[#1467] node: Break notary deposit wait after VUB

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>

.docker/Dockerfile.adm

@@ -1,4 +1,4 @@
-FROM golang:1.21 as builder
+FROM golang:1.23 AS builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository

.docker/Dockerfile.ci

@@ -1,4 +1,4 @@
-FROM golang:1.21
+FROM golang:1.23
 
 WORKDIR /tmp
 

.docker/Dockerfile.cli

@@ -1,4 +1,4 @@
-FROM golang:1.21 as builder
+FROM golang:1.23 AS builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository

.docker/Dockerfile.ir

@@ -1,4 +1,4 @@
-FROM golang:1.21 as builder
+FROM golang:1.23 AS builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository

.docker/Dockerfile.storage

@@ -1,4 +1,4 @@
-FROM golang:1.21 as builder
+FROM golang:1.23 AS builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository

.forgejo/workflows/build.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go_versions: [ '1.20', '1.21' ]
+        go_versions: [ '1.22', '1.23' ]
 
     steps:
       - uses: actions/checkout@v3

.forgejo/workflows/dco.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Run commit format checker
         uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3

.forgejo/workflows/pre-commit.yml

@@ -0,0 +1,25 @@
+name: Pre-commit hooks
+on: [pull_request]
+
+jobs:
+  precommit:
+    name: Pre-commit
+    env:
+      # Skip pre-commit hooks which are executed by other actions.
+      SKIP: make-lint,go-staticcheck-repo-mod,go-unit-tests,gofumpt
+    runs-on: ubuntu-22.04
+    # If we use actions/setup-python from either Github or Gitea,
+    # the line above fails with a cryptic error about not being able to find python.
+    # So install everything manually.
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.23
+      - name: Set up Python
+        run: |
+          apt update
+          apt install -y pre-commit
+      - name: Run pre-commit
+        run: pre-commit run --color=always --hook-stage manual --all-files

.forgejo/workflows/tests.yml

@@ -11,7 +11,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.23'
           cache: true
 
       - name: Install linters
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go_versions: [ '1.20', '1.21' ]
+        go_versions: [ '1.22', '1.23' ]
       fail-fast: false
     steps:
       - uses: actions/checkout@v3
@@ -48,7 +48,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           cache: true
 
       - name: Run tests
@@ -63,7 +63,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.23'
           cache: true
 
       - name: Install staticcheck
@@ -81,7 +81,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           cache: true
 
       - name: Install gopls
@@ -89,3 +89,23 @@ jobs:
 
       - name: Run gopls
         run: make gopls-run
+
+  fumpt:
+    name: Run gofumpt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.23'
+          cache: true
+
+      - name: Install gofumpt
+        run: make fumpt-install
+
+      - name: Run gofumpt
+        run: |
+          make fumpt
+          git diff --exit-code --quiet

.forgejo/workflows/vulncheck.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.21'
+          go-version: '1.23'
 
       - name: Install govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

.gitlint

@@ -1,11 +0,0 @@
-[general]
-fail-without-commits=True
-regex-style-search=True
-contrib=CC1
-
-[title-match-regex]
-regex=^\[\#[0-9Xx]+\]\s
-
-[ignore-by-title]
-regex=^Release(.*)
-ignore=title-match-regex

.golangci.yml

@@ -12,7 +12,8 @@ run:
 # output configuration options
 output:
   # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: tab
+  formats:
+    - format: tab
 
 # all available settings of specific linters
 linters-settings:
@@ -37,6 +38,10 @@ linters-settings:
     alias:
       pkg: git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object
       alias: objectSDK
+  unused:
+    field-writes-are-uses: false
+    exported-fields-are-used: false
+    local-variables-are-used: false
   custom:
     truecloudlab-linters:
       path: bin/linters/external_linters.so
@@ -66,7 +71,7 @@ linters:
     - bidichk
     - durationcheck
     - exhaustive
-    - exportloopref
+    - copyloopvar
     - gofmt
     - goimports
     - misspell
@@ -82,5 +87,7 @@ linters:
     - perfsprint
     - testifylint
     - protogetter
+    - intrange
+    - tenv
   disable-all: true
   fast: false

.pre-commit-config.yaml

@@ -2,13 +2,6 @@ ci:
   autofix_prs: false
 
 repos:
-  - repo: https://github.com/jorisroovers/gitlint
-    rev:  v0.19.1
-    hooks:
-      - id: gitlint
-        stages: [commit-msg]
-      - id: gitlint-ci
-
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0
     hooks:
@@ -23,7 +16,7 @@ repos:
     - id: trailing-whitespace
       args: [--markdown-linebreak-ext=md]
     - id: end-of-file-fixer
-      exclude: ".key$"
+      exclude: "(.key|.svg)$"
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
     rev: v0.9.0.6
@@ -42,7 +35,7 @@ repos:
     hooks:
        - id: go-unit-tests
          name: go unit tests
-         entry: make test
+         entry: make test GOFLAGS=''
          pass_filenames: false
          types: [go]
          language: system

.woodpecker/pre-commit.yml

@@ -1,11 +0,0 @@
-pipeline:
-  # Kludge for non-root containers under WoodPecker
-  fix-ownership:
-    image: alpine:latest
-    commands: chown -R 1234:1234 .
-
-  pre-commit:
-    image: git.frostfs.info/truecloudlab/frostfs-ci:v0.36
-    commands:
-      - export HOME="$(getent passwd $(id -u) | cut '-d:' -f6)"
-      - pre-commit run --hook-stage manual

CHANGELOG.md

@@ -9,7 +9,75 @@ Changelog for FrostFS Node
 ### Removed
 ### Updated
 
-## [v0.38.0-rc.2]
+## [v0.42.0]
+
+### Added
+- Add audit logs for gRPC requests (#1184)
+- Add CLI command to convert eACL to APE (#1189)
+- Add `--await` flag to `control set-status` (#60)
+- `app_info` metric for binary version (#1154)
+- `--quiet` flag for healthcheck command (#1209)
+
+### Changed
+- Deprecate Container.SetEACL RPC (#1219)
+
+### Fixed
+- Take groups into account during APE processing (#1190)
+- Handle double SIGHUP correctly (#1145)
+- Handle empty filenames in tree listing (#1074)
+- Handle duplicate tree nodes in the split-brain scenario (#1234, #1251)
+- Remove APE pre-check in Object.GET/HEAD/RANGE RPC (#1249)
+- Delete EC gc marks and split info (#1257)
+- Do not search for non-existent objects on deletion (#1261)
+
+### Updated
+- Make putting EC chunks more robust (#1233)
+
+## [v0.41.0]
+
+### Added
+- Support mTLS for morph client (#1170)
+
+### Fixed
+- Update shard state metric during shard init (#1174)
+- Handle ENOSPC in blobovnicza (#1166)
+- Handle multiple split-infos for EC objects (#1163)
+- Set `Disabled` mode as the default for components (#1168)
+
+## [v0.40.0]
+
+### Added
+- Support EC chunk reconstruction in policer (#1129)
+- Support LOCK, DELETE and SEARCH methods on EC objects (#1147, 1144)
+- apemanager service to manage APE chains (#1105)
+
+### Fixed
+- Properly verify GetRangeHash response (#1083)
+- Send `MONOTONIC_USEC` in sdnotify on reload (#1135)
+
+### Updated
+- neo-go to `v0.106.0`
+
+## [v0.39.0]
+
+### Added
+- Preliminary erasure coding support (#1065, #1112, #1103, #1120)
+- TTL cache for blobovnicza tree (#1004)
+- Cache for frostfsid and policy contracts (#1117)
+- Writecache path to metric labels (#966)
+- Documentation for authentication mechanisms (#1097, #1104)
+- Metrics for metabase resync status (#1029)
+
+### Changed
+- Speed up metabase resync (#1024)
+
+### Fixed
+- Possible panic in GET_RANGE (#1077)
+
+### Updated
+- Minimum required Go version to 1.21
+
+## [v0.38.0]
 
 ### Added
 - Add `trace_id` to logs in `frostfs-node` (#146)
@@ -18,6 +86,7 @@ Changelog for FrostFS Node
 - Allow sealing writecache (#569)
 - Support tree service in data evacuation (#947)
 - Use new policy engine mechanism for access control (#770, #804)
+- Log about active notary deposit waiting (#963)
 
 ### Changed
 - Sort output in `frostfs-cli` subcommands (#333)

Makefile

@@ -4,20 +4,19 @@ SHELL = bash
 REPO ?= $(shell go list -m)
 VERSION ?= $(shell git describe --tags --dirty --match "v*" --always --abbrev=8 2>/dev/null || cat VERSION 2>/dev/null || echo "develop")
 
-HUB_IMAGE ?= truecloudlab/frostfs
+HUB_IMAGE ?= git.frostfs.info/truecloudlab/frostfs
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"
 
-GO_VERSION ?= 1.21
+GO_VERSION ?= 1.22
-LINT_VERSION ?= 1.55.2
+LINT_VERSION ?= 1.61.0
-TRUECLOUDLAB_LINT_VERSION ?= 0.0.3
+TRUECLOUDLAB_LINT_VERSION ?= 0.0.7
 PROTOC_VERSION ?= 25.0
-PROTOC_GEN_GO_VERSION ?= $(shell go list -f '{{.Version}}' -m google.golang.org/protobuf)
 PROTOGEN_FROSTFS_VERSION ?= $(shell go list -f '{{.Version}}' -m git.frostfs.info/TrueCloudLab/frostfs-api-go/v2)
 PROTOC_OS_VERSION=osx-x86_64
 ifeq ($(shell uname), Linux)
 	PROTOC_OS_VERSION=linux-x86_64
 endif
-STATICCHECK_VERSION ?= 2023.1.6
+STATICCHECK_VERSION ?= 2024.1.1
 ARCH = amd64
 
 BIN = bin
@@ -28,32 +27,32 @@ DIRS = $(BIN) $(RELEASE)
 CMDS = $(notdir $(basename $(wildcard cmd/frostfs-*)))
 BINS = $(addprefix $(BIN)/, $(CMDS))
 
-# .deb package versioning
-OS_RELEASE = $(shell lsb_release -cs)
-PKG_VERSION ?= $(shell echo $(VERSION) | sed "s/^v//" | \
-			sed -E "s/(.*)-(g[a-fA-F0-9]{6,8})(.*)/\1\3~\2/" | \
-			sed "s/-/~/")-${OS_RELEASE}
-
 OUTPUT_LINT_DIR ?= $(abspath $(BIN))/linters
 LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
 TMP_DIR := .cache
 PROTOBUF_DIR ?= $(abspath $(BIN))/protobuf
 PROTOC_DIR ?= $(PROTOBUF_DIR)/protoc-v$(PROTOC_VERSION)
-PROTOC_GEN_GO_DIR ?= $(PROTOBUF_DIR)/protoc-gen-go-$(PROTOC_GEN_GO_VERSION)
 PROTOGEN_FROSTFS_DIR ?= $(PROTOBUF_DIR)/protogen-$(PROTOGEN_FROSTFS_VERSION)
 STATICCHECK_DIR ?= $(abspath $(BIN))/staticcheck
 STATICCHECK_VERSION_DIR ?= $(STATICCHECK_DIR)/$(STATICCHECK_VERSION)
 
+SOURCES = $(shell find . -type f -name "*.go" -print)
+
+GOFUMPT_VERSION ?= v0.7.0
+GOFUMPT_DIR ?= $(abspath $(BIN))/gofumpt
+GOFUMPT_VERSION_DIR ?= $(GOFUMPT_DIR)/$(GOFUMPT_VERSION)
+
 GOPLS_VERSION ?= v0.15.1
 GOPLS_DIR ?= $(abspath $(BIN))/gopls
 GOPLS_VERSION_DIR ?= $(GOPLS_DIR)/$(GOPLS_VERSION)
+GOPLS_TEMP_FILE := $(shell mktemp)
 
 FROSTFS_CONTRACTS_PATH=$(abspath ./../frostfs-contract)
 LOCODE_DB_PATH=$(abspath ./.cache/locode_db)
 LOCODE_DB_VERSION=v0.4.0
 
 .PHONY: help all images dep clean fmts fumpt imports test lint docker/lint
-		prepare-release debpackage pre-commit unpre-commit
+		prepare-release pre-commit unpre-commit
 
 # To build a specific binary, use it's name prefix with bin/ as a target
 # For example `make bin/frostfs-node` will build only storage node binary
@@ -100,21 +99,20 @@ export-metrics: dep
 
 # Regenerate proto files:
 protoc:
-	@if [ ! -d "$(PROTOC_DIR)" ] || [ ! -d "$(PROTOC_GEN_GO_DIR)" ] || [ ! -d "$(PROTOGEN_FROSTFS_DIR)" ]; then \
+	@if [ ! -d "$(PROTOC_DIR)" ] || [ ! -d "$(PROTOGEN_FROSTFS_DIR)" ]; then \
 		make protoc-install; \
 	fi
 	@for f in `find . -type f -name '*.proto' -not -path './bin/*'`; do \
 		echo "⇒ Processing $$f "; \
 		$(PROTOC_DIR)/bin/protoc \
 			--proto_path=.:$(PROTOC_DIR)/include:/usr/local/include \
-			--plugin=protoc-gen-go=$(PROTOC_GEN_GO_DIR)/protoc-gen-go \
 			--plugin=protoc-gen-go-frostfs=$(PROTOGEN_FROSTFS_DIR)/protogen \
 			--go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
-			--go_out=. --go_opt=paths=source_relative \
 			--go-grpc_opt=require_unimplemented_servers=false \
 			--go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
 
+# Install protoc
 protoc-install:
 	@rm -rf $(PROTOBUF_DIR)
 	@mkdir $(PROTOBUF_DIR)
@@ -122,8 +120,6 @@ protoc-install:
 	@wget -q -O $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip 'https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(PROTOC_OS_VERSION).zip'
 	@unzip -q -o $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip -d $(PROTOC_DIR)
 	@rm $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip
-	@echo "⇒ Installing protoc-gen-go..."
-	@GOBIN=$(PROTOC_GEN_GO_DIR) go install -v google.golang.org/protobuf/...@$(PROTOC_GEN_GO_VERSION)
 	@echo "⇒ Instaling protogen FrostFS plugin..."
 	@GOBIN=$(PROTOGEN_FROSTFS_DIR) go install -mod=mod -v git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/protogen@$(PROTOGEN_FROSTFS_VERSION)
 
@@ -161,15 +157,27 @@ imports:
 	@echo "⇒ Processing goimports check"
 	@goimports -w cmd/ pkg/ misc/
 
+# Install gofumpt
+fumpt-install:
+	@rm -rf $(GOFUMPT_DIR)
+	@mkdir $(GOFUMPT_DIR)
+	@GOBIN=$(GOFUMPT_VERSION_DIR) go install mvdan.cc/gofumpt@$(GOFUMPT_VERSION)
+
+# Run gofumpt
 fumpt:
+	@if [ ! -d "$(GOFUMPT_VERSION_DIR)" ]; then \
+		make fumpt-install; \
+	fi
 	@echo "⇒ Processing gofumpt check"
-	@gofumpt -l -w cmd/ pkg/ misc/
+	$(GOFUMPT_VERSION_DIR)/gofumpt -l -w cmd/ pkg/ misc/
 
 # Run Unit Test with go test
+test: GOFLAGS ?= "-count=1"
 test:
 	@echo "⇒ Running go test"
-	@go test ./... -count=1
+	@GOFLAGS="$(GOFLAGS)" go test ./...
 
+# Run pre-commit
 pre-commit-run:
 	@pre-commit run -a --hook-stage manual
 
@@ -183,7 +191,7 @@ lint-install:
 	@@make -C $(TMP_DIR)/linters lib CGO_ENABLED=1 OUT_DIR=$(OUTPUT_LINT_DIR)
 	@rm -rf $(TMP_DIR)/linters
 	@rmdir $(TMP_DIR) 2>/dev/null || true
-	@CGO_ENABLED=1 GOBIN=$(LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(LINT_VERSION)
+	@CGO_ENABLED=1 GOBIN=$(LINT_DIR) go install -trimpath github.com/golangci/golangci-lint/cmd/golangci-lint@v$(LINT_VERSION)
 
 # Run linters
 lint:
@@ -205,18 +213,23 @@ staticcheck-run:
 	fi
 	@$(STATICCHECK_VERSION_DIR)/staticcheck ./...
 
+# Install gopls
 gopls-install:
 	@rm -rf $(GOPLS_DIR)
 	@mkdir $(GOPLS_DIR)
 	@GOBIN=$(GOPLS_VERSION_DIR) go install golang.org/x/tools/gopls@$(GOPLS_VERSION)
 
+# Run gopls
 gopls-run:
 	@if [ ! -d "$(GOPLS_VERSION_DIR)" ]; then \
 		make gopls-install; \
 	fi
-	@if [[ $$(find . -type f -name "*.go" -print | xargs $(GOPLS_VERSION_DIR)/gopls check | tee /dev/tty | wc -l) -ne 0 ]]; then \
+	$(GOPLS_VERSION_DIR)/gopls check $(SOURCES) 2>&1 >$(GOPLS_TEMP_FILE)
+	@if [[ $$(wc -l < $(GOPLS_TEMP_FILE)) -ne 0 ]]; then \
+		cat $(GOPLS_TEMP_FILE); \
 		exit 1; \
 	fi
+	rm $(GOPLS_TEMP_FILE)
 
 # Run linters in Docker
 docker/lint:
@@ -244,36 +257,32 @@ clean:
 	rm -rf $(BIN)
 	rm -rf $(RELEASE)
 
-# Package for Debian
+# Download locode database
-debpackage:
-	dch -b --package frostfs-node \
-			--controlmaint \
-			--newversion $(PKG_VERSION) \
-			--distribution $(OS_RELEASE) \
-			"Please see CHANGELOG.md for code changes for $(VERSION)"
-	dpkg-buildpackage --no-sign -b
-
-debclean:
-	dh clean
-
 locode-download:
-	@wget -q -O ./.cache/locode_db.gz 'https://git.frostfs.info/TrueCloudLab/frostfs-locode-db/releases/download/${LOCODE_DB_VERSION}/locode_db.gz'
+	mkdir -p $(TMP_DIR)
-	gzip -dfk ./.cache/locode_db.gz
+	@wget -q -O ./$(TMP_DIR)/locode_db.gz 'https://git.frostfs.info/TrueCloudLab/frostfs-locode-db/releases/download/${LOCODE_DB_VERSION}/locode_db.gz'
+	gzip -dfk ./$(TMP_DIR)/locode_db.gz
 
+# Start dev environment
 env-up: all
 	docker compose -f dev/docker-compose.yml up -d
 	@if [ ! -d "$(FROSTFS_CONTRACTS_PATH)" ]; then \
 		echo "Frostfs contracts not found"; exit 1; \
 	fi
 	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph init --contracts ${FROSTFS_CONTRACTS_PATH}
-	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet.json --gas 10.0
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet01.json --gas 10.0
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet02.json --gas 10.0
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet03.json --gas 10.0
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet04.json --gas 10.0
 	@if [ ! -f "$(LOCODE_DB_PATH)" ]; then \
 		make locode-download; \
 	fi
+	mkdir -p ./$(TMP_DIR)/state
+	mkdir -p ./$(TMP_DIR)/storage
 
+# Shutdown dev environment
 env-down:
 	docker compose -f dev/docker-compose.yml down
 	docker volume rm -f frostfs-node_neo-go
-	rm -f ./.cache/.frostfs-ir-state
+	rm -rf ./$(TMP_DIR)/state
-	rm -f ./.cache/.frostfs-node-state
+	rm -rf ./$(TMP_DIR)/storage
-	rm -rf ./.cache/storage

README.md

@@ -7,9 +7,8 @@
 </p>
 
 ---
-[![Report](https://goreportcard.com/badge/github.com/TrueCloudLab/frostfs-node)](https://goreportcard.com/report/github.com/TrueCloudLab/frostfs-node)
+[![Report](https://goreportcard.com/badge/git.frostfs.info/TrueCloudLab/frostfs-node)](https://goreportcard.com/report/git.frostfs.info/TrueCloudLab/frostfs-node)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/TrueCloudLab/frostfs-node?sort=semver)
+![Release (latest)](https://git.frostfs.info/TrueCloudLab/frostfs-node/badges/release.svg)
-![License](https://img.shields.io/github/license/TrueCloudLab/frostfs-node.svg?style=popout)
 
 # Overview
 
@@ -33,8 +32,8 @@ manipulate large amounts of data without paying a prohibitive price.
 
