pilorama: Support tree migration between forests

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
pilorama/tests: Remove magic constants for inmemory type
2024-01-31 20:19:46 +03:00 · 2024-01-31 18:43:43 +03:00 · 2024-01-26 12:19:20 +03:00 · 2024-01-26 08:52:29 +00:00 · 2024-01-25 20:26:13 +03:00 · 2024-01-25 20:26:13 +03:00
1199 changed files with 51236 additions and 41468 deletions
--- a/.docker/Dockerfile.adm
+++ b/.docker/Dockerfile.adm
@ -1,4 +1,4 @@
-FROM golang:1.18 as builder
+FROM golang:1.21 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
--- a/.docker/Dockerfile.ci
+++ b/.docker/Dockerfile.ci
@ -0,0 +1,25 @@
+FROM golang:1.21
+
+WORKDIR /tmp
+
+# Install apt packages
+RUN apt-get update && apt-get install --no-install-recommends -y \
+  pip \
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && rm -rf /var/lib/apt/lists/*
+
+# Dash → Bash
+RUN echo "dash dash/sh boolean false" | debconf-set-selections
+RUN DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
+
+RUN useradd -u 1234 -d /home/ci -m ci
+USER ci
+
+ENV PATH="$PATH:/home/ci/.local/bin"
+
+COPY .pre-commit-config.yaml .
+
+RUN pip install "pre-commit==3.1.1" \
+  && git init . \
+  && pre-commit install-hooks \
+  && rm -rf /tmp/*
--- a/.docker/Dockerfile.cli
+++ b/.docker/Dockerfile.cli
@ -1,4 +1,4 @@
-FROM golang:1.18 as builder
+FROM golang:1.21 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
--- a/.docker/Dockerfile.ir
+++ b/.docker/Dockerfile.ir
@ -1,4 +1,4 @@
-FROM golang:1.18 as builder
+FROM golang:1.21 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
--- a/.docker/Dockerfile.storage
+++ b/.docker/Dockerfile.storage
@ -1,4 +1,4 @@
-FROM golang:1.18 as builder
+FROM golang:1.21 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
--- a/.docker/Dockerfile.storage-testnet
+++ b/.docker/Dockerfile.storage-testnet
@ -1,19 +0,0 @@
-FROM golang:1.18 as builder
-ARG BUILD=now
-ARG VERSION=dev
-ARG REPO=repository
-WORKDIR /src
-COPY . /src
-
-RUN make bin/frostfs-node
-
-# Executable image
-FROM alpine AS frostfs-node
-RUN apk add --no-cache bash
-
-WORKDIR /
-
-COPY --from=builder /src/bin/frostfs-node /bin/frostfs-node
-COPY --from=builder /src/config/testnet/config.yml /config.yml
-
-CMD ["frostfs-node", "--config", "/config.yml"]
--- a/.dockerignore
+++ b/.dockerignore
@ -5,4 +5,5 @@ docker-compose.yml
 Dockerfile
 temp
 .dockerignore
-docker
+docker
+.cache
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -0,0 +1,41 @@
+name: Build
+
+on: [pull_request]
+
+jobs:
+  build:
+    name: Build Components
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go_versions: [ '1.20', '1.21' ]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Allows to fetch all history for all branches and tags.
+          # Need this for proper versioning.
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '${{ matrix.go_versions }}'
+
+      - name: Build CLI
+        run: make bin/frostfs-cli
+      - run: bin/frostfs-cli --version
+
+      - name: Build NODE
+        run: make bin/frostfs-node
+
+      - name: Build IR
+        run: make bin/frostfs-ir
+
+      - name: Build ADM
+        run: make bin/frostfs-adm
+      - run: bin/frostfs-adm --version
+
+      - name: Build LENS
+        run: make bin/frostfs-lens
+      - run: bin/frostfs-lens --version
--- a/.forgejo/workflows/dco.yml
+++ b/.forgejo/workflows/dco.yml
@ -0,0 +1,21 @@
+name: DCO action
+on: [pull_request]
+
+jobs:
+  dco:
+    name: DCO
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+
+      - name: Run commit format checker
+        uses: https://git.frostfs.info/TrueCloudLab/dco-go@v3
+        with:
+          from: 'origin/${{ github.event.pull_request.base.ref }}'
--- a/.forgejo/workflows/tests.yml
+++ b/.forgejo/workflows/tests.yml
@ -0,0 +1,73 @@
+name: Tests and linters
+on: [pull_request]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+          cache: true
+
+      - name: Install linters
+        run: make lint-install
+
+      - name: Run linters
+        run: make lint
+
+  tests:
+    name: Tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go_versions: [ '1.20', '1.21' ]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '${{ matrix.go_versions }}'
+          cache: true
+
+      - name: Run tests
+        run: make test
+
+  tests-race:
+    name: Tests with -race
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+          cache: true
+
+      - name: Run tests
+        run: go test ./... -count=1 -race
+
+  staticcheck:
+    name: Staticcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+          cache: true
+
+      - name: Install staticcheck
+        run: make staticcheck-install
+
+      - name: Run staticcheck
+        run: make staticcheck-run
--- a/.forgejo/workflows/vulncheck.yml
+++ b/.forgejo/workflows/vulncheck.yml
@ -0,0 +1,22 @@
+name: Vulncheck
+on: [pull_request]
+
+jobs:
+  vulncheck:
+    name: Vulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
--- a/.gitattributes
+++ b/.gitattributes
@ -1,2 +1,3 @@
 /**/*.pb.go -diff -merge
 /**/*.pb.go linguist-generated=true
+/go.sum -diff
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1 +0,0 @@
-*   @TrueCloudLab/storage-core @TrueCloudLab/committers
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: community, triage
+labels: community, triage, bug
 assignees: ''

 ---
@ -18,8 +18,11 @@ assignees: ''
     If suggesting a change/improvement, explain the difference from current behavior -->

 ## Possible Solution
-<!-- Not obligatory, but suggest a fix/reason for the bug,
-     or ideas how to implement the addition or change -->
+<!-- Not obligatory
+     If no reason/fix/additions for the bug can be suggested,
+     uncomment the following phrase:
+
+     No fix can be suggested by a QA engineer. Further solutions shall be up to developers. -->

 ## Steps to Reproduce (for bugs)
 <!-- Provide a link to a live example, or an unambiguous set of steps
@ -41,10 +44,3 @@ assignees: ''
 * Version used:
 * Server setup and configuration:
 * Operating System and version (`uname -a`):
-
-## Don't forget to add labels!
- component label (`frostfs-adm`, `frostfs-storage`, ...)
- `goodfirstissue`, `helpwanted` if needed
- does this issue belong to an epic?
- priority (`P0`-`P4`) if already triaged
- quarter label (`202XQY`) if possible
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@ -1,29 +0,0 @@
-name: CHANGELOG check
-
-on:
-  pull_request:
-    branches:
-      - master
-      - support/**
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    name: Check for updates
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Get changed CHANGELOG
-        id: changelog-diff
-        uses: tj-actions/changed-files@v29
-        with:
-          files: CHANGELOG.md
-
-      - name: Fail if changelog not updated
-        if: steps.changelog-diff.outputs.any_changed == 'false'
-        uses: actions/github-script@v3
-        with:
-          script: |
-            core.setFailed('CHANGELOG.md has not been updated')
--- a/.github/workflows/config-update.yml
+++ b/.github/workflows/config-update.yml
@ -1,37 +0,0 @@
-name: Configuration check
-
-on:
-  pull_request:
-    branches:
-      - master
-      - support/**
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    name: config-check
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Get changed config-related files
-        id: config-diff
-        uses: tj-actions/changed-files@v29
-        with:
-          files: |
-            config/**
-            cmd/neofs-node/config/**
-
-      - name: Get changed doc files
-        id: docs-diff
-        uses: tj-actions/changed-files@v29
-        with:
-          files: docs/**
-
-      - name: Fail if config files are changed but the documentation is not updated
-        if: steps.config-diff.outputs.any_changed == 'true' && steps.docs-diff.outputs.any_changed == 'false'
-        uses: actions/github-script@v3
-        with:
-          script: |
-            core.setFailed('Documentation has not been updated')
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@ -1,22 +0,0 @@
-name: DCO check
-
-on:
-  pull_request:
-    branches:
-      - master
-      - support/**
-
-jobs:
-  commits_check_job:
-    runs-on: ubuntu-latest
-    name: Commits Check
-    steps:
-    - name: Get PR Commits
-      id: 'get-pr-commits'
-      uses: tim-actions/get-pr-commits@master
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-    - name: DCO Check
-      uses: tim-actions/dco@master
-      with:
-        commits: ${{ steps.get-pr-commits.outputs.commits }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -1,60 +0,0 @@
-name: frostfs-node tests
-
-on:
-  push:
-    branches:
-      - master
-      - support/**
-    paths-ignore:
-      - '*.md'
-  pull_request:
-    branches:
-      - master
-      - support/**
-    paths-ignore:
-      - '*.md'
-
-jobs:
-  test:
-    runs-on: ubuntu-20.04
-    strategy:
-      matrix:
-        go: [ '1.18.x', '1.19.x' ]
-    steps:
-      - name: Setup go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go }}
-
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Cache go mod
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ matrix.go }}-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-${{ matrix.go }}-
-
-      - name: Run go test
-        run: go test -coverprofile=coverage.txt -covermode=atomic ./...
-
-      - name: Codecov
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        run: bash <(curl -s https://codecov.io/bash)
-
-  lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-      - uses: actions/checkout@v3
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.50.0
-          args: --timeout=5m
-          only-new-issues: true
--- a/.gitlint
+++ b/.gitlint
@ -0,0 +1,11 @@
+[general]
+fail-without-commits=True
+regex-style-search=True
+contrib=CC1
+
+[title-match-regex]
+regex=^\[\#[0-9Xx]+\]\s
+
+[ignore-by-title]
+regex=^Release(.*)
+ignore=title-match-regex
--- a/.golangci.yml
+++ b/.golangci.yml
@ -4,7 +4,7 @@
 # options for analysis running
 run:
  # timeout for analysis, e.g. 30s, 5m, default is 1m
-  timeout: 5m
+  timeout: 20m

  # include test files or not, default is true
  tests: false
@ -24,6 +24,28 @@ linters-settings:
  govet:
    # report about shadowed variables
    check-shadowing: false
+  staticcheck:
+    checks: ["all", "-SA1019"] # TODO Enable SA1019 after deprecated warning are fixed.
+  funlen:
+    lines: 80 # default 60
+    statements: 60 # default 40
+  gocognit:
+    min-complexity: 40 # default 30
+  importas:
+    no-unaliased: true
+    no-extra-aliases: false
+    alias:
+      pkg: git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object
+      alias: objectSDK
+  custom:
+    truecloudlab-linters:
+      path: bin/linters/external_linters.so
+      original-url: git.frostfs.info/TrueCloudLab/linters.git
+      settings:
+        noliteral:
+          target-methods : ["reportFlushError", "reportError"]
+          disable-packages: ["codes", "err", "res","exec"]
+          constants-package: "git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"

 linters:
  enable:
@ -51,6 +73,14 @@ linters:
    - predeclared
    - reassign
    - whitespace
+    - containedctx
+    - funlen
+    - gocognit
+    - contextcheck
+    - importas
+    - truecloudlab-linters
+    - perfsprint
+    - testifylint
+    - protogetter
  disable-all: true
  fast: false
-
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,63 @@
+ci:
+  autofix_prs: false
+
+repos:
+  - repo: https://github.com/jorisroovers/gitlint
+    rev:  v0.19.1
+    hooks:
+      - id: gitlint
+        stages: [commit-msg]
+      - id: gitlint-ci
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+    - id: check-added-large-files
+    - id: check-case-conflict
+    - id: check-executables-have-shebangs
+    - id: check-shebang-scripts-are-executable
+    - id: check-merge-conflict
+    - id: check-json
+    - id: check-xml
+    - id: check-yaml
+    - id: trailing-whitespace
+      args: [--markdown-linebreak-ext=md]
+    - id: end-of-file-fixer
+      exclude: ".key$"
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.9.0.6
+    hooks:
+      - id: shellcheck
+
+  - repo: local
+    hooks:
+      - id: make-lint
+        name: Run Make Lint
+        entry: make lint
+        language: system
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+       - id: go-unit-tests
+         name: go unit tests
+         entry: make test
+         pass_filenames: false
+         types: [go]
+         language: system
+
+  - repo: local
+    hooks:
+       - id: gofumpt
+         name: gofumpt
+         entry: make fumpt
+         pass_filenames: false
+         types: [go]
+         language: system
+
+  - repo: https://github.com/TekWizely/pre-commit-golang
+    rev: v1.0.0-rc.1
+    hooks:
+       - id: go-staticcheck-repo-mod
+       - id: go-mod-tidy
--- a/.woodpecker/pre-commit.yml
+++ b/.woodpecker/pre-commit.yml
@ -0,0 +1,11 @@
+pipeline:
+  # Kludge for non-root containers under WoodPecker
+  fix-ownership:
+    image: alpine:latest
+    commands: chown -R 1234:1234 .
+
+  pre-commit:
+    image: git.frostfs.info/truecloudlab/frostfs-ci:v0.36
+    commands:
+      - export HOME="$(getent passwd $(id -u) | cut '-d:' -f6)"
+      - pre-commit run --hook-stage manual
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -3,8 +3,8 @@
 First, thank you for contributing! We love and encourage pull requests from
 everyone. Please follow the guidelines:

- Check the open [issues](https://github.com/TrueCloudLab/frostfs-node/issues) and
-  [pull requests](https://github.com/TrueCloudLab/frostfs-node/pulls) for existing
+- Check the open [issues](https://git.frostfs.info/TrueCloudLab/frostfs-node/issues) and
+  [pull requests](https://git.frostfs.info/TrueCloudLab/frostfs-node/pulls) for existing
  discussions.

 - Open an issue first, to discuss a new feature or enhancement.
@ -27,19 +27,19 @@ Start by forking the `frostfs-node` repository, make changes in a branch and the
 send a pull request. We encourage pull requests to discuss code changes. Here
 are the steps in details:

-### Set up your GitHub Repository
-Fork [FrostFS node upstream](https://github.com/TrueCloudLab/frostfs-node/fork) source
+### Set up your Forgejo repository
+Fork [FrostFS node upstream](https://git.frostfs.info/TrueCloudLab/frostfs-node) source
 repository to your own personal repository. Copy the URL of your fork (you will
 need it for the `git clone` command below).

 ```sh
-$ git clone https://github.com/TrueCloudLab/frostfs-node
+$ git clone https://git.frostfs.info/TrueCloudLab/frostfs-node
 ```

 ### Set up git remote as ``upstream``
 ```sh
 $ cd frostfs-node
-$ git remote add upstream https://github.com/TrueCloudLab/frostfs-node
+$ git remote add upstream https://git.frostfs.info/TrueCloudLab/frostfs-node
 $ git fetch upstream
 $ git merge upstream/master
 ...
@ -58,7 +58,7 @@ $ git checkout -b feature/123-something_awesome
 After your code changes, make sure

 - To add test cases for the new code.
- To run `make lint`
+- To run `make lint` and `make staticcheck-run`
 - To squash your commits into a single commit or a series of logically separated
  commits run `git rebase -i`. It's okay to force update your pull request.
 - To run `make test` and `make all` completes.
@ -89,8 +89,8 @@ $ git push origin feature/123-something_awesome
 ```

 ### Create a Pull Request
-Pull requests can be created via GitHub. Refer to [this
-document](https://help.github.com/articles/creating-a-pull-request/) for
+Pull requests can be created via Forgejo. Refer to [this
+document](https://docs.codeberg.org/collaborating/pull-requests-and-git-flow/) for
 detailed steps on how to create a pull request. After a Pull Request gets peer
 reviewed and approved, it will be merged.

