlag, "", "Notary deposit duration in blocks")
 }
 
 func init() {

cmd/frostfs-adm/internal/modules/morph/policy/policy.go

@@ -62,7 +62,7 @@ func SetPolicyCmd(cmd *cobra.Command, args []string) error {
 }
 
 func dumpPolicyCmd(cmd *cobra.Command, _ []string) error {
-	c, err := helper.NewRemoteClient(viper.GetViper())
+	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client:", err)
 
 	inv := invoker.New(c, nil)

cmd/frostfs-adm/internal/modules/morph/proxy/proxy.go

@@ -20,32 +20,23 @@ const (
 	accountAddressFlag = "account"
 )
 
-func parseAddresses(cmd *cobra.Command) []util.Uint160 {
+func addProxyAccount(cmd *cobra.Command, _ []string) {
-	var addrs []util.Uint160
+	acc, _ := cmd.Flags().GetString(accountAddressFlag)
-
-	accs, _ := cmd.Flags().GetStringArray(accountAddressFlag)
-	for _, acc := range accs {
 	addr, err := address.StringToUint160(acc)
 	commonCmd.ExitOnErr(cmd, "invalid account: %w", err)
-
+	err = processAccount(cmd, addr, "addAccount")
-		addrs = append(addrs, addr)
-	}
-	return addrs
-}
-
-func addProxyAccount(cmd *cobra.Command, _ []string) {
-	addrs := parseAddresses(cmd)
-	err := processAccount(cmd, addrs, "addAccount")
 	commonCmd.ExitOnErr(cmd, "processing error: %w", err)
 }
 
 func removeProxyAccount(cmd *cobra.Command, _ []string) {
-	addrs := parseAddresses(cmd)
+	acc, _ := cmd.Flags().GetString(accountAddressFlag)
-	err := processAccount(cmd, addrs, "removeAccount")
+	addr, err := address.StringToUint160(acc)
+	commonCmd.ExitOnErr(cmd, "invalid account: %w", err)
+	err = processAccount(cmd, addr, "removeAccount")
 	commonCmd.ExitOnErr(cmd, "processing error: %w", err)
 }
 
-func processAccount(cmd *cobra.Command, addrs []util.Uint160, method string) error {
+func processAccount(cmd *cobra.Command, addr util.Uint160, method string) error {
 	wCtx, err := helper.NewInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't initialize context: %w", err)
@@ -63,9 +54,7 @@ func processAccount(cmd *cobra.Command, addrs []util.Uint160, method string) err
 	}
 
 	bw := io.NewBufBinWriter()
-	for _, addr := range addrs {
 	emit.AppCall(bw.BinWriter, proxyHash, method, callflag.All, addr)
-	}
 
 	if err := wCtx.SendConsensusTx(bw.Bytes()); err != nil {
 		return err

cmd/frostfs-adm/internal/modules/morph/proxy/root.go

@@ -29,15 +29,13 @@ var (
 
 func initProxyAddAccount() {
 	AddAccountCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	AddAccountCmd.Flags().StringArray(accountAddressFlag, nil, "Wallet address string")
+	AddAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
-	_ = AddAccountCmd.MarkFlagRequired(accountAddressFlag)
 	AddAccountCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initProxyRemoveAccount() {
 	RemoveAccountCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	RemoveAccountCmd.Flags().StringArray(accountAddressFlag, nil, "Wallet address string")
+	RemoveAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
-	_ = AddAccountCmd.MarkFlagRequired(accountAddressFlag)
 	RemoveAccountCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 

cmd/frostfs-adm/internal/modules/storagecfg/root.go

@@ -11,7 +11,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"slices"
 	"strconv"
 	"strings"
 	"text/template"
@@ -106,7 +105,7 @@ func storageConfig(cmd *cobra.Command, args []string) {
 		fatalOnErr(errors.New("can't find account in wallet"))
 	}
 
-	c.Wallet.Password, err = input.ReadPassword(fmt.Sprintf("Enter password for %s > ", c.Wallet.Account))
+	c.Wallet.Password, err = input.ReadPassword(fmt.Sprintf("Account password for %s: ", c.Wallet.Account))
 	fatalOnErr(err)
 
 	err = acc.Decrypt(c.Wallet.Password, keys.NEP2ScryptParams())
@@ -411,7 +410,8 @@ func initClient(rpc []string) *rpcclient.Client {
 	var c *rpcclient.Client
 	var err error
 
-	shuffled := slices.Clone(rpc)
+	shuffled := make([]string, len(rpc))
+	copy(shuffled, rpc)
 	rand.Shuffle(len(shuffled), func(i, j int) { shuffled[i], shuffled[j] = shuffled[j], shuffled[i] })
 
 	for _, endpoint := range shuffled {

cmd/frostfs-cli/docs/sessions.md

@@ -72,3 +72,4 @@ All other `object` sub-commands support only static sessions (2).
 List of commands supporting sessions (static only):
 - `create`
 - `delete`
+- `set-eacl`

cmd/frostfs-cli/internal/client/client.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"os"
 	"slices"
+	"sort"
 	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/accounting"
@@ -77,31 +78,13 @@ func ListContainers(ctx context.Context, prm ListContainersPrm) (res ListContain
 // SortedIDList returns sorted list of identifiers of user's containers.
 func (x ListContainersRes) SortedIDList() []cid.ID {
 	list := x.cliRes.Containers()
-	slices.SortFunc(list, func(lhs, rhs cid.ID) int {
+	sort.Slice(list, func(i, j int) bool {
-		return strings.Compare(lhs.EncodeToString(), rhs.EncodeToString())
+		lhs, rhs := list[i].EncodeToString(), list[j].EncodeToString()
+		return strings.Compare(lhs, rhs) < 0
 	})
 	return list
 }
 
-func ListContainersStream(ctx context.Context, prm ListContainersPrm, processCnr func(id cid.ID) bool) (err error) {
-	cliPrm := &client.PrmContainerListStream{
-		XHeaders: prm.XHeaders,
-		OwnerID:  prm.OwnerID,
-		Session:  prm.Session,
-	}
-	rdr, err := prm.cli.ContainerListInit(ctx, *cliPrm)
-	if err != nil {
-		return fmt.Errorf("init container list: %w", err)
-	}
-
-	err = rdr.Iterate(processCnr)
-	if err != nil {
-		return fmt.Errorf("read container list: %w", err)
-	}
-
-	return
-}
-
 // PutContainerPrm groups parameters of PutContainer operation.
 type PutContainerPrm struct {
 	Client       *client.Client

cmd/frostfs-cli/modules/ape_manager/add_chain.go

@@ -1,19 +1,44 @@
 package apemanager
 
 import (
-	"fmt"
+	"encoding/hex"
+	"errors"
 
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	apeSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
-	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/spf13/cobra"
 )
 
+const (
+	chainIDFlag    = "chain-id"
+	chainIDHexFlag = "chain-id-hex"
+	ruleFlag       = "rule"
+	pathFlag       = "path"
+)
+
+const (
+	targetNameFlag = "target-name"
+	targetNameDesc = "Resource name in APE resource name format"
+	targetTypeFlag = "target-type"
+	targetTypeDesc = "Resource type(container/namespace)"
+)
+
+const (
+	namespaceTarget = "namespace"
+	containerTarget = "container"
+	userTarget      = "user"
+	groupTarget     = "group"
+)
+
+var errUnknownTargetType = errors.New("unknown target type")
+
 var addCmd = &cobra.Command{
 	Use:   "add",
 	Short: "Add rule chain for a target",
@@ -24,28 +49,55 @@ var addCmd = &cobra.Command{
 }
 
 func parseTarget(cmd *cobra.Command) (ct apeSDK.ChainTarget) {
-	t := apeCmd.ParseTarget(cmd)
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
+	name, _ := cmd.Flags().GetString(targetNameFlag)
 
-	ct.Name = t.Name
+	ct.Name = name
 
-	switch t.Type {
+	switch typ {
-	case engine.Namespace:
+	case namespaceTarget:
 		ct.TargetType = apeSDK.TargetTypeNamespace
-	case engine.Container:
+	case containerTarget:
+		var cnr cid.ID
+		commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(name))
 		ct.TargetType = apeSDK.TargetTypeContainer
-	case engine.User:
+	case userTarget:
 		ct.TargetType = apeSDK.TargetTypeUser
-	case engine.Group:
+	case groupTarget:
 		ct.TargetType = apeSDK.TargetTypeGroup
 	default:
-		commonCmd.ExitOnErr(cmd, "conversion error: %w", fmt.Errorf("unknown type '%c'", t.Type))
+		commonCmd.ExitOnErr(cmd, "read target type error: %w", errUnknownTargetType)
 	}
 	return ct
 }
 
 func parseChain(cmd *cobra.Command) apeSDK.Chain {
-	c := apeCmd.ParseChain(cmd)
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
-	serialized := c.Bytes()
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+
+	chainIDRaw := []byte(chainID)
+
+	if hexEncoded {
+		var err error
+		chainIDRaw, err = hex.DecodeString(chainID)
+		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
+	}
+
+	chain := new(apechain.Chain)
+	chain.ID = apechain.ID(chainIDRaw)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errors.New("rule is not passed"))
+	}
+
+	cmd.Println("Parsed chain:")
+	util.PrintHumanReadableAPEChain(cmd, chain)
+
+	serialized := chain.Bytes()
 	return apeSDK.Chain{
 		Raw: serialized,
 	}
@@ -74,13 +126,13 @@ func initAddCmd() {
 	commonflags.Init(addCmd)
 
 	ff := addCmd.Flags()
-	ff.StringArray(apeCmd.RuleFlag, []string{}, apeCmd.RuleFlagDesc)
+	ff.StringArray(ruleFlag, []string{}, "Rule statement")
-	ff.String(apeCmd.PathFlag, "", apeCmd.PathFlagDesc)
+	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
-	ff.String(apeCmd.ChainIDFlag, "", apeCmd.ChainIDFlagDesc)
+	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
-	ff.String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = addCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = addCmd.MarkFlagRequired(targetTypeFlag)
-	ff.Bool(apeCmd.ChainIDHexFlag, false, apeCmd.ChainIDHexFlagDesc)
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
 
-	addCmd.MarkFlagsMutuallyExclusive(apeCmd.PathFlag, apeCmd.RuleFlag)
+	addCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)
 }

cmd/frostfs-cli/modules/ape_manager/list_chain.go

@@ -4,8 +4,8 @@ import (
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	apeutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/spf13/cobra"
@@ -35,7 +35,7 @@ func list(cmd *cobra.Command, _ []string) {
 	for _, respChain := range resp.Chains {
 		var chain apechain.Chain
 		commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(respChain.Raw))
-		apeCmd.PrintHumanReadableAPEChain(cmd, &chain)
+		apeutil.PrintHumanReadableAPEChain(cmd, &chain)
 	}
 }
 
@@ -43,7 +43,7 @@ func initListCmd() {
 	commonflags.Init(listCmd)
 
 	ff := listCmd.Flags()
-	ff.String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = listCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = listCmd.MarkFlagRequired(targetTypeFlag)
 }

cmd/frostfs-cli/modules/ape_manager/remove_chain.go

@@ -1,23 +1,29 @@
 package apemanager
 
 import (
+	"encoding/hex"
+	"errors"
+
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"github.com/spf13/cobra"
 )
 
-var removeCmd = &cobra.Command{
+var (
+	errEmptyChainID = errors.New("chain id cannot be empty")
+
+	removeCmd = &cobra.Command{
 		Use:   "remove",
 		Short: "Remove rule chain for a target",
 		Run:   remove,
 		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
 			commonflags.Bind(cmd)
 		},
-}
+	}
+)
 
 func remove(cmd *cobra.Command, _ []string) {
 	target := parseTarget(cmd)
@@ -25,9 +31,19 @@ func remove(cmd *cobra.Command, _ []string) {
 	key := key.Get(cmd)
 	cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
 
-	chainID := apeCmd.ParseChainID(cmd)
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w", errEmptyChainID)
+	}
 	chainIDRaw := []byte(chainID)
 