 FrostFS has a native [gRPC API](https://git.frostfs.info/TrueCloudLab/frostfs-api) and has
 protocol gateways for popular protocols such as [AWS
-S3](https://github.com/TrueCloudLab/frostfs-s3-gw),
+S3](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw),
-[HTTP](https://github.com/TrueCloudLab/frostfs-http-gw),
+[HTTP](https://git.frostfs.info/TrueCloudLab/frostfs-http-gw),
 [FUSE](https://wikipedia.org/wiki/Filesystem_in_Userspace) and
 [sFTP](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) allowing
 developers to integrate applications without rewriting their code.
@@ -45,11 +44,11 @@ Now, we only support GNU/Linux on amd64 CPUs with AVX/AVX2 instructions. More
 platforms will be officially supported after release `1.0`.
 
 The latest version of frostfs-node works with frostfs-contract
-[v0.16.0](https://github.com/TrueCloudLab/frostfs-contract/releases/tag/v0.16.0).
+[v0.19.2](https://git.frostfs.info/TrueCloudLab/frostfs-contract/releases/tag/v0.19.2).
 
 # Building
 
-To make all binaries you need Go 1.20+ and `make`:
+To make all binaries you need Go 1.22+ and `make`:
 ```
 make all
 ```
@@ -71,7 +70,7 @@ make docker/bin/frostfs-<name> # build a specific binary
 
 ## Docker images
 
-To make docker images suitable for use in [frostfs-dev-env](https://github.com/TrueCloudLab/frostfs-dev-env/) use:
+To make docker images suitable for use in [frostfs-dev-env](https://git.frostfs.info/TrueCloudLab/frostfs-dev-env/) use:
 ```
 make images
 ```
@@ -125,7 +124,7 @@ the feature/topic you are going to implement.
 
 # Credits
 
-FrostFS is maintained by [True Cloud Lab](https://github.com/TrueCloudLab/) with the help and
+FrostFS is maintained by [True Cloud Lab](https://git.frostfs.info/TrueCloudLab/) with the help and
 contributions from community members.
 
 Please see [CREDITS](CREDITS.md) for details.

VERSION

@@ -1 +1 @@
-v0.36.0
+v0.42.0

cmd/frostfs-adm/README.md

@@ -56,7 +56,8 @@ credentials:     # passwords for consensus node / alphabet wallets
 #### Network deployment
 
 - `generate-alphabet` generates a set of wallets for consensus and
-  Alphabet nodes.
+  Alphabet nodes. The list of the name for alphabet wallets(no gaps between names allowed, order is important):
+  - az, buky, vedi, glagoli, dobro, yest, zhivete, dzelo, zemlja, izhe, izhei, gerv, kako, ljudi, mislete, nash, on, pokoj, rtsi, slovo, tverdo, uk
 
 - `init` initializes the sidechain by deploying smart contracts and
   setting provided FrostFS network configuration.

cmd/frostfs-adm/docs/deploy.md

@@ -9,8 +9,8 @@ related configuration details.
 
 To follow this guide you need:
 - latest released version of [neo-go](https://github.com/nspcc-dev/neo-go/releases) (v0.97.2 at the moment),
-- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases) utility (v0.25.1 at the moment),
+- latest released version of [frostfs-adm](https://git.frostfs.info/TrueCloudLab/frostfs-node/releases) utility (v0.42.9 at the moment),
-- latest released version of compiled [frostfs-contract](https://github.com/TrueCloudLab/frostfs-contract/releases) (v0.11.0 at the moment).
+- latest released version of compiled [frostfs-contract](https://git.frostfs.info/TrueCloudLab/frostfs-contract/releases) (v0.19.2 at the moment).
 