--- a/CREDITS.md
+++ b/CREDITS.md
@ -10,7 +10,7 @@ In alphabetical order:
 - Alexey Vanin
 - Anastasia Prasolova
 - Anatoly Bogatyrev
- Evgeny Kulikov 
+- Evgeny Kulikov
 - Evgeny Stratonikov
 - Leonard Liubich
 - Sergei Liubich
--- a/147
+++ b/147
@ -7,8 +7,17 @@ VERSION ?= $(shell git describe --tags --dirty --match "v*" --always --abbrev=8
 HUB_IMAGE ?= truecloudlab/frostfs
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"

-GO_VERSION ?= 1.19
-LINT_VERSION ?= 1.50.0
+GO_VERSION ?= 1.21
+LINT_VERSION ?= 1.55.2
+TRUECLOUDLAB_LINT_VERSION ?= 0.0.3
+PROTOC_VERSION ?= 25.0
+PROTOC_GEN_GO_VERSION ?= $(shell go list -f '{{.Version}}' -m google.golang.org/protobuf)
+PROTOGEN_FROSTFS_VERSION ?= $(shell go list -f '{{.Version}}' -m git.frostfs.info/TrueCloudLab/frostfs-api-go/v2)
+PROTOC_OS_VERSION=osx-x86_64
+ifeq ($(shell uname), Linux)
+	PROTOC_OS_VERSION=linux-x86_64
+endif
+STATICCHECK_VERSION ?= 2023.1.6
 ARCH = amd64

 BIN = bin
@ -25,8 +34,22 @@ PKG_VERSION ?= $(shell echo $(VERSION) | sed "s/^v//" | \
 			sed -E "s/(.*)-(g[a-fA-F0-9]{6,8})(.*)/\1\3~\2/" | \
 			sed "s/-/~/")-${OS_RELEASE}

-.PHONY: help all images dep clean fmts fmt imports test lint docker/lint
-		prepare-release debpackage
+OUTPUT_LINT_DIR ?= $(abspath $(BIN))/linters
+LINT_DIR = $(OUTPUT_LINT_DIR)/golangci-lint-$(LINT_VERSION)-v$(TRUECLOUDLAB_LINT_VERSION)
+TMP_DIR := .cache
+PROTOBUF_DIR ?= $(abspath $(BIN))/protobuf
+PROTOC_DIR ?= $(PROTOBUF_DIR)/protoc-v$(PROTOC_VERSION)
+PROTOC_GEN_GO_DIR ?= $(PROTOBUF_DIR)/protoc-gen-go-$(PROTOC_GEN_GO_VERSION)
+PROTOGEN_FROSTFS_DIR ?= $(PROTOBUF_DIR)/protogen-$(PROTOGEN_FROSTFS_VERSION)
+STATICCHECK_DIR ?= $(abspath $(BIN))/staticcheck
+STATICCHECK_VERSION_DIR ?= $(STATICCHECK_DIR)/$(STATICCHECK_VERSION)
+
+FROSTFS_CONTRACTS_PATH=$(abspath ./../frostfs-contract)
+LOCODE_DB_PATH=$(abspath ./.cache/locode_db)
+LOCODE_DB_VERSION=v0.4.0
+
+.PHONY: help all images dep clean fmts fumpt imports test lint docker/lint
+		prepare-release debpackage pre-commit unpre-commit

 # To build a specific binary, use it's name prefix with bin/ as a target
 # For example `make bin/frostfs-node` will build only storage node binary
@ -65,24 +88,40 @@ dep:
 	CGO_ENABLED=0 \
 	go mod tidy -v && echo OK

+# Build export-metrics
+export-metrics: dep
+	@printf "⇒ Build export-metrics\n"
+	CGO_ENABLED=0 \
+	go build -v -trimpath -o bin/export-metrics ./scripts/export-metrics
+
 # Regenerate proto files:
 protoc:
-	@GOPRIVATE=github.com/TrueCloudLab go mod vendor
-	# Install specific version for protobuf lib
-	@go list -f '{{.Path}}/...@{{.Version}}' -m  github.com/golang/protobuf | xargs go install -v
-	@GOBIN=$(abspath $(BIN)) go install -mod=mod -v github.com/TrueCloudLab/frostfs-api-go/v2/util/protogen
-	# Protoc generate
-	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
+	@if [ ! -d "$(PROTOC_DIR)" ] || [ ! -d "$(PROTOC_GEN_GO_DIR)" ] || [ ! -d "$(PROTOGEN_FROSTFS_DIR)" ]; then \
+		make protoc-install; \
+	fi
+	@for f in `find . -type f -name '*.proto' -not -path './bin/*'`; do \
 		echo "⇒ Processing $$f "; \
-		protoc \
-			--proto_path=.:./vendor:/usr/local/include \
-			--plugin=protoc-gen-go-frostfs=$(BIN)/protogen \
+		$(PROTOC_DIR)/bin/protoc \
+			--proto_path=.:$(PROTOC_DIR)/include:/usr/local/include \
+			--plugin=protoc-gen-go=$(PROTOC_GEN_GO_DIR)/protoc-gen-go \
+			--plugin=protoc-gen-go-frostfs=$(PROTOGEN_FROSTFS_DIR)/protogen \
 			--go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
 			--go_out=. --go_opt=paths=source_relative \
 			--go-grpc_opt=require_unimplemented_servers=false \
 			--go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
-	rm -rf vendor
+
+protoc-install:
+	@rm -rf $(PROTOBUF_DIR)
+	@mkdir $(PROTOBUF_DIR)
+	@echo "⇒ Installing protoc... "
+	@wget -q -O $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip 'https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(PROTOC_OS_VERSION).zip'
+	@unzip -q -o $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip -d $(PROTOC_DIR)
+	@rm $(PROTOBUF_DIR)/protoc-$(PROTOC_VERSION).zip
+	@echo "⇒ Installing protoc-gen-go..."
+	@GOBIN=$(PROTOC_GEN_GO_DIR) go install -v google.golang.org/protobuf/...@$(PROTOC_GEN_GO_VERSION)
+	@echo "⇒ Instaling protogen FrostFS plugin..."
+	@GOBIN=$(PROTOGEN_FROSTFS_DIR) go install -mod=mod -v git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/protogen@$(PROTOGEN_FROSTFS_VERSION)

 # Build FrostFS component's docker image
 image-%:
@ -95,7 +134,7 @@ image-%:
 		-t $(HUB_IMAGE)-$*:$(HUB_TAG) .

 # Build all Docker images
-images: image-storage image-ir image-cli image-adm image-storage-testnet
+images: image-storage image-ir image-cli image-adm

 # Build dirty local Docker images
 dirty-images: image-dirty-storage image-dirty-ir image-dirty-cli image-dirty-adm
@ -111,26 +150,56 @@ docker/%:


 # Run all code formatters
-fmts: fmt imports
-
-# Reformat code
-fmt:
-	@echo "⇒ Processing gofmt check"
-	@gofmt -s -w cmd/ pkg/ misc/
+fmts: fumpt imports

 # Reformat imports
 imports:
 	@echo "⇒ Processing goimports check"
 	@goimports -w cmd/ pkg/ misc/

+fumpt:
+	@echo "⇒ Processing gofumpt check"
+	@gofumpt -l -w cmd/ pkg/ misc/
+
 # Run Unit Test with go test
 test:
 	@echo "⇒ Running go test"
-	@go test ./...
+	@go test ./... -count=1
+
+pre-commit-run:
+	@pre-commit run -a --hook-stage manual
+
+# Install linters
+lint-install:
+	@rm -rf $(OUTPUT_LINT_DIR)
+	@mkdir $(OUTPUT_LINT_DIR)
+	@mkdir -p $(TMP_DIR)
+	@rm -rf $(TMP_DIR)/linters
+	@git -c advice.detachedHead=false clone --branch v$(TRUECLOUDLAB_LINT_VERSION) https://git.frostfs.info/TrueCloudLab/linters.git $(TMP_DIR)/linters
+	@@make -C $(TMP_DIR)/linters lib CGO_ENABLED=1 OUT_DIR=$(OUTPUT_LINT_DIR)
+	@rm -rf $(TMP_DIR)/linters
+	@rmdir $(TMP_DIR) 2>/dev/null || true
+	@CGO_ENABLED=1 GOBIN=$(LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(LINT_VERSION)

 # Run linters
 lint:
-	@golangci-lint --timeout=5m run
+	@if [ ! -d "$(LINT_DIR)" ]; then \
+		make lint-install; \
+	fi
+	$(LINT_DIR)/golangci-lint run
+
+# Install staticcheck
+staticcheck-install:
+	@rm -rf $(STATICCHECK_DIR)
+	@mkdir $(STATICCHECK_DIR)
+	@GOBIN=$(STATICCHECK_VERSION_DIR) go install honnef.co/go/tools/cmd/staticcheck@$(STATICCHECK_VERSION)
+
+# Run staticcheck
+staticcheck-run:
+	@if [ ! -d "$(STATICCHECK_VERSION_DIR)" ]; then \
+		make staticcheck-install; \
+	fi
+	@$(STATICCHECK_VERSION_DIR)/staticcheck ./...

 # Run linters in Docker
 docker/lint:
@ -140,12 +209,20 @@ docker/lint:
 	--env HOME=/src \
 	golangci/golangci-lint:v$(LINT_VERSION) bash -c 'cd /src/ && make lint'

+# Activate pre-commit hooks
+pre-commit:
+	pre-commit install -t pre-commit -t commit-msg
+
+# Deactivate pre-commit hooks
+unpre-commit:
+	pre-commit uninstall -t pre-commit -t commit-msg
+
 # Print version
 version:
 	@echo $(VERSION)

+# Delete built artifacts
 clean:
-	rm -rf vendor
 	rm -rf .cache
 	rm -rf $(BIN)
 	rm -rf $(RELEASE)
@ -161,3 +238,25 @@ debpackage:

 debclean:
 	dh clean
+
+locode-download:
+	@wget -q -O ./.cache/locode_db.gz 'https://git.frostfs.info/TrueCloudLab/frostfs-locode-db/releases/download/${LOCODE_DB_VERSION}/locode_db.gz'
+	gzip -dfk ./.cache/locode_db.gz
+
+env-up: all
+	docker compose -f dev/docker-compose.yml up -d
+	@if [ ! -d "$(FROSTFS_CONTRACTS_PATH)" ]; then \
+		echo "Frostfs contracts not found"; exit 1; \
+	fi
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph init --contracts ${FROSTFS_CONTRACTS_PATH}
+	${BIN}/frostfs-adm --config ./dev/adm/frostfs-adm.yml morph refill-gas --storage-wallet ./dev/storage/wallet.json --gas 10.0
+	@if [ ! -f "$(LOCODE_DB_PATH)" ]; then \
+		make locode-download; \
+	fi
+
+env-down:
+	docker compose -f dev/docker-compose.yml down
+	docker volume rm -f frostfs-node_neo-go
+	rm -f ./.cache/.frostfs-ir-state
+	rm -f ./.cache/.frostfs-node-state
+	rm -rf ./.cache/storage
--- a/README.md
+++ b/README.md
@ -31,7 +31,7 @@ dApps directly from
 code level. This way dApps are not limited to on-chain storage and can
 manipulate large amounts of data without paying a prohibitive price.

-FrostFS has a native [gRPC API](https://github.com/TrueCloudLab/frostfs-api) and has
+FrostFS has a native [gRPC API](https://git.frostfs.info/TrueCloudLab/frostfs-api) and has
 protocol gateways for popular protocols such as [AWS
 S3](https://github.com/TrueCloudLab/frostfs-s3-gw),
 [HTTP](https://github.com/TrueCloudLab/frostfs-http-gw),
@ -49,7 +49,7 @@ The latest version of frostfs-node works with frostfs-contract

