[#79 ] cli: Fix panic when setting domain for container

Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
[TrueCloudLab#78] .github: Fix CODEOWNERS
2023-03-01 11:11:11 +03:00 · 2023-02-28 16:44:50 +03:00 · 2023-02-28 13:39:14 +03:00 · 2023-02-28 13:37:23 +03:00 · 2023-02-28 13:36:25 +03:00 · 2023-02-28 13:36:25 +03:00
1203 changed files with 89983 additions and 29543 deletions
--- a/.docker/Dockerfile.adm
+++ b/.docker/Dockerfile.adm
@ -0,0 +1,19 @@
 FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/frostfs-adm
 # Executable image
 FROM alpine AS frostfs-adm
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /src/bin/frostfs-adm /bin/frostfs-adm
 CMD ["frostfs-adm"]
--- a/.docker/Dockerfile.cli
+++ b/.docker/Dockerfile.cli
@ -0,0 +1,19 @@
 FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/frostfs-cli
 # Executable image
 FROM alpine AS frostfs-cli
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /src/bin/frostfs-cli /bin/frostfs-cli
 CMD ["frostfs-cli"]
--- a/.docker/Dockerfile.dirty-adm
+++ b/.docker/Dockerfile.dirty-adm
@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 WORKDIR /
-COPY bin/neofs-node /bin/neofs-node
+COPY bin/frostfs-adm /bin/frostfs-adm
-CMD ["neofs-node"]
+CMD ["frostfs-adm"]
--- a/.docker/Dockerfile.dirty-cli
+++ b/.docker/Dockerfile.dirty-cli
@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 WORKDIR /
-COPY bin/neofs-cli /bin/neofs-cli
+COPY bin/frostfs-cli /bin/frostfs-cli
-CMD ["neofs-cli"]
+CMD ["frostfs-cli"]
--- a/.docker/Dockerfile.dirty-ir
+++ b/.docker/Dockerfile.dirty-ir
@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 WORKDIR /
-COPY bin/neofs-ir /bin/neofs-ir
+COPY bin/frostfs-ir /bin/frostfs-ir
-CMD ["neofs-ir"]
+CMD ["frostfs-ir"]
--- a/.docker/Dockerfile.dirty-storage
+++ b/.docker/Dockerfile.dirty-storage
@ -0,0 +1,8 @@
 FROM alpine
 RUN apk add --no-cache bash ca-certificates
 WORKDIR /
 COPY bin/frostfs-node /bin/frostfs-node
 CMD ["frostfs-node"]
--- a/.docker/Dockerfile.ir
+++ b/.docker/Dockerfile.ir
@ -0,0 +1,18 @@
 FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/frostfs-ir
 # Executable image
 FROM alpine AS frostfs-ir
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/frostfs-ir /bin/frostfs-ir
 CMD ["frostfs-ir"]
--- a/.docker/Dockerfile.storage
+++ b/.docker/Dockerfile.storage
@ -0,0 +1,18 @@
 FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/frostfs-node
 # Executable image
 FROM alpine AS frostfs-node
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/frostfs-node /bin/frostfs-node
 CMD ["frostfs-node"]
--- a/.docker/Dockerfile.storage-testnet
+++ b/.docker/Dockerfile.storage-testnet
@ -0,0 +1,19 @@
 FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/frostfs-node
 # Executable image
 FROM alpine AS frostfs-node
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/frostfs-node /bin/frostfs-node
 COPY --from=builder /src/config/testnet/config.yml /config.yml
 CMD ["frostfs-node", "--config", "/config.yml"]
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1 @@
 *   @TrueCloudLab/storage-core @TrueCloudLab/committers
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -7,39 +7,44 @@ assignees: ''
 ---
-<!--- Provide a general summary of the issue in the Title above -->
+<!-- Provide a general summary of the issue in the Title above -->
 ## Expected Behavior
-<!--- If you're describing a bug, tell us what should happen -->
+<!-- If you're describing a bug, tell us what should happen
-<!--- If you're suggesting a change/improvement, tell us how it should work -->
+     If you're suggesting a change/improvement, tell us how it should work -->
 ## Current Behavior
-<!--- If describing a bug, tell us what happens instead of the expected behavior -->
+<!-- If describing a bug, tell us what happens instead of the expected behavior
-<!--- If suggesting a change/improvement, explain the difference from current behavior -->
+     If suggesting a change/improvement, explain the difference from current behavior -->
 ## Possible Solution
-<!--- Not obligatory, but suggest a fix/reason for the bug, -->
+<!-- Not obligatory, but suggest a fix/reason for the bug,
-<!--- or ideas how to implement the addition or change -->
+     or ideas how to implement the addition or change -->
 ## Steps to Reproduce (for bugs)
-<!--- Provide a link to a live example, or an unambiguous set of steps to -->
+<!-- Provide a link to a live example, or an unambiguous set of steps
-<!--- reproduce this bug. -->
+     to reproduce this bug. -->
 1.
 2.
 3.
 4.
 ## Context
-<!--- How has this issue affected you? What are you trying to accomplish? -->
+<!-- How has this issue affected you? What are you trying to accomplish?
-<!--- Providing context helps us come up with a solution that is most useful in the real world -->
+     Providing context helps us come up with a solution that is most useful in the real world -->
 ## Regression
-<!-- Is this issue a regression? (Yes / No) -->
+<!-- Is this issue a regression? (Yes / No)
-<!-- If Yes, optionally please include version or commit id or PR# that caused this regression, if you have these details. -->
+     If Yes, optionally please include version or commit id or PR# that caused this regression,
     if you have these details -->
 ## Your Environment
-<!--- Include as many relevant details about the environment you experienced the bug in -->
+<!-- Include as many relevant details about the environment you experienced the bug in -->
 * Version used:
 * Server setup and configuration:
 * Operating System and version (`uname -a`):
 ## Don't forget to add labels!
 - component label (`frostfs-adm`, `frostfs-storage`, ...)
 - `goodfirstissue`, `helpwanted` if needed
 - does this issue belong to an epic?
 - priority (`P0`-`P4`) if already triaged
 - quarter label (`202XQY`) if possible
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -7,14 +7,22 @@ assignees: ''
 ---
-**Is your feature request related to a problem? Please describe.**
+## Is your feature request related to a problem? Please describe.
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when ... -->
-**Describe the solution you'd like**
+## Describe the solution you'd like
-A clear and concise description of what you want to happen.
+<!-- A clear and concise description of what you want to happen. -->
-**Describe alternatives you've considered**
+## Describe alternatives you've considered
-A clear and concise description of any alternative solutions or features you've considered.
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
-**Additional context**
+## Additional context
-Add any other context or screenshots about the feature request here.
+<!-- Add any other context or screenshots about the feature request here. -->
 ## Don't forget to add labels!
 - component label (`neofs-adm`, `neofs-storage`, ...)
 - issue type (`enhancement`, `refactor`, ...)
 - `goodfirstissue`, `helpwanted` if needed
 - does this issue belong to an epic?
 - priority (`P0`-`P4`) if already triaged
 - quarter label (`202XQY`) if possible
--- a/.github/logo.svg
+++ b/.github/logo.svg
@ -1,129 +1,70 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?xml version="1.0" encoding="utf-8"?>
-<svg
+<!-- Generator: Adobe Illustrator 25.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
+<svg version="1.1" id="Слой_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-   xmlns:cc="http://creativecommons.org/ns#"
+	 viewBox="0 0 184.2 51.8" style="enable-background:new 0 0 184.2 51.8;" xml:space="preserve">
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+<style type="text/css">
-   xmlns:svg="http://www.w3.org/2000/svg"
+	.st0{display:none;}
-   xmlns="http://www.w3.org/2000/svg"
+	.st1{display:inline;}
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+	.st2{fill:#01E397;}
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+	.st3{display:inline;fill:#010032;}
-   sodipodi:docname="logo_fs.svg"
+	.st4{display:inline;fill:#00E599;}
-   inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
+	.st5{display:inline;fill:#00AF92;}
-   id="svg57"
+	.st6{fill:#00C3E5;}
-   version="1.1"
+</style>
-   viewBox="0 0 105 25"
+<g id="Layer_2">
-   height="25mm"
+	<g id="Layer_1-2" class="st0">
-   width="105mm">
+		<g class="st1">
-  <defs
+			<path class="st2" d="M146.6,18.3v7.2h10.9V29h-10.9v10.7h-4V14.8h18v3.5H146.6z"/>
-     id="defs51">
+			<path class="st2" d="M180,15.7c1.7,0.9,3,2.2,4,3.8l-3,2.7c-0.6-1.3-1.5-2.4-2.6-3.3c-1.3-0.7-2.8-1-4.3-1
-    <clipPath
+				c-1.4-0.1-2.8,0.3-4,1.1c-0.9,0.5-1.5,1.5-1.4,2.6c0,1,0.5,1.9,1.4,2.4c1.5,0.8,3.2,1.3,4.9,1.5c1.9,0.3,3.7,0.8,5.4,1.6
-       clipPathUnits="userSpaceOnUse"
+				c1.2,0.5,2.2,1.3,2.9,2.3c0.6,1,1,2.2,0.9,3.4c0,1.4-0.5,2.7-1.3,3.8c-0.9,1.2-2.1,2.1-3.5,2.6c-1.7,0.6-3.4,0.9-5.2,0.8
-       id="clipPath434">
+				c-5,0-8.6-1.6-10.7-5l2.9-2.8c0.7,1.4,1.8,2.5,3.1,3.3c1.5,0.7,3.1,1.1,4.7,1c1.5,0.1,2.9-0.2,4.2-0.9c0.9-0.5,1.5-1.5,1.5-2.6
-      <path
+				c0-0.9-0.5-1.8-1.3-2.2c-1.5-0.7-3.1-1.2-4.8-1.5c-1.9-0.3-3.7-0.8-5.5-1.5c-1.2-0.5-2.2-1.4-3-2.4c-0.6-1-1-2.2-0.9-3.4
-         d="M 0,0 H 1366 V 768 H 0 Z"
+				c0-1.4,0.4-2.7,1.2-3.8c0.8-1.2,2-2.2,3.3-2.8c1.6-0.7,3.4-1.1,5.2-1C176.1,14.3,178.2,14.8,180,15.7z"/>
         id="path432" />
    </clipPath>
  </defs>
  <sodipodi:namedview
     inkscape:window-maximized="0"
     inkscape:window-y="0"
     inkscape:window-x="130"
     inkscape:window-height="1040"
     inkscape:window-width="1274"
     height="50mm"
     units="mm"
     showgrid="false"
     inkscape:document-rotation="0"
     inkscape:current-layer="layer1"
     inkscape:document-units="mm"
     inkscape:cy="344.49897"
     inkscape:cx="468.64708"
     inkscape:zoom="0.7"
     inkscape:pageshadow="2"
     inkscape:pageopacity="0.0"
     borderopacity="1.0"
     bordercolor="#666666"
     pagecolor="#ffffff"
     id="base" />
  <metadata
     id="metadata54">
    <rdf:RDF>
      <cc:Work
         rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type
           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
        <dc:title></dc:title>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <g
     id="layer1"
     inkscape:groupmode="layer"
     inkscape:label="Layer 1">
    <g
       id="g424"
       transform="matrix(0.35277777,0,0,-0.35277777,63.946468,10.194047)">
      <path
         d="m 0,0 v -8.093 h 12.287 v -3.94 H 0 V -24.067 H -4.534 V 3.898 H 15.677 V 0 Z"
         style="fill:#00e396;fill-opacity:1;fill-rule:nonzero;stroke:none"
         id="path426" />
 		</g>
-    <g
+		<path class="st3" d="M73.3,16.3c1.9,1.9,2.9,4.5,2.7,7.1v15.9h-4V24.8c0-2.6-0.5-4.5-1.6-5.7c-1.2-1.2-2.8-1.8-4.5-1.7
-       transform="matrix(0.35277777,0,0,-0.35277777,-315.43002,107.34005)"
+			c-1.3,0-2.5,0.3-3.7,0.8c-1.2,0.7-2.2,1.7-2.9,2.9c-0.8,1.5-1.1,3.2-1.1,4.9v13.3h-4V15.1l3.6,1.5v1.7c0.8-1.5,2.1-2.6,3.6-3.3
-       id="g428">
+			c1.5-0.8,3.2-1.2,4.9-1.1C68.9,13.8,71.3,14.7,73.3,16.3z"/>
-      <g
+		<path class="st3" d="M104.4,28.3H85.6c0.1,2.2,1,4.3,2.5,5.9c1.5,1.4,3.5,2.2,5.6,2.1c1.6,0.1,3.2-0.2,4.6-0.9
-         id="g430"
+			c1.1-0.6,2-1.6,2.5-2.8l3.3,1.8c-0.9,1.7-2.3,3.1-4,4c-2,1-4.2,1.5-6.4,1.4c-3.7,0-6.7-1.1-8.8-3.4s-3.2-5.5-3.2-9.6s1-7.2,3-9.5
-         clip-path="url(#clipPath434)">
+			s5-3.4,8.7-3.4c2.1-0.1,4.2,0.5,6.1,1.5c1.6,1,3,2.5,3.8,4.2c0.9,1.8,1.3,3.9,1.3,5.9C104.6,26.4,104.6,27.4,104.4,28.3z
-        <g
+			 M88.1,19.3c-1.4,1.5-2.2,3.4-2.4,5.5h15.1c-0.2-2-1-3.9-2.3-5.5c-1.4-1.3-3.2-2-5.1-1.9C91.5,17.3,89.6,18,88.1,19.3z"/>
-           id="g436"
+		<path class="st3" d="M131,17.3c2.2,2.3,3.2,5.5,3.2,9.5s-1,7.3-3.2,9.6s-5.1,3.4-8.8,3.4s-6.7-1.1-8.9-3.4s-3.2-5.5-3.2-9.6
-           transform="translate(1112.874,278.2981)">
+			s1.1-7.2,3.2-9.5s5.1-3.4,8.9-3.4S128.9,15,131,17.3z M116.2,19.9c-1.5,2-2.2,4.4-2.1,6.9c-0.2,2.5,0.6,5,2.1,7
-          <path
+			c1.5,1.7,3.7,2.7,6,2.6c2.3,0.1,4.4-0.9,5.9-2.6c1.5-2,2.3-4.5,2.1-7c0.1-2.5-0.6-4.9-2.1-6.9c-1.5-1.7-3.6-2.7-5.9-2.6
-             d="M 0,0 C 1.822,-0.932 3.354,-2.359 4.597,-4.28 L 1.165,-7.373 c -0.791,1.695 -1.779,2.924 -2.966,3.686 -1.186,0.763 -2.768,1.145 -4.745,1.145 -1.949,0 -3.461,-0.389 -4.534,-1.166 -1.074,-0.777 -1.61,-1.772 -1.61,-2.987 0,-1.13 0.523,-2.027 1.568,-2.69 1.045,-0.664 2.909,-1.236 5.593,-1.716 2.514,-0.452 4.512,-1.024 5.995,-1.716 1.483,-0.693 2.564,-1.554 3.242,-2.585 0.677,-1.031 1.016,-2.309 1.016,-3.834 0,-1.639 -0.466,-3.079 -1.398,-4.322 -0.932,-1.243 -2.239,-2.197 -3.919,-2.86 -1.681,-0.664 -3.623,-0.996 -5.826,-0.996 -5.678,0 -9.689,1.892 -12.033,5.678 l 3.178,3.178 c 0.903,-1.695 2.068,-2.939 3.495,-3.729 1.426,-0.791 3.199,-1.186 5.318,-1.186 2.005,0 3.58,0.345 4.724,1.038 1.144,0.692 1.716,1.674 1.716,2.945 0,1.017 -0.516,1.835 -1.547,2.457 -1.031,0.621 -2.832,1.172 -5.402,1.653 -2.571,0.479 -4.618,1.073 -6.143,1.779 -1.526,0.706 -2.635,1.582 -3.326,2.627 -0.693,1.045 -1.039,2.316 -1.039,3.813 0,1.582 0.438,3.023 1.314,4.322 0.875,1.299 2.14,2.33 3.792,3.093 1.653,0.763 3.58,1.144 5.783,1.144 C -4.018,1.398 -1.822,0.932 0,0"
+			C119.9,17.2,117.7,18.2,116.2,19.9z"/>
-             style="fill:#00e396;fill-opacity:1;fill-rule:nonzero;stroke:none"
+		<polygon class="st4" points="0,9.1 0,43.7 22.5,51.8 22.5,16.9 46.8,7.9 24.8,0 		"/>
-             id="path438" />
+		<polygon class="st5" points="24.3,17.9 24.3,36.8 46.8,44.9 46.8,9.6 		"/>
 	</g>
-        <g
+	<g>
-           id="g440"
+		<g>
-           transform="translate(993.0239,277.5454)">
+			<path class="st6" d="M41.6,17.5H28.2v6.9h10.4v3.3H28.2v10.2h-3.9V14.2h17.2V17.5z"/>
-          <path
+			<path class="st6" d="M45.8,37.9v-18h3.3l0.4,3.2c0.5-1.2,1.2-2.1,2.1-2.7c0.9-0.6,2.1-0.9,3.5-0.9c0.4,0,0.7,0,1.1,0.1
-             d="m 0,0 c 2.054,-1.831 3.083,-4.465 3.083,-7.902 v -17.935 h -4.484 v 16.366 c 0,2.914 -0.626,5.024 -1.877,6.332 -1.253,1.308 -2.924,1.962 -5.016,1.962 -1.495,0 -2.896,-0.327 -4.204,-0.981 -1.308,-0.654 -2.381,-1.719 -3.222,-3.194 -0.841,-1.477 -1.261,-3.335 -1.261,-5.576 v -14.909 h -4.484 V 1.328 l 4.086,-1.674 0.118,-1.84 c 0.933,1.681 2.222,2.923 3.867,3.727 1.643,0.803 3.493,1.205 5.548,1.205 C -4.671,2.746 -2.055,1.83 0,0"
+				c0.4,0.1,0.7,0.2,0.9,0.3l-0.5,3.4c-0.3-0.1-0.6-0.2-0.9-0.2C55.4,23,54.9,23,54.4,23c-0.7,0-1.5,0.2-2.2,0.6
-             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
+				c-0.7,0.4-1.3,1-1.8,1.8s-0.7,1.8-0.7,3v9.5H45.8z"/>
-             id="path442" />
+			<path class="st6" d="M68.6,19.6c1.8,0,3.3,0.4,4.6,1.1c1.3,0.7,2.4,1.8,3.1,3.2s1.1,3.1,1.1,5c0,1.9-0.4,3.6-1.1,5
 				c-0.8,1.4-1.8,2.5-3.1,3.2c-1.3,0.7-2.9,1.1-4.6,1.1s-3.3-0.4-4.6-1.1c-1.3-0.7-2.4-1.8-3.2-3.2c-0.8-1.4-1.2-3.1-1.2-5
 				c0-1.9,0.4-3.6,1.2-5s1.8-2.5,3.2-3.2C65.3,19.9,66.8,19.6,68.6,19.6z M68.6,22.6c-1.1,0-2,0.2-2.8,0.7c-0.8,0.5-1.3,1.2-1.7,2.1
 				s-0.6,2.1-0.6,3.5c0,1.3,0.2,2.5,0.6,3.4s1,1.7,1.7,2.2s1.7,0.7,2.8,0.7c1.1,0,2-0.2,2.7-0.7c0.7-0.5,1.3-1.2,1.7-2.2
 				s0.6-2.1,0.6-3.4c0-1.4-0.2-2.5-0.6-3.5s-1-1.6-1.7-2.1C70.6,22.8,69.6,22.6,68.6,22.6z"/>
 			<path class="st6" d="M89.2,38.3c-1.8,0-3.4-0.3-4.9-1c-1.5-0.7-2.7-1.7-3.5-3l2.7-2.3c0.5,1,1.3,1.8,2.3,2.4
 				c1,0.6,2.2,0.9,3.6,0.9c1.1,0,2-0.2,2.6-0.6c0.6-0.4,1-0.9,1-1.6c0-0.5-0.2-0.9-0.5-1.2s-0.9-0.6-1.7-0.8l-3.8-0.8
 				c-1.9-0.4-3.3-1-4.1-1.9c-0.8-0.9-1.2-1.9-1.2-3.3c0-1,0.3-1.9,0.9-2.7c0.6-0.8,1.4-1.5,2.5-2s2.5-0.8,4-0.8c1.8,0,3.3,0.3,4.6,1
 				c1.3,0.6,2.2,1.5,2.9,2.7l-2.7,2.2c-0.5-1-1.1-1.7-2-2.1c-0.9-0.5-1.8-0.7-2.8-0.7c-0.8,0-1.4,0.1-2,0.3c-0.6,0.2-1,0.5-1.3,0.8
 				c-0.3,0.3-0.4,0.7-0.4,1.2c0,0.5,0.2,0.9,0.5,1.3s1,0.6,1.9,0.8l4.1,0.9c1.7,0.3,2.9,0.9,3.7,1.7c0.7,0.8,1.1,1.8,1.1,2.9
 				c0,1.2-0.3,2.2-0.9,3c-0.6,0.9-1.5,1.6-2.6,2C92.1,38.1,90.7,38.3,89.2,38.3z"/>
 			<path class="st6" d="M112.8,19.9v3H99.3v-3H112.8z M106.6,14.6v17.9c0,0.9,0.2,1.5,0.7,1.9c0.5,0.4,1.1,0.6,1.9,0.6
 				c0.6,0,1.2-0.1,1.7-0.3c0.5-0.2,0.9-0.5,1.3-0.8l0.9,2.8c-0.6,0.5-1.2,0.9-2,1.1c-0.8,0.3-1.7,0.4-2.7,0.4c-1,0-2-0.2-2.8-0.5
 				s-1.5-0.9-2-1.6c-0.5-0.8-0.7-1.7-0.8-3V15.7L106.6,14.6z"/>
 			<path d="M137.9,17.5h-13.3v6.9h10.4v3.3h-10.4v10.2h-3.9V14.2h17.2V17.5z"/>
 			<path d="M150.9,13.8c2.1,0,4,0.4,5.5,1.2c1.6,0.8,2.9,2,4,3.5l-2.6,2.5c-0.9-1.4-1.9-2.4-3.1-3c-1.1-0.6-2.5-0.9-4-0.9
 				c-1.2,0-2.1,0.2-2.8,0.5c-0.7,0.3-1.3,0.7-1.6,1.2c-0.3,0.5-0.5,1.1-0.5,1.7c0,0.7,0.3,1.4,0.8,1.9c0.5,0.6,1.5,1,2.9,1.3
 				l4.8,1.1c2.3,0.5,3.9,1.3,4.9,2.3c1,1,1.4,2.3,1.4,3.9c0,1.5-0.4,2.7-1.2,3.8c-0.8,1.1-1.9,1.9-3.3,2.5s-3.1,0.9-5,0.9
 				c-1.7,0-3.2-0.2-4.5-0.6c-1.3-0.4-2.5-1-3.5-1.8c-1-0.7-1.8-1.6-2.5-2.6l2.7-2.7c0.5,0.8,1.1,1.6,1.9,2.2
 				c0.8,0.7,1.7,1.2,2.7,1.5c1,0.4,2.2,0.5,3.4,0.5c1.1,0,2.1-0.1,2.9-0.4c0.8-0.3,1.4-0.7,1.8-1.2c0.4-0.5,0.6-1.1,0.6-1.9
 				c0-0.7-0.2-1.3-0.7-1.8c-0.5-0.5-1.3-0.9-2.6-1.2l-5.2-1.2c-1.4-0.3-2.6-0.8-3.6-1.3c-0.9-0.6-1.6-1.3-2.1-2.1s-0.7-1.8-0.7-2.8
 				c0-1.3,0.4-2.6,1.1-3.7c0.7-1.1,1.8-2,3.2-2.6C147.3,14.1,148.9,13.8,150.9,13.8z"/>
 		</g>
        <g
           id="g444"
           transform="translate(1027.9968,264.0386)">
          <path
             d="m 0,0 h -21.128 c 0.261,-2.84 1.205,-5.044 2.83,-6.613 1.625,-1.57 3.727,-2.355 6.305,-2.355 2.054,0 3.763,0.356 5.128,1.065 1.363,0.71 2.288,1.738 2.774,3.083 l 3.755,-1.961 c -1.121,-1.981 -2.616,-3.495 -4.484,-4.54 -1.868,-1.046 -4.259,-1.569 -7.173,-1.569 -4.223,0 -7.538,1.289 -9.948,3.867 -2.41,2.578 -3.615,6.146 -3.615,10.704 0,4.558 1.149,8.127 3.447,10.705 2.298,2.578 5.557,3.867 9.779,3.867 2.615,0 4.876,-0.58 6.782,-1.738 1.905,-1.158 3.343,-2.728 4.315,-4.707 C -0.262,7.827 0.224,5.605 0.224,3.139 0.224,2.092 0.149,1.046 0,0 m -18.298,10.144 c -1.513,-1.457 -2.438,-3.512 -2.775,-6.165 h 16.982 c -0.3,2.615 -1.159,4.661 -2.578,6.137 -1.42,1.476 -3.307,2.214 -5.661,2.214 -2.466,0 -4.455,-0.728 -5.968,-2.186"
             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
             id="path446" />
        </g>
        <g
           id="g448"
           transform="translate(1057.8818,276.4246)">
          <path
             d="m 0,0 c 2.41,-2.578 3.615,-6.147 3.615,-10.705 0,-4.558 -1.205,-8.126 -3.615,-10.704 -2.41,-2.578 -5.726,-3.867 -9.948,-3.867 -4.222,0 -7.537,1.289 -9.947,3.867 -2.41,2.578 -3.615,6.146 -3.615,10.704 0,4.558 1.205,8.127 3.615,10.705 2.41,2.578 5.725,3.867 9.947,3.867 C -5.726,3.867 -2.41,2.578 0,0 m -16.617,-2.858 c -1.607,-1.906 -2.41,-4.522 -2.41,-7.847 0,-3.326 0.803,-5.94 2.41,-7.846 1.607,-1.905 3.83,-2.858 6.669,-2.858 2.839,0 5.063,0.953 6.67,2.858 1.606,1.906 2.41,4.52 2.41,7.846 0,3.325 -0.804,5.941 -2.41,7.847 C -4.885,-0.953 -7.109,0 -9.948,0 c -2.839,0 -5.062,-0.953 -6.669,-2.858"
             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
             id="path450" />
        </g>
      </g>
    </g>
    <g
       id="g452"
       transform="matrix(0.35277777,0,0,-0.35277777,5.8329581,6.5590171)">
      <path
         d="m 0,0 0.001,-38.946 25.286,-9.076 V -8.753 L 52.626,1.321 27.815,10.207 Z"
         style="fill:#00e599;fill-opacity:1;fill-rule:nonzero;stroke:none"
         id="path454" />
    </g>
    <g
       id="g456"
       transform="matrix(0.35277777,0,0,-0.35277777,15.479008,10.041927)">
      <path
         d="M 0,0 V -21.306 L 25.293,-30.364 25.282,9.347 Z"
         style="fill:#00b091;fill-opacity:1;fill-rule:nonzero;stroke:none"
         id="path458" />
 	</g>
 </g>
 </svg>
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@ -0,0 +1,29 @@
 name: CHANGELOG check
 on:
  pull_request:
    branches:
      - master
      - support/**
 jobs:
  build:
    runs-on: ubuntu-latest
    name: Check for updates
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get changed CHANGELOG
        id: changelog-diff
        uses: tj-actions/changed-files@v29
        with:
          files: CHANGELOG.md
      - name: Fail if changelog not updated
        if: steps.changelog-diff.outputs.any_changed == 'false'
        uses: actions/github-script@v3
        with:
          script: |
            core.setFailed('CHANGELOG.md has not been updated')
--- a/.github/workflows/config-update.yml
+++ b/.github/workflows/config-update.yml
@ -0,0 +1,37 @@
 name: Configuration check
 on:
  pull_request:
    branches:
      - master
      - support/**
 jobs:
  build:
    runs-on: ubuntu-latest
    name: config-check
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get changed config-related files
        id: config-diff
        uses: tj-actions/changed-files@v29
        with:
          files: |
            config/**
            cmd/neofs-node/config/**
      - name: Get changed doc files
        id: docs-diff
        uses: tj-actions/changed-files@v29
        with:
          files: docs/**
      - name: Fail if config files are changed but the documentation is not updated
        if: steps.config-diff.outputs.any_changed == 'true' && steps.docs-diff.outputs.any_changed == 'false'
        uses: actions/github-script@v3
        with:
          script: |
            core.setFailed('Documentation has not been updated')
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@ -4,6 +4,7 @@ on:
  pull_request:
    branches:
      - master
      - support/**
 jobs:
  commits_check_job:
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -1,14 +1,16 @@
-name: neofs-node tests
+name: frostfs-node tests
 on:
  push:
    branches:
      - master
      - support/**
    paths-ignore:
      - '*.md'
  pull_request:
    branches:
      - master
      - support/**
    paths-ignore:
      - '*.md'
@ -17,18 +19,18 @@ jobs:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
-        go: [ '1.16.x' ]
+        go: [ '1.18.x', '1.19.x' ]
    steps:
      - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
          go-version: ${{ matrix.go }}
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Cache go mod
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go }}-${{ hashFiles('**/go.sum') }}
@ -46,12 +48,13 @@ jobs:
  lint:
    runs-on: ubuntu-20.04
    steps:
-      - name: Check out code
+      - uses: actions/setup-go@v3
        uses: actions/checkout@v2
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v2
        with:
-          version: v1.30
+          go-version: 1.19
      - uses: actions/checkout@v3
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          version: v1.50.0
          args: --timeout=5m
          only-new-issues: true
--- a/.gitignore
+++ b/.gitignore
@ -1,11 +1,51 @@
 # IDE
 .idea
-bin
+.vscode
 # Vendoring
 vendor
 # tempfiles
 .DS_Store
 *~
 .cache
 temp
 tmp
 # binary
 bin/
 release/
 # coverage
 coverage.txt
 coverage.html
 # testing
 cmd/test
 /plugins/
 /vendor/
 testfile
 # misc
 .neofs-cli.yml
-.cache
+# debhelpers
 debian/*debhelper*
 # logfiles
 debian/*.log
 # .substvars
 debian/*.substvars
 # .bash-completion
 debian/*.bash-completion
 # Install folders and files
 debian/frostfs-cli/
 debian/frostfs-ir/
 debian/files
 debian/frostfs-storage/
 debian/changelog
 man/
 debs/
--- a/.golangci.yml
+++ b/.golangci.yml
@ -29,26 +29,28 @@ linters:
  enable:
    # mandatory linters
    - govet
-    - golint
+    - revive
    # some default golangci-lint linters
    - errcheck
    - gosimple
    - godot
    - ineffassign
    - staticcheck
    - typecheck
    - unused
    # extra linters
    - bidichk
    - durationcheck
    - exhaustive
    - exportloopref
    - gofmt
    - whitespace
    - goimports
    - misspell
    - predeclared
    - reassign
    - whitespace
  disable-all: true
  fast: false
 issues:
  # Excluding configuration per-path, per-linter, per-text and per-source
  exclude-rules:
    - path: policy/grammar\.go # ignore structtag issues there
      linters:
        - govet
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -3,8 +3,8 @@
 First, thank you for contributing! We love and encourage pull requests from
 everyone. Please follow the guidelines:
- Check the open [issues](https://github.com/nspcc-dev/neofs-node/issues) and
+- Check the open [issues](https://github.com/TrueCloudLab/frostfs-node/issues) and
-  [pull requests](https://github.com/nspcc-dev/neofs-node/pulls) for existing
+  [pull requests](https://github.com/TrueCloudLab/frostfs-node/pulls) for existing
  discussions.
 - Open an issue first, to discuss a new feature or enhancement.
@ -23,23 +23,23 @@ everyone. Please follow the guidelines:
 ## Development Workflow
-Start by forking the `neofs-node` repository, make changes in a branch and then
+Start by forking the `frostfs-node` repository, make changes in a branch and then
 send a pull request. We encourage pull requests to discuss code changes. Here
 are the steps in details:
 ### Set up your GitHub Repository
-Fork [NeoFS node upstream](https://github.com/nspcc-dev/neofs-node/fork) source
+Fork [FrostFS node upstream](https://github.com/TrueCloudLab/frostfs-node/fork) source
 repository to your own personal repository. Copy the URL of your fork (you will
 need it for the `git clone` command below).
 ```sh
-$ git clone https://github.com/nspcc-dev/neofs-node
+$ git clone https://github.com/TrueCloudLab/frostfs-node
 ```
 ### Set up git remote as ``upstream``
 ```sh
-$ cd neofs-node
+$ cd frostfs-node
-$ git remote add upstream https://github.com/nspcc-dev/neofs-node
+$ git remote add upstream https://github.com/TrueCloudLab/frostfs-node
 $ git fetch upstream
 $ git merge upstream/master
 ...
@ -79,7 +79,7 @@ Description
 ```
 ```
-$ git commit -am '[#123] Add some feature'
+$ git commit -sam '[#123] Add some feature'
 ```
 ### Push to the branch
@ -106,7 +106,8 @@ contributors".
 To sign your work, just add a line like this at the end of your commit message:
 ```
-Signed-off-by: Samii Sakisaka <samii@nspcc.ru>
+Signed-off-by: Samii Sakisaka <samii@ivunojikan.co.jp>
 ```
 This can easily be done with the `--signoff` option to `git commit`.
--- a/CREDITS.md
+++ b/CREDITS.md
@ -1,5 +1,7 @@
 # Credits
 FrostFS continues the development of NeoFS.
 Initial NeoFS research and development (2018-2020) was done by
 [NeoSPCC](https://nspcc.ru) team.
@ -18,6 +20,10 @@ In alphabetical order:
 In chronological order:
 - Pavel Karpy
 - Zhang Tao
 - Angira Kekteeva
 - Sergio Nemirowski
 - Tivizi Jing
 # Special Thanks
--- a/Dockerfile.aio
+++ b/Dockerfile.aio
@ -1,24 +0,0 @@
 ARG HUB_IMAGE=nspccdev/neofs
 ARG HUB_TAG=latest
 FROM ${HUB_IMAGE}-cli:${HUB_TAG} as neofs-cli
 FROM ${HUB_IMAGE}-ir:${HUB_TAG} as neofs-ir
 FROM ${HUB_IMAGE}-storage:${HUB_TAG} as neofs-storage
 # Executable image
 FROM alpine AS neofs-aio
 RUN apk add --no-cache \
  bash \
  ca-certificates \
  jq \
  expect \
  iputils
 WORKDIR /
 COPY --from=neofs-cli /bin/neofs-cli /bin/neofs-cli
 COPY --from=neofs-ir /bin/neofs-ir /bin/neofs-ir
 COPY --from=neofs-storage /bin/neofs-node /bin/neofs-node
 CMD ["neofs-cli"]
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@ -1,22 +0,0 @@
 FROM golang:1.16-alpine as basebuilder
 RUN apk add --update make bash
 FROM basebuilder as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/neofs-cli
 # Executable image
 FROM alpine AS neofs-cli
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /src/bin/neofs-cli /bin/neofs-cli
 CMD ["neofs-cli"]
--- a/Dockerfile.ir
+++ b/Dockerfile.ir
@ -1,21 +0,0 @@
 FROM golang:1.16-alpine as basebuilder
 RUN apk add --update make bash
 FROM basebuilder as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/neofs-ir
 # Executable image
 FROM alpine AS neofs-ir
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/neofs-ir /bin/neofs-ir
 CMD ["neofs-ir"]
--- a/Dockerfile.storage
+++ b/Dockerfile.storage
@ -1,21 +0,0 @@
 FROM golang:1.16-alpine as basebuilder
 RUN apk add --update make bash
 FROM basebuilder as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/neofs-node
 # Executable image
 FROM alpine AS neofs-node
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/neofs-node /bin/neofs-node
 CMD ["neofs-node"]
--- a/Dockerfile.storage-testnet
+++ b/Dockerfile.storage-testnet
@ -1,22 +0,0 @@
 FROM golang:1.16-alpine as basebuilder
 RUN apk add --update make bash
 FROM basebuilder as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 RUN make bin/neofs-node
 # Executable image
 FROM alpine AS neofs-node
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /src/bin/neofs-node /bin/neofs-node
 COPY --from=builder /src/config/testnet/config.yml /config.yml
 CMD ["neofs-node", "--config", "/config.yml"]
--- a/120
+++ b/120
@ -2,91 +2,113 @@
 SHELL = bash
 REPO ?= $(shell go list -m)
-VERSION ?= $(shell git describe --tags --dirty --always)
+VERSION ?= $(shell git describe --tags --dirty --match "v*" --always --abbrev=8 2>/dev/null || cat VERSION 2>/dev/null || echo "develop")
 BUILD ?= $(shell date -u --iso=seconds)
 DEBUG ?= false
-HUB_IMAGE ?= nspccdev/neofs
+HUB_IMAGE ?= truecloudlab/frostfs
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"
 GO_VERSION ?= 1.19
 LINT_VERSION ?= 1.50.0
 ARCH = amd64
 BIN = bin
-DIRS= $(BIN)
+RELEASE = release
 DIRS = $(BIN) $(RELEASE)
 # List of binaries to build.
-CMDS = $(notdir $(basename $(wildcard cmd/*)))
+CMDS = $(notdir $(basename $(wildcard cmd/frostfs-*)))
 BINS = $(addprefix $(BIN)/, $(CMDS))
-.PHONY: help all dep clean fmts fmt imports test lint docker/lint
+# .deb package versioning
 OS_RELEASE = $(shell lsb_release -cs)
 PKG_VERSION ?= $(shell echo $(VERSION) | sed "s/^v//" | \
 			sed -E "s/(.*)-(g[a-fA-F0-9]{6,8})(.*)/\1\3~\2/" | \
 			sed "s/-/~/")-${OS_RELEASE}
 .PHONY: help all images dep clean fmts fmt imports test lint docker/lint
 		prepare-release debpackage
 # To build a specific binary, use it's name prefix with bin/ as a target
-# For example `make bin/neofs-node` will build only storage node binary
+# For example `make bin/frostfs-node` will build only storage node binary
 # Just `make` will build all possible binaries
 all: $(DIRS) $(BINS)
 # help target
 include help.mk
 $(BINS): $(DIRS) dep
 	@echo "⇒ Build $@"
 	CGO_ENABLED=0 \
 	GO111MODULE=on \
 	go build -v -trimpath \
-	-ldflags "-X $(REPO)/misc.Version=$(VERSION) \
+	-ldflags "-X $(REPO)/misc.Version=$(VERSION)" \
 	-X $(REPO)/misc.Build=$(BUILD) \
 	-X $(REPO)/misc.Debug=$(DEBUG)" \
 	-o $@ ./cmd/$(notdir $@)
 $(DIRS):
 	@echo "⇒ Ensure dir: $@"
 	@mkdir -p $@
 # Prepare binaries and archives for release
 .ONESHELL:
 prepare-release: docker/all
 	@for file in `ls -1 $(BIN)/frostfs-*`; do
 		cp $$file $(RELEASE)/`basename $$file`-$(ARCH)
 		strip $(RELEASE)/`basename $$file`-$(ARCH)
 		tar -czf $(RELEASE)/`basename $$file`-$(ARCH).tar.gz $(RELEASE)/`basename $$file`-$(ARCH)
 	done
 # Pull go dependencies
 dep:
 	@printf "⇒ Download requirements: "
 	CGO_ENABLED=0 \
 	GO111MODULE=on \
 	go mod download && echo OK
 	@printf "⇒ Tidy requirements : "
 	CGO_ENABLED=0 \
 	GO111MODULE=on \
 	go mod tidy -v && echo OK
 # Regenerate proto files:
 protoc:
-	@GOPRIVATE=github.com/nspcc-dev go mod vendor
+	@GOPRIVATE=github.com/TrueCloudLab go mod vendor
 	# Install specific version for protobuf lib
-	@go list -f '{{.Path}}/...@{{.Version}}' -m  github.com/golang/protobuf | xargs go get -v
+	@go list -f '{{.Path}}/...@{{.Version}}' -m  github.com/golang/protobuf | xargs go install -v
 	@GOBIN=$(abspath $(BIN)) go install -mod=mod -v github.com/TrueCloudLab/frostfs-api-go/v2/util/protogen
 	# Protoc generate
 	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
 		echo "⇒ Processing $$f "; \
 		protoc \
 			--proto_path=.:./vendor:/usr/local/include \
-			--go_out=plugins=grpc,paths=source_relative:. $$f; \
+			--plugin=protoc-gen-go-frostfs=$(BIN)/protogen \
 			--go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
 			--go_out=. --go_opt=paths=source_relative \
 			--go-grpc_opt=require_unimplemented_servers=false \
 			--go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
 	rm -rf vendor
-# Build all-in-one NeoFS docker image
+# Build FrostFS component's docker image
 image-aio: images
 	@echo "⇒ Build NeoFS All-In-One Docker image "
 	@docker build \
 		--build-arg HUB_IMAGE=$(HUB_IMAGE) \
 		--build-arg HUB_TAG=$(HUB_TAG) \
 		--rm \
 		-f Dockerfile.aio \
 		-t $(HUB_IMAGE)-aio:$(HUB_TAG) .