 ## Step 1: Prepare network configuration
 
@@ -34,6 +34,8 @@ alphabet-wallets: /home/user/deploy/alphabet-wallets
 network:
   max_object_size: 67108864
   epoch_duration: 240
+  max_ec_data_count: 12
+  max_ec_parity_count: 4
   fee:
     candidate: 0
     container: 0
@@ -62,6 +64,11 @@ alphabet-wallets: /home/user/deploy/alphabet-wallets
 wallet[0]: hunter2
 ```
 
+This command generates wallets with the following names:
+ - az, buky, vedi, glagoli, dobro, yest, zhivete, dzelo, zemlja, izhe, izhei, gerv, kako, ljudi, mislete, nash, on, pokoj, rtsi, slovo, tverdo, uk
+
+No gaps between names allowed, order is important.
+
 Do not lose wallet files and network config. Store it in an encrypted backed up
 storage.
 

cmd/frostfs-adm/internal/commonflags/flags.go

@@ -26,6 +26,8 @@ const (
 	ContractsURLFlagDesc            = "URL to archive with compiled FrostFS contracts"
 	EpochDurationInitFlag           = "network.epoch_duration"
 	MaxObjectSizeInitFlag           = "network.max_object_size"
+	MaxECDataCountFlag              = "network.max_ec_data_count"
+	MaxECParityCounFlag             = "network.max_ec_parity_count"
 	RefillGasAmountFlag             = "gas"
 	StorageWalletFlag               = "storage-wallet"
 	ContainerFeeInitFlag            = "network.fee.container"
@@ -36,4 +38,5 @@ const (
 	HomomorphicHashDisabledInitFlag = "network.homomorphic_hash_disabled"
 	CustomZoneFlag                  = "domain"
 	AlphabetSizeFlag                = "size"
+	AllFlag                         = "all"
 )

cmd/frostfs-adm/internal/modules/config/config.go

@@ -21,6 +21,8 @@ type configTemplate struct {
 	CandidateFee            int
 	ContainerFee            int
 	ContainerAliasFee       int
+	MaxECDataCount          int
+	MaxECParityCount        int
 	WithdrawFee             int
 	Glagolitics             []string
 	HomomorphicHashDisabled bool
@@ -31,6 +33,8 @@ alphabet-wallets: {{ .AlphabetDir}}
 network:
   max_object_size: {{ .MaxObjectSize}}
   epoch_duration: {{ .EpochDuration}}
+  max_ec_data_count: {{ .MaxECDataCount}}
+  max_ec_parity_count: {{ .MaxECParityCount}}
   homomorphic_hash_disabled: {{ .HomomorphicHashDisabled}}
   fee:
     candidate: {{ .CandidateFee}}
@@ -106,6 +110,8 @@ func generateConfigExample(appDir string, credSize int) (string, error) {
 	tmpl := configTemplate{
 		Endpoint:                "https://neo.rpc.node:30333",
 		MaxObjectSize:           67108864,      // 64 MiB
+		MaxECDataCount:          12,            // Tested with 16-node networks, assuming 12 data + 4 parity nodes.
+		MaxECParityCount:        4,             // Maximum 4 parity chunks, typically <= 3 for most policies.
 		EpochDuration:           240,           // 1 hour with 15s per block
 		HomomorphicHashDisabled: false,         // object homomorphic hash is enabled
 		CandidateFee:            100_0000_0000, // 100.0 GAS (Fixed8)
@@ -122,7 +128,7 @@ func generateConfigExample(appDir string, credSize int) (string, error) {
 	tmpl.AlphabetDir = filepath.Join(appDir, "alphabet-wallets")
 
 	var i innerring.GlagoliticLetter
-	for i = 0; i < innerring.GlagoliticLetter(credSize); i++ {
+	for i = range innerring.GlagoliticLetter(credSize) {
 		tmpl.Glagolitics = append(tmpl.Glagolitics, i.String())
 	}
 

cmd/frostfs-adm/internal/modules/config/config_test.go

@@ -27,6 +27,8 @@ func TestGenerateConfigExample(t *testing.T) {
 	require.Equal(t, "https://neo.rpc.node:30333", v.GetString("rpc-endpoint"))
 	require.Equal(t, filepath.Join(appDir, "alphabet-wallets"), v.GetString("alphabet-wallets"))
 	require.Equal(t, 67108864, v.GetInt("network.max_object_size"))
+	require.Equal(t, 12, v.GetInt("network.max_ec_data_count"))
+	require.Equal(t, 4, v.GetInt("network.max_ec_parity_count"))
 	require.Equal(t, 240, v.GetInt("network.epoch_duration"))
 	require.Equal(t, 10000000000, v.GetInt("network.fee.candidate"))
 	require.Equal(t, 1000, v.GetInt("network.fee.container"))

cmd/frostfs-adm/internal/modules/metabase/root.go

@@ -0,0 +1,15 @@
+package metabase
+
+import "github.com/spf13/cobra"
+
+// RootCmd is a root command of config section.
+var RootCmd = &cobra.Command{
+	Use:   "metabase",
+	Short: "Section for metabase commands",
+}
+
+func init() {
+	RootCmd.AddCommand(UpgradeCmd)
+
+	initUpgradeCommand()
+}

cmd/frostfs-adm/internal/modules/metabase/upgrade.go

@@ -0,0 +1,150 @@
+package metabase
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
+	engineconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/engine"
+	shardconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/engine/shard"
+	morphconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/morph"
+	nodeconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/node"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	meta "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/metabase"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
+	morphcontainer "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/container"
+	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	noCompactFlag = "no-compact"
+)
+
+var (
+	errNoPathsFound          = errors.New("no metabase paths found")
+	errNoMorphEndpointsFound = errors.New("no morph endpoints found")
+)
+
+var UpgradeCmd = &cobra.Command{
+	Use:   "upgrade",
+	Short: "Upgrade metabase to latest version",
+	RunE:  upgrade,
+}
+
+func upgrade(cmd *cobra.Command, _ []string) error {
+	configFile, err := cmd.Flags().GetString(commonflags.ConfigFlag)
+	if err != nil {
+		return err
+	}
+	configDir, err := cmd.Flags().GetString(commonflags.ConfigDirFlag)
+	if err != nil {
+		return err
+	}
+	appCfg := config.New(configFile, configDir, config.EnvPrefix)
+	paths, err := getMetabasePaths(appCfg)
+	if err != nil {
+		return err
+	}
+	if len(paths) == 0 {
+		return errNoPathsFound
+	}
+	cmd.Println("found", len(paths), "metabases:")
+	for i, path := range paths {
+		cmd.Println(i+1, ":", path)
+	}
+	mc, err := createMorphClient(cmd.Context(), appCfg)
+	if err != nil {
+		return err
+	}
+	defer mc.Close()
+	civ, err := createContainerInfoProvider(mc)
+	if err != nil {
+		return err
+	}
+	noCompact, _ := cmd.Flags().GetBool(noCompactFlag)
+	result := make(map[string]bool)
+	var resultGuard sync.Mutex
+	eg, ctx := errgroup.WithContext(cmd.Context())
+	for _, path := range paths {
+		eg.Go(func() error {
+			var success bool
+			cmd.Println("upgrading metabase", path, "...")
+			if err := meta.Upgrade(ctx, path, !noCompact, civ, func(a ...any) {
+				cmd.Println(append([]any{time.Now().Format(time.RFC3339), ":", path, ":"}, a...)...)
+			}); err != nil {
+				cmd.Println("error: failed to upgrade metabase", path, ":", err)
+			} else {
+				success = true
+				cmd.Println("metabase", path, "upgraded successfully")
+			}
+			resultGuard.Lock()
+			result[path] = success
+			resultGuard.Unlock()
+			return nil
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return err
+	}
+	for mb, ok := range result {
+		if ok {
+			cmd.Println(mb, ": success")
+		} else {
+			cmd.Println(mb, ": failed")
+		}
+	}
+	return nil
+}
+
+func getMetabasePaths(appCfg *config.Config) ([]string, error) {
+	var paths []string
+	if err := engineconfig.IterateShards(appCfg, false, func(sc *shardconfig.Config) error {
+		paths = append(paths, sc.Metabase().Path())
+		return nil
+	}); err != nil {
+		return nil, fmt.Errorf("get metabase paths: %w", err)
+	}
+	return paths, nil
+}
+
+func createMorphClient(ctx context.Context, appCfg *config.Config) (*client.Client, error) {
+	addresses := morphconfig.RPCEndpoint(appCfg)
+	if len(addresses) == 0 {
+		return nil, errNoMorphEndpointsFound
+	}
+	key := nodeconfig.Key(appCfg)
+	cli, err := client.New(ctx,
+		key,
+		client.WithDialTimeout(morphconfig.DialTimeout(appCfg)),
+		client.WithEndpoints(addresses...),
+		client.WithSwitchInterval(morphconfig.SwitchInterval(appCfg)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("create morph client:%w", err)
+	}
+	return cli, nil
+}
+
+func createContainerInfoProvider(cli *client.Client) (container.InfoProvider, error) {
+	sh, err := cli.NNSContractAddress(client.NNSContainerContractName)
+	if err != nil {
+		return nil, fmt.Errorf("resolve container contract hash: %w", err)
+	}
+	cc, err := morphcontainer.NewFromMorph(cli, sh, 0, morphcontainer.TryNotary())
+	if err != nil {
+		return nil, fmt.Errorf("create morph container client: %w", err)
+	}
+	return container.NewInfoProvider(func() (container.Source, error) {
+		return morphcontainer.AsContainerSource(cc), nil
+	}), nil
+}
+
+func initUpgradeCommand() {
+	flags := UpgradeCmd.Flags()
+	flags.Bool(noCompactFlag, false, "Do not compact upgraded metabase file")
+}

cmd/frostfs-adm/internal/modules/morph/ape/ape.go

@@ -16,6 +16,8 @@ import (
 const (
 	namespaceTarget   = "namespace"
 	containerTarget   = "container"
+	userTarget        = "user"
+	groupTarget       = "group"
 	jsonFlag          = "json"
 	jsonFlagDesc      = "Output rule chains in JSON format"
 	chainIDFlag       = "chain-id"
@@ -82,6 +84,15 @@ var (
 		},
 		Run: getAdmin,
 	}
+
+	listTargetsCmd = &cobra.Command{
+		Use:   "list-targets",
+		Short: "List targets",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
+		},
+		Run: listTargets,
+	}
 )
 
 func initAddRuleChainCmd() {
@@ -114,8 +125,9 @@ func initRemoveRuleChainCmd() {
 	removeRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
 	_ = removeRuleChainCmd.MarkFlagRequired(targetNameFlag)
 	removeRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
-	_ = removeRuleChainCmd.MarkFlagRequired(chainIDFlag)
 	removeRuleChainCmd.Flags().String(chainNameFlag, ingress, chainNameFlagDesc)
+	removeRuleChainCmd.Flags().Bool(commonflags.AllFlag, false, "Remove all chains for target")
+	removeRuleChainCmd.MarkFlagsMutuallyExclusive(commonflags.AllFlag, chainIDFlag)
 }
 
 func initListRuleChainsCmd() {
@@ -145,6 +157,14 @@ func initGetAdminCmd() {
 	getAdminCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 }
 
+func initListTargetsCmd() {
+	Cmd.AddCommand(listTargetsCmd)
+
+	listTargetsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	listTargetsCmd.Flags().StringP(targetTypeFlag, "t", "", targetTypeDesc)
+	_ = listTargetsCmd.MarkFlagRequired(targetTypeFlag)
+}
+
 func addRuleChain(cmd *cobra.Command, _ []string) {
 	chain := parseChain(cmd)
 	target := parseTarget(cmd)
@@ -157,14 +177,23 @@ func addRuleChain(cmd *cobra.Command, _ []string) {
 }
 
 func removeRuleChain(cmd *cobra.Command, _ []string) {
-	chainID := parseChainID(cmd)
 	target := parseTarget(cmd)
 	pci, ac := newPolicyContractInterface(cmd)
-	h, vub, err := pci.RemoveMorphRuleChain(parseChainName(cmd), target, chainID)
+	removeAll, _ := cmd.Flags().GetBool(commonflags.AllFlag)
-	cmd.Println("Waiting for transaction to persist...")
+	if removeAll {
-	_, err = ac.Wait(h, vub, err)
+		h, vub, err := pci.RemoveMorphRuleChainsByTarget(parseChainName(cmd), target)
-	commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+		cmd.Println("Waiting for transaction to persist...")
-	cmd.Println("Rule chain removed successfully")
+		_, err = ac.Wait(h, vub, err)
+		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+		cmd.Println("All chains for target removed successfully")
+	} else {
+		chainID := parseChainID(cmd)
+		h, vub, err := pci.RemoveMorphRuleChain(parseChainName(cmd), target, chainID)
+		cmd.Println("Waiting for transaction to persist...")
+		_, err = ac.Wait(h, vub, err)
+		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+		cmd.Println("Rule chain removed successfully")
+	}
 }
 
 func listRuleChains(cmd *cobra.Command, _ []string) {
@@ -205,6 +234,29 @@ func getAdmin(cmd *cobra.Command, _ []string) {
 	cmd.Println(addr.StringLE())
 }
 
+func listTargets(cmd *cobra.Command, _ []string) {
+	typ, err := parseTargetType(cmd)
+	commonCmd.ExitOnErr(cmd, "parse target type error: %w", err)
+	pci, inv := newPolicyContractReaderInterface(cmd)
+
+	sid, it, err := pci.ListTargetsIterator(typ)
+	commonCmd.ExitOnErr(cmd, "list targets error: %w", err)
+	items, err := inv.TraverseIterator(sid, &it, 0)
+	for err == nil && len(items) != 0 {
+		for _, item := range items {
+			bts, err := item.TryBytes()
+			commonCmd.ExitOnErr(cmd, "list targets error: %w", err)
+			if len(bts) == 0 {
+				cmd.Println("(no name)")
+			} else {
+				cmd.Println(string(bts))
+			}
+		}
+		items, err = inv.TraverseIterator(sid, &it, 0)
+		commonCmd.ExitOnErr(cmd, "unable to list targets: %w", err)
+	}
+}
+
 func prettyJSONFormat(cmd *cobra.Command, chains []*apechain.Chain) {
 	wr := bytes.NewBufferString("")
 	data, err := json.Marshal(chains)

cmd/frostfs-adm/internal/modules/morph/ape/ape_util.go

@@ -1,7 +1,7 @@
 package ape
 
 import (
-	"fmt"
+	"errors"
 	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
@@ -28,30 +28,50 @@ var mChainName = map[string]apechain.Name{
 	s3:      apechain.S3,
 }
 
+var (
+	errUnknownTargetType    = errors.New("unknown target type")
+	errChainIDCannotBeEmpty = errors.New("chain id cannot be empty")
+	errRuleIsNotParsed      = errors.New("rule is not passed")
+	errUnsupportedChainName = errors.New("unsupported chain name")
+)
+
 func parseTarget(cmd *cobra.Command) policyengine.Target {
-	var targetType policyengine.TargetType
-	typ, _ := cmd.Flags().GetString(targetTypeFlag)
-	switch typ {
-	case namespaceTarget:
-		targetType = policyengine.Namespace
-	case containerTarget:
-		targetType = policyengine.Container
-	default:
-		commonCmd.ExitOnErr(cmd, "read target type error: %w", fmt.Errorf("unknown target type"))
-	}
 	name, _ := cmd.Flags().GetString(targetNameFlag)
+	typ, err := parseTargetType(cmd)
+
+	// interpret "root" namespace as empty
+	if typ == policyengine.Namespace && name == "root" {
+		name = ""
+	}
+
+	commonCmd.ExitOnErr(cmd, "read target type error: %w", err)
 
 	return policyengine.Target{
 		Name: name,
-		Type: targetType,
+		Type: typ,
 	}
 }
 
+func parseTargetType(cmd *cobra.Command) (policyengine.TargetType, error) {
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
+	switch typ {
+	case namespaceTarget:
+		return policyengine.Namespace, nil
+	case containerTarget:
+		return policyengine.Container, nil
+	case userTarget:
+		return policyengine.User, nil
+	case groupTarget:
+		return policyengine.Group, nil
+	}
+	return -1, errUnknownTargetType
+}
+
 func parseChainID(cmd *cobra.Command) apechain.ID {
 	chainID, _ := cmd.Flags().GetString(chainIDFlag)
 	if chainID == "" {
 		commonCmd.ExitOnErr(cmd, "read chain id error: %w",
-			fmt.Errorf("chain id cannot be empty"))
+			errChainIDCannotBeEmpty)
 	}
 	return apechain.ID(chainID)
 }
@@ -64,7 +84,7 @@ func parseChain(cmd *cobra.Command) *apechain.Chain {
 	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
 		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", parseutil.ParseAPEChainBinaryOrJSON(chain, encPath))
 	} else {
-		commonCmd.ExitOnErr(cmd, "parser error: %w", fmt.Errorf("rule is not passed"))
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errRuleIsNotParsed)
 	}
 
 	chain.ID = parseChainID(cmd)
@@ -79,11 +99,21 @@ func parseChainName(cmd *cobra.Command) apechain.Name {
 	chainName, _ := cmd.Flags().GetString(chainNameFlag)
 	apeChainName, ok := mChainName[strings.ToLower(chainName)]
 	if !ok {
-		commonCmd.ExitOnErr(cmd, "", fmt.Errorf("unsupported chain name"))
+		commonCmd.ExitOnErr(cmd, "", errUnsupportedChainName)
 	}
 	return apeChainName
 }
 
+// invokerAdapter adapats invoker.Invoker to ContractStorageInvoker interface.
+type invokerAdapter struct {
+	*invoker.Invoker
+	rpcActor invoker.RPCInvoke
+}
+
+func (n *invokerAdapter) GetRPCInvoker() invoker.RPCInvoke {
+	return n.rpcActor
+}
+
 func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorageReader, *invoker.Invoker) {
 	c, err := helper.GetN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
@@ -91,13 +121,18 @@ func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorag
 	inv := invoker.New(c, nil)
 	var ch util.Uint160
 	r := management.NewReader(inv)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
 
 	ch, err = helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
 	commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
 
-	return morph.NewContractStorageReader(inv, ch), inv
+	invokerAdapter := &invokerAdapter{
+		Invoker:  inv,
+		rpcActor: c,
+	}
+
+	return morph.NewContractStorageReader(invokerAdapter, ch), inv
 }
 
 func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *helper.LocalActor) {
@@ -109,7 +144,7 @@ func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *he
 
 	var ch util.Uint160
 	r := management.NewReader(ac.Invoker)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
 
 	ch, err = helper.NNSResolveHash(ac.Invoker, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))

cmd/frostfs-adm/internal/modules/morph/ape/root.go

@@ -13,4 +13,5 @@ func init() {
 	initListRuleChainsCmd()
 	initSetAdminCmd()
 	initGetAdminCmd()
+	initListTargetsCmd()
 }

cmd/frostfs-adm/internal/modules/morph/balance/balance.go

@@ -60,7 +60,7 @@ func dumpBalances(cmd *cobra.Command, _ []string) error {
 
 	if dumpStorage || dumpAlphabet || dumpProxy {
 		r := management.NewReader(inv)
-		nnsCs, err = r.GetContractByID(1)
+		nnsCs, err = helper.GetContractByID(r, 1)
 		if err != nil {
 			return fmt.Errorf("can't get NNS contract info: %w", err)
 		}

cmd/frostfs-adm/internal/modules/morph/config/config.go

@@ -34,7 +34,7 @@ func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
 	inv := invoker.New(c, nil)
 	r := management.NewReader(inv)
 
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
@@ -60,7 +60,8 @@ func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
 		switch k {
 		case netmap.ContainerFeeConfig, netmap.ContainerAliasFeeConfig,
 			netmap.EpochDurationConfig, netmap.IrCandidateFeeConfig,
-			netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig:
+			netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig,
+			netmap.MaxECDataCountConfig, netmap.MaxECParityCountConfig:
 			nbuf := make([]byte, 8)
 			copy(nbuf[:], v)
 			n := binary.LittleEndian.Uint64(nbuf)
@@ -92,7 +93,7 @@ func SetConfigCmd(cmd *cobra.Command, args []string) error {
 	}
 
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
@@ -103,14 +104,22 @@ func SetConfigCmd(cmd *cobra.Command, args []string) error {
 	}
 
 	forceFlag, _ := cmd.Flags().GetBool(forceConfigSet)
-
 	bw := io.NewBufBinWriter()
+	prm := make(map[string]any)
 	for _, arg := range args {
 		k, v, err := parseConfigPair(arg, forceFlag)
 		if err != nil {
 			return err
 		}
 
+		prm[k] = v
+	}
+
+	if err := validateConfig(prm, forceFlag); err != nil {
+		return err
+	}
+
+	for k, v := range prm {
 		// In NeoFS this is done via Notary contract. Here, however, we can form the
 		// transaction locally. The first `nil` argument is required only for notary
 		// disabled environment which is not supported by that command.
@@ -128,6 +137,50 @@ func SetConfigCmd(cmd *cobra.Command, args []string) error {
 	return wCtx.AwaitTx()
 }
 
+const maxECSum = 256
+
+func validateConfig(args map[string]any, forceFlag bool) error {
+	var sumEC int64
+	_, okData := args[netmap.MaxECDataCountConfig]
+	_, okParity := args[netmap.MaxECParityCountConfig]
+	if okData != okParity {
+		return fmt.Errorf("both %s and %s must be present in the configuration",
+			netmap.MaxECDataCountConfig, netmap.MaxECParityCountConfig)
+	}
+
+	for k, v := range args {
+		switch k {
+		case netmap.ContainerFeeConfig, netmap.ContainerAliasFeeConfig,
+			netmap.EpochDurationConfig, netmap.IrCandidateFeeConfig,
+			netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig,
+			netmap.MaxECDataCountConfig, netmap.MaxECParityCountConfig:
+			value, ok := v.(int64)
+			if !ok {
+				return fmt.Errorf("%s has an invalid type. Expected type: int", k)
+			}
+
+			if value < 0 {
+				return fmt.Errorf("%s must be >= 0, got %v", k, v)
+			}
+
+			if k == netmap.MaxECDataCountConfig || k == netmap.MaxECParityCountConfig {