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+	if hexEncoded {
+		var err error
+		chainIDRaw, err = hex.DecodeString(chainID)
+		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
+	}
+
 	_, err := cli.APEManagerRemoveChain(cmd.Context(), client_sdk.PrmAPEManagerRemoveChain{
 		ChainTarget: target,
 		ChainID:     chainIDRaw,
@@ -42,10 +58,9 @@ func initRemoveCmd() {
 	commonflags.Init(removeCmd)
 
 	ff := removeCmd.Flags()
-	ff.String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = removeCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = removeCmd.MarkFlagRequired(targetTypeFlag)
-	ff.String(apeCmd.ChainIDFlag, "", apeCmd.ChainIDFlagDesc)
+	ff.String(chainIDFlag, "", "Chain id")
-	_ = removeCmd.MarkFlagRequired(apeCmd.ChainIDFlag)
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
-	ff.Bool(apeCmd.ChainIDHexFlag, false, apeCmd.ChainIDHexFlagDesc)
 }

cmd/frostfs-cli/modules/bearer/generate_override.go

@@ -1,19 +1,30 @@
 package bearer
 
 import (
+	"errors"
 	"fmt"
 	"os"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	apeSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/spf13/cobra"
 )
 
+var (
+	errChainIDCannotBeEmpty = errors.New("chain id cannot be empty")
+	errRuleIsNotParsed      = errors.New("rule is not passed")
+)
+
 const (
+	chainIDFlag    = "chain-id"
+	chainIDHexFlag = "chain-id-hex"
+	ruleFlag       = "rule"
+	pathFlag       = "path"
 	outputFlag     = "output"
 )
 
@@ -29,7 +40,7 @@ Generated APE override can be dumped to a file in JSON format that is passed to
 }
 
 func genereateAPEOverride(cmd *cobra.Command, _ []string) {
-	c := apeCmd.ParseChain(cmd)
+	c := parseChain(cmd)
 
 	targetCID, _ := cmd.Flags().GetString(commonflags.CIDFlag)
 	var cid cidSDK.ID
@@ -52,7 +63,7 @@ func genereateAPEOverride(cmd *cobra.Command, _ []string) {
 
 	outputPath, _ := cmd.Flags().GetString(outputFlag)
 	if outputPath != "" {
-		err := os.WriteFile(outputPath, overrideMarshalled, 0o644)
+		err := os.WriteFile(outputPath, []byte(overrideMarshalled), 0o644)
 		commonCmd.ExitOnErr(cmd, "dump error: %w", err)
 	} else {
 		fmt.Print("\n")
@@ -66,11 +77,39 @@ func init() {
 	ff.StringP(commonflags.CIDFlag, "", "", "Target container ID.")
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), commonflags.CIDFlag)
 
-	ff.StringArray(apeCmd.RuleFlag, []string{}, "Rule statement")
+	ff.StringArray(ruleFlag, []string{}, "Rule statement")
-	ff.String(apeCmd.PathFlag, "", "Path to encoded chain in JSON or binary format")
+	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
-	ff.String(apeCmd.ChainIDFlag, "", "Assign ID to the parsed chain")
+	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
-	ff.Bool(apeCmd.ChainIDHexFlag, false, "Flag to parse chain ID as hex")
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
 
 	ff.String(outputFlag, "", "Output path to dump result JSON-encoded APE override")
 	_ = cobra.MarkFlagFilename(createCmd.Flags(), outputFlag)
 }
+
+func parseChainID(cmd *cobra.Command) apechain.ID {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w",
+			errChainIDCannotBeEmpty)
+	}
+	return apechain.ID(chainID)
+}
+
+func parseChain(cmd *cobra.Command) *apechain.Chain {
+	chain := new(apechain.Chain)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", parseutil.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", parseutil.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errRuleIsNotParsed)
+	}
+
+	chain.ID = parseChainID(cmd)
+
+	cmd.Println("Parsed chain:")
+	parseutil.PrintHumanReadableAPEChain(cmd, chain)
+
+	return chain
+}

cmd/frostfs-cli/modules/container/create.go

@@ -15,12 +15,14 @@ import (
 	containerApi "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
 )
 
 var (
+	containerACL         string
 	containerPolicy      string
 	containerAttributes  []string
 	containerAwait       bool
@@ -87,6 +89,9 @@ It will be stored in sidechain when inner ring will accepts it.`,
 		err = parseAttributes(&cnr, containerAttributes)
 		commonCmd.ExitOnErr(cmd, "", err)
 
+		var basicACL acl.Basic
+		commonCmd.ExitOnErr(cmd, "decode basic ACL string: %w", basicACL.DecodeString(containerACL))
+
 		tok := getSession(cmd)
 
 		if tok != nil {
@@ -100,6 +105,7 @@ It will be stored in sidechain when inner ring will accepts it.`,
 		}
 
 		cnr.SetPlacementPolicy(*placementPolicy)
+		cnr.SetBasicACL(basicACL)
 
 		var syncContainerPrm internalclient.SyncContainerPrm
 		syncContainerPrm.SetClient(cli)
@@ -157,6 +163,10 @@ func initContainerCreateCmd() {
 	flags.DurationP(commonflags.Timeout, commonflags.TimeoutShorthand, commonflags.TimeoutDefault, commonflags.TimeoutUsage)
 	flags.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
 	flags.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
+
+	flags.StringVar(&containerACL, "basic-acl", acl.NamePrivate, fmt.Sprintf("HEX encoded basic ACL value or keywords like '%s', '%s', '%s'",
+		acl.NamePublicRW, acl.NamePrivate, acl.NamePublicROExtended,
+	))
 	flags.StringVarP(&containerPolicy, "policy", "p", "", "QL-encoded or JSON-encoded placement policy or path to file with it")
 	flags.StringSliceVarP(&containerAttributes, "attributes", "a", nil, "Comma separated pairs of container attributes in form of Key1=Value1,Key2=Value2")
 	flags.BoolVar(&containerAwait, "await", false, "Block execution until container is persisted")

cmd/frostfs-cli/modules/container/list.go

@@ -6,11 +6,8 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	containerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
-	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
 // flags of list command.
@@ -54,58 +51,42 @@ var listContainersCmd = &cobra.Command{
 
 		var prm internalclient.ListContainersPrm
 		prm.SetClient(cli)
-		prm.OwnerID = idUser
+		prm.Account = idUser
+
+		res, err := internalclient.ListContainers(cmd.Context(), prm)
+		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
 		prmGet := internalclient.GetContainerPrm{
 			Client: cli,
 		}
-		var containerIDs []cid.ID
-
-		err := internalclient.ListContainersStream(cmd.Context(), prm, func(id cid.ID) bool {
-			printContainer(cmd, prmGet, id)
-			return false
-		})
-		if err == nil {
-			return
-		}
-
-		if e, ok := status.FromError(err); ok && e.Code() == codes.Unimplemented {
-			res, err := internalclient.ListContainers(cmd.Context(), prm)
-			commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
-			containerIDs = res.SortedIDList()
-		} else {
-			commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
-		}
 
+		containerIDs := res.SortedIDList()
 		for _, cnrID := range containerIDs {
-			printContainer(cmd, prmGet, cnrID)
-		}
-	},
-}
-
-func printContainer(cmd *cobra.Command, prmGet internalclient.GetContainerPrm, id cid.ID) {
 			if flagVarListName == "" && !flagVarListPrintAttr {
-		cmd.Println(id.String())
+				cmd.Println(cnrID.String())
-		return
+				continue
 			}
 
-	prmGet.ClientParams.ContainerID = &id
+			prmGet.ClientParams.ContainerID = &cnrID
 			res, err := internalclient.GetContainer(cmd.Context(), prmGet)
 			if err != nil {
 				cmd.Printf("  failed to read attributes: %v\n", err)
-		return
+				continue
 			}
 
 			cnr := res.Container()
 			if cnrName := containerSDK.Name(cnr); flagVarListName != "" && cnrName != flagVarListName {
-		return
+				continue
 			}
-	cmd.Println(id.String())
+			cmd.Println(cnrID.String())
 
 			if flagVarListPrintAttr {
 				cnr.IterateUserAttributes(func(key, val string) {
 					cmd.Printf("  %s: %s\n", key, val)
 				})
 			}
+		}
+	},
 }
 
 func initContainerListContainersCmd() {

cmd/frostfs-cli/modules/container/policy_playground.go

@@ -23,11 +23,11 @@ type policyPlaygroundREPL struct {
 	nodes map[string]netmap.NodeInfo
 }
 
-func newPolicyPlaygroundREPL(cmd *cobra.Command) *policyPlaygroundREPL {
+func newPolicyPlaygroundREPL(cmd *cobra.Command) (*policyPlaygroundREPL, error) {
 	return &policyPlaygroundREPL{
 		cmd:   cmd,
 		nodes: map[string]netmap.NodeInfo{},
-	}
+	}, nil
 }
 
 func (repl *policyPlaygroundREPL) handleLs(args []string) error {
@@ -246,7 +246,8 @@ var policyPlaygroundCmd = &cobra.Command{
 	Long: `A REPL for testing placement policies.
 If a wallet and endpoint is provided, the initial netmap data will be loaded from the snapshot of the node. Otherwise, an empty playground is created.`,
 	Run: func(cmd *cobra.Command, _ []string) {
-		repl := newPolicyPlaygroundREPL(cmd)
+		repl, err := newPolicyPlaygroundREPL(cmd)
+		commonCmd.ExitOnErr(cmd, "could not create policy playground: %w", err)
 		commonCmd.ExitOnErr(cmd, "policy playground failed: %w", repl.run())
 	},
 }

cmd/frostfs-cli/modules/control/add_rule.go

@@ -1,14 +1,23 @@
 package control
 
 import (
+	"encoding/hex"
+	"errors"
+
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/spf13/cobra"
 )
 
+const (
+	ruleFlag = "rule"
+	pathFlag = "path"
+)
+
 var addRuleCmd = &cobra.Command{
 	Use:   "add-rule",
 	Short: "Add local override",
@@ -22,12 +31,41 @@ control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ..
 	Run: addRule,
 }
 
+func parseChain(cmd *cobra.Command) *apechain.Chain {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+
+	chainIDRaw := []byte(chainID)
+
+	if hexEncoded {
+		var err error
+		chainIDRaw, err = hex.DecodeString(chainID)
+		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
+	}
+
+	chain := new(apechain.Chain)
+	chain.ID = apechain.ID(chainIDRaw)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error", errors.New("rule is not passed"))
+	}
+
+	cmd.Println("Parsed chain:")
+	util.PrintHumanReadableAPEChain(cmd, chain)
+
+	return chain
+}
+
 func addRule(cmd *cobra.Command, _ []string) {
 	pk := key.Get(cmd)
 
 	target := parseTarget(cmd)
 
-	parsed := apeCmd.ParseChain(cmd)
+	parsed := parseChain(cmd)
 
 	req := &control.AddChainLocalOverrideRequest{
 		Body: &control.AddChainLocalOverrideRequest_Body{
@@ -56,13 +94,13 @@ func initControlAddRuleCmd() {
 	initControlFlags(addRuleCmd)
 
 	ff := addRuleCmd.Flags()
-	ff.StringArray(apeCmd.RuleFlag, []string{}, "Rule statement")
+	ff.StringArray(ruleFlag, []string{}, "Rule statement")
-	ff.String(apeCmd.PathFlag, "", "Path to encoded chain in JSON or binary format")
+	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
-	ff.String(apeCmd.ChainIDFlag, "", "Assign ID to the parsed chain")
+	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
-	ff.String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = addRuleCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = addRuleCmd.MarkFlagRequired(targetTypeFlag)
-	ff.Bool(apeCmd.ChainIDHexFlag, false, "Flag to parse chain ID as hex")
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
 