 # Build NeoFS component's docker image
 image-%:
-	@echo "⇒ Build NeoFS $* docker image "
+	@echo "⇒ Build FrostFS $* docker image "
 	@docker build \
 		--build-arg REPO=$(REPO) \
 		--build-arg VERSION=$(VERSION) \
 		--rm \
-		-f Dockerfile.$* \
+		-f .docker/Dockerfile.$* \
 		-t $(HUB_IMAGE)-$*:$(HUB_TAG) .
 # Build all Docker images
-images: image-storage image-ir image-cli
+images: image-storage image-ir image-cli image-adm image-storage-testnet
 # Build dirty local Docker images
-dirty-images: image-dirty-storage image-dirty-ir image-dirty-cli
+dirty-images: image-dirty-storage image-dirty-ir image-dirty-cli image-dirty-adm
 # Run `make %` in Golang container
 docker/%:
 	docker run --rm -t \
 	-v `pwd`:/src \
 	-w /src \
 	-u "$$(id -u):$$(id -g)" \
 	--env HOME=/src \
 	golang:$(GO_VERSION) make $*
 # Run all code formatters
 fmts: fmt imports
@ -94,17 +116,17 @@ fmts: fmt imports
 # Reformat code
 fmt:
 	@echo "⇒ Processing gofmt check"
-	@GO111MODULE=on gofmt -s -w cmd/ pkg/ misc/
+	@gofmt -s -w cmd/ pkg/ misc/
 # Reformat imports
 imports:
 	@echo "⇒ Processing goimports check"
-	@GO111MODULE=on goimports -w cmd/ pkg/ misc/
+	@goimports -w cmd/ pkg/ misc/
 # Run Unit Test with go test
 test:
 	@echo "⇒ Running go test"
-	@GO111MODULE=on go test ./...
+	@go test ./...
 # Run linters
 lint:
@ -112,26 +134,30 @@ lint:
 # Run linters in Docker
 docker/lint:
-	docker run --rm -it \
+	docker run --rm -t \
 	-v `pwd`:/src \
 	-u `stat -c "%u:%g" .` \
 	--env HOME=/src \
-	golangci/golangci-lint:v1.30 bash -c 'cd /src/ && make lint'
+	golangci/golangci-lint:v$(LINT_VERSION) bash -c 'cd /src/ && make lint'
 # Print version
 version:
 	@echo $(VERSION)
 # Show this help prompt
 help:
 	@echo '  Usage:'
 	@echo ''
 	@echo '    make <target>'
 	@echo ''
 	@echo '  Targets:'
 	@echo ''
 	@awk '/^#/{ comment = substr($$0,3) } comment && /^[a-zA-Z][a-zA-Z0-9_-]+ ?:/{ print "   ", $$1, comment }' $(MAKEFILE_LIST) | column -t -s ':' | grep -v 'IGNORE' | sort -u
 clean:
 	rm -rf vendor
 	rm -rf .cache
 	rm -rf $(BIN)
 	rm -rf $(RELEASE)
 # Package for Debian
 debpackage:
 	dch -b --package frostfs-node \
 			--controlmaint \
 			--newversion $(PKG_VERSION) \
 			--distribution $(OS_RELEASE) \
 			"Please see CHANGELOG.md for code changes for $(VERSION)"
 	dpkg-buildpackage --no-sign -b
 debclean:
 	dh clean
--- a/README.md
+++ b/README.md
@ -1,49 +1,80 @@
 <p align="center">
-<img src="./.github/logo.svg" width="500px" alt="NeoFS">
+  <img src="./.github/logo.svg" width="500px" alt="FrostFS">
 </p>
 <p align="center">
-  <a href="https://fs.neo.org">NeoFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.
+  <a href="https://frostfs.info">FrostFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.
 </p>
 ---
-[![Report](https://goreportcard.com/badge/github.com/nspcc-dev/neo-go)](https://goreportcard.com/report/github.com/nspcc-dev/neofs-node)
+[![Report](https://goreportcard.com/badge/github.com/TrueCloudLab/frostfs-node)](https://goreportcard.com/report/github.com/TrueCloudLab/frostfs-node)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/nspcc-dev/neofs-node?sort=semver)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/TrueCloudLab/frostfs-node?sort=semver)
-![License](https://img.shields.io/github/license/nspcc-dev/neofs-node.svg?style=popout)
+![License](https://img.shields.io/github/license/TrueCloudLab/frostfs-node.svg?style=popout)
 # Overview
-NeoFS Nodes are organized in peer-to-peer network that takes care of storing and
+FrostFS Nodes are organized in a peer-to-peer network that takes care of storing
-distributing user's data. Any Neo user may participate in the network and get
+and distributing user's data. Any Neo user may participate in the network and
-paid for providing storage resources to other users or store his data in NeoFS
+get paid for providing storage resources to other users or store their data in
-and pay a competitive price for it.
+FrostFS and pay a competitive price for it.
-Users can reliably store object data in the NeoFS network and have a transparent
+Users can reliably store object data in the FrostFS network and have a transparent
-data placement process due to decentralized architecture and flexible storage
+data placement process due to a decentralized architecture and flexible storage
 policies. Each node is responsible for executing the storage policies that the
 users select for geographical location, reliability level, number of nodes, type
-of disks, capacity, etc. Thus, NeoFS gives full control over data to users.
+of disks, capacity, etc. Thus, FrostFS gives full control over data to users.
-Deep [Neo Blockchain](https://neo.org) integration allows NeoFS to be used by
+Deep [Neo Blockchain](https://neo.org) integration allows FrostFS to be used by
-dApp directly from
+dApps directly from
 [NeoVM](https://docs.neo.org/docs/en-us/basic/technology/neovm.html) on the
-[Smart Contract](https://docs.neo.org/docs/en-us/basic/technology/neocontract.html)
+[Smart Contract](https://docs.neo.org/docs/en-us/intro/glossary.html)
 code level. This way dApps are not limited to on-chain storage and can
 manipulate large amounts of data without paying a prohibitive price.
-NeoFS has native [gRPC](https://grpc.io) API and popular protocol gates such as
+FrostFS has a native [gRPC API](https://github.com/TrueCloudLab/frostfs-api) and has
-[AWS S3](https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html),
+protocol gateways for popular protocols such as [AWS
-[HTTP](https://wikipedia.org/wiki/Hypertext_Transfer_Protocol),
+S3](https://github.com/TrueCloudLab/frostfs-s3-gw),
 [HTTP](https://github.com/TrueCloudLab/frostfs-http-gw),
 [FUSE](https://wikipedia.org/wiki/Filesystem_in_Userspace) and
 [sFTP](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) allowing
-developers to easily integrate applications without rewriting their code.
+developers to integrate applications without rewriting their code.
 # Supported platforms
-For now we only support GNU/Linux on amd64 CPUs with AVX/AVX2 instructions. More
+Now, we only support GNU/Linux on amd64 CPUs with AVX/AVX2 instructions. More
-platforms will be officially supported after '1.0' release.
+platforms will be officially supported after release `1.0`.
-Latest version of neofs-node works with neofs-contract 
+The latest version of frostfs-node works with frostfs-contract
-[v0.9.0](https://github.com/nspcc-dev/neofs-contract/releases/tag/v0.9.0).
+[v0.16.0](https://github.com/TrueCloudLab/frostfs-contract/releases/tag/v0.16.0).
 # Building
 To make all binaries you need Go 1.18+ and `make`:
 ```
 make all
 ```
 The resulting binaries will appear in `bin/` folder.
 To make a specific binary use:
 ```
 make bin/frostfs-<name>
 ```
 See the list of all available commands in the `cmd` folder.
 ## Building with Docker
 Building can also be performed in a container:
 ```
 make docker/all                     # build all binaries
 make docker/bin/frostfs-<name> # build a specific binary
 ```
 ## Docker images
 To make docker images suitable for use in [frostfs-dev-env](https://github.com/TrueCloudLab/frostfs-dev-env/) use:
 ```
 make images
 ```
 # Contributing
@ -55,7 +86,7 @@ the feature/topic you are going to implement.
 # Credits
-NeoFS is maintained by [NeoSPCC](https://nspcc.ru) with the help and
+FrostFS is maintained by [True Cloud Lab](https://github.com/TrueCloudLab/) with the help and
 contributions from community members.
 Please see [CREDITS](CREDITS.md) for details.
--- a/1
+++ b/1
@ -0,0 +1 @@
 v0.35.0
--- a/cmd/frostfs-adm/README.md
+++ b/cmd/frostfs-adm/README.md
@ -0,0 +1,104 @@
 # FrostFS Admin Tool
 ## Overview
 Admin tool provides an easier way to deploy and maintain private installation
 of FrostFS. Private installation provides a set of N3 consensus nodes, FrostFS 
 Alphabet, and Storage nodes. Admin tool generates consensus keys, initializes 
 the sidechain, and provides functions to update the network and register new
 Storage nodes.
 ## Build
 To build binary locally, use `make bin/frostfs-adm` command. 
 For clean build inside a docker container, use `make docker/bin/frostfs-adm`. 
 Build docker image with `make image-adm`.
 At FrostFS private install deployment, frostfs-adm requires compiled FrostFS 
 contracts. Find them in the latest release of 
 [frostfs-contract repository](https://github.com/TrueCloudLab/frostfs-contract/releases).
 ## Commands
 ### Config
 Config section provides `init` command that creates a configuration file for
 private installation deployment and updates. Config file is optional, all
 parameters can be passed by arguments or read from standard input (wallet 
 passwords).
 Config example:
 ```yaml
 rpc-endpoint: https://address:port # sidechain RPC node endpoint
 alphabet-wallets: /path            # path to consensus node / alphabet wallets storage
 network:
  max_object_size: 67108864 # max size of a single FrostFS object, bytes
  epoch_duration: 240       # duration of a FrostFS epoch in blocks, consider block generation frequency in the sidechain
  basic_income_rate: 0      # basic income rate, for private consider 0
  fee:
    audit: 0     # network audit fee, for private installation consider 0
    candidate: 0 # inner ring candidate registration fee, for private installation consider 0
    container: 0 # container creation fee, for private installation consider 0
    container_alias: 0 # container nice-name registration fee, for private installation consider 0
    withdraw: 0  # withdraw fee, for private installation consider 0
 credentials:     # passwords for consensus node / alphabet wallets
  az: password1
  buky: password2
  vedi: password3
  glagoli: password4
  dobro: password5
  yest: password6
  zhivete: password7
 ```
 ### Morph
 #### Network deployment
 - `generate-alphabet` generates a set of wallets for consensus and 
  Alphabet nodes. 
 - `init` initializes the sidechain by deploying smart contracts and
  setting provided FrostFS network configuration.
 - `generate-storage-wallet` generates a wallet for the Storage node that 
  is ready for deployment. It also transfers a bit of sidechain GAS, so this 
  wallet can be used for FrostFS bootstrap.
 #### Network maintenance
 - `set-config` add/update configuration values in the Netmap contract.
 - `force-new-epoch` increments FrostFS epoch number and executes new epoch
  handlers in FrostFS nodes.
 - `refill-gas` transfers sidechain GAS to the specified wallet. 
 - `update-contracts` updates contracts to a new version.
 #### Container migration
 If a network has to be redeployed, these commands will migrate all container meta
 info. These commands **do not migrate actual objects**.
 - `dump-containers` saves all containers and metadata registered in the container
  contract to a file.
 - `restore-containers` restores previously saved containers by their repeated registration in 
 the container contract.
 - `list-containers` output all containers ids.
 #### Network info
 - `dump-config` prints FrostFS network configuration.
 - `dump-hashes` prints FrostFS contract addresses stored in NNS.
 ## Private network deployment
 Read step-by-step guide of private storage deployment [in docs](./docs/deploy.md).
--- a/cmd/frostfs-adm/docs/deploy.md
+++ b/cmd/frostfs-adm/docs/deploy.md
@ -0,0 +1,211 @@
 # Step-by-step private FrostFS deployment
 This is a short guide on how to deploy a private FrostFS storage network on bare
 metal without docker images. This guide does not cover details on how to start
 consensus, Alphabet, or Storage nodes. This guide covers only `frostfs-adm` 
 related configuration details.
 ## Prerequisites
 To follow this guide you need:
 - latest released version of [neo-go](https://github.com/nspcc-dev/neo-go/releases) (v0.97.2 at the moment),
 - latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases) utility (v0.25.1 at the moment),
 - latest released version of compiled [frostfs-contract](https://github.com/TrueCloudLab/frostfs-contract/releases) (v0.11.0 at the moment).
 ## Step 1: Prepare network configuration 
 To start a network, you need a set of consensus nodes, the same number of 
 Alphabet nodes and any number of Storage nodes. While the number of Storage 
 nodes can be scaled almost infinitely, the number of consensus and Alphabet 
 nodes can't be changed so easily right now. Consider this before going any further.
 It is easier to use`frostfs-adm` with a predefined configuration. First, create
 a network configuration file. In this example, there is going to be only one
 consensus / Alphabet node in the network.
 ```
 $ frostfs-adm config init --path foo.network.yml
 Initial config file saved to foo.network.yml
 $ cat foo.network.yml 
 rpc-endpoint: https://neo.rpc.node:30333
 alphabet-wallets: /home/user/deploy/alphabet-wallets
 network:
  max_object_size: 67108864
  epoch_duration: 240
  basic_income_rate: 0
  fee:
    audit: 0
    candidate: 0
    container: 0
    withdraw: 0
 credentials:
  az: hunter2
 ```
 For private installation, it is recommended to set all **fees** and **basic 
 income rate** to 0. 
 As for **epoch duration**, consider consensus node block generation frequency. 
 With default 15 seconds per block, 240 blocks are going to be a 1-hour epoch. 
 For **max object size**, 67108864 (64 MiB) or 134217728 (128 MiB) should provide 
 good chunk distribution in most cases.
 With this config, generate wallets (private keys) of consensus nodes. The same
 wallets will be used for Alphabet nodes. Make sure, that dir for alphabet 
 wallets already exists.
 ```
 $ frostfs-adm -c foo.network.yml morph generate-alphabet --size 1
 size: 1
 alphabet-wallets: /home/user/deploy/alphabet-wallets
 wallet[0]: hunter2
 ```
 Do not lose wallet files and network config. Store it in an encrypted backed up
 storage.
 ## Step 2: Launch consensus nodes
 Configure blockchain nodes with the generated wallets from the previous step.
 Config examples can be found in 
 [neo-go repository](https://github.com/nspcc-dev/neo-go/tree/master/config).
 Gather public keys from **all** generated wallets. We are interested in the first
 `simple signature contract` public key.
 ```
 $ neo-go wallet dump-keys -w alphabet-wallets/az.json 
 NitdS4k4f1Hh5mbLJhAswBK3WC2gQgPN1o (simple signature contract):
 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
 NiMKabp3ddi3xShmLAXhTfbnuWb4cSJT6E (1 out of 1 multisig contract):
 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
 NiMKabp3ddi3xShmLAXhTfbnuWb4cSJT6E (1 out of 1 multisig contract):
 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
 ```
 Put the list of public keys into `ProtocolConfiguration.StandbyCommittee` 
 section. Specify the wallet path and the password in `ApplicationConfiguration.P2PNotary`
 and `ApplicationConfiguration.UnlockWallet` sections. If config includes
 `ProtocolConfiguration.NativeActivations` section, add notary 
 contract `Notary: [0]`.
 ```yaml
 ProtocolConfiguration:
  StandbyCommittee:
    - 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
  NativeActivations:
    Notary: [0]
 ApplicationConfiguration:
  P2PNotary:
    Enabled: true
    UnlockWallet:
      Path: "/home/user/deploy/alphabet-wallets/az.json"
      Password: "hunter2"
  UnlockWallet:
    Path: "/home/user/deploy/alphabet-wallets/az.json"
    Password: "hunter2"
 ```
 Then, launch consensus nodes. They should connect to each other and start
 producing blocks in consensus. You might want to deploy additional RPC
 nodes at this stage because Storage nodes should be connected to the chain too.
 It is not recommended to use a consensus node as an RPC node due to security policies
 and possible overload issues.
 ## Step 3: Initialize sidechain
 Use archive with compiled FrostFS contracts to initialize the sidechain.
 ```
 $ tar -xzvf frostfs-contract-v0.11.0.tar.gz 
 $ ./frostfs-adm -c foo.network.yml morph init --contracts ./frostfs-contract-v0.11.0
 Stage 1: transfer GAS to alphabet nodes.
 Waiting for transactions to persist...
 Stage 2: set notary and alphabet nodes in designate contract.
 Waiting for transactions to persist...
 Stage 3: deploy NNS contract.
 Waiting for transactions to persist...
 Stage 4: deploy FrostFS contracts.
 Waiting for transactions to persist...
 Stage 4.1: Transfer GAS to proxy contract.
 Waiting for transactions to persist...
 Stage 5: register candidates.
 Waiting for transactions to persist...
 Stage 6: transfer NEO to alphabet contracts.
 Waiting for transactions to persist...
 Stage 7: set addresses in NNS.
 Waiting for transactions to persist...
 NNS: Set alphabet0.frostfs -> f692dfb4d43a15b464eb51a7041160fb29c44b6a
 NNS: Set audit.frostfs -> 7df847b993affb3852074345a7c2bd622171ee0d
 NNS: Set balance.frostfs -> 103519b3067a66307080a66570c0491ee8f68879
 NNS: Set container.frostfs -> cae60bdd689d185901e495352d0247752ce50846
 NNS: Set frostfsid.frostfs -> c421fb60a3895865a8f24d197d6a80ef686041d2
 NNS: Set netmap.frostfs -> 894eb854632f50fb124412ce7951ebc00763525e
 NNS: Set proxy.frostfs -> ac6e6fe4b373d0ca0ca4969d1e58fa0988724e7d
 NNS: Set reputation.frostfs -> 6eda57c9d93d990573646762d1fea327ce41191f
 Waiting for transactions to persist...
 ```
 ## Step 4: Launch Alphabet nodes
 Configure Alphabet nodes with the wallets generated in step 1. For 
 `morph.validators` use a list of public keys from 
 `ProtocolConfiguration.StandbyCommittee`.
 ```yaml
 wallet:
  path: "/home/user/deploy/alphabet-wallets/az.json"
  password: "hunter2"
  account: "NitdS4k4f1Hh5mbLJhAswBK3WC2gQgPN1o"
 morph:
  validators:
    - 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
 contracts:
  alphabet:
    amount: 1
 ```
 ## Step 4: Launch Storage node
 Generate a new wallet for a Storage node.
 ```
 $ frostfs-adm -c foo.network.yml morph generate-storage-wallet --storage-wallet ./sn01.json --initial-gas 10.0
 New password > 
 Waiting for transactions to persist...
 $ neo-go wallet dump-keys -w sn01.json 
 Ngr7p8Z9S22XDH6VkUG9oXobv8zZRAWwwv (simple signature contract):
 0355eccb72cd46f09a3e5237eaa0f4949cceb5ecfa5a225bd3bb9fd021c4d75b85
 ```
 Configure the Storage node to use this wallet.
 ```
 node:
  wallet:
    path: "/home/user/deploy/sn01.json"
    address: "Ngr7p8Z9S22XDH6VkUG9oXobv8zZRAWwwv"
    password: "foobar"
 ```
 The storage node will be included in the network map in the next FrostFS epoch. To
 speed up this process, you can increment epoch counter immediately.
 ```
 $ frostfs-adm -c foo.network.yml morph force-new-epoch
 Current epoch: 8, increase to 9.
 Waiting for transactions to persist...
 ```
 --- 
 After that, FrostFS Storage is ready to work. You can access it directly or
 with protocol gates.
--- a/cmd/frostfs-adm/docs/subnetwork-creation.md
+++ b/cmd/frostfs-adm/docs/subnetwork-creation.md
@ -0,0 +1,39 @@
 # FrostFS subnetwork creation
 This is a short guide on how to create FrostFS subnetworks. This guide 
 considers that the sidechain and the inner ring (alphabet nodes) have already been 
 deployed and the sidechain contains a deployed `subnet` contract.
 ## Prerequisites
 To follow this guide, you need:
 - neo-go sidechain RPC endpoint;
 - latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
 - wallet with FrostFS account.
 ## Creation
 ```shell
 $ frostfs-adm morph subnet create \
    -r <side_chain_RPC_endpoint> \
    -w </path/to/owner/wallet> \
    --notary
 Create subnet request sent successfully. ID: 4223489767.
 ```
 **NOTE:** in notary-enabled environment you should have a sufficient
 notary deposit (not expired, with enough GAS balance). Your subnet ID
 will differ from the example.
 The default account in the wallet that has been passed with `-w` flag is the owner
 of the just created subnetwork.
 You can check if your subnetwork was created successfully:
 ```shell
 $ frostfs-adm morph subnet get \
    -r <side_chain_RPC_endpoint> \
    --subnet <subnet_ID>
 Owner: NUc734PMJXiqa2J9jRtvskU3kCdyyuSN8Q
 ```
 Your owner will differ from the example.
--- a/cmd/frostfs-adm/docs/subnetwork-usage.md
+++ b/cmd/frostfs-adm/docs/subnetwork-usage.md
@ -0,0 +1,137 @@
 # Managing Subnetworks
 This is a short guide on how to manage FrostFS subnetworks. This guide
 considers that the sidechain and the inner ring (alphabet nodes) have already been
 deployed, and the sidechain contains a deployed `subnet` contract.
 ## Prerequisites
 - neo-go sidechain RPC endpoint;
 - latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
 - [created](subnetwork-creation.md) subnetwork;
 - wallet with the account that owns the subnetwork;
 - public key of the Storage Node;
 - public keys of the node and client administrators;
 - owner IDs of the FrostFS users.
 ## Add node administrator
 Node administrators are accounts that can manage (add and delete nodes)
 the whitelist of the nodes which can be included to a subnetwork. Only the subnet
 owner is allowed to add and remove node administrators from the subnetwork.
 ```shell
 $ frostfs-adm morph subnet admin add \
    -r <side_chain_RPC_endpoint> \
    -w </path/to/owner/wallet> \
    --admin <HEX_admin_public_key> \
    --subnet <subnet_ID>
 Add admin request sent successfully.
 ```
 ## Add node
 Adding a node to a subnetwork means that the node becomes able to service
 containers that have been created in that subnetwork. Addition only changes
 the list of the allowed nodes. Node is not required to be bootstrapped at the
 moment of its inclusion.
 ```shell
 $ frostfs-adm morph subnet node add \
    -r <side_chain_RPC_endpoint> \
    -w </path/to/node_admin/wallet> \
    --node <HEX_node_public_key> \
    --subnet <subnet_ID>
 Add node request sent successfully.
 ```
 **NOTE:** the owner of the subnetwork is also allowed to add nodes.
 ## Add client administrator
 Client administrators are accounts that can manage (add and delete
 nodes) the whitelist of the clients that can create containers in the
 subnetwork. Only the subnet owner is allowed to add and remove client
 administrators from the subnetwork.
 ```shell
 $ frostfs-adm morph subnet admin add \
    -r <side_chain_RPC_endpoint> \
    -w </path/to/owner/wallet> \
    --admin <HEX_admin_public_key> \
    --subnet <subnet_ID> \
    --client \
    --group <group_ID>
 Add admin request sent successfully.
 ```
 **NOTE:** you do not need to create a group explicitly, it will be created
 right after the first client admin is added. Group ID is a 4-byte
 positive integer number.
 ## Add client
 ```shell
 $ frostfs-adm morph subnet client add \
    -r <side_chain_RPC_endpoint> \
    -w </path/to/client_admin/wallet> \
    --client <client_ownerID> \
    --subnet <subnet_ID> \
    --group <group_ID>
 Add client request sent successfully.
 ```
 **NOTE:** the owner of the subnetwork is also allowed to add clients. This is
 the only one command that accepts `ownerID`, not the public key.
 Administrator can manage only their group (a group where that administrator
 has been added by the subnet owner).
 # Bootstrapping Storage Node
 After a subnetwork [is created](subnetwork-creation.md) and a node is included into it, the 
 node could be bootstrapped and service subnetwork containers.
 For bootstrapping, you need to specify the ID of the subnetwork in the node's 
 configuration: 
 ```yaml
 ...
 node:
  ...
  subnet:
    entries: # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)
      - <subnetwork_ID>
  ...
 ...
 ```
 **NOTE:** specifying subnetwork that is denied for the node is not an error:
 that configuration value would be ignored. You do not need to specify zero 
 (with 0 ID) subnetwork: its inclusion is implicit. On the contrary, to exclude
 a node from the default zero subnetwork, you need to specify it explicitly:
 ```yaml
 ...
 node:
  ...
  subnet:
    exit_zero: true # toggle entrance to zero subnet (overrides corresponding attribute and occurrence in `entries`)
  ...
 ...
 ```
 # Creating container in non-zero subnetwork
 Creating containers without using `--subnet` flag is equivalent to 
 creating container in the zero subnetwork.
 To create a container in a private network, your wallet must be added to
 the client whitelist by the client admins or the subnet owners:
 ```shell
 $ frostfs-cli container create \
    --policy 'REP 1' \
    -w </path/to/wallet> \
    -r s01.frostfs.devenv:8080 \
    --subnet <subnet_ID>
 ```
--- a/cmd/frostfs-adm/internal/commonflags/flags.go
+++ b/cmd/frostfs-adm/internal/commonflags/flags.go
@ -0,0 +1,14 @@
 package commonflags
 const (
 	ConfigFlag          = "config"
 	ConfigFlagShorthand = "c"
 	ConfigFlagUsage     = "Config file"
 	ConfigDirFlag      = "config-dir"
 	ConfigDirFlagUsage = "Config directory"
 	Verbose          = "verbose"
 	VerboseShorthand = "v"
 	VerboseUsage     = "Verbose output"
 )
--- a/cmd/frostfs-adm/internal/modules/config/config.go
+++ b/cmd/frostfs-adm/internal/modules/config/config.go
@ -0,0 +1,166 @@
 package config
 import (
 	"bytes"
 	"fmt"
 	"os"
 	"path/filepath"
 	"text/template"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 type configTemplate struct {
 	Endpoint                string
 	AlphabetDir             string
 	MaxObjectSize           int
 	EpochDuration           int
 	BasicIncomeRate         int
 	AuditFee                int
 	CandidateFee            int
 	ContainerFee            int
 	ContainerAliasFee       int
 	WithdrawFee             int
 	Glagolitics             []string
 	HomomorphicHashDisabled bool
 }
 const configTxtTemplate = `rpc-endpoint: {{ .Endpoint}}
 alphabet-wallets: {{ .AlphabetDir}}
 network:
  max_object_size: {{ .MaxObjectSize}}
  epoch_duration: {{ .EpochDuration}}
  basic_income_rate: {{ .BasicIncomeRate}}
  homomorphic_hash_disabled: {{ .HomomorphicHashDisabled}}
  fee:
    audit: {{ .AuditFee}}
    candidate: {{ .CandidateFee}}
    container: {{ .ContainerFee}}
    container_alias: {{ .ContainerAliasFee }}
    withdraw: {{ .WithdrawFee}}
 # if credentials section is omitted, then frostfs-adm will require manual password input
 credentials:
  contract: password # wallet for contract group signature{{ range.Glagolitics}}
  {{.}}: password{{end}}
 `
 func initConfig(cmd *cobra.Command, args []string) error {
 	configPath, err := readConfigPathFromArgs(cmd)
 	if err != nil {
 		return nil
 	}
 	pathDir := filepath.Dir(configPath)
 	err = os.MkdirAll(pathDir, 0700)
 	if err != nil {
 		return fmt.Errorf("create dir %s: %w", pathDir, err)
 	}
 	f, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC|os.O_SYNC, 0600)
 	if err != nil {
 		return fmt.Errorf("open %s: %w", configPath, err)
 	}
 	defer f.Close()
 	configText, err := generateConfigExample(pathDir, 7)
 	if err != nil {
 		return err
 	}
 	_, err = f.WriteString(configText)
 	if err != nil {
 		return fmt.Errorf("writing to %s: %w", configPath, err)
 	}
 	cmd.Printf("Initial config file saved to %s\n", configPath)
 	return nil
 }
 func readConfigPathFromArgs(cmd *cobra.Command) (string, error) {
 	configPath, err := cmd.Flags().GetString(configPathFlag)
 	if err != nil {
 		return "", err
 	}
 	if configPath != "" {
 		return configPath, nil
 	}
 	return defaultConfigPath()
 }
 func defaultConfigPath() (string, error) {
 	home, err := os.UserHomeDir()
 	if err != nil {
 		return "", fmt.Errorf("getting home dir path: %w", err)
 	}
 	return filepath.Join(home, ".frostfs", "adm", "config.yml"), nil
 }
 // generateConfigExample builds .yml representation of the config file. It is
 // easier to build it manually with template instead of using viper, because we
 // want to order records in specific order in file and, probably, provide
 // some comments as well.
 func generateConfigExample(appDir string, credSize int) (string, error) {
 	tmpl := configTemplate{
 		Endpoint:                "https://neo.rpc.node:30333",
 		MaxObjectSize:           67108864,      // 64 MiB
 		EpochDuration:           240,           // 1 hour with 15s per block
 		BasicIncomeRate:         1_0000_0000,   // 0.0001 GAS per GiB (Fixed12)
 		HomomorphicHashDisabled: false,         // object homomorphic hash is enabled
 		AuditFee:                1_0000,        // 0.00000001 GAS per audit (Fixed12)
 		CandidateFee:            100_0000_0000, // 100.0 GAS (Fixed8)
 		ContainerFee:            1000,          // 0.000000001 * 7 GAS per container (Fixed12)
 		ContainerAliasFee:       500,           // ContainerFee / 2
 		WithdrawFee:             1_0000_0000,   // 1.0 GAS (Fixed8)
 		Glagolitics:             make([]string, 0, credSize),
 	}
 	appDir, err := filepath.Abs(appDir)
 	if err != nil {
 		return "", fmt.Errorf("making absolute path for %s: %w", appDir, err)
 	}
 	tmpl.AlphabetDir = filepath.Join(appDir, "alphabet-wallets")
 	var i innerring.GlagoliticLetter
 	for i = 0; i < innerring.GlagoliticLetter(credSize); i++ {
 		tmpl.Glagolitics = append(tmpl.Glagolitics, i.String())
 	}
 	t, err := template.New("config.yml").Parse(configTxtTemplate)
 	if err != nil {
 		return "", fmt.Errorf("parsing config template: %w", err)
 	}
 	buf := bytes.NewBuffer(nil)
 	err = t.Execute(buf, tmpl)
 	if err != nil {
 		return "", fmt.Errorf("generating config from template: %w", err)
 	}
 	return buf.String(), nil
 }
 func GetPassword(v *viper.Viper, name string) (string, error) {
 	key := "credentials." + name
 	if v.IsSet(key) {
 		return v.GetString(key), nil
 	}
 	prompt := "Password for " + name + " wallet > "
 	return input.ReadPassword(prompt)
 }
 func GetStoragePassword(v *viper.Viper, name string) (string, error) {
 	key := "storage." + name
 	if name != "" && v.IsSet(key) {
 		return v.GetString(key), nil
 	}
 	return input.ReadPassword("New password > ")
 }
--- a/cmd/frostfs-adm/internal/modules/config/config_test.go
+++ b/cmd/frostfs-adm/internal/modules/config/config_test.go
@ -0,0 +1,46 @@
 package config
 import (
 	"bytes"
 	"path/filepath"
 	"testing"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 )
 func TestGenerateConfigExample(t *testing.T) {
 	const (
 		n      = 10
 		appDir = "/home/example/.frostfs"
 	)
 	configText, err := generateConfigExample(appDir, n)
 	require.NoError(t, err)
 	v := viper.New()
 	v.SetConfigType("yml")
 	require.NoError(t, v.ReadConfig(bytes.NewBufferString(configText)))
 	require.Equal(t, "https://neo.rpc.node:30333", v.GetString("rpc-endpoint"))
 	require.Equal(t, filepath.Join(appDir, "alphabet-wallets"), v.GetString("alphabet-wallets"))
 	require.Equal(t, 67108864, v.GetInt("network.max_object_size"))
 	require.Equal(t, 240, v.GetInt("network.epoch_duration"))
 	require.Equal(t, 100000000, v.GetInt("network.basic_income_rate"))
 	require.Equal(t, 10000, v.GetInt("network.fee.audit"))
 	require.Equal(t, 10000000000, v.GetInt("network.fee.candidate"))
 	require.Equal(t, 1000, v.GetInt("network.fee.container"))
 	require.Equal(t, 100000000, v.GetInt("network.fee.withdraw"))
 	var i innerring.GlagoliticLetter
 	for i = 0; i < innerring.GlagoliticLetter(n); i++ {
 		key := "credentials." + i.String()
 		require.Equal(t, "password", v.GetString(key))
 	}
 	require.Equal(t, "password", v.GetString("credentials.contract"))
 	key := "credentials." + i.String()
 	require.Equal(t, "", v.GetString(key))
 }
--- a/cmd/frostfs-adm/internal/modules/config/root.go
+++ b/cmd/frostfs-adm/internal/modules/config/root.go
@ -0,0 +1,29 @@
 package config
 import (
 	"github.com/spf13/cobra"
 )
 const configPathFlag = "path"
 var (
 	// RootCmd is a root command of config section.
 	RootCmd = &cobra.Command{
 		Use:   "config",
 		Short: "Section for frostfs-adm config related commands",
 	}
 	initCmd = &cobra.Command{
 		Use:   "init",
 		Short: "Initialize basic frostfs-adm configuration file",
 		Example: `frostfs-adm config init
 frostfs-adm config init --path .config/frostfs-adm.yml`,
 		RunE: initConfig,
 	}
 )
 func init() {
 	RootCmd.AddCommand(initCmd)
 	initCmd.Flags().String(configPathFlag, "", "Path to config (default ~/.frostfs/adm/config.yml)")
 }
--- a/cmd/frostfs-adm/internal/modules/config/util.go
+++ b/cmd/frostfs-adm/internal/modules/config/util.go
@ -0,0 +1,24 @@
 package config
 import (
 	"os"
 	"path/filepath"
 	"strings"
 )
 // ResolveHomePath replaces leading `~`
 // with home directory.
 //
 // Does nothing if path does not start
 // with contain `~`.
 func ResolveHomePath(path string) string {
 	homeDir, _ := os.UserHomeDir()
 	if path == "~" {
 		path = homeDir
 	} else if strings.HasPrefix(path, "~/") {
 		path = filepath.Join(homeDir, path[2:])
 	}
 	return path
 }
--- a/cmd/frostfs-adm/internal/modules/morph/balance.go
+++ b/cmd/frostfs-adm/internal/modules/morph/balance.go
@ -0,0 +1,241 @@
 package morph
 import (
 	"crypto/elliptic"
 	"errors"
 	"fmt"
 	"math/big"
 	"github.com/TrueCloudLab/frostfs-contract/nns"
 	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/rolemgmt"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 type accBalancePair struct {
 	scriptHash util.Uint160
 	balance    *big.Int
 }
 const (
 	dumpBalancesStorageFlag       = "storage"
 	dumpBalancesAlphabetFlag      = "alphabet"
 	dumpBalancesProxyFlag         = "proxy"
 	dumpBalancesUseScriptHashFlag = "script-hash"
 	// notaryEnabled signifies whether contracts were deployed in a notary-enabled environment.
 	// The setting is here to simplify testing and building the command for testnet (notary currently disabled).