 # Building

-To make all binaries you need Go 1.18+ and `make`:
+To make all binaries you need Go 1.20+ and `make`:
 ```
 make all
 ```
@ -76,6 +76,45 @@ To make docker images suitable for use in [frostfs-dev-env](https://github.com/T
 make images
 ```

+# Debugging
+
+## VSCode
+
+To run and debug single node cluster with VSCode:
+
+1. Clone and build [frostfs-contract](https://git.frostfs.info/TrueCloudLab/frostfs-contract) repository to the same directory level as `frostfs-node`. For example:
+
+```
+/
+├── src
+    ├── frostfs-node
+    └── frostfs-contract
+```
+See `frostfs-contract`'s README.md for build instructions.
+
+2. Copy `launch.json` and `tasks.json` from `dev/.vscode-example` directory to `.vscode` directory. If you already have such files in `.vscode` directory, then merge them manually.
+
+3. Go to **Run and Debug** (`Ctrl+Shift+D`) and start `IR+Storage node` configuration.
+
+4. To create container and put object into it run (container and object IDs will be different):
+
+```
+./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet ./dev/wallet.json --policy "REP 1 IN X CBF 1 SELECT 1 FROM * AS X" --basic-acl public-read-write --await
+Enter password >  <- press ENTER, the is no password for wallet
+CID: CfPhEuHQ2PRvM4gfBQDC4dWZY3NccovyfcnEdiq2ixju
+
+./bin/frostfs-cli object put -r 127.0.0.1:8080 --wallet ./dev/wallet.json --file README.md --cid CfPhEuHQ2PRvM4gfBQDC4dWZY3NccovyfcnEdiq2ixju
+Enter password > 
+ 4300 / 4300 [===========================================================================================================================================================================================================] 100.00% 0s
+[README.md] Object successfully stored
+  OID: 78sohnudVMnPsczXqsTUcvezosan2YDNVZwDE8Kq5YwU
+  CID: CfPhEuHQ2PRvM4gfBQDC4dWZY3NccovyfcnEdiq2ixju
+
+./bin/frostfs-cli object get -r 127.0.0.1:8080 --wallet ./dev/wallet.json --cid CfPhEuHQ2PRvM4gfBQDC4dWZY3NccovyfcnEdiq2ixju --oid 78sohnudVMnPsczXqsTUcvezosan2YDNVZwDE8Kq5YwU
+...
+
+```
+
 # Contributing

 Feel free to contribute to this project after reading the [contributing
--- a/2
+++ b/2
@ -1 +1 @@
-v0.35.0
+v0.36.0
--- a/cmd/frostfs-adm/README.md
+++ b/cmd/frostfs-adm/README.md
@ -3,23 +3,22 @@
 ## Overview

 Admin tool provides an easier way to deploy and maintain private installation
-of FrostFS. Private installation provides a set of N3 consensus nodes, FrostFS 
-Alphabet, and Storage nodes. Admin tool generates consensus keys, initializes 
+of FrostFS. Private installation provides a set of N3 consensus nodes, FrostFS
+Alphabet, and Storage nodes. Admin tool generates consensus keys, initializes
 the sidechain, and provides functions to update the network and register new
 Storage nodes.

 ## Build

-To build binary locally, use `make bin/frostfs-adm` command. 
+To build binary locally, use `make bin/frostfs-adm` command.

-For clean build inside a docker container, use `make docker/bin/frostfs-adm`. 
+For clean build inside a docker container, use `make docker/bin/frostfs-adm`.

 Build docker image with `make image-adm`.

-At FrostFS private install deployment, frostfs-adm requires compiled FrostFS 
-contracts. Find them in the latest release of 
-[frostfs-contract repository](https://github.com/TrueCloudLab/frostfs-contract/releases).
-
+At FrostFS private install deployment, frostfs-adm requires compiled FrostFS
+contracts. Find them in the latest release of
+[frostfs-contract repository](https://git.frostfs.info/TrueCloudLab/frostfs-contract/releases).

 ## Commands

@ -27,7 +26,7 @@ contracts. Find them in the latest release of

 Config section provides `init` command that creates a configuration file for
 private installation deployment and updates. Config file is optional, all
-parameters can be passed by arguments or read from standard input (wallet 
+parameters can be passed by arguments or read from standard input (wallet
 passwords).

 Config example:
@ -37,9 +36,7 @@ alphabet-wallets: /path            # path to consensus node / alphabet wallets s
 network:
  max_object_size: 67108864 # max size of a single FrostFS object, bytes
  epoch_duration: 240       # duration of a FrostFS epoch in blocks, consider block generation frequency in the sidechain
-  basic_income_rate: 0      # basic income rate, for private consider 0
  fee:
-    audit: 0     # network audit fee, for private installation consider 0
    candidate: 0 # inner ring candidate registration fee, for private installation consider 0
    container: 0 # container creation fee, for private installation consider 0
    container_alias: 0 # container nice-name registration fee, for private installation consider 0
@ -58,14 +55,14 @@ credentials:     # passwords for consensus node / alphabet wallets

 #### Network deployment

- `generate-alphabet` generates a set of wallets for consensus and 
-  Alphabet nodes. 
+- `generate-alphabet` generates a set of wallets for consensus and
+  Alphabet nodes.

 - `init` initializes the sidechain by deploying smart contracts and
  setting provided FrostFS network configuration.

- `generate-storage-wallet` generates a wallet for the Storage node that 
-  is ready for deployment. It also transfers a bit of sidechain GAS, so this 
+- `generate-storage-wallet` generates a wallet for the Storage node that
+  is ready for deployment. It also transfers a bit of sidechain GAS, so this
  wallet can be used for FrostFS bootstrap.

 #### Network maintenance
@ -75,7 +72,7 @@ credentials:     # passwords for consensus node / alphabet wallets
 - `force-new-epoch` increments FrostFS epoch number and executes new epoch
  handlers in FrostFS nodes.

- `refill-gas` transfers sidechain GAS to the specified wallet. 
+- `refill-gas` transfers sidechain GAS to the specified wallet.

 - `update-contracts` updates contracts to a new version.

@ -87,7 +84,7 @@ info. These commands **do not migrate actual objects**.
 - `dump-containers` saves all containers and metadata registered in the container
  contract to a file.

- `restore-containers` restores previously saved containers by their repeated registration in 
+- `restore-containers` restores previously saved containers by their repeated registration in
 the container contract.

 - `list-containers` output all containers ids.
--- a/cmd/frostfs-adm/docs/deploy.md
+++ b/cmd/frostfs-adm/docs/deploy.md
@ -2,7 +2,7 @@

 This is a short guide on how to deploy a private FrostFS storage network on bare
 metal without docker images. This guide does not cover details on how to start
-consensus, Alphabet, or Storage nodes. This guide covers only `frostfs-adm` 
+consensus, Alphabet, or Storage nodes. This guide covers only `frostfs-adm`
 related configuration details.

 ## Prerequisites
@ -12,12 +12,13 @@ To follow this guide you need:
 - latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases) utility (v0.25.1 at the moment),
 - latest released version of compiled [frostfs-contract](https://github.com/TrueCloudLab/frostfs-contract/releases) (v0.11.0 at the moment).

-## Step 1: Prepare network configuration 
+## Step 1: Prepare network configuration

-To start a network, you need a set of consensus nodes, the same number of 
-Alphabet nodes and any number of Storage nodes. While the number of Storage 
-nodes can be scaled almost infinitely, the number of consensus and Alphabet 
+To start a network, you need a set of consensus nodes, the same number of
+Alphabet nodes and any number of Storage nodes. While the number of Storage
+nodes can be scaled almost infinitely, the number of consensus and Alphabet
 nodes can't be changed so easily right now. Consider this before going any further.
+Note also that there is an upper limit on the number of alphabet nodes (currently 22).

 It is easier to use`frostfs-adm` with a predefined configuration. First, create
 a network configuration file. In this example, there is going to be only one
@ -27,15 +28,13 @@ consensus / Alphabet node in the network.
 $ frostfs-adm config init --path foo.network.yml
 Initial config file saved to foo.network.yml

-$ cat foo.network.yml 
+$ cat foo.network.yml
 rpc-endpoint: https://neo.rpc.node:30333
 alphabet-wallets: /home/user/deploy/alphabet-wallets
 network:
  max_object_size: 67108864
  epoch_duration: 240
-  basic_income_rate: 0
  fee:
-    audit: 0
    candidate: 0
    container: 0
    withdraw: 0
@ -43,17 +42,17 @@ credentials:
  az: hunter2
 ```

-For private installation, it is recommended to set all **fees** and **basic 
-income rate** to 0. 
+For private installation, it is recommended to set all **fees** and **basic
+income rate** to 0.

-As for **epoch duration**, consider consensus node block generation frequency. 
-With default 15 seconds per block, 240 blocks are going to be a 1-hour epoch. 
+As for **epoch duration**, consider consensus node block generation frequency.
+With default 15 seconds per block, 240 blocks are going to be a 1-hour epoch.

-For **max object size**, 67108864 (64 MiB) or 134217728 (128 MiB) should provide 
+For **max object size**, 67108864 (64 MiB) or 134217728 (128 MiB) should provide
 good chunk distribution in most cases.

 With this config, generate wallets (private keys) of consensus nodes. The same
-wallets will be used for Alphabet nodes. Make sure, that dir for alphabet 
+wallets will be used for Alphabet nodes. Make sure, that dir for alphabet
 wallets already exists.

 ```
@ -69,14 +68,14 @@ storage.
 ## Step 2: Launch consensus nodes

 Configure blockchain nodes with the generated wallets from the previous step.
-Config examples can be found in 
+Config examples can be found in
 [neo-go repository](https://github.com/nspcc-dev/neo-go/tree/master/config).

 Gather public keys from **all** generated wallets. We are interested in the first
 `simple signature contract` public key.

 ```
-$ neo-go wallet dump-keys -w alphabet-wallets/az.json 
+$ neo-go wallet dump-keys -w alphabet-wallets/az.json
 NitdS4k4f1Hh5mbLJhAswBK3WC2gQgPN1o (simple signature contract):
 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869

@ -87,10 +86,10 @@ NiMKabp3ddi3xShmLAXhTfbnuWb4cSJT6E (1 out of 1 multisig contract):
 02c1cc85f9c856dbe2d02017349bcb7b4e5defa78b8056a09b3240ba2a8c078869
 ```

-Put the list of public keys into `ProtocolConfiguration.StandbyCommittee` 
+Put the list of public keys into `ProtocolConfiguration.StandbyCommittee`
 section. Specify the wallet path and the password in `ApplicationConfiguration.P2PNotary`
 and `ApplicationConfiguration.UnlockWallet` sections. If config includes
-`ProtocolConfiguration.NativeActivations` section, add notary 
+`ProtocolConfiguration.NativeActivations` section, add notary
 contract `Notary: [0]`.

 ```yaml
@ -121,7 +120,7 @@ and possible overload issues.
 Use archive with compiled FrostFS contracts to initialize the sidechain.

 ```
-$ tar -xzvf frostfs-contract-v0.11.0.tar.gz 
+$ tar -xzvf frostfs-contract-v0.11.0.tar.gz

 $ ./frostfs-adm -c foo.network.yml morph init --contracts ./frostfs-contract-v0.11.0
 Stage 1: transfer GAS to alphabet nodes.
@ -141,20 +140,18 @@ Waiting for transactions to persist...
 Stage 7: set addresses in NNS.
 Waiting for transactions to persist...
 NNS: Set alphabet0.frostfs -> f692dfb4d43a15b464eb51a7041160fb29c44b6a
-NNS: Set audit.frostfs -> 7df847b993affb3852074345a7c2bd622171ee0d
 NNS: Set balance.frostfs -> 103519b3067a66307080a66570c0491ee8f68879
 NNS: Set container.frostfs -> cae60bdd689d185901e495352d0247752ce50846
 NNS: Set frostfsid.frostfs -> c421fb60a3895865a8f24d197d6a80ef686041d2
 NNS: Set netmap.frostfs -> 894eb854632f50fb124412ce7951ebc00763525e
 NNS: Set proxy.frostfs -> ac6e6fe4b373d0ca0ca4969d1e58fa0988724e7d
-NNS: Set reputation.frostfs -> 6eda57c9d93d990573646762d1fea327ce41191f
 Waiting for transactions to persist...
 ```

 ## Step 4: Launch Alphabet nodes

-Configure Alphabet nodes with the wallets generated in step 1. For 
-`morph.validators` use a list of public keys from 
+Configure Alphabet nodes with the wallets generated in step 1. For
+`morph.validators` use a list of public keys from
 `ProtocolConfiguration.StandbyCommittee`.

 ```yaml
@ -178,10 +175,10 @@ Generate a new wallet for a Storage node.

 ```
 $ frostfs-adm -c foo.network.yml morph generate-storage-wallet --storage-wallet ./sn01.json --initial-gas 10.0
-New password > 
+New password >
 Waiting for transactions to persist...

-$ neo-go wallet dump-keys -w sn01.json 
+$ neo-go wallet dump-keys -w sn01.json
 Ngr7p8Z9S22XDH6VkUG9oXobv8zZRAWwwv (simple signature contract):
 0355eccb72cd46f09a3e5237eaa0f4949cceb5ecfa5a225bd3bb9fd021c4d75b85
 ```
@ -205,7 +202,7 @@ Current epoch: 8, increase to 9.
 Waiting for transactions to persist...
 ```

--- 
+---

 After that, FrostFS Storage is ready to work. You can access it directly or
 with protocol gates.
--- a/cmd/frostfs-adm/docs/subnetwork-creation.md
+++ b/cmd/frostfs-adm/docs/subnetwork-creation.md
@ -1,39 +0,0 @@
-# FrostFS subnetwork creation
-
-This is a short guide on how to create FrostFS subnetworks. This guide 
-considers that the sidechain and the inner ring (alphabet nodes) have already been 
-deployed and the sidechain contains a deployed `subnet` contract.
-
-## Prerequisites
-
-To follow this guide, you need:
- neo-go sidechain RPC endpoint;
- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
- wallet with FrostFS account.
-
-## Creation
-
-```shell
-$ frostfs-adm morph subnet create \
-    -r <side_chain_RPC_endpoint> \
-    -w </path/to/owner/wallet> \
-    --notary
-Create subnet request sent successfully. ID: 4223489767.
-```
-
-**NOTE:** in notary-enabled environment you should have a sufficient
-notary deposit (not expired, with enough GAS balance). Your subnet ID
-will differ from the example.
-
-The default account in the wallet that has been passed with `-w` flag is the owner
-of the just created subnetwork.
-
-You can check if your subnetwork was created successfully:
-
-```shell
-$ frostfs-adm morph subnet get \
-    -r <side_chain_RPC_endpoint> \
-    --subnet <subnet_ID>
-Owner: NUc734PMJXiqa2J9jRtvskU3kCdyyuSN8Q
-```
-Your owner will differ from the example.
--- a/cmd/frostfs-adm/docs/subnetwork-usage.md
+++ b/cmd/frostfs-adm/docs/subnetwork-usage.md
@ -1,137 +0,0 @@
-# Managing Subnetworks
-
-This is a short guide on how to manage FrostFS subnetworks. This guide
-considers that the sidechain and the inner ring (alphabet nodes) have already been
-deployed, and the sidechain contains a deployed `subnet` contract.
-
-## Prerequisites
-
- neo-go sidechain RPC endpoint;
- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
- [created](subnetwork-creation.md) subnetwork;
- wallet with the account that owns the subnetwork;
- public key of the Storage Node;
- public keys of the node and client administrators;
- owner IDs of the FrostFS users.
-
-## Add node administrator
-
-Node administrators are accounts that can manage (add and delete nodes)
-the whitelist of the nodes which can be included to a subnetwork. Only the subnet
-owner is allowed to add and remove node administrators from the subnetwork.
-
-```shell
-$ frostfs-adm morph subnet admin add \
-    -r <side_chain_RPC_endpoint> \
-    -w </path/to/owner/wallet> \
-    --admin <HEX_admin_public_key> \
-    --subnet <subnet_ID>
-Add admin request sent successfully.
-```
-
-## Add node
-
-Adding a node to a subnetwork means that the node becomes able to service
-containers that have been created in that subnetwork. Addition only changes
-the list of the allowed nodes. Node is not required to be bootstrapped at the
-moment of its inclusion.
-
-```shell
-$ frostfs-adm morph subnet node add \
-    -r <side_chain_RPC_endpoint> \
-    -w </path/to/node_admin/wallet> \
-    --node <HEX_node_public_key> \
-    --subnet <subnet_ID>
-Add node request sent successfully.
-```
-
-**NOTE:** the owner of the subnetwork is also allowed to add nodes.
-
-## Add client administrator
-
-Client administrators are accounts that can manage (add and delete
-nodes) the whitelist of the clients that can create containers in the
-subnetwork. Only the subnet owner is allowed to add and remove client
-administrators from the subnetwork.
-
-```shell
-$ frostfs-adm morph subnet admin add \
-    -r <side_chain_RPC_endpoint> \
-    -w </path/to/owner/wallet> \
-    --admin <HEX_admin_public_key> \
-    --subnet <subnet_ID> \
-    --client \
-    --group <group_ID>
-Add admin request sent successfully.
-```
-
-**NOTE:** you do not need to create a group explicitly, it will be created
-right after the first client admin is added. Group ID is a 4-byte
-positive integer number.
-
-## Add client
-
-```shell
-$ frostfs-adm morph subnet client add \
-    -r <side_chain_RPC_endpoint> \
-    -w </path/to/client_admin/wallet> \
-    --client <client_ownerID> \
-    --subnet <subnet_ID> \
-    --group <group_ID>
-Add client request sent successfully.
-```
-
-**NOTE:** the owner of the subnetwork is also allowed to add clients. This is
-the only one command that accepts `ownerID`, not the public key.
-Administrator can manage only their group (a group where that administrator
-has been added by the subnet owner).
-
-# Bootstrapping Storage Node
-
-After a subnetwork [is created](subnetwork-creation.md) and a node is included into it, the 
-node could be bootstrapped and service subnetwork containers.
-
-For bootstrapping, you need to specify the ID of the subnetwork in the node's 
-configuration: 
-
-```yaml
-...
-node:
-  ...
-  subnet:
-    entries: # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)
-      - <subnetwork_ID>
-  ...
-...
-```
-
-**NOTE:** specifying subnetwork that is denied for the node is not an error:
-that configuration value would be ignored. You do not need to specify zero 
-(with 0 ID) subnetwork: its inclusion is implicit. On the contrary, to exclude
-a node from the default zero subnetwork, you need to specify it explicitly:
-
-```yaml
-...
-node:
-  ...
-  subnet:
-    exit_zero: true # toggle entrance to zero subnet (overrides corresponding attribute and occurrence in `entries`)
-  ...
-...
-```
-
-# Creating container in non-zero subnetwork
-
-Creating containers without using `--subnet` flag is equivalent to 
-creating container in the zero subnetwork.
-
-To create a container in a private network, your wallet must be added to
-the client whitelist by the client admins or the subnet owners:
-
-```shell
-$ frostfs-cli container create \
-    --policy 'REP 1' \
-    -w </path/to/wallet> \
-    -r s01.frostfs.devenv:8080 \
-    --subnet <subnet_ID>
-```
--- a/cmd/frostfs-adm/internal/modules/config/config.go
+++ b/cmd/frostfs-adm/internal/modules/config/config.go
@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"text/template"