+				sumEC += value
+			}
+		case netmap.HomomorphicHashingDisabledKey, netmap.MaintenanceModeAllowedConfig:
+			_, ok := v.(bool)
+			if !ok {
+				return fmt.Errorf("%s has an invalid type. Expected type: bool", k)
+			}
+		}
+	}
+
+	if sumEC > maxECSum && !forceFlag {
+		return fmt.Errorf("the sum of %s and %s must be <= %d, got %d",
+			netmap.MaxECDataCountConfig, netmap.MaxECParityCountConfig, maxECSum, sumEC)
+	}
+	return nil
+}
+
 func parseConfigPair(kvStr string, force bool) (key string, val any, err error) {
 	k, v, found := strings.Cut(kvStr, "=")
 	if !found {
@@ -140,7 +193,8 @@ func parseConfigPair(kvStr string, force bool) (key string, val any, err error)
 	switch key {
 	case netmap.ContainerFeeConfig, netmap.ContainerAliasFeeConfig,
 		netmap.EpochDurationConfig, netmap.IrCandidateFeeConfig,
-		netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig:
+		netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig,
+		netmap.MaxECDataCountConfig, netmap.MaxECParityCountConfig:
 		val, err = strconv.ParseInt(valRaw, 10, 64)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as int: %w", key, valRaw, err)

cmd/frostfs-adm/internal/modules/morph/config/config_test.go

@@ -0,0 +1,34 @@
+package config
+
+import (
+	"testing"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_ValidateConfig(t *testing.T) {
+	testArgs := make(map[string]any)
+
+	testArgs[netmap.MaxECDataCountConfig] = int64(11)
+	require.Error(t, validateConfig(testArgs, false))
+
+	testArgs[netmap.MaxECParityCountConfig] = int64(256)
+	require.Error(t, validateConfig(testArgs, false))
+	require.NoError(t, validateConfig(testArgs, true))
+
+	testArgs[netmap.MaxECParityCountConfig] = int64(-1)
+	require.Error(t, validateConfig(testArgs, false))
+
+	testArgs[netmap.MaxECParityCountConfig] = int64(55)
+	require.NoError(t, validateConfig(testArgs, false))
+
+	testArgs[netmap.HomomorphicHashingDisabledKey] = "1"
+	require.Error(t, validateConfig(testArgs, false))
+
+	testArgs[netmap.HomomorphicHashingDisabledKey] = true
+	require.NoError(t, validateConfig(testArgs, false))
+
+	testArgs["not-well-known-configuration-key"] = "key"
+	require.NoError(t, validateConfig(testArgs, false))
+}

cmd/frostfs-adm/internal/modules/morph/container/container.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"sort"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
@@ -33,7 +34,7 @@ func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker) (util.Ui
 	}
 	if err != nil {
 		r := management.NewReader(inv)
-		nnsCs, err := r.GetContractByID(1)
+		nnsCs, err := helper.GetContractByID(r, 1)
 		if err != nil {
 			return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
 		}
@@ -138,13 +139,12 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 func dumpSingleContainer(bw *io.BufBinWriter, ch util.Uint160, inv *invoker.Invoker, id []byte) (*Container, error) {
 	bw.Reset()
 	emit.AppCall(bw.BinWriter, ch, "get", callflag.All, id)
-	emit.AppCall(bw.BinWriter, ch, "eACL", callflag.All, id)
 	res, err := inv.Run(bw.Bytes())
 	if err != nil {
 		return nil, fmt.Errorf("can't get container info: %w", err)
 	}
-	if len(res.Stack) != 2 {
+	if len(res.Stack) != 1 {
-		return nil, fmt.Errorf("%w: expected 2 items on stack", errInvalidContainerResponse)
+		return nil, fmt.Errorf("%w: expected 1 items on stack", errInvalidContainerResponse)
 	}
 
 	cnt := new(Container)
@@ -153,14 +153,6 @@ func dumpSingleContainer(bw *io.BufBinWriter, ch util.Uint160, inv *invoker.Invo
 		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
 
-	ea := new(EACL)
-	err = ea.FromStackItem(res.Stack[1])
-	if err != nil {
-		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-	}
-	if len(ea.Value) != 0 {
-		cnt.EACL = ea
-	}
 	return cnt, nil
 }
 
@@ -257,10 +249,6 @@ func restoreOrPutContainers(containers []Container, isOK func([]byte) bool, cmd
 func putContainer(bw *io.BufBinWriter, ch util.Uint160, cnt Container) {
 	emit.AppCall(bw.BinWriter, ch, "put", callflag.All,
 		cnt.Value, cnt.Signature, cnt.PublicKey, cnt.Token)
-	if ea := cnt.EACL; ea != nil {
-		emit.AppCall(bw.BinWriter, ch, "setEACL", callflag.All,
-			ea.Value, ea.Signature, ea.PublicKey, ea.Token)
-	}
 }
 
 func isContainerRestored(cmd *cobra.Command, wCtx *helper.InitializeContext, containerHash util.Uint160, bw *io.BufBinWriter, hashValue util.Uint256) (bool, error) {
@@ -303,7 +291,7 @@ func parseContainers(filename string) ([]Container, error) {
 
 func fetchContainerContractHash(wCtx *helper.InitializeContext) (util.Uint160, error) {
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
 	}
@@ -321,15 +309,6 @@ type Container struct {
 	Signature []byte `json:"signature"`
 	PublicKey []byte `json:"public_key"`
 	Token     []byte `json:"token"`
-	EACL      *EACL  `json:"eacl"`
-}
-
-// EACL represents extended ACL struct in contract storage.
-type EACL struct {
-	Value     []byte `json:"value"`
-	Signature []byte `json:"signature"`
-	PublicKey []byte `json:"public_key"`
-	Token     []byte `json:"token"`
 }
 
 // ToStackItem implements stackitem.Convertible.
@@ -376,50 +355,6 @@ func (c *Container) FromStackItem(item stackitem.Item) error {
 	return nil
 }
 
-// ToStackItem implements stackitem.Convertible.
-func (c *EACL) ToStackItem() (stackitem.Item, error) {
-	return stackitem.NewStruct([]stackitem.Item{
-		stackitem.NewByteArray(c.Value),
-		stackitem.NewByteArray(c.Signature),
-		stackitem.NewByteArray(c.PublicKey),
-		stackitem.NewByteArray(c.Token),
-	}), nil
-}
-
-// FromStackItem implements stackitem.Convertible.
-func (c *EACL) FromStackItem(item stackitem.Item) error {
-	arr, ok := item.Value().([]stackitem.Item)
-	if !ok || len(arr) != 4 {
-		return errors.New("invalid stack item type")
-	}
-
-	value, err := arr[0].TryBytes()
-	if err != nil {
-		return errors.New("invalid eACL value")
-	}
-
-	sig, err := arr[1].TryBytes()
-	if err != nil {
-		return errors.New("invalid eACL signature")
-	}
-
-	pub, err := arr[2].TryBytes()
-	if err != nil {
-		return errors.New("invalid eACL public key")
-	}
-
-	tok, err := arr[3].TryBytes()
-	if err != nil {
-		return errors.New("invalid eACL token")
-	}
-
-	c.Value = value
-	c.Signature = sig
-	c.PublicKey = pub
-	c.Token = tok
-	return nil
-}
-
 // getCIDFilterFunc returns filtering function for container IDs.
 // Raw byte slices are used because it works with structures returned
 // from contract.
@@ -446,7 +381,7 @@ func getCIDFilterFunc(cmd *cobra.Command) (func([]byte) bool, error) {
 		var id cid.ID
 		id.SetSHA256(v)
 		idStr := id.EncodeToString()
-		n := sort.Search(len(rawIDs), func(i int) bool { return rawIDs[i] >= idStr })
+		_, found := slices.BinarySearch(rawIDs, idStr)
-		return n < len(rawIDs) && rawIDs[n] == idStr
+		return found
 	}, nil
 }

cmd/frostfs-adm/internal/modules/morph/contract/deploy.go

@@ -79,7 +79,7 @@ func deployContractCmd(cmd *cobra.Command, args []string) error {
 	}
 
 	r := management.NewReader(c.ReadOnlyInvoker)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't fetch NNS contract state: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/contract/dump_hashes.go

@@ -42,7 +42,7 @@ func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 	}
 
 	r := management.NewReader(invoker.New(c, nil))
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return err
 	}
@@ -68,7 +68,7 @@ func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 
 	if irSize != 0 {
 		bw.Reset()
-		for i := 0; i < irSize; i++ {
+		for i := range irSize {
 			emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
 				helper.GetAlphabetNNSDomain(i),
 				int64(nns.TXT))
@@ -79,7 +79,7 @@ func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 			return fmt.Errorf("can't fetch info from NNS: %w", err)
 		}
 
-		for i := 0; i < irSize; i++ {
+		for i := range irSize {
 			info := contractDumpInfo{name: fmt.Sprintf("alphabet %d", i)}
 			if h, err := helper.ParseNNSResolveResult(alphaRes.Stack[i]); err == nil {
 				info.hash = h

cmd/frostfs-adm/internal/modules/morph/frostfsid/frostfsid.go

@@ -3,24 +3,32 @@ package frostfsid
 import (
 	"errors"
 	"fmt"
+	"math/big"
 	"sort"
 
 	frostfsidclient "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
+	frostfsidrpclient "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/frostfsid"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
+const iteratorBatchSize = 1
+
 const (
 	namespaceFlag      = "namespace"
 	subjectNameFlag    = "subject-name"
@@ -194,6 +202,7 @@ func initFrostfsIDCreateGroupCmd() {
 	frostfsidCreateGroupCmd.Flags().String(namespaceFlag, "", "Namespace where create group")
 	frostfsidCreateGroupCmd.Flags().String(groupNameFlag, "", "Group name, must be unique in namespace")
 	frostfsidCreateGroupCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
+	_ = frostfsidCreateGroupCmd.MarkFlagRequired(groupNameFlag)
 }
 
 func initFrostfsIDDeleteGroupCmd() {
@@ -249,12 +258,15 @@ func frostfsidCreateNamespace(cmd *cobra.Command, _ []string) {
 }
 
 func frostfsidListNamespaces(cmd *cobra.Command, _ []string) {
-	ffsid, err := newFrostfsIDClient(cmd)
+	inv, _, hash := initInvoker(cmd)
-	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+	reader := frostfsidrpclient.NewReader(inv, hash)
-
+	sessionID, it, err := reader.ListNamespaces()
-	namespaces, err := ffsid.roCli.ListNamespaces()
+	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
-	commonCmd.ExitOnErr(cmd, "list namespaces: %w", err)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
+	commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
 
+	namespaces, err := frostfsidclient.ParseNamespaces(items)
+	commonCmd.ExitOnErr(cmd, "can't parse namespace: %w", err)
 	sort.Slice(namespaces, func(i, j int) bool { return namespaces[i].Name < namespaces[j].Name })
 
 	for _, namespace := range namespaces {
@@ -295,14 +307,15 @@ func frostfsidDeleteSubject(cmd *cobra.Command, _ []string) {
 }
 
 func frostfsidListSubjects(cmd *cobra.Command, _ []string) {
-	ns := getFrostfsIDNamespace(cmd)
 	includeNames, _ := cmd.Flags().GetBool(includeNamesFlag)
+	ns := getFrostfsIDNamespace(cmd)
+	inv, _, hash := initInvoker(cmd)
+	reader := frostfsidrpclient.NewReader(inv, hash)
+	sessionID, it, err := reader.ListNamespaceSubjects(ns)
+	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
 
-	ffsid, err := newFrostfsIDClient(cmd)
+	subAddresses, err := frostfsidclient.UnwrapArrayOfUint160(readIterator(inv, &it, iteratorBatchSize, sessionID))
-	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+	commonCmd.ExitOnErr(cmd, "can't unwrap: %w", err)
-
-	subAddresses, err := ffsid.roCli.ListNamespaceSubjects(ns)
-	commonCmd.ExitOnErr(cmd, "list subjects: %w", err)
 
 	sort.Slice(subAddresses, func(i, j int) bool { return subAddresses[i].Less(subAddresses[j]) })
 
@@ -312,8 +325,14 @@ func frostfsidListSubjects(cmd *cobra.Command, _ []string) {
 			continue
 		}
 
-		subj, err := ffsid.roCli.GetSubject(addr)
+		sessionID, it, err := reader.ListSubjects()
-		commonCmd.ExitOnErr(cmd, "get subject: %w", err)
+		commonCmd.ExitOnErr(cmd, "can't get subject: %w", err)
+
+		items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
+		commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
+
+		subj, err := frostfsidclient.ParseSubject(items)
+		commonCmd.ExitOnErr(cmd, "can't parse subject: %w", err)
 
 		cmd.Printf("%s (%s)\n", address.Uint160ToString(addr), subj.Name)
 	}
@@ -348,13 +367,17 @@ func frostfsidDeleteGroup(cmd *cobra.Command, _ []string) {
 }
 
 func frostfsidListGroups(cmd *cobra.Command, _ []string) {
+	inv, _, hash := initInvoker(cmd)
 	ns := getFrostfsIDNamespace(cmd)
 
-	ffsid, err := newFrostfsIDClient(cmd)
+	reader := frostfsidrpclient.NewReader(inv, hash)
-	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+	sessionID, it, err := reader.ListGroups(ns)
+	commonCmd.ExitOnErr(cmd, "can't get namespace: %w", err)
 
-	groups, err := ffsid.roCli.ListGroups(ns)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
-	commonCmd.ExitOnErr(cmd, "list groups: %w", err)
+	commonCmd.ExitOnErr(cmd, "can't list groups: %w", err)
+	groups, err := frostfsidclient.ParseGroups(items)
+	commonCmd.ExitOnErr(cmd, "can't parse groups: %w", err)
 
 	sort.Slice(groups, func(i, j int) bool { return groups[i].Name < groups[j].Name })
 
@@ -393,12 +416,19 @@ func frostfsidListGroupSubjects(cmd *cobra.Command, _ []string) {
 	ns := getFrostfsIDNamespace(cmd)
 	groupID := getFrostfsIDGroupID(cmd)
 	includeNames, _ := cmd.Flags().GetBool(includeNamesFlag)
+	inv, cs, hash := initInvoker(cmd)
+	_, err := helper.NNSResolveHash(inv, cs.Hash, helper.DomainOf(constants.FrostfsIDContract))
+	commonCmd.ExitOnErr(cmd, "can't get netmap contract hash: %w", err)
 
-	ffsid, err := newFrostfsIDClient(cmd)
+	reader := frostfsidrpclient.NewReader(inv, hash)
-	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+	sessionID, it, err := reader.ListGroupSubjects(ns, big.NewInt(groupID))
+	commonCmd.ExitOnErr(cmd, "can't list groups: %w", err)
 
-	subjects, err := ffsid.roCli.ListGroupSubjects(ns, groupID)
+	items, err := readIterator(inv, &it, iteratorBatchSize, sessionID)
-	commonCmd.ExitOnErr(cmd, "list group subjects: %w", err)
+	commonCmd.ExitOnErr(cmd, "can't read iterator: %w", err)
+
+	subjects, err := frostfsidclient.UnwrapArrayOfUint160(items, err)
+	commonCmd.ExitOnErr(cmd, "can't unwrap: %w", err)
 
 	sort.Slice(subjects, func(i, j int) bool { return subjects[i].Less(subjects[j]) })
 
@@ -408,9 +438,10 @@ func frostfsidListGroupSubjects(cmd *cobra.Command, _ []string) {
 			continue
 		}
 
-		subj, err := ffsid.roCli.GetSubject(subjAddr)
+		items, err := reader.GetSubject(subjAddr)
-		commonCmd.ExitOnErr(cmd, "get subject: %w", err)
+		commonCmd.ExitOnErr(cmd, "can't get subject: %w", err)
-
+		subj, err := frostfsidclient.ParseSubject(items)
+		commonCmd.ExitOnErr(cmd, "can't parse subject: %w", err)
 		cmd.Printf("%s (%s)\n", address.Uint160ToString(subjAddr), subj.Name)
 	}
 }
@@ -425,11 +456,11 @@ type frostfsidClient struct {
 func newFrostfsIDClient(cmd *cobra.Command) (*frostfsidClient, error) {
 	wCtx, err := helper.NewInitializeContext(cmd, viper.GetViper())
 	if err != nil {
-		return nil, fmt.Errorf("can't to initialize context: %w", err)
+		return nil, fmt.Errorf("can't initialize context: %w", err)
 	}
 
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return nil, fmt.Errorf("can't get NNS contract info: %w", err)
 	}
@@ -473,3 +504,35 @@ func (f *frostfsidClient) sendWaitRes() (*state.AppExecResult, error) {
 	f.wCtx.Command.Println("Waiting for transactions to persist...")
 	return f.roCli.Wait(f.wCtx.SentTxs[0].Hash, f.wCtx.SentTxs[0].Vub, nil)
 }
+
+func readIterator(inv *invoker.Invoker, iter *result.Iterator, batchSize int, sessionID uuid.UUID) ([]stackitem.Item, error) {
+	var shouldStop bool
+	res := make([]stackitem.Item, 0)
+	for !shouldStop {
+		items, err := inv.TraverseIterator(sessionID, iter, batchSize)
+		if err != nil {
+			return nil, err
+		}
+
+		res = append(res, items...)
+		shouldStop = len(items) < batchSize
+	}
+
+	return res, nil
+}
+
+func initInvoker(cmd *cobra.Command) (*invoker.Invoker, *state.Contract, util.Uint160) {
+	c, err := helper.GetN3Client(viper.GetViper())
+	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
+
+	inv := invoker.New(c, nil)
+	r := management.NewReader(inv)
+
+	cs, err := r.GetContractByID(1)
+	commonCmd.ExitOnErr(cmd, "can't get NNS contract info: %w", err)
+
+	nmHash, err := helper.NNSResolveHash(inv, cs.Hash, helper.DomainOf(constants.FrostfsIDContract))
+	commonCmd.ExitOnErr(cmd, "can't get netmap contract hash: %w", err)
+
+	return inv, cs, nmHash
+}

cmd/frostfs-adm/internal/modules/morph/generate/generate.go

@@ -65,41 +65,47 @@ func initializeWallets(v *viper.Viper, walletDir string, size int) ([]string, er
 	pubs := make(keys.PublicKeys, size)
 	passwords := make([]string, size)
 
+	var errG errgroup.Group
+
 	for i := range wallets {
 		password, err := config.GetPassword(v, innerring.GlagoliticLetter(i).String())
 		if err != nil {
 			return nil, fmt.Errorf("can't fetch password: %w", err)
 		}
 
-		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
+		errG.Go(func() error {
-		f, err := os.OpenFile(p, os.O_CREATE, 0o644)
+			p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
-		if err != nil {
+			f, err := os.OpenFile(p, os.O_CREATE, 0o644)
-			return nil, fmt.Errorf("can't create wallet file: %w", err)
+			if err != nil {
-		}
+				return fmt.Errorf("can't create wallet file: %w", err)
-		if err := f.Close(); err != nil {
+			}
-			return nil, fmt.Errorf("can't close wallet file: %w", err)
+			if err := f.Close(); err != nil {
-		}
+				return fmt.Errorf("can't close wallet file: %w", err)
-		w, err := wallet.NewWallet(p)
+			}
-		if err != nil {
+			w, err := wallet.NewWallet(p)
-			return nil, fmt.Errorf("can't create wallet: %w", err)
+			if err != nil {
-		}
+				return fmt.Errorf("can't create wallet: %w", err)
-		if err := w.CreateAccount(constants.SingleAccountName, password); err != nil {
+			}
-			return nil, fmt.Errorf("can't create account: %w", err)
+			if err := w.CreateAccount(constants.SingleAccountName, password); err != nil {
-		}
+				return fmt.Errorf("can't create account: %w", err)
+			}
 
-		passwords[i] = password
+			passwords[i] = password
-		wallets[i] = w
+			wallets[i] = w
-		pubs[i] = w.Accounts[0].PrivateKey().PublicKey()
+			pubs[i] = w.Accounts[0].PrivateKey().PublicKey()
+			return nil
+		})
 	}
 
-	var errG errgroup.Group
+	if err := errG.Wait(); err != nil {
+		return nil, err
+	}
 
 	// Create committee account with N/2+1 multi-signature.
 	majCount := smartcontract.GetMajorityHonestNodeCount(size)
 	// Create consensus account with 2*N/3+1 multi-signature.
 	bftCount := smartcontract.GetDefaultHonestNodeCount(size)
 	for i := range wallets {
-		i := i
 		ps := pubs.Copy()
 		errG.Go(func() error {
 			if err := addMultisigAccount(wallets[i], majCount, constants.CommitteeAccountName, passwords[i], ps); err != nil {

cmd/frostfs-adm/internal/modules/morph/generate/generate_test.go

@@ -23,8 +23,6 @@ import (
 )
 
 func TestGenerateAlphabet(t *testing.T) {
-	const size = 4
-
 	walletDir := t.TempDir()
 	buf := setupTestTerminal(t)
 
@@ -55,17 +53,17 @@ func TestGenerateAlphabet(t *testing.T) {
 	t.Run("no password for contract group wallet", func(t *testing.T) {
 		buf.Reset()
 		v.Set(commonflags.AlphabetWalletsFlag, walletDir)
-		require.NoError(t, cmd.Flags().Set(commonflags.AlphabetSizeFlag, strconv.FormatUint(size, 10)))
+		require.NoError(t, cmd.Flags().Set(commonflags.AlphabetSizeFlag, "1"))
-		for i := uint64(0); i < size; i++ {
+		buf.WriteString("pass\r")
-			buf.WriteString(strconv.FormatUint(i, 10) + "\r")
-		}
 		require.Error(t, AlphabetCreds(cmd, nil))
 	})
 
+	const size = 4
+
 	buf.Reset()
 	v.Set(commonflags.AlphabetWalletsFlag, walletDir)
 	require.NoError(t, GenerateAlphabetCmd.Flags().Set(commonflags.AlphabetSizeFlag, strconv.FormatUint(size, 10)))
-	for i := uint64(0); i < size; i++ {
+	for i := range uint64(size) {
 		buf.WriteString(strconv.FormatUint(i, 10) + "\r")
 	}
 

cmd/frostfs-adm/internal/modules/morph/generate/root.go

@@ -32,7 +32,7 @@ var (
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 			_ = viper.BindPFlag(commonflags.RefillGasAmountFlag, cmd.Flags().Lookup(commonflags.RefillGasAmountFlag))
 		},
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			return refillGas(cmd, commonflags.RefillGasAmountFlag, false)
 		},
 	}

cmd/frostfs-adm/internal/modules/morph/helper/actor.go

@@ -23,9 +23,10 @@ import (
 
 // LocalActor is a kludge, do not use it outside of the morph commands.
 type LocalActor struct {
-	neoActor *actor.Actor
+	neoActor   *actor.Actor
-	accounts []*wallet.Account
+	accounts   []*wallet.Account
-	Invoker  *invoker.Invoker
+	Invoker    *invoker.Invoker
+	rpcInvoker invoker.RPCInvoke
 }
 
 // NewLocalActor create LocalActor with accounts form provided wallets.