-	addRuleCmd.MarkFlagsMutuallyExclusive(apeCmd.PathFlag, apeCmd.RuleFlag)
+	addRuleCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)
 }

cmd/frostfs-cli/modules/control/evacuate_shard.go

@@ -0,0 +1,56 @@
+package control
+
+import (
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
+	"github.com/spf13/cobra"
+)
+
+const ignoreErrorsFlag = "no-errors"
+
+var evacuateShardCmd = &cobra.Command{
+	Use:        "evacuate",
+	Short:      "Evacuate objects from shard",
+	Long:       "Evacuate objects from shard to other shards",
+	Run:        evacuateShard,
+	Deprecated: "use frostfs-cli control shards evacuation start",
+}
+
+func evacuateShard(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	req := &control.EvacuateShardRequest{Body: new(control.EvacuateShardRequest_Body)}
+	req.Body.Shard_ID = getShardIDList(cmd)
+	req.Body.IgnoreErrors, _ = cmd.Flags().GetBool(ignoreErrorsFlag)
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.EvacuateShardResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.EvacuateShard(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	cmd.Printf("Objects moved: %d\n", resp.GetBody().GetCount())
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	cmd.Println("Shard has successfully been evacuated.")
+}
+
+func initControlEvacuateShardCmd() {
+	initControlFlags(evacuateShardCmd)
+
+	flags := evacuateShardCmd.Flags()
+	flags.StringSlice(shardIDFlag, nil, "List of shard IDs in base58 encoding")
+	flags.Bool(shardAllFlag, false, "Process all shards")
+	flags.Bool(ignoreErrorsFlag, false, "Skip invalid/unreadable objects")
+
+	evacuateShardCmd.MarkFlagsMutuallyExclusive(shardIDFlag, shardAllFlag)
+}

cmd/frostfs-cli/modules/control/evacuation.go

@@ -21,7 +21,6 @@ const (
 	noProgressFlag = "no-progress"
 	scopeFlag      = "scope"
 	repOneOnlyFlag = "rep-one-only"
-	ignoreErrorsFlag = "no-errors"
 
 	containerWorkerCountFlag = "container-worker-count"
 	objectWorkerCountFlag    = "object-worker-count"

cmd/frostfs-cli/modules/control/get_rule.go

@@ -4,8 +4,8 @@ import (
 	"encoding/hex"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apecmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
@@ -24,8 +24,8 @@ func getRule(cmd *cobra.Command, _ []string) {
 
 	target := parseTarget(cmd)
 
-	chainID, _ := cmd.Flags().GetString(apecmd.ChainIDFlag)
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
-	hexEncoded, _ := cmd.Flags().GetBool(apecmd.ChainIDHexFlag)
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
 
 	if hexEncoded {
 		chainIDBytes, err := hex.DecodeString(chainID)
@@ -56,16 +56,16 @@ func getRule(cmd *cobra.Command, _ []string) {
 
 	var chain apechain.Chain
 	commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(resp.GetBody().GetChain()))
-	apecmd.PrintHumanReadableAPEChain(cmd, &chain)
+	util.PrintHumanReadableAPEChain(cmd, &chain)
 }
 
 func initControGetRuleCmd() {
 	initControlFlags(getRuleCmd)
 
 	ff := getRuleCmd.Flags()
-	ff.String(apecmd.TargetNameFlag, "", apecmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apecmd.TargetTypeFlag, "", apecmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = getRuleCmd.MarkFlagRequired(apecmd.TargetTypeFlag)
+	_ = getRuleCmd.MarkFlagRequired(targetTypeFlag)
-	ff.String(apecmd.ChainIDFlag, "", "Chain id")
+	ff.String(chainIDFlag, "", "Chain id")
-	ff.Bool(apecmd.ChainIDHexFlag, false, "Flag to parse chain ID as hex")
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
 }

cmd/frostfs-cli/modules/control/list_rules.go

@@ -1,16 +1,18 @@
 package control
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/spf13/cobra"
 )
 
@@ -21,25 +23,65 @@ var listRulesCmd = &cobra.Command{
 	Run:   listRules,
 }
 
-var engineToControlSvcType = map[policyengine.TargetType]control.ChainTarget_TargetType{
+const (
-	policyengine.Namespace: control.ChainTarget_NAMESPACE,
+	defaultNamespace = "root"
-	policyengine.Container: control.ChainTarget_CONTAINER,
+	namespaceTarget  = "namespace"
-	policyengine.User:      control.ChainTarget_USER,
+	containerTarget  = "container"
-	policyengine.Group:     control.ChainTarget_GROUP,
+	userTarget       = "user"
-}
+	groupTarget      = "group"
+)
+
+const (
+	targetNameFlag = "target-name"
+	targetNameDesc = "Resource name in APE resource name format"
+	targetTypeFlag = "target-type"
+	targetTypeDesc = "Resource type(container/namespace)"
+)
+
+var (
+	errSettingDefaultValueWasDeclined = errors.New("setting default value was declined")
+	errUnknownTargetType              = errors.New("unknown target type")
+)
 
 func parseTarget(cmd *cobra.Command) *control.ChainTarget {
-	target := apeCmd.ParseTarget(cmd)
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
-
+	name, _ := cmd.Flags().GetString(targetNameFlag)
-	typ, ok := engineToControlSvcType[target.Type]
+	switch typ {
-	if !ok {
+	case namespaceTarget:
-		commonCmd.ExitOnErr(cmd, "%w", fmt.Errorf("unknown type '%c", target.Type))
+		if name == "" {
+			ln, err := input.ReadLine(fmt.Sprintf("Target name is not set. Confirm to use %s namespace (n|Y)> ", defaultNamespace))
+			commonCmd.ExitOnErr(cmd, "read line error: %w", err)
+			ln = strings.ToLower(ln)
+			if len(ln) > 0 && (ln[0] == 'n') {
+				commonCmd.ExitOnErr(cmd, "read namespace error: %w", errSettingDefaultValueWasDeclined)
+			}
+			name = defaultNamespace
 		}
-
 		return &control.ChainTarget{
-		Name: target.Name,
+			Name: name,
-		Type: typ,
+			Type: control.ChainTarget_NAMESPACE,
 		}
+	case containerTarget:
+		var cnr cid.ID
+		commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(name))
+		return &control.ChainTarget{
+			Name: name,
+			Type: control.ChainTarget_CONTAINER,
+		}
+	case userTarget:
+		return &control.ChainTarget{
+			Name: name,
+			Type: control.ChainTarget_USER,
+		}
+	case groupTarget:
+		return &control.ChainTarget{
+			Name: name,
+			Type: control.ChainTarget_GROUP,
+		}
+	default:
+		commonCmd.ExitOnErr(cmd, "read target type error: %w", errUnknownTargetType)
+	}
+	return nil
 }
 
 func listRules(cmd *cobra.Command, _ []string) {
@@ -75,7 +117,7 @@ func listRules(cmd *cobra.Command, _ []string) {
 	for _, c := range chains {
 		var chain apechain.Chain
 		commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(c))
-		apeCmd.PrintHumanReadableAPEChain(cmd, &chain)
+		util.PrintHumanReadableAPEChain(cmd, &chain)
 	}
 }
 
@@ -83,7 +125,7 @@ func initControlListRulesCmd() {
 	initControlFlags(listRulesCmd)
 
 	ff := listRulesCmd.Flags()
-	ff.String(apeCmd.TargetNameFlag, "", apeCmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apeCmd.TargetTypeFlag, "", apeCmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = listRulesCmd.MarkFlagRequired(apeCmd.TargetTypeFlag)
+	_ = listRulesCmd.MarkFlagRequired(targetTypeFlag)
 }

cmd/frostfs-cli/modules/control/list_targets.go

@@ -2,20 +2,26 @@ package control
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"fmt"
 	"strconv"
 	"text/tabwriter"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
 
+const (
+	chainNameFlag      = "chain-name"
+	chainNameFlagUsage = "Chain name(ingress|s3)"
+)
+
 var listTargetsCmd = &cobra.Command{
 	Use:   "list-targets",
 	Short: "List local targets",
@@ -26,11 +32,15 @@ var listTargetsCmd = &cobra.Command{
 func listTargets(cmd *cobra.Command, _ []string) {
 	pk := key.Get(cmd)
 
-	chainName := apeCmd.ParseChainName(cmd)
+	var cnr cid.ID
+	chainName, _ := cmd.Flags().GetString(chainNameFlag)
+
+	rawCID := make([]byte, sha256.Size)
+	cnr.Encode(rawCID)
 
 	req := &control.ListTargetsLocalOverridesRequest{
 		Body: &control.ListTargetsLocalOverridesRequest_Body{
-			ChainName: string(chainName),
+			ChainName: chainName,
 		},
 	}
 
@@ -72,7 +82,7 @@ func initControlListTargetsCmd() {
 	initControlFlags(listTargetsCmd)
 
 	ff := listTargetsCmd.Flags()
-	ff.String(apeCmd.ChainNameFlag, "", apeCmd.ChainNameFlagDesc)
+	ff.String(chainNameFlag, "", chainNameFlagUsage)
 
-	_ = cobra.MarkFlagRequired(ff, apeCmd.ChainNameFlag)
+	_ = cobra.MarkFlagRequired(ff, chainNameFlag)
 }

cmd/frostfs-cli/modules/control/remove_rule.go

@@ -6,12 +6,17 @@ import (
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apecmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/rpc/client"
 	"github.com/spf13/cobra"
 )
 
+const (
+	chainIDFlag    = "chain-id"
+	chainIDHexFlag = "chain-id-hex"
+	allFlag        = "all"
+)
+
 var (
 	errEmptyChainID = errors.New("chain id cannot be empty")
 
@@ -25,8 +30,8 @@ var (
 
 func removeRule(cmd *cobra.Command, _ []string) {
 	pk := key.Get(cmd)
-	hexEncoded, _ := cmd.Flags().GetBool(apecmd.ChainIDHexFlag)
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
-	removeAll, _ := cmd.Flags().GetBool(apecmd.AllFlag)
+	removeAll, _ := cmd.Flags().GetBool(allFlag)
 	if removeAll {
 		req := &control.RemoveChainLocalOverridesByTargetRequest{
 			Body: &control.RemoveChainLocalOverridesByTargetRequest_Body{
@@ -47,7 +52,7 @@ func removeRule(cmd *cobra.Command, _ []string) {
 		return
 	}
 
-	chainID, _ := cmd.Flags().GetString(apecmd.ChainIDFlag)
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
 	if chainID == "" {
 		commonCmd.ExitOnErr(cmd, "read chain id error: %w", errEmptyChainID)
 	}
@@ -87,11 +92,11 @@ func initControlRemoveRuleCmd() {
 	initControlFlags(removeRuleCmd)
 
 	ff := removeRuleCmd.Flags()
-	ff.String(apecmd.TargetNameFlag, "", apecmd.TargetNameFlagDesc)
+	ff.String(targetNameFlag, "", targetNameDesc)
-	ff.String(apecmd.TargetTypeFlag, "", apecmd.TargetTypeFlagDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
-	_ = removeRuleCmd.MarkFlagRequired(apecmd.TargetTypeFlag)
+	_ = removeRuleCmd.MarkFlagRequired(targetTypeFlag)
-	ff.String(apecmd.ChainIDFlag, "", apecmd.ChainIDFlagDesc)
+	ff.String(chainIDFlag, "", "Chain id")
-	ff.Bool(apecmd.ChainIDHexFlag, false, apecmd.ChainIDHexFlagDesc)
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
-	ff.Bool(apecmd.AllFlag, false, "Remove all chains")
+	ff.Bool(allFlag, false, "Remove all chains")
-	removeRuleCmd.MarkFlagsMutuallyExclusive(apecmd.AllFlag, apecmd.ChainIDFlag)
+	removeRuleCmd.MarkFlagsMutuallyExclusive(allFlag, chainIDFlag)
 }

cmd/frostfs-cli/modules/control/shards.go

@@ -13,6 +13,7 @@ var shardsCmd = &cobra.Command{
 func initControlShardsCmd() {
 	shardsCmd.AddCommand(listShardsCmd)
 	shardsCmd.AddCommand(setShardModeCmd)
+	shardsCmd.AddCommand(evacuateShardCmd)
 	shardsCmd.AddCommand(evacuationShardCmd)
 	shardsCmd.AddCommand(flushCacheCmd)
 	shardsCmd.AddCommand(doctorCmd)
@@ -22,6 +23,7 @@ func initControlShardsCmd() {
 
 	initControlShardsListCmd()
 	initControlSetShardModeCmd()
+	initControlEvacuateShardCmd()
 	initControlEvacuationShardCmd()
 	initControlFlushCacheCmd()
 	initControlDoctorCmd()

cmd/frostfs-cli/modules/object/hash.go

@@ -9,6 +9,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/spf13/cobra"
@@ -41,9 +42,7 @@ func initObjectHashCmd() {
 	flags.String(commonflags.OIDFlag, "", commonflags.OIDFlagUsage)
 	_ = objectHashCmd.MarkFlagRequired(commonflags.OIDFlag)
 