-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@ -18,8 +18,6 @@ type configTemplate struct {
 	AlphabetDir             string
 	MaxObjectSize           int
 	EpochDuration           int
-	BasicIncomeRate         int
-	AuditFee                int
 	CandidateFee            int
 	ContainerFee            int
 	ContainerAliasFee       int
@ -33,10 +31,8 @@ alphabet-wallets: {{ .AlphabetDir}}
 network:
  max_object_size: {{ .MaxObjectSize}}
  epoch_duration: {{ .EpochDuration}}
-  basic_income_rate: {{ .BasicIncomeRate}}
  homomorphic_hash_disabled: {{ .HomomorphicHashDisabled}}
  fee:
-    audit: {{ .AuditFee}}
    candidate: {{ .CandidateFee}}
    container: {{ .ContainerFee}}
    container_alias: {{ .ContainerAliasFee }}
@ -47,19 +43,19 @@ credentials:
  {{.}}: password{{end}}
 `

-func initConfig(cmd *cobra.Command, args []string) error {
+func initConfig(cmd *cobra.Command, _ []string) error {
 	configPath, err := readConfigPathFromArgs(cmd)
 	if err != nil {
 		return nil
 	}

 	pathDir := filepath.Dir(configPath)
-	err = os.MkdirAll(pathDir, 0700)
+	err = os.MkdirAll(pathDir, 0o700)
 	if err != nil {
 		return fmt.Errorf("create dir %s: %w", pathDir, err)
 	}

-	f, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC|os.O_SYNC, 0600)
+	f, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC|os.O_SYNC, 0o600)
 	if err != nil {
 		return fmt.Errorf("open %s: %w", configPath, err)
 	}
@ -111,9 +107,7 @@ func generateConfigExample(appDir string, credSize int) (string, error) {
 		Endpoint:                "https://neo.rpc.node:30333",
 		MaxObjectSize:           67108864,      // 64 MiB
 		EpochDuration:           240,           // 1 hour with 15s per block
-		BasicIncomeRate:         1_0000_0000,   // 0.0001 GAS per GiB (Fixed12)
 		HomomorphicHashDisabled: false,         // object homomorphic hash is enabled
-		AuditFee:                1_0000,        // 0.00000001 GAS per audit (Fixed12)
 		CandidateFee:            100_0000_0000, // 100.0 GAS (Fixed8)
 		ContainerFee:            1000,          // 0.000000001 * 7 GAS per container (Fixed12)
 		ContainerAliasFee:       500,           // ContainerFee / 2
--- a/cmd/frostfs-adm/internal/modules/config/config_test.go
+++ b/cmd/frostfs-adm/internal/modules/config/config_test.go
@ -5,7 +5,7 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 )
@ -28,8 +28,6 @@ func TestGenerateConfigExample(t *testing.T) {
 	require.Equal(t, filepath.Join(appDir, "alphabet-wallets"), v.GetString("alphabet-wallets"))
 	require.Equal(t, 67108864, v.GetInt("network.max_object_size"))
 	require.Equal(t, 240, v.GetInt("network.epoch_duration"))
-	require.Equal(t, 100000000, v.GetInt("network.basic_income_rate"))
-	require.Equal(t, 10000, v.GetInt("network.fee.audit"))
 	require.Equal(t, 10000000000, v.GetInt("network.fee.candidate"))
 	require.Equal(t, 1000, v.GetInt("network.fee.container"))
 	require.Equal(t, 100000000, v.GetInt("network.fee.withdraw"))
--- a/cmd/frostfs-adm/internal/modules/morph/ape.go
+++ b/cmd/frostfs-adm/internal/modules/morph/ape.go
@ -0,0 +1,220 @@
+package morph
+
+import (
+	"bytes"
+	"encoding/json"
+
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	namespaceTarget  = "namespace"
+	containerTarget  = "container"
+	jsonFlag         = "json"
+	jsonFlagDesc     = "Output rule chains in JSON format"
+	chainIDFlag      = "chain-id"
+	chainIDDesc      = "Rule chain ID"
+	ruleFlag         = "rule"
+	ruleFlagDesc     = "Rule chain in text format"
+	ruleJSONFlag     = "rule-json"
+	ruleJSONFlagDesc = "Chain rule in JSON format or path to the file"
+	targetNameFlag   = "target-name"
+	targetNameDesc   = "Resource name in APE resource name format"
+	targetTypeFlag   = "target-type"
+	targetTypeDesc   = "Resource type(container/namespace)"
+	addrAdminFlag    = "addr"
+	addrAdminDesc    = "The address of the admins wallet"
+)
+
+var (
+	apeCmd = &cobra.Command{
+		Use:   "ape",
+		Short: "Section for APE configuration commands",
+	}
+
+	addRuleChainCmd = &cobra.Command{
+		Use:   "add-rule-chain",
+		Short: "Add rule chain",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: addRuleChain,
+	}
+
+	removeRuleChainCmd = &cobra.Command{
+		Use:   "rm-rule-chain",
+		Short: "Remove rule chain",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: removeRuleChain,
+	}
+
+	listRuleChainsCmd = &cobra.Command{
+		Use:   "list-rule-chains",
+		Short: "List rule chains",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: listRuleChains,
+	}
+
+	setAdminCmd = &cobra.Command{
+		Use:   "set-admin",
+		Short: "Set admin",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: setAdmin,
+	}
+
+	getAdminCmd = &cobra.Command{
+		Use:   "get-admin",
+		Short: "Get admin",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: getAdmin,
+	}
+)
+
+func initAddRuleChainCmd() {
+	apeCmd.AddCommand(addRuleChainCmd)
+
+	addRuleChainCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	addRuleChainCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+
+	addRuleChainCmd.Flags().String(targetTypeFlag, "", targetTypeDesc)
+	_ = addRuleChainCmd.MarkFlagRequired(targetTypeFlag)
+	addRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
+	_ = addRuleChainCmd.MarkFlagRequired(targetNameFlag)
+
+	addRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
+	_ = addRuleChainCmd.MarkFlagRequired(chainIDFlag)
+	addRuleChainCmd.Flags().String(ruleFlag, "", ruleFlagDesc)
+	addRuleChainCmd.Flags().String(ruleJSONFlag, "", ruleJSONFlagDesc)
+
+	addRuleChainCmd.MarkFlagsMutuallyExclusive(ruleFlag, ruleJSONFlag)
+}
+
+func initRemoveRuleChainCmd() {
+	apeCmd.AddCommand(removeRuleChainCmd)
+
+	removeRuleChainCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	removeRuleChainCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+
+	removeRuleChainCmd.Flags().String(targetTypeFlag, "", targetTypeDesc)
+	_ = removeRuleChainCmd.MarkFlagRequired(targetTypeFlag)
+	removeRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
+	_ = removeRuleChainCmd.MarkFlagRequired(targetNameFlag)
+	removeRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
+	_ = removeRuleChainCmd.MarkFlagRequired(chainIDFlag)
+}
+
+func initListRuleChainsCmd() {
+	apeCmd.AddCommand(listRuleChainsCmd)
+
+	listRuleChainsCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	listRuleChainsCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	listRuleChainsCmd.Flags().StringP(targetTypeFlag, "t", "", targetTypeDesc)
+	_ = listRuleChainsCmd.MarkFlagRequired(targetTypeFlag)
+	listRuleChainsCmd.Flags().String(targetNameFlag, "", targetNameDesc)
+	_ = listRuleChainsCmd.MarkFlagRequired(targetNameFlag)
+	listRuleChainsCmd.Flags().Bool(jsonFlag, false, jsonFlagDesc)
+}
+
+func initSetAdminCmd() {
+	apeCmd.AddCommand(setAdminCmd)
+
+	setAdminCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	setAdminCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	setAdminCmd.Flags().String(addrAdminFlag, "", addrAdminDesc)
+	_ = setAdminCmd.MarkFlagRequired(addrAdminFlag)
+}
+
+func initGetAdminCmd() {
+	apeCmd.AddCommand(getAdminCmd)
+
+	getAdminCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	getAdminCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+}
+
+func addRuleChain(cmd *cobra.Command, _ []string) {
+	chain := parseChain(cmd)
+	target := parseTarget(cmd)
+	pci, ac := newPolicyContractInterface(cmd)
+	h, vub, err := pci.AddMorphRuleChain(apechain.Ingress, target, chain)
+	cmd.Println("Waiting for transaction to persist...")
+	_, err = ac.Wait(h, vub, err)
+	commonCmd.ExitOnErr(cmd, "add rule chain error: %w", err)
+	cmd.Println("Rule chain added successfully")
+}
+
+func removeRuleChain(cmd *cobra.Command, _ []string) {
+	chainID := parseChainID(cmd)
+	target := parseTarget(cmd)
+	pci, ac := newPolicyContractInterface(cmd)
+	h, vub, err := pci.RemoveMorphRuleChain(apechain.Ingress, target, chainID)
+	cmd.Println("Waiting for transaction to persist...")
+	_, err = ac.Wait(h, vub, err)
+	commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+	cmd.Println("Rule chain removed successfully")
+}
+
+func listRuleChains(cmd *cobra.Command, _ []string) {
+	target := parseTarget(cmd)
+	pci, _ := newPolicyContractInterface(cmd)
+	chains, err := pci.ListMorphRuleChains(apechain.Ingress, target)
+	commonCmd.ExitOnErr(cmd, "list rule chains error: %w", err)
+	if len(chains) == 0 {
+		return
+	}
+
+	toJSON, _ := cmd.Flags().GetBool(jsonFlag)
+	if toJSON {
+		prettyJSONFormat(cmd, chains)
+	} else {
+		for _, c := range chains {
+			parseutil.PrintHumanReadableAPEChain(cmd, c)
+		}
+	}
+}
+
+func setAdmin(cmd *cobra.Command, _ []string) {
+	s, _ := cmd.Flags().GetString(addrAdminFlag)
+	addr, err := util.Uint160DecodeStringLE(s)
+	commonCmd.ExitOnErr(cmd, "can't decode admin addr: %w", err)
+	pci, ac := newPolicyContractInterface(cmd)
+	h, vub, err := pci.SetAdmin(addr)
+	cmd.Println("Waiting for transaction to persist...")
+	_, err = ac.Wait(h, vub, err)
+	commonCmd.ExitOnErr(cmd, "can't set admin: %w", err)
+	cmd.Println("Admin set successfully")
+}
+
+func getAdmin(cmd *cobra.Command, _ []string) {
+	pci, _ := newPolicyContractInterface(cmd)
+	addr, err := pci.GetAdmin()
+	commonCmd.ExitOnErr(cmd, "unable to get admin: %w", err)
+	cmd.Println(addr.StringLE())
+}
+
+func prettyJSONFormat(cmd *cobra.Command, chains []*apechain.Chain) {
+	wr := bytes.NewBufferString("")
+	data, err := json.Marshal(chains)
+	if err == nil {
+		err = json.Indent(wr, data, "", " ")
+	}
+	commonCmd.ExitOnErr(cmd, "print rule chain error: %w", err)
+	cmd.Println(wr)
+}
--- a/cmd/frostfs-adm/internal/modules/morph/ape_util.go
+++ b/cmd/frostfs-adm/internal/modules/morph/ape_util.go
@ -0,0 +1,103 @@
+package morph
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	parseutil "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	morph "git.frostfs.info/TrueCloudLab/policy-engine/pkg/morph/policy"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func parseTarget(cmd *cobra.Command) policyengine.Target {
+	var targetType policyengine.TargetType
+	typ, _ := cmd.Flags().GetString(targetTypeFlag)
+	switch typ {
+	case namespaceTarget:
+		targetType = policyengine.Namespace
+	case containerTarget:
+		targetType = policyengine.Container
+	default:
+		commonCmd.ExitOnErr(cmd, "read target type error: %w", fmt.Errorf("unknown target type"))
+	}
+	name, _ := cmd.Flags().GetString(targetNameFlag)
+
+	return policyengine.Target{
+		Name: name,
+		Type: targetType,
+	}
+}
+
+func parseChainID(cmd *cobra.Command) apechain.ID {
+	chainID, _ := cmd.Flags().GetString(chainIDFlag)
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w",
+			fmt.Errorf("chain id cannot be empty"))
+	}
+	return apechain.ID(chainID)
+}
+
+func parseChain(cmd *cobra.Command) *apechain.Chain {
+	chain := new(apechain.Chain)
+
+	if ruleStmt, _ := cmd.Flags().GetString(ruleFlag); ruleStmt != "" {
+		parseErr := parseutil.ParseAPEChain(chain, []string{ruleStmt})
+		commonCmd.ExitOnErr(cmd, "ape chain parser error: %w", parseErr)
+	} else if ruleJSON, _ := cmd.Flags().GetString(ruleJSONFlag); ruleJSON != "" {
+		var rule []byte
+		if _, err := os.Stat(ruleJSON); err == nil {
+			rule, err = os.ReadFile(ruleJSON)
+			commonCmd.ExitOnErr(cmd, "read file error: %w", err)
+		} else {
+			rule = []byte(ruleJSON)
+			if !json.Valid(rule) {
+				commonCmd.ExitOnErr(cmd, "read raw rule error: %w",
+					fmt.Errorf("invalid JSON"))
+			}
+		}
+		err := chain.DecodeBytes(rule)
+		commonCmd.ExitOnErr(cmd, "chain decode error: %w", err)
+	} else {
+		commonCmd.ExitOnErr(cmd, "", fmt.Errorf("rule is not passed"))
+	}
+
+	chain.ID = parseChainID(cmd)
+
+	return chain
+}
+
+func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *actor.Actor) {
+	v := viper.GetViper()
+	c, err := getN3Client(v)
+	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
+
+	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
+	wallets, err := getAlphabetWallets(v, walletDir)
+	commonCmd.ExitOnErr(cmd, "unable to get alphabet wallets: %w", err)
+
+	committeeAcc, err := getWalletAccount(wallets[0], committeeAccountName)
+	commonCmd.ExitOnErr(cmd, "can't find committee account: %w", err)
+
+	ac, err := newActor(c, committeeAcc)
+	commonCmd.ExitOnErr(cmd, "can't create actor: %w", err)
+
+	inv := &ac.Invoker
+	var ch util.Uint160
+	r := management.NewReader(inv)
+	nnsCs, err := r.GetContractByID(1)
+	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
+
+	ch, err = nnsResolveHash(inv, nnsCs.Hash, domainOf(policyContract))
+	commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
+
+	return morph.NewContractStorage(ac, ch), ac
+}
--- a/cmd/frostfs-adm/internal/modules/morph/balance.go
+++ b/cmd/frostfs-adm/internal/modules/morph/balance.go
@ -6,8 +6,8 @@ import (
 	"fmt"
 	"math/big"