@@ -68,9 +69,10 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor) (*LocalActor, error) {
 		}
 	}
 	return &LocalActor{
-		neoActor: act,
+		neoActor:   act,
-		accounts: accounts,
+		accounts:   accounts,
-		Invoker:  &act.Invoker,
+		Invoker:    &act.Invoker,
+		rpcInvoker: c,
 	}, nil
 }
 
@@ -167,3 +169,7 @@ func (a *LocalActor) MakeUnsignedRun(_ []byte, _ []transaction.Attribute) (*tran
 func (a *LocalActor) MakeCall(_ util.Uint160, _ string, _ ...any) (*transaction.Transaction, error) {
 	panic("unimplemented")
 }
+
+func (a *LocalActor) GetRPCInvoker() invoker.RPCInvoke {
+	return a.rpcInvoker
+}

cmd/frostfs-adm/internal/modules/morph/helper/contract.go

@@ -15,7 +15,7 @@ import (
 
 func getFrostfsIDAdminFromContract(roInvoker *invoker.Invoker) (util.Uint160, bool, error) {
 	r := management.NewReader(roInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := GetContractByID(r, 1)
 	if err != nil {
 		return util.Uint160{}, false, fmt.Errorf("get nns contract: %w", err)
 	}
@@ -62,7 +62,7 @@ func GetContractDeployData(c *InitializeContext, ctrName string, keysParam []any
 		// In case if NNS is updated multiple times, we can't calculate
 		// it's actual hash based on local data, thus query chain.
 		r := management.NewReader(c.ReadOnlyInvoker)
-		nnsCs, err := r.GetContractByID(1)
+		nnsCs, err := GetContractByID(r, 1)
 		if err != nil {
 			return nil, fmt.Errorf("get nns contract: %w", err)
 		}
@@ -116,7 +116,7 @@ func GetContractDeployData(c *InitializeContext, ctrName string, keysParam []any
 	case constants.PolicyContract:
 		items = append(items, c.Contracts[constants.ProxyContract].Hash)
 	default:
-		panic(fmt.Sprintf("invalid contract name: %s", ctrName))
+		panic("invalid contract name: " + ctrName)
 	}
 	return items, nil
 }
@@ -166,5 +166,6 @@ func DeployNNS(c *InitializeContext, method string) error {
 		return fmt.Errorf("can't send deploy transaction: %w", err)
 	}
 
+	c.Command.Println("NNS hash:", invokeHash.StringLE())
 	return c.AwaitTx()
 }

cmd/frostfs-adm/internal/modules/morph/helper/download.go

@@ -14,6 +14,8 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var errNoReleasesFound = errors.New("attempt to fetch contracts archive from the offitial repository failed: no releases found")
+
 func downloadContracts(cmd *cobra.Command, url string) (io.ReadCloser, error) {
 	cmd.Printf("Downloading contracts archive from '%s'\n", url)
 
@@ -61,7 +63,7 @@ func downloadContractsFromRepository(cmd *cobra.Command) (io.ReadCloser, error)
 	}
 
 	if latestRelease == nil {
-		return nil, fmt.Errorf("attempt to fetch contracts archive from the offitial repository failed: no releases found")
+		return nil, errNoReleasesFound
 	}
 
 	cmd.Printf("Found release %s (%s)\n", latestRelease.TagName, latestRelease.Title)

cmd/frostfs-adm/internal/modules/morph/helper/initialize_ctx.go

@@ -3,6 +3,7 @@ package helper
 import (
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	io2 "io"
 	"os"
@@ -33,6 +34,11 @@ import (
 	"github.com/spf13/viper"
 )
 
+var (
+	errNegativeDuration = errors.New("epoch duration must be positive")
+	errNegativeSize     = errors.New("max object size must be positive")
+)
+
 type ContractState struct {
 	NEF         *nef.File
 	RawNEF      []byte
@@ -166,11 +172,11 @@ func validateInit(cmd *cobra.Command) error {
 		return nil
 	}
 	if viper.GetInt64(commonflags.EpochDurationInitFlag) <= 0 {
-		return fmt.Errorf("epoch duration must be positive")
+		return errNegativeDuration
 	}
 
 	if viper.GetInt64(commonflags.MaxObjectSizeInitFlag) <= 0 {
-		return fmt.Errorf("max object size must be positive")
+		return errNegativeSize
 	}
 
 	return nil

cmd/frostfs-adm/internal/modules/morph/helper/local_client.go

@@ -44,7 +44,6 @@ type LocalClient struct {
 	transactions []*transaction.Transaction
 	dumpPath     string
 	accounts     []*wallet.Account
-	maxGasInvoke int64
 }
 
 func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet, dumpPath string) (*LocalClient, error) {
@@ -104,10 +103,9 @@ func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet
 	}
 
 	return &LocalClient{
-		bc:           bc,
+		bc:       bc,
-		dumpPath:     dumpPath,
+		dumpPath: dumpPath,
-		accounts:     accounts[:m],
+		accounts: accounts[:m],
-		maxGasInvoke: 15_0000_0000,
 	}, nil
 }
 
@@ -115,7 +113,7 @@ func (l *LocalClient) GetBlockCount() (uint32, error) {
 	return l.bc.BlockHeight(), nil
 }
 
-func (l *LocalClient) GetNativeContracts() ([]state.NativeContract, error) {
+func (l *LocalClient) GetNativeContracts() ([]state.Contract, error) {
 	return l.bc.GetNatives(), nil
 }
 
@@ -226,7 +224,7 @@ func (l *LocalClient) CalculateNetworkFee(tx *transaction.Transaction) (int64, e
 					paramz = []manifest.Parameter{{Type: smartcontract.SignatureType}}
 				} else if nSigs, _, ok := vm.ParseMultiSigContract(w.VerificationScript); ok {
 					paramz = make([]manifest.Parameter, nSigs)
-					for j := 0; j < nSigs; j++ {
+					for j := range nSigs {
 						paramz[j] = manifest.Parameter{Type: smartcontract.SignatureType}
 					}
 				}

cmd/frostfs-adm/internal/modules/morph/helper/n3client.go

@@ -2,6 +2,7 @@ package helper
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"time"
@@ -27,7 +28,7 @@ type Client interface {
 	invoker.RPCInvoke
 
 	GetBlockCount() (uint32, error)
-	GetNativeContracts() ([]state.NativeContract, error)
+	GetNativeContracts() ([]state.Contract, error)
 	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
 	GetVersion() (*result.Version, error)
 	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
@@ -60,9 +61,23 @@ func GetN3Client(v *viper.Viper) (Client, error) {
 	if endpoint == "" {
 		return nil, errors.New("missing endpoint")
 	}
+
+	var cfg *tls.Config
+	if rootCAs := v.GetStringSlice("tls.trusted_ca_list"); len(rootCAs) != 0 {
+		certFile := v.GetString("tls.certificate")
+		keyFile := v.GetString("tls.key")
+
+		tlsConfig, err := rpcclient.TLSClientConfig(rootCAs, certFile, keyFile)
+		if err != nil {
+			return nil, err
+		}
+
+		cfg = tlsConfig
+	}
 	c, err := rpcclient.New(ctx, endpoint, rpcclient.Options{
 		MaxConnsPerHost: maxConnsPerHost,
 		RequestTimeout:  requestTimeout,
+		TLSClientConfig: cfg,
 	})
 	if err != nil {
 		return nil, err

cmd/frostfs-adm/internal/modules/morph/helper/netmap.go

@@ -29,10 +29,14 @@ var NetmapConfigKeys = []string{
 	netmap.MaintenanceModeAllowedConfig,
 }
 
+var errFailedToFetchListOfNetworkKeys = errors.New("can't fetch list of network config keys from the netmap contract")
+
 func GetDefaultNetmapContractConfigMap() map[string]any {
 	m := make(map[string]any)
 	m[netmap.EpochDurationConfig] = viper.GetInt64(commonflags.EpochDurationInitFlag)
 	m[netmap.MaxObjectSizeConfig] = viper.GetInt64(commonflags.MaxObjectSizeInitFlag)
+	m[netmap.MaxECDataCountConfig] = viper.GetInt64(commonflags.MaxECDataCountFlag)
+	m[netmap.MaxECParityCountConfig] = viper.GetInt64(commonflags.MaxECParityCounFlag)
 	m[netmap.ContainerFeeConfig] = viper.GetInt64(commonflags.ContainerFeeInitFlag)
 	m[netmap.ContainerAliasFeeConfig] = viper.GetInt64(commonflags.ContainerAliasFeeInitFlag)
 	m[netmap.IrCandidateFeeConfig] = viper.GetInt64(commonflags.CandidateFeeInitFlag)
@@ -68,13 +72,17 @@ func InvalidConfigValueErr(key string) error {
 	return fmt.Errorf("invalid %s config value from netmap contract", key)
 }
 
-func EmitNewEpochCall(bw *io.BufBinWriter, wCtx *InitializeContext, nmHash util.Uint160) error {
+func EmitNewEpochCall(bw *io.BufBinWriter, wCtx *InitializeContext, nmHash util.Uint160, countEpoch int64) error {
+	if countEpoch <= 0 {
+		return errors.New("number of epochs cannot be less than 1")
+	}
+
 	curr, err := unwrap.Int64(wCtx.ReadOnlyInvoker.Call(nmHash, "epoch"))
 	if err != nil {
 		return errors.New("can't fetch current epoch from the netmap contract")
 	}
 
-	newEpoch := curr + 1
+	newEpoch := curr + countEpoch
 	wCtx.Command.Printf("Current epoch: %d, increase to %d.\n", curr, newEpoch)
 
 	// In NeoFS this is done via Notary contract. Here, however, we can form the
@@ -85,7 +93,7 @@ func EmitNewEpochCall(bw *io.BufBinWriter, wCtx *InitializeContext, nmHash util.
 
 func GetNetConfigFromNetmapContract(roInvoker *invoker.Invoker) ([]stackitem.Item, error) {
 	r := management.NewReader(roInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := GetContractByID(r, 1)
 	if err != nil {
 		return nil, fmt.Errorf("get nns contract: %w", err)
 	}
@@ -95,7 +103,7 @@ func GetNetConfigFromNetmapContract(roInvoker *invoker.Invoker) ([]stackitem.Ite
 	}
 	arr, err := unwrap.Array(roInvoker.Call(nmHash, "listConfig"))
 	if err != nil {
-		return nil, fmt.Errorf("can't fetch list of network config keys from the netmap contract")
+		return nil, errFailedToFetchListOfNetworkKeys
 	}
 	return arr, err
 }

cmd/frostfs-adm/internal/modules/morph/helper/util.go

@@ -14,10 +14,12 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
 )
@@ -40,45 +42,48 @@ func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, er
 		return nil, fmt.Errorf("can't read alphabet wallets dir: %w", err)
 	}
 
-	var size int
+	var wallets []*wallet.Wallet
-loop:
+	var letter string
-	for i := 0; i < len(walletFiles); i++ {
+	for i := range constants.MaxAlphabetNodes {
-		name := innerring.GlagoliticLetter(i).String() + ".json"
+		letter = innerring.GlagoliticLetter(i).String()
-		for j := range walletFiles {
-			if walletFiles[j].Name() == name {
-				size++
-				continue loop
-			}
-		}
-		break
-	}
-	if size == 0 {
-		return nil, errors.New("alphabet wallets dir is empty (run `generate-alphabet` command first)")
-	}
-
-	wallets := make([]*wallet.Wallet, size)
-	for i := 0; i < size; i++ {
-		letter := innerring.GlagoliticLetter(i).String()
 		p := filepath.Join(walletDir, letter+".json")
-		w, err := wallet.NewWalletFromFile(p)
+		var w *wallet.Wallet
+		w, err = wallet.NewWalletFromFile(p)
 		if err != nil {
-			return nil, fmt.Errorf("can't open wallet: %w", err)
+			if errors.Is(err, os.ErrNotExist) {
+				err = nil
+			} else {
+				err = fmt.Errorf("can't open wallet: %w", err)
+			}
+			break
 		}
 
-		password, err := config.GetPassword(v, letter)
+		var password string
+		password, err = config.GetPassword(v, letter)
 		if err != nil {
-			return nil, fmt.Errorf("can't fetch password: %w", err)
+			err = fmt.Errorf("can't fetch password: %w", err)
+			break
 		}
 
 		for i := range w.Accounts {
-			if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
+			if err = w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
-				return nil, fmt.Errorf("can't unlock wallet: %w", err)
+				err = fmt.Errorf("can't unlock wallet: %w", err)
+				break
 			}
 		}
 
-		wallets[i] = w
+		wallets = append(wallets, w)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("can't read wallet for letter '%s': %w", letter, err)
+	}
+	if len(wallets) == 0 {
+		err = errors.New("there are no alphabet wallets in dir (run `generate-alphabet` command first)")
+		if len(walletFiles) > 0 {
+			err = fmt.Errorf("use glagolitic names for wallets(run `print-alphabet`): %w", err)
+		}
+		return nil, err
 	}
-
 	return wallets, nil
 }
 
@@ -122,11 +127,11 @@ func readContractsFromArchive(file io.Reader, names []string) (map[string]*Contr
 	}
 
 	r := tar.NewReader(gr)
-	for h, err := r.Next(); ; h, err = r.Next() {
+	var h *tar.Header
-		if err != nil {
+	for h, err = r.Next(); err == nil && h != nil; h, err = r.Next() {
-			break
+		if h.Typeflag != tar.TypeReg {
+			continue
 		}
-
 		dir, _ := filepath.Split(h.Name)
 		ctrName := filepath.Base(dir)
 
@@ -149,6 +154,9 @@ func readContractsFromArchive(file io.Reader, names []string) (map[string]*Contr
 		}
 		m[ctrName] = cs
 	}
+	if err != nil && err != io.EOF {
+		return nil, fmt.Errorf("can't read contracts from archive: %w", err)
+	}
 
 	for ctrName, cs := range m {
 		if cs.RawNEF == nil {
@@ -175,3 +183,18 @@ func ParseGASAmount(s string) (fixedn.Fixed8, error) {
 	}
 	return gasAmount, nil
 }
+
+// GetContractByID retrieves a contract by its ID using the standard GetContractByID method.
+// However, if the returned state.Contract is nil, it returns an error indicating that the contract was not found.
+// See https://git.frostfs.info/TrueCloudLab/frostfs-node/issues/1210
+func GetContractByID(r *management.ContractReader, id int32) (*state.Contract, error) {
+	cs, err := r.GetContractByID(id)
+	if err != nil {
+		return nil, err
+	}
+
+	if cs == nil {
+		return nil, errors.New("contract not found")
+	}
+	return cs, nil
+}

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_nns.go

@@ -21,7 +21,7 @@ import (
 
 func setNNS(c *helper.InitializeContext) error {
 	r := management.NewReader(c.ReadOnlyInvoker)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return err
 	}

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_register.go

@@ -100,10 +100,7 @@ func registerCandidates(c *helper.InitializeContext) error {
 	// Register candidates in batches in order to overcome the signers amount limit.
 	// See: https://github.com/nspcc-dev/neo-go/blob/master/pkg/core/transaction/transaction.go#L27
 	for i := 0; i < need; i += registerBatchSize {
-		start, end := i, i+registerBatchSize
+		start, end := i, min(i+registerBatchSize, need)
-		if end > need {
-			end = need
-		}
 		// This check is sound because transactions are accepted/rejected atomically.
 		if have >= end {
 			continue

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_roles.go

@@ -1,6 +1,8 @@
 package initialize
 
 import (
+	"fmt"
+
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/io"
@@ -29,10 +31,14 @@ func setNotaryAndAlphabetNodes(c *helper.InitializeContext) error {
 		callflag.States|callflag.AllowNotify, int64(noderoles.NeoFSAlphabet), pubs)
 
 	if err := c.SendCommitteeTx(w.Bytes(), false); err != nil {
-		return err
+		return fmt.Errorf("send committee transaction: %w", err)
 	}
 
-	return c.AwaitTx()
+	err := c.AwaitTx()
+	if err != nil {
+		err = fmt.Errorf("await committee transaction: %w", err)
+	}
+	return err
 }
 
 func setRolesFinished(c *helper.InitializeContext) (bool, error) {

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_test.go

@@ -113,7 +113,7 @@ func generateTestData(dir string, size int) error {
 	}
 
 	var pubs []string
-	for i := 0; i < size; i++ {
+	for i := range size {
 		p := filepath.Join(dir, innerring.GlagoliticLetter(i).String()+".json")
 		w, err := wallet.NewWalletFromFile(p)
 		if err != nil {
@@ -148,7 +148,7 @@ func generateTestData(dir string, size int) error {
 }
 
 func setTestCredentials(v *viper.Viper, size int) {
-	for i := 0; i < size; i++ {
+	for i := range size {
 		v.Set("credentials."+innerring.GlagoliticLetter(i).String(), strconv.FormatUint(uint64(i), 10))
 	}
 	v.Set("credentials.contract", constants.TestContractPassword)

cmd/frostfs-adm/internal/modules/morph/initialize/initialize_transfer.go

@@ -3,6 +3,7 @@ package initialize
 import (
 	"fmt"
 	"math/big"
+	"strings"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
@@ -28,6 +29,10 @@ const (
 	initialProxyGASAmount = 50_000 * native.GASFactor
 )
 
+func initialCommitteeGASAmount(c *helper.InitializeContext) int64 {
+	return (gasInitialTotalSupply - initialAlphabetGASAmount*int64(len(c.Wallets))) / 2
+}
+
 func transferFunds(c *helper.InitializeContext) error {
 	ok, err := transferFundsFinished(c)
 	if ok || err != nil {
@@ -54,7 +59,7 @@ func transferFunds(c *helper.InitializeContext) error {
 		transferTarget{
 			Token:   gas.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
-			Amount:  (gasInitialTotalSupply - initialAlphabetGASAmount*int64(len(c.Wallets))) / 2,
+			Amount:  initialCommitteeGASAmount(c),
 		},
 		transferTarget{
 			Token:   neo.Hash,
@@ -75,12 +80,19 @@ func transferFunds(c *helper.InitializeContext) error {
 	return c.AwaitTx()
 }
 
+// transferFundsFinished checks balances of accounts we transfer GAS to.
+// The stage is considered finished if the balance is greater than the half of what we need to transfer.
 func transferFundsFinished(c *helper.InitializeContext) (bool, error) {
 	acc := c.Accounts[0]
 
 	r := nep17.NewReader(c.ReadOnlyInvoker, gas.Hash)
 	res, err := r.BalanceOf(acc.Contract.ScriptHash())
-	return res.Cmp(big.NewInt(initialAlphabetGASAmount/2)) == 1, err
+	if err != nil || res.Cmp(big.NewInt(initialAlphabetGASAmount/2)) != 1 {
+		return false, err
+	}
+
+	res, err = r.BalanceOf(c.CommitteeAcc.ScriptHash())
+	return res != nil && res.Cmp(big.NewInt(initialCommitteeGASAmount(c)/2)) == 1, err
 }
 
 func transferGASToProxy(c *helper.InitializeContext) error {
@@ -140,5 +152,17 @@ func createNEP17MultiTransferTx(c helper.Client, acc *wallet.Account, recipients
 	if err != nil {
 		return nil, fmt.Errorf("can't create actor: %w", err)
 	}
-	return act.MakeRun(w.Bytes())
+	tx, err := act.MakeRun(w.Bytes())
+	if err != nil {
+		sum := make(map[util.Uint160]int64)
+		for _, recipient := range recipients {
+			sum[recipient.Token] += recipient.Amount
+		}
+		detail := make([]string, 0, len(sum))
+		for _, value := range sum {
+			detail = append(detail, fmt.Sprintf("amount=%v", value))
+		}
+		err = fmt.Errorf("transfer failed: from=%s(%s) %s: %w", acc.Label, acc.Address, strings.Join(detail, " "), err)
+	}
+	return tx, err
 }

cmd/frostfs-adm/internal/modules/morph/initialize/root.go

@@ -25,6 +25,8 @@ var Cmd = &cobra.Command{
 		_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		_ = viper.BindPFlag(commonflags.EpochDurationInitFlag, cmd.Flags().Lookup(epochDurationCLIFlag))
 		_ = viper.BindPFlag(commonflags.MaxObjectSizeInitFlag, cmd.Flags().Lookup(maxObjectSizeCLIFlag))
+		_ = viper.BindPFlag(commonflags.MaxECDataCountFlag, cmd.Flags().Lookup(commonflags.MaxECDataCountFlag))
+		_ = viper.BindPFlag(commonflags.MaxECParityCounFlag, cmd.Flags().Lookup(commonflags.MaxECParityCounFlag))
 		_ = viper.BindPFlag(commonflags.HomomorphicHashDisabledInitFlag, cmd.Flags().Lookup(homomorphicHashDisabledCLIFlag))
 		_ = viper.BindPFlag(commonflags.CandidateFeeInitFlag, cmd.Flags().Lookup(candidateFeeCLIFlag))
 		_ = viper.BindPFlag(commonflags.ContainerFeeInitFlag, cmd.Flags().Lookup(containerFeeCLIFlag))

cmd/frostfs-adm/internal/modules/morph/netmap/epoch.go

@@ -12,14 +12,16 @@ import (
 	"github.com/spf13/viper"
 )
 
+const deltaFlag = "delta"
+
 func ForceNewEpochCmd(cmd *cobra.Command, _ []string) error {
 	wCtx, err := helper.NewInitializeContext(cmd, viper.GetViper())
 	if err != nil {
-		return fmt.Errorf("can't to initialize context: %w", err)
+		return fmt.Errorf("can't initialize context: %w", err)
 	}
 
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
@@ -30,7 +32,8 @@ func ForceNewEpochCmd(cmd *cobra.Command, _ []string) error {
 	}
 
 	bw := io.NewBufBinWriter()
-	if err := helper.EmitNewEpochCall(bw, wCtx, nmHash); err != nil {
+	delta, _ := cmd.Flags().GetInt64(deltaFlag)
+	if err := helper.EmitNewEpochCall(bw, wCtx, nmHash, delta); err != nil {
 		return err
 	}
 

cmd/frostfs-adm/internal/modules/morph/netmap/netmap_candidates.go

@@ -19,7 +19,7 @@ func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
 	inv := invoker.New(c, nil)
 	r := management.NewReader(inv)
 
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract info: %w", err)
 
 	nmHash, err := helper.NNSResolveHash(inv, cs.Hash, helper.DomainOf(constants.NetmapContract))

cmd/frostfs-adm/internal/modules/morph/netmap/root.go

@@ -35,6 +35,7 @@ func initForceNewEpochCmd() {
 	ForceNewEpoch.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	ForceNewEpoch.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	ForceNewEpoch.Flags().String(commonflags.LocalDumpFlag, "", "Path to the blocks dump file")
+	ForceNewEpoch.Flags().Int64(deltaFlag, 1, "Number of epochs to increase the current epoch")
 }
 
 func init() {

cmd/frostfs-adm/internal/modules/morph/nns/domains.go

@@ -42,3 +42,23 @@ func registerDomain(cmd *cobra.Command, _ []string) {
 	commonCmd.ExitOnErr(cmd, "register domain error: %w", err)
 	cmd.Println("Domain registered successfully")