 	// It will be removed eventually.
 	notaryEnabled = true
 )
 func dumpBalances(cmd *cobra.Command, _ []string) error {
 	var (
 		dumpStorage, _  = cmd.Flags().GetBool(dumpBalancesStorageFlag)
 		dumpAlphabet, _ = cmd.Flags().GetBool(dumpBalancesAlphabetFlag)
 		dumpProxy, _    = cmd.Flags().GetBool(dumpBalancesProxyFlag)
 		nnsCs           *state.Contract
 		nmHash          util.Uint160
 	)
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return err
 	}
 	inv := invoker.New(c, nil)
 	if !notaryEnabled || dumpStorage || dumpAlphabet || dumpProxy {
 		nnsCs, err = c.GetContractStateByID(1)
 		if err != nil {
 			return fmt.Errorf("can't get NNS contract info: %w", err)
 		}
 		nmHash, err = nnsResolveHash(inv, nnsCs.Hash, netmapContract+".frostfs")
 		if err != nil {
 			return fmt.Errorf("can't get netmap contract hash: %w", err)
 		}
 	}
 	irList, err := fetchIRNodes(c, nmHash, rolemgmt.Hash)
 	if err != nil {
 		return err
 	}
 	if err := fetchBalances(inv, gas.Hash, irList); err != nil {
 		return err
 	}
 	printBalances(cmd, "Inner ring nodes balances:", irList)
 	if dumpStorage {
 		arr, err := unwrap.Array(inv.Call(nmHash, "netmap"))
 		if err != nil {
 			return errors.New("can't fetch the list of storage nodes")
 		}
 		snList := make([]accBalancePair, len(arr))
 		for i := range arr {
 			node, ok := arr[i].Value().([]stackitem.Item)
 			if !ok || len(node) == 0 {
 				return errors.New("can't parse the list of storage nodes")
 			}
 			bs, err := node[0].TryBytes()
 			if err != nil {
 				return errors.New("can't parse the list of storage nodes")
 			}
 			var ni netmap.NodeInfo
 			if err := ni.Unmarshal(bs); err != nil {
 				return fmt.Errorf("can't parse the list of storage nodes: %w", err)
 			}
 			pub, err := keys.NewPublicKeyFromBytes(ni.PublicKey(), elliptic.P256())
 			if err != nil {
 				return fmt.Errorf("can't parse storage node public key: %w", err)
 			}
 			snList[i].scriptHash = pub.GetScriptHash()
 		}
 		if err := fetchBalances(inv, gas.Hash, snList); err != nil {
 			return err
 		}
 		printBalances(cmd, "\nStorage node balances:", snList)
 	}
 	if dumpProxy {
 		h, err := nnsResolveHash(inv, nnsCs.Hash, proxyContract+".frostfs")
 		if err != nil {
 			return fmt.Errorf("can't get hash of the proxy contract: %w", err)
 		}
 		proxyList := []accBalancePair{{scriptHash: h}}
 		if err := fetchBalances(inv, gas.Hash, proxyList); err != nil {
 			return err
 		}
 		printBalances(cmd, "\nProxy contract balance:", proxyList)
 	}
 	if dumpAlphabet {
 		alphaList := make([]accBalancePair, len(irList))
 		w := io.NewBufBinWriter()
 		for i := range alphaList {
 			emit.AppCall(w.BinWriter, nnsCs.Hash, "resolve", callflag.ReadOnly,
 				getAlphabetNNSDomain(i),
 				int64(nns.TXT))
 		}
 		if w.Err != nil {
 			panic(w.Err)
 		}
 		alphaRes, err := c.InvokeScript(w.Bytes(), nil)
 		if err != nil {
 			return fmt.Errorf("can't fetch info from NNS: %w", err)
 		}
 		for i := range alphaList {
 			h, err := parseNNSResolveResult(alphaRes.Stack[i])
 			if err != nil {
 				return fmt.Errorf("can't fetch the alphabet contract #%d hash: %w", i, err)
 			}
 			alphaList[i].scriptHash = h
 		}
 		if err := fetchBalances(inv, gas.Hash, alphaList); err != nil {
 			return err
 		}
 		printBalances(cmd, "\nAlphabet contracts balances:", alphaList)
 	}
 	return nil
 }
 func fetchIRNodes(c Client, nmHash, desigHash util.Uint160) ([]accBalancePair, error) {
 	var irList []accBalancePair
 	inv := invoker.New(c, nil)
 	if notaryEnabled {
 		height, err := c.GetBlockCount()
 		if err != nil {
 			return nil, fmt.Errorf("can't get block height: %w", err)
 		}
 		arr, err := getDesignatedByRole(inv, desigHash, noderoles.NeoFSAlphabet, height)
 		if err != nil {
 			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
 		}
 		irList = make([]accBalancePair, len(arr))
 		for i := range arr {
 			irList[i].scriptHash = arr[i].GetScriptHash()
 		}
 	} else {
 		arr, err := unwrap.ArrayOfBytes(inv.Call(nmHash, "innerRingList"))
 		if err != nil {
 			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
 		}
 		irList = make([]accBalancePair, len(arr))
 		for i := range arr {
 			pub, err := keys.NewPublicKeyFromBytes(arr[i], elliptic.P256())
 			if err != nil {
 				return nil, fmt.Errorf("can't parse IR node public key: %w", err)
 			}
 			irList[i].scriptHash = pub.GetScriptHash()
 		}
 	}
 	return irList, nil
 }
 func printBalances(cmd *cobra.Command, prefix string, accounts []accBalancePair) {
 	useScriptHash, _ := cmd.Flags().GetBool(dumpBalancesUseScriptHashFlag)
 	cmd.Println(prefix)
 	for i := range accounts {
 		var addr string
 		if useScriptHash {
 			addr = accounts[i].scriptHash.StringLE()
 		} else {
 			addr = address.Uint160ToString(accounts[i].scriptHash)
 		}
 		cmd.Printf("%s: %s\n", addr, fixedn.ToString(accounts[i].balance, 8))
 	}
 }
 func fetchBalances(c *invoker.Invoker, gasHash util.Uint160, accounts []accBalancePair) error {
 	w := io.NewBufBinWriter()
 	for i := range accounts {
 		emit.AppCall(w.BinWriter, gasHash, "balanceOf", callflag.ReadStates, accounts[i].scriptHash)
 	}
 	if w.Err != nil {
 		panic(w.Err)
 	}
 	res, err := c.Run(w.Bytes())
 	if err != nil || res.State != vmstate.Halt.String() || len(res.Stack) != len(accounts) {
 		return errors.New("can't fetch account balances")
 	}
 	for i := range accounts {
 		bal, err := res.Stack[i].TryInteger()
 		if err != nil {
 			return fmt.Errorf("can't parse account balance: %w", err)
 		}
 		accounts[i].balance = bal
 	}
 	return nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/config.go
+++ b/cmd/frostfs-adm/internal/modules/morph/config.go
@ -0,0 +1,192 @@
 package morph
 import (
 	"bytes"
 	"encoding/binary"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"text/tabwriter"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const forceConfigSet = "force"
 func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
 	inv := invoker.New(c, nil)
 	cs, err := c.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
 	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
 	arr, err := unwrap.Array(inv.Call(nmHash, "listConfig"))
 	if err != nil {
 		return errors.New("can't fetch list of network config keys from the netmap contract")
 	}
 	buf := bytes.NewBuffer(nil)
 	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
 	for _, param := range arr {
 		tuple, ok := param.Value().([]stackitem.Item)
 		if !ok || len(tuple) != 2 {
 			return errors.New("invalid ListConfig response from netmap contract")
 		}
 		k, err := tuple[0].TryBytes()
 		if err != nil {
 			return errors.New("invalid config key from netmap contract")
 		}
 		v, err := tuple[1].TryBytes()
 		if err != nil {
 			return invalidConfigValueErr(k)
 		}
 		switch string(k) {
 		case netmapAuditFeeKey, netmapBasicIncomeRateKey,
 			netmapContainerFeeKey, netmapContainerAliasFeeKey,
 			netmapEigenTrustIterationsKey,
 			netmapEpochKey, netmapInnerRingCandidateFeeKey,
 			netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
 			nbuf := make([]byte, 8)
 			copy(nbuf[:], v)
 			n := binary.LittleEndian.Uint64(nbuf)
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%d (int)\n", k, n)))
 		case netmapEigenTrustAlphaKey:
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (str)\n", k, v)))
 		case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
 			vBool, err := tuple[1].TryBool()
 			if err != nil {
 				return invalidConfigValueErr(k)
 			}
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%t (bool)\n", k, vBool)))
 		default:
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (hex)\n", k, hex.EncodeToString(v))))
 		}
 	}
 	_ = tw.Flush()
 	cmd.Print(buf.String())
 	return nil
 }
 func setConfigCmd(cmd *cobra.Command, args []string) error {
 	if len(args) == 0 {
 		return errors.New("empty config pairs")
 	}
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't initialize context: %w", err)
 	}
 	cs, err := wCtx.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
 	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
 	forceFlag, _ := cmd.Flags().GetBool(forceConfigSet)
 	bw := io.NewBufBinWriter()
 	for _, arg := range args {
 		k, v, err := parseConfigPair(arg, forceFlag)
 		if err != nil {
 			return err
 		}
 		// In NeoFS this is done via Notary contract. Here, however, we can form the
 		// transaction locally. The first `nil` argument is required only for notary
 		// disabled environment which is not supported by that command.
 		emit.AppCall(bw.BinWriter, nmHash, "setConfig", callflag.All, nil, k, v)
 		if bw.Err != nil {
 			return fmt.Errorf("can't form raw transaction: %w", bw.Err)
 		}
 	}
 	err = wCtx.sendConsensusTx(bw.Bytes())
 	if err != nil {
 		return err
 	}
 	return wCtx.awaitTx()
 }
 func parseConfigPair(kvStr string, force bool) (key string, val any, err error) {
 	k, v, found := strings.Cut(kvStr, "=")
 	if !found {
 		return "", nil, fmt.Errorf("invalid parameter format: must be 'key=val', got: %s", kvStr)
 	}
 	key = k
 	valRaw := v
 	switch key {
 	case netmapAuditFeeKey, netmapBasicIncomeRateKey,
 		netmapContainerFeeKey, netmapContainerAliasFeeKey,
 		netmapEigenTrustIterationsKey,
 		netmapEpochKey, netmapInnerRingCandidateFeeKey,
 		netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
 		val, err = strconv.ParseInt(valRaw, 10, 64)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as int: %w", key, valRaw, err)
 		}
 	case netmapEigenTrustAlphaKey:
 		// just check that it could
 		// be parsed correctly
 		_, err = strconv.ParseFloat(v, 64)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as float: %w", key, valRaw, err)
 		}
 		val = valRaw
 	case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
 		val, err = strconv.ParseBool(valRaw)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as bool: %w", key, valRaw, err)
 		}
 	default:
 		if !force {
 			return "", nil, fmt.Errorf(
 				"'%s' key is not well-known, use '--%s' flag if want to set it anyway",
 				key, forceConfigSet)
 		}
 		val = valRaw
 	}
 	return
 }
 func invalidConfigValueErr(key []byte) error {
 	return fmt.Errorf("invalid %s config value from netmap contract", key)
 }
--- a/cmd/frostfs-adm/internal/modules/morph/container.go
+++ b/cmd/frostfs-adm/internal/modules/morph/container.go
@ -0,0 +1,373 @@
 package morph
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	"sort"
 	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var errInvalidContainerResponse = errors.New("invalid response from container contract")
 func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker, c Client) (util.Uint160, error) {
 	s, err := cmd.Flags().GetString(containerContractFlag)
 	var ch util.Uint160
 	if err == nil {
 		ch, err = util.Uint160DecodeStringLE(s)
 	}
 	if err != nil {
 		nnsCs, err := c.GetContractStateByID(1)
 		if err != nil {
 			return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
 		}
 		ch, err = nnsResolveHash(inv, nnsCs.Hash, containerContract+".frostfs")
 		if err != nil {
 			return util.Uint160{}, err
 		}
 	}
 	return ch, nil
 }
 func getContainersList(inv *invoker.Invoker, ch util.Uint160) ([][]byte, error) {
 	res, err := inv.Call(ch, "list", "")
 	if err != nil {
 		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
 	itm, err := unwrap.Item(res, err)
 	if _, ok := itm.(stackitem.Null); !ok {
 		return unwrap.ArrayOfBytes(res, err)
 	}
 	return nil, nil
 }
 func dumpContainers(cmd *cobra.Command, _ []string) error {
 	filename, err := cmd.Flags().GetString(containerDumpFlag)
 	if err != nil {
 		return fmt.Errorf("invalid filename: %w", err)
 	}
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
 	inv := invoker.New(c, nil)
 	ch, err := getContainerContractHash(cmd, inv, c)
 	if err != nil {
 		return fmt.Errorf("unable to get contaract hash: %w", err)
 	}
 	cids, err := getContainersList(inv, ch)
 	if err != nil {
 		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
 	isOK, err := getCIDFilterFunc(cmd)
 	if err != nil {
 		return err
 	}
 	var containers []*Container
 	bw := io.NewBufBinWriter()
 	for _, id := range cids {
 		if !isOK(id) {
 			continue
 		}
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, ch, "get", callflag.All, id)
 		emit.AppCall(bw.BinWriter, ch, "eACL", callflag.All, id)
 		res, err := inv.Run(bw.Bytes())
 		if err != nil {
 			return fmt.Errorf("can't get container info: %w", err)
 		}
 		if len(res.Stack) != 2 {
 			return fmt.Errorf("%w: expected 2 items on stack", errInvalidContainerResponse)
 		}
 		cnt := new(Container)
 		err = cnt.FromStackItem(res.Stack[0])
 		if err != nil {
 			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 		}
 		ea := new(EACL)
 		err = ea.FromStackItem(res.Stack[1])
 		if err != nil {
 			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 		}
 		if len(ea.Value) != 0 {
 			cnt.EACL = ea
 		}
 		containers = append(containers, cnt)
 	}
 	out, err := json.Marshal(containers)
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(filename, out, 0o660)
 }
 func listContainers(cmd *cobra.Command, _ []string) error {
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
 	inv := invoker.New(c, nil)
 	ch, err := getContainerContractHash(cmd, inv, c)
 	if err != nil {
 		return fmt.Errorf("unable to get contaract hash: %w", err)
 	}
 	cids, err := getContainersList(inv, ch)
 	if err != nil {
 		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
 	for _, id := range cids {
 		var idCnr cid.ID
 		err = idCnr.Decode(id)
 		if err != nil {
 			return fmt.Errorf("unable to decode container id: %w", err)
 		}
 		cmd.Println(idCnr)
 	}
 	return nil
 }
 func restoreContainers(cmd *cobra.Command, _ []string) error {
 	filename, err := cmd.Flags().GetString(containerDumpFlag)
 	if err != nil {
 		return fmt.Errorf("invalid filename: %w", err)
 	}
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return err
 	}
 	defer wCtx.close()
 	nnsCs, err := wCtx.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract state: %w", err)
 	}
 	ch, err := nnsResolveHash(wCtx.ReadOnlyInvoker, nnsCs.Hash, containerContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't fetch container contract hash: %w", err)
 	}
 	data, err := os.ReadFile(filename)
 	if err != nil {
 		return fmt.Errorf("can't read dump file: %w", err)
 	}
 	var containers []Container
 	err = json.Unmarshal(data, &containers)
 	if err != nil {
 		return fmt.Errorf("can't parse dump file: %w", err)
 	}
 	isOK, err := getCIDFilterFunc(cmd)
 	if err != nil {
 		return err
 	}
 	bw := io.NewBufBinWriter()
 	for _, cnt := range containers {
 		hv := hash.Sha256(cnt.Value)
 		if !isOK(hv[:]) {
 			continue
 		}
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, ch, "get", callflag.All, hv.BytesBE())
 		res, err := wCtx.Client.InvokeScript(bw.Bytes(), nil)
 		if err != nil {
 			return fmt.Errorf("can't check if container is already restored: %w", err)
 		}
 		if len(res.Stack) == 0 {
 			return errors.New("empty stack")
 		}
 		old := new(Container)
 		if err := old.FromStackItem(res.Stack[0]); err != nil {
 			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 		}
 		if len(old.Value) != 0 {
 			var id cid.ID
 			id.SetSHA256(hv)
 			cmd.Printf("Container %s is already deployed.\n", id)
 			continue
 		}
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, ch, "put", callflag.All,
 			cnt.Value, cnt.Signature, cnt.PublicKey, cnt.Token)
 		if ea := cnt.EACL; ea != nil {
 			emit.AppCall(bw.BinWriter, ch, "setEACL", callflag.All,
 				ea.Value, ea.Signature, ea.PublicKey, ea.Token)
 		}
 		if bw.Err != nil {
 			panic(bw.Err)
 		}
 		if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
 			return err
 		}
 	}
 	return wCtx.awaitTx()
 }
 // Container represents container struct in contract storage.
 type Container struct {
 	Value     []byte `json:"value"`
 	Signature []byte `json:"signature"`
 	PublicKey []byte `json:"public_key"`
 	Token     []byte `json:"token"`
 	EACL      *EACL  `json:"eacl"`
 }
 // EACL represents extended ACL struct in contract storage.
 type EACL struct {
 	Value     []byte `json:"value"`
 	Signature []byte `json:"signature"`
 	PublicKey []byte `json:"public_key"`
 	Token     []byte `json:"token"`
 }
 // ToStackItem implements stackitem.Convertible.
 func (c *Container) ToStackItem() (stackitem.Item, error) {
 	return stackitem.NewStruct([]stackitem.Item{
 		stackitem.NewByteArray(c.Value),
 		stackitem.NewByteArray(c.Signature),
 		stackitem.NewByteArray(c.PublicKey),
 		stackitem.NewByteArray(c.Token),
 	}), nil
 }
 // FromStackItem implements stackitem.Convertible.
 func (c *Container) FromStackItem(item stackitem.Item) error {
 	arr, ok := item.Value().([]stackitem.Item)
 	if !ok || len(arr) != 4 {
 		return errors.New("invalid stack item type")
 	}
 	value, err := arr[0].TryBytes()
 	if err != nil {
 		return errors.New("invalid container value")
 	}
 	sig, err := arr[1].TryBytes()
 	if err != nil {
 		return errors.New("invalid container signature")
 	}
 	pub, err := arr[2].TryBytes()
 	if err != nil {
 		return errors.New("invalid container public key")
 	}
 	tok, err := arr[3].TryBytes()
 	if err != nil {
 		return errors.New("invalid container token")
 	}
 	c.Value = value
 	c.Signature = sig
 	c.PublicKey = pub
 	c.Token = tok
 	return nil
 }
 // ToStackItem implements stackitem.Convertible.
 func (c *EACL) ToStackItem() (stackitem.Item, error) {
 	return stackitem.NewStruct([]stackitem.Item{
 		stackitem.NewByteArray(c.Value),
 		stackitem.NewByteArray(c.Signature),
 		stackitem.NewByteArray(c.PublicKey),
 		stackitem.NewByteArray(c.Token),
 	}), nil
 }
 // FromStackItem implements stackitem.Convertible.
 func (c *EACL) FromStackItem(item stackitem.Item) error {
 	arr, ok := item.Value().([]stackitem.Item)
 	if !ok || len(arr) != 4 {
 		return errors.New("invalid stack item type")
 	}
 	value, err := arr[0].TryBytes()
 	if err != nil {
 		return errors.New("invalid eACL value")
 	}
 	sig, err := arr[1].TryBytes()
 	if err != nil {
 		return errors.New("invalid eACL signature")
 	}
 	pub, err := arr[2].TryBytes()
 	if err != nil {
 		return errors.New("invalid eACL public key")
 	}
 	tok, err := arr[3].TryBytes()
 	if err != nil {
 		return errors.New("invalid eACL token")
 	}
 	c.Value = value
 	c.Signature = sig
 	c.PublicKey = pub
 	c.Token = tok
 	return nil
 }
 // getCIDFilterFunc returns filtering function for container IDs.
 // Raw byte slices are used because it works with structures returned
 // from contract.
 func getCIDFilterFunc(cmd *cobra.Command) (func([]byte) bool, error) {
 	rawIDs, err := cmd.Flags().GetStringSlice(containerIDsFlag)
 	if err != nil {
 		return nil, err
 	}
 	if len(rawIDs) == 0 {
 		return func([]byte) bool { return true }, nil
 	}
 	for i := range rawIDs {
 		err := new(cid.ID).DecodeString(rawIDs[i])
 		if err != nil {
 			return nil, fmt.Errorf("can't parse CID %s: %w", rawIDs[i], err)
 		}
 	}
 	sort.Strings(rawIDs)
 	return func(rawID []byte) bool {
 		var v [32]byte
 		copy(v[:], rawID)
 		var id cid.ID
 		id.SetSHA256(v)
 		idStr := id.EncodeToString()
 		n := sort.Search(len(rawIDs), func(i int) bool { return rawIDs[i] >= idStr })
 		return n < len(rawIDs) && rawIDs[n] == idStr
 	}, nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/deploy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/deploy.go
@ -0,0 +1,224 @@
 package morph
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/TrueCloudLab/frostfs-contract/nns"
 	"github.com/nspcc-dev/neo-go/cli/cmdargs"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/services/rpcsrv/params"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	contractPathFlag = "contract"
 	updateFlag       = "update"
 	customZoneFlag   = "domain"
 )
 var deployCmd = &cobra.Command{
 	Use:   "deploy",
 	Short: "Deploy additional smart-contracts",
 	Long: `Deploy additional smart-contract which are not related to core.
 All contracts are deployed by the committee, so access to the alphabet wallets is required.
 Optionally, arguments can be provided to be passed to a contract's _deploy function.
 The syntax is the same as for 'neo-go contract testinvokefunction' command.
 Compiled contract file name must contain '_contract.nef' suffix.
 Contract's manifest file name must be 'config.json'.
 NNS name is taken by stripping '_contract.nef' from the NEF file (similar to frostfs contracts).`,
 	PreRun: func(cmd *cobra.Command, _ []string) {
 		_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 		_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 	},
 	RunE: deployContractCmd,
 }
 func init() {
 	ff := deployCmd.Flags()
 	ff.String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	_ = deployCmd.MarkFlagFilename(alphabetWalletsFlag)
 	ff.StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	ff.String(contractPathFlag, "", "Path to the contract directory")
 	_ = deployCmd.MarkFlagFilename(contractPathFlag)
 	ff.Bool(updateFlag, false, "Update an existing contract")
 	ff.String(customZoneFlag, "frostfs", "Custom zone for NNS")
 }
 func deployContractCmd(cmd *cobra.Command, args []string) error {
 	v := viper.GetViper()
 	c, err := newInitializeContext(cmd, v)
 	if err != nil {
 		return fmt.Errorf("initialization error: %w", err)
 	}
 	defer c.close()
 	ctrPath, _ := cmd.Flags().GetString(contractPathFlag)
 	ctrName, err := probeContractName(ctrPath)
 	if err != nil {
 		return err
 	}
 	cs, err := readContract(ctrPath, ctrName)
 	if err != nil {
 		return err
 	}
 	nnsCs, err := c.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't fetch NNS contract state: %w", err)
 	}
 	callHash := management.Hash
 	method := deployMethodName
 	zone, _ := cmd.Flags().GetString(customZoneFlag)
 	domain := ctrName + "." + zone
 	isUpdate, _ := cmd.Flags().GetBool(updateFlag)
 	if isUpdate {
 		cs.Hash, err = nnsResolveHash(c.ReadOnlyInvoker, nnsCs.Hash, domain)
 		if err != nil {
 			return fmt.Errorf("can't fetch contract hash from NNS: %w", err)
 		}
 		callHash = cs.Hash
 		method = updateMethodName
 	} else {
 		cs.Hash = state.CreateContractHash(
 			c.CommitteeAcc.Contract.ScriptHash(),
 			cs.NEF.Checksum,
 			cs.Manifest.Name)
 	}
 	w := io.NewBufBinWriter()
 	if err := emitDeploymentArguments(w.BinWriter, args); err != nil {
 		return err
 	}
 	emit.Bytes(w.BinWriter, cs.RawManifest)
 	emit.Bytes(w.BinWriter, cs.RawNEF)
 	emit.Int(w.BinWriter, 3)
 	emit.Opcodes(w.BinWriter, opcode.PACK)
 	emit.AppCallNoArgs(w.BinWriter, callHash, method, callflag.All)
 	emit.Opcodes(w.BinWriter, opcode.DROP) // contract state on stack
 	if !isUpdate {
 		bw := io.NewBufBinWriter()
 		emit.Instruction(bw.BinWriter, opcode.INITSSLOT, []byte{1})
 		emit.AppCall(bw.BinWriter, nnsCs.Hash, "getPrice", callflag.All)
 		emit.Opcodes(bw.BinWriter, opcode.STSFLD0)
 		emit.AppCall(bw.BinWriter, nnsCs.Hash, "setPrice", callflag.All, 1)
 		start := bw.Len()
 		needRecord := false
 		ok, err := c.nnsRootRegistered(nnsCs.Hash, zone)
 		if err != nil {
 			return err
 		} else if !ok {
 			needRecord = true
 			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
 				zone, c.CommitteeAcc.Contract.ScriptHash(),
 				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
 				domain, c.CommitteeAcc.Contract.ScriptHash(),
 				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 		} else {
 			s, ok, err := c.nnsRegisterDomainScript(nnsCs.Hash, cs.Hash, domain)
 			if err != nil {
 				return err
 			}
 			needRecord = !ok
 			if len(s) != 0 {
 				bw.WriteBytes(s)
 			}
 		}
 		if needRecord {
 			emit.AppCall(bw.BinWriter, nnsCs.Hash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
 			emit.AppCall(bw.BinWriter, nnsCs.Hash, "addRecord", callflag.All,
 				domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
 		}
 		if bw.Err != nil {
 			panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
 		} else if bw.Len() != start {
 			w.WriteBytes(bw.Bytes())
 			emit.Opcodes(w.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
 			emit.AppCallNoArgs(w.BinWriter, nnsCs.Hash, "setPrice", callflag.All)
 			if needRecord {
 				c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
 			}
 		}
 	}
 	if w.Err != nil {
 		panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
 	}
 	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }
 func emitDeploymentArguments(w *io.BinWriter, args []string) error {
 	_, ps, err := cmdargs.ParseParams(args, true)
 	if err != nil {
 		return err
 	}
 	if len(ps) == 0 {
 		emit.Opcodes(w, opcode.NEWARRAY0)
 		return nil
 	}
 	if len(ps) != 1 {
 		return fmt.Errorf("at most one argument is expected for deploy, got %d", len(ps))
 	}
 	// We could emit this directly, but round-trip through JSON is more robust.
 	// This a CLI, so optimizing the conversion is not worth the effort.
 	data, err := json.Marshal(ps)
 	if err != nil {
 		return err
 	}
 	var pp params.Params
 	if err := json.Unmarshal(data, &pp); err != nil {
 		return err
 	}
 	return params.ExpandArrayIntoScript(w, pp)
 }
 func probeContractName(ctrPath string) (string, error) {
 	ds, err := os.ReadDir(ctrPath)
 	if err != nil {
 		return "", fmt.Errorf("can't read directory: %w", err)
 	}
 	var ctrName string
 	for i := range ds {
 		if strings.HasSuffix(ds[i].Name(), "_contract.nef") {
 			ctrName = strings.TrimSuffix(ds[i].Name(), "_contract.nef")
 			break
 		}
 	}
 	if ctrName == "" {
 		return "", fmt.Errorf("can't find any NEF files in %s", ctrPath)
 	}
 	return ctrName, nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/download.go
+++ b/cmd/frostfs-adm/internal/modules/morph/download.go
@ -0,0 +1,40 @@
 package morph
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"github.com/google/go-github/v39/github"
 	"github.com/spf13/cobra"
 )
 func downloadContractsFromGithub(cmd *cobra.Command) (io.ReadCloser, error) {
 	gcl := github.NewClient(nil)
 	release, _, err := gcl.Repositories.GetLatestRelease(context.Background(), "nspcc-dev", "frostfs-contract")
 	if err != nil {
 		return nil, fmt.Errorf("can't fetch release info: %w", err)
 	}
 	cmd.Printf("Found %s (%s), downloading...\n", release.GetTagName(), release.GetName())
 	var url string
 	for _, a := range release.Assets {
 		if strings.HasPrefix(a.GetName(), "frostfs-contract") {
 			url = a.GetBrowserDownloadURL()
 			break
 		}
 	}
 	if url == "" {
 		return nil, errors.New("can't find contracts archive in release assets")
 	}
 	resp, err := http.Get(url)
 	if err != nil {
 		return nil, fmt.Errorf("can't fetch contracts archive: %w", err)
 	}
 	return resp.Body, nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/dump_hashes.go
+++ b/cmd/frostfs-adm/internal/modules/morph/dump_hashes.go
@ -0,0 +1,250 @@
 package morph
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"strings"
 	"text/tabwriter"
 	"github.com/TrueCloudLab/frostfs-contract/nns"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const lastGlagoliticLetter = 41
 type contractDumpInfo struct {
 	hash    util.Uint160
 	name    string
 	version string
 }
 func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
 	cs, err := c.GetContractStateByID(1)
 	if err != nil {
 		return err
 	}
 	zone, _ := cmd.Flags().GetString(customZoneFlag)
 	if zone != "" {
 		return dumpCustomZoneHashes(cmd, cs.Hash, zone, c)
 	}
 	infos := []contractDumpInfo{{name: nnsContract, hash: cs.Hash}}
 	irSize := 0
 	for ; irSize < lastGlagoliticLetter; irSize++ {
 		ok, err := nnsIsAvailable(c, cs.Hash, getAlphabetNNSDomain(irSize))
 		if err != nil {
 			return err
 		} else if ok {
 			break
 		}
 	}
 	bw := io.NewBufBinWriter()
 	if irSize != 0 {
 		bw.Reset()
 		for i := 0; i < irSize; i++ {
 			emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
 				getAlphabetNNSDomain(i),
 				int64(nns.TXT))
 		}
 		alphaRes, err := c.InvokeScript(bw.Bytes(), nil)
 		if err != nil {
 			return fmt.Errorf("can't fetch info from NNS: %w", err)
 		}
 		for i := 0; i < irSize; i++ {
 			info := contractDumpInfo{name: fmt.Sprintf("alphabet %d", i)}
 			if h, err := parseNNSResolveResult(alphaRes.Stack[i]); err == nil {
 				info.hash = h
 			}
 			infos = append(infos, info)
 		}
 	}
 	for _, ctrName := range contractList {
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
 			ctrName+".frostfs", int64(nns.TXT))
 		res, err := c.InvokeScript(bw.Bytes(), nil)
 		if err != nil {
 			return fmt.Errorf("can't fetch info from NNS: %w", err)
 		}
 		info := contractDumpInfo{name: ctrName}
 		if len(res.Stack) != 0 {
 			if h, err := parseNNSResolveResult(res.Stack[0]); err == nil {
 				info.hash = h
 			}
 		}
 		infos = append(infos, info)
 	}
 	fillContractVersion(cmd, c, infos)
 	printContractInfo(cmd, infos)
 	return nil
 }
 func dumpCustomZoneHashes(cmd *cobra.Command, nnsHash util.Uint160, zone string, c Client) error {
 	const nnsMaxTokens = 100
 	inv := invoker.New(c, nil)
 	if !strings.HasPrefix(zone, ".") {
 		zone = "." + zone
 	}
 	var infos []contractDumpInfo
 	processItem := func(item stackitem.Item) {
 		bs, err := item.TryBytes()
 		if err != nil {
 			cmd.PrintErrf("Invalid NNS record: %v\n", err)
 			return
 		}
 		if !bytes.HasSuffix(bs, []byte(zone)) {
 			// Related https://github.com/nspcc-dev/neofs-contract/issues/316.
 			return
 		}
 		h, err := nnsResolveHash(inv, nnsHash, string(bs))
 		if err != nil {
 			cmd.PrintErrf("Could not resolve name %s: %v\n", string(bs), err)
 			return
 		}
 		infos = append(infos, contractDumpInfo{
 			hash: h,
 			name: strings.TrimSuffix(string(bs), zone),
 		})
 	}
 	sessionID, iter, err := unwrap.SessionIterator(inv.Call(nnsHash, "tokens"))
 	if err != nil {
 		if errors.Is(err, unwrap.ErrNoSessionID) {
 			items, err := unwrap.Array(inv.CallAndExpandIterator(nnsHash, "tokens", nnsMaxTokens))
 			if err != nil {
 				return fmt.Errorf("can't get a list of NNS domains: %w", err)
 			}
 			if len(items) == nnsMaxTokens {
 				cmd.PrintErrln("Provided RPC endpoint doesn't support sessions, some hashes might be lost.")
 			}
 			for i := range items {
 				processItem(items[i])
 			}
 		} else {
 			return err
 		}
 	} else {
 		defer func() {
 			_ = inv.TerminateSession(sessionID)
 		}()
 		items, err := inv.TraverseIterator(sessionID, &iter, nnsMaxTokens)
 		for err == nil && len(items) != 0 {
 			for i := range items {
 				processItem(items[i])
 			}
 			items, err = inv.TraverseIterator(sessionID, &iter, nnsMaxTokens)
 		}
 		if err != nil {
 			return fmt.Errorf("error during NNS domains iteration: %w", err)
 		}
 	}
 	fillContractVersion(cmd, c, infos)
 	printContractInfo(cmd, infos)
 	return nil
 }
 func parseContractVersion(item stackitem.Item) string {
 	bi, err := item.TryInteger()
 	if err != nil || bi.Sign() == 0 || !bi.IsInt64() {
 		return "unknown"
 	}
 	v := bi.Int64()
 	major := v / 1_000_000
 	minor := (v % 1_000_000) / 1000
 	patch := v % 1_000
 	return fmt.Sprintf("v%d.%d.%d", major, minor, patch)
 }
 func printContractInfo(cmd *cobra.Command, infos []contractDumpInfo) {
 	if len(infos) == 0 {
 		return
 	}
 	buf := bytes.NewBuffer(nil)
 	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
 	for _, info := range infos {
 		if info.version == "" {
 			info.version = "unknown"
 		}
 		_, _ = tw.Write([]byte(fmt.Sprintf("%s\t(%s):\t%s\n",
 			info.name, info.version, info.hash.StringLE())))
 	}
 	_ = tw.Flush()
 	cmd.Print(buf.String())
 }
 func fillContractVersion(cmd *cobra.Command, c Client, infos []contractDumpInfo) {
 	bw := io.NewBufBinWriter()
 	sub := io.NewBufBinWriter()
 	for i := range infos {
 		if infos[i].hash.Equals(util.Uint160{}) {
 			emit.Int(bw.BinWriter, 0)
 		} else {
 			sub.Reset()
 			emit.AppCall(sub.BinWriter, infos[i].hash, "version", callflag.NoneFlag)
 			if sub.Err != nil {
 				panic(fmt.Errorf("BUG: can't create version script: %w", bw.Err))
 			}
 			script := sub.Bytes()
 			emit.Instruction(bw.BinWriter, opcode.TRY, []byte{byte(3 + len(script) + 2), 0})
 			bw.BinWriter.WriteBytes(script)
 			emit.Instruction(bw.BinWriter, opcode.ENDTRY, []byte{2 + 1})
 			emit.Opcodes(bw.BinWriter, opcode.PUSH0)
 		}
 	}
 	emit.Opcodes(bw.BinWriter, opcode.NOP) // for the last ENDTRY target
 	if bw.Err != nil {
 		panic(fmt.Errorf("BUG: can't create version script: %w", bw.Err))
 	}
 	res, err := c.InvokeScript(bw.Bytes(), nil)
 	if err != nil {
 		cmd.Printf("Can't fetch version from NNS: %v\n", err)
 		return
 	}
 	if res.State == vmstate.Halt.String() {
 		for i := range res.Stack {
 			infos[i].version = parseContractVersion(res.Stack[i])
 		}
 	}
 }
--- a/cmd/frostfs-adm/internal/modules/morph/epoch.go
+++ b/cmd/frostfs-adm/internal/modules/morph/epoch.go
@ -0,0 +1,57 @@
 package morph
 import (
 	"errors"
 	"fmt"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 func forceNewEpochCmd(cmd *cobra.Command, args []string) error {
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't to initialize context: %w", err)
 	}
 	cs, err := wCtx.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
 	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
 	bw := io.NewBufBinWriter()
 	if err := emitNewEpochCall(bw, wCtx, nmHash); err != nil {
 		return err
 	}
 	if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
 		return err
 	}
 	return wCtx.awaitTx()
 }
 func emitNewEpochCall(bw *io.BufBinWriter, wCtx *initializeContext, nmHash util.Uint160) error {
 	curr, err := unwrap.Int64(wCtx.ReadOnlyInvoker.Call(nmHash, "epoch"))
 	if err != nil {
 		return errors.New("can't fetch current epoch from the netmap contract")
 	}
 	newEpoch := curr + 1
 	wCtx.Command.Printf("Current epoch: %d, increase to %d.\n", curr, newEpoch)
 	// In NeoFS this is done via Notary contract. Here, however, we can form the
 	// transaction locally.
 	emit.AppCall(bw.BinWriter, nmHash, "newEpoch", callflag.All, newEpoch)
 	return bw.Err
 }
--- a/cmd/frostfs-adm/internal/modules/morph/generate.go
+++ b/cmd/frostfs-adm/internal/modules/morph/generate.go
@ -0,0 +1,225 @@
 package morph
 import (
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	singleAccountName    = "single"
 	committeeAccountName = "committee"
 	consensusAccountName = "consensus"
 )
 func generateAlphabetCreds(cmd *cobra.Command, args []string) error {
 	// alphabet size is not part of the config
 	size, err := cmd.Flags().GetUint(alphabetSizeFlag)
 	if err != nil {
 		return err
 	}
 	if size == 0 {
 		return errors.New("size must be > 0")
 	}
 	v := viper.GetViper()
 	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
 	pwds, err := initializeWallets(v, walletDir, int(size))
 	if err != nil {
 		return err
 	}
 	_, err = initializeContractWallet(v, walletDir)
 	if err != nil {
 		return err
 	}
 	cmd.Println("size:", size)
 	cmd.Println("alphabet-wallets:", walletDir)
 	for i := range pwds {
 		cmd.Printf("wallet[%d]: %s\n", i, pwds[i])
 	}
 	return nil
 }
 func initializeWallets(v *viper.Viper, walletDir string, size int) ([]string, error) {
 	wallets := make([]*wallet.Wallet, size)
 	pubs := make(keys.PublicKeys, size)
 	passwords := make([]string, size)
 	for i := range wallets {
 		password, err := config.GetPassword(v, innerring.GlagoliticLetter(i).String())
 		if err != nil {
 			return nil, fmt.Errorf("can't fetch password: %w", err)
 		}
 		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
 		f, err := os.OpenFile(p, os.O_CREATE, 0644)
 		if err != nil {
 			return nil, fmt.Errorf("can't create wallet file: %w", err)
 		}
 		if err := f.Close(); err != nil {
 			return nil, fmt.Errorf("can't close wallet file: %w", err)
 		}
 		w, err := wallet.NewWallet(p)
 		if err != nil {
 			return nil, fmt.Errorf("can't create wallet: %w", err)
 		}
 		if err := w.CreateAccount(singleAccountName, password); err != nil {
 			return nil, fmt.Errorf("can't create account: %w", err)
 		}
 		passwords[i] = password
 		wallets[i] = w
 		pubs[i] = w.Accounts[0].PrivateKey().PublicKey()
 	}
 	// Create committee account with N/2+1 multi-signature.
 	majCount := smartcontract.GetMajorityHonestNodeCount(size)
 	for i, w := range wallets {
 		if err := addMultisigAccount(w, majCount, committeeAccountName, passwords[i], pubs); err != nil {
 			return nil, fmt.Errorf("can't create committee account: %w", err)
 		}
 	}
 	// Create consensus account with 2*N/3+1 multi-signature.