-	"github.com/TrueCloudLab/frostfs-contract/nns"
-	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
@ -16,6 +16,7 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/rolemgmt"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
@ -37,11 +38,6 @@ const (
 	dumpBalancesAlphabetFlag      = "alphabet"
 	dumpBalancesProxyFlag         = "proxy"
 	dumpBalancesUseScriptHashFlag = "script-hash"
-
-	// notaryEnabled signifies whether contracts were deployed in a notary-enabled environment.
-	// The setting is here to simplify testing and building the command for testnet (notary currently disabled).
-	// It will be removed eventually.
-	notaryEnabled = true
 )

 func dumpBalances(cmd *cobra.Command, _ []string) error {
@ -60,19 +56,20 @@ func dumpBalances(cmd *cobra.Command, _ []string) error {

 	inv := invoker.New(c, nil)

-	if !notaryEnabled || dumpStorage || dumpAlphabet || dumpProxy {
-		nnsCs, err = c.GetContractStateByID(1)
+	if dumpStorage || dumpAlphabet || dumpProxy {
+		r := management.NewReader(inv)
+		nnsCs, err = r.GetContractByID(1)
 		if err != nil {
 			return fmt.Errorf("can't get NNS contract info: %w", err)
 		}

-		nmHash, err = nnsResolveHash(inv, nnsCs.Hash, netmapContract+".frostfs")
+		nmHash, err = nnsResolveHash(inv, nnsCs.Hash, domainOf(netmapContract))
 		if err != nil {
 			return fmt.Errorf("can't get netmap contract hash: %w", err)
 		}
 	}

-	irList, err := fetchIRNodes(c, nmHash, rolemgmt.Hash)
+	irList, err := fetchIRNodes(c, rolemgmt.Hash)
 	if err != nil {
 		return err
 	}
@ -83,120 +80,126 @@ func dumpBalances(cmd *cobra.Command, _ []string) error {
 	printBalances(cmd, "Inner ring nodes balances:", irList)

 	if dumpStorage {
-		arr, err := unwrap.Array(inv.Call(nmHash, "netmap"))
-		if err != nil {
-			return errors.New("can't fetch the list of storage nodes")
-		}
-
-		snList := make([]accBalancePair, len(arr))
-		for i := range arr {
-			node, ok := arr[i].Value().([]stackitem.Item)
-			if !ok || len(node) == 0 {
-				return errors.New("can't parse the list of storage nodes")
-			}
-			bs, err := node[0].TryBytes()
-			if err != nil {
-				return errors.New("can't parse the list of storage nodes")
-			}
-			var ni netmap.NodeInfo
-			if err := ni.Unmarshal(bs); err != nil {
-				return fmt.Errorf("can't parse the list of storage nodes: %w", err)
-			}
-			pub, err := keys.NewPublicKeyFromBytes(ni.PublicKey(), elliptic.P256())
-			if err != nil {
-				return fmt.Errorf("can't parse storage node public key: %w", err)
-			}
-			snList[i].scriptHash = pub.GetScriptHash()
-		}
-
-		if err := fetchBalances(inv, gas.Hash, snList); err != nil {
+		if err := printStorageNodeBalances(cmd, inv, nmHash); err != nil {
 			return err
 		}
-		printBalances(cmd, "\nStorage node balances:", snList)
 	}

 	if dumpProxy {
-		h, err := nnsResolveHash(inv, nnsCs.Hash, proxyContract+".frostfs")
-		if err != nil {
-			return fmt.Errorf("can't get hash of the proxy contract: %w", err)
-		}
-
-		proxyList := []accBalancePair{{scriptHash: h}}
-		if err := fetchBalances(inv, gas.Hash, proxyList); err != nil {
+		if err := printProxyContractBalance(cmd, inv, nnsCs.Hash); err != nil {
 			return err
 		}
-		printBalances(cmd, "\nProxy contract balance:", proxyList)
 	}

 	if dumpAlphabet {
-		alphaList := make([]accBalancePair, len(irList))
-
-		w := io.NewBufBinWriter()
-		for i := range alphaList {
-			emit.AppCall(w.BinWriter, nnsCs.Hash, "resolve", callflag.ReadOnly,
-				getAlphabetNNSDomain(i),
-				int64(nns.TXT))
-		}
-		if w.Err != nil {
-			panic(w.Err)
-		}
-
-		alphaRes, err := c.InvokeScript(w.Bytes(), nil)
-		if err != nil {
-			return fmt.Errorf("can't fetch info from NNS: %w", err)
-		}
-
-		for i := range alphaList {
-			h, err := parseNNSResolveResult(alphaRes.Stack[i])
-			if err != nil {
-				return fmt.Errorf("can't fetch the alphabet contract #%d hash: %w", i, err)
-			}
-			alphaList[i].scriptHash = h
-		}
-
-		if err := fetchBalances(inv, gas.Hash, alphaList); err != nil {
+		if err := printAlphabetContractBalances(cmd, c, inv, len(irList), nnsCs.Hash); err != nil {
 			return err
 		}
-		printBalances(cmd, "\nAlphabet contracts balances:", alphaList)
 	}

 	return nil
 }

-func fetchIRNodes(c Client, nmHash, desigHash util.Uint160) ([]accBalancePair, error) {
-	var irList []accBalancePair
+func printStorageNodeBalances(cmd *cobra.Command, inv *invoker.Invoker, nmHash util.Uint160) error {
+	arr, err := unwrap.Array(inv.Call(nmHash, "netmap"))
+	if err != nil {
+		return errors.New("can't fetch the list of storage nodes")
+	}

+	snList := make([]accBalancePair, len(arr))
+	for i := range arr {
+		node, ok := arr[i].Value().([]stackitem.Item)
+		if !ok || len(node) == 0 {
+			return errors.New("can't parse the list of storage nodes")
+		}
+		bs, err := node[0].TryBytes()
+		if err != nil {
+			return errors.New("can't parse the list of storage nodes")
+		}
+		var ni netmap.NodeInfo
+		if err := ni.Unmarshal(bs); err != nil {
+			return fmt.Errorf("can't parse the list of storage nodes: %w", err)
+		}
+		pub, err := keys.NewPublicKeyFromBytes(ni.PublicKey(), elliptic.P256())
+		if err != nil {
+			return fmt.Errorf("can't parse storage node public key: %w", err)
+		}
+		snList[i].scriptHash = pub.GetScriptHash()
+	}
+
+	if err := fetchBalances(inv, gas.Hash, snList); err != nil {
+		return err
+	}
+
+	printBalances(cmd, "\nStorage node balances:", snList)
+	return nil
+}
+
+func printProxyContractBalance(cmd *cobra.Command, inv *invoker.Invoker, nnsHash util.Uint160) error {
+	h, err := nnsResolveHash(inv, nnsHash, domainOf(proxyContract))
+	if err != nil {
+		return fmt.Errorf("can't get hash of the proxy contract: %w", err)
+	}
+
+	proxyList := []accBalancePair{{scriptHash: h}}
+	if err := fetchBalances(inv, gas.Hash, proxyList); err != nil {
+		return err
+	}
+
+	printBalances(cmd, "\nProxy contract balance:", proxyList)
+	return nil
+}
+
+func printAlphabetContractBalances(cmd *cobra.Command, c Client, inv *invoker.Invoker, count int, nnsHash util.Uint160) error {
+	alphaList := make([]accBalancePair, count)
+
+	w := io.NewBufBinWriter()
+	for i := range alphaList {
+		emit.AppCall(w.BinWriter, nnsHash, "resolve", callflag.ReadOnly,
+			getAlphabetNNSDomain(i),
+			int64(nns.TXT))
+	}
+	if w.Err != nil {
+		panic(w.Err)
+	}
+
+	alphaRes, err := c.InvokeScript(w.Bytes(), nil)
+	if err != nil {
+		return fmt.Errorf("can't fetch info from NNS: %w", err)
+	}
+
+	for i := range alphaList {
+		h, err := parseNNSResolveResult(alphaRes.Stack[i])
+		if err != nil {
+			return fmt.Errorf("can't fetch the alphabet contract #%d hash: %w", i, err)
+		}
+		alphaList[i].scriptHash = h
+	}
+
+	if err := fetchBalances(inv, gas.Hash, alphaList); err != nil {
+		return err
+	}
+
+	printBalances(cmd, "\nAlphabet contracts balances:", alphaList)
+	return nil
+}
+
+func fetchIRNodes(c Client, desigHash util.Uint160) ([]accBalancePair, error) {
 	inv := invoker.New(c, nil)

-	if notaryEnabled {
-		height, err := c.GetBlockCount()
-		if err != nil {
-			return nil, fmt.Errorf("can't get block height: %w", err)
-		}
+	height, err := c.GetBlockCount()
+	if err != nil {
+		return nil, fmt.Errorf("can't get block height: %w", err)
+	}

-		arr, err := getDesignatedByRole(inv, desigHash, noderoles.NeoFSAlphabet, height)
-		if err != nil {
-			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
-		}
+	arr, err := getDesignatedByRole(inv, desigHash, noderoles.NeoFSAlphabet, height)
+	if err != nil {
+		return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
+	}

-		irList = make([]accBalancePair, len(arr))
-		for i := range arr {
-			irList[i].scriptHash = arr[i].GetScriptHash()
-		}
-	} else {
-		arr, err := unwrap.ArrayOfBytes(inv.Call(nmHash, "innerRingList"))
-		if err != nil {
-			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
-		}
-
-		irList = make([]accBalancePair, len(arr))
-		for i := range arr {
-			pub, err := keys.NewPublicKeyFromBytes(arr[i], elliptic.P256())
-			if err != nil {
-				return nil, fmt.Errorf("can't parse IR node public key: %w", err)
-			}
-			irList[i].scriptHash = pub.GetScriptHash()
-		}
+	irList := make([]accBalancePair, len(arr))
+	for i := range arr {
+		irList[i].scriptHash = arr[i].GetScriptHash()
 	}
 	return irList, nil
 }
--- a/cmd/frostfs-adm/internal/modules/morph/config.go
+++ b/cmd/frostfs-adm/internal/modules/morph/config.go
@ -10,12 +10,13 @@ import (
 	"strings"
 	"text/tabwriter"

+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
-	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@ -29,13 +30,14 @@ func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
 	}

 	inv := invoker.New(c, nil)
+	r := management.NewReader(inv)

-	cs, err := c.GetContractStateByID(1)
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}

-	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
+	nmHash, err := nnsResolveHash(inv, cs.Hash, domainOf(netmapContract))
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
@ -48,41 +50,24 @@ func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
 	buf := bytes.NewBuffer(nil)
 	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)

-	for _, param := range arr {
-		tuple, ok := param.Value().([]stackitem.Item)
-		if !ok || len(tuple) != 2 {
-			return errors.New("invalid ListConfig response from netmap contract")
-		}
-
-		k, err := tuple[0].TryBytes()
-		if err != nil {
-			return errors.New("invalid config key from netmap contract")
-		}
-
-		v, err := tuple[1].TryBytes()
-		if err != nil {
-			return invalidConfigValueErr(k)
-		}
-
-		switch string(k) {
-		case netmapAuditFeeKey, netmapBasicIncomeRateKey,
-			netmapContainerFeeKey, netmapContainerAliasFeeKey,
-			netmapEigenTrustIterationsKey,
-			netmapEpochKey, netmapInnerRingCandidateFeeKey,
-			netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
+	m, err := parseConfigFromNetmapContract(arr)
+	if err != nil {
+		return err
+	}
+	for k, v := range m {
+		switch k {
+		case netmap.ContainerFeeConfig, netmap.ContainerAliasFeeConfig,
+			netmap.EpochDurationConfig, netmap.IrCandidateFeeConfig,
+			netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig:
 			nbuf := make([]byte, 8)
 			copy(nbuf[:], v)
 			n := binary.LittleEndian.Uint64(nbuf)
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%d (int)\n", k, n)))
-		case netmapEigenTrustAlphaKey:
-			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (str)\n", k, v)))
-		case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
-			vBool, err := tuple[1].TryBool()
-			if err != nil {
+		case netmap.HomomorphicHashingDisabledKey, netmap.MaintenanceModeAllowedConfig:
+			if len(v) == 0 || len(v) > 1 {
 				return invalidConfigValueErr(k)
 			}
-
-			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%t (bool)\n", k, vBool)))
+			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%t (bool)\n", k, v[0] == 1)))
 		default:
 			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (hex)\n", k, hex.EncodeToString(v))))
 		}
@ -104,12 +89,13 @@ func setConfigCmd(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("can't initialize context: %w", err)
 	}

-	cs, err := wCtx.Client.GetContractStateByID(1)
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}

-	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, domainOf(netmapContract))
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
@ -150,25 +136,14 @@ func parseConfigPair(kvStr string, force bool) (key string, val any, err error)
 	valRaw := v

 	switch key {
-	case netmapAuditFeeKey, netmapBasicIncomeRateKey,
-		netmapContainerFeeKey, netmapContainerAliasFeeKey,
-		netmapEigenTrustIterationsKey,
-		netmapEpochKey, netmapInnerRingCandidateFeeKey,
-		netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
+	case netmap.ContainerFeeConfig, netmap.ContainerAliasFeeConfig,
+		netmap.EpochDurationConfig, netmap.IrCandidateFeeConfig,
+		netmap.MaxObjectSizeConfig, netmap.WithdrawFeeConfig:
 		val, err = strconv.ParseInt(valRaw, 10, 64)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as int: %w", key, valRaw, err)
 		}
-	case netmapEigenTrustAlphaKey:
-		// just check that it could
-		// be parsed correctly
-		_, err = strconv.ParseFloat(v, 64)
-		if err != nil {
-			err = fmt.Errorf("could not parse %s's value '%s' as float: %w", key, valRaw, err)
-		}
-
-		val = valRaw
-	case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
+	case netmap.HomomorphicHashingDisabledKey, netmap.MaintenanceModeAllowedConfig:
 		val, err = strconv.ParseBool(valRaw)
 		if err != nil {
 			err = fmt.Errorf("could not parse %s's value '%s' as bool: %w", key, valRaw, err)
@ -187,6 +162,6 @@ func parseConfigPair(kvStr string, force bool) (key string, val any, err error)
 	return
 }