 }
+
+func initDeleteCmd() {
+	Cmd.AddCommand(deleteCmd)
+	deleteCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	deleteCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
+	deleteCmd.Flags().String(nnsNameFlag, "", nnsNameFlagDesc)
+
+	_ = cobra.MarkFlagRequired(deleteCmd.Flags(), nnsNameFlag)
+}
+
+func deleteDomain(cmd *cobra.Command, _ []string) {
+	c, actor, _ := getRPCClient(cmd)
+
+	name, _ := cmd.Flags().GetString(nnsNameFlag)
+	h, vub, err := c.DeleteDomain(name)
+
+	_, err = actor.Wait(h, vub, err)
+	commonCmd.ExitOnErr(cmd, "delete domain error: %w", err)
+	cmd.Println("Domain deleted successfully")
+}

cmd/frostfs-adm/internal/modules/morph/nns/helper.go

@@ -19,7 +19,7 @@ func getRPCClient(cmd *cobra.Command) (*client.Contract, *helper.LocalActor, uti
 	commonCmd.ExitOnErr(cmd, "can't create actor: %w", err)
 
 	r := management.NewReader(ac.Invoker)
-	nnsCs, err := r.GetContractByID(1)
+	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
 	return client.New(ac, nnsCs.Hash), ac, nnsCs.Hash
 }

cmd/frostfs-adm/internal/modules/morph/nns/record.go

@@ -47,6 +47,19 @@ func initDelRecordsCmd() {
 	_ = cobra.MarkFlagRequired(delRecordsCmd.Flags(), nnsRecordTypeFlag)
 }
 
+func initDelRecordCmd() {
+	Cmd.AddCommand(delRecordCmd)
+	delRecordCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
+	delRecordCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
+	delRecordCmd.Flags().String(nnsNameFlag, "", nnsNameFlagDesc)
+	delRecordCmd.Flags().String(nnsRecordTypeFlag, "", nnsRecordTypeFlagDesc)
+	delRecordCmd.Flags().String(nnsRecordDataFlag, "", nnsRecordDataFlagDesc)
+
+	_ = cobra.MarkFlagRequired(delRecordCmd.Flags(), nnsNameFlag)
+	_ = cobra.MarkFlagRequired(delRecordCmd.Flags(), nnsRecordTypeFlag)
+	_ = cobra.MarkFlagRequired(delRecordCmd.Flags(), nnsRecordDataFlag)
+}
+
 func addRecord(cmd *cobra.Command, _ []string) {
 	c, actor, _ := getRPCClient(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
@@ -115,6 +128,22 @@ func delRecords(cmd *cobra.Command, _ []string) {
 	cmd.Println("Records removed successfully")
 }
 
+func delRecord(cmd *cobra.Command, _ []string) {
+	c, actor, _ := getRPCClient(cmd)
+	name, _ := cmd.Flags().GetString(nnsNameFlag)
+	data, _ := cmd.Flags().GetString(nnsRecordDataFlag)
+	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
+	typ, err := getRecordType(recordType)
+	commonCmd.ExitOnErr(cmd, "unable to parse record type: %w", err)
+	h, vub, err := c.DeleteRecord(name, typ, data)
+	commonCmd.ExitOnErr(cmd, "unable to delete record: %w", err)
+
+	cmd.Println("Waiting for transaction to persist...")
+	_, err = actor.Wait(h, vub, err)
+	commonCmd.ExitOnErr(cmd, "delete records error: %w", err)
+	cmd.Println("Record removed successfully")
+}
+
 func getRecordType(recordType string) (*big.Int, error) {
 	switch strings.ToUpper(recordType) {
 	case "A":

cmd/frostfs-adm/internal/modules/morph/nns/root.go

@@ -42,6 +42,15 @@ var (
 		},
 		Run: registerDomain,
 	}
+	deleteCmd = &cobra.Command{
+		Use:   "delete",
+		Short: "Delete a domain by name",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
+		},
+		Run: deleteDomain,
+	}
 	renewCmd = &cobra.Command{
 		Use:   "renew",
 		Short: "Increases domain expiration date",
@@ -86,14 +95,25 @@ var (
 		},
 		Run: delRecords,
 	}
+	delRecordCmd = &cobra.Command{
+		Use:   "delete-record",
+		Short: "Removes domain record with the specified type and data",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
+			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
+		},
+		Run: delRecord,
+	}
 )
 
 func init() {
 	initTokensCmd()
 	initRegisterCmd()
+	initDeleteCmd()
 	initRenewCmd()
 	initUpdateCmd()
 	initAddRecordCmd()
 	initGetRecordsCmd()
 	initDelRecordsCmd()
+	initDelRecordCmd()
 }

cmd/frostfs-adm/internal/modules/morph/nns/tokens.go

@@ -1,15 +1,25 @@
 package nns
 
 import (
+	"math/big"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
+	client "git.frostfs.info/TrueCloudLab/frostfs-contract/rpcclient/nns"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/spf13/cobra"
 )
 
+const (
+	verboseDesc = "Include additional information about CNAME record."
+)
+
 func initTokensCmd() {
 	Cmd.AddCommand(tokensCmd)
 	tokensCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	tokensCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
+	tokensCmd.Flags().BoolP(commonflags.Verbose, commonflags.VerboseShorthand, false, verboseDesc)
 }
 
 func listTokens(cmd *cobra.Command, _ []string) {
@@ -18,7 +28,39 @@ func listTokens(cmd *cobra.Command, _ []string) {
 	commonCmd.ExitOnErr(cmd, "unable to get tokens: %w", err)
 	for toks, err := it.Next(10); err == nil && len(toks) > 0; toks, err = it.Next(10) {
 		for _, token := range toks {
-			cmd.Println(string(token))
+			output := string(token)
+			if verbose, _ := cmd.Flags().GetBool(commonflags.Verbose); verbose {
+				cname, err := getCnameRecord(c, token)
+				commonCmd.ExitOnErr(cmd, "", err)
+				if cname != "" {
+					output += " (CNAME: " + cname + ")"
+				}
+			}
+			cmd.Println(output)
 		}
 	}
 }
+
+func getCnameRecord(c *client.Contract, token []byte) (string, error) {
+	items, err := c.GetRecords(string(token), big.NewInt(int64(nns.CNAME)))
+
+	// GetRecords returns the error "not an array" if the domain does not contain records.
+	if err != nil && strings.Contains(err.Error(), "not an array") {
+		return "", nil
+	}
+
+	if err != nil {
+		return "", err
+	}
+
+	if len(items) == 0 {
+		return "", nil
+	}
+
+	record, err := items[0].TryBytes()
+	if err != nil {
+		return "", err
+	}
+
+	return string(record), nil
+}

cmd/frostfs-adm/internal/modules/morph/node/remove.go

@@ -37,7 +37,7 @@ func RemoveNodesCmd(cmd *cobra.Command, args []string) error {
 	defer wCtx.Close()
 
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
@@ -53,7 +53,7 @@ func RemoveNodesCmd(cmd *cobra.Command, args []string) error {
 			int64(netmapcontract.NodeStateOffline), nodeKeys[i].Bytes())
 	}
 
-	if err := helper.EmitNewEpochCall(bw, wCtx, nmHash); err != nil {
+	if err := helper.EmitNewEpochCall(bw, wCtx, nmHash, 1); err != nil {
 		return err
 	}
 

cmd/frostfs-adm/internal/modules/morph/notary/notary.go

@@ -1,6 +1,7 @@
 package notary
 
 import (
+	"errors"
 	"fmt"
 	"math/big"
 	"strconv"
@@ -31,6 +32,8 @@ const (
 	notaryDepositTillFlag = "till"
 )
 
+var errInvalidNotaryDepositLifetime = errors.New("notary deposit lifetime must be a positive integer")
+
 func depositNotary(cmd *cobra.Command, _ []string) error {
 	w, err := openWallet(cmd)
 	if err != nil {
@@ -78,7 +81,7 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 	if tillStr != "" {
 		till, err = strconv.ParseInt(tillStr, 10, 64)
 		if err != nil || till <= 0 {
-			return fmt.Errorf("notary deposit lifetime must be a positive integer")
+			return errInvalidNotaryDepositLifetime
 		}
 	}
 

cmd/frostfs-adm/internal/modules/morph/policy/policy.go

@@ -2,6 +2,7 @@ package policy
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
@@ -24,17 +25,19 @@ const (
 	setFeeParam       = "FeePerByte"
 )
 
+var errInvalidParameterFormat = errors.New("invalid parameter format, must be Parameter=Value")
+
 func SetPolicyCmd(cmd *cobra.Command, args []string) error {
 	wCtx, err := helper.NewInitializeContext(cmd, viper.GetViper())
 	if err != nil {
-		return fmt.Errorf("can't to initialize context: %w", err)
+		return fmt.Errorf("can't initialize context: %w", err)
 	}
 
 	bw := io.NewBufBinWriter()
 	for i := range args {
 		k, v, found := strings.Cut(args[i], "=")
 		if !found {
-			return fmt.Errorf("invalid parameter format, must be Parameter=Value")
+			return errInvalidParameterFormat
 		}
 
 		switch k {
@@ -45,7 +48,7 @@ func SetPolicyCmd(cmd *cobra.Command, args []string) error {
 
 		value, err := strconv.ParseUint(v, 10, 32)
 		if err != nil {
-			return fmt.Errorf("can't parse parameter value '%s': %w", args[1], err)
+			return fmt.Errorf("can't parse parameter value '%s': %w", args[i], err)
 		}
 
 		emit.AppCall(bw.BinWriter, policy.Hash, "set"+k, callflag.All, int64(value))

cmd/frostfs-adm/internal/modules/morph/policy/root.go

@@ -16,7 +16,7 @@ var (
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		RunE: SetPolicyCmd,
-		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		ValidArgsFunction: func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
 			return []string{"ExecFeeFactor=", "StoragePrice=", "FeePerByte="}, cobra.ShellCompDirectiveNoSpace
 		},
 	}

cmd/frostfs-adm/internal/modules/morph/proxy/proxy.go

@@ -39,11 +39,11 @@ func removeProxyAccount(cmd *cobra.Command, _ []string) {
 func processAccount(cmd *cobra.Command, addr util.Uint160, method string) error {
 	wCtx, err := helper.NewInitializeContext(cmd, viper.GetViper())
 	if err != nil {
-		return fmt.Errorf("can't to initialize context: %w", err)
+		return fmt.Errorf("can't initialize context: %w", err)
 	}
 
 	r := management.NewReader(wCtx.ReadOnlyInvoker)
-	cs, err := r.GetContractByID(1)
+	cs, err := helper.GetContractByID(r, 1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/proxy/root.go

@@ -30,11 +30,13 @@ var (
 func initProxyAddAccount() {
 	AddAccountCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	AddAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
+	AddAccountCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initProxyRemoveAccount() {
 	RemoveAccountCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	RemoveAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
+	RemoveAccountCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func init() {

cmd/frostfs-adm/internal/modules/root.go

@@ -5,6 +5,7 @@ import (
 
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/metabase"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/storagecfg"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/misc"
@@ -41,6 +42,7 @@ func init() {
 	rootCmd.AddCommand(config.RootCmd)
 	rootCmd.AddCommand(morph.RootCmd)
 	rootCmd.AddCommand(storagecfg.RootCmd)
+	rootCmd.AddCommand(metabase.RootCmd)
 
 	rootCmd.AddCommand(autocomplete.Command("frostfs-adm"))
 	rootCmd.AddCommand(gendoc.Command(rootCmd, gendoc.Options{}))

cmd/frostfs-adm/internal/modules/storagecfg/config.go

@@ -61,6 +61,8 @@ storage:
           depth: 1  # max depth of object tree storage in key-value DB
           width: 4   # max width of object tree storage in key-value DB
           opened_cache_capacity: 50  # maximum number of opened database files
+          opened_cache_ttl: 5m  # ttl for opened database file
+          opened_cache_exp_interval: 15s  # cache cleanup interval for expired blobovnicza's
 
       gc:
         remover_batch_size: 200  # number of objects to be removed by the garbage collector

cmd/frostfs-cli/internal/client/client.go

@@ -2,10 +2,13 @@ package internal
 
 import (
 	"bytes"
+	"cmp"
 	"context"
 	"errors"
 	"fmt"
 	"io"
+	"os"
+	"slices"
 	"sort"
 	"strings"
 
@@ -14,13 +17,14 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	containerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
 )
 
+var errMissingHeaderInResponse = errors.New("missing header in response")
+
 // BalanceOfPrm groups parameters of BalanceOf operation.
 type BalanceOfPrm struct {
 	commonPrm
@@ -187,54 +191,6 @@ func DeleteContainer(ctx context.Context, prm DeleteContainerPrm) (res DeleteCon
 	return
 }
 
-// EACLPrm groups parameters of EACL operation.
-type EACLPrm struct {
-	Client       *client.Client
-	ClientParams client.PrmContainerEACL
-}
-
-// EACLRes groups the resulting values of EACL operation.
-type EACLRes struct {
-	cliRes *client.ResContainerEACL
-}
-
-// EACL returns requested eACL table.
-func (x EACLRes) EACL() eacl.Table {
-	return x.cliRes.Table()
-}
-
-// EACL reads eACL table from FrostFS by container ID.
-//
-// Returns any error which prevented the operation from completing correctly in error return.
-func EACL(ctx context.Context, prm EACLPrm) (res EACLRes, err error) {
-	res.cliRes, err = prm.Client.ContainerEACL(ctx, prm.ClientParams)
-
-	return
-}
-
-// SetEACLPrm groups parameters of SetEACL operation.
-type SetEACLPrm struct {
-	Client       *client.Client
-	ClientParams client.PrmContainerSetEACL
-}
-
-// SetEACLRes groups the resulting values of SetEACL operation.
-type SetEACLRes struct{}
-
-// SetEACL requests to save an eACL table in FrostFS.
-//
-// Operation is asynchronous and no guaranteed even in the absence of errors.
-// The required time is also not predictable.
-//
-// Success can be verified by reading by container identifier.
-//
-// Returns any error which prevented the operation from completing correctly in error return.
-func SetEACL(ctx context.Context, prm SetEACLPrm) (res SetEACLRes, err error) {
-	_, err = prm.Client.ContainerSetEACL(ctx, prm.ClientParams)
-
-	return
-}
-
 // NetworkInfoPrm groups parameters of NetworkInfo operation.
 type NetworkInfoPrm struct {
 	Client       *client.Client
@@ -353,7 +309,7 @@ type PutObjectPrm struct {
 
 	rdr io.Reader
 
-	headerCallback func(*objectSDK.Object)
+	headerCallback func()
 
 	prepareLocally bool
 }
@@ -370,7 +326,7 @@ func (x *PutObjectPrm) SetPayloadReader(rdr io.Reader) {
 
 // SetHeaderCallback sets callback which is called on the object after the header is received
 // but before the payload is written.
-func (x *PutObjectPrm) SetHeaderCallback(f func(*objectSDK.Object)) {
+func (x *PutObjectPrm) SetHeaderCallback(f func()) {
 	x.headerCallback = f
 }
 
@@ -439,7 +395,7 @@ func PutObject(ctx context.Context, prm PutObjectPrm) (*PutObjectRes, error) {
 
 	if wrt.WriteHeader(ctx, *prm.hdr) {
 		if prm.headerCallback != nil {
-			prm.headerCallback(prm.hdr)
+			prm.headerCallback()
 		}
 
 		sz := prm.hdr.PayloadSize()
@@ -609,13 +565,6 @@ type HeadObjectPrm struct {
 	commonObjectPrm
 	objectAddressPrm
 	rawPrm
-
-	mainOnly bool
-}
-
-// SetMainOnlyFlag sets flag to get only main fields of an object header in terms of FrostFS API.
-func (x *HeadObjectPrm) SetMainOnlyFlag(v bool) {
-	x.mainOnly = v
 }
 
 // HeadObjectRes groups the resulting values of HeadObject operation.
@@ -654,7 +603,7 @@ func HeadObject(ctx context.Context, prm HeadObjectPrm) (*HeadObjectRes, error)
 	var hdr objectSDK.Object
 
 	if !res.ReadHeader(&hdr) {
-		return nil, fmt.Errorf("missing header in response")
+		return nil, errMissingHeaderInResponse
 	}
 
 	return &HeadObjectRes{
@@ -710,9 +659,7 @@ func SearchObjects(ctx context.Context, prm SearchObjectsPrm) (*SearchObjectsRes
 
 	for {
 		n, ok = rdr.Read(buf)
-		for i := 0; i < n; i++ {
+		list = append(list, buf[:n]...)
-			list = append(list, buf[i])
-		}
 		if !ok {
 			break
 		}
@@ -890,3 +837,65 @@ func SyncContainerSettings(ctx context.Context, prm SyncContainerPrm) (*SyncCont
 
 	return new(SyncContainerRes), nil
 }
+
+// PatchObjectPrm groups parameters of PatchObject operation.
+type PatchObjectPrm struct {
+	commonObjectPrm
+	objectAddressPrm
+
+	NewAttributes []objectSDK.Attribute
+
+	ReplaceAttribute bool
+
+	PayloadPatches []PayloadPatch
+}
+
+type PayloadPatch struct {
+	Range objectSDK.Range
+
+	PayloadPath string
+}
+
+type PatchRes struct {
+	OID oid.ID
+}
+
+func Patch(ctx context.Context, prm PatchObjectPrm) (*PatchRes, error) {
+	patchPrm := client.PrmObjectPatch{
+		XHeaders:    prm.xHeaders,
+		BearerToken: prm.bearerToken,
+		Session:     prm.sessionToken,
+		Address:     prm.objAddr,
+	}
+
+	slices.SortFunc(prm.PayloadPatches, func(a, b PayloadPatch) int {
+		return cmp.Compare(a.Range.GetOffset(), b.Range.GetOffset())
+	})
+
+	patcher, err := prm.cli.ObjectPatchInit(ctx, patchPrm)
+	if err != nil {
+		return nil, fmt.Errorf("init payload reading: %w", err)
+	}
+
+	if patcher.PatchAttributes(ctx, prm.NewAttributes, prm.ReplaceAttribute) {
+		for _, pp := range prm.PayloadPatches {
+			payloadFile, err := os.OpenFile(pp.PayloadPath, os.O_RDONLY, os.ModePerm)
+			if err != nil {
+				return nil, err
+			}
+			applied := patcher.PatchPayload(ctx, &pp.Range, payloadFile)
+			_ = payloadFile.Close()
+			if !applied {
+				break
+			}
+		}
+	}
+
+	res, err := patcher.Close(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &PatchRes{
+		OID: res.ObjectID(),
+	}, nil
+}

cmd/frostfs-cli/internal/client/sdk.go

@@ -58,6 +58,7 @@ func GetSDKClient(ctx context.Context, cmd *cobra.Command, key *ecdsa.PrivateKey
 		GRPCDialOptions: []grpc.DialOption{
 			grpc.WithChainUnaryInterceptor(tracing.NewUnaryClientInteceptor()),
 			grpc.WithChainStreamInterceptor(tracing.NewStreamClientInterceptor()),
+			grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
 		},
 	}
 	if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {

cmd/frostfs-cli/internal/commonflags/flags.go

@@ -11,9 +11,9 @@ import (
 // values and their usage descriptions.
 const (
 	GenerateKey          = "generate-key"
-	generateKeyShorthand = "g"
+	GenerateKeyShorthand = "g"
-	generateKeyDefault   = false
+	GenerateKeyDefault   = false
-	generateKeyUsage     = "Generate new private key"
+	GenerateKeyUsage     = "Generate new private key"
 
 	WalletPath          = "wallet"
 	WalletPathShorthand = "w"
@@ -50,6 +50,13 @@ const (
 
 	TracingFlag      = "trace"
 	TracingFlagUsage = "Generate trace ID and print it."
+
+	AwaitFlag      = "await"
+	AwaitFlagUsage = "Wait for the operation to complete"
+
+	QuietFlag          = "quiet"
+	QuietFlagShorthand = "q"
+	QuietFlagUsage     = "Print nothing and exit with non-zero code on failure"
 )
 
 // Init adds common flags to the command:
@@ -72,7 +79,7 @@ func Init(cmd *cobra.Command) {
 func InitWithoutRPC(cmd *cobra.Command) {
 	ff := cmd.Flags()
 
-	ff.BoolP(GenerateKey, generateKeyShorthand, generateKeyDefault, generateKeyUsage)
+	ff.BoolP(GenerateKey, GenerateKeyShorthand, GenerateKeyDefault, GenerateKeyUsage)
 	ff.StringP(WalletPath, WalletPathShorthand, WalletPathDefault, WalletPathUsage)
 	ff.StringP(Account, AccountShorthand, AccountDefault, AccountUsage)
 }

cmd/frostfs-cli/internal/key/key_test.go

@@ -24,6 +24,8 @@ var testCmd = &cobra.Command{
 }
 
 func Test_getOrGenerate(t *testing.T) {
+	t.Cleanup(viper.Reset)
+
 	dir := t.TempDir()
 
 	wallPath := filepath.Join(dir, "wallet.json")

cmd/frostfs-cli/modules/accounting/balance.go

@@ -23,7 +23,7 @@ var accountingBalanceCmd = &cobra.Command{
 	Use:   "balance",
 	Short: "Get internal balance of FrostFS account",
 	Long:  `Get internal balance of FrostFS account`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		var idUser user.ID
 
 		pk := key.GetOrGenerate(cmd)

cmd/frostfs-cli/modules/accounting/root.go

@@ -11,7 +11,7 @@ var Cmd = &cobra.Command{
 	Use:   "accounting",
 	Short: "Operations with accounts and balances",
 	Long:  `Operations with accounts and balances`,
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+	PersistentPreRun: func(cmd *cobra.Command, _ []string) {
 		flags := cmd.Flags()
 
 		_ = viper.BindPFlag(commonflags.WalletPath, flags.Lookup(commonflags.WalletPath))

cmd/frostfs-cli/modules/ape_manager/add_chain.go

@@ -0,0 +1,138 @@
+package apemanager
+
+import (
+	"encoding/hex"
+	"errors"
+
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	apeSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
+	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/spf13/cobra"
+)
+
+const (
+	chainIDFlag    = "chain-id"
+	chainIDHexFlag = "chain-id-hex"
+	ruleFlag       = "rule"
+	pathFlag       = "path"
+)
+
+const (
+	targetNameFlag = "target-name"
+	targetNameDesc = "Resource name in APE resource name format"
+	targetTypeFlag = "target-type"
+	targetTypeDesc = "Resource type(container/namespace)"
+)
+
+const (
+	namespaceTarget = "namespace"
+	containerTarget = "container"
+	userTarget      = "user"
+	groupTarget     = "group"
+)
+
+var errUnknownTargetType = errors.New("unknown target type")
+
+var addCmd = &cobra.Command{
+	Use:   "add",
+	Short: "Add rule chain for a target",
+	Run:   add,
+	PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+		commonflags.Bind(cmd)
+	},
+}
+