-	flags.StringSlice("range", nil, "Range to take hash from in the form offset1:length1,...")
+	flags.String("range", "", "Range to take hash from in the form offset1:length1,...")
-	_ = objectHashCmd.MarkFlagRequired("range")
-
 	flags.String("type", hashSha256, "Hash type. Either 'sha256' or 'tz'")
 	flags.String(getRangeHashSaltFlag, "", "Salt in hex format")
 }
@@ -67,6 +66,36 @@ func getObjectHash(cmd *cobra.Command, _ []string) {
 	pk := key.GetOrGenerate(cmd)
 	cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
 
+	tz := typ == hashTz
+	fullHash := len(ranges) == 0
+	if fullHash {
+		var headPrm internalclient.HeadObjectPrm
+		headPrm.SetClient(cli)
+		Prepare(cmd, &headPrm)
+		headPrm.SetAddress(objAddr)
+
+		// get hash of full payload through HEAD (may be user can do it through dedicated command?)
+		res, err := internalclient.HeadObject(cmd.Context(), headPrm)
+		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+		var cs checksum.Checksum
+		var csSet bool
+
+		if tz {
+			cs, csSet = res.Header().PayloadHomomorphicHash()
+		} else {
+			cs, csSet = res.Header().PayloadChecksum()
+		}
+
+		if csSet {
+			cmd.Println(hex.EncodeToString(cs.Value()))
+		} else {
+			cmd.Println("Missing checksum in object header.")
+		}
+
+		return
+	}
+
 	var hashPrm internalclient.HashPayloadRangesPrm
 	hashPrm.SetClient(cli)
 	Prepare(cmd, &hashPrm)
@@ -75,7 +104,7 @@ func getObjectHash(cmd *cobra.Command, _ []string) {
 	hashPrm.SetSalt(salt)
 	hashPrm.SetRanges(ranges)
 
-	if typ == hashTz {
+	if tz {
 		hashPrm.TZ()
 	}
 

cmd/frostfs-cli/modules/object/nodes.go

@@ -1,12 +1,15 @@
 package object
 
 import (
+	"bytes"
+	"cmp"
 	"context"
 	"crypto/ecdsa"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"slices"
 	"sync"
 
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
@@ -504,6 +507,7 @@ func isObjectStoredOnNode(ctx context.Context, cmd *cobra.Command, cnrID cid.ID,
 }
 
 func printPlacement(cmd *cobra.Command, objID oid.ID, objects []phyObject, result *objectNodesResult) {
+	normilizeObjectNodesResult(objects, result)
 	if json, _ := cmd.Flags().GetBool(commonflags.JSON); json {
 		printObjectNodesAsJSON(cmd, objID, objects, result)
 	} else {
@@ -511,6 +515,34 @@ func printPlacement(cmd *cobra.Command, objID oid.ID, objects []phyObject, resul
 	}
 }
 
+func normilizeObjectNodesResult(objects []phyObject, result *objectNodesResult) {
+	slices.SortFunc(objects, func(lhs, rhs phyObject) int {
+		if lhs.ecHeader == nil && rhs.ecHeader == nil {
+			return bytes.Compare(lhs.objectID[:], rhs.objectID[:])
+		}
+		if lhs.ecHeader == nil {
+			return -1
+		}
+		if rhs.ecHeader == nil {
+			return 1
+		}
+		if lhs.ecHeader.parent == rhs.ecHeader.parent {
+			return cmp.Compare(lhs.ecHeader.index, rhs.ecHeader.index)
+		}
+		return bytes.Compare(lhs.ecHeader.parent[:], rhs.ecHeader.parent[:])
+	})
+	for _, obj := range objects {
+		op := result.placements[obj.objectID]
+		slices.SortFunc(op.confirmedNodes, func(lhs, rhs netmapSDK.NodeInfo) int {
+			return bytes.Compare(lhs.PublicKey(), rhs.PublicKey())
+		})
+		slices.SortFunc(op.requiredNodes, func(lhs, rhs netmapSDK.NodeInfo) int {
+			return bytes.Compare(lhs.PublicKey(), rhs.PublicKey())
+		})
+		result.placements[obj.objectID] = op
+	}
+}
+
 func printObjectNodesAsText(cmd *cobra.Command, objID oid.ID, objects []phyObject, result *objectNodesResult) {
 	fmt.Fprintf(cmd.OutOrStdout(), "Object %s stores payload in %d data objects:\n", objID.EncodeToString(), len(objects))
 

cmd/frostfs-cli/modules/object/patch.go

@@ -46,7 +46,7 @@ func initObjectPatchCmd() {
 	flags.String(commonflags.OIDFlag, "", commonflags.OIDFlagUsage)
 	_ = objectRangeCmd.MarkFlagRequired(commonflags.OIDFlag)
 
-	flags.StringSlice(newAttrsFlagName, nil, "New object attributes in form of Key1=Value1,Key2=Value2")
+	flags.String(newAttrsFlagName, "", "New object attributes in form of Key1=Value1,Key2=Value2")
 	flags.Bool(replaceAttrsFlagName, false, "Replace object attributes by new ones.")
 	flags.StringSlice(rangeFlagName, []string{}, "Range to which patch payload is applied. Format: offset:length")
 	flags.StringSlice(payloadFlagName, []string{}, "Path to file with patch payload.")
@@ -99,9 +99,11 @@ func patch(cmd *cobra.Command, _ []string) {
 }
 
 func parseNewObjectAttrs(cmd *cobra.Command) ([]objectSDK.Attribute, error) {
-	rawAttrs, err := cmd.Flags().GetStringSlice(newAttrsFlagName)
+	var rawAttrs []string
-	if err != nil {
+
-		return nil, err
+	raw := cmd.Flag(newAttrsFlagName).Value.String()
+	if len(raw) != 0 {
+		rawAttrs = strings.Split(raw, ",")
 	}
 
 	attrs := make([]objectSDK.Attribute, len(rawAttrs), len(rawAttrs)+2) // name + timestamp attributes

cmd/frostfs-cli/modules/object/put.go

@@ -50,7 +50,7 @@ func initObjectPutCmd() {
 
 	flags.String(commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
 
-	flags.StringSlice("attributes", nil, "User attributes in form of Key1=Value1,Key2=Value2")
+	flags.String("attributes", "", "User attributes in form of Key1=Value1,Key2=Value2")
 	flags.Bool("disable-filename", false, "Do not set well-known filename attribute")
 	flags.Bool("disable-timestamp", false, "Do not set well-known timestamp attribute")
 	flags.Uint64VarP(&putExpiredOn, commonflags.ExpireAt, "e", 0, "The last active epoch in the life of the object")
@@ -214,9 +214,11 @@ func getAllObjectAttributes(cmd *cobra.Command) []objectSDK.Attribute {
 }
 
 func parseObjectAttrs(cmd *cobra.Command) ([]objectSDK.Attribute, error) {
-	rawAttrs, err := cmd.Flags().GetStringSlice("attributes")
+	var rawAttrs []string
-	if err != nil {
+
-		return nil, err
+	raw := cmd.Flag("attributes").Value.String()
+	if len(raw) != 0 {
+		rawAttrs = strings.Split(raw, ",")
 	}
 
 	attrs := make([]objectSDK.Attribute, len(rawAttrs), len(rawAttrs)+2) // name + timestamp attributes

cmd/frostfs-cli/modules/object/range.go

@@ -38,7 +38,7 @@ func initObjectRangeCmd() {
 	flags.String(commonflags.OIDFlag, "", commonflags.OIDFlagUsage)
 	_ = objectRangeCmd.MarkFlagRequired(commonflags.OIDFlag)
 
-	flags.StringSlice("range", nil, "Range to take data from in the form offset:length")
+	flags.String("range", "", "Range to take data from in the form offset:length")
 	flags.String(fileFlag, "", "File to write object payload to. Default: stdout.")
 	flags.Bool(rawFlag, false, rawFlagDesc)
 }
@@ -195,10 +195,11 @@ func marshalECInfo(cmd *cobra.Command, info *objectSDK.ECInfo) ([]byte, error) {
 }
 
 func getRangeList(cmd *cobra.Command) ([]objectSDK.Range, error) {
-	vs, err := cmd.Flags().GetStringSlice("range")
+	v := cmd.Flag("range").Value.String()
-	if len(vs) == 0 || err != nil {
+	if len(v) == 0 {
-		return nil, err
+		return nil, nil
 	}
+	vs := strings.Split(v, ",")
 	rs := make([]objectSDK.Range, len(vs))
 	for i := range vs {
 		before, after, found := strings.Cut(vs[i], rangeSep)

cmd/frostfs-cli/modules/util/ape.go

@@ -1,14 +1,16 @@
-package ape
+package util
 
 import (
 	"errors"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 	"github.com/flynn-archive/go-shlex"
+	"github.com/spf13/cobra"
 )
 
 var (
@@ -25,6 +27,38 @@ var (
 	errFailedToParseAllAny       = errors.New("any/all is not parsed")
 )
 
+// PrintHumanReadableAPEChain print APE chain rules.
+func PrintHumanReadableAPEChain(cmd *cobra.Command, chain *apechain.Chain) {
+	cmd.Println("Chain ID: " + string(chain.ID))
+	cmd.Printf("     HEX: %x\n", chain.ID)
+	cmd.Println("Rules:")
+	for _, rule := range chain.Rules {
+		cmd.Println("\n\tStatus: " + rule.Status.String())
+		cmd.Println("\tAny: " + strconv.FormatBool(rule.Any))
+		cmd.Println("\tConditions:")
+		for _, c := range rule.Condition {
+			var ot string
+			switch c.Kind {
+			case apechain.KindResource:
+				ot = "Resource"
+			case apechain.KindRequest:
+				ot = "Request"
+			default:
+				panic("unknown object type")
+			}
+			cmd.Println(fmt.Sprintf("\t\t%s %s %s %s", ot, c.Key, c.Op, c.Value))
+		}
+		cmd.Println("\tActions:\tInverted:" + strconv.FormatBool(rule.Actions.Inverted))
+		for _, name := range rule.Actions.Names {
+			cmd.Println("\t\t" + name)
+		}
+		cmd.Println("\tResources:\tInverted:" + strconv.FormatBool(rule.Resources.Inverted))
+		for _, name := range rule.Resources.Names {
+			cmd.Println("\t\t" + name)
+		}
+	}
+}
+
 func ParseAPEChainBinaryOrJSON(chain *apechain.Chain, path string) error {
 	data, err := os.ReadFile(path)
 	if err != nil {
@@ -261,7 +295,7 @@ func parseResource(lexeme string, isObj bool) (string, error) {
 		} else {
 			if lexeme == "*" {
 				return nativeschema.ResourceFormatAllContainers, nil
-			} else if lexeme == "/*" || lexeme == "root/*" {
+			} else if lexeme == "/*" {
 				return nativeschema.ResourceFormatRootContainers, nil
 			} else if strings.HasPrefix(lexeme, "/") && len(lexeme) > 1 {
 				lexeme = lexeme[1:]

cmd/frostfs-cli/modules/util/ape_test.go

@@ -1,4 +1,4 @@
-package ape
+package util
 
 import (
 	"fmt"
@@ -43,15 +43,6 @@ func TestParseAPERule(t *testing.T) {
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
 			},
 		},
-		{
-			name: "Valid rule for all containers in explicit root namespace",
-			rule: "allow Container.Put root/*",
-			expectRule: policyengine.Rule{
-				Status:    policyengine.Allow,
-				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
-				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootContainers}},
-			},
-		},
 		{
 			name: "Valid rule for all objects in root namespace and container",
 			rule: "allow Object.Put /cid/*",

cmd/frostfs-cli/modules/util/convert_eacl.go

@@ -6,7 +6,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	apeutil "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/ape"
+	apeutil "git.frostfs.info/TrueCloudLab/frostfs-node/internal/ape"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"github.com/spf13/cobra"
 )

cmd/frostfs-ir/config.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"os"
 	"os/signal"
 	"syscall"
@@ -47,7 +46,7 @@ func reloadConfig() error {
 	return logPrm.Reload()
 }
 