-func invalidConfigValueErr(key []byte) error {
+func invalidConfigValueErr(key string) error {
 	return fmt.Errorf("invalid %s config value from netmap contract", key)
 }
--- a/cmd/frostfs-adm/internal/modules/morph/container.go
+++ b/cmd/frostfs-adm/internal/modules/morph/container.go
@ -7,10 +7,11 @@ import (
 	"os"
 	"sort"

-	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
@ -22,18 +23,19 @@ import (

 var errInvalidContainerResponse = errors.New("invalid response from container contract")

-func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker, c Client) (util.Uint160, error) {
+func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker) (util.Uint160, error) {
 	s, err := cmd.Flags().GetString(containerContractFlag)
 	var ch util.Uint160
 	if err == nil {
 		ch, err = util.Uint160DecodeStringLE(s)
 	}
 	if err != nil {
-		nnsCs, err := c.GetContractStateByID(1)
+		r := management.NewReader(inv)
+		nnsCs, err := r.GetContractByID(1)
 		if err != nil {
 			return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
 		}
-		ch, err = nnsResolveHash(inv, nnsCs.Hash, containerContract+".frostfs")
+		ch, err = nnsResolveHash(inv, nnsCs.Hash, domainOf(containerContract))
 		if err != nil {
 			return util.Uint160{}, err
 		}
@ -41,16 +43,28 @@ func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker, c Client
 	return ch, nil
 }

-func getContainersList(inv *invoker.Invoker, ch util.Uint160) ([][]byte, error) {
-	res, err := inv.Call(ch, "list", "")
+func iterateContainerList(inv *invoker.Invoker, ch util.Uint160, f func([]byte) error) error {
+	sid, r, err := unwrap.SessionIterator(inv.Call(ch, "containersOf", ""))
 	if err != nil {
-		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
-	itm, err := unwrap.Item(res, err)
-	if _, ok := itm.(stackitem.Null); !ok {
-		return unwrap.ArrayOfBytes(res, err)
+	// Nothing bad, except live session on the server, do not report to the user.
+	defer func() { _ = inv.TerminateSession(sid) }()
+
+	items, err := inv.TraverseIterator(sid, &r, 0)
+	for err == nil && len(items) != 0 {
+		for j := range items {
+			b, err := items[j].TryBytes()
+			if err != nil {
+				return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+			}
+			if err := f(b); err != nil {
+				return err
+			}
+		}
+		items, err = inv.TraverseIterator(sid, &r, 0)
 	}
-	return nil, nil
+	return err
 }

 func dumpContainers(cmd *cobra.Command, _ []string) error {
@ -66,61 +80,86 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {

 	inv := invoker.New(c, nil)

-	ch, err := getContainerContractHash(cmd, inv, c)
+	ch, err := getContainerContractHash(cmd, inv)
 	if err != nil {
 		return fmt.Errorf("unable to get contaract hash: %w", err)
 	}

-	cids, err := getContainersList(inv, ch)
-	if err != nil {
-		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-	}
-
 	isOK, err := getCIDFilterFunc(cmd)
 	if err != nil {
 		return err
 	}

-	var containers []*Container
-	bw := io.NewBufBinWriter()
-	for _, id := range cids {
-		if !isOK(id) {
-			continue
-		}
-		bw.Reset()
-		emit.AppCall(bw.BinWriter, ch, "get", callflag.All, id)
-		emit.AppCall(bw.BinWriter, ch, "eACL", callflag.All, id)
-		res, err := inv.Run(bw.Bytes())
-		if err != nil {
-			return fmt.Errorf("can't get container info: %w", err)
-		}
-		if len(res.Stack) != 2 {
-			return fmt.Errorf("%w: expected 2 items on stack", errInvalidContainerResponse)
-		}
-
-		cnt := new(Container)
-		err = cnt.FromStackItem(res.Stack[0])
-		if err != nil {
-			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-		}
-
-		ea := new(EACL)
-		err = ea.FromStackItem(res.Stack[1])
-		if err != nil {
-			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-		}
-		if len(ea.Value) != 0 {
-			cnt.EACL = ea
-		}
-
-		containers = append(containers, cnt)
-	}
-
-	out, err := json.Marshal(containers)
+	f, err := os.OpenFile(filename, os.O_RDWR|os.O_TRUNC|os.O_CREATE, 0o660)
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filename, out, 0o660)
+	defer f.Close()
+
+	_, err = f.Write([]byte{'['})
+	if err != nil {
+		return err
+	}
+
+	written := 0
+	enc := json.NewEncoder(f)
+	bw := io.NewBufBinWriter()
+	iterErr := iterateContainerList(inv, ch, func(id []byte) error {
+		if !isOK(id) {
+			return nil
+		}
+
+		cnt, err := dumpSingleContainer(bw, ch, inv, id)
+		if err != nil {
+			return err
+		}
+
+		// Writing directly to the file is ok, because json.Encoder does no internal buffering.
+		if written != 0 {
+			_, err = f.Write([]byte{','})
+			if err != nil {
+				return err
+			}
+		}
+
+		written++
+		return enc.Encode(cnt)
+	})
+	if iterErr != nil {
+		return iterErr
+	}
+
+	_, err = f.Write([]byte{']'})
+	return err
+}
+
+func dumpSingleContainer(bw *io.BufBinWriter, ch util.Uint160, inv *invoker.Invoker, id []byte) (*Container, error) {
+	bw.Reset()
+	emit.AppCall(bw.BinWriter, ch, "get", callflag.All, id)
+	emit.AppCall(bw.BinWriter, ch, "eACL", callflag.All, id)
+	res, err := inv.Run(bw.Bytes())
+	if err != nil {
+		return nil, fmt.Errorf("can't get container info: %w", err)
+	}
+	if len(res.Stack) != 2 {
+		return nil, fmt.Errorf("%w: expected 2 items on stack", errInvalidContainerResponse)
+	}
+
+	cnt := new(Container)
+	err = cnt.FromStackItem(res.Stack[0])
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+	}
+
+	ea := new(EACL)
+	err = ea.FromStackItem(res.Stack[1])
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+	}
+	if len(ea.Value) != 0 {
+		cnt.EACL = ea
+	}
+	return cnt, nil
 }

 func listContainers(cmd *cobra.Command, _ []string) error {
@ -131,25 +170,20 @@ func listContainers(cmd *cobra.Command, _ []string) error {

 	inv := invoker.New(c, nil)

-	ch, err := getContainerContractHash(cmd, inv, c)
+	ch, err := getContainerContractHash(cmd, inv)
 	if err != nil {
 		return fmt.Errorf("unable to get contaract hash: %w", err)
 	}

-	cids, err := getContainersList(inv, ch)
-	if err != nil {
-		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-	}
-
-	for _, id := range cids {
+	return iterateContainerList(inv, ch, func(id []byte) error {
 		var idCnr cid.ID
 		err = idCnr.Decode(id)
 		if err != nil {
 			return fmt.Errorf("unable to decode container id: %w", err)
 		}
 		cmd.Println(idCnr)
-	}
-	return nil
+		return nil
+	})
 }

 func restoreContainers(cmd *cobra.Command, _ []string) error {
@ -164,25 +198,14 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 	}
 	defer wCtx.close()

-	nnsCs, err := wCtx.Client.GetContractStateByID(1)
+	containers, err := parseContainers(filename)
 	if err != nil {
-		return fmt.Errorf("can't get NNS contract state: %w", err)
+		return err
 	}

-	ch, err := nnsResolveHash(wCtx.ReadOnlyInvoker, nnsCs.Hash, containerContract+".frostfs")
+	ch, err := fetchContainerContractHash(wCtx)
 	if err != nil {
-		return fmt.Errorf("can't fetch container contract hash: %w", err)
-	}
-
-	data, err := os.ReadFile(filename)
-	if err != nil {
-		return fmt.Errorf("can't read dump file: %w", err)
-	}
-
-	var containers []Container
-	err = json.Unmarshal(data, &containers)
-	if err != nil {
-		return fmt.Errorf("can't parse dump file: %w", err)
+		return err
 	}

 	isOK, err := getCIDFilterFunc(cmd)
@ -190,6 +213,15 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 		return err
 	}

+	err = restoreOrPutContainers(containers, isOK, cmd, wCtx, ch)
+	if err != nil {
+		return err
+	}
+
+	return wCtx.awaitTx()
+}
+
+func restoreOrPutContainers(containers []Container, isOK func([]byte) bool, cmd *cobra.Command, wCtx *initializeContext, ch util.Uint160) error {
 	bw := io.NewBufBinWriter()
 	for _, cnt := range containers {
 		hv := hash.Sha256(cnt.Value)
@ -197,33 +229,18 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 			continue
 		}
 		bw.Reset()
-		emit.AppCall(bw.BinWriter, ch, "get", callflag.All, hv.BytesBE())
-		res, err := wCtx.Client.InvokeScript(bw.Bytes(), nil)
+		restored, err := isContainerRestored(cmd, wCtx, ch, bw, hv)
 		if err != nil {
-			return fmt.Errorf("can't check if container is already restored: %w", err)
+			return err
 		}
-		if len(res.Stack) == 0 {
-			return errors.New("empty stack")
-		}
-
-		old := new(Container)
-		if err := old.FromStackItem(res.Stack[0]); err != nil {
-			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-		}
-		if len(old.Value) != 0 {
-			var id cid.ID
-			id.SetSHA256(hv)
-			cmd.Printf("Container %s is already deployed.\n", id)
+		if restored {
 			continue
 		}

 		bw.Reset()
-		emit.AppCall(bw.BinWriter, ch, "put", callflag.All,
-			cnt.Value, cnt.Signature, cnt.PublicKey, cnt.Token)
-		if ea := cnt.EACL; ea != nil {
-			emit.AppCall(bw.BinWriter, ch, "setEACL", callflag.All,
-				ea.Value, ea.Signature, ea.PublicKey, ea.Token)
-		}
+
+		putContainer(bw, ch, cnt)
+
 		if bw.Err != nil {
 			panic(bw.Err)
 		}
@ -232,8 +249,68 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 			return err
 		}
 	}
+	return nil
+}

-	return wCtx.awaitTx()
+func putContainer(bw *io.BufBinWriter, ch util.Uint160, cnt Container) {
+	emit.AppCall(bw.BinWriter, ch, "put", callflag.All,
+		cnt.Value, cnt.Signature, cnt.PublicKey, cnt.Token)
+	if ea := cnt.EACL; ea != nil {
+		emit.AppCall(bw.BinWriter, ch, "setEACL", callflag.All,
+			ea.Value, ea.Signature, ea.PublicKey, ea.Token)
+	}
+}
+
+func isContainerRestored(cmd *cobra.Command, wCtx *initializeContext, containerHash util.Uint160, bw *io.BufBinWriter, hashValue util.Uint256) (bool, error) {
+	emit.AppCall(bw.BinWriter, containerHash, "get", callflag.All, hashValue.BytesBE())
+	res, err := wCtx.Client.InvokeScript(bw.Bytes(), nil)
+	if err != nil {
+		return false, fmt.Errorf("can't check if container is already restored: %w", err)
+	}
+	if len(res.Stack) == 0 {
+		return false, errors.New("empty stack")
+	}
+
+	old := new(Container)
+	if err := old.FromStackItem(res.Stack[0]); err != nil {
+		return false, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+	}
+	if len(old.Value) != 0 {
+		var id cid.ID
+		id.SetSHA256(hashValue)
+		cmd.Printf("Container %s is already deployed.\n", id)
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func parseContainers(filename string) ([]Container, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, fmt.Errorf("can't read dump file: %w", err)
+	}
+
+	var containers []Container
+	err = json.Unmarshal(data, &containers)
+	if err != nil {
+		return nil, fmt.Errorf("can't parse dump file: %w", err)
+	}
+	return containers, nil
+}
+
+func fetchContainerContractHash(wCtx *initializeContext) (util.Uint160, error) {
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	nnsCs, err := r.GetContractByID(1)
+	if err != nil {
+		return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
+	}
+
+	ch, err := nnsResolveHash(wCtx.ReadOnlyInvoker, nnsCs.Hash, domainOf(containerContract))
+	if err != nil {
+		return util.Uint160{}, fmt.Errorf("can't fetch container contract hash: %w", err)
+	}
+	return ch, nil
 }

 // Container represents container struct in contract storage.
--- a/cmd/frostfs-adm/internal/modules/morph/deploy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/deploy.go
@ -6,7 +6,7 @@ import (
 	"os"
 	"strings"

-	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
 	"github.com/nspcc-dev/neo-go/cli/cmdargs"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
@ -46,10 +46,10 @@ NNS name is taken by stripping '_contract.nef' from the NEF file (similar to fro
 func init() {
 	ff := deployCmd.Flags()

-	ff.String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	ff.String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
 	_ = deployCmd.MarkFlagFilename(alphabetWalletsFlag)

-	ff.StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	ff.StringP(endpointFlag, "r", "", endpointFlagDesc)
 	ff.String(contractPathFlag, "", "Path to the contract directory")
 	_ = deployCmd.MarkFlagFilename(contractPathFlag)

@ -76,7 +76,8 @@ func deployContractCmd(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	nnsCs, err := c.Client.GetContractStateByID(1)
+	r := management.NewReader(c.ReadOnlyInvoker)
+	nnsCs, err := r.GetContractByID(1)
 	if err != nil {
 		return fmt.Errorf("can't fetch NNS contract state: %w", err)
 	}
@ -100,80 +101,88 @@ func deployContractCmd(cmd *cobra.Command, args []string) error {
 			cs.Manifest.Name)
 	}