 	bftCount := smartcontract.GetDefaultHonestNodeCount(size)
 	for i, w := range wallets {
 		if err := addMultisigAccount(w, bftCount, consensusAccountName, passwords[i], pubs); err != nil {
 			return nil, fmt.Errorf("can't create consensus account: %w", err)
 		}
 	}
 	for _, w := range wallets {
 		if err := w.SavePretty(); err != nil {
 			return nil, fmt.Errorf("can't save wallet: %w", err)
 		}
 	}
 	return passwords, nil
 }
 func addMultisigAccount(w *wallet.Wallet, m int, name, password string, pubs keys.PublicKeys) error {
 	acc := wallet.NewAccountFromPrivateKey(w.Accounts[0].PrivateKey())
 	acc.Label = name
 	if err := acc.ConvertMultisig(m, pubs); err != nil {
 		return err
 	}
 	if err := acc.Encrypt(password, keys.NEP2ScryptParams()); err != nil {
 		return err
 	}
 	w.AddAccount(acc)
 	return nil
 }
 func generateStorageCreds(cmd *cobra.Command, _ []string) error {
 	return refillGas(cmd, storageGasConfigFlag, true)
 }
 func refillGas(cmd *cobra.Command, gasFlag string, createWallet bool) (err error) {
 	// storage wallet path is not part of the config
 	storageWalletPath, _ := cmd.Flags().GetString(storageWalletFlag)
 	// wallet address is not part of the config
 	walletAddress, _ := cmd.Flags().GetString(walletAddressFlag)
 	var gasReceiver util.Uint160
 	if len(walletAddress) != 0 {
 		gasReceiver, err = address.StringToUint160(walletAddress)
 		if err != nil {
 			return fmt.Errorf("invalid wallet address %s: %w", walletAddress, err)
 		}
 	} else {
 		if storageWalletPath == "" {
 			return fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
 		}
 		var w *wallet.Wallet
 		if createWallet {
 			w, err = wallet.NewWallet(storageWalletPath)
 		} else {
 			w, err = wallet.NewWalletFromFile(storageWalletPath)
 		}
 		if err != nil {
 			return fmt.Errorf("can't create wallet: %w", err)
 		}
 		if createWallet {
 			var password string
 			label, _ := cmd.Flags().GetString(storageWalletLabelFlag)
 			password, err := config.GetStoragePassword(viper.GetViper(), label)
 			if err != nil {
 				return fmt.Errorf("can't fetch password: %w", err)
 			}
 			if label == "" {
 				label = singleAccountName
 			}
 			if err := w.CreateAccount(label, password); err != nil {
 				return fmt.Errorf("can't create account: %w", err)
 			}
 		}
 		gasReceiver = w.Accounts[0].Contract.ScriptHash()
 	}
 	gasStr := viper.GetString(gasFlag)
 	gasAmount, err := parseGASAmount(gasStr)
 	if err != nil {
 		return err
 	}
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return err
 	}
 	bw := io.NewBufBinWriter()
 	emit.AppCall(bw.BinWriter, gas.Hash, "transfer", callflag.All,
 		wCtx.CommitteeAcc.Contract.ScriptHash(), gasReceiver, int64(gasAmount), nil)
 	emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 	if bw.Err != nil {
 		return fmt.Errorf("BUG: invalid transfer arguments: %w", bw.Err)
 	}
 	if err := wCtx.sendCommitteeTx(bw.Bytes(), false); err != nil {
 		return err
 	}
 	return wCtx.awaitTx()
 }
 func parseGASAmount(s string) (fixedn.Fixed8, error) {
 	gasAmount, err := fixedn.Fixed8FromString(s)
 	if err != nil {
 		return 0, fmt.Errorf("invalid GAS amount %s: %w", s, err)
 	}
 	if gasAmount <= 0 {
 		return 0, fmt.Errorf("GAS amount must be positive (got %d)", gasAmount)
 	}
 	return gasAmount, nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/generate_test.go
+++ b/cmd/frostfs-adm/internal/modules/morph/generate_test.go
@ -0,0 +1,112 @@
 package morph
 import (
 	"bytes"
 	"io"
 	"math/rand"
 	"os"
 	"path/filepath"
 	"strconv"
 	"testing"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/term"
 )
 const testContractPassword = "grouppass"
 func TestGenerateAlphabet(t *testing.T) {
 	const size = 4
 	walletDir := t.TempDir()
 	buf := setupTestTerminal(t)
 	cmd := generateAlphabetCmd
 	v := viper.GetViper()
 	t.Run("zero size", func(t *testing.T) {
 		buf.Reset()
 		v.Set(alphabetWalletsFlag, walletDir)
 		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, "0"))
 		buf.WriteString("pass\r")
 		require.Error(t, generateAlphabetCreds(cmd, nil))
 	})
 	t.Run("no password provided", func(t *testing.T) {
 		buf.Reset()
 		v.Set(alphabetWalletsFlag, walletDir)
 		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, "1"))
 		require.Error(t, generateAlphabetCreds(cmd, nil))
 	})
 	t.Run("missing directory", func(t *testing.T) {
 		buf.Reset()
 		dir := filepath.Join(os.TempDir(), "notexist."+strconv.FormatUint(rand.Uint64(), 10))
 		v.Set(alphabetWalletsFlag, dir)
 		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, "1"))
 		buf.WriteString("pass\r")
 		require.Error(t, generateAlphabetCreds(cmd, nil))
 	})
 	t.Run("no password for contract group wallet", func(t *testing.T) {
 		buf.Reset()
 		v.Set(alphabetWalletsFlag, walletDir)
 		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, strconv.FormatUint(size, 10)))
 		for i := uint64(0); i < size; i++ {
 			buf.WriteString(strconv.FormatUint(i, 10) + "\r")
 		}
 		require.Error(t, generateAlphabetCreds(cmd, nil))
 	})
 	buf.Reset()
 	v.Set(alphabetWalletsFlag, walletDir)
 	require.NoError(t, generateAlphabetCmd.Flags().Set(alphabetSizeFlag, strconv.FormatUint(size, 10)))
 	for i := uint64(0); i < size; i++ {
 		buf.WriteString(strconv.FormatUint(i, 10) + "\r")
 	}
 	buf.WriteString(testContractPassword + "\r")
 	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))
 	for i := uint64(0); i < size; i++ {
 		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
 		w, err := wallet.NewWalletFromFile(p)
 		require.NoError(t, err, "wallet doesn't exist")
 		require.Equal(t, 3, len(w.Accounts), "not all accounts were created")
 		for _, a := range w.Accounts {
 			err := a.Decrypt(strconv.FormatUint(i, 10), keys.NEP2ScryptParams())
 			require.NoError(t, err, "can't decrypt account")
 			switch a.Label {
 			case consensusAccountName:
 				require.Equal(t, smartcontract.GetDefaultHonestNodeCount(size), len(a.Contract.Parameters))
 			case committeeAccountName:
 				require.Equal(t, smartcontract.GetMajorityHonestNodeCount(size), len(a.Contract.Parameters))
 			default:
 				require.Equal(t, singleAccountName, a.Label)
 			}
 		}
 	}
 	t.Run("check contract group wallet", func(t *testing.T) {
 		p := filepath.Join(walletDir, contractWalletFilename)
 		w, err := wallet.NewWalletFromFile(p)
 		require.NoError(t, err, "contract wallet doesn't exist")
 		require.Equal(t, 1, len(w.Accounts), "contract wallet must have 1 accout")
 		require.NoError(t, w.Accounts[0].Decrypt(testContractPassword, keys.NEP2ScryptParams()))
 	})
 }
 func setupTestTerminal(t *testing.T) *bytes.Buffer {
 	in := bytes.NewBuffer(nil)
 	input.Terminal = term.NewTerminal(input.ReadWriter{
 		Reader: in,
 		Writer: io.Discard,
 	}, "")
 	t.Cleanup(func() { input.Terminal = nil })
 	return in
 }
--- a/cmd/frostfs-adm/internal/modules/morph/group.go
+++ b/cmd/frostfs-adm/internal/modules/morph/group.go
@ -0,0 +1,106 @@
 package morph
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	contractWalletFilename    = "contract.json"
 	contractWalletPasswordKey = "contract"
 )
 func initializeContractWallet(v *viper.Viper, walletDir string) (*wallet.Wallet, error) {
 	password, err := config.GetPassword(v, contractWalletPasswordKey)
 	if err != nil {
 		return nil, err
 	}
 	w, err := wallet.NewWallet(filepath.Join(walletDir, contractWalletFilename))
 	if err != nil {
 		return nil, err
 	}
 	acc, err := wallet.NewAccount()
 	if err != nil {
 		return nil, err
 	}
 	err = acc.Encrypt(password, keys.NEP2ScryptParams())
 	if err != nil {
 		return nil, err
 	}
 	w.AddAccount(acc)
 	if err := w.SavePretty(); err != nil {
 		return nil, err
 	}
 	return w, nil
 }
 func openContractWallet(v *viper.Viper, cmd *cobra.Command, walletDir string) (*wallet.Wallet, error) {
 	p := filepath.Join(walletDir, contractWalletFilename)
 	w, err := wallet.NewWalletFromFile(p)
 	if err != nil {
 		if !os.IsNotExist(err) {
 			return nil, fmt.Errorf("can't open wallet: %w", err)
 		}
 		cmd.Printf("Contract group wallet is missing, initialize at %s\n", p)
 		return initializeContractWallet(v, walletDir)
 	}
 	password, err := config.GetPassword(v, contractWalletPasswordKey)
 	if err != nil {
 		return nil, err
 	}
 	for i := range w.Accounts {
 		if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
 			return nil, fmt.Errorf("can't unlock wallet: %w", err)
 		}
 	}
 	return w, nil
 }
 func (c *initializeContext) addManifestGroup(h util.Uint160, cs *contractState) error {
 	priv := c.ContractWallet.Accounts[0].PrivateKey()
 	pub := priv.PublicKey()
 	sig := priv.Sign(h.BytesBE())
 	found := false
 	for i := range cs.Manifest.Groups {
 		if cs.Manifest.Groups[i].PublicKey.Equal(pub) {
 			cs.Manifest.Groups[i].Signature = sig
 			found = true
 			break
 		}
 	}
 	if !found {
 		cs.Manifest.Groups = append(cs.Manifest.Groups, manifest.Group{
 			PublicKey: pub,
 			Signature: sig,
 		})
 	}
 	data, err := json.Marshal(cs.Manifest)
 	if err != nil {
 		return err
 	}
 	cs.RawManifest = data
 	return nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize.go
@ -0,0 +1,465 @@
 package morph
 import (
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 type cache struct {
 	nnsCs    *state.Contract
 	groupKey *keys.PublicKey
 }
 type initializeContext struct {
 	clientContext
 	cache
 	// CommitteeAcc is used for retrieving the committee address and the verification script.
 	CommitteeAcc *wallet.Account
 	// ConsensusAcc is used for retrieving the committee address and the verification script.
 	ConsensusAcc *wallet.Account
 	Wallets      []*wallet.Wallet
 	// ContractWallet is a wallet for providing the contract group signature.
 	ContractWallet *wallet.Wallet
 	// Accounts contains simple signature accounts in the same order as in Wallets.
 	Accounts     []*wallet.Account
 	Contracts    map[string]*contractState
 	Command      *cobra.Command
 	ContractPath string
 }
 func initializeSideChainCmd(cmd *cobra.Command, args []string) error {
 	initCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("initialization error: %w", err)
 	}
 	defer initCtx.close()
 	// 1. Transfer funds to committee accounts.
 	cmd.Println("Stage 1: transfer GAS to alphabet nodes.")
 	if err := initCtx.transferFunds(); err != nil {
 		return err
 	}
 	cmd.Println("Stage 2: set notary and alphabet nodes in designate contract.")
 	if err := initCtx.setNotaryAndAlphabetNodes(); err != nil {
 		return err
 	}
 	// 3. Deploy NNS contract.
 	cmd.Println("Stage 3: deploy NNS contract.")
 	if err := initCtx.deployNNS(deployMethodName); err != nil {
 		return err
 	}
 	// 4. Deploy NeoFS contracts.
 	cmd.Println("Stage 4: deploy NeoFS contracts.")
 	if err := initCtx.deployContracts(); err != nil {
 		return err
 	}
 	cmd.Println("Stage 4.1: Transfer GAS to proxy contract.")
 	if err := initCtx.transferGASToProxy(); err != nil {
 		return err
 	}
 	cmd.Println("Stage 5: register candidates.")
 	if err := initCtx.registerCandidates(); err != nil {
 		return err
 	}
 	cmd.Println("Stage 6: transfer NEO to alphabet contracts.")
 	if err := initCtx.transferNEOToAlphabetContracts(); err != nil {
 		return err
 	}
 	cmd.Println("Stage 7: set addresses in NNS.")
 	if err := initCtx.setNNS(); err != nil {
 		return err
 	}
 	return nil
 }
 func (c *initializeContext) close() {
 	if local, ok := c.Client.(*localClient); ok {
 		err := local.dump()
 		if err != nil {
 			c.Command.PrintErrf("Can't write dump: %v\n", err)
 			os.Exit(1)
 		}
 	}
 }
 func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContext, error) {
 	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
 	wallets, err := openAlphabetWallets(v, walletDir)
 	if err != nil {
 		return nil, err
 	}
 	needContracts := cmd.Name() == "update-contracts" || cmd.Name() == "init"
 	var w *wallet.Wallet
 	if needContracts {
 		w, err = openContractWallet(v, cmd, walletDir)
 		if err != nil {
 			return nil, err
 		}
 	}
 	var c Client
 	if v.GetString(localDumpFlag) != "" {
 		if v.GetString(endpointFlag) != "" {
 			return nil, fmt.Errorf("`%s` and `%s` flags are mutually exclusive", endpointFlag, localDumpFlag)
 		}
 		c, err = newLocalClient(cmd, v, wallets)
 	} else {
 		c, err = getN3Client(v)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("can't create N3 client: %w", err)
 	}
 	committeeAcc, err := getWalletAccount(wallets[0], committeeAccountName)
 	if err != nil {
 		return nil, fmt.Errorf("can't find committee account: %w", err)
 	}
 	consensusAcc, err := getWalletAccount(wallets[0], consensusAccountName)
 	if err != nil {
 		return nil, fmt.Errorf("can't find consensus account: %w", err)
 	}
 	var ctrPath string
 	if cmd.Name() == "init" {
 		if viper.GetInt64(epochDurationInitFlag) <= 0 {
 			return nil, fmt.Errorf("epoch duration must be positive")
 		}
 		if viper.GetInt64(maxObjectSizeInitFlag) <= 0 {
 			return nil, fmt.Errorf("max object size must be positive")
 		}
 	}
 	if needContracts {
 		ctrPath, err = cmd.Flags().GetString(contractsInitFlag)
 		if err != nil {
 			return nil, fmt.Errorf("invalid contracts path: %w", err)
 		}
 	}
 	if err := checkNotaryEnabled(c); err != nil {
 		return nil, err
 	}
 	accounts := make([]*wallet.Account, len(wallets))
 	for i, w := range wallets {
 		acc, err := getWalletAccount(w, singleAccountName)
 		if err != nil {
 			return nil, fmt.Errorf("wallet %s is invalid (no single account): %w", w.Path(), err)
 		}
 		accounts[i] = acc
 	}
 	cliCtx, err := defaultClientContext(c, committeeAcc)
 	if err != nil {
 		return nil, fmt.Errorf("client context: %w", err)
 	}
 	initCtx := &initializeContext{
 		clientContext:  *cliCtx,
 		ConsensusAcc:   consensusAcc,
 		CommitteeAcc:   committeeAcc,
 		ContractWallet: w,
 		Wallets:        wallets,
 		Accounts:       accounts,
 		Command:        cmd,
 		Contracts:      make(map[string]*contractState),
 		ContractPath:   ctrPath,
 	}
 	if needContracts {
 		err := initCtx.readContracts(fullContractList)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return initCtx, nil
 }
 func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, error) {
 	walletFiles, err := os.ReadDir(walletDir)
 	if err != nil {
 		return nil, fmt.Errorf("can't read alphabet wallets dir: %w", err)
 	}
 	var size int
 loop:
 	for i := 0; i < len(walletFiles); i++ {
 		name := innerring.GlagoliticLetter(i).String() + ".json"
 		for j := range walletFiles {
 			if walletFiles[j].Name() == name {
 				size++
 				continue loop
 			}
 		}
 		break
 	}
 	if size == 0 {
 		return nil, errors.New("alphabet wallets dir is empty (run `generate-alphabet` command first)")
 	}
 	wallets := make([]*wallet.Wallet, size)
 	for i := 0; i < size; i++ {
 		letter := innerring.GlagoliticLetter(i).String()
 		p := filepath.Join(walletDir, letter+".json")
 		w, err := wallet.NewWalletFromFile(p)
 		if err != nil {
 			return nil, fmt.Errorf("can't open wallet: %w", err)
 		}
 		password, err := config.GetPassword(v, letter)
 		if err != nil {
 			return nil, fmt.Errorf("can't fetch password: %w", err)
 		}
 		for i := range w.Accounts {
 			if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
 				return nil, fmt.Errorf("can't unlock wallet: %w", err)
 			}
 		}
 		wallets[i] = w
 	}
 	return wallets, nil
 }
 func (c *initializeContext) awaitTx() error {
 	return c.clientContext.awaitTx(c.Command)
 }
 func (c *initializeContext) nnsContractState() (*state.Contract, error) {
 	if c.nnsCs != nil {
 		return c.nnsCs, nil
 	}
 	cs, err := c.Client.GetContractStateByID(1)
 	if err != nil {
 		return nil, err
 	}
 	c.nnsCs = cs
 	return cs, nil
 }
 func (c *initializeContext) getSigner(tryGroup bool, acc *wallet.Account) transaction.Signer {
 	if tryGroup && c.groupKey != nil {
 		return transaction.Signer{
 			Account:       acc.Contract.ScriptHash(),
 			Scopes:        transaction.CustomGroups,
 			AllowedGroups: keys.PublicKeys{c.groupKey},
 		}
 	}
 	signer := transaction.Signer{
 		Account: acc.Contract.ScriptHash(),
 		Scopes:  transaction.Global, // Scope is important, as we have nested call to container contract.
 	}
 	if !tryGroup {
 		return signer
 	}
 	nnsCs, err := c.nnsContractState()
 	if err != nil {
 		return signer
 	}
 	groupKey, err := nnsResolveKey(c.ReadOnlyInvoker, nnsCs.Hash, morphClient.NNSGroupKeyName)
 	if err == nil {
 		c.groupKey = groupKey
 		signer.Scopes = transaction.CustomGroups
 		signer.AllowedGroups = keys.PublicKeys{groupKey}
 	}
 	return signer
 }
 func (c *clientContext) awaitTx(cmd *cobra.Command) error {
 	if len(c.SentTxs) == 0 {
 		return nil
 	}
 	if local, ok := c.Client.(*localClient); ok {
 		if err := local.putTransactions(); err != nil {
 			return fmt.Errorf("can't persist transactions: %w", err)
 		}
 	}
 	err := awaitTx(cmd, c.Client, c.SentTxs)
 	c.SentTxs = c.SentTxs[:0]
 	return err
 }
 func awaitTx(cmd *cobra.Command, c Client, txs []hashVUBPair) error {
 	cmd.Println("Waiting for transactions to persist...")
 	const pollInterval = time.Second
 	tick := time.NewTicker(pollInterval)
 	defer tick.Stop()
 	at := trigger.Application
 	var retErr error
 	currBlock, err := c.GetBlockCount()
 	if err != nil {
 		return fmt.Errorf("can't fetch current block height: %w", err)
 	}
 loop:
 	for i := range txs {
 		res, err := c.GetApplicationLog(txs[i].hash, &at)
 		if err == nil {
 			if retErr == nil && len(res.Executions) > 0 && res.Executions[0].VMState != vmstate.Halt {
 				retErr = fmt.Errorf("tx %d persisted in %s state: %s",
 					i, res.Executions[0].VMState, res.Executions[0].FaultException)
 			}
 			continue loop
 		}
 		if txs[i].vub < currBlock {
 			return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
 		}
 		for range tick.C {
 			// We must fetch current height before application log, to avoid race condition.
 			currBlock, err = c.GetBlockCount()
 			if err != nil {
 				return fmt.Errorf("can't fetch current block height: %w", err)
 			}
 			res, err := c.GetApplicationLog(txs[i].hash, &at)
 			if err == nil {
 				if retErr == nil && len(res.Executions) > 0 && res.Executions[0].VMState != vmstate.Halt {
 					retErr = fmt.Errorf("tx %d persisted in %s state: %s",
 						i, res.Executions[0].VMState, res.Executions[0].FaultException)
 				}
 				continue loop
 			}
 			if txs[i].vub < currBlock {
 				return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
 			}
 		}
 	}
 	return retErr
 }
 // sendCommitteeTx creates transaction from script, signs it by committee nodes and sends it to RPC.
 // If tryGroup is false, global scope is used for the signer (useful when
 // working with native contracts).
 func (c *initializeContext) sendCommitteeTx(script []byte, tryGroup bool) error {
 	return c.sendMultiTx(script, tryGroup, false)
 }
 // sendConsensusTx creates transaction from script, signs it by alphabet nodes and sends it to RPC.
 // Not that because this is used only after the contracts were initialized and deployed,
 // we always try to have a group scope.
 func (c *initializeContext) sendConsensusTx(script []byte) error {
 	return c.sendMultiTx(script, true, true)
 }
 func (c *initializeContext) sendMultiTx(script []byte, tryGroup bool, withConsensus bool) error {
 	var act *actor.Actor
 	var err error
 	withConsensus = withConsensus && !c.ConsensusAcc.Contract.ScriptHash().Equals(c.CommitteeAcc.ScriptHash())
 	if tryGroup {
 		// Even for consensus signatures we need the committee to pay.
 		signers := make([]actor.SignerAccount, 1, 2)
 		signers[0] = actor.SignerAccount{
 			Signer:  c.getSigner(tryGroup, c.CommitteeAcc),
 			Account: c.CommitteeAcc,
 		}
 		if withConsensus {
 			signers = append(signers, actor.SignerAccount{
 				Signer:  c.getSigner(tryGroup, c.ConsensusAcc),
 				Account: c.ConsensusAcc,
 			})
 		}
 		act, err = actor.New(c.Client, signers)
 	} else {
 		if withConsensus {
 			panic("BUG: should never happen")
 		}
 		act, err = c.CommitteeAct, nil
 	}
 	if err != nil {
 		return fmt.Errorf("could not create actor: %w", err)
 	}
 	tx, err := act.MakeUnsignedRun(script, []transaction.Attribute{{Type: transaction.HighPriority}})
 	if err != nil {
 		return fmt.Errorf("could not perform test invocation: %w", err)
 	}
 	if err := c.multiSign(tx, committeeAccountName); err != nil {
 		return err
 	}
 	if withConsensus {
 		if err := c.multiSign(tx, consensusAccountName); err != nil {
 			return err
 		}
 	}
 	return c.sendTx(tx, c.Command, false)
 }
 func getWalletAccount(w *wallet.Wallet, typ string) (*wallet.Account, error) {
 	for i := range w.Accounts {
 		if w.Accounts[i].Label == typ {
 			return w.Accounts[i], nil
 		}
 	}
 	return nil, fmt.Errorf("account for '%s' not found", typ)
 }
 func checkNotaryEnabled(c Client) error {
 	ns, err := c.GetNativeContracts()
 	if err != nil {
 		return fmt.Errorf("can't get native contract hashes: %w", err)
 	}
 	notaryEnabled := false
 	nativeHashes := make(map[string]util.Uint160, len(ns))
 	for i := range ns {
 		if ns[i].Manifest.Name == nativenames.Notary {
 			notaryEnabled = len(ns[i].UpdateHistory) > 0
 		}
 		nativeHashes[ns[i].Manifest.Name] = ns[i].Hash
 	}
 	if !notaryEnabled {
 		return errors.New("notary contract must be enabled")
 	}
 	return nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_deploy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_deploy.go
@ -0,0 +1,592 @@
 package morph
 import (
 	"archive/tar"
 	"compress/gzip"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/TrueCloudLab/frostfs-contract/common"
 	"github.com/TrueCloudLab/frostfs-contract/nns"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	io2 "github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/nef"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/spf13/viper"
 )
 const (
 	nnsContract        = "nns"
 	frostfsContract    = "frostfs"    // not deployed in side-chain.
 	processingContract = "processing" // not deployed in side-chain.
 	alphabetContract   = "alphabet"
 	auditContract      = "audit"
 	balanceContract    = "balance"
 	containerContract  = "container"
 	frostfsIDContract  = "frostfsid"
 	netmapContract     = "netmap"
 	proxyContract      = "proxy"
 	reputationContract = "reputation"
 	subnetContract     = "subnet"
 )
 const (
 	netmapEpochKey                   = "EpochDuration"
 	netmapMaxObjectSizeKey           = "MaxObjectSize"
 	netmapAuditFeeKey                = "AuditFee"
 	netmapContainerFeeKey            = "ContainerFee"
 	netmapContainerAliasFeeKey       = "ContainerAliasFee"
 	netmapEigenTrustIterationsKey    = "EigenTrustIterations"
 	netmapEigenTrustAlphaKey         = "EigenTrustAlpha"
 	netmapBasicIncomeRateKey         = "BasicIncomeRate"
 	netmapInnerRingCandidateFeeKey   = "InnerRingCandidateFee"
 	netmapWithdrawFeeKey             = "WithdrawFee"
 	netmapHomomorphicHashDisabledKey = "HomomorphicHashingDisabled"
 	netmapMaintenanceAllowedKey      = "MaintenanceModeAllowed"
 	defaultEigenTrustIterations = 4
 	defaultEigenTrustAlpha      = "0.1"
 )
 var (
 	contractList = []string{
 		auditContract,
 		balanceContract,
 		containerContract,
 		frostfsIDContract,
 		netmapContract,
 		proxyContract,
 		reputationContract,
 		subnetContract,
 	}
 	fullContractList = append([]string{
 		frostfsContract,
 		processingContract,
 		nnsContract,
 		alphabetContract,
 	}, contractList...)
 )
 type contractState struct {
 	NEF         *nef.File
 	RawNEF      []byte
 	Manifest    *manifest.Manifest
 	RawManifest []byte
 	Hash        util.Uint160
 }
 const (
 	updateMethodName = "update"
 	deployMethodName = "deploy"
 )
 func (c *initializeContext) deployNNS(method string) error {
 	cs := c.getContract(nnsContract)
 	h := cs.Hash
 	nnsCs, err := c.nnsContractState()
 	if err == nil {
 		if nnsCs.NEF.Checksum == cs.NEF.Checksum {
 			if method == deployMethodName {
 				c.Command.Println("NNS contract is already deployed.")
 			} else {
 				c.Command.Println("NNS contract is already updated.")
 			}
 			return nil
 		}
 		h = nnsCs.Hash
 	}
 	err = c.addManifestGroup(h, cs)
 	if err != nil {
 		return fmt.Errorf("can't sign manifest group: %v", err)
 	}
 	params := getContractDeployParameters(cs, nil)
 	signer := transaction.Signer{
 		Account: c.CommitteeAcc.Contract.ScriptHash(),
 		Scopes:  transaction.CalledByEntry,
 	}
 	invokeHash := management.Hash
 	if method == updateMethodName {
 		invokeHash = nnsCs.Hash
 	}
 	res, err := invokeFunction(c.Client, invokeHash, method, params, []transaction.Signer{signer})
 	if err != nil {
 		return fmt.Errorf("can't deploy NNS contract: %w", err)
 	}
 	if res.State != vmstate.Halt.String() {
 		return fmt.Errorf("can't deploy NNS contract: %s", res.FaultException)
 	}
 	tx, err := c.Client.CreateTxFromScript(res.Script, c.CommitteeAcc, res.GasConsumed, 0, []rpcclient.SignerAccount{{
 		Signer:  signer,
 		Account: c.CommitteeAcc,
 	}})
 	if err != nil {
 		return fmt.Errorf("failed to create deploy tx for %s: %w", nnsContract, err)
 	}
 	if err := c.multiSignAndSend(tx, committeeAccountName); err != nil {
 		return fmt.Errorf("can't send deploy transaction: %w", err)
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) updateContracts() error {
 	alphaCs := c.getContract(alphabetContract)
 	nnsCs, err := c.nnsContractState()
 	if err != nil {
 		return err
 	}
 	nnsHash := nnsCs.Hash
 	w := io2.NewBufBinWriter()
 	var keysParam []any
 	// Update script size for a single-node committee is close to the maximum allowed size of 65535.
 	// Because of this we want to reuse alphabet contract NEF and manifest for different updates.
 	// The generated script is as following.
 	// 1. Initialize static slot for alphabet NEF.
 	// 2. Store NEF into the static slot.
 	// 3. Push parameters for each alphabet contract on stack.
 	// 4. Add contract group to the manifest.
 	// 5. For each alphabet contract, invoke `update` using parameters on stack and
 	//    NEF from step 2 and manifest from step 4.
 	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 	emit.Bytes(w.BinWriter, alphaCs.RawNEF)
 	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
 	baseGroups := alphaCs.Manifest.Groups
 	// alphabet contracts should be deployed by individual nodes to get different hashes.
 	for i, acc := range c.Accounts {
 		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, getAlphabetNNSDomain(i))
 		if err != nil {
 			return fmt.Errorf("can't resolve hash for contract update: %w", err)
 		}
 		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
 		params := c.getAlphabetDeployItems(i, len(c.Wallets))
 		emit.Array(w.BinWriter, params...)
 		alphaCs.Manifest.Groups = baseGroups
 		err = c.addManifestGroup(ctrHash, alphaCs)
 		if err != nil {
 			return fmt.Errorf("can't sign manifest group: %v", err)
 		}
 		emit.Bytes(w.BinWriter, alphaCs.RawManifest)
 		emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
 		emit.Int(w.BinWriter, 3)
 		emit.Opcodes(w.BinWriter, opcode.PACK)
 		emit.AppCallNoArgs(w.BinWriter, ctrHash, updateMethodName, callflag.All)
 	}
 	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
 		if !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
 			return err
 		}
 		c.Command.Println("Alphabet contracts are already updated.")
 	}
 	w.Reset()
 	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 	emit.AppCall(w.BinWriter, nnsHash, "getPrice", callflag.All)
 	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
 	emit.AppCall(w.BinWriter, nnsHash, "setPrice", callflag.All, 1)
 	for _, ctrName := range contractList {
 		cs := c.getContract(ctrName)
 		method := updateMethodName
 		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, ctrName+".frostfs")
 		if err != nil {
 			if errors.Is(err, errMissingNNSRecord) {
 				// if contract not found we deploy it instead of update
 				method = deployMethodName
 			} else {
 				return fmt.Errorf("can't resolve hash for contract update: %w", err)
 			}
 		}
 		err = c.addManifestGroup(ctrHash, cs)
 		if err != nil {
 			return fmt.Errorf("can't sign manifest group: %v", err)
 		}
 		invokeHash := management.Hash
 		if method == updateMethodName {
 			invokeHash = ctrHash
 		}
 		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
 		res, err := c.CommitteeAct.MakeCall(invokeHash, method, params...)
 		if err != nil {
 			if method != updateMethodName || !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
 				return fmt.Errorf("deploy contract: %w", err)
 			}
 			c.Command.Printf("%s contract is already updated.\n", ctrName)
 			continue
 		}
 		w.WriteBytes(res.Script)
 		if method == deployMethodName {
 			// same actions are done in initializeContext.setNNS, can be unified
 			domain := ctrName + ".frostfs"
 			script, ok, err := c.nnsRegisterDomainScript(nnsHash, cs.Hash, domain)
 			if err != nil {
 				return err
 			}
 			if !ok {
 				w.WriteBytes(script)
 				emit.AppCall(w.BinWriter, nnsHash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
 				emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
 					domain, int64(nns.TXT), cs.Hash.StringLE())
 				emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
 					domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
 			}
 			c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
 		}
 	}
 	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
 	_, _, err = c.emitUpdateNNSGroupScript(w, nnsHash, groupKey)
 	if err != nil {
 		return err
 	}
 	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
 	emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
 	emit.Int(w.BinWriter, 1)
 	emit.Opcodes(w.BinWriter, opcode.PACK)
 	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
 	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) deployContracts() error {
 	alphaCs := c.getContract(alphabetContract)
 	var keysParam []any
 	baseGroups := alphaCs.Manifest.Groups
 	// alphabet contracts should be deployed by individual nodes to get different hashes.
 	for i, acc := range c.Accounts {
 		ctrHash := state.CreateContractHash(acc.Contract.ScriptHash(), alphaCs.NEF.Checksum, alphaCs.Manifest.Name)
 		if c.isUpdated(ctrHash, alphaCs) {
 			c.Command.Printf("Alphabet contract #%d is already deployed.\n", i)
 			continue
 		}
 		alphaCs.Manifest.Groups = baseGroups
 		err := c.addManifestGroup(ctrHash, alphaCs)
 		if err != nil {
 			return fmt.Errorf("can't sign manifest group: %v", err)
 		}
 		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
 		params := getContractDeployParameters(alphaCs, c.getAlphabetDeployItems(i, len(c.Wallets)))
 		act, err := actor.NewSimple(c.Client, acc)
 		if err != nil {
 			return fmt.Errorf("could not create actor: %w", err)
 		}
 		txHash, vub, err := act.SendCall(management.Hash, deployMethodName, params...)
 		if err != nil {
 			return fmt.Errorf("can't deploy alphabet #%d contract: %w", i, err)
 		}
 		c.SentTxs = append(c.SentTxs, hashVUBPair{hash: txHash, vub: vub})
 	}
 	for _, ctrName := range contractList {
 		cs := c.getContract(ctrName)
 		ctrHash := cs.Hash
 		if c.isUpdated(ctrHash, cs) {
 			c.Command.Printf("%s contract is already deployed.\n", ctrName)
 			continue
 		}
 		err := c.addManifestGroup(ctrHash, cs)
 		if err != nil {
 			return fmt.Errorf("can't sign manifest group: %v", err)
 		}
 		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
 		res, err := c.CommitteeAct.MakeCall(management.Hash, deployMethodName, params...)
 		if err != nil {
 			return fmt.Errorf("can't deploy %s contract: %w", ctrName, err)
 		}
 		if err := c.sendCommitteeTx(res.Script, false); err != nil {
 			return err
 		}
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) isUpdated(ctrHash util.Uint160, cs *contractState) bool {
 	realCs, err := c.Client.GetContractStateByHash(ctrHash)
 	return err == nil && realCs.NEF.Checksum == cs.NEF.Checksum
 }
 func (c *initializeContext) getContract(ctrName string) *contractState {
 	return c.Contracts[ctrName]
 }
 func (c *initializeContext) readContracts(names []string) error {
 	var (
 		fi  os.FileInfo
 		err error
 	)
 	if c.ContractPath != "" {
 		fi, err = os.Stat(c.ContractPath)
 		if err != nil {
 			return fmt.Errorf("invalid contracts path: %w", err)
 		}
 	}
 	if c.ContractPath != "" && fi.IsDir() {
 		for _, ctrName := range names {
 			cs, err := readContract(filepath.Join(c.ContractPath, ctrName), ctrName)
 			if err != nil {
 				return err
 			}
 			c.Contracts[ctrName] = cs
 		}
 	} else {
 		var r io.ReadCloser
 		if c.ContractPath == "" {
 			c.Command.Println("Contracts flag is missing, latest release will be fetched from Github.")
 			r, err = downloadContractsFromGithub(c.Command)
 		} else {
 			r, err = os.Open(c.ContractPath)
 		}
 		if err != nil {
 			return fmt.Errorf("can't open contracts archive: %w", err)
 		}
 		defer r.Close()
 		m, err := readContractsFromArchive(r, names)
 		if err != nil {
 			return err
 		}
 		for _, name := range names {
 			if err := m[name].parse(); err != nil {
 				return err
 			}
 			c.Contracts[name] = m[name]
 		}
 	}
 	for _, ctrName := range names {
 		if ctrName != alphabetContract {
 			cs := c.Contracts[ctrName]
 			cs.Hash = state.CreateContractHash(c.CommitteeAcc.Contract.ScriptHash(),
 				cs.NEF.Checksum, cs.Manifest.Name)
 		}
 	}
 	return nil
 }
 func readContract(ctrPath, ctrName string) (*contractState, error) {
 	rawNef, err := os.ReadFile(filepath.Join(ctrPath, ctrName+"_contract.nef"))
 	if err != nil {
 		return nil, fmt.Errorf("can't read NEF file for %s contract: %w", ctrName, err)
 	}
 	rawManif, err := os.ReadFile(filepath.Join(ctrPath, "config.json"))
 	if err != nil {
 		return nil, fmt.Errorf("can't read manifest file for %s contract: %w", ctrName, err)
 	}
 	cs := &contractState{
 		RawNEF:      rawNef,
 		RawManifest: rawManif,
 	}
 	return cs, cs.parse()
 }
 func (cs *contractState) parse() error {
 	nf, err := nef.FileFromBytes(cs.RawNEF)
 	if err != nil {
 		return fmt.Errorf("can't parse NEF file: %w", err)
 	}
 	m := new(manifest.Manifest)
 	if err := json.Unmarshal(cs.RawManifest, m); err != nil {
 		return fmt.Errorf("can't parse manifest file: %w", err)
 	}
 	cs.NEF = &nf
 	cs.Manifest = m
 	return nil
 }
 func readContractsFromArchive(file io.Reader, names []string) (map[string]*contractState, error) {
 	m := make(map[string]*contractState, len(names))
 	for i := range names {
 		m[names[i]] = new(contractState)
 	}
 	gr, err := gzip.NewReader(file)
 	if err != nil {
 		return nil, fmt.Errorf("contracts file must be tar.gz archive: %w", err)
 	}
 	r := tar.NewReader(gr)
 	for h, err := r.Next(); ; h, err = r.Next() {
 		if err != nil {
 			break
 		}
 		dir, _ := filepath.Split(h.Name)
 		ctrName := filepath.Base(dir)
 		cs, ok := m[ctrName]
 		if !ok {
 			continue
 		}
 		switch {
 		case strings.HasSuffix(h.Name, filepath.Join(ctrName, ctrName+"_contract.nef")):
 			cs.RawNEF, err = io.ReadAll(r)
 			if err != nil {
 				return nil, fmt.Errorf("can't read NEF file for %s contract: %w", ctrName, err)
 			}
 		case strings.HasSuffix(h.Name, "config.json"):
 			cs.RawManifest, err = io.ReadAll(r)
 			if err != nil {
 				return nil, fmt.Errorf("can't read manifest file for %s contract: %w", ctrName, err)
 			}
 		}
 		m[ctrName] = cs
 	}
 	for ctrName, cs := range m {
 		if cs.RawNEF == nil {
 			return nil, fmt.Errorf("NEF for %s contract wasn't found", ctrName)
 		}
 		if cs.RawManifest == nil {
 			return nil, fmt.Errorf("manifest for %s contract wasn't found", ctrName)
 		}
 	}
 	return m, nil
 }
 func getContractDeployParameters(cs *contractState, deployData []any) []any {
 	return []any{cs.RawNEF, cs.RawManifest, deployData}
 }
 func (c *initializeContext) getContractDeployData(ctrName string, keysParam []any) []any {
 	items := make([]any, 1, 6)
 	items[0] = false // notaryDisabled is false
 	switch ctrName {
 	case frostfsContract:
 		items = append(items,
 			c.Contracts[processingContract].Hash,
 			keysParam,
 			smartcontract.Parameter{})
 	case processingContract:
 		items = append(items, c.Contracts[frostfsContract].Hash)
 		return items[1:] // no notary info
 	case auditContract:
 		items = append(items, c.Contracts[netmapContract].Hash)
 	case balanceContract:
 		items = append(items,
 			c.Contracts[netmapContract].Hash,
 			c.Contracts[containerContract].Hash)
 	case containerContract:
 		// In case if NNS is updated multiple times, we can't calculate
 		// it's actual hash based on local data, thus query chain.
 		nnsCs, err := c.Client.GetContractStateByID(1)
 		if err != nil {
 			panic("NNS is not yet deployed")
 		}
 		items = append(items,
 			c.Contracts[netmapContract].Hash,
 			c.Contracts[balanceContract].Hash,
 			c.Contracts[frostfsIDContract].Hash,
 			nnsCs.Hash,
 			"container")
 	case frostfsIDContract:
 		items = append(items,
 			c.Contracts[netmapContract].Hash,
 			c.Contracts[containerContract].Hash)
 	case netmapContract:
 		configParam := []any{
 			netmapEpochKey, viper.GetInt64(epochDurationInitFlag),
 			netmapMaxObjectSizeKey, viper.GetInt64(maxObjectSizeInitFlag),
 			netmapAuditFeeKey, viper.GetInt64(auditFeeInitFlag),
 			netmapContainerFeeKey, viper.GetInt64(containerFeeInitFlag),
 			netmapContainerAliasFeeKey, viper.GetInt64(containerAliasFeeInitFlag),
 			netmapEigenTrustIterationsKey, int64(defaultEigenTrustIterations),
 			netmapEigenTrustAlphaKey, defaultEigenTrustAlpha,
 			netmapBasicIncomeRateKey, viper.GetInt64(incomeRateInitFlag),
 			netmapInnerRingCandidateFeeKey, viper.GetInt64(candidateFeeInitFlag),
 			netmapWithdrawFeeKey, viper.GetInt64(withdrawFeeInitFlag),
 			netmapHomomorphicHashDisabledKey, viper.GetBool(homomorphicHashDisabledInitFlag),
 			netmapMaintenanceAllowedKey, viper.GetBool(maintenanceModeAllowedInitFlag),
 		}
 		items = append(items,
 			c.Contracts[balanceContract].Hash,
 			c.Contracts[containerContract].Hash,
 			keysParam,
 			configParam)
 	case proxyContract:
 		items = nil
 	case reputationContract:
 	case subnetContract:
 	default:
 		panic(fmt.Sprintf("invalid contract name: %s", ctrName))
 	}
 	return items
 }
 func (c *initializeContext) getAlphabetDeployItems(i, n int) []any {
 	items := make([]any, 6)
 	items[0] = false
 	items[1] = c.Contracts[netmapContract].Hash
 	items[2] = c.Contracts[proxyContract].Hash
 	items[3] = innerring.GlagoliticLetter(i).String()
 	items[4] = int64(i)
 	items[5] = int64(n)
 	return items
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_nns.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_nns.go
@ -0,0 +1,291 @@
 package morph
 import (
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"strconv"
 	"time"
 	"github.com/TrueCloudLab/frostfs-contract/nns"
 	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 )
 const defaultExpirationTime = 10 * 365 * 24 * time.Hour / time.Second
 func (c *initializeContext) setNNS() error {
 	nnsCs, err := c.Client.GetContractStateByID(1)
 	if err != nil {
 		return err
 	}
 	ok, err := c.nnsRootRegistered(nnsCs.Hash, "frostfs")
 	if err != nil {
 		return err
 	} else if !ok {
 		bw := io.NewBufBinWriter()
 		emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
 			"frostfs", c.CommitteeAcc.Contract.ScriptHash(),
 			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 		if err := c.sendCommitteeTx(bw.Bytes(), true); err != nil {
 			return fmt.Errorf("can't add domain root to NNS: %w", err)
 		}
 		if err := c.awaitTx(); err != nil {
 			return err
 		}
 	}
 	alphaCs := c.getContract(alphabetContract)
 	for i, acc := range c.Accounts {
 		alphaCs.Hash = state.CreateContractHash(acc.Contract.ScriptHash(), alphaCs.NEF.Checksum, alphaCs.Manifest.Name)
 		domain := getAlphabetNNSDomain(i)
 		if err := c.nnsRegisterDomain(nnsCs.Hash, alphaCs.Hash, domain); err != nil {
 			return err
 		}
 		c.Command.Printf("NNS: Set %s -> %s\n", domain, alphaCs.Hash.StringLE())
 	}
 	for _, ctrName := range contractList {
 		cs := c.getContract(ctrName)
 		domain := ctrName + ".frostfs"
 		if err := c.nnsRegisterDomain(nnsCs.Hash, cs.Hash, domain); err != nil {
 			return err
 		}
 		c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
 	}
 	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
 	err = c.updateNNSGroup(nnsCs.Hash, groupKey)
 	if err != nil {
 		return err
 	}
 	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
 	return c.awaitTx()
 }
 func (c *initializeContext) updateNNSGroup(nnsHash util.Uint160, pub *keys.PublicKey) error {
 	bw := io.NewBufBinWriter()
 	needUpdate, needRegister, err := c.emitUpdateNNSGroupScript(bw, nnsHash, pub)
 	if !needUpdate || err != nil {
 		return err
 	}
 	script := bw.Bytes()
 	if needRegister {
 		w := io.NewBufBinWriter()
 		emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 		wrapRegisterScriptWithPrice(w, nnsHash, script)
 		script = w.Bytes()
 	}
 	return c.sendCommitteeTx(script, true)
 }
 // emitUpdateNNSGroupScript emits script for updating group key stored in NNS.