+func parseTarget(cmd *cobra.Command) (ct apeSDK.ChainTarget) {
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
+	name, _ := cmd.Flags().GetString(targetNameFlag)
+
+	ct.Name = name
+
+	switch typ {
+	case namespaceTarget:
+		ct.TargetType = apeSDK.TargetTypeNamespace
+	case containerTarget:
+		var cnr cid.ID
+		commonCmd.ExitOnErr(cmd, "can't decode container ID: %w", cnr.DecodeString(name))
+		ct.TargetType = apeSDK.TargetTypeContainer
+	case userTarget:
+		ct.TargetType = apeSDK.TargetTypeUser
+	case groupTarget:
+		ct.TargetType = apeSDK.TargetTypeGroup
+	default:
+		commonCmd.ExitOnErr(cmd, "read target type error: %w", errUnknownTargetType)
+	}
+	return ct
+}
+
+func parseChain(cmd *cobra.Command) apeSDK.Chain {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+
+	chainIDRaw := []byte(chainID)
+
+	if hexEncoded {
+		var err error
+		chainIDRaw, err = hex.DecodeString(chainID)
+		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
+	}
+
+	chain := new(apechain.Chain)
+	chain.ID = apechain.ID(chainIDRaw)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", util.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", util.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errors.New("rule is not passed"))
+	}
+
+	cmd.Println("Parsed chain:")
+	util.PrintHumanReadableAPEChain(cmd, chain)
+
+	serialized := chain.Bytes()
+	return apeSDK.Chain{
+		Raw: serialized,
+	}
+}
+
+func add(cmd *cobra.Command, _ []string) {
+	c := parseChain(cmd)
+
+	target := parseTarget(cmd)
+
+	key := key.Get(cmd)
+	cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
+
+	res, err := cli.APEManagerAddChain(cmd.Context(), client_sdk.PrmAPEManagerAddChain{
+		ChainTarget: target,
+		Chain:       c,
+	})
+
+	commonCmd.ExitOnErr(cmd, "add chain error: %w", err)
+
+	cmd.Println("Rule has been added.")
+	cmd.Println("Chain ID: ", string(res.ChainID))
+}
+
+func initAddCmd() {
+	commonflags.Init(addCmd)
+
+	ff := addCmd.Flags()
+	ff.StringArray(ruleFlag, []string{}, "Rule statement")
+	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
+	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
+	ff.String(targetNameFlag, "", targetNameDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
+	_ = addCmd.MarkFlagRequired(targetTypeFlag)
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
+
+	addCmd.MarkFlagsMutuallyExclusive(pathFlag, ruleFlag)
+}

cmd/frostfs-cli/modules/ape_manager/list_chain.go

@@ -0,0 +1,49 @@
+package apemanager
+
+import (
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	apeutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/spf13/cobra"
+)
+
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List rule chains defined on target",
+	Run:   list,
+	PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+		commonflags.Bind(cmd)
+	},
+}
+
+func list(cmd *cobra.Command, _ []string) {
+	target := parseTarget(cmd)
+
+	key := key.Get(cmd)
+	cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
+
+	resp, err := cli.APEManagerListChains(cmd.Context(),
+		client_sdk.PrmAPEManagerListChains{
+			ChainTarget: target,
+		})
+	commonCmd.ExitOnErr(cmd, "list chains call error: %w", err)
+
+	for _, respChain := range resp.Chains {
+		var chain apechain.Chain
+		commonCmd.ExitOnErr(cmd, "decode error: %w", chain.DecodeBytes(respChain.Raw))
+		apeutil.PrintHumanReadableAPEChain(cmd, &chain)
+	}
+}
+
+func initListCmd() {
+	commonflags.Init(listCmd)
+
+	ff := listCmd.Flags()
+	ff.String(targetNameFlag, "", targetNameDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
+	_ = listCmd.MarkFlagRequired(targetTypeFlag)
+}

cmd/frostfs-cli/modules/ape_manager/remove_chain.go

@@ -0,0 +1,66 @@
+package apemanager
+
+import (
+	"encoding/hex"
+	"errors"
+
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	client_sdk "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	"github.com/spf13/cobra"
+)
+
+var (
+	errEmptyChainID = errors.New("chain id cannot be empty")
+
+	removeCmd = &cobra.Command{
+		Use:   "remove",
+		Short: "Remove rule chain for a target",
+		Run:   remove,
+		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+			commonflags.Bind(cmd)
+		},
+	}
+)
+
+func remove(cmd *cobra.Command, _ []string) {
+	target := parseTarget(cmd)
+
+	key := key.Get(cmd)
+	cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
+
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w", errEmptyChainID)
+	}
+	chainIDRaw := []byte(chainID)
+
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+	if hexEncoded {
+		var err error
+		chainIDRaw, err = hex.DecodeString(chainID)
+		commonCmd.ExitOnErr(cmd, "can't decode chain ID as hex: %w", err)
+	}
+
+	_, err := cli.APEManagerRemoveChain(cmd.Context(), client_sdk.PrmAPEManagerRemoveChain{
+		ChainTarget: target,
+		ChainID:     chainIDRaw,
+	})
+
+	commonCmd.ExitOnErr(cmd, "remove chain error: %w", err)
+
+	cmd.Println("\nRule has been removed.")
+}
+
+func initRemoveCmd() {
+	commonflags.Init(removeCmd)
+
+	ff := removeCmd.Flags()
+	ff.String(targetNameFlag, "", targetNameDesc)
+	ff.String(targetTypeFlag, "", targetTypeDesc)
+	_ = removeCmd.MarkFlagRequired(targetTypeFlag)
+	ff.String(chainIDFlag, "", "Chain id")
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
+}

cmd/frostfs-cli/modules/ape_manager/root.go

@@ -0,0 +1,21 @@
+package apemanager
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var Cmd = &cobra.Command{
+	Use:   "ape-manager",
+	Short: "Operations with APE manager",
+	Long:  `Operations with APE manager`,
+}
+
+func init() {
+	Cmd.AddCommand(addCmd)
+	Cmd.AddCommand(removeCmd)
+	Cmd.AddCommand(listCmd)
+
+	initAddCmd()
+	initRemoveCmd()
+	initListCmd()
+}

cmd/frostfs-cli/modules/bearer/create.go

@@ -15,10 +15,12 @@ import (
 	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 )
 
 const (
 	eaclFlag           = "eacl"
+	apeFlag            = "ape"
 	issuedAtFlag       = "issued-at"
 	notValidBeforeFlag = "not-valid-before"
 	ownerFlag          = "owner"
@@ -37,10 +39,17 @@ In this case --` + commonflags.RPC + ` flag should be specified and the epoch in
 is set to current epoch + n.
 `,
 	Run: createToken,
+	PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+		ff := cmd.Flags()
+
+		_ = viper.BindPFlag(commonflags.WalletPath, ff.Lookup(commonflags.WalletPath))
+		_ = viper.BindPFlag(commonflags.Account, ff.Lookup(commonflags.Account))
+	},
 }
 
 func init() {
-	createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table (mutually exclusive with --impersonate flag)")
+	createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table (mutually exclusive with --impersonate and --ape flag)")
+	createCmd.Flags().StringP(apeFlag, "a", "", "Path to the JSON-encoded APE override (mutually exclusive with --impersonate and --eacl flag)")
 	createCmd.Flags().StringP(issuedAtFlag, "i", "+0", "Epoch to issue token at")
 	createCmd.Flags().StringP(notValidBeforeFlag, "n", "+0", "Not valid before epoch")
 	createCmd.Flags().StringP(commonflags.ExpireAt, "x", "", "The last active epoch for the token")
@@ -49,13 +58,15 @@ func init() {
 	createCmd.Flags().Bool(jsonFlag, false, "Output token in JSON")
 	createCmd.Flags().Bool(impersonateFlag, false, "Mark token as impersonate to consider the token signer as the request owner (mutually exclusive with --eacl flag)")
 	createCmd.Flags().StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+	createCmd.Flags().StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
+	createCmd.Flags().StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
 
-	createCmd.MarkFlagsMutuallyExclusive(eaclFlag, impersonateFlag)
+	createCmd.MarkFlagsMutuallyExclusive(eaclFlag, apeFlag, impersonateFlag)
 
 	_ = cobra.MarkFlagFilename(createCmd.Flags(), eaclFlag)
+	_ = cobra.MarkFlagFilename(createCmd.Flags(), apeFlag)
 
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), commonflags.ExpireAt)
-	_ = cobra.MarkFlagRequired(createCmd.Flags(), ownerFlag)
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), outFlag)
 }
 
@@ -96,16 +107,16 @@ func createToken(cmd *cobra.Command, _ []string) {
 			fmt.Errorf("expiration epoch is less than not-valid-before epoch: %d < %d", exp, nvb))
 	}
 
-	ownerStr, _ := cmd.Flags().GetString(ownerFlag)
-
-	var ownerID user.ID
-	commonCmd.ExitOnErr(cmd, "can't parse recipient: %w", ownerID.DecodeString(ownerStr))
-
 	var b bearer.Token
 	b.SetExp(exp)
 	b.SetNbf(nvb)
 	b.SetIat(iat)
-	b.ForUser(ownerID)
+
+	if ownerStr, _ := cmd.Flags().GetString(ownerFlag); ownerStr != "" {
+		var ownerID user.ID
+		commonCmd.ExitOnErr(cmd, "can't parse recipient: %w", ownerID.DecodeString(ownerStr))
+		b.ForUser(ownerID)
+	}
 
 	impersonate, _ := cmd.Flags().GetBool(impersonateFlag)
 	b.SetImpersonate(impersonate)
@@ -119,6 +130,14 @@ func createToken(cmd *cobra.Command, _ []string) {
 		b.SetEACLTable(*table)
 	}
 
+	apePath, _ := cmd.Flags().GetString(apeFlag)
+	if apePath != "" {
+		var apeOverride bearer.APEOverride
+		raw, err := os.ReadFile(apePath)
+		commonCmd.ExitOnErr(cmd, "can't read APE rules: %w", err)
+		commonCmd.ExitOnErr(cmd, "can't parse APE rules: %w", json.Unmarshal(raw, &apeOverride))
+		b.SetAPEOverride(apeOverride)
+	}
 	var data []byte
 
 	toJSON, _ := cmd.Flags().GetBool(jsonFlag)

cmd/frostfs-cli/modules/bearer/generate_override.go

@@ -0,0 +1,115 @@
+package bearer
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	apeSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/ape"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	cidSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/spf13/cobra"
+)
+
+var (
+	errChainIDCannotBeEmpty = errors.New("chain id cannot be empty")
+	errRuleIsNotParsed      = errors.New("rule is not passed")
+)
+
+const (
+	chainIDFlag    = "chain-id"
+	chainIDHexFlag = "chain-id-hex"
+	ruleFlag       = "rule"
+	pathFlag       = "path"
+	outputFlag     = "output"
+)
+
+var generateAPEOverrideCmd = &cobra.Command{
+	Use:   "generate-ape-override",
+	Short: "Generate APE override.",
+	Long: `Generate APE override by target and APE chains. Util command.
+
+Generated APE override can be dumped to a file in JSON format that is passed to
+"create" command.
+`,
+	Run: genereateAPEOverride,
+}
+
+func genereateAPEOverride(cmd *cobra.Command, _ []string) {
+	c := parseChain(cmd)
+
+	targetCID, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+	var cid cidSDK.ID
+	commonCmd.ExitOnErr(cmd, "invalid cid format: %w", cid.DecodeString(targetCID))
+
+	override := &bearer.APEOverride{
+		Target: apeSDK.ChainTarget{
+			TargetType: apeSDK.TargetTypeContainer,
+			Name:       targetCID,
+		},
+		Chains: []apeSDK.Chain{
+			{
+				Raw: c.Bytes(),
+			},
+		},
+	}
+
+	overrideMarshalled, err := override.MarshalJSON()
+	commonCmd.ExitOnErr(cmd, "failed to marshal APE override: %w", err)
+
+	outputPath, _ := cmd.Flags().GetString(outputFlag)
+	if outputPath != "" {
+		err := os.WriteFile(outputPath, []byte(overrideMarshalled), 0o644)
+		commonCmd.ExitOnErr(cmd, "dump error: %w", err)
+	} else {
+		fmt.Print("\n")
+		fmt.Println(string(overrideMarshalled))
+	}
+}
+
+func init() {
+	ff := generateAPEOverrideCmd.Flags()
+
+	ff.StringP(commonflags.CIDFlag, "", "", "Target container ID.")
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), commonflags.CIDFlag)
+
+	ff.StringArray(ruleFlag, []string{}, "Rule statement")
+	ff.String(pathFlag, "", "Path to encoded chain in JSON or binary format")
+	ff.String(chainIDFlag, "", "Assign ID to the parsed chain")
+	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
+
+	ff.String(outputFlag, "", "Output path to dump result JSON-encoded APE override")
+	_ = cobra.MarkFlagFilename(createCmd.Flags(), outputFlag)
+}
+
+func parseChainID(cmd *cobra.Command) apechain.ID {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w",
+			errChainIDCannotBeEmpty)
+	}
+	return apechain.ID(chainID)
+}
+
+func parseChain(cmd *cobra.Command) *apechain.Chain {
+	chain := new(apechain.Chain)
+
+	if rules, _ := cmd.Flags().GetStringArray(ruleFlag); len(rules) > 0 {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", parseutil.ParseAPEChain(chain, rules))
+	} else if encPath, _ := cmd.Flags().GetString(pathFlag); encPath != "" {
+		commonCmd.ExitOnErr(cmd, "decode binary or json error: %w", parseutil.ParseAPEChainBinaryOrJSON(chain, encPath))
+	} else {
+		commonCmd.ExitOnErr(cmd, "parser error: %w", errRuleIsNotParsed)
+	}
+
+	chain.ID = parseChainID(cmd)
+
+	cmd.Println("Parsed chain:")
+	parseutil.PrintHumanReadableAPEChain(cmd, chain)
+
+	return chain
+}

cmd/frostfs-cli/modules/bearer/root.go

@@ -11,4 +11,5 @@ var Cmd = &cobra.Command{
 
 func init() {
 	Cmd.AddCommand(createCmd)
+	Cmd.AddCommand(generateAPEOverrideCmd)
 }

cmd/frostfs-cli/modules/container/create.go

@@ -38,7 +38,7 @@ var createContainerCmd = &cobra.Command{
 	Short: "Create new container",
 	Long: `Create new container and register it in the FrostFS.
 It will be stored in sidechain when inner ring will accepts it.`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		placementPolicy, err := parseContainerPolicy(cmd, containerPolicy)
 		commonCmd.ExitOnErr(cmd, "", err)
 
@@ -58,13 +58,27 @@ It will be stored in sidechain when inner ring will accepts it.`,
 				"use --force option to skip this check: %w", err)
 
 			for i, nodes := range nodesByRep {
-				if placementPolicy.ReplicaNumberByIndex(i) > uint32(len(nodes)) {
+				if repNum := placementPolicy.ReplicaDescriptor(i).NumberOfObjects(); repNum > 0 {
-					commonCmd.ExitOnErr(cmd, "", fmt.Errorf(
+					if repNum > uint32(len(nodes)) {
-						"the number of nodes '%d' in selector is not enough for the number of replicas '%d', "+
+						commonCmd.ExitOnErr(cmd, "", fmt.Errorf(
-							"use --force option to skip this check",
+							"the number of nodes '%d' in selector is not enough for the number of replicas '%d', "+
-						len(nodes),
+								"use --force option to skip this check",
-						placementPolicy.ReplicaNumberByIndex(i),
+							len(nodes),
-					))
+							repNum,
+						))
+					}
+				} else if ecParts := placementPolicy.ReplicaDescriptor(i).TotalECPartCount(); ecParts > 0 {
+					if ecParts > uint32(len(nodes)) {
+						commonCmd.ExitOnErr(cmd, "", fmt.Errorf(
+							"the number of nodes '%d' in selector is not enough for EC placement '%d.%d', "+
+								"use --force option to skip this check",
+							len(nodes),
+							placementPolicy.ReplicaDescriptor(i).GetECDataCount(),
+							placementPolicy.ReplicaDescriptor(i).GetECParityCount(),
+						))
+					}
+				} else {
+					commonCmd.ExitOnErr(cmd, "%w", errors.New("no replication policy is set"))
 				}
 			}
 		}
@@ -125,7 +139,7 @@ It will be stored in sidechain when inner ring will accepts it.`,
 				},
 			}
 
-			for i := 0; i < awaitTimeout; i++ {
+			for range awaitTimeout {
 				time.Sleep(1 * time.Second)
 
 				_, err := internalclient.GetContainer(cmd.Context(), getPrm)

cmd/frostfs-cli/modules/container/delete.go

@@ -20,7 +20,7 @@ var deleteContainerCmd = &cobra.Command{
 	Short: "Delete existing container",
 	Long: `Delete existing container.
 Only owner of the container has a permission to remove container.`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		id := parseContainerID(cmd)
 
 		tok := getSession(cmd)
@@ -110,7 +110,7 @@ Only owner of the container has a permission to remove container.`,
 				},
 			}
 
-			for i := 0; i < awaitTimeout; i++ {
+			for range awaitTimeout {
 				time.Sleep(1 * time.Second)
 
 				_, err := internalclient.GetContainer(cmd.Context(), getPrm)

cmd/frostfs-cli/modules/container/get.go

@@ -33,7 +33,7 @@ var getContainerInfoCmd = &cobra.Command{
 	Use:   "get",
 	Short: "Get container field info",
 	Long:  `Get container field info`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		cnr, _ := getContainer(cmd)
 
 		prettyPrintContainer(cmd, cnr, containerJSON)

cmd/frostfs-cli/modules/container/get_eacl.go

@@ -1,68 +0,0 @@
-package container
-
-import (
-	"os"
-
-	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
-	"github.com/spf13/cobra"
-)
-
-var getExtendedACLCmd = &cobra.Command{
-	Use:   "get-eacl",
-	Short: "Get extended ACL table of container",
-	Long:  `Get extended ACL table of container`,
-	Run: func(cmd *cobra.Command, args []string) {
-		id := parseContainerID(cmd)
-		pk := key.GetOrGenerate(cmd)
-		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
-
-		eaclPrm := internalclient.EACLPrm{
-			Client: cli,
-			ClientParams: client.PrmContainerEACL{
-				ContainerID: &id,
-			},
-		}
-
-		res, err := internalclient.EACL(cmd.Context(), eaclPrm)
-		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
-
-		eaclTable := res.EACL()
-
-		if containerPathTo == "" {
-			cmd.Println("eACL: ")
-			common.PrettyPrintJSON(cmd, &eaclTable, "eACL")
-
-			return
-		}
-
-		var data []byte
-
-		if containerJSON {
-			data, err = eaclTable.MarshalJSON()
-			commonCmd.ExitOnErr(cmd, "can't encode to JSON: %w", err)
-		} else {
-			data, err = eaclTable.Marshal()
-			commonCmd.ExitOnErr(cmd, "can't encode to binary: %w", err)
-		}
-
-		cmd.Println("dumping data to file:", containerPathTo)
-
-		err = os.WriteFile(containerPathTo, data, 0o644)
-		commonCmd.ExitOnErr(cmd, "could not write eACL to file: %w", err)
-	},
-}
-
-func initContainerGetEACLCmd() {
-	commonflags.Init(getExtendedACLCmd)
-
-	flags := getExtendedACLCmd.Flags()
-
-	flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
-	flags.StringVar(&containerPathTo, "to", "", "Path to dump encoded container (default: binary encoded)")
-	flags.BoolVar(&containerJSON, commonflags.JSON, false, "Encode EACL table in json format")
-}

cmd/frostfs-cli/modules/container/list.go

@@ -1,9 +1,6 @@
 package container
 
 import (
-	"strings"
-
-	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
@@ -18,6 +15,8 @@ const (
 	flagListPrintAttr      = "with-attr"
 	flagListContainerOwner = "owner"
 	flagListName           = "name"
+
+	generateKeyContainerUsage = commonflags.GenerateKeyUsage + ", should be used with --owner flag"
 )
 
 // flag vars of list command.
@@ -31,9 +30,14 @@ var listContainersCmd = &cobra.Command{
 	Use:   "list",
 	Short: "List all created containers",
 	Long:  "List all created containers",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		var idUser user.ID
 
+		generateKey, _ := cmd.Flags().GetBool(commonflags.GenerateKey)
+		if flagVarListContainerOwner == "" && generateKey {
+			cmd.PrintErrln("WARN: using -g without --owner - output will be empty")
+		}
+
 		key := key.GetOrGenerate(cmd)
 
 		if flagVarListContainerOwner == "" {
@@ -63,7 +67,6 @@ var listContainersCmd = &cobra.Command{
 				continue
 			}
 
-			cnrID := cnrID
 			prmGet.ClientParams.ContainerID = &cnrID
 			res, err := internalclient.GetContainer(cmd.Context(), prmGet)
 			if err != nil {
@@ -78,12 +81,8 @@ var listContainersCmd = &cobra.Command{
 			cmd.Println(cnrID.String())
 
 			if flagVarListPrintAttr {
-				cnr.IterateAttributes(func(key, val string) {
+				cnr.IterateUserAttributes(func(key, val string) {
-					if !strings.HasPrefix(key, container.SysAttributePrefix) && !strings.HasPrefix(key, container.SysAttributePrefixNeoFS) {
+					cmd.Printf("  %s: %s\n", key, val)
-						// FIXME(@cthulhu-rider): https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/issues/97
-						//	Use dedicated method to skip system attributes.
-						cmd.Printf("  %s: %s\n", key, val)
-					}
 				})
 			}
 		}
@@ -104,4 +103,5 @@ func initContainerListContainersCmd() {
 	flags.BoolVar(&flagVarListPrintAttr, flagListPrintAttr, false,
 		"Request and print attributes of each container",
 	)
+	flags.Lookup(commonflags.GenerateKey).Usage = generateKeyContainerUsage
 }

cmd/frostfs-cli/modules/container/list_objects.go

@@ -1,9 +1,6 @@
 package container
 
 import (
-	"strings"
-
-	v2object "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
@@ -28,7 +25,7 @@ var listContainerObjectsCmd = &cobra.Command{
 	Use:   "list-objects",
 	Short: "List existing objects in container",