-	w := io.NewBufBinWriter()
-	if err := emitDeploymentArguments(w.BinWriter, args); err != nil {
+	writer := io.NewBufBinWriter()
+	if err := emitDeploymentArguments(writer.BinWriter, args); err != nil {
 		return err
 	}
-	emit.Bytes(w.BinWriter, cs.RawManifest)
-	emit.Bytes(w.BinWriter, cs.RawNEF)
-	emit.Int(w.BinWriter, 3)
-	emit.Opcodes(w.BinWriter, opcode.PACK)
-	emit.AppCallNoArgs(w.BinWriter, callHash, method, callflag.All)
-	emit.Opcodes(w.BinWriter, opcode.DROP) // contract state on stack
+	emit.Bytes(writer.BinWriter, cs.RawManifest)
+	emit.Bytes(writer.BinWriter, cs.RawNEF)
+	emit.Int(writer.BinWriter, 3)
+	emit.Opcodes(writer.BinWriter, opcode.PACK)
+	emit.AppCallNoArgs(writer.BinWriter, callHash, method, callflag.All)
+	emit.Opcodes(writer.BinWriter, opcode.DROP) // contract state on stack
 	if !isUpdate {
-		bw := io.NewBufBinWriter()
-		emit.Instruction(bw.BinWriter, opcode.INITSSLOT, []byte{1})
-		emit.AppCall(bw.BinWriter, nnsCs.Hash, "getPrice", callflag.All)
-		emit.Opcodes(bw.BinWriter, opcode.STSFLD0)
-		emit.AppCall(bw.BinWriter, nnsCs.Hash, "setPrice", callflag.All, 1)
-
-		start := bw.Len()
-		needRecord := false
-
-		ok, err := c.nnsRootRegistered(nnsCs.Hash, zone)
+		err := registerNNS(nnsCs, c, zone, domain, cs, writer)
 		if err != nil {
 			return err
-		} else if !ok {
-			needRecord = true
-
-			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
-				zone, c.CommitteeAcc.Contract.ScriptHash(),
-				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
-			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
-
-			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
-				domain, c.CommitteeAcc.Contract.ScriptHash(),
-				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
-			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
-		} else {
-			s, ok, err := c.nnsRegisterDomainScript(nnsCs.Hash, cs.Hash, domain)
-			if err != nil {
-				return err
-			}
-			needRecord = !ok
-			if len(s) != 0 {
-				bw.WriteBytes(s)
-			}
-		}
-		if needRecord {
-			emit.AppCall(bw.BinWriter, nnsCs.Hash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
-			emit.AppCall(bw.BinWriter, nnsCs.Hash, "addRecord", callflag.All,
-				domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
-		}
-
-		if bw.Err != nil {
-			panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
-		} else if bw.Len() != start {
-			w.WriteBytes(bw.Bytes())
-			emit.Opcodes(w.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
-			emit.AppCallNoArgs(w.BinWriter, nnsCs.Hash, "setPrice", callflag.All)
-
-			if needRecord {
-				c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
-			}
 		}
 	}

-	if w.Err != nil {
-		panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
+	if writer.Err != nil {
+		panic(fmt.Errorf("BUG: can't create deployment script: %w", writer.Err))
 	}

-	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
+	if err := c.sendCommitteeTx(writer.Bytes(), false); err != nil {
 		return err
 	}
 	return c.awaitTx()
 }

+func registerNNS(nnsCs *state.Contract, c *initializeContext, zone string, domain string, cs *contractState, writer *io.BufBinWriter) error {
+	bw := io.NewBufBinWriter()
+	emit.Instruction(bw.BinWriter, opcode.INITSSLOT, []byte{1})
+	emit.AppCall(bw.BinWriter, nnsCs.Hash, "getPrice", callflag.All)
+	emit.Opcodes(bw.BinWriter, opcode.STSFLD0)
+	emit.AppCall(bw.BinWriter, nnsCs.Hash, "setPrice", callflag.All, 1)
+
+	start := bw.Len()
+	needRecord := false
+
+	ok, err := c.nnsRootRegistered(nnsCs.Hash, zone)
+	if err != nil {
+		return err
+	} else if !ok {
+		needRecord = true
+
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
+			zone, c.CommitteeAcc.Contract.ScriptHash(),
+			frostfsOpsEmail, int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
+			domain, c.CommitteeAcc.Contract.ScriptHash(),
+			frostfsOpsEmail, int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+	} else {
+		s, ok, err := c.nnsRegisterDomainScript(nnsCs.Hash, cs.Hash, domain)
+		if err != nil {
+			return err
+		}
+		needRecord = !ok
+		if len(s) != 0 {
+			bw.WriteBytes(s)
+		}
+	}
+	if needRecord {
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "addRecord", callflag.All,
+			domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
+	}
+
+	if bw.Err != nil {
+		panic(fmt.Errorf("BUG: can't create deployment script: %w", writer.Err))
+	} else if bw.Len() != start {
+		writer.WriteBytes(bw.Bytes())
+		emit.Opcodes(writer.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
+		emit.AppCallNoArgs(writer.BinWriter, nnsCs.Hash, "setPrice", callflag.All)
+
+		if needRecord {
+			c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
+		}
+	}
+	return nil
+}
+
 func emitDeploymentArguments(w *io.BinWriter, args []string) error {
 	_, ps, err := cmdargs.ParseParams(args, true)
 	if err != nil {
--- a/cmd/frostfs-adm/internal/modules/morph/download.go
+++ b/cmd/frostfs-adm/internal/modules/morph/download.go
@ -1,40 +0,0 @@
-package morph
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-
-	"github.com/google/go-github/v39/github"
-	"github.com/spf13/cobra"
-)
-
-func downloadContractsFromGithub(cmd *cobra.Command) (io.ReadCloser, error) {
-	gcl := github.NewClient(nil)
-	release, _, err := gcl.Repositories.GetLatestRelease(context.Background(), "nspcc-dev", "frostfs-contract")
-	if err != nil {
-		return nil, fmt.Errorf("can't fetch release info: %w", err)
-	}
-
-	cmd.Printf("Found %s (%s), downloading...\n", release.GetTagName(), release.GetName())
-
-	var url string
-	for _, a := range release.Assets {
-		if strings.HasPrefix(a.GetName(), "frostfs-contract") {
-			url = a.GetBrowserDownloadURL()
-			break
-		}
-	}
-	if url == "" {
-		return nil, errors.New("can't find contracts archive in release assets")
-	}
-
-	resp, err := http.Get(url)
-	if err != nil {
-		return nil, fmt.Errorf("can't fetch contracts archive: %w", err)
-	}
-	return resp.Body, nil
-}
--- a/cmd/frostfs-adm/internal/modules/morph/dump_hashes.go
+++ b/cmd/frostfs-adm/internal/modules/morph/dump_hashes.go
@ -7,10 +7,13 @@ import (
 	"strings"
 	"text/tabwriter"

-	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
+	morphClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
@ -35,7 +38,8 @@ func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

-	cs, err := c.GetContractStateByID(1)
+	r := management.NewReader(invoker.New(c, nil))
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return err
 	}
@ -84,7 +88,7 @@ func dumpContractHashes(cmd *cobra.Command, _ []string) error {
 	for _, ctrName := range contractList {
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
-			ctrName+".frostfs", int64(nns.TXT))
+			domainOf(ctrName), int64(nns.TXT))

 		res, err := c.InvokeScript(bw.Bytes(), nil)
 		if err != nil {
@ -123,7 +127,7 @@ func dumpCustomZoneHashes(cmd *cobra.Command, nnsHash util.Uint160, zone string,
 			return
 		}

-		if !bytes.HasSuffix(bs, []byte(zone)) {
+		if !bytes.HasSuffix(bs, []byte(zone)) || bytes.HasPrefix(bs, []byte(morphClient.NNSGroupKeyName)) {
 			// Related https://github.com/nspcc-dev/neofs-contract/issues/316.
 			return
 		}
@ -140,7 +144,12 @@ func dumpCustomZoneHashes(cmd *cobra.Command, nnsHash util.Uint160, zone string,
 		})
 	}

-	sessionID, iter, err := unwrap.SessionIterator(inv.Call(nnsHash, "tokens"))
+	script, err := smartcontract.CreateCallAndPrefetchIteratorScript(nnsHash, "tokens", nnsMaxTokens)
+	if err != nil {
+		return fmt.Errorf("create prefetch script: %w", err)
+	}
+
+	arr, sessionID, iter, err := unwrap.ArrayAndSessionIterator(inv.Run(script))
 	if err != nil {
 		if errors.Is(err, unwrap.ErrNoSessionID) {
 			items, err := unwrap.Array(inv.CallAndExpandIterator(nnsHash, "tokens", nnsMaxTokens))
@ -157,6 +166,10 @@ func dumpCustomZoneHashes(cmd *cobra.Command, nnsHash util.Uint160, zone string,
 			return err
 		}
 	} else {
+		for i := range arr {
+			processItem(arr[i])
+		}
+
 		defer func() {
 			_ = inv.TerminateSession(sessionID)
 		}()
--- a/cmd/frostfs-adm/internal/modules/morph/epoch.go
+++ b/cmd/frostfs-adm/internal/modules/morph/epoch.go
@ -3,8 +3,10 @@ package morph
 import (
 	"errors"
 	"fmt"
+	"strings"

 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
@ -13,18 +15,19 @@ import (
 	"github.com/spf13/viper"
 )

-func forceNewEpochCmd(cmd *cobra.Command, args []string) error {
+func forceNewEpochCmd(cmd *cobra.Command, _ []string) error {
 	wCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't to initialize context: %w", err)
 	}

-	cs, err := wCtx.Client.GetContractStateByID(1)
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}

-	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, domainOf(netmapContract))
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
@ -38,7 +41,14 @@ func forceNewEpochCmd(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	return wCtx.awaitTx()
+	if err := wCtx.awaitTx(); err != nil {
+		if strings.Contains(err.Error(), "invalid epoch") {
+			cmd.Println("Epoch has already ticked.")
+			return nil
+		}
+		return err
+	}
+	return nil
 }