 // First return value is true iff the key is already there and nothing should be done.
 // Second return value is true iff a domain registration code was emitted.
 func (c *initializeContext) emitUpdateNNSGroupScript(bw *io.BufBinWriter, nnsHash util.Uint160, pub *keys.PublicKey) (bool, bool, error) {
 	isAvail, err := nnsIsAvailable(c.Client, nnsHash, morphClient.NNSGroupKeyName)
 	if err != nil {
 		return false, false, err
 	}
 	if !isAvail {
 		currentPub, err := nnsResolveKey(c.ReadOnlyInvoker, nnsHash, morphClient.NNSGroupKeyName)
 		if err != nil {
 			return false, false, err
 		}
 		if pub.Equal(currentPub) {
 			return true, false, nil
 		}
 	}
 	if isAvail {
 		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
 			morphClient.NNSGroupKeyName, c.CommitteeAcc.Contract.ScriptHash(),
 			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 	}
 	emit.AppCall(bw.BinWriter, nnsHash, "deleteRecords", callflag.All, "group.frostfs", int64(nns.TXT))
 	emit.AppCall(bw.BinWriter, nnsHash, "addRecord", callflag.All,
 		"group.frostfs", int64(nns.TXT), hex.EncodeToString(pub.Bytes()))
 	return false, isAvail, nil
 }
 func getAlphabetNNSDomain(i int) string {
 	return alphabetContract + strconv.FormatUint(uint64(i), 10) + ".frostfs"
 }
 // wrapRegisterScriptWithPrice wraps a given script with `getPrice`/`setPrice` calls for NNS.
 // It is intended to be used for a single transaction, and not as a part of other scripts.
 // It is assumed that script already contains static slot initialization code, the first one
 // (with index 0) is used to store the price.
 func wrapRegisterScriptWithPrice(w *io.BufBinWriter, nnsHash util.Uint160, s []byte) {
 	if len(s) == 0 {
 		return
 	}
 	emit.AppCall(w.BinWriter, nnsHash, "getPrice", callflag.All)
 	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
 	emit.AppCall(w.BinWriter, nnsHash, "setPrice", callflag.All, 1)
 	w.WriteBytes(s)
 	emit.Opcodes(w.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
 	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
 	if w.Err != nil {
 		panic(fmt.Errorf("BUG: can't wrap register script: %w", w.Err))
 	}
 }
 func (c *initializeContext) nnsRegisterDomainScript(nnsHash, expectedHash util.Uint160, domain string) ([]byte, bool, error) {
 	ok, err := nnsIsAvailable(c.Client, nnsHash, domain)
 	if err != nil {
 		return nil, false, err
 	}
 	if ok {
 		bw := io.NewBufBinWriter()
 		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
 			domain, c.CommitteeAcc.Contract.ScriptHash(),
 			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 		if bw.Err != nil {
 			panic(bw.Err)
 		}
 		return bw.Bytes(), false, nil
 	}
 	s, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, domain)
 	if err != nil {
 		return nil, false, err
 	}
 	return nil, s == expectedHash, nil
 }
 func (c *initializeContext) nnsRegisterDomain(nnsHash, expectedHash util.Uint160, domain string) error {
 	script, ok, err := c.nnsRegisterDomainScript(nnsHash, expectedHash, domain)
 	if ok || err != nil {
 		return err
 	}
 	w := io.NewBufBinWriter()
 	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 	wrapRegisterScriptWithPrice(w, nnsHash, script)
 	emit.AppCall(w.BinWriter, nnsHash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
 	emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
 		domain, int64(nns.TXT), expectedHash.StringLE())
 	emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
 		domain, int64(nns.TXT), address.Uint160ToString(expectedHash))
 	return c.sendCommitteeTx(w.Bytes(), true)
 }
 func (c *initializeContext) nnsRootRegistered(nnsHash util.Uint160, zone string) (bool, error) {
 	res, err := c.CommitteeAct.Call(nnsHash, "isAvailable", "name."+zone)
 	if err != nil {
 		return false, err
 	}
 	return res.State == vmstate.Halt.String(), nil
 }
 var errMissingNNSRecord = errors.New("missing NNS record")
 // Returns errMissingNNSRecord if invocation fault exception contains "token not found".
 func nnsResolveHash(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (util.Uint160, error) {
 	item, err := nnsResolve(inv, nnsHash, domain)
 	if err != nil {
 		return util.Uint160{}, err
 	}
 	return parseNNSResolveResult(item)
 }
 func nnsResolve(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (stackitem.Item, error) {
 	return unwrap.Item(inv.Call(nnsHash, "resolve", domain, int64(nns.TXT)))
 }
 func nnsResolveKey(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (*keys.PublicKey, error) {
 	item, err := nnsResolve(inv, nnsHash, domain)
 	if err != nil {
 		return nil, err
 	}
 	v, ok := item.Value().(stackitem.Null)
 	if ok {
 		return nil, errors.New("NNS record is missing")
 	}
 	bs, err := v.TryBytes()
 	if err != nil {
 		return nil, errors.New("malformed response")
 	}
 	return keys.NewPublicKeyFromString(string(bs))
 }
 // parseNNSResolveResult parses the result of resolving NNS record.
 // It works with multiple formats (corresponding to multiple NNS versions).
 // If array of hashes is provided, it returns only the first one.
 func parseNNSResolveResult(res stackitem.Item) (util.Uint160, error) {
 	arr, ok := res.Value().([]stackitem.Item)
 	if !ok {
 		arr = []stackitem.Item{res}
 	}
 	if _, ok := res.Value().(stackitem.Null); ok || len(arr) == 0 {
 		return util.Uint160{}, errors.New("NNS record is missing")
 	}
 	for i := range arr {
 		bs, err := arr[i].TryBytes()
 		if err != nil {
 			continue
 		}
 		// We support several formats for hash encoding, this logic should be maintained in sync
 		// with nnsResolve from pkg/morph/client/nns.go
 		h, err := util.Uint160DecodeStringLE(string(bs))
 		if err == nil {
 			return h, nil
 		}
 		h, err = address.StringToUint160(string(bs))
 		if err == nil {
 			return h, nil
 		}
 	}
 	return util.Uint160{}, errors.New("no valid hashes are found")
 }
 func nnsIsAvailable(c Client, nnsHash util.Uint160, name string) (bool, error) {
 	switch ct := c.(type) {
 	case *rpcclient.Client:
 		return ct.NNSIsAvailable(nnsHash, name)
 	default:
 		b, err := unwrap.Bool(invokeFunction(c, nnsHash, "isAvailable", []any{name}, nil))
 		if err != nil {
 			return false, fmt.Errorf("`isAvailable`: invalid response: %w", err)
 		}
 		return b, nil
 	}
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_register.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_register.go
@ -0,0 +1,137 @@
 package morph
 import (
 	"errors"
 	"fmt"
 	"github.com/nspcc-dev/neo-go/pkg/core/native"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 )
 // initialAlphabetNEOAmount represents the total amount of GAS distributed between alphabet nodes.
 const initialAlphabetNEOAmount = native.NEOTotalSupply
 func (c *initializeContext) registerCandidates() error {
 	neoHash := neo.Hash
 	cc, err := unwrap.Array(c.ReadOnlyInvoker.Call(neoHash, "getCandidates"))
 	if err != nil {
 		return fmt.Errorf("`getCandidates`: %w", err)
 	}
 	if len(cc) > 0 {
 		c.Command.Println("Candidates are already registered.")
 		return nil
 	}
 	regPrice, err := c.getCandidateRegisterPrice()
 	if err != nil {
 		return fmt.Errorf("can't fetch registration price: %w", err)
 	}
 	w := io.NewBufBinWriter()
 	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, 1)
 	for _, acc := range c.Accounts {
 		emit.AppCall(w.BinWriter, neoHash, "registerCandidate", callflag.States, acc.PrivateKey().PublicKey().Bytes())
 		emit.Opcodes(w.BinWriter, opcode.ASSERT)
 	}
 	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, regPrice)
 	if w.Err != nil {
 		panic(fmt.Sprintf("BUG: %v", w.Err))
 	}
 	signers := []rpcclient.SignerAccount{{
 		Signer:  c.getSigner(false, c.CommitteeAcc),
 		Account: c.CommitteeAcc,
 	}}
 	for i := range c.Accounts {
 		signers = append(signers, rpcclient.SignerAccount{
 			Signer: transaction.Signer{
 				Account:          c.Accounts[i].Contract.ScriptHash(),
 				Scopes:           transaction.CustomContracts,
 				AllowedContracts: []util.Uint160{neoHash},
 			},
 			Account: c.Accounts[i],
 		})
 	}
 	tx, err := c.Client.CreateTxFromScript(w.Bytes(), c.CommitteeAcc, -1, 0, signers)
 	if err != nil {
 		return fmt.Errorf("can't create tx: %w", err)
 	}
 	if err := c.multiSign(tx, committeeAccountName); err != nil {
 		return fmt.Errorf("can't sign a transaction: %w", err)
 	}
 	network := c.CommitteeAct.GetNetwork()
 	for i := range c.Accounts {
 		if err := c.Accounts[i].SignTx(network, tx); err != nil {
 			return fmt.Errorf("can't sign a transaction: %w", err)
 		}
 	}
 	return c.sendTx(tx, c.Command, true)
 }
 func (c *initializeContext) transferNEOToAlphabetContracts() error {
 	neoHash := neo.Hash
 	ok, err := c.transferNEOFinished(neoHash)
 	if ok || err != nil {
 		return err
 	}
 	cs := c.getContract(alphabetContract)
 	amount := initialAlphabetNEOAmount / len(c.Wallets)
 	bw := io.NewBufBinWriter()
 	for _, acc := range c.Accounts {
 		h := state.CreateContractHash(acc.Contract.ScriptHash(), cs.NEF.Checksum, cs.Manifest.Name)
 		emit.AppCall(bw.BinWriter, neoHash, "transfer", callflag.All,
 			c.CommitteeAcc.Contract.ScriptHash(), h, int64(amount), nil)
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 	}
 	if err := c.sendCommitteeTx(bw.Bytes(), false); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) transferNEOFinished(neoHash util.Uint160) (bool, error) {
 	bal, err := c.Client.NEP17BalanceOf(neoHash, c.CommitteeAcc.Contract.ScriptHash())
 	return bal < native.NEOTotalSupply, err
 }
 var errGetPriceInvalid = errors.New("`getRegisterPrice`: invalid response")
 func (c *initializeContext) getCandidateRegisterPrice() (int64, error) {
 	switch ct := c.Client.(type) {
 	case *rpcclient.Client:
 		return ct.GetCandidateRegisterPrice()
 	default:
 		neoHash := neo.Hash
 		res, err := invokeFunction(c.Client, neoHash, "getRegisterPrice", nil, nil)
 		if err != nil {
 			return 0, err
 		}
 		if len(res.Stack) == 0 {
 			return 0, errGetPriceInvalid
 		}
 		bi, err := res.Stack[0].TryInteger()
 		if err != nil || !bi.IsInt64() {
 			return 0, errGetPriceInvalid
 		}
 		return bi.Int64(), nil
 	}
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_roles.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_roles.go
@ -0,0 +1,45 @@
 package morph
 import (
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/rolemgmt"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 )
 func (c *initializeContext) setNotaryAndAlphabetNodes() error {
 	if ok, err := c.setRolesFinished(); ok || err != nil {
 		if err == nil {
 			c.Command.Println("Stage 2: already performed.")
 		}
 		return err
 	}
 	var pubs []any
 	for _, acc := range c.Accounts {
 		pubs = append(pubs, acc.PrivateKey().PublicKey().Bytes())
 	}
 	w := io.NewBufBinWriter()
 	emit.AppCall(w.BinWriter, rolemgmt.Hash, "designateAsRole",
 		callflag.States|callflag.AllowNotify, int64(noderoles.P2PNotary), pubs)
 	emit.AppCall(w.BinWriter, rolemgmt.Hash, "designateAsRole",
 		callflag.States|callflag.AllowNotify, int64(noderoles.NeoFSAlphabet), pubs)
 	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) setRolesFinished() (bool, error) {
 	height, err := c.Client.GetBlockCount()
 	if err != nil {
 		return false, err
 	}
 	pubs, err := getDesignatedByRole(c.ReadOnlyInvoker, rolemgmt.Hash, noderoles.NeoFSAlphabet, height)
 	return len(pubs) == len(c.Wallets), err
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_test.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_test.go
@ -0,0 +1,121 @@
 package morph
 import (
 	"encoding/hex"
 	"os"
 	"path/filepath"
 	"strconv"
 	"testing"
 	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/config"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/vm"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 )
 const (
 	contractsPath = "../../../../../../frostfs-contract/frostfs-contract-v0.16.0.tar.gz"
 	protoFileName = "proto.yml"
 )
 func TestInitialize(t *testing.T) {
 	// This test needs frostfs-contract tarball, so it is skipped by default.
 	// It is here for performing local testing after the changes.
 	t.Skip()
 	t.Run("1 nodes", func(t *testing.T) {
 		testInitialize(t, 1)
 	})
 	t.Run("4 nodes", func(t *testing.T) {
 		testInitialize(t, 4)
 	})
 	t.Run("7 nodes", func(t *testing.T) {
 		testInitialize(t, 7)
 	})
 }
 func testInitialize(t *testing.T, committeeSize int) {
 	testdataDir := t.TempDir()
 	v := viper.GetViper()
 	generateTestData(t, testdataDir, committeeSize)
 	v.Set(protoConfigPath, filepath.Join(testdataDir, protoFileName))
 	// Set to the path or remove the next statement to download from the network.
 	require.NoError(t, initCmd.Flags().Set(contractsInitFlag, contractsPath))
 	v.Set(localDumpFlag, filepath.Join(testdataDir, "out"))
 	v.Set(alphabetWalletsFlag, testdataDir)
 	v.Set(epochDurationInitFlag, 1)
 	v.Set(maxObjectSizeInitFlag, 1024)
 	setTestCredentials(v, committeeSize)
 	require.NoError(t, initializeSideChainCmd(initCmd, nil))
 	t.Run("force-new-epoch", func(t *testing.T) {
 		require.NoError(t, forceNewEpochCmd(forceNewEpoch, nil))
 	})
 	t.Run("set-config", func(t *testing.T) {
 		require.NoError(t, setConfigCmd(setConfig, []string{"MaintenanceModeAllowed=true"}))
 	})
 	t.Run("set-policy", func(t *testing.T) {
 		require.NoError(t, setPolicyCmd(setPolicy, []string{"ExecFeeFactor=1"}))
 	})
 	t.Run("remove-node", func(t *testing.T) {
 		pk, err := keys.NewPrivateKey()
 		require.NoError(t, err)
 		pub := hex.EncodeToString(pk.PublicKey().Bytes())
 		require.NoError(t, removeNodesCmd(removeNodes, []string{pub}))
 	})
 }
 func generateTestData(t *testing.T, dir string, size int) {
 	v := viper.GetViper()
 	v.Set(alphabetWalletsFlag, dir)
 	sizeStr := strconv.FormatUint(uint64(size), 10)
 	require.NoError(t, generateAlphabetCmd.Flags().Set(alphabetSizeFlag, sizeStr))
 	setTestCredentials(v, size)
 	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))
 	var pubs []string
 	for i := 0; i < size; i++ {
 		p := filepath.Join(dir, innerring.GlagoliticLetter(i).String()+".json")
 		w, err := wallet.NewWalletFromFile(p)
 		require.NoError(t, err, "wallet doesn't exist")
 		for _, acc := range w.Accounts {
 			if acc.Label == singleAccountName {
 				pub, ok := vm.ParseSignatureContract(acc.Contract.Script)
 				require.True(t, ok)
 				pubs = append(pubs, hex.EncodeToString(pub))
 				continue
 			}
 		}
 	}
 	cfg := config.Config{}
 	cfg.ProtocolConfiguration.Magic = 12345
 	cfg.ProtocolConfiguration.ValidatorsCount = size
 	cfg.ProtocolConfiguration.SecondsPerBlock = 1
 	cfg.ProtocolConfiguration.StandbyCommittee = pubs // sorted by glagolic letters
 	cfg.ProtocolConfiguration.P2PSigExtensions = true
 	cfg.ProtocolConfiguration.VerifyTransactions = true
 	cfg.ProtocolConfiguration.VerifyBlocks = true
 	data, err := yaml.Marshal(cfg)
 	require.NoError(t, err)
 	protoPath := filepath.Join(dir, protoFileName)
 	require.NoError(t, os.WriteFile(protoPath, data, os.ModePerm))
 }
 func setTestCredentials(v *viper.Viper, size int) {
 	for i := 0; i < size; i++ {
 		v.Set("credentials."+innerring.GlagoliticLetter(i).String(), strconv.FormatUint(uint64(i), 10))
 	}
 	v.Set("credentials.contract", testContractPassword)
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_transfer.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_transfer.go
@ -0,0 +1,190 @@
 package morph
 import (
 	"fmt"
 	"github.com/nspcc-dev/neo-go/pkg/core/native"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	scContext "github.com/nspcc-dev/neo-go/pkg/smartcontract/context"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 )
 const (
 	gasInitialTotalSupply = 30000000 * native.GASFactor
 	// initialAlphabetGASAmount represents the amount of GAS given to each alphabet node.
 	initialAlphabetGASAmount = 10_000 * native.GASFactor
 	// initialProxyGASAmount represents the amount of GAS given to a proxy contract.
 	initialProxyGASAmount = 50_000 * native.GASFactor
 )
 func (c *initializeContext) transferFunds() error {
 	ok, err := c.transferFundsFinished()
 	if ok || err != nil {
 		if err == nil {
 			c.Command.Println("Stage 1: already performed.")
 		}
 		return err
 	}
 	var transfers []rpcclient.TransferTarget
 	for _, acc := range c.Accounts {
 		to := acc.Contract.ScriptHash()
 		transfers = append(transfers,
 			rpcclient.TransferTarget{
 				Token:   gas.Hash,
 				Address: to,
 				Amount:  initialAlphabetGASAmount,
 			},
 		)
 	}
 	// It is convenient to have all funds at the committee account.
 	transfers = append(transfers,
 		rpcclient.TransferTarget{
 			Token:   gas.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  (gasInitialTotalSupply - initialAlphabetGASAmount*int64(len(c.Wallets))) / 2,
 		},
 		rpcclient.TransferTarget{
 			Token:   neo.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  native.NEOTotalSupply,
 		},
 	)
 	tx, err := createNEP17MultiTransferTx(c.Client, c.ConsensusAcc, 0, transfers, []rpcclient.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: c.ConsensusAcc.Contract.ScriptHash(),
 			Scopes:  transaction.CalledByEntry,
 		},
 		Account: c.ConsensusAcc,
 	}})
 	if err != nil {
 		return fmt.Errorf("can't create transfer transaction: %w", err)
 	}
 	if err := c.multiSignAndSend(tx, consensusAccountName); err != nil {
 		return fmt.Errorf("can't send transfer transaction: %w", err)
 	}
 	return c.awaitTx()
 }
 func (c *initializeContext) transferFundsFinished() (bool, error) {
 	acc := c.Accounts[0]
 	res, err := c.Client.NEP17BalanceOf(gas.Hash, acc.Contract.ScriptHash())
 	return res > initialAlphabetGASAmount/2, err
 }
 func (c *initializeContext) multiSignAndSend(tx *transaction.Transaction, accType string) error {
 	if err := c.multiSign(tx, accType); err != nil {
 		return err
 	}
 	return c.sendTx(tx, c.Command, false)
 }
 func (c *initializeContext) multiSign(tx *transaction.Transaction, accType string) error {
 	network, err := c.Client.GetNetwork()
 	if err != nil {
 		// error appears only if client
 		// has not been initialized
 		panic(err)
 	}
 	// Use parameter context to avoid dealing with signature order.
 	pc := scContext.NewParameterContext("", network, tx)
 	h := c.CommitteeAcc.Contract.ScriptHash()
 	if accType == consensusAccountName {
 		h = c.ConsensusAcc.Contract.ScriptHash()
 	}
 	for _, w := range c.Wallets {
 		acc, err := getWalletAccount(w, accType)
 		if err != nil {
 			return fmt.Errorf("can't find %s wallet account: %w", accType, err)
 		}
 		priv := acc.PrivateKey()
 		sign := priv.SignHashable(uint32(network), tx)
 		if err := pc.AddSignature(h, acc.Contract, priv.PublicKey(), sign); err != nil {
 			return fmt.Errorf("can't add signature: %w", err)
 		}
 		if len(pc.Items[h].Signatures) == len(acc.Contract.Parameters) {
 			break
 		}
 	}
 	w, err := pc.GetWitness(h)
 	if err != nil {
 		return fmt.Errorf("incomplete signature: %w", err)
 	}
 	for i := range tx.Signers {
 		if tx.Signers[i].Account == h {
 			if i < len(tx.Scripts) {
 				tx.Scripts[i] = *w
 			} else if i == len(tx.Scripts) {
 				tx.Scripts = append(tx.Scripts, *w)
 			} else {
 				panic("BUG: invalid signing order")
 			}
 			return nil
 		}
 	}
 	return fmt.Errorf("%s account was not found among transaction signers", accType)
 }
 func (c *initializeContext) transferGASToProxy() error {
 	proxyCs := c.getContract(proxyContract)
 	bal, err := c.Client.NEP17BalanceOf(gas.Hash, proxyCs.Hash)
 	if err != nil || bal > 0 {
 		return err
 	}
 	tx, err := createNEP17MultiTransferTx(c.Client, c.CommitteeAcc, 0, []rpcclient.TransferTarget{{
 		Token:   gas.Hash,
 		Address: proxyCs.Hash,
 		Amount:  initialProxyGASAmount,
 	}}, nil)
 	if err != nil {
 		return err
 	}
 	if err := c.multiSignAndSend(tx, committeeAccountName); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }
 func createNEP17MultiTransferTx(c Client, acc *wallet.Account, netFee int64,
 	recipients []rpcclient.TransferTarget, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
 	from := acc.Contract.ScriptHash()
 	w := io.NewBufBinWriter()
 	for i := range recipients {
 		emit.AppCall(w.BinWriter, recipients[i].Token, "transfer", callflag.All,
 			from, recipients[i].Address, recipients[i].Amount, recipients[i].Data)
 		emit.Opcodes(w.BinWriter, opcode.ASSERT)
 	}
 	if w.Err != nil {
 		return nil, fmt.Errorf("failed to create transfer script: %w", w.Err)
 	}
 	return c.CreateTxFromScript(w.Bytes(), acc, -1, netFee, append([]rpcclient.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: from,
 			Scopes:  transaction.CalledByEntry,
 		},
 		Account: acc,
 	}}, cosigners...))
 }
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.go
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.go
@ -0,0 +1,65 @@
 package internal
 import (
 	"fmt"
 	"strconv"
 	"google.golang.org/protobuf/proto"
 )
 // StringifySubnetClientGroupID returns string representation of SubnetClientGroupID using MarshalText.
 // Returns a string with a message on error.
 func StringifySubnetClientGroupID(id *SubnetClientGroupID) string {
 	text, err := id.MarshalText()
 	if err != nil {
 		return fmt.Sprintf("<invalid> %v", err)
 	}
 	return string(text)
 }
 // MarshalText encodes SubnetClientGroupID into text format according to FrostFS API V2 protocol:
 // value in base-10 integer string format.
 //
 // It implements encoding.TextMarshaler.
 func (x *SubnetClientGroupID) MarshalText() ([]byte, error) {
 	num := x.GetValue() // NPE safe, returns zero on nil
 	return []byte(strconv.FormatUint(uint64(num), 10)), nil
 }
 // UnmarshalText decodes the SubnetID from the text according to FrostFS API V2 protocol:
 // should be base-10 integer string format with bitsize = 32.
 //
 // Returns strconv.ErrRange if integer overflows uint32.
 //
 // Must not be called on nil.
 //
 // Implements encoding.TextUnmarshaler.
 func (x *SubnetClientGroupID) UnmarshalText(txt []byte) error {
 	num, err := strconv.ParseUint(string(txt), 10, 32)
 	if err != nil {
 		return fmt.Errorf("invalid numeric value: %w", err)
 	}
 	x.SetNumber(uint32(num))
 	return nil
 }
 // Marshal encodes the SubnetClientGroupID into a binary format of FrostFS API V2 protocol
 // (Protocol Buffers with direct field order).
 func (x *SubnetClientGroupID) Marshal() ([]byte, error) {
 	return proto.Marshal(x)
 }
 // Unmarshal decodes the SubnetClientGroupID from FrostFS API V2 binary format (see Marshal). Must not be called on nil.
 func (x *SubnetClientGroupID) Unmarshal(data []byte) error {
 	return proto.Unmarshal(data, x)
 }
 // SetNumber sets SubnetClientGroupID value in uint32 format. Must not be called on nil.
 // By default, number is 0.
 func (x *SubnetClientGroupID) SetNumber(num uint32) {
 	x.Value = num
 }
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.pb.go
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.pb.go
@ -0,0 +1,156 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.12
 // source: cmd/frostfs-adm/internal/modules/morph/internal/types.proto
 package internal
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
 )
 const (
 	// Verify that this generated code is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
 	// Verify that runtime/protoimpl is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 // Client group identifier in the FrostFS subnet.
 //
 // String representation of a value is base-10 integer.
 //
 // JSON representation is an object containing single `value` number field.
 type SubnetClientGroupID struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	// 4-byte integer identifier of the subnet client group.
 	Value uint32 `protobuf:"fixed32,1,opt,name=value,proto3" json:"value,omitempty"`
 }
 func (x *SubnetClientGroupID) Reset() {
 	*x = SubnetClientGroupID{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *SubnetClientGroupID) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SubnetClientGroupID) ProtoMessage() {}
 func (x *SubnetClientGroupID) ProtoReflect() protoreflect.Message {
 	mi := &file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SubnetClientGroupID.ProtoReflect.Descriptor instead.
 func (*SubnetClientGroupID) Descriptor() ([]byte, []int) {
 	return file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescGZIP(), []int{0}
 }
 func (x *SubnetClientGroupID) GetValue() uint32 {
 	if x != nil {
 		return x.Value
 	}
 	return 0
 }
 var File_cmd_frostfs_adm_internal_modules_morph_internal_types_proto protoreflect.FileDescriptor
 var file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDesc = []byte{
 	0x0a, 0x3b, 0x63, 0x6d, 0x64, 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x61, 0x64,
 	0x6d, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x6d, 0x6f, 0x64, 0x75, 0x6c,
 	0x65, 0x73, 0x2f, 0x6d, 0x6f, 0x72, 0x70, 0x68, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61,
 	0x6c, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x6e,
 	0x65, 0x6f, 0x2e, 0x66, 0x73, 0x2e, 0x76, 0x32, 0x2e, 0x72, 0x65, 0x66, 0x73, 0x22, 0x2b, 0x0a,
 	0x13, 0x53, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x47, 0x72, 0x6f,
 	0x75, 0x70, 0x49, 0x44, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x07, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x56, 0x5a, 0x54, 0x67, 0x69,
 	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x54, 0x72, 0x75, 0x65, 0x43, 0x6c, 0x6f,
 	0x75, 0x64, 0x4c, 0x61, 0x62, 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x6e, 0x6f,
 	0x64, 0x65, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x61,
 	0x64, 0x6d, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x6d, 0x6f, 0x64, 0x75,
 	0x6c, 0x65, 0x73, 0x2f, 0x6d, 0x6f, 0x72, 0x70, 0x68, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
 	0x61, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescOnce sync.Once
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescData = file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDesc
 )
 func file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescGZIP() []byte {
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescOnce.Do(func() {
 		file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescData = protoimpl.X.CompressGZIP(file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescData)
 	})
 	return file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDescData
 }
 var file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
 var file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_goTypes = []interface{}{
 	(*SubnetClientGroupID)(nil), // 0: neo.fs.v2.refs.SubnetClientGroupID
 }
 var file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_depIdxs = []int32{
 	0, // [0:0] is the sub-list for method output_type
 	0, // [0:0] is the sub-list for method input_type
 	0, // [0:0] is the sub-list for extension type_name
 	0, // [0:0] is the sub-list for extension extendee
 	0, // [0:0] is the sub-list for field type_name
 }
 func init() { file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_init() }
 func file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_init() {
 	if File_cmd_frostfs_adm_internal_modules_morph_internal_types_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SubnetClientGroupID); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDesc,
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
 		GoTypes:           file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_goTypes,
 		DependencyIndexes: file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_depIdxs,
 		MessageInfos:      file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_msgTypes,
 	}.Build()
 	File_cmd_frostfs_adm_internal_modules_morph_internal_types_proto = out.File
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_rawDesc = nil
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_goTypes = nil
 	file_cmd_frostfs_adm_internal_modules_morph_internal_types_proto_depIdxs = nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.proto
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.proto
@ -0,0 +1,15 @@
 syntax = "proto3";
 package neo.fs.v2.refs;
 option go_package = "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/internal";
 // Client group identifier in the FrostFS subnet.
 //
 // String representation of a value is base-10 integer.
 //
 // JSON representation is an object containing single `value` number field.
 message SubnetClientGroupID {
  // 4-byte integer identifier of the subnet client group.
  fixed32 value = 1 [json_name = "value"];
 }
--- a/cmd/frostfs-adm/internal/modules/morph/local_client.go
+++ b/cmd/frostfs-adm/internal/modules/morph/local_client.go
@ -0,0 +1,505 @@
 package morph
 import (
 	"crypto/elliptic"
 	"errors"
 	"fmt"
 	"os"
 	"sort"
 	"time"
 	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/config"
 	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
 	"github.com/nspcc-dev/neo-go/pkg/core"
 	"github.com/nspcc-dev/neo-go/pkg/core/block"
 	"github.com/nspcc-dev/neo-go/pkg/core/chaindump"
 	"github.com/nspcc-dev/neo-go/pkg/core/fee"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/storage"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/network/payload"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.uber.org/zap"
 )
 type localClient struct {
 	bc           *core.Blockchain
 	transactions []*transaction.Transaction
 	dumpPath     string
 	accounts     []*wallet.Account
 	maxGasInvoke int64
 }
 func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet) (*localClient, error) {
 	cfg, err := config.LoadFile(v.GetString(protoConfigPath))
 	if err != nil {
 		return nil, err
 	}
 	bc, err := core.NewBlockchain(storage.NewMemoryStore(), cfg.Blockchain(), zap.NewNop())
 	if err != nil {
 		return nil, err
 	}
 	m := smartcontract.GetDefaultHonestNodeCount(cfg.ProtocolConfiguration.ValidatorsCount)
 	accounts := make([]*wallet.Account, len(wallets))
 	for i := range accounts {
 		accounts[i], err = getWalletAccount(wallets[i], consensusAccountName)
 		if err != nil {
 			return nil, err
 		}
 	}
 	indexMap := make(map[string]int)
 	for i, pub := range cfg.ProtocolConfiguration.StandbyCommittee {
 		indexMap[pub] = i
 	}
 	sort.Slice(accounts, func(i, j int) bool {
 		pi := accounts[i].PrivateKey().PublicKey().Bytes()
 		pj := accounts[j].PrivateKey().PublicKey().Bytes()
 		return indexMap[string(pi)] < indexMap[string(pj)]
 	})
 	sort.Slice(accounts[:cfg.ProtocolConfiguration.ValidatorsCount], func(i, j int) bool {
 		return accounts[i].PublicKey().Cmp(accounts[j].PublicKey()) == -1
 	})
 	go bc.Run()
 	dumpPath := v.GetString(localDumpFlag)
 	if cmd.Name() != "init" {
 		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("can't open local dump: %w", err)
 		}
 		defer f.Close()
 		r := io.NewBinReaderFromIO(f)
 		var skip uint32
 		if bc.BlockHeight() != 0 {
 			skip = bc.BlockHeight() + 1
 		}
 		count := r.ReadU32LE() - skip
 		if err := chaindump.Restore(bc, r, skip, count, nil); err != nil {
 			return nil, fmt.Errorf("can't restore local dump: %w", err)
 		}
 	}
 	return &localClient{
 		bc:           bc,
 		dumpPath:     dumpPath,
 		accounts:     accounts[:m],
 		maxGasInvoke: 15_0000_0000,
 	}, nil
 }
 func (l *localClient) GetBlockCount() (uint32, error) {
 	return l.bc.BlockHeight(), nil
 }
 func (l *localClient) GetContractStateByID(id int32) (*state.Contract, error) {
 	h, err := l.bc.GetContractScriptHash(id)
 	if err != nil {
 		return nil, err
 	}
 	return l.GetContractStateByHash(h)
 }
 func (l *localClient) GetContractStateByHash(h util.Uint160) (*state.Contract, error) {
 	if cs := l.bc.GetContractState(h); cs != nil {
 		return cs, nil
 	}
 	return nil, storage.ErrKeyNotFound
 }
 func (l *localClient) GetNativeContracts() ([]state.NativeContract, error) {
 	return l.bc.GetNatives(), nil
 }
 func (l *localClient) GetNetwork() (netmode.Magic, error) {
 	return l.bc.GetConfig().Magic, nil
 }
 func (l *localClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*result.ApplicationLog, error) {
 	aer, err := l.bc.GetAppExecResults(h, *t)
 	if err != nil {
 		return nil, err
 	}
 	a := result.NewApplicationLog(h, aer, *t)
 	return &a, nil
 }
 func (l *localClient) CreateTxFromScript(script []byte, acc *wallet.Account, sysFee int64, netFee int64, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
 	signers, accounts, err := getSigners(acc, cosigners)
 	if err != nil {
 		return nil, fmt.Errorf("failed to construct tx signers: %w", err)
 	}
 	if sysFee < 0 {
 		res, err := l.InvokeScript(script, signers)
 		if err != nil {
 			return nil, fmt.Errorf("can't add system fee to transaction: %w", err)
 		}
 		if res.State != "HALT" {
 			return nil, fmt.Errorf("can't add system fee to transaction: bad vm state: %s due to an error: %s", res.State, res.FaultException)
 		}
 		sysFee = res.GasConsumed
 	}
 	tx := transaction.New(script, sysFee)
 	tx.Signers = signers
 	tx.ValidUntilBlock = l.bc.BlockHeight() + 2
 	err = l.AddNetworkFee(tx, netFee, accounts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to add network fee: %w", err)
 	}
 	return tx, nil
 }
 func (l *localClient) GetCommittee() (keys.PublicKeys, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 // InvokeFunction is implemented via `InvokeScript`.
 func (l *localClient) InvokeFunction(h util.Uint160, method string, sPrm []smartcontract.Parameter, ss []transaction.Signer) (*result.Invoke, error) {
 	var err error
 	pp := make([]any, len(sPrm))
 	for i, p := range sPrm {
 		pp[i], err = smartcontract.ExpandParameterToEmitable(p)
 		if err != nil {
 			return nil, fmt.Errorf("incorrect parameter type %s: %w", p.Type, err)
 		}
 	}
 	return invokeFunction(l, h, method, pp, ss)
 }
 func (l *localClient) CalculateNotaryFee(_ uint8) (int64, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 func (l *localClient) SignAndPushP2PNotaryRequest(_ *transaction.Transaction, _ []byte, _ int64, _ int64, _ uint32, _ *wallet.Account) (*payload.P2PNotaryRequest, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 func (l *localClient) SignAndPushInvocationTx(_ []byte, _ *wallet.Account, _ int64, _ fixedn.Fixed8, _ []rpcclient.SignerAccount) (util.Uint256, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 func (l *localClient) TerminateSession(_ uuid.UUID) (bool, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 func (l *localClient) TraverseIterator(_, _ uuid.UUID, _ int) ([]stackitem.Item, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 // GetVersion return default version.
 func (l *localClient) GetVersion() (*result.Version, error) {
 	c := l.bc.GetConfig()
 	return &result.Version{
 		Protocol: result.Protocol{
 			AddressVersion:              address.NEO3Prefix,
 			Network:                     c.Magic,
 			MillisecondsPerBlock:        int(c.TimePerBlock / time.Millisecond),
 			MaxTraceableBlocks:          c.MaxTraceableBlocks,
 			MaxValidUntilBlockIncrement: c.MaxValidUntilBlockIncrement,
 			MaxTransactionsPerBlock:     c.MaxTransactionsPerBlock,
 			MemoryPoolMaxTransactions:   c.MemPoolSize,
 			ValidatorsCount:             byte(c.ValidatorsCount),
 			InitialGasDistribution:      c.InitialGASSupply,
 			CommitteeHistory:            c.CommitteeHistory,
 			P2PSigExtensions:            c.P2PSigExtensions,
 			StateRootInHeader:           c.StateRootInHeader,
 			ValidatorsHistory:           c.ValidatorsHistory,
 		},
 	}, nil
 }
 func (l *localClient) InvokeContractVerify(contract util.Uint160, params []smartcontract.Parameter, signers []transaction.Signer, witnesses ...transaction.Witness) (*result.Invoke, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }
 // CalculateNetworkFee calculates network fee for the given transaction.
 // Copied from neo-go with minor corrections (no need to support non-notary mode):
 // https://github.com/nspcc-dev/neo-go/blob/v0.99.2/pkg/services/rpcsrv/server.go#L744
 func (l *localClient) CalculateNetworkFee(tx *transaction.Transaction) (int64, error) {
 	hashablePart, err := tx.EncodeHashableFields()
 	if err != nil {
 		return 0, fmt.Errorf("failed to compute tx size: %w", err)
 	}
 	size := len(hashablePart) + io.GetVarSize(len(tx.Signers))
 	ef := l.bc.GetBaseExecFee()
 	var netFee int64
 	for i, signer := range tx.Signers {
 		var verificationScript []byte
 		for _, w := range tx.Scripts {
 			if w.VerificationScript != nil && hash.Hash160(w.VerificationScript).Equals(signer.Account) {
 				verificationScript = w.VerificationScript
 				break
 			}
 		}
 		if verificationScript == nil {
 			gasConsumed, err := l.bc.VerifyWitness(signer.Account, tx, &tx.Scripts[i], l.maxGasInvoke)
 			if err != nil {
 				return 0, fmt.Errorf("invalid signature: %w", err)
 			}
 			netFee += gasConsumed
 			size += io.GetVarSize([]byte{}) + io.GetVarSize(tx.Scripts[i].InvocationScript)
 			continue
 		}
 		fee, sizeDelta := fee.Calculate(ef, verificationScript)
 		netFee += fee
 		size += sizeDelta
 	}
 	fee := l.bc.FeePerByte()
 	netFee += int64(size) * fee
 	return netFee, nil
 }
 // AddNetworkFee adds network fee for each witness script and optional extra
 // network fee to transaction. `accs` is an array signer's accounts.
 // Copied from neo-go with minor corrections (no need to support contract signers):
 // https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L960
 func (l *localClient) AddNetworkFee(tx *transaction.Transaction, extraFee int64, accs ...*wallet.Account) error {
 	if len(tx.Signers) != len(accs) {
 		return errors.New("number of signers must match number of scripts")
 	}
 	size := io.GetVarSize(tx)
 	ef := l.bc.GetBaseExecFee()
 	for i := range tx.Signers {
 		netFee, sizeDelta := fee.Calculate(ef, accs[i].Contract.Script)
 		tx.NetworkFee += netFee
 		size += sizeDelta
 	}
 	tx.NetworkFee += int64(size)*l.bc.FeePerByte() + extraFee
 	return nil
 }
 // getSigners returns an array of transaction signers and corresponding accounts from
 // given sender and cosigners. If cosigners list already contains sender, the sender
 // will be placed at the start of the list.