 	Long:  `List existing objects in container`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		id := parseContainerID(cmd)
 
 		filters := new(objectSDK.SearchFilters)
@@ -67,14 +64,8 @@ var listContainerObjectsCmd = &cobra.Command{
 
 				resHead, err := internalclient.HeadObject(cmd.Context(), prmHead)
 				if err == nil {
-					attrs := resHead.Header().Attributes()
+					for _, attr := range resHead.Header().UserAttributes() {
-					for i := range attrs {
+						cmd.Printf("  %s: %s\n", attr.Key(), attr.Value())
-						attrKey := attrs[i].Key()
-						if !strings.HasPrefix(attrKey, v2object.SysAttributePrefix) && !strings.HasPrefix(attrKey, v2object.SysAttributePrefixNeoFS) {
-							// FIXME(@cthulhu-rider): https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/issues/97
-							//	Use dedicated method to skip system attributes.
-							cmd.Printf("  %s: %s\n", attrKey, attrs[i].Value())
-						}
 					}
 				} else {
 					cmd.Printf("  failed to read attributes: %v\n", err)

cmd/frostfs-cli/modules/container/nodes.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"crypto/sha256"
+	"errors"
 
 	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
@@ -19,7 +20,7 @@ var containerNodesCmd = &cobra.Command{
 	Use:   "nodes",
 	Short: "Show nodes for container",
 	Long:  "Show nodes taking part in a container at the current epoch.",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		cnr, pkey := getContainer(cmd)
 
 		if pkey == nil {
@@ -46,7 +47,14 @@ var containerNodesCmd = &cobra.Command{
 		commonCmd.ExitOnErr(cmd, "could not build container nodes for given container: %w", err)
 
 		for i := range cnrNodes {
-			cmd.Printf("Descriptor #%d, REP %d:\n", i+1, policy.ReplicaNumberByIndex(i))
+			if repNum := policy.ReplicaDescriptor(i).NumberOfObjects(); repNum > 0 {
+				cmd.Printf("Descriptor #%d, REP %d:\n", i+1, repNum)
+			} else if ecParts := policy.ReplicaDescriptor(i).TotalECPartCount(); ecParts > 0 {
+				cmd.Printf("Descriptor #%d, EC %d.%d:\n", i+1, policy.ReplicaDescriptor(i).GetECDataCount(),
+					policy.ReplicaDescriptor(i).GetECParityCount())
+			} else {
+				commonCmd.ExitOnErr(cmd, "%w", errors.New("no replication policy is set"))
+			}
 			for j := range cnrNodes[i] {
 				commonCmd.PrettyPrintNodeInfo(cmd, cnrNodes[i][j], j, "\t", short)
 			}

cmd/frostfs-cli/modules/container/policy_playground.go

@@ -20,14 +20,12 @@ import (
 
 type policyPlaygroundREPL struct {
 	cmd   *cobra.Command
-	args  []string
 	nodes map[string]netmap.NodeInfo
 }
 
-func newPolicyPlaygroundREPL(cmd *cobra.Command, args []string) (*policyPlaygroundREPL, error) {
+func newPolicyPlaygroundREPL(cmd *cobra.Command) (*policyPlaygroundREPL, error) {
 	return &policyPlaygroundREPL{
 		cmd:   cmd,
-		args:  args,
 		nodes: map[string]netmap.NodeInfo{},
 	}, nil
 }
@@ -221,8 +219,8 @@ var policyPlaygroundCmd = &cobra.Command{
 	Short: "A REPL for testing placement policies",
 	Long: `A REPL for testing placement policies.
 If a wallet and endpoint is provided, the initial netmap data will be loaded from the snapshot of the node. Otherwise, an empty playground is created.`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
-		repl, err := newPolicyPlaygroundREPL(cmd, args)
+		repl, err := newPolicyPlaygroundREPL(cmd)
 		commonCmd.ExitOnErr(cmd, "could not create policy playground: %w", err)
 		commonCmd.ExitOnErr(cmd, "policy playground failed: %w", repl.run())
 	},

cmd/frostfs-cli/modules/container/root.go

@@ -10,7 +10,7 @@ var Cmd = &cobra.Command{
 	Use:   "container",
 	Short: "Operations with containers",
 	Long:  "Operations with containers",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+	PersistentPreRun: func(cmd *cobra.Command, _ []string) {
 		// bind exactly that cmd's flags to
 		// the viper before execution
 		commonflags.Bind(cmd)
@@ -25,8 +25,6 @@ func init() {
 		deleteContainerCmd,
 		listContainerObjectsCmd,
 		getContainerInfoCmd,
-		getExtendedACLCmd,
-		setExtendedACLCmd,
 		containerNodesCmd,
 		policyPlaygroundCmd,
 	}
@@ -38,8 +36,6 @@ func init() {
 	initContainerDeleteCmd()
 	initContainerListObjectsCmd()
 	initContainerInfoCmd()
-	initContainerGetEACLCmd()
-	initContainerSetEACLCmd()
 	initContainerNodesCmd()
 	initContainerPolicyPlaygroundCmd()
 
@@ -53,7 +49,6 @@ func init() {
 	}{
 		{createContainerCmd, "PUT"},
 		{deleteContainerCmd, "DELETE"},
-		{setExtendedACLCmd, "SETEACL"},
 	} {
 		commonflags.InitSession(el.cmd, "container "+el.verb)
 	}

cmd/frostfs-cli/modules/container/set_eacl.go

@@ -1,108 +0,0 @@
-package container
-
-import (
-	"bytes"
-	"errors"
-	"time"
-
-	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
-	"github.com/spf13/cobra"
-)
-
-var flagVarsSetEACL struct {
-	noPreCheck bool
-
-	srcPath string
-}
-
-var setExtendedACLCmd = &cobra.Command{
-	Use:   "set-eacl",
-	Short: "Set new extended ACL table for container",
-	Long: `Set new extended ACL table for container.
-Container ID in EACL table will be substituted with ID from the CLI.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		id := parseContainerID(cmd)
-		eaclTable := common.ReadEACL(cmd, flagVarsSetEACL.srcPath)
-
-		tok := getSession(cmd)
-
-		eaclTable.SetCID(id)
-
-		pk := key.GetOrGenerate(cmd)
-		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
-
-		if !flagVarsSetEACL.noPreCheck {
-			cmd.Println("Checking the ability to modify access rights in the container...")
-
-			extendable, err := internalclient.IsACLExtendable(cmd.Context(), cli, id)
-			commonCmd.ExitOnErr(cmd, "Extensibility check failure: %w", err)
-
-			if !extendable {
-				commonCmd.ExitOnErr(cmd, "", errors.New("container ACL is immutable"))
-			}
-
-			cmd.Println("ACL extension is enabled in the container, continue processing.")
-		}
-
-		setEACLPrm := internalclient.SetEACLPrm{
-			Client: cli,
-			ClientParams: client.PrmContainerSetEACL{
-				Table:   eaclTable,
-				Session: tok,
-			},
-		}
-
-		_, err := internalclient.SetEACL(cmd.Context(), setEACLPrm)
-		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
-
-		if containerAwait {
-			exp, err := eaclTable.Marshal()
-			commonCmd.ExitOnErr(cmd, "broken EACL table: %w", err)
-
-			cmd.Println("awaiting...")
-
-			getEACLPrm := internalclient.EACLPrm{
-				Client: cli,
-				ClientParams: client.PrmContainerEACL{
-					ContainerID: &id,
-				},
-			}
-
-			for i := 0; i < awaitTimeout; i++ {
-				time.Sleep(1 * time.Second)
-
-				res, err := internalclient.EACL(cmd.Context(), getEACLPrm)
-				if err == nil {
-					// compare binary values because EACL could have been set already
-					table := res.EACL()
-					got, err := table.Marshal()
-					if err != nil {
-						continue
-					}
-
-					if bytes.Equal(exp, got) {
-						cmd.Println("EACL has been persisted on sidechain")
-						return
-					}
-				}
-			}
-
-			commonCmd.ExitOnErr(cmd, "", errSetEACLTimeout)
-		}
-	},
-}
-
-func initContainerSetEACLCmd() {
-	commonflags.Init(setExtendedACLCmd)
-
-	flags := setExtendedACLCmd.Flags()
-	flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
-	flags.StringVar(&flagVarsSetEACL.srcPath, "table", "", "path to file with JSON or binary encoded EACL table")
-	flags.BoolVar(&containerAwait, "await", false, "block execution until EACL is persisted")
-	flags.BoolVar(&flagVarsSetEACL.noPreCheck, "no-precheck", false, "do not pre-check the extensibility of the container ACL")
-}

cmd/frostfs-cli/modules/container/util.go

@@ -18,9 +18,8 @@ const (
 )
 
 var (
-	errCreateTimeout  = errors.New("timeout: container has not been persisted on sidechain")
+	errCreateTimeout = errors.New("timeout: container has not been persisted on sidechain")
-	errDeleteTimeout  = errors.New("timeout: container has not been removed from sidechain")
+	errDeleteTimeout = errors.New("timeout: container has not been removed from sidechain")
-	errSetEACLTimeout = errors.New("timeout: EACL has not been persisted on sidechain")
 )
 
 func parseContainerID(cmd *cobra.Command) cid.ID {

cmd/frostfs-cli/modules/control/add_rule.go

@@ -24,7 +24,7 @@ var addRuleCmd = &cobra.Command{
 	Long:  "Add local APE rule to a node with following format:\n<action>[:action_detail] <operation> [<condition1> ...] <resource>",
 	Example: `control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --rule "allow Object.Get *"
 --rule "deny Object.Get EbxzAdz5LB4uqxuz6crWKAumBNtZyK2rKsqQP7TdZvwr/*"
---rule "deny:QuotaLimitReached Object.Put Object.Resource:Department=HR *"
+--rule "deny:QuotaLimitReached Object.Put ResourceCondition:Department=HR *"
 
 control add-rule --endpoint ... -w ... --address ... --chain-id ChainID --cid ... --path some_chain.json
 `,

cmd/frostfs-cli/modules/control/drop_objects.go

@@ -14,7 +14,7 @@ var dropObjectsCmd = &cobra.Command{
 	Use:   "drop-objects",
 	Short: "Drop objects from the node's local storage",
 	Long:  "Drop objects from the node's local storage",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		pk := key.Get(cmd)
 
 		dropObjectsList, _ := cmd.Flags().GetStringSlice(dropObjectsFlag)

cmd/frostfs-cli/modules/control/evacuation.go

@@ -20,6 +20,10 @@ const (
 	awaitFlag      = "await"
 	noProgressFlag = "no-progress"
 	scopeFlag      = "scope"
+	repOneOnlyFlag = "rep-one-only"
+
+	containerWorkerCountFlag = "container-worker-count"
+	objectWorkerCountFlag    = "object-worker-count"
 
 	scopeAll     = "all"
 	scopeObjects = "objects"
@@ -53,16 +57,29 @@ var stopEvacuationShardCmd = &cobra.Command{
 	Run:   stopEvacuateShardStatus,
 }
 
+var resetEvacuationStatusShardCmd = &cobra.Command{
+	Use:   "reset",
+	Short: "Reset evacuate objects from shard status",
+	Long:  "Reset evacuate objects from shard to other shards status",
+	Run:   resetEvacuateShardStatus,
+}
+
 func startEvacuateShard(cmd *cobra.Command, _ []string) {
 	pk := key.Get(cmd)
 
 	ignoreErrors, _ := cmd.Flags().GetBool(ignoreErrorsFlag)
+	containerWorkerCount, _ := cmd.Flags().GetUint32(containerWorkerCountFlag)
+	objectWorkerCount, _ := cmd.Flags().GetUint32(objectWorkerCountFlag)
+	repOneOnly, _ := cmd.Flags().GetBool(repOneOnlyFlag)
 
 	req := &control.StartShardEvacuationRequest{
 		Body: &control.StartShardEvacuationRequest_Body{
-			Shard_ID:     getShardIDList(cmd),
+			Shard_ID:             getShardIDList(cmd),
-			IgnoreErrors: ignoreErrors,
+			IgnoreErrors:         ignoreErrors,
-			Scope:        getEvacuationScope(cmd),
+			Scope:                getEvacuationScope(cmd),
+			ContainerWorkerCount: containerWorkerCount,
+			ObjectWorkerCount:    objectWorkerCount,
+			RepOneOnly:           repOneOnly,
 		},
 	}
 
@@ -152,6 +169,29 @@ func stopEvacuateShardStatus(cmd *cobra.Command, _ []string) {
 	cmd.Println("Evacuation stopped.")
 }
 
+func resetEvacuateShardStatus(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+	req := &control.ResetShardEvacuationStatusRequest{
+		Body: &control.ResetShardEvacuationStatusRequest_Body{},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.ResetShardEvacuationStatusResponse
+	var err error
+	err = cli.ExecRaw(func(client *client.Client) error {
+		resp, err = control.ResetShardEvacuationStatus(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "Reset shards evacuation status failed, rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	cmd.Println("Shards evacuation status has been reset.")
+}
+
 func waitEvacuateCompletion(cmd *cobra.Command, pk *ecdsa.PrivateKey, cli *clientSDK.Client, printProgress, printCompleted bool) {
 	const statusPollingInterval = 1 * time.Second
 	const reportIntervalSeconds = 5
@@ -323,10 +363,12 @@ func initControlEvacuationShardCmd() {
 	evacuationShardCmd.AddCommand(startEvacuationShardCmd)
 	evacuationShardCmd.AddCommand(getEvacuationShardStatusCmd)
 	evacuationShardCmd.AddCommand(stopEvacuationShardCmd)
+	evacuationShardCmd.AddCommand(resetEvacuationStatusShardCmd)
 
 	initControlStartEvacuationShardCmd()
 	initControlFlags(getEvacuationShardStatusCmd)
 	initControlFlags(stopEvacuationShardCmd)
+	initControlFlags(resetEvacuationStatusShardCmd)
 }
 
 func initControlStartEvacuationShardCmd() {
@@ -339,6 +381,9 @@ func initControlStartEvacuationShardCmd() {
 	flags.String(scopeFlag, scopeAll, fmt.Sprintf("Evacuation scope; possible values: %s, %s, %s", scopeTrees, scopeObjects, scopeAll))
 	flags.Bool(awaitFlag, false, "Block execution until evacuation is completed")
 	flags.Bool(noProgressFlag, false, fmt.Sprintf("Print progress if %s provided", awaitFlag))
+	flags.Uint32(containerWorkerCountFlag, 0, "Count of concurrent container evacuation workers")
+	flags.Uint32(objectWorkerCountFlag, 0, "Count of concurrent object evacuation workers")
+	flags.Bool(repOneOnlyFlag, false, "Evacuate objects only from containers with policy 'REP 1 ...'")
 
 	startEvacuationShardCmd.MarkFlagsMutuallyExclusive(shardIDFlag, shardAllFlag)
 }

cmd/frostfs-cli/modules/control/healthcheck.go

@@ -1,7 +1,10 @@
 package control
 
 import (
+	"os"
+
 	rawclient "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
@@ -24,6 +27,7 @@ func initControlHealthCheckCmd() {
 
 	flags := healthCheckCmd.Flags()
 	flags.Bool(healthcheckIRFlag, false, "Communicate with IR node")
+	flags.BoolP(commonflags.QuietFlag, commonflags.QuietFlagShorthand, false, commonflags.QuietFlagUsage)
 	_ = flags.MarkDeprecated(healthcheckIRFlag, "for health check of inner ring nodes, use the 'control ir healthcheck' command instead.")
 }
 
@@ -50,6 +54,12 @@ func healthCheck(cmd *cobra.Command, args []string) {
 	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
 
 	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+	if quietFlag, _ := cmd.Flags().GetBool(commonflags.QuietFlag); quietFlag {
+		if resp.GetBody().GetHealthStatus() == control.HealthStatus_READY {
+			return
+		}
+		os.Exit(1)
+	}
 
 	cmd.Printf("Network status: %s\n", resp.GetBody().GetNetmapStatus())
 	cmd.Printf("Health status: %s\n", resp.GetBody().GetHealthStatus())

cmd/frostfs-cli/modules/control/ir_healthcheck.go

@@ -1,7 +1,10 @@
 package control
 
 import (
+	"os"
+
 	rawclient "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	ircontrol "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/ir"
@@ -18,6 +21,8 @@ var irHealthCheckCmd = &cobra.Command{
 
 func initControlIRHealthCheckCmd() {
 	initControlFlags(irHealthCheckCmd)
+	flags := irHealthCheckCmd.Flags()
+	flags.BoolP(commonflags.QuietFlag, commonflags.QuietFlagShorthand, false, commonflags.QuietFlagUsage)
 }
 
 func irHealthCheck(cmd *cobra.Command, _ []string) {
@@ -39,6 +44,12 @@ func irHealthCheck(cmd *cobra.Command, _ []string) {
 	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
 
 	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+	if quietFlag, _ := cmd.Flags().GetBool(commonflags.QuietFlag); quietFlag {
+		if resp.GetBody().GetHealthStatus() == ircontrol.HealthStatus_READY {
+			return
+		}
+		os.Exit(1)
+	}
 
 	cmd.Printf("Health status: %s\n", resp.GetBody().GetHealthStatus())
 }

cmd/frostfs-cli/modules/control/list_rules.go

@@ -1,6 +1,7 @@
 package control
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -26,6 +27,8 @@ const (
 	defaultNamespace = "root"
 	namespaceTarget  = "namespace"
 	containerTarget  = "container"
+	userTarget       = "user"
+	groupTarget      = "group"
 )
 
 const (
@@ -35,6 +38,11 @@ const (
 	targetTypeDesc = "Resource type(container/namespace)"
 )
 
+var (
+	errSettingDefaultValueWasDeclined = errors.New("setting default value was declined")
+	errUnknownTargetType              = errors.New("unknown target type")
+)
+
 func parseTarget(cmd *cobra.Command) *control.ChainTarget {
 	typ, _ := cmd.Flags().GetString(targetTypeFlag)
 	name, _ := cmd.Flags().GetString(targetNameFlag)
@@ -45,7 +53,7 @@ func parseTarget(cmd *cobra.Command) *control.ChainTarget {
 			commonCmd.ExitOnErr(cmd, "read line error: %w", err)
 			ln = strings.ToLower(ln)
 			if len(ln) > 0 && (ln[0] == 'n') {
-				commonCmd.ExitOnErr(cmd, "read namespace error: %w", fmt.Errorf("setting default value was declined"))
+				commonCmd.ExitOnErr(cmd, "read namespace error: %w", errSettingDefaultValueWasDeclined)
 			}
 			name = defaultNamespace
 		}
@@ -60,8 +68,18 @@ func parseTarget(cmd *cobra.Command) *control.ChainTarget {
 			Name: name,
 			Type: control.ChainTarget_CONTAINER,
 		}
+	case userTarget:
+		return &control.ChainTarget{
+			Name: name,
+			Type: control.ChainTarget_USER,
+		}
+	case groupTarget:
+		return &control.ChainTarget{
+			Name: name,
+			Type: control.ChainTarget_GROUP,
+		}
 	default:
-		commonCmd.ExitOnErr(cmd, "read target type error: %w", fmt.Errorf("unknown target type"))
+		commonCmd.ExitOnErr(cmd, "read target type error: %w", errUnknownTargetType)
 	}
 	return nil
 }

cmd/frostfs-cli/modules/control/list_targets.go

@@ -13,6 +13,8 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
 	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 const (
@@ -52,6 +54,10 @@ func listTargets(cmd *cobra.Command, _ []string) {
 		resp, err = control.ListTargetsLocalOverrides(client, req)
 		return err
 	})
+	if err != nil && status.Code(err) == codes.NotFound {
+		cmd.Println("Local overrides are not defined for any target.")
+		return
+	}
 	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
 
 	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())

cmd/frostfs-cli/modules/control/rebuild_shards.go

@@ -0,0 +1,88 @@
+package control
+
+import (
+	"fmt"
+
+	rawclient "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
+	"github.com/mr-tron/base58"
+	"github.com/spf13/cobra"
+)
+
+const (
+	fillPercentFlag = "fill_percent"
+)
+
+var shardsRebuildCmd = &cobra.Command{
+	Use:   "rebuild",
+	Short: "Rebuild shards",
+	Long:  "Rebuild reclaims storage occupied by dead objects and adjusts the storage structure according to the configuration (for blobovnicza only now)",
+	Run:   shardsRebuild,
+}
+
+func shardsRebuild(cmd *cobra.Command, _ []string) {
+	pk := key.Get(cmd)
+
+	req := &control.StartShardRebuildRequest{
+		Body: &control.StartShardRebuildRequest_Body{
+			Shard_ID:          getShardIDList(cmd),
+			TargetFillPercent: getFillPercentValue(cmd),
+			ConcurrencyLimit:  getConcurrencyValue(cmd),
+		},
+	}
+
+	signRequest(cmd, pk, req)
+
+	cli := getClient(cmd, pk)
+
+	var resp *control.StartShardRebuildResponse
+	var err error
+	err = cli.ExecRaw(func(client *rawclient.Client) error {
+		resp, err = control.StartShardRebuild(client, req)
+		return err
+	})
+	commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+	verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+
+	var success, failed uint
+	for _, res := range resp.GetBody().GetResults() {
+		if res.GetSuccess() {
+			success++
+			cmd.Printf("Shard %s: OK\n", base58.Encode(res.GetShard_ID()))
+		} else {
+			failed++
+			cmd.Printf("Shard %s: failed with error %q\n", base58.Encode(res.GetShard_ID()), res.GetError())
+		}
+	}
+	cmd.Printf("Total: %d success, %d failed\n", success, failed)
+}
+
+func getFillPercentValue(cmd *cobra.Command) uint32 {
+	v, _ := cmd.Flags().GetUint32(fillPercentFlag)
+	if v <= 0 || v > 100 {
+		commonCmd.ExitOnErr(cmd, "invalid fill_percent value", fmt.Errorf("fill_percent value must be (0, 100], current value: %d", v))
+	}
+	return v
+}
+
+func getConcurrencyValue(cmd *cobra.Command) uint32 {
+	v, _ := cmd.Flags().GetUint32(concurrencyFlag)
+	if v <= 0 || v > 10000 {
+		commonCmd.ExitOnErr(cmd, "invalid concurrency value", fmt.Errorf("concurrency value must be (0, 10 000], current value: %d", v))
+	}
+	return v
+}
+
+func initControlShardRebuildCmd() {
+	initControlFlags(shardsRebuildCmd)
+
+	flags := shardsRebuildCmd.Flags()
+	flags.StringSlice(shardIDFlag, nil, "List of shard IDs in base58 encoding")
+	flags.Bool(shardAllFlag, false, "Process all shards")
+	flags.Uint32(fillPercentFlag, 80, "Target fill percent to reclaim space")
+	flags.Uint32(concurrencyFlag, 20, "Maximum count of concurrently rebuilding files")
+	setShardModeCmd.MarkFlagsMutuallyExclusive(shardIDFlag, shardAllFlag)
+}