-func watchForSignal(ctx context.Context, cancel func()) {
+func watchForSignal(cancel func()) {
 	ch := make(chan os.Signal, 1)
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
 
@@ -59,49 +58,49 @@ func watchForSignal(ctx context.Context, cancel func()) {
 		// signals causing application to shut down should have priority over
 		// reconfiguration signal
 		case <-ch:
-			log.Info(ctx, logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
+			log.Info(logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
 			cancel()
-			shutdown(ctx)
+			shutdown()
-			log.Info(ctx, logs.FrostFSNodeTerminationSignalProcessingIsComplete)
+			log.Info(logs.FrostFSNodeTerminationSignalProcessingIsComplete)
 			return
 		case err := <-intErr: // internal application error
-			log.Info(ctx, logs.FrostFSIRInternalError, zap.String("msg", err.Error()))
+			log.Info(logs.FrostFSIRInternalError, zap.String("msg", err.Error()))
 			cancel()
-			shutdown(ctx)
+			shutdown()
 			return
 		default:
 			// block until any signal is receieved
 			select {
 			case <-ch:
-				log.Info(ctx, logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
+				log.Info(logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
 				cancel()
-				shutdown(ctx)
+				shutdown()
-				log.Info(ctx, logs.FrostFSNodeTerminationSignalProcessingIsComplete)
+				log.Info(logs.FrostFSNodeTerminationSignalProcessingIsComplete)
 				return
 			case err := <-intErr: // internal application error
-				log.Info(ctx, logs.FrostFSIRInternalError, zap.String("msg", err.Error()))
+				log.Info(logs.FrostFSIRInternalError, zap.String("msg", err.Error()))
 				cancel()
-				shutdown(ctx)
+				shutdown()
 				return
 			case <-sighupCh:
-				log.Info(ctx, logs.FrostFSNodeSIGHUPHasBeenReceivedRereadingConfiguration)
+				log.Info(logs.FrostFSNodeSIGHUPHasBeenReceivedRereadingConfiguration)
-				if !innerRing.CompareAndSwapHealthStatus(ctx, control.HealthStatus_READY, control.HealthStatus_RECONFIGURING) {
+				if !innerRing.CompareAndSwapHealthStatus(control.HealthStatus_READY, control.HealthStatus_RECONFIGURING) {
-					log.Info(ctx, logs.FrostFSNodeSIGHUPSkip)
+					log.Info(logs.FrostFSNodeSIGHUPSkip)
 					break
 				}
 				err := reloadConfig()
 				if err != nil {
-					log.Error(ctx, logs.FrostFSNodeConfigurationReading, zap.Error(err))
+					log.Error(logs.FrostFSNodeConfigurationReading, zap.Error(err))
 				}
-				pprofCmp.reload(ctx)
+				pprofCmp.reload()
-				metricsCmp.reload(ctx)
+				metricsCmp.reload()
-				log.Info(ctx, logs.FrostFSIRReloadExtraWallets)
+				log.Info(logs.FrostFSIRReloadExtraWallets)
 				err = innerRing.SetExtraWallets(cfg)
 				if err != nil {
-					log.Error(ctx, logs.FrostFSNodeConfigurationReading, zap.Error(err))
+					log.Error(logs.FrostFSNodeConfigurationReading, zap.Error(err))
 				}
-				innerRing.CompareAndSwapHealthStatus(ctx, control.HealthStatus_RECONFIGURING, control.HealthStatus_READY)
+				innerRing.CompareAndSwapHealthStatus(control.HealthStatus_RECONFIGURING, control.HealthStatus_READY)
-				log.Info(ctx, logs.FrostFSNodeConfigurationHasBeenReloadedSuccessfully)
+				log.Info(logs.FrostFSNodeConfigurationHasBeenReloadedSuccessfully)
 			}
 		}
 	}

cmd/frostfs-ir/httpcomponent.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"net/http"
 	"time"
 
@@ -25,8 +24,8 @@ const (
 	shutdownTimeoutKeyPostfix = ".shutdown_timeout"
 )
 
-func (c *httpComponent) init(ctx context.Context) {
+func (c *httpComponent) init() {
-	log.Info(ctx, "init "+c.name)
+	log.Info("init " + c.name)
 	c.enabled = cfg.GetBool(c.name + enabledKeyPostfix)
 	c.address = cfg.GetString(c.name + addressKeyPostfix)
 	c.shutdownDur = cfg.GetDuration(c.name + shutdownTimeoutKeyPostfix)
@@ -40,14 +39,14 @@ func (c *httpComponent) init(ctx context.Context) {
 			httputil.WithShutdownTimeout(c.shutdownDur),
 		)
 	} else {
-		log.Info(ctx, c.name+" is disabled, skip")
+		log.Info(c.name + " is disabled, skip")
 		c.srv = nil
 	}
 }
 
-func (c *httpComponent) start(ctx context.Context) {
+func (c *httpComponent) start() {
 	if c.srv != nil {
-		log.Info(ctx, "start "+c.name)
+		log.Info("start " + c.name)
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
@@ -56,10 +55,10 @@ func (c *httpComponent) start(ctx context.Context) {
 	}
 }
 
-func (c *httpComponent) shutdown(ctx context.Context) error {
+func (c *httpComponent) shutdown() error {
 	if c.srv != nil {
-		log.Info(ctx, "shutdown "+c.name)
+		log.Info("shutdown " + c.name)
-		return c.srv.Shutdown(ctx)
+		return c.srv.Shutdown()
 	}
 	return nil
 }
@@ -71,17 +70,17 @@ func (c *httpComponent) needReload() bool {
 	return enabled != c.enabled || enabled && (address != c.address || dur != c.shutdownDur)
 }
 
-func (c *httpComponent) reload(ctx context.Context) {
+func (c *httpComponent) reload() {
-	log.Info(ctx, "reload "+c.name)
+	log.Info("reload " + c.name)
 	if c.needReload() {
-		log.Info(ctx, c.name+" config updated")
+		log.Info(c.name + " config updated")
-		if err := c.shutdown(ctx); err != nil {
+		if err := c.shutdown(); err != nil {
-			log.Debug(ctx, logs.FrostFSIRCouldNotShutdownHTTPServer,
+			log.Debug(logs.FrostFSIRCouldNotShutdownHTTPServer,
-				zap.Error(err),
+				zap.String("error", err.Error()),
 			)
 		} else {
-			c.init(ctx)
+			c.init()
-			c.start(ctx)
+			c.start()
 		}
 	}
 }

cmd/frostfs-ir/main.go

@@ -87,48 +87,48 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 
 	pprofCmp = newPprofComponent()
-	pprofCmp.init(ctx)
+	pprofCmp.init()
 
 	metricsCmp = newMetricsComponent()
-	metricsCmp.init(ctx)
+	metricsCmp.init()
 	audit.Store(cfg.GetBool("audit.enabled"))
 
 	innerRing, err = innerring.New(ctx, log, cfg, intErr, metrics, cmode, audit)
 	exitErr(err)
 
-	pprofCmp.start(ctx)
+	pprofCmp.start()
-	metricsCmp.start(ctx)
+	metricsCmp.start()
 
 	// start inner ring
 	err = innerRing.Start(ctx, intErr)
 	exitErr(err)
 
-	log.Info(ctx, logs.CommonApplicationStarted,
+	log.Info(logs.CommonApplicationStarted,
 		zap.String("version", misc.Version))
 
-	watchForSignal(ctx, cancel)
+	watchForSignal(cancel)
 
 	<-ctx.Done() // graceful shutdown
-	log.Debug(ctx, logs.FrostFSNodeWaitingForAllProcessesToStop)
+	log.Debug(logs.FrostFSNodeWaitingForAllProcessesToStop)
 	wg.Wait()
 
-	log.Info(ctx, logs.FrostFSIRApplicationStopped)
+	log.Info(logs.FrostFSIRApplicationStopped)
 }
 
-func shutdown(ctx context.Context) {
+func shutdown() {
-	innerRing.Stop(ctx)
+	innerRing.Stop()
-	if err := metricsCmp.shutdown(ctx); err != nil {
+	if err := metricsCmp.shutdown(); err != nil {
-		log.Debug(ctx, logs.FrostFSIRCouldNotShutdownHTTPServer,
+		log.Debug(logs.FrostFSIRCouldNotShutdownHTTPServer,
-			zap.Error(err),
+			zap.String("error", err.Error()),
 		)
 	}
-	if err := pprofCmp.shutdown(ctx); err != nil {
+	if err := pprofCmp.shutdown(); err != nil {
-		log.Debug(ctx, logs.FrostFSIRCouldNotShutdownHTTPServer,
+		log.Debug(logs.FrostFSIRCouldNotShutdownHTTPServer,
-			zap.Error(err),
+			zap.String("error", err.Error()),
 		)
 	}
 
 	if err := sdnotify.ClearStatus(); err != nil {
-		log.Error(ctx, logs.FailedToReportStatusToSystemd, zap.Error(err))
+		log.Error(logs.FailedToReportStatusToSystemd, zap.Error(err))
 	}
 }

cmd/frostfs-ir/pprof.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"runtime"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
@@ -29,8 +28,8 @@ func newPprofComponent() *pprofComponent {
 	}
 }
 
-func (c *pprofComponent) init(ctx context.Context) {
+func (c *pprofComponent) init() {
-	c.httpComponent.init(ctx)
+	c.httpComponent.init()
 
 	if c.enabled {
 		c.blockRate = cfg.GetInt(pprofBlockRateKey)
@@ -52,17 +51,17 @@ func (c *pprofComponent) needReload() bool {
 		c.enabled && (c.blockRate != blockRate || c.mutexRate != mutexRate)
 }
 
-func (c *pprofComponent) reload(ctx context.Context) {
+func (c *pprofComponent) reload() {
-	log.Info(ctx, "reload "+c.name)
+	log.Info("reload " + c.name)
 	if c.needReload() {
-		log.Info(ctx, c.name+" config updated")
+		log.Info(c.name + " config updated")
-		if err := c.shutdown(ctx); err != nil {
+		if err := c.shutdown(); err != nil {
-			log.Debug(ctx, logs.FrostFSIRCouldNotShutdownHTTPServer,
+			log.Debug(logs.FrostFSIRCouldNotShutdownHTTPServer,
-				zap.Error(err))
+				zap.String("error", err.Error()))
 			return
 		}
 