 // Copied from neo-go with minor corrections:
 // https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L735
 func getSigners(sender *wallet.Account, cosigners []rpcclient.SignerAccount) ([]transaction.Signer, []*wallet.Account, error) {
 	var (
 		signers  []transaction.Signer
 		accounts []*wallet.Account
 	)
 	from := sender.Contract.ScriptHash()
 	s := transaction.Signer{
 		Account: from,
 		Scopes:  transaction.None,
 	}
 	for _, c := range cosigners {
 		if c.Signer.Account == from {
 			s = c.Signer
 			continue
 		}
 		signers = append(signers, c.Signer)
 		accounts = append(accounts, c.Account)
 	}
 	signers = append([]transaction.Signer{s}, signers...)
 	accounts = append([]*wallet.Account{sender}, accounts...)
 	return signers, accounts, nil
 }
 func (l *localClient) NEP17BalanceOf(h util.Uint160, acc util.Uint160) (int64, error) {
 	res, err := invokeFunction(l, h, "balanceOf", []any{acc}, nil)
 	if err != nil {
 		return 0, err
 	}
 	if res.State != vmstate.Halt.String() || len(res.Stack) == 0 {
 		return 0, fmt.Errorf("`balance`: invalid response (empty: %t): %s",
 			len(res.Stack) == 0, res.FaultException)
 	}
 	bi, err := res.Stack[0].TryInteger()
 	if err != nil || !bi.IsInt64() {
 		return 0, fmt.Errorf("`balance`: invalid response")
 	}
 	return bi.Int64(), nil
 }
 func (l *localClient) InvokeScript(script []byte, signers []transaction.Signer) (*result.Invoke, error) {
 	lastBlock, err := l.bc.GetBlock(l.bc.CurrentBlockHash())
 	if err != nil {
 		return nil, err
 	}
 	tx := transaction.New(script, 0)
 	tx.Signers = signers
 	tx.ValidUntilBlock = l.bc.BlockHeight() + 2
 	ic, err := l.bc.GetTestVM(trigger.Application, tx, &block.Block{
 		Header: block.Header{
 			Index:     lastBlock.Index + 1,
 			Timestamp: lastBlock.Timestamp + 1,
 		},
 	})
 	if err != nil {
 		return nil, fmt.Errorf("get test VM: %w", err)
 	}
 	ic.VM.GasLimit = 100_0000_0000
 	ic.VM.LoadScriptWithFlags(script, callflag.All)
 	var errStr string
 	if err := ic.VM.Run(); err != nil {
 		errStr = err.Error()
 	}
 	return &result.Invoke{
 		State:          ic.VM.State().String(),
 		GasConsumed:    ic.VM.GasConsumed(),
 		Script:         script,
 		Stack:          ic.VM.Estack().ToArray(),
 		FaultException: errStr,
 	}, nil
 }
 func (l *localClient) SendRawTransaction(tx *transaction.Transaction) (util.Uint256, error) {
 	// We need to test that transaction was formed correctly to catch as many errors as we can.
 	bs := tx.Bytes()
 	_, err := transaction.NewTransactionFromBytes(bs)
 	if err != nil {
 		return tx.Hash(), fmt.Errorf("invalid transaction: %w", err)
 	}
 	l.transactions = append(l.transactions, tx)
 	return tx.Hash(), nil
 }
 func (l *localClient) putTransactions() error {
 	// 1. Prepare new block.
 	lastBlock, err := l.bc.GetBlock(l.bc.CurrentBlockHash())
 	if err != nil {
 		panic(err)
 	}
 	defer func() { l.transactions = l.transactions[:0] }()
 	b := &block.Block{
 		Header: block.Header{
 			NextConsensus: l.accounts[0].Contract.ScriptHash(),
 			Script: transaction.Witness{
 				VerificationScript: l.accounts[0].Contract.Script,
 			},
 			Timestamp: lastBlock.Timestamp + 1,
 		},
 		Transactions: l.transactions,
 	}
 	if l.bc.GetConfig().StateRootInHeader {
 		b.StateRootEnabled = true
 		b.PrevStateRoot = l.bc.GetStateModule().CurrentLocalStateRoot()
 	}
 	b.PrevHash = lastBlock.Hash()
 	b.Index = lastBlock.Index + 1
 	b.RebuildMerkleRoot()
 	// 2. Sign prepared block.
 	var invocationScript []byte
 	magic := l.bc.GetConfig().Magic
 	for _, acc := range l.accounts {
 		sign := acc.PrivateKey().SignHashable(uint32(magic), b)
 		invocationScript = append(invocationScript, byte(opcode.PUSHDATA1), 64)
 		invocationScript = append(invocationScript, sign...)
 	}
 	b.Script.InvocationScript = invocationScript
 	// 3. Persist block.
 	return l.bc.AddBlock(b)
 }
 func invokeFunction(c Client, h util.Uint160, method string, parameters []any, signers []transaction.Signer) (*result.Invoke, error) {
 	w := io.NewBufBinWriter()
 	emit.Array(w.BinWriter, parameters...)
 	emit.AppCallNoArgs(w.BinWriter, h, method, callflag.All)
 	if w.Err != nil {
 		panic(fmt.Sprintf("BUG: invalid parameters for '%s': %v", method, w.Err))
 	}
 	return c.InvokeScript(w.Bytes(), signers)
 }
 var errGetDesignatedByRoleResponse = errors.New("`getDesignatedByRole`: invalid response")
 func getDesignatedByRole(inv *invoker.Invoker, h util.Uint160, role noderoles.Role, u uint32) (keys.PublicKeys, error) {
 	arr, err := unwrap.Array(inv.Call(h, "getDesignatedByRole", int64(role), int64(u)))
 	if err != nil {
 		return nil, errGetDesignatedByRoleResponse
 	}
 	pubs := make(keys.PublicKeys, len(arr))
 	for i := range arr {
 		bs, err := arr[i].TryBytes()
 		if err != nil {
 			return nil, errGetDesignatedByRoleResponse
 		}
 		pubs[i], err = keys.NewPublicKeyFromBytes(bs, elliptic.P256())
 		if err != nil {
 			return nil, errGetDesignatedByRoleResponse
 		}
 	}
 	return pubs, nil
 }
 func (l *localClient) dump() (err error) {
 	defer l.bc.Close()
 	f, err := os.Create(l.dumpPath)
 	if err != nil {
 		return err
 	}
 	defer func() {
 		closeErr := f.Close()
 		if err == nil && closeErr != nil {
 			err = closeErr
 		}
 	}()
 	w := io.NewBinWriterFromIO(f)
 	w.WriteU32LE(l.bc.BlockHeight() + 1)
 	err = chaindump.Dump(l.bc, w, 0, l.bc.BlockHeight()+1)
 	return
 }
--- a/cmd/frostfs-adm/internal/modules/morph/n3client.go
+++ b/cmd/frostfs-adm/internal/modules/morph/n3client.go
@ -0,0 +1,122 @@
 package morph
 import (
 	"context"
 	"errors"
 	"fmt"
 	"time"
 	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/network/payload"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // Client represents N3 client interface capable of test-invoking scripts
 // and sending signed transactions to chain.
 type Client interface {
 	invoker.RPCInvoke
 	GetBlockCount() (uint32, error)
 	GetContractStateByID(int32) (*state.Contract, error)
 	GetContractStateByHash(util.Uint160) (*state.Contract, error)
 	GetNativeContracts() ([]state.NativeContract, error)
 	GetNetwork() (netmode.Magic, error)
 	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
 	GetVersion() (*result.Version, error)
 	CreateTxFromScript([]byte, *wallet.Account, int64, int64, []rpcclient.SignerAccount) (*transaction.Transaction, error)
 	NEP17BalanceOf(util.Uint160, util.Uint160) (int64, error)
 	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
 	GetCommittee() (keys.PublicKeys, error)
 	CalculateNotaryFee(uint8) (int64, error)
 	CalculateNetworkFee(tx *transaction.Transaction) (int64, error)
 	AddNetworkFee(*transaction.Transaction, int64, ...*wallet.Account) error
 	SignAndPushInvocationTx([]byte, *wallet.Account, int64, fixedn.Fixed8, []rpcclient.SignerAccount) (util.Uint256, error)
 	SignAndPushP2PNotaryRequest(*transaction.Transaction, []byte, int64, int64, uint32, *wallet.Account) (*payload.P2PNotaryRequest, error)
 }
 type hashVUBPair struct {
 	hash util.Uint256
 	vub  uint32
 }
 type clientContext struct {
 	Client          Client           // a raw neo-go client OR a local chain implementation
 	CommitteeAct    *actor.Actor     // committee actor with the Global witness scope
 	ReadOnlyInvoker *invoker.Invoker // R/O contract invoker, does not contain any signer
 	SentTxs         []hashVUBPair
 }
 func getN3Client(v *viper.Viper) (Client, error) {
 	// number of opened connections
 	// by neo-go client per one host
 	const (
 		maxConnsPerHost = 10
 		requestTimeout  = time.Second * 10
 	)
 	ctx := context.Background()
 	endpoint := v.GetString(endpointFlag)
 	if endpoint == "" {
 		return nil, errors.New("missing endpoint")
 	}
 	c, err := rpcclient.New(ctx, endpoint, rpcclient.Options{
 		MaxConnsPerHost: maxConnsPerHost,
 		RequestTimeout:  requestTimeout,
 	})
 	if err != nil {
 		return nil, err
 	}
 	if err := c.Init(); err != nil {
 		return nil, err
 	}
 	return c, nil
 }
 func defaultClientContext(c Client, committeeAcc *wallet.Account) (*clientContext, error) {
 	commAct, err := actor.New(c, []actor.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: committeeAcc.Contract.ScriptHash(),
 			Scopes:  transaction.Global,
 		},
 		Account: committeeAcc,
 	}})
 	if err != nil {
 		return nil, err
 	}
 	return &clientContext{
 		Client:          c,
 		CommitteeAct:    commAct,
 		ReadOnlyInvoker: invoker.New(c, nil),
 	}, nil
 }
 func (c *clientContext) sendTx(tx *transaction.Transaction, cmd *cobra.Command, await bool) error {
 	h, err := c.Client.SendRawTransaction(tx)
 	if err != nil {
 		return err
 	}
 	if h != tx.Hash() {
 		return fmt.Errorf("sent and actual tx hashes mismatch:\n\tsent: %v\n\tactual: %v", tx.Hash().StringLE(), h.StringLE())
 	}
 	c.SentTxs = append(c.SentTxs, hashVUBPair{hash: h, vub: tx.ValidUntilBlock})
 	if await {
 		return c.awaitTx(cmd)
 	}
 	return nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/netmap_candidates.go
+++ b/cmd/frostfs-adm/internal/modules/morph/netmap_candidates.go
@ -0,0 +1,29 @@
 package morph
 import (
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
 	c, err := getN3Client(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
 	inv := invoker.New(c, nil)
 	cs, err := c.GetContractStateByID(1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract info: %w", err)
 	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
 	commonCmd.ExitOnErr(cmd, "can't get netmap contract hash: %w", err)
 	res, err := inv.Call(nmHash, "netmapCandidates")
 	commonCmd.ExitOnErr(cmd, "can't fetch list of network config keys from the netmap contract", err)
 	nm, err := netmap.DecodeNetMap(res.Stack)
 	commonCmd.ExitOnErr(cmd, "unable to decode netmap: %w", err)
 	commonCmd.PrettyPrintNetMap(cmd, *nm, !viper.GetBool(commonflags.Verbose))
 }
--- a/cmd/frostfs-adm/internal/modules/morph/notary.go
+++ b/cmd/frostfs-adm/internal/modules/morph/notary.go
@ -0,0 +1,121 @@
 package morph
 import (
 	"fmt"
 	"math/big"
 	"strconv"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/notary"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // defaultNotaryDepositLifetime is an amount of blocks notary deposit stays valid.
 // https://github.com/nspcc-dev/neo-go/blob/master/pkg/core/native/notary.go#L48
 const defaultNotaryDepositLifetime = 5760
 func depositNotary(cmd *cobra.Command, _ []string) error {
 	p, err := cmd.Flags().GetString(storageWalletFlag)
 	if err != nil {
 		return err
 	} else if p == "" {
 		return fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
 	}
 	w, err := wallet.NewWalletFromFile(p)
 	if err != nil {
 		return fmt.Errorf("can't open wallet: %v", err)
 	}
 	accHash := w.GetChangeAddress()
 	if addr, err := cmd.Flags().GetString(walletAccountFlag); err == nil {
 		accHash, err = address.StringToUint160(addr)
 		if err != nil {
 			return fmt.Errorf("invalid address: %s", addr)
 		}
 	}
 	acc := w.GetAccount(accHash)
 	if acc == nil {
 		return fmt.Errorf("can't find account for %s", accHash)
 	}
 	prompt := fmt.Sprintf("Enter password for %s >", address.Uint160ToString(accHash))
 	pass, err := input.ReadPassword(prompt)
 	if err != nil {
 		return fmt.Errorf("can't get password: %v", err)
 	}
 	err = acc.Decrypt(pass, keys.NEP2ScryptParams())
 	if err != nil {
 		return fmt.Errorf("can't unlock account: %v", err)
 	}
 	gasStr, err := cmd.Flags().GetString(refillGasAmountFlag)
 	if err != nil {
 		return err
 	}
 	gasAmount, err := parseGASAmount(gasStr)
 	if err != nil {
 		return err
 	}
 	till := int64(defaultNotaryDepositLifetime)
 	tillStr, err := cmd.Flags().GetString(notaryDepositTillFlag)
 	if err != nil {
 		return err
 	}
 	if tillStr != "" {
 		till, err = strconv.ParseInt(tillStr, 10, 64)
 		if err != nil || till <= 0 {
 			return fmt.Errorf("notary deposit lifetime must be a positive integer")
 		}
 	}
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return err
 	}
 	if err := checkNotaryEnabled(c); err != nil {
 		return err
 	}
 	height, err := c.GetBlockCount()
 	if err != nil {
 		return fmt.Errorf("can't get current height: %v", err)
 	}
 	act, err := actor.New(c, []actor.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: acc.Contract.ScriptHash(),
 			Scopes:  transaction.Global,
 		},
 		Account: acc,
 	}})
 	if err != nil {
 		return fmt.Errorf("could not create actor: %w", err)
 	}
 	gasActor := nep17.New(act, gas.Hash)
 	txHash, vub, err := gasActor.Transfer(
 		accHash,
 		notary.Hash,
 		big.NewInt(int64(gasAmount)),
 		[]any{nil, int64(height) + till},
 	)
 	if err != nil {
 		return fmt.Errorf("could not send tx: %w", err)
 	}
 	return awaitTx(cmd, c, []hashVUBPair{{hash: txHash, vub: vub}})
 }
--- a/cmd/frostfs-adm/internal/modules/morph/policy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/policy.go
@ -0,0 +1,54 @@
 package morph
 import (
 	"fmt"
 	"strconv"
 	"strings"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/policy"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	execFeeParam      = "ExecFeeFactor"
 	storagePriceParam = "StoragePrice"
 	setFeeParam       = "FeePerByte"
 )
 func setPolicyCmd(cmd *cobra.Command, args []string) error {
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't to initialize context: %w", err)
 	}
 	bw := io.NewBufBinWriter()
 	for i := range args {
 		k, v, found := strings.Cut(args[i], "=")
 		if !found {
 			return fmt.Errorf("invalid parameter format, must be Parameter=Value")
 		}
 		switch k {
 		case execFeeParam, storagePriceParam, setFeeParam:
 		default:
 			return fmt.Errorf("parameter must be one of %s, %s and %s", execFeeParam, storagePriceParam, setFeeParam)
 		}
 		value, err := strconv.ParseUint(v, 10, 32)
 		if err != nil {
 			return fmt.Errorf("can't parse parameter value '%s': %w", args[1], err)
 		}
 		emit.AppCall(bw.BinWriter, policy.Hash, "set"+k, callflag.All, int64(value))
 	}
 	if err := wCtx.sendCommitteeTx(bw.Bytes(), false); err != nil {
 		return err
 	}
 	return wCtx.awaitTx()
 }
--- a/cmd/frostfs-adm/internal/modules/morph/remove_node.go
+++ b/cmd/frostfs-adm/internal/modules/morph/remove_node.go
@ -0,0 +1,61 @@
 package morph
 import (
 	"errors"
 	"fmt"
 	netmapcontract "github.com/TrueCloudLab/frostfs-contract/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 func removeNodesCmd(cmd *cobra.Command, args []string) error {
 	if len(args) == 0 {
 		return errors.New("at least one node key must be provided")
 	}
 	nodeKeys := make(keys.PublicKeys, len(args))
 	for i := range args {
 		var err error
 		nodeKeys[i], err = keys.NewPublicKeyFromString(args[i])
 		if err != nil {
 			return fmt.Errorf("can't parse node public key: %w", err)
 		}
 	}
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't initialize context: %w", err)
 	}
 	defer wCtx.close()
 	cs, err := wCtx.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
 	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
 	bw := io.NewBufBinWriter()
 	for i := range nodeKeys {
 		emit.AppCall(bw.BinWriter, nmHash, "updateStateIR", callflag.All,
 			int64(netmapcontract.NodeStateOffline), nodeKeys[i].Bytes())
 	}
 	if err := emitNewEpochCall(bw, wCtx, nmHash); err != nil {
 		return err
 	}
 	if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
 		return err
 	}
 	return wCtx.awaitTx()
 }
--- a/cmd/frostfs-adm/internal/modules/morph/root.go
+++ b/cmd/frostfs-adm/internal/modules/morph/root.go
@ -0,0 +1,339 @@
 package morph
 import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	alphabetWalletsFlag             = "alphabet-wallets"
 	alphabetSizeFlag                = "size"
 	endpointFlag                    = "rpc-endpoint"
 	storageWalletFlag               = "storage-wallet"
 	storageWalletLabelFlag          = "label"
 	storageGasCLIFlag               = "initial-gas"
 	storageGasConfigFlag            = "storage.initial_gas"
 	contractsInitFlag               = "contracts"
 	maxObjectSizeInitFlag           = "network.max_object_size"
 	maxObjectSizeCLIFlag            = "max-object-size"
 	epochDurationInitFlag           = "network.epoch_duration"
 	epochDurationCLIFlag            = "epoch-duration"
 	incomeRateInitFlag              = "network.basic_income_rate"
 	incomeRateCLIFlag               = "basic-income-rate"
 	auditFeeInitFlag                = "network.fee.audit"
 	auditFeeCLIFlag                 = "audit-fee"
 	containerFeeInitFlag            = "network.fee.container"
 	containerAliasFeeInitFlag       = "network.fee.container_alias"
 	containerFeeCLIFlag             = "container-fee"
 	containerAliasFeeCLIFlag        = "container-alias-fee"
 	candidateFeeInitFlag            = "network.fee.candidate"
 	candidateFeeCLIFlag             = "candidate-fee"
 	homomorphicHashDisabledInitFlag = "network.homomorphic_hash_disabled"
 	maintenanceModeAllowedInitFlag  = "network.maintenance_mode_allowed"
 	homomorphicHashDisabledCLIFlag  = "homomorphic-disabled"
 	withdrawFeeInitFlag             = "network.fee.withdraw"
 	withdrawFeeCLIFlag              = "withdraw-fee"
 	containerDumpFlag               = "dump"
 	containerContractFlag           = "container-contract"
 	containerIDsFlag                = "cid"
 	refillGasAmountFlag             = "gas"
 	walletAccountFlag               = "account"
 	notaryDepositTillFlag           = "till"
 	localDumpFlag                   = "local-dump"
 	protoConfigPath                 = "protocol"
 	walletAddressFlag               = "wallet-address"
 )
 var (
 	// RootCmd is a root command of config section.
 	RootCmd = &cobra.Command{
 		Use:   "morph",
 		Short: "Section for morph network configuration commands",
 	}
 	generateAlphabetCmd = &cobra.Command{
 		Use:   "generate-alphabet",
 		Short: "Generate alphabet wallets for consensus nodes of the morph network",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			// PreRun fixes https://github.com/spf13/viper/issues/233
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 		},
 		RunE: generateAlphabetCreds,
 	}
 	initCmd = &cobra.Command{
 		Use:   "init",
 		Short: "Initialize side chain network with smart-contracts and network settings",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 			_ = viper.BindPFlag(epochDurationInitFlag, cmd.Flags().Lookup(epochDurationCLIFlag))
 			_ = viper.BindPFlag(maxObjectSizeInitFlag, cmd.Flags().Lookup(maxObjectSizeCLIFlag))
 			_ = viper.BindPFlag(incomeRateInitFlag, cmd.Flags().Lookup(incomeRateCLIFlag))
 			_ = viper.BindPFlag(homomorphicHashDisabledInitFlag, cmd.Flags().Lookup(homomorphicHashDisabledCLIFlag))
 			_ = viper.BindPFlag(auditFeeInitFlag, cmd.Flags().Lookup(auditFeeCLIFlag))
 			_ = viper.BindPFlag(candidateFeeInitFlag, cmd.Flags().Lookup(candidateFeeCLIFlag))
 			_ = viper.BindPFlag(containerFeeInitFlag, cmd.Flags().Lookup(containerFeeCLIFlag))
 			_ = viper.BindPFlag(containerAliasFeeInitFlag, cmd.Flags().Lookup(containerAliasFeeCLIFlag))
 			_ = viper.BindPFlag(withdrawFeeInitFlag, cmd.Flags().Lookup(withdrawFeeCLIFlag))
 			_ = viper.BindPFlag(protoConfigPath, cmd.Flags().Lookup(protoConfigPath))
 			_ = viper.BindPFlag(localDumpFlag, cmd.Flags().Lookup(localDumpFlag))
 		},
 		RunE: initializeSideChainCmd,
 	}
 	generateStorageCmd = &cobra.Command{
 		Use:   "generate-storage-wallet",
 		Short: "Generate storage node wallet for the morph network",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 			_ = viper.BindPFlag(storageGasConfigFlag, cmd.Flags().Lookup(storageGasCLIFlag))
 		},
 		RunE: generateStorageCreds,
 	}
 	refillGasCmd = &cobra.Command{
 		Use:   "refill-gas",
 		Short: "Refill GAS of storage node's wallet in the morph network",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 			_ = viper.BindPFlag(refillGasAmountFlag, cmd.Flags().Lookup(refillGasAmountFlag))
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return refillGas(cmd, refillGasAmountFlag, false)
 		},
 	}
 	forceNewEpoch = &cobra.Command{
 		Use:   "force-new-epoch",
 		Short: "Create new FrostFS epoch event in the side chain",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: forceNewEpochCmd,
 	}
 	removeNodes = &cobra.Command{
 		Use:   "remove-nodes key1 [key2 [...]]",
 		Short: "Remove storage nodes from the netmap",
 		Long:  `Move nodes to the Offline state in the candidates list and tick an epoch to update the netmap`,
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: removeNodesCmd,
 	}
 	setConfig = &cobra.Command{
 		Use:                   "set-config key1=val1 [key2=val2 ...]",
 		DisableFlagsInUseLine: true,
 		Short:                 "Add/update global config value in the FrostFS network",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		Args: cobra.MinimumNArgs(1),
 		RunE: setConfigCmd,
 	}
 	setPolicy = &cobra.Command{
 		Use:                   "set-policy [ExecFeeFactor=<n1>] [StoragePrice=<n2>] [FeePerByte=<n3>]",
 		DisableFlagsInUseLine: true,
 		Short:                 "Set global policy values",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: setPolicyCmd,
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return []string{"ExecFeeFactor=", "StoragePrice=", "FeePerByte="}, cobra.ShellCompDirectiveNoSpace
 		},
 	}
 	dumpContractHashesCmd = &cobra.Command{
 		Use:   "dump-hashes",
 		Short: "Dump deployed contract hashes",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: dumpContractHashes,
 	}
 	dumpNetworkConfigCmd = &cobra.Command{
 		Use:   "dump-config",
 		Short: "Dump FrostFS network config",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: dumpNetworkConfig,
 	}
 	dumpBalancesCmd = &cobra.Command{
 		Use:   "dump-balances",
 		Short: "Dump GAS balances",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: dumpBalances,
 	}
 	updateContractsCmd = &cobra.Command{
 		Use:   "update-contracts",
 		Short: "Update FrostFS contracts",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: updateContracts,
 	}
 	dumpContainersCmd = &cobra.Command{
 		Use:   "dump-containers",
 		Short: "Dump FrostFS containers to file",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: dumpContainers,
 	}
 	restoreContainersCmd = &cobra.Command{
 		Use:   "restore-containers",
 		Short: "Restore FrostFS containers from file",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: restoreContainers,
 	}
 	listContainersCmd = &cobra.Command{
 		Use:   "list-containers",
 		Short: "List FrostFS containers",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: listContainers,
 	}
 	depositNotaryCmd = &cobra.Command{
 		Use:   "deposit-notary",
 		Short: "Deposit GAS for notary service",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 		},
 		RunE: depositNotary,
 	}
 	netmapCandidatesCmd = &cobra.Command{
 		Use:   "netmap-candidates",
 		Short: "List netmap candidates nodes",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
 		},
 		Run: listNetmapCandidatesNodes,
 	}
 )
 func init() {
 	RootCmd.AddCommand(generateAlphabetCmd)
 	generateAlphabetCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	generateAlphabetCmd.Flags().Uint(alphabetSizeFlag, 7, "Amount of alphabet wallets to generate")
 	RootCmd.AddCommand(initCmd)
 	initCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	initCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	initCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
 	initCmd.Flags().Uint(epochDurationCLIFlag, 240, "Amount of side chain blocks in one FrostFS epoch")
 	initCmd.Flags().Uint(maxObjectSizeCLIFlag, 67108864, "Max single object size in bytes")
 	initCmd.Flags().Bool(homomorphicHashDisabledCLIFlag, false, "Disable object homomorphic hashing")
 	// Defaults are taken from neo-preodolenie.
 	initCmd.Flags().Uint64(containerFeeCLIFlag, 1000, "Container registration fee")
 	initCmd.Flags().Uint64(containerAliasFeeCLIFlag, 500, "Container alias fee")
 	initCmd.Flags().String(protoConfigPath, "", "Path to the consensus node configuration")
 	initCmd.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
 	RootCmd.AddCommand(deployCmd)
 	RootCmd.AddCommand(generateStorageCmd)
 	generateStorageCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	generateStorageCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	generateStorageCmd.Flags().String(storageWalletFlag, "", "Path to new storage node wallet")
 	generateStorageCmd.Flags().String(storageGasCLIFlag, "", "Initial amount of GAS to transfer")
 	generateStorageCmd.Flags().StringP(storageWalletLabelFlag, "l", "", "Wallet label")
 	RootCmd.AddCommand(forceNewEpoch)
 	forceNewEpoch.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	forceNewEpoch.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	RootCmd.AddCommand(removeNodes)
 	removeNodes.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	removeNodes.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	RootCmd.AddCommand(setPolicy)
 	setPolicy.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	setPolicy.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	RootCmd.AddCommand(dumpContractHashesCmd)
 	dumpContractHashesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	dumpContractHashesCmd.Flags().String(customZoneFlag, "", "Custom zone to search.")
 	RootCmd.AddCommand(dumpNetworkConfigCmd)
 	dumpNetworkConfigCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	RootCmd.AddCommand(setConfig)
 	setConfig.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	setConfig.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	setConfig.Flags().Bool(forceConfigSet, false, "Force setting not well-known configuration key")
 	RootCmd.AddCommand(dumpBalancesCmd)
 	dumpBalancesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	dumpBalancesCmd.Flags().BoolP(dumpBalancesStorageFlag, "s", false, "Dump balances of storage nodes from the current netmap")
 	dumpBalancesCmd.Flags().BoolP(dumpBalancesAlphabetFlag, "a", false, "Dump balances of alphabet contracts")
 	dumpBalancesCmd.Flags().BoolP(dumpBalancesProxyFlag, "p", false, "Dump balances of the proxy contract")
 	dumpBalancesCmd.Flags().Bool(dumpBalancesUseScriptHashFlag, false, "Use script-hash format for addresses")
 	RootCmd.AddCommand(updateContractsCmd)
 	updateContractsCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	updateContractsCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	updateContractsCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
 	RootCmd.AddCommand(dumpContainersCmd)
 	dumpContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	dumpContainersCmd.Flags().String(containerDumpFlag, "", "File where to save dumped containers")
 	dumpContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
 	dumpContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to dump")
 	RootCmd.AddCommand(restoreContainersCmd)
 	restoreContainersCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	restoreContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	restoreContainersCmd.Flags().String(containerDumpFlag, "", "File to restore containers from")
 	restoreContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to restore")
 	RootCmd.AddCommand(listContainersCmd)
 	listContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	listContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
 	RootCmd.AddCommand(refillGasCmd)
 	refillGasCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
 	refillGasCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	refillGasCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
 	refillGasCmd.Flags().String(walletAddressFlag, "", "Address of wallet")
 	refillGasCmd.Flags().String(refillGasAmountFlag, "", "Additional amount of GAS to transfer")
 	refillGasCmd.MarkFlagsMutuallyExclusive(walletAddressFlag, storageWalletFlag)
 	RootCmd.AddCommand(cmdSubnet)
 	RootCmd.AddCommand(depositNotaryCmd)
 	depositNotaryCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 	depositNotaryCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
 	depositNotaryCmd.Flags().String(walletAccountFlag, "", "Wallet account address")
 	depositNotaryCmd.Flags().String(refillGasAmountFlag, "", "Amount of GAS to deposit")
 	depositNotaryCmd.Flags().String(notaryDepositTillFlag, "", "Notary deposit duration in blocks")
 	RootCmd.AddCommand(netmapCandidatesCmd)
 	netmapCandidatesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
 }
--- a/cmd/frostfs-adm/internal/modules/morph/subnet.go
+++ b/cmd/frostfs-adm/internal/modules/morph/subnet.go
--- a/cmd/frostfs-adm/internal/modules/morph/update.go
+++ b/cmd/frostfs-adm/internal/modules/morph/update.go
@ -0,0 +1,21 @@
 package morph
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 func updateContracts(cmd *cobra.Command, _ []string) error {
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("initialization error: %w", err)
 	}
 	if err := wCtx.deployNNS(updateMethodName); err != nil {
 		return err
 	}
 	return wCtx.updateContracts()
 }
--- a/cmd/frostfs-adm/internal/modules/root.go
+++ b/cmd/frostfs-adm/internal/modules/root.go
@ -0,0 +1,85 @@
 package modules
 import (
 	"os"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/storagecfg"
 	"github.com/TrueCloudLab/frostfs-node/misc"
 	"github.com/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
 	utilConfig "github.com/TrueCloudLab/frostfs-node/pkg/util/config"
 	"github.com/TrueCloudLab/frostfs-node/pkg/util/gendoc"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var (
 	rootCmd = &cobra.Command{
 		Use:   "frostfs-adm",
 		Short: "FrostFS Administrative Tool",
 		Long: `FrostFS Administrative Tool provides functions to setup and
 manage FrostFS network deployment.`,
 		RunE:         entryPoint,
 		SilenceUsage: true,
 	}
 )
 func init() {
 	cobra.OnInitialize(func() { initConfig(rootCmd) })
 	// we need to init viper config to bind viper and cobra configurations for
 	// rpc endpoint, alphabet wallet dir, key credentials, etc.
 	// use stdout as default output for cmd.Print()
 	rootCmd.SetOut(os.Stdout)
 	rootCmd.PersistentFlags().StringP(commonflags.ConfigFlag, commonflags.ConfigFlagShorthand, "", commonflags.ConfigFlagUsage)
 	rootCmd.PersistentFlags().String(commonflags.ConfigDirFlag, "", commonflags.ConfigDirFlagUsage)
 	rootCmd.PersistentFlags().BoolP(commonflags.Verbose, commonflags.VerboseShorthand, false, commonflags.VerboseUsage)
 	_ = viper.BindPFlag(commonflags.Verbose, rootCmd.PersistentFlags().Lookup(commonflags.Verbose))
 	rootCmd.Flags().Bool("version", false, "Application version")
 	rootCmd.AddCommand(config.RootCmd)
 	rootCmd.AddCommand(morph.RootCmd)
 	rootCmd.AddCommand(storagecfg.RootCmd)
 	rootCmd.AddCommand(autocomplete.Command("frostfs-adm"))
 	rootCmd.AddCommand(gendoc.Command(rootCmd))
 }
 func Execute() error {
 	return rootCmd.Execute()
 }
 func entryPoint(cmd *cobra.Command, args []string) error {
 	printVersion, _ := cmd.Flags().GetBool("version")
 	if printVersion {
 		cmd.Print(misc.BuildInfo("FrostFS Adm"))
 		return nil
 	}
 	return cmd.Usage()
 }
 func initConfig(cmd *cobra.Command) {
 	configFile, err := cmd.Flags().GetString(commonflags.ConfigFlag)
 	if err != nil {
 		return
 	}
 	if configFile != "" {
 		viper.SetConfigType("yml")
 		viper.SetConfigFile(configFile)
 		_ = viper.ReadInConfig() // if config file is set but unavailable, ignore it
 	}
 	configDir, err := cmd.Flags().GetString(commonflags.ConfigDirFlag)
 	if err != nil {
 		return
 	}
 	if configDir != "" {
 		_ = utilConfig.ReadConfigDir(viper.GetViper(), configDir) // if config files cannot be read, ignore it
 	}
 }
--- a/cmd/frostfs-adm/internal/modules/storagecfg/config.go
+++ b/cmd/frostfs-adm/internal/modules/storagecfg/config.go
@ -0,0 +1,138 @@
 package storagecfg
 const configTemplate = `logger:
  level: info  # logger level: one of "debug", "info" (default), "warn", "error", "dpanic", "panic", "fatal"
 node:
  wallet:
    path: {{ .Wallet.Path }}  # path to a NEO wallet; ignored if key is presented
    address: {{ .Wallet.Account }}  # address of a NEO account in the wallet; ignored if key is presented
    password: {{ .Wallet.Password }}  # password for a NEO account in the wallet; ignored if key is presented
  addresses:  # list of addresses announced by Storage node in the Network map
    - {{ .AnnouncedAddress }}
  attribute_0: UN-LOCODE:{{ .Attribute.Locode }}
  relay: {{ .Relay }}  # start Storage node in relay mode without bootstrapping into the Network map
  subnet:
    exit_zero: false # toggle entrance to zero subnet (overrides corresponding attribute and occurrence in entries)
    entries: [] # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)
 grpc:
  num: 1  # total number of listener endpoints
  0:
    endpoint: {{ .Endpoint }}  # endpoint for gRPC server
    tls:{{if .TLSCert}}
      enabled: true  # enable TLS for a gRPC connection (min version is TLS 1.2)
      certificate: {{ .TLSCert }}  # path to TLS certificate
      key: {{ .TLSKey }}  # path to TLS key
    {{- else }}
      enabled: false # disable TLS for a gRPC connection
    {{- end}}
 control:
  authorized_keys:  # list of hex-encoded public keys that have rights to use the Control Service
    {{- range .AuthorizedKeys }}
    - {{.}}{{end}}
  grpc:
    endpoint: {{.ControlEndpoint}}  # endpoint that is listened by the Control Service
 morph:
  dial_timeout: 20s  # timeout for side chain NEO RPC client connection
  cache_ttl: 15s  # use TTL cache for side chain GET operations
  rpc_endpoint:  # side chain N3 RPC endpoints
    {{- range .MorphRPC }}
    - address: wss://{{.}}/ws{{end}}
 {{if not .Relay }}
 storage:
  shard_pool_size: 15  # size of per-shard worker pools used for PUT operations
  shard:
    default: # section with the default shard parameters
      metabase:
        perm: 0644  # permissions for metabase files(directories: +x for current user and group)
      blobstor:
        perm: 0644  # permissions for blobstor files(directories: +x for current user and group)
        depth: 2  # max depth of object tree storage in FS
        small_object_size: 102400  # 100KiB, size threshold for "small" objects which are stored in key-value DB, not in FS, bytes
        compress: true  # turn on/off Zstandard compression (level 3) of stored objects
        compression_exclude_content_types:
          - audio/*
          - video/*
        blobovnicza:
          size: 1073741824  # approximate size limit of single blobovnicza instance, total size will be: size*width^(depth+1), bytes
          depth: 1  # max depth of object tree storage in key-value DB
          width: 4   # max width of object tree storage in key-value DB
          opened_cache_capacity: 50  # maximum number of opened database files
      gc:
        remover_batch_size: 200  # number of objects to be removed by the garbage collector
        remover_sleep_interval: 5m  # frequency of the garbage collector invocation
    0:
      mode: "read-write"  # mode of the shard, must be one of the: "read-write" (default), "read-only"
      metabase:
        path: {{ .MetabasePath }}  # path to the metabase
      blobstor:
        path: {{ .BlobstorPath }}  # path to the blobstor
 {{end}}`
 const (
 	neofsMainnetAddress   = "2cafa46838e8b564468ebd868dcafdd99dce6221"
 	balanceMainnetAddress = "dc1ec98d9d0c5f9dfade16144defe08cffc5ca55"
 	neofsTestnetAddress   = "b65d8243ac63983206d17e5221af0653a7266fa1"
 	balanceTestnetAddress = "e0420c216003747626670d1424569c17c79015bf"
 )
 var n3config = map[string]struct {
 	MorphRPC        []string
 	RPC             []string
 	NeoFSContract   string
 	BalanceContract string
 }{
 	"testnet": {
 		MorphRPC: []string{
 			"rpc01.morph.testnet.fs.neo.org:51331",
 			"rpc02.morph.testnet.fs.neo.org:51331",
 			"rpc03.morph.testnet.fs.neo.org:51331",
 			"rpc04.morph.testnet.fs.neo.org:51331",
 			"rpc05.morph.testnet.fs.neo.org:51331",
 			"rpc06.morph.testnet.fs.neo.org:51331",
 			"rpc07.morph.testnet.fs.neo.org:51331",
 		},
 		RPC: []string{
 			"rpc01.testnet.n3.nspcc.ru:21331",
 			"rpc02.testnet.n3.nspcc.ru:21331",
 			"rpc03.testnet.n3.nspcc.ru:21331",
 			"rpc04.testnet.n3.nspcc.ru:21331",
 			"rpc05.testnet.n3.nspcc.ru:21331",
 			"rpc06.testnet.n3.nspcc.ru:21331",
 			"rpc07.testnet.n3.nspcc.ru:21331",
 		},
 		NeoFSContract:   neofsTestnetAddress,
 		BalanceContract: balanceTestnetAddress,
 	},
 	"mainnet": {
 		MorphRPC: []string{
 			"rpc1.morph.fs.neo.org:40341",
 			"rpc2.morph.fs.neo.org:40341",
 			"rpc3.morph.fs.neo.org:40341",
 			"rpc4.morph.fs.neo.org:40341",
 			"rpc5.morph.fs.neo.org:40341",
 			"rpc6.morph.fs.neo.org:40341",
 			"rpc7.morph.fs.neo.org:40341",
 		},
 		RPC: []string{
 			"rpc1.n3.nspcc.ru:10331",
 			"rpc2.n3.nspcc.ru:10331",
 			"rpc3.n3.nspcc.ru:10331",
 			"rpc4.n3.nspcc.ru:10331",
 			"rpc5.n3.nspcc.ru:10331",
 			"rpc6.n3.nspcc.ru:10331",
 			"rpc7.n3.nspcc.ru:10331",
 		},
 		NeoFSContract:   neofsMainnetAddress,
 		BalanceContract: balanceMainnetAddress,
 	},
 }
--- a/cmd/frostfs-adm/internal/modules/storagecfg/root.go
+++ b/cmd/frostfs-adm/internal/modules/storagecfg/root.go
@ -0,0 +1,417 @@
 package storagecfg
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"math/rand"
 	"net"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"text/template"
 	"time"
 	netutil "github.com/TrueCloudLab/frostfs-node/pkg/network"
 	"github.com/chzyer/readline"
 	"github.com/nspcc-dev/neo-go/cli/flags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 )
 const (
 	walletFlag  = "wallet"
 	accountFlag = "account"
 )
 const (
 	defaultControlEndpoint = "localhost:8090"
 	defaultDataEndpoint    = "localhost"
 )
 // RootCmd is a root command of config section.
 var RootCmd = &cobra.Command{
 	Use:   "storage-config [-w wallet] [-a acccount] [<path-to-config>]",
 	Short: "Section for storage node configuration commands",
 	Run:   storageConfig,
 }
 func init() {
 	fs := RootCmd.Flags()
 	fs.StringP(walletFlag, "w", "", "Path to wallet")
 	fs.StringP(accountFlag, "a", "", "Wallet account")
 }
 type config struct {
 	AnnouncedAddress string
 	AuthorizedKeys   []string
 	ControlEndpoint  string
 	Endpoint         string
 	TLSCert          string
 	TLSKey           string
 	MorphRPC         []string
 	Attribute        struct {
 		Locode string
 	}
 	Wallet struct {
 		Path     string
 		Account  string
 		Password string
 	}
 	Relay        bool
 	BlobstorPath string
 	MetabasePath string
 }
 func storageConfig(cmd *cobra.Command, args []string) {
 	var outPath string
 	if len(args) != 0 {
 		outPath = args[0]
 	} else {
 		outPath = getPath("File to write config at [./config.yml]: ")
 		if outPath == "" {
 			outPath = "./config.yml"
 		}
 	}
 	historyPath := filepath.Join(os.TempDir(), "frostfs-adm.history")
 	readline.SetHistoryPath(historyPath)
 	var c config
 	c.Wallet.Path, _ = cmd.Flags().GetString(walletFlag)
 	if c.Wallet.Path == "" {
 		c.Wallet.Path = getPath("Path to the storage node wallet: ")
 	}
 	w, err := wallet.NewWalletFromFile(c.Wallet.Path)
 	fatalOnErr(err)
 	c.Wallet.Account, _ = cmd.Flags().GetString(accountFlag)
 	if c.Wallet.Account == "" {
 		addr := address.Uint160ToString(w.GetChangeAddress())
 		c.Wallet.Account = getWalletAccount(w, fmt.Sprintf("Wallet account [%s]: ", addr))
 		if c.Wallet.Account == "" {
 			c.Wallet.Account = addr
 		}
 	}
 	accH, err := flags.ParseAddress(c.Wallet.Account)
 	fatalOnErr(err)
 	acc := w.GetAccount(accH)
 	if acc == nil {
 		fatalOnErr(errors.New("can't find account in wallet"))
 	}
 	c.Wallet.Password, err = input.ReadPassword(fmt.Sprintf("Account password for %s: ", c.Wallet.Account))
 	fatalOnErr(err)
 	err = acc.Decrypt(c.Wallet.Password, keys.NEP2ScryptParams())
 	fatalOnErr(err)
 	c.AuthorizedKeys = append(c.AuthorizedKeys, hex.EncodeToString(acc.PrivateKey().PublicKey().Bytes()))
 	var network string
 	for {
 		network = getString("Choose network [mainnet]/testnet: ")
 		switch network {
 		case "":
 			network = "mainnet"
 		case "testnet", "mainnet":
 		default:
 			cmd.Println(`Network must be either "mainnet" or "testnet"`)
 			continue
 		}
 		break
 	}
 	c.MorphRPC = n3config[network].MorphRPC
 	depositGas(cmd, acc, network)
 	c.Attribute.Locode = getString("UN-LOCODE attribute in [XX YYY] format: ")
 	var addr, port string
 	for {
 		c.AnnouncedAddress = getString("Publicly announced address: ")
 		validator := netutil.Address{}
 		err := validator.FromString(c.AnnouncedAddress)
 		if err != nil {
 			cmd.Println("Incorrect address format. See https://github.com/TrueCloudLab/frostfs-node/blob/master/pkg/network/address.go for details.")
 			continue
 		}
 		uriAddr, err := url.Parse(validator.URIAddr())
 		if err != nil {
 			panic(fmt.Errorf("unexpected error: %w", err))
 		}
 		addr = uriAddr.Hostname()
 		port = uriAddr.Port()
 		ip, err := net.ResolveIPAddr("ip", addr)
 		if err != nil {
 			cmd.Printf("Can't resolve IP address %s: %v\n", addr, err)
 			continue
 		}
 		if !ip.IP.IsGlobalUnicast() {
 			cmd.Println("IP must be global unicast.")
 			continue
 		}
 		cmd.Printf("Resolved IP address: %s\n", ip.String())
 		_, err = strconv.ParseUint(port, 10, 16)
 		if err != nil {
 			cmd.Println("Port must be an integer.")
 			continue
 		}
 		break
 	}
 	defaultAddr := net.JoinHostPort(defaultDataEndpoint, port)
 	c.Endpoint = getString(fmt.Sprintf("Listening address [%s]: ", defaultAddr))
 	if c.Endpoint == "" {
 		c.Endpoint = defaultAddr
 	}
 	c.ControlEndpoint = getString(fmt.Sprintf("Listening address (control endpoint) [%s]: ", defaultControlEndpoint))
 	if c.ControlEndpoint == "" {
 		c.ControlEndpoint = defaultControlEndpoint
 	}
 	c.TLSCert = getPath("TLS Certificate (optional): ")
 	if c.TLSCert != "" {
 		c.TLSKey = getPath("TLS Key: ")
 	}
 	c.Relay = getConfirmation(false, "Use node as a relay? yes/[no]: ")
 	if !c.Relay {
 		p := getPath("Path to the storage directory (all available storage will be used): ")
 		c.BlobstorPath = filepath.Join(p, "blob")
 		c.MetabasePath = filepath.Join(p, "meta")
 	}
 	out := applyTemplate(c)
 	fatalOnErr(os.WriteFile(outPath, out, 0644))
 	cmd.Println("Node is ready for work! Run `frostfs-node -config " + outPath + "`")
 }
 func getWalletAccount(w *wallet.Wallet, prompt string) string {
 	addrs := make([]readline.PrefixCompleterInterface, len(w.Accounts))
 	for i := range w.Accounts {
 		addrs[i] = readline.PcItem(w.Accounts[i].Address)
 	}
 	readline.SetAutoComplete(readline.NewPrefixCompleter(addrs...))
 	defer readline.SetAutoComplete(nil)
 	s, err := readline.Line(prompt)
 	fatalOnErr(err)
 	return strings.TrimSpace(s) // autocompleter can return a string with a trailing space
 }
 func getString(prompt string) string {
 	s, err := readline.Line(prompt)
 	fatalOnErr(err)
 	if s != "" {
 		_ = readline.AddHistory(s)
 	}
 	return s
 }
 type filenameCompleter struct{}
 func (filenameCompleter) Do(line []rune, pos int) (newLine [][]rune, length int) {
 	prefix := string(line[:pos])
 	dir := filepath.Dir(prefix)
 	de, err := os.ReadDir(dir)
 	if err != nil {
 		return nil, 0
 	}
 	for i := range de {
 		name := filepath.Join(dir, de[i].Name())
 		if strings.HasPrefix(name, prefix) {
 			tail := []rune(strings.TrimPrefix(name, prefix))
 			if de[i].IsDir() {
 				tail = append(tail, filepath.Separator)
 			}
 			newLine = append(newLine, tail)
 		}
 	}
 	if pos != 0 {
 		return newLine, pos - len([]rune(dir))
 	}
 	return newLine, 0
 }
 func getPath(prompt string) string {
 	readline.SetAutoComplete(filenameCompleter{})
 	defer readline.SetAutoComplete(nil)
 	p, err := readline.Line(prompt)
 	fatalOnErr(err)
 	if p == "" {
 		return p
 	}
 	_ = readline.AddHistory(p)
 	abs, err := filepath.Abs(p)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("can't create an absolute path: %w", err))
 	}
 	return abs
 }
 func getConfirmation(def bool, prompt string) bool {
 	for {
 		s, err := readline.Line(prompt)
 		fatalOnErr(err)
 		switch strings.ToLower(s) {
 		case "y", "yes":
 			return true
 		case "n", "no":
 			return false
 		default:
 			if len(s) == 0 {
 				return def
 			}
 		}
 	}
 }
 func applyTemplate(c config) []byte {
 	tmpl, err := template.New("config").Parse(configTemplate)
 	fatalOnErr(err)
 	b := bytes.NewBuffer(nil)
 	fatalOnErr(tmpl.Execute(b, c))
 	return b.Bytes()
 }
 func fatalOnErr(err error) {
 	if err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 		os.Exit(1)
 	}
 }
 func depositGas(cmd *cobra.Command, acc *wallet.Account, network string) {
 	sideClient := initClient(n3config[network].MorphRPC)
 	balanceHash, _ := util.Uint160DecodeStringLE(n3config[network].BalanceContract)
 	sideActor, err := actor.NewSimple(sideClient, acc)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("creating actor over side chain client: %w", err))
 	}
 	sideGas := nep17.NewReader(sideActor, balanceHash)
 	accSH := acc.Contract.ScriptHash()
 	balance, err := sideGas.BalanceOf(accSH)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("side chain balance: %w", err))
 	}
 	ok := getConfirmation(false, fmt.Sprintf("Current NeoFS balance is %s, make a deposit? y/[n]: ",
 		fixedn.ToString(balance, 12)))
 	if !ok {
 		return
 	}
 	amountStr := getString("Enter amount in GAS: ")
 	amount, err := fixedn.FromString(amountStr, 8)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("invalid amount: %w", err))
 	}
 	mainClient := initClient(n3config[network].RPC)
 	neofsHash, _ := util.Uint160DecodeStringLE(n3config[network].NeoFSContract)
 	mainActor, err := actor.NewSimple(mainClient, acc)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("creating actor over main chain client: %w", err))
 	}
 	mainGas := nep17.New(mainActor, gas.Hash)
 	txHash, _, err := mainGas.Transfer(accSH, neofsHash, amount, nil)
 	if err != nil {
 		fatalOnErr(fmt.Errorf("sending TX to the NeoFS contract: %w", err))
 	}
 	cmd.Print("Waiting for transactions to persist.")
 	tick := time.NewTicker(time.Second / 2)
 	defer tick.Stop()
 	timer := time.NewTimer(time.Second * 20)
 	defer timer.Stop()
 	at := trigger.Application
 loop:
 	for {
 		select {
 		case <-tick.C:
 			_, err := mainClient.GetApplicationLog(txHash, &at)
 			if err == nil {
 				cmd.Print("\n")
 				break loop
 			}
 			cmd.Print(".")
 		case <-timer.C:
 			cmd.Printf("\nTimeout while waiting for transaction to persist.\n")
 			if getConfirmation(false, "Continue configuration? yes/[no]: ") {
 				return
 			}
 			os.Exit(1)
 		}
 	}
 }
 func initClient(rpc []string) *rpcclient.Client {
 	var c *rpcclient.Client
 	var err error
 	shuffled := make([]string, len(rpc))
 	copy(shuffled, rpc)
 	rand.Shuffle(len(shuffled), func(i, j int) { shuffled[i], shuffled[j] = shuffled[j], shuffled[i] })
 	for _, endpoint := range shuffled {
 		c, err = rpcclient.New(context.Background(), "https://"+endpoint, rpcclient.Options{
 			DialTimeout:    time.Second * 2,
 			RequestTimeout: time.Second * 5,
 		})
 		if err != nil {
 			continue
 		}
 		if err = c.Init(); err != nil {
 			continue
 		}
 		return c
 	}
 	fatalOnErr(fmt.Errorf("can't create N3 client: %w", err))
 	panic("unreachable")
 }
--- a/cmd/frostfs-adm/main.go
+++ b/cmd/frostfs-adm/main.go
@ -0,0 +1,13 @@
 package main
 import (
 	"os"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules"
 )
 func main() {
 	if err := modules.Execute(); err != nil {
 		os.Exit(1)
 	}
 }
--- a/cmd/frostfs-cli/docs/sessions.md
+++ b/cmd/frostfs-cli/docs/sessions.md
@ -0,0 +1,75 @@
 # How FrostFS CLI uses session mechanism of the FrostFS
 ## Overview
 FrostFS sessions implement a mechanism for issuing a power of attorney by one
 party to another. A trusted party can provide a so-called session token as
 proof of the right to act on behalf of another member of the network. The
 client of operations carried out with such a token will be the user who opened
 the session. The token contains information which limits power of attorney like
 action context or lifetime.
 The client confirms trust in a third party by signing its public (session) key
 with his private key. Any operation signed using private session key with
 attached session token is treated as performed by the original client.
 ## Types
 FrostFS CLI supports two ways to execute operation within a session depending on
 whether the user of the command application is an original user (1) or a trusted
 one (2).
 ### Dynamic
 For case (1) CLI user can only open dynamic sessions. Protocol call
 `SessionService.Create` is used for this purpose. As a result of the call, a
 private session key will be generated on the server, thus making the remote
 server trusted. This type of session is useful when the client needs to
 transfer part of the responsibility for the formation of strict system elements
 to the trusted server. At the moment, the approach is applicable only to
 creating objects.
 ```shell
 $ frostfs-cli session create --rpc-endpoint <server_ip> --out ./blank_token
 ```
 After this example command remote node holds session private key while its
 public part is written into the session token encoded into the output file.
 Later this token can be attached to the operations which support dynamic
 sessions. Then the token will be finally formed and signed by CLI itself.
 ### Static
 For case (2) CLI user can act on behalf of the person who issued the session
 token to him. Unlike (1) the token must be fully prepared on the side of the
 original client, and the CLI uses it only for reading. Ready token MUST have:
 - correct context (object, container, etc.)
 - valid lifetime
 - public session key corresponding to the CLI key
 - valid client signature
 To sign the session token, exec:
 ```shell
 $ frostfs-cli --wallet <client_wallet> util sign session-token --from ./blank_token --to ./token
 ```
 Once the token is signed, it MUST NOT be modified.
 ## Commands
 ### Object
 Here are sub-commands of `object` command which support only dynamic sessions (1):
 - `put`
 - `delete`
 - `lock`
 These commands accept blank token of the dynamically opened session or open
 session internally if it has not been opened yet.
 All other `object` sub-commands support only static sessions (2).
 ### Container
 List of commands supporting sessions (static only):
 - `create`
 - `delete`
 - `set-eacl`
--- a/cmd/frostfs-cli/docs/storage-node-xheaders.md
+++ b/cmd/frostfs-cli/docs/storage-node-xheaders.md
@ -0,0 +1,34 @@
 # Extended headers
 ## Overview
 Extended headers are used for request/response. They may contain any
 user-defined headers to be interpreted on application level. Key name must be a
 unique valid UTF-8 string. Value can't be empty. Requests or Responses with
 duplicated header names or headers with empty values are considered invalid.
 ## Existing headers
 There are some "well-known" headers starting with `__FROSTFS__` prefix that
 affect system behaviour. For backward compatibility, the same set of
 "well-known" headers may also use `__NEOFS__` prefix:
 * `__FROSTFS__NETMAP_EPOCH` - netmap epoch to use for object placement calculation. The `value` is string
 encoded `uint64` in decimal presentation. If set to '0' or omitted, the
 current epoch only will be used.
 * `__FROSTFS__NETMAP_LOOKUP_DEPTH` - if object can't be found using current epoch's netmap, this header limits
 how many past epochs the node can look up through. Depth is applied to a current epoch or the value
 of `__FROSTFS__NETMAP_EPOCH` attribute. The `value` is string encoded `uint64` in decimal presentation.
 If set to '0' or not set, only the current epoch is used.
 ## `frostfs-cli` commands with `--xhdr`
 List of commands with support of extended headers:
 * `container list-objects`
 * `object delete/get/hash/head/lock/put/range/search`
 * `storagegroup delete/get/list/put`
 Example:
 ```shell
 $ frostfs-cli object put -r s01.frostfs.devenv:8080 -w wallet.json --cid CID --file FILE --xhdr "__FROSTFS__NETMAP_EPOCH=777"
 ```
--- a/cmd/frostfs-cli/internal/client/client.go
+++ b/cmd/frostfs-cli/internal/client/client.go
@ -0,0 +1,891 @@
 package internal
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
 	"github.com/TrueCloudLab/frostfs-sdk-go/client"
 	containerSDK "github.com/TrueCloudLab/frostfs-sdk-go/container"
 	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
 	"github.com/TrueCloudLab/frostfs-sdk-go/object"
 	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/TrueCloudLab/frostfs-sdk-go/version"
 )
 // BalanceOfPrm groups parameters of BalanceOf operation.
 type BalanceOfPrm struct {
 	commonPrm
 	client.PrmBalanceGet
 }
 // BalanceOfRes groups the resulting values of BalanceOf operation.
 type BalanceOfRes struct {
 	cliRes *client.ResBalanceGet
 }
 // Balance returns the current balance.
 func (x BalanceOfRes) Balance() accounting.Decimal {
 	return x.cliRes.Amount()
 }
 // BalanceOf requests the current balance of a FrostFS user.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func BalanceOf(prm BalanceOfPrm) (res BalanceOfRes, err error) {
 	res.cliRes, err = prm.cli.BalanceGet(context.Background(), prm.PrmBalanceGet)
 	return
 }
 // ListContainersPrm groups parameters of ListContainers operation.
 type ListContainersPrm struct {
 	commonPrm
 	client.PrmContainerList
 }
 // ListContainersRes groups the resulting values of ListContainers operation.
 type ListContainersRes struct {
 	cliRes *client.ResContainerList
 }
 // IDList returns list of identifiers of user's containers.
 func (x ListContainersRes) IDList() []cid.ID {
 	return x.cliRes.Containers()
 }
 // ListContainers requests a list of FrostFS user's containers.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func ListContainers(prm ListContainersPrm) (res ListContainersRes, err error) {
 	res.cliRes, err = prm.cli.ContainerList(context.Background(), prm.PrmContainerList)
 	return
 }
 // PutContainerPrm groups parameters of PutContainer operation.
 type PutContainerPrm struct {
 	commonPrm
 	client.PrmContainerPut
 }
 // PutContainerRes groups the resulting values of PutContainer operation.
 type PutContainerRes struct {
 	cnr cid.ID
 }
 // ID returns identifier of the created container.
 func (x PutContainerRes) ID() cid.ID {
 	return x.cnr
 }
 // PutContainer sends a request to save the container in FrostFS.
 //
 // Operation is asynchronous and not guaranteed even in the absence of errors.
 // The required time is also not predictable.
 //
 // Success can be verified by reading by identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func PutContainer(prm PutContainerPrm) (res PutContainerRes, err error) {
 	cliRes, err := prm.cli.ContainerPut(context.Background(), prm.PrmContainerPut)
 	if err == nil {
 		res.cnr = cliRes.ID()
 	}
 	return
 }
 // GetContainerPrm groups parameters of GetContainer operation.
 type GetContainerPrm struct {
 	commonPrm
 	cliPrm client.PrmContainerGet
 }
 // SetContainer sets identifier of the container to be read.
 func (x *GetContainerPrm) SetContainer(id cid.ID) {
 	x.cliPrm.SetContainer(id)
 }
 // GetContainerRes groups the resulting values of GetContainer operation.
 type GetContainerRes struct {
 	cliRes *client.ResContainerGet
 }
 // Container returns structured of the requested container.
 func (x GetContainerRes) Container() containerSDK.Container {
 	return x.cliRes.Container()
 }
 // GetContainer reads a container from FrostFS by ID.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func GetContainer(prm GetContainerPrm) (res GetContainerRes, err error) {
 	res.cliRes, err = prm.cli.ContainerGet(context.Background(), prm.cliPrm)
 	return
 }
 // IsACLExtendable checks if ACL of the container referenced by the given identifier
 // can be extended. Client connection MUST BE correctly established in advance.
 func IsACLExtendable(c *client.Client, cnr cid.ID) (bool, error) {
 	var prm GetContainerPrm
 	prm.SetClient(c)
 	prm.SetContainer(cnr)
 	res, err := GetContainer(prm)
 	if err != nil {
 		return false, fmt.Errorf("get container from the FrostFS: %w", err)
 	}
 	return res.Container().BasicACL().Extendable(), nil
 }
 // DeleteContainerPrm groups parameters of DeleteContainerPrm operation.
 type DeleteContainerPrm struct {
 	commonPrm
 	client.PrmContainerDelete
 }
 // DeleteContainerRes groups the resulting values of DeleteContainer operation.
 type DeleteContainerRes struct{}
 // DeleteContainer sends a request to remove a container from FrostFS by ID.
 //
 // Operation is asynchronous and not guaranteed even in the absence of errors.
 // The required time is also not predictable.
 //
 // Success can be verified by reading by identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func DeleteContainer(prm DeleteContainerPrm) (res DeleteContainerRes, err error) {
 	_, err = prm.cli.ContainerDelete(context.Background(), prm.PrmContainerDelete)
 	return
 }
 // EACLPrm groups parameters of EACL operation.
 type EACLPrm struct {
 	commonPrm
 	client.PrmContainerEACL
 }
 // EACLRes groups the resulting values of EACL operation.
 type EACLRes struct {
 	cliRes *client.ResContainerEACL
 }
 // EACL returns requested eACL table.
 func (x EACLRes) EACL() eacl.Table {
 	return x.cliRes.Table()
 }
 // EACL reads eACL table from FrostFS by container ID.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func EACL(prm EACLPrm) (res EACLRes, err error) {
 	res.cliRes, err = prm.cli.ContainerEACL(context.Background(), prm.PrmContainerEACL)
 	return
 }
 // SetEACLPrm groups parameters of SetEACL operation.
 type SetEACLPrm struct {
 	commonPrm
 	client.PrmContainerSetEACL
 }
 // SetEACLRes groups the resulting values of SetEACL operation.
 type SetEACLRes struct{}
 // SetEACL requests to save an eACL table in FrostFS.
 //
 // Operation is asynchronous and no guaranteed even in the absence of errors.
 // The required time is also not predictable.
 //
 // Success can be verified by reading by container identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func SetEACL(prm SetEACLPrm) (res SetEACLRes, err error) {
 	_, err = prm.cli.ContainerSetEACL(context.Background(), prm.PrmContainerSetEACL)
 	return
 }
 // NetworkInfoPrm groups parameters of NetworkInfo operation.
 type NetworkInfoPrm struct {
 	commonPrm
 	client.PrmNetworkInfo
 }
 // NetworkInfoRes groups the resulting values of NetworkInfo operation.
 type NetworkInfoRes struct {
 	cliRes *client.ResNetworkInfo
 }
 // NetworkInfo returns structured information about the FrostFS network.
 func (x NetworkInfoRes) NetworkInfo() netmap.NetworkInfo {
 	return x.cliRes.Info()
 }
 // NetworkInfo reads information about the FrostFS network.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func NetworkInfo(prm NetworkInfoPrm) (res NetworkInfoRes, err error) {
 	res.cliRes, err = prm.cli.NetworkInfo(context.Background(), prm.PrmNetworkInfo)
 	return
 }
 // NodeInfoPrm groups parameters of NodeInfo operation.
 type NodeInfoPrm struct {
 	commonPrm
 	client.PrmEndpointInfo
 }
 // NodeInfoRes groups the resulting values of NodeInfo operation.
 type NodeInfoRes struct {
 	cliRes *client.ResEndpointInfo
 }
 // NodeInfo returns information about the node from netmap.
 func (x NodeInfoRes) NodeInfo() netmap.NodeInfo {
 	return x.cliRes.NodeInfo()
 }
 // LatestVersion returns the latest FrostFS API version in use.
 func (x NodeInfoRes) LatestVersion() version.Version {
 	return x.cliRes.LatestVersion()
 }
 // NodeInfo requests information about the remote server from FrostFS netmap.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func NodeInfo(prm NodeInfoPrm) (res NodeInfoRes, err error) {
 	res.cliRes, err = prm.cli.EndpointInfo(context.Background(), prm.PrmEndpointInfo)
 	return
 }
 // NetMapSnapshotPrm groups parameters of NetMapSnapshot operation.
 type NetMapSnapshotPrm struct {
 	commonPrm
 }
 // NetMapSnapshotRes groups the resulting values of NetMapSnapshot operation.
 type NetMapSnapshotRes struct {
 	cliRes *client.ResNetMapSnapshot
 }
 // NetMap returns current local snapshot of the FrostFS network map.
 func (x NetMapSnapshotRes) NetMap() netmap.NetMap {
 	return x.cliRes.NetMap()
 }
 // NetMapSnapshot requests current network view of the remote server.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func NetMapSnapshot(prm NetMapSnapshotPrm) (res NetMapSnapshotRes, err error) {
 	res.cliRes, err = prm.cli.NetMapSnapshot(context.Background(), client.PrmNetMapSnapshot{})
 	return
 }
 // CreateSessionPrm groups parameters of CreateSession operation.
 type CreateSessionPrm struct {
 	commonPrm
 	client.PrmSessionCreate
 }
 // CreateSessionRes groups the resulting values of CreateSession operation.
 type CreateSessionRes struct {
 	cliRes *client.ResSessionCreate
 }
 // ID returns session identifier.
 func (x CreateSessionRes) ID() []byte {
 	return x.cliRes.ID()
 }
 // SessionKey returns public session key in a binary format.
 func (x CreateSessionRes) SessionKey() []byte {
 	return x.cliRes.PublicKey()
 }
 // CreateSession opens a new unlimited session with the remote node.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func CreateSession(prm CreateSessionPrm) (res CreateSessionRes, err error) {
 	res.cliRes, err = prm.cli.SessionCreate(context.Background(), prm.PrmSessionCreate)
 	return
 }
 // PutObjectPrm groups parameters of PutObject operation.
 type PutObjectPrm struct {
 	commonObjectPrm
 	hdr *object.Object
 	rdr io.Reader
 	headerCallback func(*object.Object)
 }
 // SetHeader sets object header.
 func (x *PutObjectPrm) SetHeader(hdr *object.Object) {
 	x.hdr = hdr
 }
 // SetPayloadReader sets reader of the object payload.
 func (x *PutObjectPrm) SetPayloadReader(rdr io.Reader) {
 	x.rdr = rdr
 }
 // SetHeaderCallback sets callback which is called on the object after the header is received
 // but before the payload is written.
 func (x *PutObjectPrm) SetHeaderCallback(f func(*object.Object)) {
 	x.headerCallback = f
 }
 // PutObjectRes groups the resulting values of PutObject operation.
 type PutObjectRes struct {
 	id oid.ID
 }
 // ID returns identifier of the created object.
 func (x PutObjectRes) ID() oid.ID {
 	return x.id
 }
 // PutObject saves the object in FrostFS network.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func PutObject(prm PutObjectPrm) (*PutObjectRes, error) {
 	var putPrm client.PrmObjectPutInit
 	if prm.sessionToken != nil {
 		putPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		putPrm.WithBearerToken(*prm.bearerToken)
 	}
 	if prm.local {
 		putPrm.MarkLocal()
 	}
 	putPrm.WithXHeaders(prm.xHeaders...)
 	wrt, err := prm.cli.ObjectPutInit(context.Background(), putPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object writing: %w", err)
 	}
 	if wrt.WriteHeader(*prm.hdr) {
 		if prm.headerCallback != nil {
 			prm.headerCallback(prm.hdr)
 		}
 		sz := prm.hdr.PayloadSize()
 		if data := prm.hdr.Payload(); len(data) > 0 {
 			if prm.rdr != nil {
 				prm.rdr = io.MultiReader(bytes.NewReader(data), prm.rdr)
 			} else {
 				prm.rdr = bytes.NewReader(data)
 				sz = uint64(len(data))
 			}
 		}
 		if prm.rdr != nil {
 			const defaultBufferSizePut = 3 << 20 // Maximum chunk size is 3 MiB in the SDK.
 			if sz == 0 || sz > defaultBufferSizePut {
 				sz = defaultBufferSizePut
 			}
 			buf := make([]byte, sz)
 			var n int
 			for {
 				n, err = prm.rdr.Read(buf)
 				if n > 0 {
 					if !wrt.WritePayloadChunk(buf[:n]) {
 						break
 					}
 					continue
 				}
 				if errors.Is(err, io.EOF) {
 					break
 				}
 				return nil, fmt.Errorf("read payload: %w", err)
 			}
 		}
 	}
 	cliRes, err := wrt.Close()
 	if err != nil { // here err already carries both status and client errors
 		return nil, fmt.Errorf("client failure: %w", err)
 	}
 	return &PutObjectRes{
 		id: cliRes.StoredObjectID(),
 	}, nil
 }
 // DeleteObjectPrm groups parameters of DeleteObject operation.
 type DeleteObjectPrm struct {
 	commonObjectPrm
 	objectAddressPrm
 }
 // DeleteObjectRes groups the resulting values of DeleteObject operation.
 type DeleteObjectRes struct {
 	tomb oid.ID
 }
 // Tombstone returns the ID of the created object with tombstone.
 func (x DeleteObjectRes) Tombstone() oid.ID {
 	return x.tomb
 }
 // DeleteObject marks an object to be removed from FrostFS through tombstone placement.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func DeleteObject(prm DeleteObjectPrm) (*DeleteObjectRes, error) {
 	var delPrm client.PrmObjectDelete
 	delPrm.FromContainer(prm.objAddr.Container())
 	delPrm.ByID(prm.objAddr.Object())
 	if prm.sessionToken != nil {
 		delPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		delPrm.WithBearerToken(*prm.bearerToken)
 	}
 	delPrm.WithXHeaders(prm.xHeaders...)
 	cliRes, err := prm.cli.ObjectDelete(context.Background(), delPrm)
 	if err != nil {
 		return nil, fmt.Errorf("remove object via client: %w", err)
 	}
 	return &DeleteObjectRes{
 		tomb: cliRes.Tombstone(),
 	}, nil
 }
 // GetObjectPrm groups parameters of GetObject operation.
 type GetObjectPrm struct {
 	commonObjectPrm
 	objectAddressPrm
 	rawPrm
 	payloadWriterPrm
 	headerCallback func(*object.Object)
 }
 // SetHeaderCallback sets callback which is called on the object after the header is received
 // but before the payload is written.
 func (p *GetObjectPrm) SetHeaderCallback(f func(*object.Object)) {
 	p.headerCallback = f
 }
 // GetObjectRes groups the resulting values of GetObject operation.
 type GetObjectRes struct {
 	hdr *object.Object
 }
 // Header returns the header of the request object.
 func (x GetObjectRes) Header() *object.Object {
 	return x.hdr
 }
 // GetObject reads an object by address.
 //
 // Interrupts on any writer error. If successful, payload is written to the writer.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
 func GetObject(prm GetObjectPrm) (*GetObjectRes, error) {
 	var getPrm client.PrmObjectGet
 	getPrm.FromContainer(prm.objAddr.Container())
 	getPrm.ByID(prm.objAddr.Object())
 	if prm.sessionToken != nil {
 		getPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		getPrm.WithBearerToken(*prm.bearerToken)
 	}
 	if prm.raw {
 		getPrm.MarkRaw()
 	}
 	if prm.local {
 		getPrm.MarkLocal()
 	}
 	getPrm.WithXHeaders(prm.xHeaders...)
 	rdr, err := prm.cli.ObjectGetInit(context.Background(), getPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object reading on client: %w", err)
 	}
 	var hdr object.Object
 	if !rdr.ReadHeader(&hdr) {
 		_, err = rdr.Close()
 		return nil, fmt.Errorf("read object header: %w", err)
 	}
 	if prm.headerCallback != nil {
 		prm.headerCallback(&hdr)
 	}
 	_, err = io.Copy(prm.wrt, rdr)
 	if err != nil {
 		return nil, fmt.Errorf("copy payload: %w", err)
 	}
 	return &GetObjectRes{
 		hdr: &hdr,
 	}, nil
 }
 // HeadObjectPrm groups parameters of HeadObject operation.
 type HeadObjectPrm struct {
 	commonObjectPrm
 	objectAddressPrm
 	rawPrm
 	mainOnly bool
 }
 // SetMainOnlyFlag sets flag to get only main fields of an object header in terms of FrostFS API.
 func (x *HeadObjectPrm) SetMainOnlyFlag(v bool) {
 	x.mainOnly = v
 }
 // HeadObjectRes groups the resulting values of HeadObject operation.
 type HeadObjectRes struct {
 	hdr *object.Object
 }
 // Header returns the requested object header.
 func (x HeadObjectRes) Header() *object.Object {
 	return x.hdr
 }
 // HeadObject reads an object header by address.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
 func HeadObject(prm HeadObjectPrm) (*HeadObjectRes, error) {
 	var cliPrm client.PrmObjectHead
 	cliPrm.FromContainer(prm.objAddr.Container())
 	cliPrm.ByID(prm.objAddr.Object())
 	if prm.sessionToken != nil {
 		cliPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		cliPrm.WithBearerToken(*prm.bearerToken)
 	}
 	if prm.raw {
 		cliPrm.MarkRaw()
 	}
 	if prm.local {
 		cliPrm.MarkLocal()
 	}
 	cliPrm.WithXHeaders(prm.xHeaders...)
 	res, err := prm.cli.ObjectHead(context.Background(), cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("read object header via client: %w", err)
 	}
 	var hdr object.Object
 	if !res.ReadHeader(&hdr) {
 		return nil, fmt.Errorf("missing header in response")
 	}
 	return &HeadObjectRes{
 		hdr: &hdr,
 	}, nil
 }
 // SearchObjectsPrm groups parameters of SearchObjects operation.
 type SearchObjectsPrm struct {
 	commonObjectPrm
 	containerIDPrm
 	filters object.SearchFilters
 }
 // SetFilters sets search filters.
 func (x *SearchObjectsPrm) SetFilters(filters object.SearchFilters) {
 	x.filters = filters
 }
 // SearchObjectsRes groups the resulting values of SearchObjects operation.
 type SearchObjectsRes struct {
 	ids []oid.ID
 }
 // IDList returns identifiers of the matched objects.
 func (x SearchObjectsRes) IDList() []oid.ID {
 	return x.ids
 }
 // SearchObjects selects objects from the container which match the filters.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 func SearchObjects(prm SearchObjectsPrm) (*SearchObjectsRes, error) {
 	var cliPrm client.PrmObjectSearch
 	cliPrm.InContainer(prm.cnrID)
 	cliPrm.SetFilters(prm.filters)
 	if prm.sessionToken != nil {
 		cliPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		cliPrm.WithBearerToken(*prm.bearerToken)
 	}
 	if prm.local {
 		cliPrm.MarkLocal()
 	}
 	cliPrm.WithXHeaders(prm.xHeaders...)
 	rdr, err := prm.cli.ObjectSearchInit(context.Background(), cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object search: %w", err)
 	}
 	buf := make([]oid.ID, 10)
 	var list []oid.ID
 	var n int
 	var ok bool
 	for {
 		n, ok = rdr.Read(buf)
 		for i := 0; i < n; i++ {
 			list = append(list, buf[i])
 		}
 		if !ok {
 			break
 		}
 	}
 	_, err = rdr.Close()
 	if err != nil {
 		return nil, fmt.Errorf("read object list: %w", err)
 	}
 	return &SearchObjectsRes{
 		ids: list,
 	}, nil
 }
 // HashPayloadRangesPrm groups parameters of HashPayloadRanges operation.
 type HashPayloadRangesPrm struct {
 	commonObjectPrm
 	objectAddressPrm
 	tz bool
 	rngs []*object.Range
 	salt []byte
 }
 // TZ sets flag to request Tillich-Zemor hashes.
 func (x *HashPayloadRangesPrm) TZ() {
 	x.tz = true
 }
 // SetRanges sets a list of payload ranges to hash.
 func (x *HashPayloadRangesPrm) SetRanges(rngs []*object.Range) {
 	x.rngs = rngs
 }
 // SetSalt sets data for each range to be XOR'ed with.
 func (x *HashPayloadRangesPrm) SetSalt(salt []byte) {
 	x.salt = salt
 }
 // HashPayloadRangesRes groups the resulting values of HashPayloadRanges operation.
 type HashPayloadRangesRes struct {
 	cliRes *client.ResObjectHash
 }
 // HashList returns a list of hashes of the payload ranges keeping order.
 func (x HashPayloadRangesRes) HashList() [][]byte {
 	return x.cliRes.Checksums()
 }
 // HashPayloadRanges requests hashes (by default SHA256) of the object payload ranges.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // Returns an error if number of received hashes differs with the number of requested ranges.
 func HashPayloadRanges(prm HashPayloadRangesPrm) (*HashPayloadRangesRes, error) {
 	var cliPrm client.PrmObjectHash
 	cliPrm.FromContainer(prm.objAddr.Container())
 	cliPrm.ByID(prm.objAddr.Object())
 	if prm.local {
 		cliPrm.MarkLocal()
 	}
 	cliPrm.UseSalt(prm.salt)
 	rngs := make([]uint64, 2*len(prm.rngs))
 	for i := range prm.rngs {
 		rngs[2*i] = prm.rngs[i].GetOffset()
 		rngs[2*i+1] = prm.rngs[i].GetLength()
 	}
 	cliPrm.SetRangeList(rngs...)
 	if prm.tz {
 		cliPrm.TillichZemorAlgo()
 	}
 	if prm.sessionToken != nil {
 		cliPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		cliPrm.WithBearerToken(*prm.bearerToken)
 	}
 	cliPrm.WithXHeaders(prm.xHeaders...)
 	res, err := prm.cli.ObjectHash(context.Background(), cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("read payload hashes via client: %w", err)
 	}
 	return &HashPayloadRangesRes{
 		cliRes: res,
 	}, nil
 }
 // PayloadRangePrm groups parameters of PayloadRange operation.
 type PayloadRangePrm struct {
 	commonObjectPrm
 	objectAddressPrm
 	rawPrm
 	payloadWriterPrm
 	rng *object.Range
 }
 // SetRange sets payload range to read.
 func (x *PayloadRangePrm) SetRange(rng *object.Range) {
 	x.rng = rng
 }
 // PayloadRangeRes groups the resulting values of PayloadRange operation.
 type PayloadRangeRes struct{}
 // PayloadRange reads object payload range from FrostFS and writes it to the specified writer.
 //
 // Interrupts on any writer error.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
 func PayloadRange(prm PayloadRangePrm) (*PayloadRangeRes, error) {
 	var cliPrm client.PrmObjectRange
 	cliPrm.FromContainer(prm.objAddr.Container())
 	cliPrm.ByID(prm.objAddr.Object())
 	if prm.sessionToken != nil {
 		cliPrm.WithinSession(*prm.sessionToken)
 	}
 	if prm.bearerToken != nil {
 		cliPrm.WithBearerToken(*prm.bearerToken)
 	}
 	if prm.raw {
 		cliPrm.MarkRaw()
 	}
 	if prm.local {
 		cliPrm.MarkLocal()
 	}
 	cliPrm.SetOffset(prm.rng.GetOffset())
 	cliPrm.SetLength(prm.rng.GetLength())
 	cliPrm.WithXHeaders(prm.xHeaders...)
 	rdr, err := prm.cli.ObjectRangeInit(context.Background(), cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init payload reading: %w", err)
 	}
 	_, err = io.Copy(prm.wrt, rdr)
 	if err != nil {
 		return nil, fmt.Errorf("copy payload: %w", err)
 	}
 	return new(PayloadRangeRes), nil
 }
 // SyncContainerPrm groups parameters of SyncContainerSettings operation.
 type SyncContainerPrm struct {
 	commonPrm
 	c *containerSDK.Container
 }
 // SetContainer sets a container that is required to be synced.
 func (s *SyncContainerPrm) SetContainer(c *containerSDK.Container) {
 	s.c = c
 }
 // SyncContainerRes groups resulting values of SyncContainerSettings
 // operation.
 type SyncContainerRes struct{}
 // SyncContainerSettings reads global network config from FrostFS and
 // syncs container settings with it.
 //
 // Interrupts on any writer error.
 //
 // Panics if a container passed as a parameter is nil.
 func SyncContainerSettings(prm SyncContainerPrm) (*SyncContainerRes, error) {
 	if prm.c == nil {
 		panic("sync container settings with the network: nil container")
 	}
 	err := client.SyncContainerWithNetwork(context.Background(), prm.c, prm.cli)
 	if err != nil {
 		return nil, err
 	}
 	return new(SyncContainerRes), nil
 }
--- a/cmd/frostfs-cli/internal/client/doc.go
+++ b/cmd/frostfs-cli/internal/client/doc.go
@ -0,0 +1,15 @@
 // Package internal provides functionality for FrostFS CLI application
 // communication with FrostFS network.
 //
 // The base client for accessing remote nodes via FrostFS API is a FrostFS SDK
 // Go API client. However, although it encapsulates a useful piece of business
 // logic (e.g. the signature mechanism), the FrostFS CLI application does not
 // fully use the client's flexible interface.