-		c.init(ctx)
+		c.init()
-		c.start(ctx)
+		c.start()
 	}
 }

cmd/frostfs-lens/internal/blobovnicza/inspect.go

@@ -28,7 +28,7 @@ func inspectFunc(cmd *cobra.Command, _ []string) {
 	common.ExitOnErr(cmd, common.Errf("invalid address argument: %w", err))
 
 	blz := openBlobovnicza(cmd)
-	defer blz.Close(cmd.Context())
+	defer blz.Close()
 
 	var prm blobovnicza.GetPrm
 	prm.SetAddress(addr)

cmd/frostfs-lens/internal/blobovnicza/list.go

@@ -32,7 +32,7 @@ func listFunc(cmd *cobra.Command, _ []string) {
 	}
 
 	blz := openBlobovnicza(cmd)
-	defer blz.Close(cmd.Context())
+	defer blz.Close()
 
 	err := blobovnicza.IterateAddresses(context.Background(), blz, wAddr)
 	common.ExitOnErr(cmd, common.Errf("blobovnicza iterator failure: %w", err))

cmd/frostfs-lens/internal/blobovnicza/root.go

@@ -27,7 +27,7 @@ func openBlobovnicza(cmd *cobra.Command) *blobovnicza.Blobovnicza {
 		blobovnicza.WithPath(vPath),
 		blobovnicza.WithReadOnly(true),
 	)
-	common.ExitOnErr(cmd, blz.Open(cmd.Context()))
+	common.ExitOnErr(cmd, blz.Open())
 
 	return blz
 }

cmd/frostfs-lens/internal/meta/inspect.go

@@ -31,7 +31,7 @@ func inspectFunc(cmd *cobra.Command, _ []string) {
 	common.ExitOnErr(cmd, common.Errf("invalid address argument: %w", err))
 
 	db := openMeta(cmd)
-	defer db.Close(cmd.Context())
+	defer db.Close()
 
 	storageID := meta.StorageIDPrm{}
 	storageID.SetAddress(addr)

cmd/frostfs-lens/internal/meta/list-garbage.go

@@ -19,7 +19,7 @@ func init() {
 
 func listGarbageFunc(cmd *cobra.Command, _ []string) {
 	db := openMeta(cmd)
-	defer db.Close(cmd.Context())
+	defer db.Close()
 
 	var garbPrm meta.GarbageIterationPrm
 	garbPrm.SetHandler(

cmd/frostfs-lens/internal/meta/list-graveyard.go

@@ -19,7 +19,7 @@ func init() {
 
 func listGraveyardFunc(cmd *cobra.Command, _ []string) {
 	db := openMeta(cmd)
-	defer db.Close(cmd.Context())
+	defer db.Close()
 
 	var gravePrm meta.GraveyardIterationPrm
 	gravePrm.SetHandler(

cmd/frostfs-lens/internal/tui/buckets.go

@@ -124,7 +124,10 @@ func (v *BucketsView) loadNodeChildren(
 	path := parentBucket.Path
 	parser := parentBucket.NextParser
 
-	buffer := LoadBuckets(ctx, v.ui.db, path, v.ui.loadBufferSize)
+	buffer, err := LoadBuckets(ctx, v.ui.db, path, v.ui.loadBufferSize)
+	if err != nil {
+		return err
+	}
 
 	for item := range buffer {
 		if item.err != nil {
@@ -132,7 +135,6 @@ func (v *BucketsView) loadNodeChildren(
 		}
 		bucket := item.val
 
-		var err error
 		bucket.Entry, bucket.NextParser, err = parser(bucket.Name, nil)
 		if err != nil {
 			return err
@@ -178,7 +180,10 @@ func (v *BucketsView) bucketSatisfiesFilter(
 	defer cancel()
 
 	// Check the current bucket's nested buckets if exist
-	bucketsBuffer := LoadBuckets(ctx, v.ui.db, bucket.Path, v.ui.loadBufferSize)
+	bucketsBuffer, err := LoadBuckets(ctx, v.ui.db, bucket.Path, v.ui.loadBufferSize)
+	if err != nil {
+		return false, err
+	}
 
 	for item := range bucketsBuffer {
 		if item.err != nil {
@@ -186,7 +191,6 @@ func (v *BucketsView) bucketSatisfiesFilter(
 		}
 		b := item.val
 
-		var err error
 		b.Entry, b.NextParser, err = bucket.NextParser(b.Name, nil)
 		if err != nil {
 			return false, err
@@ -202,7 +206,10 @@ func (v *BucketsView) bucketSatisfiesFilter(
 	}
 
 	// Check the current bucket's nested records if exist
-	recordsBuffer := LoadRecords(ctx, v.ui.db, bucket.Path, v.ui.loadBufferSize)
+	recordsBuffer, err := LoadRecords(ctx, v.ui.db, bucket.Path, v.ui.loadBufferSize)
+	if err != nil {
+		return false, err
+	}
 
 	for item := range recordsBuffer {
 		if item.err != nil {
@@ -210,7 +217,6 @@ func (v *BucketsView) bucketSatisfiesFilter(
 		}
 		r := item.val
 
-		var err error
 		r.Entry, _, err = bucket.NextParser(r.Key, r.Value)
 		if err != nil {
 			return false, err

cmd/frostfs-lens/internal/tui/db.go

@@ -35,7 +35,7 @@ func resolvePath(tx *bbolt.Tx, path [][]byte) (*bbolt.Bucket, error) {
 func load[T any](
 	ctx context.Context, db *bbolt.DB, path [][]byte, bufferSize int,
 	filter func(key, value []byte) bool, transform func(key, value []byte) T,
-) <-chan Item[T] {
+) (<-chan Item[T], error) {
 	buffer := make(chan Item[T], bufferSize)
 
 	go func() {
@@ -77,13 +77,13 @@ func load[T any](
 		}
 	}()
 
-	return buffer
+	return buffer, nil
 }
 
 func LoadBuckets(
 	ctx context.Context, db *bbolt.DB, path [][]byte, bufferSize int,
-) <-chan Item[*Bucket] {
+) (<-chan Item[*Bucket], error) {
-	buffer := load(
+	buffer, err := load(
 		ctx, db, path, bufferSize,
 		func(_, value []byte) bool {
 			return value == nil
@@ -98,14 +98,17 @@ func LoadBuckets(
 			}
 		},
 	)
+	if err != nil {
+		return nil, fmt.Errorf("can't start iterating bucket: %w", err)
+	}
 
-	return buffer
+	return buffer, nil
 }
 
 func LoadRecords(
 	ctx context.Context, db *bbolt.DB, path [][]byte, bufferSize int,
-) <-chan Item[*Record] {
+) (<-chan Item[*Record], error) {
-	buffer := load(
+	buffer, err := load(
 		ctx, db, path, bufferSize,
 		func(_, value []byte) bool {
 			return value != nil
@@ -121,8 +124,11 @@ func LoadRecords(
 			}
 		},
 	)
+	if err != nil {
+		return nil, fmt.Errorf("can't start iterating bucket: %w", err)
+	}
 
-	return buffer
+	return buffer, nil
 }
 
 // HasBuckets checks if a bucket has nested buckets. It relies on assumption
@@ -131,21 +137,24 @@ func HasBuckets(ctx context.Context, db *bbolt.DB, path [][]byte) (bool, error)
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	buffer := load(
+	buffer, err := load(
 		ctx, db, path, 1,
 		nil,
 		func(_, value []byte) []byte { return value },
 	)
+	if err != nil {
+		return false, err
+	}
 
 	x, ok := <-buffer
 	if !ok {
 		return false, nil
 	}
 	if x.err != nil {
-		return false, x.err
+		return false, err
 	}
 	if x.val != nil {
-		return false, nil
+		return false, err
 	}
 	return true, nil
 }

cmd/frostfs-lens/internal/tui/records.go

@@ -62,7 +62,10 @@ func (v *RecordsView) Mount(ctx context.Context) error {
 
 	ctx, v.onUnmount = context.WithCancel(ctx)
 
-	tempBuffer := LoadRecords(ctx, v.ui.db, v.bucket.Path, v.ui.loadBufferSize)
+	tempBuffer, err := LoadRecords(ctx, v.ui.db, v.bucket.Path, v.ui.loadBufferSize)
+	if err != nil {
+		return err
+	}
 
 	v.buffer = make(chan *Record, v.ui.loadBufferSize)
 	go func() {
@@ -70,12 +73,11 @@ func (v *RecordsView) Mount(ctx context.Context) error {
 
 		for item := range tempBuffer {
 			if item.err != nil {
-				v.ui.stopOnError(item.err)
+				v.ui.stopOnError(err)
 				break
 			}
 			record := item.val
 
-			var err error
 			record.Entry, _, err = v.bucket.NextParser(record.Key, record.Value)
 			if err != nil {
 				v.ui.stopOnError(err)

cmd/frostfs-node/apemanager.go

@@ -19,7 +19,6 @@ func initAPEManagerService(c *cfg) {
 		c.cfgObject.cfgAccessPolicyEngine.policyContractHash)
 
 	execsvc := apemanager.New(c.cfgObject.cnrSource, contractStorage,
-		c.cfgMorph.client,
 		apemanager.WithLogger(c.log))
 	sigsvc := apemanager.NewSignService(&c.key.PrivateKey, execsvc)
 	auditSvc := apemanager.NewAuditService(sigsvc, c.log, c.audit)

cmd/frostfs-node/cache.go

@@ -196,6 +196,31 @@ func (s ttlContainerStorage) DeletionInfo(cnr cid.ID) (*container.DelInfo, error
 	return s.delInfoCache.get(cnr)
 }
 
+type ttlEACLStorage struct {
+	*ttlNetCache[cid.ID, *container.EACL]
+}
+
+func newCachedEACLStorage(v container.EACLSource, ttl time.Duration) ttlEACLStorage {
+	const eaclCacheSize = 100
+
+	lruCnrCache := newNetworkTTLCache(eaclCacheSize, ttl, func(id cid.ID) (*container.EACL, error) {
+		return v.GetEACL(id)
+	}, metrics.NewCacheMetrics("eacl"))
+
+	return ttlEACLStorage{lruCnrCache}
+}
+
+// GetEACL returns eACL value from the cache. If value is missing in the cache
+// or expired, then it returns value from side chain and updates cache.
+func (s ttlEACLStorage) GetEACL(cnr cid.ID) (*container.EACL, error) {
+	return s.get(cnr)
+}
+
+// InvalidateEACL removes cached eACL value.
+func (s ttlEACLStorage) InvalidateEACL(cnr cid.ID) {
+	s.remove(cnr)
+}
+
 type lruNetmapSource struct {
 	netState netmap.State
 

cmd/frostfs-node/config.go

@@ -397,16 +397,16 @@ type internals struct {
 }
 
 // starts node's maintenance.
-func (c *cfg) startMaintenance(ctx context.Context) {
+func (c *cfg) startMaintenance() {
 	c.isMaintenance.Store(true)
 	c.cfgNetmap.state.setControlNetmapStatus(control.NetmapStatus_MAINTENANCE)
-	c.log.Info(ctx, logs.FrostFSNodeStartedLocalNodesMaintenance)
+	c.log.Info(logs.FrostFSNodeStartedLocalNodesMaintenance)
 }
 
 // stops node's maintenance.
-func (c *internals) stopMaintenance(ctx context.Context) {
+func (c *internals) stopMaintenance() {
 	if c.isMaintenance.CompareAndSwap(true, false) {
-		c.log.Info(ctx, logs.FrostFSNodeStoppedLocalNodesMaintenance)
+		c.log.Info(logs.FrostFSNodeStoppedLocalNodesMaintenance)
 	}
 }
 
@@ -591,6 +591,8 @@ type cfgMorph struct {
 
 	client *client.Client
 
+	notaryEnabled bool
+
 	// TTL of Sidechain cached values. Non-positive value disables caching.
 	cacheTTL time.Duration
 
@@ -609,7 +611,6 @@ type cfgContainer struct {
 	parsers     map[event.Type]event.NotificationParser
 	subscribers map[event.Type][]event.Handler
 	workerPool  util.WorkerPool // pool for asynchronous handlers
-	containerBatchSize uint32
 }
 
 type cfgFrostfsID struct {
@@ -641,6 +642,8 @@ type cfgObject struct {
 
 	cnrSource container.Source
 
+	eaclSource container.EACLSource
+
 	cfgAccessPolicyEngine cfgAccessPolicyEngine
 
 	pool cfgObjectRoutines
@@ -698,12 +701,13 @@ func initCfg(appCfg *config.Config) *cfg {
 
 	netState.metrics = c.metricsCollector
 
-	logPrm := c.loggerPrm()
+	logPrm, err := c.loggerPrm()
+	fatalOnErr(err)
 	logPrm.SamplingHook = c.metricsCollector.LogMetrics().GetSamplingHook()
 	log, err := logger.NewLogger(logPrm)
 	fatalOnErr(err)
 	if loggerconfig.ToLokiConfig(appCfg).Enabled {
-		log.WithOptions(zap.WrapCore(func(core zapcore.Core) zapcore.Core {
+		log.Logger = log.Logger.WithOptions(zap.WrapCore(func(core zapcore.Core) zapcore.Core {
 			lokiCore := lokicore.New(core, loggerconfig.ToLokiConfig(appCfg))
 			return lokiCore
 		}))
@@ -853,7 +857,7 @@ func initFrostfsID(appCfg *config.Config) cfgFrostfsID {
 
 func initCfgGRPC() cfgGRPC {
 	maxChunkSize := uint64(maxMsgSize) * 3 / 4          // 25% to meta, 75% to payload
-	maxAddrAmount := maxChunkSize / addressSize // each address is about 72 bytes
+	maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes
 
 	return cfgGRPC{
 		maxChunkSize:  maxChunkSize,
@@ -1058,7 +1062,7 @@ func (c *cfg) getShardOpts(ctx context.Context, shCfg shardCfg) shardOptsWithID
 	return sh
 }
 
-func (c *cfg) loggerPrm() *logger.Prm {
+func (c *cfg) loggerPrm() (*logger.Prm, error) {
 	// check if it has been inited before
 	if c.dynamicConfiguration.logger == nil {
 		c.dynamicConfiguration.logger = new(logger.Prm)
@@ -1077,7 +1081,7 @@ func (c *cfg) loggerPrm() *logger.Prm {
 	}
 	c.dynamicConfiguration.logger.PrependTimestamp = c.LoggerCfg.timestamp
 
-	return c.dynamicConfiguration.logger
+	return c.dynamicConfiguration.logger, nil
 }
 
 func (c *cfg) LocalAddress() network.AddressGroup {
@@ -1087,7 +1091,7 @@ func (c *cfg) LocalAddress() network.AddressGroup {
 func initLocalStorage(ctx context.Context, c *cfg) {
 	ls := engine.New(c.engineOpts()...)
 
-	addNewEpochAsyncNotificationHandler(c, func(ctx context.Context, ev event.Event) {
+	addNewEpochAsyncNotificationHandler(c, func(ev event.Event) {
 		ls.HandleNewEpoch(ctx, ev.(netmap2.NewEpoch).EpochNumber())
 	})
 
@@ -1101,10 +1105,10 @@ func initLocalStorage(ctx context.Context, c *cfg) {
 			shard.WithTombstoneSource(c.createTombstoneSource()),
 			shard.WithContainerInfoProvider(c.createContainerInfoProvider(ctx)))...)
 		if err != nil {
-			c.log.Error(ctx, logs.FrostFSNodeFailedToAttachShardToEngine, zap.Error(err))
+			c.log.Error(logs.FrostFSNodeFailedToAttachShardToEngine, zap.Error(err))
 		} else {
 			shardsAttached++
-			c.log.Info(ctx, logs.FrostFSNodeShardAttachedToEngine, zap.Stringer("id", id))
+			c.log.Info(logs.FrostFSNodeShardAttachedToEngine, zap.Stringer("id", id))
 		}
 	}
 	if shardsAttached == 0 {
@@ -1114,23 +1118,23 @@ func initLocalStorage(ctx context.Context, c *cfg) {
 	c.cfgObject.cfgLocalStorage.localStorage = ls
 
 	c.onShutdown(func() {
-		c.log.Info(ctx, logs.FrostFSNodeClosingComponentsOfTheStorageEngine)
+		c.log.Info(logs.FrostFSNodeClosingComponentsOfTheStorageEngine)
 
 		err := ls.Close(context.WithoutCancel(ctx))
 		if err != nil {
-			c.log.Info(ctx, logs.FrostFSNodeStorageEngineClosingFailure,
+			c.log.Info(logs.FrostFSNodeStorageEngineClosingFailure,
-				zap.Error(err),
+				zap.String("error", err.Error()),
 			)
 		} else {
-			c.log.Info(ctx, logs.FrostFSNodeAllComponentsOfTheStorageEngineClosedSuccessfully)
+			c.log.Info(logs.FrostFSNodeAllComponentsOfTheStorageEngineClosedSuccessfully)
 		}
 	})
 }
 
-func initAccessPolicyEngine(ctx context.Context, c *cfg) {
+func initAccessPolicyEngine(_ context.Context, c *cfg) {
 	var localOverrideDB chainbase.LocalOverrideDatabase
 	if nodeconfig.PersistentPolicyRules(c.appCfg).Path() == "" {
-		c.log.Warn(ctx, logs.FrostFSNodePersistentRuleStorageDBPathIsNotSetInmemoryWillBeUsed)
+		c.log.Warn(logs.FrostFSNodePersistentRuleStorageDBPathIsNotSetInmemoryWillBeUsed)
 		localOverrideDB = chainbase.NewInmemoryLocalOverrideDatabase()
 	} else {
 		localOverrideDB = chainbase.NewBoltLocalOverrideDatabase(
@@ -1146,7 +1150,7 @@ func initAccessPolicyEngine(ctx context.Context, c *cfg) {
 		c.cfgObject.cfgAccessPolicyEngine.policyContractHash)
 
 	cacheSize := morphconfig.APEChainCacheSize(c.appCfg)
-	if cacheSize > 0 && c.cfgMorph.cacheTTL > 0 {
+	if cacheSize > 0 {
 		morphRuleStorage = newMorphCache(morphRuleStorage, int(cacheSize), c.cfgMorph.cacheTTL)
 	}
 
@@ -1155,7 +1159,7 @@ func initAccessPolicyEngine(ctx context.Context, c *cfg) {
 
 	c.onShutdown(func() {
 		if err := ape.LocalOverrideDatabaseCore().Close(); err != nil {
-			c.log.Warn(ctx, logs.FrostFSNodeAccessPolicyEngineClosingFailure,
+			c.log.Warn(logs.FrostFSNodeAccessPolicyEngineClosingFailure,
 				zap.Error(err),
 			)
 		}
@@ -1204,12 +1208,12 @@ func (c *cfg) setContractNodeInfo(ni *netmap.NodeInfo) {
 	c.cfgNetmap.state.setNodeInfo(ni)
 }
 
-func (c *cfg) updateContractNodeInfo(ctx context.Context, epoch uint64) {
+func (c *cfg) updateContractNodeInfo(epoch uint64) {
 	ni, err := c.netmapLocalNodeState(epoch)
 	if err != nil {
-		c.log.Error(ctx, logs.FrostFSNodeCouldNotUpdateNodeStateOnNewEpoch,
+		c.log.Error(logs.FrostFSNodeCouldNotUpdateNodeStateOnNewEpoch,
 			zap.Uint64("epoch", epoch),
-			zap.Error(err))
+			zap.String("error", err.Error()))
 		return
 	}
 
@@ -1219,37 +1223,41 @@ func (c *cfg) updateContractNodeInfo(ctx context.Context, epoch uint64) {
 // bootstrapWithState calls "addPeer" method of the Sidechain Netmap contract
 // with the binary-encoded information from the current node's configuration.
 // The state is set using the provided setter which MUST NOT be nil.
-func (c *cfg) bootstrapWithState(ctx context.Context, state netmap.NodeState) error {
+func (c *cfg) bootstrapWithState(stateSetter func(*netmap.NodeInfo)) error {
 	ni := c.cfgNodeInfo.localInfo
-	ni.SetStatus(state)
+	stateSetter(&ni)
 
 	prm := nmClient.AddPeerPrm{}
 	prm.SetNodeInfo(ni)
 
-	return c.cfgNetmap.wrapper.AddPeer(ctx, prm)
+	return c.cfgNetmap.wrapper.AddPeer(prm)
 }
 
 // bootstrapOnline calls cfg.bootstrapWithState with "online" state.
-func bootstrapOnline(ctx context.Context, c *cfg) error {
+func bootstrapOnline(c *cfg) error {
-	return c.bootstrapWithState(ctx, netmap.Online)
+	return c.bootstrapWithState(func(ni *netmap.NodeInfo) {
+		ni.SetStatus(netmap.Online)
+	})
 }
 
 // bootstrap calls bootstrapWithState with:
 //   - "maintenance" state if maintenance is in progress on the current node
 //   - "online", otherwise
-func (c *cfg) bootstrap(ctx context.Context) error {
+func (c *cfg) bootstrap() error {
 	// switch to online except when under maintenance
 	st := c.cfgNetmap.state.controlNetmapStatus()
 	if st == control.NetmapStatus_MAINTENANCE {
-		c.log.Info(ctx, logs.FrostFSNodeBootstrappingWithTheMaintenanceState)
+		c.log.Info(logs.FrostFSNodeBootstrappingWithTheMaintenanceState)
-		return c.bootstrapWithState(ctx, netmap.Maintenance)
+		return c.bootstrapWithState(func(ni *netmap.NodeInfo) {
+			ni.SetStatus(netmap.Maintenance)
+		})
 	}
 
-	c.log.Info(ctx, logs.FrostFSNodeBootstrappingWithOnlineState,
+	c.log.Info(logs.FrostFSNodeBootstrappingWithOnlineState,
 		zap.Stringer("previous", st),
 	)
 
-	return bootstrapOnline(ctx, c)
+	return bootstrapOnline(c)
 }
 
 // needBootstrap checks if local node should be registered in network on bootup.
@@ -1274,19 +1282,19 @@ func (c *cfg) signalWatcher(ctx context.Context) {
 		// signals causing application to shut down should have priority over
 		// reconfiguration signal
 		case <-ch:
-			c.log.Info(ctx, logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
+			c.log.Info(logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
 
-			c.shutdown(ctx)
+			c.shutdown()
 
-			c.log.Info(ctx, logs.FrostFSNodeTerminationSignalProcessingIsComplete)
+			c.log.Info(logs.FrostFSNodeTerminationSignalProcessingIsComplete)
 			return
 		case err := <-c.internalErr: // internal application error
-			c.log.Warn(ctx, logs.FrostFSNodeInternalApplicationError,
+			c.log.Warn(logs.FrostFSNodeInternalApplicationError,
 				zap.String("message", err.Error()))
 
-			c.shutdown(ctx)
+			c.shutdown()
 
-			c.log.Info(ctx, logs.FrostFSNodeInternalErrorProcessingIsComplete)
+			c.log.Info(logs.FrostFSNodeInternalErrorProcessingIsComplete)
 			return
 		default:
 			// block until any signal is receieved
@@ -1294,19 +1302,19 @@ func (c *cfg) signalWatcher(ctx context.Context) {
 			case <-sighupCh:
 				c.reloadConfig(ctx)
 			case <-ch:
-				c.log.Info(ctx, logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
+				c.log.Info(logs.FrostFSNodeTerminationSignalHasBeenReceivedStopping)
 
-				c.shutdown(ctx)
+				c.shutdown()
 
-				c.log.Info(ctx, logs.FrostFSNodeTerminationSignalProcessingIsComplete)
+				c.log.Info(logs.FrostFSNodeTerminationSignalProcessingIsComplete)
 				return
 			case err := <-c.internalErr: // internal application error
-				c.log.Warn(ctx, logs.FrostFSNodeInternalApplicationError,
+				c.log.Warn(logs.FrostFSNodeInternalApplicationError,
 					zap.String("message", err.Error()))
 
-				c.shutdown(ctx)
+				c.shutdown()
 
-				c.log.Info(ctx, logs.FrostFSNodeInternalErrorProcessingIsComplete)
+				c.log.Info(logs.FrostFSNodeInternalErrorProcessingIsComplete)
 				return
 			}
 		}
@@ -1314,17 +1322,17 @@ func (c *cfg) signalWatcher(ctx context.Context) {
 }
 
 func (c *cfg) reloadConfig(ctx context.Context) {
-	c.log.Info(ctx, logs.FrostFSNodeSIGHUPHasBeenReceivedRereadingConfiguration)
+	c.log.Info(logs.FrostFSNodeSIGHUPHasBeenReceivedRereadingConfiguration)
 