 //
 // In this regard, this package provides functions over base API client
 // necessary for the application. This allows you to concentrate the entire
 // spectrum of the client's use in one place (this will be convenient both when
 // updating the base client and for evaluating the UX of SDK library). So it is
 // expected that all application packages will be limited to this package for
 // the development of functionality requiring FrostFS API communication.
 package internal
--- a/cmd/frostfs-cli/internal/client/prm.go
+++ b/cmd/frostfs-cli/internal/client/prm.go
@ -0,0 +1,92 @@
 package internal
 import (
 	"io"
 	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
 	"github.com/TrueCloudLab/frostfs-sdk-go/client"
 	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
 	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
 	"github.com/TrueCloudLab/frostfs-sdk-go/session"
 )
 // here are small structures with public setters to share between parameter structures
 type commonPrm struct {
 	cli *client.Client
 }
 // SetClient sets the base client for FrostFS API communication.
 func (x *commonPrm) SetClient(cli *client.Client) {
 	x.cli = cli
 }
 type containerIDPrm struct {
 	cnrID cid.ID
 }
 // SetContainerID sets the container identifier.
 func (x *containerIDPrm) SetContainerID(id cid.ID) {
 	x.cnrID = id
 }
 type bearerTokenPrm struct {
 	bearerToken *bearer.Token
 }
 // SetBearerToken sets the bearer token to be attached to the request.
 func (x *bearerTokenPrm) SetBearerToken(tok *bearer.Token) {
 	x.bearerToken = tok
 }
 type objectAddressPrm struct {
 	objAddr oid.Address
 }
 func (x *objectAddressPrm) SetAddress(addr oid.Address) {
 	x.objAddr = addr
 }
 type rawPrm struct {
 	raw bool
 }
 // SetRawFlag sets flag of raw request.
 func (x *rawPrm) SetRawFlag(raw bool) {
 	x.raw = raw
 }
 type payloadWriterPrm struct {
 	wrt io.Writer
 }
 // SetPayloadWriter sets the writer of the object payload.
 func (x *payloadWriterPrm) SetPayloadWriter(wrt io.Writer) {
 	x.wrt = wrt
 }
 type commonObjectPrm struct {
 	commonPrm
 	bearerTokenPrm
 	sessionToken *session.Object
 	local bool
 	xHeaders []string
 }
 // SetTTL sets request TTL value.
 func (x *commonObjectPrm) SetTTL(ttl uint32) {
 	x.local = ttl < 2
 }
 // SetXHeaders sets request X-Headers.
 func (x *commonObjectPrm) SetXHeaders(hs []string) {
 	x.xHeaders = hs
 }
 // SetSessionToken sets the token of the session within which the request should be sent.
 func (x *commonObjectPrm) SetSessionToken(tok *session.Object) {
 	x.sessionToken = tok
 }
--- a/cmd/frostfs-cli/internal/client/sdk.go
+++ b/cmd/frostfs-cli/internal/client/sdk.go
@ -0,0 +1,96 @@
 package internal
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"errors"
 	"fmt"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-node/pkg/network"
 	"github.com/TrueCloudLab/frostfs-sdk-go/client"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var errInvalidEndpoint = errors.New("provided RPC endpoint is incorrect")
 // GetSDKClientByFlag returns default frostfs-sdk-go client using the specified flag for the address.
 // On error, outputs to stderr of cmd and exits with non-zero code.
 func GetSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag string) *client.Client {
 	cli, err := getSDKClientByFlag(cmd, key, endpointFlag)
 	if err != nil {
 		commonCmd.ExitOnErr(cmd, "can't create API client: %w", err)
 	}
 	return cli
 }
 func getSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag string) (*client.Client, error) {
 	var addr network.Address
 	err := addr.FromString(viper.GetString(endpointFlag))
 	if err != nil {
 		return nil, fmt.Errorf("%v: %w", errInvalidEndpoint, err)
 	}
 	return GetSDKClient(cmd, key, addr)
 }
 // GetSDKClient returns default frostfs-sdk-go client.
 func GetSDKClient(cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Address) (*client.Client, error) {
 	var (
 		c       client.Client
 		prmInit client.PrmInit
 		prmDial client.PrmDial
 	)
 	prmInit.SetDefaultPrivateKey(*key)
 	prmInit.ResolveNeoFSFailures()
 	prmDial.SetServerURI(addr.URIAddr())
 	if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {
 		// In CLI we can only set a timeout for the whole operation.
 		// By also setting stream timeout we ensure that no operation hands
 		// for too long.
 		prmDial.SetTimeout(timeout)
 		prmDial.SetStreamTimeout(timeout)
 		common.PrintVerbose(cmd, "Set request timeout to %s.", timeout)
 	}
 	c.Init(prmInit)
 	if err := c.Dial(prmDial); err != nil {
 		return nil, fmt.Errorf("can't init SDK client: %w", err)
 	}
 	return &c, nil
 }
 // GetCurrentEpoch returns current epoch.
 func GetCurrentEpoch(ctx context.Context, cmd *cobra.Command, endpoint string) (uint64, error) {
 	var addr network.Address
 	if err := addr.FromString(endpoint); err != nil {
 		return 0, fmt.Errorf("can't parse RPC endpoint: %w", err)
 	}
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return 0, fmt.Errorf("can't generate key to sign query: %w", err)
 	}
 	c, err := GetSDKClient(cmd, key, addr)
 	if err != nil {
 		return 0, err
 	}
 	ni, err := c.NetworkInfo(ctx, client.PrmNetworkInfo{})
 	if err != nil {
 		return 0, err
 	}
 	return ni.Info().CurrentEpoch(), nil
 }
--- a/cmd/frostfs-cli/internal/common/eacl.go
+++ b/cmd/frostfs-cli/internal/common/eacl.go
@ -0,0 +1,50 @@
 package common
 import (
 	"errors"
 	"os"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-node/pkg/core/version"
 	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	versionSDK "github.com/TrueCloudLab/frostfs-sdk-go/version"
 	"github.com/spf13/cobra"
 )
 var errUnsupportedEACLFormat = errors.New("unsupported eACL format")
 // ReadEACL reads extended ACL table from eaclPath.
 func ReadEACL(cmd *cobra.Command, eaclPath string) *eacl.Table {
 	_, err := os.Stat(eaclPath) // check if `eaclPath` is an existing file
 	if err != nil {
 		commonCmd.ExitOnErr(cmd, "", errors.New("incorrect path to file with EACL"))
 	}
 	PrintVerbose(cmd, "Reading EACL from file: %s", eaclPath)
 	data, err := os.ReadFile(eaclPath)
 	commonCmd.ExitOnErr(cmd, "can't read file with EACL: %w", err)
 	table := eacl.NewTable()
 	if err = table.UnmarshalJSON(data); err == nil {
 		validateAndFixEACLVersion(table)
 		PrintVerbose(cmd, "Parsed JSON encoded EACL table")
 		return table
 	}
 	if err = table.Unmarshal(data); err == nil {
 		validateAndFixEACLVersion(table)
 		PrintVerbose(cmd, "Parsed binary encoded EACL table")
 		return table
 	}
 	commonCmd.ExitOnErr(cmd, "", errUnsupportedEACLFormat)
 	return nil
 }
 func validateAndFixEACLVersion(table *eacl.Table) {
 	if !version.IsValid(table.Version()) {
 		table.SetVersion(versionSDK.Current())
 	}
 }
--- a/cmd/frostfs-cli/internal/common/epoch.go
+++ b/cmd/frostfs-cli/internal/common/epoch.go
@ -0,0 +1,28 @@
 package common
 import (
 	"fmt"
 	"strconv"
 	"github.com/spf13/cobra"
 )
 // ParseEpoch parses epoch argument. Second return value is true if
 // the specified epoch is relative, and false otherwise.
 func ParseEpoch(cmd *cobra.Command, flag string) (uint64, bool, error) {
 	s, _ := cmd.Flags().GetString(flag)
 	if len(s) == 0 {
 		return 0, false, nil
 	}
 	relative := s[0] == '+'
 	if relative {
 		s = s[1:]
 	}
 	epoch, err := strconv.ParseUint(s, 10, 64)
 	if err != nil {
 		return 0, relative, fmt.Errorf("can't parse epoch for %s argument: %w", flag, err)
 	}
 	return epoch, relative, nil
 }
--- a/cmd/frostfs-cli/internal/common/json.go
+++ b/cmd/frostfs-cli/internal/common/json.go
@ -0,0 +1,23 @@
 package common
 import (
 	"bytes"
 	"encoding/json"
 	"github.com/spf13/cobra"
 )
 // PrettyPrintJSON prints m as an indented JSON to the cmd output.
 func PrettyPrintJSON(cmd *cobra.Command, m json.Marshaler, entity string) {
 	data, err := m.MarshalJSON()
 	if err != nil {
 		PrintVerbose(cmd, "Can't convert %s to json: %w", entity, err)
 		return
 	}
 	buf := new(bytes.Buffer)
 	if err := json.Indent(buf, data, "", "  "); err != nil {
 		PrintVerbose(cmd, "Can't pretty print json: %w", err)
 		return
 	}
 	cmd.Println(buf)
 }
--- a/cmd/frostfs-cli/internal/common/token.go
+++ b/cmd/frostfs-cli/internal/common/token.go
@ -0,0 +1,67 @@
 package common
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
 	"github.com/spf13/cobra"
 )
 // ReadBearerToken reads bearer token from the path provided in a specified flag.
 func ReadBearerToken(cmd *cobra.Command, flagname string) *bearer.Token {
 	path, err := cmd.Flags().GetString(flagname)
 	commonCmd.ExitOnErr(cmd, "", err)
 	if len(path) == 0 {
 		return nil
 	}
 	PrintVerbose(cmd, "Reading bearer token from file [%s]...", path)
 	var tok bearer.Token
 	err = ReadBinaryOrJSON(cmd, &tok, path)
 	commonCmd.ExitOnErr(cmd, "invalid bearer token: %v", err)
 	return &tok
 }
 // BinaryOrJSON is an interface of entities which provide json.Unmarshaler
 // and FrostFS binary decoder.
 type BinaryOrJSON interface {
 	Unmarshal([]byte) error
 	json.Unmarshaler
 }
 // ReadBinaryOrJSON reads file data using provided path and decodes
 // BinaryOrJSON from the data.
 func ReadBinaryOrJSON(cmd *cobra.Command, dst BinaryOrJSON, fPath string) error {
 	PrintVerbose(cmd, "Reading file [%s]...", fPath)
 	// try to read session token from file
 	data, err := os.ReadFile(fPath)
 	if err != nil {
 		return fmt.Errorf("read file <%s>: %w", fPath, err)
 	}
 	PrintVerbose(cmd, "Trying to decode binary...")
 	err = dst.Unmarshal(data)
 	if err != nil {
 		PrintVerbose(cmd, "Failed to decode binary: %v", err)
 		PrintVerbose(cmd, "Trying to decode JSON...")
 		err = dst.UnmarshalJSON(data)
 		if err != nil {
 			PrintVerbose(cmd, "Failed to decode JSON: %v", err)
 			return errors.New("invalid format")
 		}
 	}
 	return nil
 }
--- a/cmd/frostfs-cli/internal/common/verbose.go
+++ b/cmd/frostfs-cli/internal/common/verbose.go
@ -0,0 +1,46 @@
 package common
 import (
 	"encoding/hex"
 	"strconv"
 	"time"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/TrueCloudLab/frostfs-sdk-go/checksum"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // PrintVerbose prints to the stdout if the commonflags.Verbose flag is on.
 func PrintVerbose(cmd *cobra.Command, format string, a ...any) {
 	if viper.GetBool(commonflags.Verbose) {
 		cmd.Printf(format+"\n", a...)
 	}
 }
 // PrettyPrintUnixTime interprets s as unix timestamp and prints it as
 // a date. Is s is invalid, "malformed" is returned.
 func PrettyPrintUnixTime(s string) string {
 	unixTime, err := strconv.ParseInt(s, 10, 64)
 	if err != nil {
 		return "malformed"
 	}
 	timestamp := time.Unix(unixTime, 0)
 	return timestamp.String()
 }
 // PrintChecksum prints checksum.
 func PrintChecksum(cmd *cobra.Command, name string, recv func() (checksum.Checksum, bool)) {
 	var strVal string
 	cs, csSet := recv()
 	if csSet {
 		strVal = hex.EncodeToString(cs.Value())
 	} else {
 		strVal = "<empty>"
 	}
 	cmd.Printf("%s: %s\n", name, strVal)
 }
--- a/cmd/frostfs-cli/internal/commonflags/api.go
+++ b/cmd/frostfs-cli/internal/commonflags/api.go
@ -0,0 +1,33 @@
 package commonflags
 import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	TTL          = "ttl"
 	TTLShorthand = ""
 	TTLDefault   = 2
 	TTLUsage     = "TTL value in request meta header"
 	XHeadersKey       = "xhdr"
 	XHeadersShorthand = "x"
 	XHeadersUsage     = "Request X-Headers in form of Key=Value"
 )
 // InitAPI inits common flags for storage node services.
 func InitAPI(cmd *cobra.Command) {
 	ff := cmd.Flags()
 	ff.StringSliceP(XHeadersKey, XHeadersShorthand, []string{}, XHeadersUsage)
 	ff.Uint32P(TTL, TTLShorthand, TTLDefault, TTLUsage)
 }
 // BindAPI binds API flags of storage node services to the viper.
 func BindAPI(cmd *cobra.Command) {
 	ff := cmd.Flags()
 	_ = viper.BindPFlag(TTL, ff.Lookup(TTL))
 	_ = viper.BindPFlag(XHeadersKey, ff.Lookup(XHeadersKey))
 }
--- a/cmd/frostfs-cli/internal/commonflags/expiration.go
+++ b/cmd/frostfs-cli/internal/commonflags/expiration.go
@ -0,0 +1,9 @@
 package commonflags
 const (
 	// ExpireAt is a flag for setting last epoch of an object or a token.
 	ExpireAt = "expire-at"
 	// Lifetime is a flag for setting the lifetime of an object or a token,
 	// starting from the current epoch.
 	Lifetime = "lifetime"
 )
--- a/cmd/frostfs-cli/internal/commonflags/flags.go
+++ b/cmd/frostfs-cli/internal/commonflags/flags.go
@ -0,0 +1,84 @@
 package commonflags
 import (
 	"time"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // Common CLI flag keys, shorthands, default
 // values and their usage descriptions.
 const (
 	GenerateKey          = "generate-key"
 	generateKeyShorthand = "g"
 	generateKeyDefault   = false
 	generateKeyUsage     = "Generate new private key"
 	WalletPath          = "wallet"
 	WalletPathShorthand = "w"
 	WalletPathDefault   = ""
 	WalletPathUsage     = "Path to the wallet or binary key"
 	Account          = "address"
 	AccountShorthand = ""
 	AccountDefault   = ""
 	AccountUsage     = "Address of wallet account"
 	RPC          = "rpc-endpoint"
 	RPCShorthand = "r"
 	RPCDefault   = ""
 	RPCUsage     = "Remote node address (as 'multiaddr' or '<host>:<port>')"
 	Timeout          = "timeout"
 	TimeoutShorthand = "t"
 	TimeoutDefault   = 15 * time.Second
 	TimeoutUsage     = "Timeout for an operation"
 	Verbose          = "verbose"
 	VerboseShorthand = "v"
 	VerboseUsage     = "Verbose output"
 	ForceFlag          = "force"
 	ForceFlagShorthand = "f"
 	CIDFlag      = "cid"
 	CIDFlagUsage = "Container ID."
 	OIDFlag      = "oid"
 	OIDFlagUsage = "Object ID."
 )
 // Init adds common flags to the command:
 // - GenerateKey,
 // - WalletPath,
 // - Account,
 // - RPC,
 // - Timeout.
 func Init(cmd *cobra.Command) {
 	InitWithoutRPC(cmd)
 	ff := cmd.Flags()
 	ff.StringP(RPC, RPCShorthand, RPCDefault, RPCUsage)
 	ff.DurationP(Timeout, TimeoutShorthand, TimeoutDefault, TimeoutUsage)
 }
 // InitWithoutRPC is similar to Init but doesn't create the RPC flag.
 func InitWithoutRPC(cmd *cobra.Command) {
 	ff := cmd.Flags()
 	ff.BoolP(GenerateKey, generateKeyShorthand, generateKeyDefault, generateKeyUsage)
 	ff.StringP(WalletPath, WalletPathShorthand, WalletPathDefault, WalletPathUsage)
 	ff.StringP(Account, AccountShorthand, AccountDefault, AccountUsage)
 }
 // Bind binds common command flags to the viper.
 func Bind(cmd *cobra.Command) {
 	ff := cmd.Flags()
 	_ = viper.BindPFlag(GenerateKey, ff.Lookup(GenerateKey))
 	_ = viper.BindPFlag(WalletPath, ff.Lookup(WalletPath))
 	_ = viper.BindPFlag(Account, ff.Lookup(Account))
 	_ = viper.BindPFlag(RPC, ff.Lookup(RPC))
 	_ = viper.BindPFlag(Timeout, ff.Lookup(Timeout))
 }
--- a/cmd/frostfs-cli/internal/commonflags/json.go
+++ b/cmd/frostfs-cli/internal/commonflags/json.go
@ -0,0 +1,3 @@
 package commonflags
 const JSON = "json"
--- a/cmd/frostfs-cli/internal/commonflags/session.go
+++ b/cmd/frostfs-cli/internal/commonflags/session.go
@ -0,0 +1,19 @@
 package commonflags
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 )
 const SessionToken = "session"
 // InitSession registers SessionToken flag representing file path to the token of
 // the session with the given name. Supports FrostFS-binary and JSON files.
 func InitSession(cmd *cobra.Command, name string) {
 	cmd.Flags().String(
 		SessionToken,
 		"",
 		fmt.Sprintf("Filepath to a JSON- or binary-encoded token of the %s session", name),
 	)
 }
--- a/cmd/frostfs-cli/internal/key/key_test.go
+++ b/cmd/frostfs-cli/internal/key/key_test.go
@ -0,0 +1,126 @@
 package key
 import (
 	"bytes"
 	"io"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/term"
 )
 var testCmd = &cobra.Command{
 	Use:   "test",
 	Short: "test",
 	Run:   func(cmd *cobra.Command, args []string) {},
 }
 func Test_getOrGenerate(t *testing.T) {
 	dir := t.TempDir()
 	wallPath := filepath.Join(dir, "wallet.json")
 	w, err := wallet.NewWallet(wallPath)
 	require.NoError(t, err)
 	badWallPath := filepath.Join(dir, "bad_wallet.json")
 	require.NoError(t, os.WriteFile(badWallPath, []byte("bad content"), os.ModePerm))
 	acc1, err := wallet.NewAccount()
 	require.NoError(t, err)
 	require.NoError(t, acc1.Encrypt("pass", keys.NEP2ScryptParams()))
 	w.AddAccount(acc1)
 	acc2, err := wallet.NewAccount()
 	require.NoError(t, err)
 	require.NoError(t, acc2.Encrypt("pass", keys.NEP2ScryptParams()))
 	acc2.Default = true
 	w.AddAccount(acc2)
 	require.NoError(t, w.Save())
 	keyPath := filepath.Join(dir, "binary.key")
 	rawKey, err := keys.NewPrivateKey()
 	require.NoError(t, err)
 	require.NoError(t, os.WriteFile(keyPath, rawKey.Bytes(), os.ModePerm))
 	wifKey, err := keys.NewPrivateKey()
 	require.NoError(t, err)
 	nep2Key, err := keys.NewPrivateKey()
 	require.NoError(t, err)
 	nep2, err := keys.NEP2Encrypt(nep2Key, "pass", keys.NEP2ScryptParams())
 	require.NoError(t, err)
 	in := bytes.NewBuffer(nil)
 	input.Terminal = term.NewTerminal(input.ReadWriter{
 		Reader: in,
 		Writer: io.Discard,
 	}, "")
 	checkKeyError(t, filepath.Join(dir, "badfile"), ErrFs)
 	checkKeyError(t, badWallPath, ErrInvalidKey)
 	t.Run("wallet", func(t *testing.T) {
 		checkKeyError(t, wallPath, ErrInvalidPassword)
 		in.WriteString("invalid\r")
 		checkKeyError(t, wallPath, ErrInvalidPassword)
 		in.WriteString("pass\r")
 		checkKey(t, wallPath, acc2.PrivateKey()) // default account
 		viper.Set(commonflags.Account, acc1.Address)
 		in.WriteString("pass\r")
 		checkKey(t, wallPath, acc1.PrivateKey())
 		viper.Set(commonflags.Account, "not an address")
 		checkKeyError(t, wallPath, ErrInvalidAddress)
 		acc, err := wallet.NewAccount()
 		require.NoError(t, err)
 		viper.Set(commonflags.Account, acc.Address)
 		checkKeyError(t, wallPath, ErrInvalidAddress)
 	})
 	t.Run("WIF", func(t *testing.T) {
 		checkKeyError(t, wifKey.WIF(), ErrFs)
 	})
 	t.Run("NEP-2", func(t *testing.T) {
 		checkKeyError(t, nep2, ErrFs)
 	})
 	t.Run("raw key", func(t *testing.T) {
 		checkKey(t, keyPath, rawKey)
 	})
 	t.Run("generate", func(t *testing.T) {
 		viper.Set(commonflags.GenerateKey, true)
 		actual, err := getOrGenerate(testCmd)
 		require.NoError(t, err)
 		require.NotNil(t, actual)
 		for _, p := range []*keys.PrivateKey{nep2Key, rawKey, wifKey, acc1.PrivateKey(), acc2.PrivateKey()} {
 			require.NotEqual(t, p, actual, "expected new key to be generated")
 		}
 	})
 }
 func checkKeyError(t *testing.T, desc string, err error) {
 	viper.Set(commonflags.WalletPath, desc)
 	_, actualErr := getOrGenerate(testCmd)
 	require.ErrorIs(t, actualErr, err)
 }
 func checkKey(t *testing.T, desc string, expected *keys.PrivateKey) {
 	viper.Set(commonflags.WalletPath, desc)
 	actual, err := getOrGenerate(testCmd)
 	require.NoError(t, err)
 	require.Equal(t, &expected.PrivateKey, actual)
 }
--- a/cmd/frostfs-cli/internal/key/raw.go
+++ b/cmd/frostfs-cli/internal/key/raw.go
@ -0,0 +1,62 @@
 package key
 import (
 	"crypto/ecdsa"
 	"errors"
 	"fmt"
 	"os"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var errCantGenerateKey = errors.New("can't generate new private key")
 // Get returns private key from wallet or binary file.
 // Ideally we want to touch file-system on the last step.
 // This function assumes that all flags were bind to viper in a `PersistentPreRun`.
 func Get(cmd *cobra.Command) *ecdsa.PrivateKey {
 	pk, err := get(cmd)
 	commonCmd.ExitOnErr(cmd, "can't fetch private key: %w", err)
 	return pk
 }
 func get(cmd *cobra.Command) (*ecdsa.PrivateKey, error) {
 	keyDesc := viper.GetString(commonflags.WalletPath)
 	data, err := os.ReadFile(keyDesc)
 	if err != nil {
 		return nil, fmt.Errorf("%w: %v", ErrFs, err)
 	}
 	priv, err := keys.NewPrivateKeyFromBytes(data)
 	if err != nil {
 		w, err := wallet.NewWalletFromFile(keyDesc)
 		if err == nil {
 			return FromWallet(cmd, w, viper.GetString(commonflags.Account))
 		}
 		return nil, fmt.Errorf("%w: %v", ErrInvalidKey, err)
 	}
 	return &priv.PrivateKey, nil
 }
 // GetOrGenerate is similar to get but generates a new key if commonflags.GenerateKey is set.
 func GetOrGenerate(cmd *cobra.Command) *ecdsa.PrivateKey {
 	pk, err := getOrGenerate(cmd)
 	commonCmd.ExitOnErr(cmd, "can't fetch private key: %w", err)
 	return pk
 }
 func getOrGenerate(cmd *cobra.Command) (*ecdsa.PrivateKey, error) {
 	if viper.GetBool(commonflags.GenerateKey) {
 		priv, err := keys.NewPrivateKey()
 		if err != nil {
 			return nil, fmt.Errorf("%w: %v", errCantGenerateKey, err)
 		}
 		return &priv.PrivateKey, nil
 	}
 	return get(cmd)
 }
--- a/cmd/frostfs-cli/internal/key/wallet.go
+++ b/cmd/frostfs-cli/internal/key/wallet.go
@ -0,0 +1,70 @@
 package key
 import (
 	"crypto/ecdsa"
 	"errors"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
 	"github.com/nspcc-dev/neo-go/cli/flags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // Key-related errors.
 var (
 	ErrFs              = errors.New("unable to read file from given path")
 	ErrInvalidKey      = errors.New("provided key is incorrect, only wallet or binary key supported")
 	ErrInvalidAddress  = errors.New("--address option must be specified and valid")
 	ErrInvalidPassword = errors.New("invalid password for the encrypted key")
 )
 // FromWallet returns private key of the wallet account.
 func FromWallet(cmd *cobra.Command, w *wallet.Wallet, addrStr string) (*ecdsa.PrivateKey, error) {
 	var (
 		addr util.Uint160
 		err  error
 	)
 	if addrStr == "" {
 		common.PrintVerbose(cmd, "Using default wallet address")
 		addr = w.GetChangeAddress()
 	} else {
 		addr, err = flags.ParseAddress(addrStr)
 		if err != nil {
 			common.PrintVerbose(cmd, "Can't parse address: %s", addrStr)
 			return nil, ErrInvalidAddress
 		}
 	}
 	acc := w.GetAccount(addr)
 	if acc == nil {
 		common.PrintVerbose(cmd, "Can't find wallet account for %s", addrStr)
 		return nil, ErrInvalidAddress
 	}
 	pass, err := getPassword()
 	if err != nil {
 		common.PrintVerbose(cmd, "Can't read password: %v", err)
 		return nil, ErrInvalidPassword
 	}
 	if err := acc.Decrypt(pass, keys.NEP2ScryptParams()); err != nil {
 		common.PrintVerbose(cmd, "Can't decrypt account: %v", err)
 		return nil, ErrInvalidPassword
 	}
 	return &acc.PrivateKey().PrivateKey, nil
 }
 func getPassword() (string, error) {
 	// this check allows empty passwords
 	if viper.IsSet("password") {
 		return viper.GetString("password"), nil
 	}
 	return input.ReadPassword("Enter password > ")
 }
--- a/cmd/frostfs-cli/main.go
+++ b/cmd/frostfs-cli/main.go
@ -0,0 +1,7 @@
 package main
 import cmd "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules"
 func main() {
 	cmd.Execute()
 }
--- a/cmd/frostfs-cli/modules/accounting/balance.go
+++ b/cmd/frostfs-cli/modules/accounting/balance.go
@ -0,0 +1,70 @@
 package accounting
 import (
 	"math/big"
 	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-node/pkg/util/precision"
 	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
 	"github.com/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 const (
 	ownerFlag = "owner"
 )
 var accountingBalanceCmd = &cobra.Command{
 	Use:   "balance",
 	Short: "Get internal balance of FrostFS account",
 	Long:  `Get internal balance of FrostFS account`,
 	Run: func(cmd *cobra.Command, args []string) {
 		var idUser user.ID
 		pk := key.GetOrGenerate(cmd)
 		balanceOwner, _ := cmd.Flags().GetString(ownerFlag)
 		if balanceOwner == "" {
 			user.IDFromKey(&idUser, pk.PublicKey)
 		} else {
 			commonCmd.ExitOnErr(cmd, "can't decode owner ID wallet address: %w", idUser.DecodeString(balanceOwner))
 		}
 		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
 		var prm internalclient.BalanceOfPrm
 		prm.SetClient(cli)
 		prm.SetAccount(idUser)
 		res, err := internalclient.BalanceOf(prm)
 		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
 		// print to stdout
 		prettyPrintDecimal(cmd, res.Balance())
 	},
 }
 func initAccountingBalanceCmd() {
 	ff := accountingBalanceCmd.Flags()
 	ff.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
 	ff.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
 	ff.StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
 	ff.String(ownerFlag, "", "owner of balance account (omit to use owner from private key)")
 }
 func prettyPrintDecimal(cmd *cobra.Command, decimal accounting.Decimal) {
 	if viper.GetBool(commonflags.Verbose) {
 		cmd.Println("value:", decimal.Value())
 		cmd.Println("precision:", decimal.Precision())
 	} else {
 		amountF8 := precision.Convert(decimal.Precision(), 8, big.NewInt(decimal.Value()))
 		cmd.Println(fixedn.ToString(amountF8, 8))
 	}
 }
--- a/cmd/frostfs-cli/modules/accounting/root.go
+++ b/cmd/frostfs-cli/modules/accounting/root.go
@ -0,0 +1,27 @@
 package accounting
 import (
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 // Cmd represents the accounting command.
 var Cmd = &cobra.Command{
 	Use:   "accounting",
 	Short: "Operations with accounts and balances",
 	Long:  `Operations with accounts and balances`,
 	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		flags := cmd.Flags()
 		_ = viper.BindPFlag(commonflags.WalletPath, flags.Lookup(commonflags.WalletPath))
 		_ = viper.BindPFlag(commonflags.Account, flags.Lookup(commonflags.Account))
 		_ = viper.BindPFlag(commonflags.RPC, flags.Lookup(commonflags.RPC))
 	},
 }
 func init() {
 	Cmd.AddCommand(accountingBalanceCmd)
 	initAccountingBalanceCmd()
 }
--- a/cmd/frostfs-cli/modules/acl/basic/print.go
+++ b/cmd/frostfs-cli/modules/acl/basic/print.go
@ -0,0 +1,28 @@
 package basic
 import (
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
 	"github.com/spf13/cobra"
 )
 var printACLCmd = &cobra.Command{
 	Use:     "print",
 	Short:   "Pretty print basic ACL from the HEX representation",
 	Example: `frostfs-cli acl basic print 0x1C8C8CCC`,
 	Long: `Pretty print basic ACL from the HEX representation.
 Few roles have exclusive default access to set of operation, even if particular bit deny it.
 Container have access to the operations of the data replication mechanism:
    Get, Head, Put, Search, Hash.
 InnerRing members are allowed to data audit ops only:
    Get, Head, Hash, Search.`,
 	Run:  printACL,
 	Args: cobra.ExactArgs(1),
 }
 func printACL(cmd *cobra.Command, args []string) {
 	var bacl acl.Basic
 	commonCmd.ExitOnErr(cmd, "unable to parse basic acl: %w", bacl.DecodeString(args[0]))
 	util.PrettyPrintTableBACL(cmd, &bacl)
 }
--- a/cmd/frostfs-cli/modules/acl/basic/root.go
+++ b/cmd/frostfs-cli/modules/acl/basic/root.go
@ -0,0 +1,14 @@
 package basic
 import (
 	"github.com/spf13/cobra"
 )
 var Cmd = &cobra.Command{
 	Use:   "basic",
 	Short: "Operations with Basic Access Control Lists",
 }
 func init() {
 	Cmd.AddCommand(printACLCmd)
 }
--- a/cmd/frostfs-cli/modules/acl/extended/create.go
+++ b/cmd/frostfs-cli/modules/acl/extended/create.go
@ -0,0 +1,127 @@
 package extended
 import (
 	"bytes"
 	"encoding/json"
 	"os"
 	"strings"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/spf13/cobra"
 )
 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create extended ACL from the text representation",
 	Long: `Create extended ACL from the text representation.
 Rule consist of these blocks: <action> <operation> [<filter1> ...] [<target1> ...]
 Action is 'allow' or 'deny'.
 Operation is an object service verb: 'get', 'head', 'put', 'search', 'delete', 'getrange', or 'getrangehash'.
 Filter consists of <typ>:<key><match><value>
  Typ is 'obj' for object applied filter or 'req' for request applied filter. 
  Key is a valid unicode string corresponding to object or request header key. 
    Well-known system object headers start with '$Object:' prefix.
    User defined headers start without prefix.
    Read more about filter keys at github.com/TrueCloudLab/frostfs-api/blob/master/proto-docs/acl.md#message-eaclrecordfilter
  Match is '=' for matching and '!=' for non-matching filter.
  Value is a valid unicode string corresponding to object or request header value.
 Target is 
  'user' for container owner, 
  'system' for Storage nodes in container and Inner Ring nodes,
  'others' for all other request senders, 
  'pubkey:<key1>,<key2>,...' for exact request sender, where <key> is a hex-encoded 33-byte public key.
 When both '--rule' and '--file' arguments are used, '--rule' records will be placed higher in resulting extended ACL table.
 `,
 	Example: `frostfs-cli acl extended create --cid EutHBsdT1YCzHxjCfQHnLPL1vFrkSyLSio4vkphfnEk -f rules.txt --out table.json
 frostfs-cli acl extended create --cid EutHBsdT1YCzHxjCfQHnLPL1vFrkSyLSio4vkphfnEk -r 'allow get obj:Key=Value others' -r 'deny put others'`,
 	Run: createEACL,
 }
 func init() {
 	createCmd.Flags().StringArrayP("rule", "r", nil, "Extended ACL table record to apply")
 	createCmd.Flags().StringP("file", "f", "", "Read list of extended ACL table records from text file")
 	createCmd.Flags().StringP("out", "o", "", "Save JSON formatted extended ACL table in file")
 	createCmd.Flags().StringP(commonflags.CIDFlag, "", "", commonflags.CIDFlagUsage)
 	_ = cobra.MarkFlagFilename(createCmd.Flags(), "file")
 	_ = cobra.MarkFlagFilename(createCmd.Flags(), "out")
 }
 func createEACL(cmd *cobra.Command, _ []string) {
 	rules, _ := cmd.Flags().GetStringArray("rule")
 	fileArg, _ := cmd.Flags().GetString("file")
 	outArg, _ := cmd.Flags().GetString("out")
 	cidArg, _ := cmd.Flags().GetString(commonflags.CIDFlag)
 	var containerID cid.ID
 	if cidArg != "" {
 		if err := containerID.DecodeString(cidArg); err != nil {
 			cmd.PrintErrf("invalid container ID: %v\n", err)
 			os.Exit(1)
 		}
 	}
 	rulesFile, err := getRulesFromFile(fileArg)
 	if err != nil {
 		cmd.PrintErrf("can't read rules from file: %v\n", err)
 		os.Exit(1)
 	}
 	rules = append(rules, rulesFile...)
 	if len(rules) == 0 {
 		cmd.PrintErrln("no extended ACL rules has been provided")
 		os.Exit(1)
 	}
 	tb := eacl.NewTable()
 	commonCmd.ExitOnErr(cmd, "unable to parse provided rules: %w", util.ParseEACLRules(tb, rules))
 	tb.SetCID(containerID)
 	data, err := tb.MarshalJSON()
 	if err != nil {
 		cmd.PrintErrln(err)
 		os.Exit(1)
 	}
 	buf := new(bytes.Buffer)
 	err = json.Indent(buf, data, "", "  ")
 	if err != nil {
 		cmd.PrintErrln(err)
 		os.Exit(1)
 	}
 	if len(outArg) == 0 {
 		cmd.Println(buf)
 		return
 	}
 	err = os.WriteFile(outArg, buf.Bytes(), 0644)
 	if err != nil {
 		cmd.PrintErrln(err)
 		os.Exit(1)
 	}
 }
 func getRulesFromFile(filename string) ([]string, error) {
 	if len(filename) == 0 {
 		return nil, nil
 	}
 	data, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
 	return strings.Split(strings.TrimSpace(string(data)), "\n"), nil
 }
--- a/cmd/frostfs-cli/modules/acl/extended/create_test.go
+++ b/cmd/frostfs-cli/modules/acl/extended/create_test.go
@ -0,0 +1,90 @@
 package extended
 import (
 	"testing"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/stretchr/testify/require"
 )
 func TestParseTable(t *testing.T) {
 	tests := [...]struct {
 		name       string // test name
 		rule       string // input extended ACL rule
 		jsonRecord string // produced record after successfull parsing
 	}{
 		{
 			name:       "valid rule with multiple filters",
 			rule:       "deny get obj:a=b req:c=d others",
 			jsonRecord: `{"operation":"GET","action":"DENY","filters":[{"headerType":"OBJECT","matchType":"STRING_EQUAL","key":"a","value":"b"},{"headerType":"REQUEST","matchType":"STRING_EQUAL","key":"c","value":"d"}],"targets":[{"role":"OTHERS","keys":[]}]}`,
 		},
 		{
 			name:       "valid rule without filters",
 			rule:       "allow put user",
 			jsonRecord: `{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"USER","keys":[]}]}`,
 		},
 		{
 			name:       "valid rule with public key",
 			rule:       "deny getrange pubkey:036410abb260bbbda89f61c0cad65a4fa15ac5cb83b3c3abf8aee403856fcf65ed",
 			jsonRecord: `{"operation":"GETRANGE","action":"DENY","filters":[],"targets":[{"role":"ROLE_UNSPECIFIED","keys":["A2QQq7Jgu72on2HAytZaT6FaxcuDs8Or+K7kA4Vvz2Xt"]}]}`,
 		},
 		{
 			name: "missing action",
 			rule: "get obj:a=b others",
 		},
 		{
 			name: "invalid action",
 			rule: "permit get obj:a=b others",
 		},
 		{
 			name: "missing op",
 			rule: "deny obj:a=b others",
 		},
 		{
 			name: "invalid op action",
 			rule: "deny look obj:a=b others",
 		},
 		{
 			name: "invalid filter type",
 			rule: "deny get invalid:a=b others",
 		},
 		{
 			name: "invalid target group",
 			rule: "deny get obj:a=b helpers",
 		},
 		{
 			name: "invalid public key",
 			rule: "deny get obj:a=b pubkey:0123",
 		},
 	}
 	eaclTable := eacl.NewTable()
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			err := util.ParseEACLRule(eaclTable, test.rule)
 			ok := len(test.jsonRecord) > 0
 			require.Equal(t, ok, err == nil, err)
 			if ok {
 				expectedRecord := eacl.NewRecord()
 				err = expectedRecord.UnmarshalJSON([]byte(test.jsonRecord))
 				require.NoError(t, err)
 				actualRecord := eaclTable.Records()[len(eaclTable.Records())-1]
 				equalRecords(t, expectedRecord, &actualRecord)
 			}
 		})
 	}
 }
 func equalRecords(t *testing.T, r1, r2 *eacl.Record) {
 	d1, err := r1.Marshal()
 	require.NoError(t, err)
 	d2, err := r2.Marshal()
 	require.NoError(t, err)
 	require.Equal(t, d1, d2)
 }
--- a/cmd/frostfs-cli/modules/acl/extended/print.go
+++ b/cmd/frostfs-cli/modules/acl/extended/print.go
@ -0,0 +1,38 @@
 package extended
 import (
 	"os"
 	"strings"
 	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
 	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/spf13/cobra"
 )
 var printEACLCmd = &cobra.Command{
 	Use:   "print",
 	Short: "Pretty print extended ACL from the file(in text or json format) or for given container.",
 	Run:   printEACL,
 }
 func init() {
 	flags := printEACLCmd.Flags()
 	flags.StringP("file", "f", "",
 		"Read list of extended ACL table records from text or json file")
 	_ = printEACLCmd.MarkFlagRequired("file")
 }
 func printEACL(cmd *cobra.Command, _ []string) {
 	file, _ := cmd.Flags().GetString("file")
 	eaclTable := new(eacl.Table)
 	data, err := os.ReadFile(file)
 	commonCmd.ExitOnErr(cmd, "can't read file with EACL: %w", err)
 	if strings.HasSuffix(file, ".json") {
 		commonCmd.ExitOnErr(cmd, "unable to parse json: %w", eaclTable.UnmarshalJSON(data))
 	} else {
 		rules := strings.Split(strings.TrimSpace(string(data)), "\n")
 		commonCmd.ExitOnErr(cmd, "can't parse file with EACL: %w", util.ParseEACLRules(eaclTable, rules))
 	}
 	util.PrettyPrintTableEACL(cmd, eaclTable)
 }
--- a/cmd/frostfs-cli/modules/acl/extended/root.go
+++ b/cmd/frostfs-cli/modules/acl/extended/root.go
@ -0,0 +1,15 @@
 package extended
 import (
 	"github.com/spf13/cobra"
 )
 var Cmd = &cobra.Command{
 	Use:   "extended",
 	Short: "Operations with Extended Access Control Lists",
 }
 func init() {
 	Cmd.AddCommand(createCmd)
 	Cmd.AddCommand(printEACLCmd)
 }
--- a/Show more
+++ b/Show more
		`@ -0,0 +1 @@`
							`* @TrueCloudLab/storage-core @TrueCloudLab/committers`