-	if !c.compareAndSwapHealthStatus(ctx, control.HealthStatus_READY, control.HealthStatus_RECONFIGURING) {
+	if !c.compareAndSwapHealthStatus(control.HealthStatus_READY, control.HealthStatus_RECONFIGURING) {
-		c.log.Info(ctx, logs.FrostFSNodeSIGHUPSkip)
+		c.log.Info(logs.FrostFSNodeSIGHUPSkip)
 		return
 	}
-	defer c.compareAndSwapHealthStatus(ctx, control.HealthStatus_RECONFIGURING, control.HealthStatus_READY)
+	defer c.compareAndSwapHealthStatus(control.HealthStatus_RECONFIGURING, control.HealthStatus_READY)
 
 	err := c.reloadAppConfig()
 	if err != nil {
-		c.log.Error(ctx, logs.FrostFSNodeConfigurationReading, zap.Error(err))
+		c.log.Error(logs.FrostFSNodeConfigurationReading, zap.Error(err))
 		return
 	}
 
@@ -1333,7 +1341,11 @@ func (c *cfg) reloadConfig(ctx context.Context) {
 
 	// Logger
 
-	logPrm := c.loggerPrm()
+	logPrm, err := c.loggerPrm()
+	if err != nil {
+		c.log.Error(logs.FrostFSNodeLoggerConfigurationPreparation, zap.Error(err))
+		return
+	}
 
 	components := c.getComponents(ctx, logPrm)
 
@@ -1352,25 +1364,25 @@ func (c *cfg) reloadConfig(ctx context.Context) {
 
 	err = c.cfgObject.cfgLocalStorage.localStorage.Reload(ctx, rcfg)
 	if err != nil {
-		c.log.Error(ctx, logs.FrostFSNodeStorageEngineConfigurationUpdate, zap.Error(err))
+		c.log.Error(logs.FrostFSNodeStorageEngineConfigurationUpdate, zap.Error(err))
 		return
 	}
 
 	for _, component := range components {
 		err = component.reloadFunc()
 		if err != nil {
-			c.log.Error(ctx, logs.FrostFSNodeUpdatedConfigurationApplying,
+			c.log.Error(logs.FrostFSNodeUpdatedConfigurationApplying,
 				zap.String("component", component.name),
 				zap.Error(err))
 		}
 	}
 
 	if err := c.dialerSource.Update(internalNetConfig(c.appCfg, c.metricsCollector.MultinetMetrics())); err != nil {
-		c.log.Error(ctx, logs.FailedToUpdateMultinetConfiguration, zap.Error(err))
+		c.log.Error(logs.FailedToUpdateMultinetConfiguration, zap.Error(err))
 		return
 	}
 
-	c.log.Info(ctx, logs.FrostFSNodeConfigurationHasBeenReloadedSuccessfully)
+	c.log.Info(logs.FrostFSNodeConfigurationHasBeenReloadedSuccessfully)
 }
 
 func (c *cfg) getComponents(ctx context.Context, logPrm *logger.Prm) []dCmp {
@@ -1378,7 +1390,7 @@ func (c *cfg) getComponents(ctx context.Context, logPrm *logger.Prm) []dCmp {
 
 	components = append(components, dCmp{"logger", logPrm.Reload})
 	components = append(components, dCmp{"runtime", func() error {
-		setRuntimeParameters(ctx, c)
+		setRuntimeParameters(c)
 		return nil
 	}})
 	components = append(components, dCmp{"audit", func() error {
@@ -1393,7 +1405,7 @@ func (c *cfg) getComponents(ctx context.Context, logPrm *logger.Prm) []dCmp {
 		}
 		updated, err := tracing.Setup(ctx, *traceConfig)
 		if updated {
-			c.log.Info(ctx, logs.FrostFSNodeTracingConfigationUpdated)
+			c.log.Info(logs.FrostFSNodeTracingConfigationUpdated)
 		}
 		return err
 	}})
@@ -1428,7 +1440,7 @@ func (c *cfg) reloadPools() error {
 func (c *cfg) reloadPool(p *ants.Pool, newSize int, name string) {
 	oldSize := p.Cap()
 	if oldSize != newSize {
-		c.log.Info(context.Background(), logs.FrostFSNodePoolConfigurationUpdate, zap.String("field", name),
+		c.log.Info(logs.FrostFSNodePoolConfigurationUpdate, zap.String("field", name),
 			zap.Int("old", oldSize), zap.Int("new", newSize))
 		p.Tune(newSize)
 	}
@@ -1456,7 +1468,7 @@ func (c *cfg) createTombstoneSource() *tombstone.ExpirationChecker {
 func (c *cfg) createContainerInfoProvider(ctx context.Context) container.InfoProvider {
 	return container.NewInfoProvider(func() (container.Source, error) {
 		c.initMorphComponents(ctx)
-		cc, err := containerClient.NewFromMorph(c.cfgMorph.client, c.cfgContainer.scriptHash, 0)
+		cc, err := containerClient.NewFromMorph(c.cfgMorph.client, c.cfgContainer.scriptHash, 0, containerClient.TryNotary())
 		if err != nil {
 			return nil, err
 		}
@@ -1464,14 +1476,14 @@ func (c *cfg) createContainerInfoProvider(ctx context.Context) container.InfoPro
 	})
 }
 
-func (c *cfg) shutdown(ctx context.Context) {
+func (c *cfg) shutdown() {
-	old := c.swapHealthStatus(ctx, control.HealthStatus_SHUTTING_DOWN)
+	old := c.swapHealthStatus(control.HealthStatus_SHUTTING_DOWN)
 	if old == control.HealthStatus_SHUTTING_DOWN {
-		c.log.Info(ctx, logs.FrostFSNodeShutdownSkip)
+		c.log.Info(logs.FrostFSNodeShutdownSkip)
 		return
 	}
 	if old == control.HealthStatus_STARTING {
-		c.log.Warn(ctx, logs.FrostFSNodeShutdownWhenNotReady)
+		c.log.Warn(logs.FrostFSNodeShutdownWhenNotReady)
 	}
 
 	c.ctxCancel()
@@ -1481,6 +1493,6 @@ func (c *cfg) shutdown(ctx context.Context) {
 	}
 
 	if err := sdnotify.ClearStatus(); err != nil {
-		c.log.Error(ctx, logs.FailedToReportStatusToSystemd, zap.Error(err))
+		c.log.Error(logs.FailedToReportStatusToSystemd, zap.Error(err))
 	}
 }

cmd/frostfs-node/config/calls.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"slices"
 	"strings"
 
 	configViper "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/config"
@@ -53,5 +52,6 @@ func (x *Config) Value(name string) any {
 // It supports only one level of nesting and is intended to be used
 // to provide default values.
 func (x *Config) SetDefault(from *Config) {
-	x.defaultPath = slices.Clone(from.path)
+	x.defaultPath = make([]string, len(from.path))
+	copy(x.defaultPath, from.path)
 }

cmd/frostfs-node/config/container/container.go

@@ -1,27 +0,0 @@
-package containerconfig
-
-import "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
-
-const (
-	subsection           = "container"
-	listStreamSubsection = "list_stream"
-
-	// ContainerBatchSizeDefault represents the maximum amount of containers to send via stream at once.
-	ContainerBatchSizeDefault = 1000
-)
-
-// ContainerBatchSize returns the value of "batch_size" config parameter
-// from "list_stream" subsection of "container" section.
-//
-// Returns ContainerBatchSizeDefault if the value is missing or if
-// the value is not positive integer.
-func ContainerBatchSize(c *config.Config) uint32 {
-	if c.Sub(subsection).Sub(listStreamSubsection).Value("batch_size") == nil {
-		return ContainerBatchSizeDefault
-	}
-	size := config.Uint32Safe(c.Sub(subsection).Sub(listStreamSubsection), "batch_size")
-	if size == 0 {
-		return ContainerBatchSizeDefault
-	}
-	return size
-}

cmd/frostfs-node/config/container/container_test.go

@@ -1,27 +0,0 @@
-package containerconfig_test
-
-import (
-	"testing"
-
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
-	containerconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/container"
-	configtest "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/test"
-	"github.com/stretchr/testify/require"
-)
-
-func TestContainerSection(t *testing.T) {
-	t.Run("defaults", func(t *testing.T) {
-		empty := configtest.EmptyConfig()
-		require.Equal(t, uint32(containerconfig.ContainerBatchSizeDefault), containerconfig.ContainerBatchSize(empty))
-	})
-
-	const path = "../../../../config/example/node"
-	fileConfigTest := func(c *config.Config) {
-		require.Equal(t, uint32(500), containerconfig.ContainerBatchSize(c))
-	}
-
-	configtest.ForEachFileType(path, fileConfigTest)
-	t.Run("ENV", func(t *testing.T) {
-		configtest.ForEnvFileType(t, path, fileConfigTest)
-	})
-}

cmd/frostfs-node/config/engine/config.go

@@ -41,10 +41,6 @@ func IterateShards(c *config.Config, required bool, f func(*shardconfig.Config)
 			c.Sub(si),
 		)
 
-		if sc.Mode() == mode.Disabled {
-			continue
-		}
-
 		// Path for the blobstor can't be present in the default section, because different shards
 		// must have different paths, so if it is missing, the shard is not here.
 		// At the same time checking for "blobstor" section doesn't work proper
@@ -54,6 +50,10 @@ func IterateShards(c *config.Config, required bool, f func(*shardconfig.Config)
 		}
 		(*config.Config)(sc).SetDefault(def)
 
+		if sc.Mode() == mode.Disabled {
+			continue
+		}
+
 		if err := f(sc); err != nil {
 			return err
 		}

cmd/frostfs-node/config/engine/config_test.go

@@ -18,22 +18,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestIterateShards(t *testing.T) {
-	fileConfigTest := func(c *config.Config) {
-		var res []string
-		require.NoError(t,
-			engineconfig.IterateShards(c, false, func(sc *shardconfig.Config) error {
-				res = append(res, sc.Metabase().Path())
-				return nil
-			}))
-		require.Equal(t, []string{"abc", "xyz"}, res)
-	}
-
-	const cfgDir = "./testdata/shards"
-	configtest.ForEachFileType(cfgDir, fileConfigTest)
-	configtest.ForEnvFileType(t, cfgDir, fileConfigTest)
-}
-
 func TestEngineSection(t *testing.T) {
 	t.Run("defaults", func(t *testing.T) {
 		empty := configtest.EmptyConfig()

cmd/frostfs-node/config/engine/testdata/shards.env

@@ -1,3 +0,0 @@
-FROSTFS_STORAGE_SHARD_0_METABASE_PATH=abc
-FROSTFS_STORAGE_SHARD_1_MODE=disabled
-FROSTFS_STORAGE_SHARD_2_METABASE_PATH=xyz

cmd/frostfs-node/config/engine/testdata/shards.json

@@ -1,13 +0,0 @@
-{
-  "storage.shard": {
-    "0": {
-      "metabase.path": "abc"
-    },
-    "1": {
-      "mode": "disabled"
-    },
-    "2": {
-      "metabase.path": "xyz"
-    }
-  }
-}

cmd/frostfs-node/config/engine/testdata/shards.yaml

@@ -1,7 +0,0 @@
-storage.shard:
-  0:
-    metabase.path: abc
-  1:
-    mode: disabled
-  2:
-    metabase.path: xyz

cmd/frostfs-node/config/node/config.go

@@ -198,7 +198,7 @@ func (l PersistentPolicyRulesConfig) Path() string {
 //
 // Returns PermDefault if the value is not a positive number.
 func (l PersistentPolicyRulesConfig) Perm() fs.FileMode {
-	p := config.UintSafe(l.cfg, "perm")
+	p := config.UintSafe((*config.Config)(l.cfg), "perm")
 	if p == 0 {
 		p = PermDefault
 	}
@@ -210,7 +210,7 @@ func (l PersistentPolicyRulesConfig) Perm() fs.FileMode {
 //
 // Returns false if the value is not a boolean.
 func (l PersistentPolicyRulesConfig) NoSync() bool {
-	return config.BoolSafe(l.cfg, "no_sync")
+	return config.BoolSafe((*config.Config)(l.cfg), "no_sync")
 }
 
 // CompatibilityMode returns true if need to run node in compatibility with previous versions mode.