 func emitNewEpochCall(bw *io.BufBinWriter, wCtx *initializeContext, nmHash util.Uint160) error {
--- a/cmd/frostfs-adm/internal/modules/morph/frostfsid.go
+++ b/cmd/frostfs-adm/internal/modules/morph/frostfsid.go
@ -0,0 +1,460 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+
+	frostfsidclient "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	namespaceFlag      = "namespace"
+	subjectNameFlag    = "subject-name"
+	subjectKeyFlag     = "subject-key"
+	subjectAddressFlag = "subject-address"
+	includeNamesFlag   = "include-names"
+	groupNameFlag      = "group-name"
+	groupIDFlag        = "group-id"
+)
+
+const rootNamespacePlaceholder = "<root>"
+
+var (
+	frostfsidCmd = &cobra.Command{
+		Use:   "frostfsid",
+		Short: "Section for frostfsid interactions commands",
+	}
+
+	frostfsidCreateNamespaceCmd = &cobra.Command{
+		Use:   "create-namespace",
+		Short: "Create new namespace in frostfsid contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidCreateNamespace,
+	}
+
+	frostfsidListNamespacesCmd = &cobra.Command{
+		Use:   "list-namespaces",
+		Short: "List all namespaces in frostfsid",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidListNamespaces,
+	}
+
+	frostfsidCreateSubjectCmd = &cobra.Command{
+		Use:   "create-subject",
+		Short: "Create subject in frostfsid contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidCreateSubject,
+	}
+
+	frostfsidDeleteSubjectCmd = &cobra.Command{
+		Use:   "delete-subject",
+		Short: "Delete subject from frostfsid contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidDeleteSubject,
+	}
+
+	frostfsidListSubjectsCmd = &cobra.Command{
+		Use:   "list-subjects",
+		Short: "List subjects in namespace",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidListSubjects,
+	}
+
+	frostfsidCreateGroupCmd = &cobra.Command{
+		Use:   "create-group",
+		Short: "Create group in frostfsid contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidCreateGroup,
+	}
+
+	frostfsidDeleteGroupCmd = &cobra.Command{
+		Use:   "delete-group",
+		Short: "Delete group from frostfsid contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidDeleteGroup,
+	}
+
+	frostfsidListGroupsCmd = &cobra.Command{
+		Use:   "list-groups",
+		Short: "List groups in namespace",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidListGroups,
+	}
+
+	frostfsidAddSubjectToGroupCmd = &cobra.Command{
+		Use:   "add-subject-to-group",
+		Short: "Add subject to group",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidAddSubjectToGroup,
+	}
+
+	frostfsidRemoveSubjectFromGroupCmd = &cobra.Command{
+		Use:   "remove-subject-from-group",
+		Short: "Remove subject from group",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidRemoveSubjectFromGroup,
+	}
+
+	frostfsidListGroupSubjectsCmd = &cobra.Command{
+		Use:   "list-group-subjects",
+		Short: "List subjects in group",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: frostfsidListGroupSubjects,
+	}
+)
+
+func initFrostfsIDCreateNamespaceCmd() {
+	frostfsidCmd.AddCommand(frostfsidCreateNamespaceCmd)
+	frostfsidCreateNamespaceCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidCreateNamespaceCmd.Flags().String(namespaceFlag, "", "Namespace name to create")
+}
+
+func initFrostfsIDListNamespacesCmd() {
+	frostfsidCmd.AddCommand(frostfsidListNamespacesCmd)
+	frostfsidListNamespacesCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+}
+
+func initFrostfsIDCreateSubjectCmd() {
+	frostfsidCmd.AddCommand(frostfsidCreateSubjectCmd)
+	frostfsidCreateSubjectCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidCreateSubjectCmd.Flags().String(namespaceFlag, "", "Namespace where create subject")
+	frostfsidCreateSubjectCmd.Flags().String(subjectNameFlag, "", "Subject name, must be unique in namespace")
+	frostfsidCreateSubjectCmd.Flags().String(subjectKeyFlag, "", "Subject hex-encoded public key")
+}
+
+func initFrostfsIDDeleteSubjectCmd() {
+	frostfsidCmd.AddCommand(frostfsidDeleteSubjectCmd)
+	frostfsidDeleteSubjectCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidDeleteSubjectCmd.Flags().String(subjectAddressFlag, "", "Subject address")
+}
+
+func initFrostfsIDListSubjectsCmd() {
+	frostfsidCmd.AddCommand(frostfsidListSubjectsCmd)
+	frostfsidListSubjectsCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidListSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace to list subjects")
+	frostfsidListSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
+}
+
+func initFrostfsIDCreateGroupCmd() {
+	frostfsidCmd.AddCommand(frostfsidCreateGroupCmd)
+	frostfsidCreateGroupCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidCreateGroupCmd.Flags().String(namespaceFlag, "", "Namespace where create group")
+	frostfsidCreateGroupCmd.Flags().String(groupNameFlag, "", "Group name, must be unique in namespace")
+}
+
+func initFrostfsIDDeleteGroupCmd() {
+	frostfsidCmd.AddCommand(frostfsidDeleteGroupCmd)
+	frostfsidDeleteGroupCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidDeleteGroupCmd.Flags().String(namespaceFlag, "", "Namespace to delete group")
+	frostfsidDeleteGroupCmd.Flags().Int64(groupIDFlag, 0, "Group id")
+}
+
+func initFrostfsIDListGroupsCmd() {
+	frostfsidCmd.AddCommand(frostfsidListGroupsCmd)
+	frostfsidListGroupsCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidListGroupsCmd.Flags().String(namespaceFlag, "", "Namespace to list groups")
+}
+
+func initFrostfsIDAddSubjectToGroupCmd() {
+	frostfsidCmd.AddCommand(frostfsidAddSubjectToGroupCmd)
+	frostfsidAddSubjectToGroupCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidAddSubjectToGroupCmd.Flags().String(subjectAddressFlag, "", "Subject address")
+	frostfsidAddSubjectToGroupCmd.Flags().Int64(groupIDFlag, 0, "Group id")
+}
+
+func initFrostfsIDRemoveSubjectFromGroupCmd() {
+	frostfsidCmd.AddCommand(frostfsidRemoveSubjectFromGroupCmd)
+	frostfsidRemoveSubjectFromGroupCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidRemoveSubjectFromGroupCmd.Flags().String(subjectAddressFlag, "", "Subject address")
+	frostfsidRemoveSubjectFromGroupCmd.Flags().Int64(groupIDFlag, 0, "Group id")
+}
+
+func initFrostfsIDListGroupSubjectsCmd() {
+	frostfsidCmd.AddCommand(frostfsidListGroupSubjectsCmd)
+	frostfsidListGroupSubjectsCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	frostfsidListGroupSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace name")
+	frostfsidListGroupSubjectsCmd.Flags().Int64(groupIDFlag, 0, "Group id")
+	frostfsidListGroupSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
+}
+
+func frostfsidCreateNamespace(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.CreateNamespaceCall(ns))
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "create namespace error: %w", err)
+}
+
+func frostfsidListNamespaces(cmd *cobra.Command, _ []string) {
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+
+	namespaces, err := ffsid.roCli.ListNamespaces()
+	commonCmd.ExitOnErr(cmd, "list namespaces: %w", err)
+
+	sort.Slice(namespaces, func(i, j int) bool { return namespaces[i].Name < namespaces[j].Name })
+
+	for _, namespace := range namespaces {
+		if namespace.Name == "" {
+			namespace.Name = rootNamespacePlaceholder
+		}
+		cmd.Printf("%s\n", namespace.Name)
+	}
+}
+
+func frostfsidCreateSubject(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+	subjName := getFrostfsIDSubjectName(cmd)
+	subjKey := getFrostfsIDSubjectKey(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.CreateSubjectCall(ns, subjKey))
+	if subjName != "" {
+		ffsid.addCall(ffsid.roCli.SetSubjectNameCall(subjKey.GetScriptHash(), subjName))
+	}
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "create subject: %w", err)
+}
+
+func frostfsidDeleteSubject(cmd *cobra.Command, _ []string) {
+	subjectAddress := getFrostfsIDSubjectAddress(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.DeleteSubjectCall(subjectAddress))
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "delete subject error: %w", err)
+}
+
+func frostfsidListSubjects(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+	includeNames, _ := cmd.Flags().GetBool(includeNamesFlag)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+
+	subAddresses, err := ffsid.roCli.ListNamespaceSubjects(ns)
+	commonCmd.ExitOnErr(cmd, "list subjects: %w", err)
+
+	sort.Slice(subAddresses, func(i, j int) bool { return subAddresses[i].Less(subAddresses[j]) })
+
+	for _, addr := range subAddresses {
+		if !includeNames {
+			cmd.Println(address.Uint160ToString(addr))
+			continue
+		}
+
+		subj, err := ffsid.roCli.GetSubject(addr)
+		commonCmd.ExitOnErr(cmd, "get subject: %w", err)
+
+		cmd.Printf("%s (%s)\n", address.Uint160ToString(addr), subj.Name)
+	}
+}
+
+func frostfsidCreateGroup(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+	groupName := getFrostfsIDGroupName(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.CreateGroupCall(ns, groupName))
+
+	groupID, err := ffsid.roCli.ParseGroupID(ffsid.sendWaitRes())
+	commonCmd.ExitOnErr(cmd, "create group: %w", err)
+
+	cmd.Printf("group '%s' created with id: %d\n", groupName, groupID)
+}
+
+func frostfsidDeleteGroup(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+	groupID := getFrostfsIDGroupID(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.DeleteGroupCall(ns, groupID))
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "delete group error: %w", err)
+}
+
+func frostfsidListGroups(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract invoker: %w", err)
+
+	groups, err := ffsid.roCli.ListGroups(ns)
+	commonCmd.ExitOnErr(cmd, "list groups: %w", err)
+
+	sort.Slice(groups, func(i, j int) bool { return groups[i].Name < groups[j].Name })
+
+	for _, group := range groups {
+		cmd.Printf("%s (%d)\n", group.Name, group.ID)
+	}
+}
+
+func frostfsidAddSubjectToGroup(cmd *cobra.Command, _ []string) {
+	subjectAddress := getFrostfsIDSubjectAddress(cmd)
+	groupID := getFrostfsIDGroupID(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.AddSubjectToGroupCall(subjectAddress, groupID))
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "add subject to group error: %w", err)
+}
+
+func frostfsidRemoveSubjectFromGroup(cmd *cobra.Command, _ []string) {
+	subjectAddress := getFrostfsIDSubjectAddress(cmd)
+	groupID := getFrostfsIDGroupID(cmd)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	ffsid.addCall(ffsid.roCli.RemoveSubjectFromGroupCall(subjectAddress, groupID))
+
+	err = ffsid.sendWait()
+	commonCmd.ExitOnErr(cmd, "remove subject from group error: %w", err)
+}
+
+func frostfsidListGroupSubjects(cmd *cobra.Command, _ []string) {
+	ns := getFrostfsIDNamespace(cmd)
+	groupID := getFrostfsIDGroupID(cmd)
+	includeNames, _ := cmd.Flags().GetBool(includeNamesFlag)
+
+	ffsid, err := newFrostfsIDClient(cmd)
+	commonCmd.ExitOnErr(cmd, "init contract client: %w", err)
+
+	subjects, err := ffsid.roCli.ListGroupSubjects(ns, groupID)
+	commonCmd.ExitOnErr(cmd, "list group subjects: %w", err)
+
+	sort.Slice(subjects, func(i, j int) bool { return subjects[i].Less(subjects[j]) })
+
+	for _, subjAddr := range subjects {
+		if !includeNames {
+			cmd.Println(address.Uint160ToString(subjAddr))
+			continue
+		}
+
+		subj, err := ffsid.roCli.GetSubject(subjAddr)
+		commonCmd.ExitOnErr(cmd, "get subject: %w", err)
+
+		cmd.Printf("%s (%s)\n", address.Uint160ToString(subjAddr), subj.Name)
+	}
+}
+
+type frostfsidClient struct {
+	bw           *io.BufBinWriter
+	contractHash util.Uint160
+	roCli        *frostfsidclient.Client // client can be used only for waiting tx, parsing and forming method params
+	wCtx         *initializeContext
+}
+
+func newFrostfsIDClient(cmd *cobra.Command) (*frostfsidClient, error) {
+	wCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return nil, fmt.Errorf("can't to initialize context: %w", err)
+	}
+
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
+	if err != nil {
+		return nil, fmt.Errorf("can't get NNS contract info: %w", err)
+	}
+
+	ffsidHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, domainOf(frostfsIDContract))
+	if err != nil {
+		return nil, fmt.Errorf("can't get proxy contract hash: %w", err)
+	}
+
+	return &frostfsidClient{
+		bw:           io.NewBufBinWriter(),
+		contractHash: ffsidHash,
+		roCli:        frostfsidclient.NewSimple(wCtx.CommitteeAct, ffsidHash),
+		wCtx:         wCtx,
+	}, nil
+}
+
+func (f *frostfsidClient) addCall(method string, args []any) {
+	emit.AppCall(f.bw.BinWriter, f.contractHash, method, callflag.All, args...)
+}
+
+func (f *frostfsidClient) sendWait() error {
+	if err := f.wCtx.sendConsensusTx(f.bw.Bytes()); err != nil {
+		return err
+	}
+	f.bw.Reset()
+
+	return f.wCtx.awaitTx()
+}
+
+func (f *frostfsidClient) sendWaitRes() (*state.AppExecResult, error) {
+	if err := f.wCtx.sendConsensusTx(f.bw.Bytes()); err != nil {
+		return nil, err
+	}
+	f.bw.Reset()
+
+	if len(f.wCtx.SentTxs) == 0 {
+		return nil, errors.New("no transactions to wait")
+	}
+
+	f.wCtx.Command.Println("Waiting for transactions to persist...")
+	return f.roCli.Wait(f.wCtx.SentTxs[0].hash, f.wCtx.SentTxs[0].vub, nil)
+}
--- a/cmd/frostfs-adm/internal/modules/morph/frostfsid_util.go
+++ b/cmd/frostfs-adm/internal/modules/morph/frostfsid_util.go
@ -0,0 +1,109 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	frostfsidSubjectNameRegexp = regexp.MustCompile(`^[\w+=,.@-]{1,64}$`)
+	frostfsidGroupNameRegexp   = regexp.MustCompile(`^[\w+=,.@-]{1,128}$`)
+
+	// frostfsidNamespaceNameRegexp similar to https://git.frostfs.info/TrueCloudLab/frostfs-contract/src/commit/f2a82aa635aa57d9b05092d8cf15b170b53cc324/nns/nns_contract.go#L690
+	frostfsidNamespaceNameRegexp = regexp.MustCompile(`(^$)|(^[a-z0-9]{1,2}$)|(^[a-z0-9][a-z0-9-]{1,48}[a-z0-9]$)`)
+)
+
+func getFrostfsIDAdmin(v *viper.Viper) (util.Uint160, bool, error) {
+	admin := v.GetString(frostfsIDAdminConfigKey)
+	if admin == "" {
+		return util.Uint160{}, false, nil
+	}
+
+	h, err := address.StringToUint160(admin)
+	if err == nil {
+		return h, true, nil
+	}
+
+	h, err = util.Uint160DecodeStringLE(admin)
+	if err == nil {
+		return h, true, nil
+	}
+
+	pk, err := keys.NewPublicKeyFromString(admin)
+	if err == nil {
+		return pk.GetScriptHash(), true, nil
+	}
+	return util.Uint160{}, true, fmt.Errorf("frostfsid: admin is invalid: '%s'", admin)
+}
+
+func getFrostfsIDSubjectKey(cmd *cobra.Command) *keys.PublicKey {
+	subjKeyHex, _ := cmd.Flags().GetString(subjectKeyFlag)
+	subjKey, err := keys.NewPublicKeyFromString(subjKeyHex)
+	commonCmd.ExitOnErr(cmd, "invalid subject key: %w", err)
+	return subjKey
+}
+
+func getFrostfsIDSubjectAddress(cmd *cobra.Command) util.Uint160 {
+	subjAddress, _ := cmd.Flags().GetString(subjectAddressFlag)
+	subjAddr, err := address.StringToUint160(subjAddress)
+	commonCmd.ExitOnErr(cmd, "invalid subject address: %w", err)
+	return subjAddr
+}
+
+func getFrostfsIDSubjectName(cmd *cobra.Command) string {
+	subjectName, _ := cmd.Flags().GetString(subjectNameFlag)
+
+	if subjectName == "" {
+		return ""
+	}
+
+	if !frostfsidSubjectNameRegexp.MatchString(subjectName) {
+		commonCmd.ExitOnErr(cmd, "invalid subject name: %w",
+			fmt.Errorf("name must match regexp: %s", frostfsidSubjectNameRegexp.String()))
+	}
+
+	return subjectName
+}
+
+func getFrostfsIDGroupName(cmd *cobra.Command) string {
+	groupName, _ := cmd.Flags().GetString(groupNameFlag)
+
+	if !frostfsidGroupNameRegexp.MatchString(groupName) {
+		commonCmd.ExitOnErr(cmd, "invalid group name: %w",
+			fmt.Errorf("name must match regexp: %s", frostfsidGroupNameRegexp.String()))
+	}
+
+	return groupName
+}
+
+func getFrostfsIDGroupID(cmd *cobra.Command) int64 {
+	groupID, _ := cmd.Flags().GetInt64(groupIDFlag)
+	if groupID <= 0 {
+		commonCmd.ExitOnErr(cmd, "invalid group id: %w",
+			errors.New("group id must be positive integer"))
+	}
+
+	return groupID
+}
+
+func getFrostfsIDNamespace(cmd *cobra.Command) string {
+	ns, _ := cmd.Flags().GetString(namespaceFlag)
+	if ns == rootNamespacePlaceholder {
+		ns = ""
+	}
+
+	if !frostfsidNamespaceNameRegexp.MatchString(ns) {
+		commonCmd.ExitOnErr(cmd, "invalid namespace: %w",
+			fmt.Errorf("name must match regexp: %s", frostfsidNamespaceNameRegexp.String()))
+	}
+
+	return ns
+}
--- a/cmd/frostfs-adm/internal/modules/morph/frostfsid_util_test.go
+++ b/cmd/frostfs-adm/internal/modules/morph/frostfsid_util_test.go
@ -0,0 +1,172 @@
+package morph
+
+import (
+	"encoding/hex"
+	"testing"
+
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFrostfsIDConfig(t *testing.T) {
+	pks := make([]*keys.PrivateKey, 4)
+	for i := range pks {
+		pk, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		pks[i] = pk
+	}
+
+	fmts := []string{
+		pks[0].GetScriptHash().StringLE(),
+		address.Uint160ToString(pks[1].GetScriptHash()),
+		hex.EncodeToString(pks[2].PublicKey().UncompressedBytes()),
+		hex.EncodeToString(pks[3].PublicKey().Bytes()),
+	}
+
+	for i := range fmts {
+		v := viper.New()
+		v.Set("frostfsid.admin", fmts[i])
+
+		actual, found, err := getFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.True(t, found)
+		require.Equal(t, pks[i].GetScriptHash(), actual)
+	}
+
+	t.Run("bad key", func(t *testing.T) {
+		v := viper.New()
+		v.Set("frostfsid.admin", "abc")
+
+		_, found, err := getFrostfsIDAdmin(v)
+		require.Error(t, err)
+		require.True(t, found)
+	})
+	t.Run("missing key", func(t *testing.T) {
+		v := viper.New()
+
+		_, found, err := getFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.False(t, found)
+	})
+}
+
+func TestNamespaceRegexp(t *testing.T) {
+	for _, tc := range []struct {
+		name      string
+		namespace string
+		matched   bool
+	}{
+		{
+			name:      "root empty ns",
+			namespace: "",
+			matched:   true,
+		},
+		{
+			name:      "simple valid ns",
+			namespace: "my-namespace-123",
+			matched:   true,
+		},
+		{
+			name:      "root placeholder",
+			namespace: "<root>",
+			matched:   false,
+		},
+		{
+			name:      "too long",
+			namespace: "abcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyz",
+			matched:   false,
+		},
+		{
+			name:      "start with hyphen",
+			namespace: "-ns",
+			matched:   false,
+		},
+		{
+			name:      "end with hyphen",
+			namespace: "ns-",
+			matched:   false,
+		},
+		{
+			name:      "with spaces",
+			namespace: "ns ns",
+			matched:   false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			require.Equal(t, tc.matched, frostfsidNamespaceNameRegexp.MatchString(tc.namespace))
+		})
+	}
+}
+
+func TestSubjectNameRegexp(t *testing.T) {
+	for _, tc := range []struct {
+		name    string
+		subject string
+		matched bool
+	}{
+		{
+			name:    "empty",
+			subject: "",
+			matched: false,
+		},
+		{
+			name:    "invalid",
+			subject: "invalid{name}",
+			matched: false,
+		},
+		{
+			name:    "too long",
+			subject: "abcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyz",
+			matched: false,
+		},
+		{
+			name:    "valid",
+			subject: "valid_name.012345@6789",
+			matched: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			require.Equal(t, tc.matched, frostfsidSubjectNameRegexp.MatchString(tc.subject))
+		})
+	}
+}
+
+func TestSubjectGroupRegexp(t *testing.T) {
+	for _, tc := range []struct {
+		name    string
+		subject string
+		matched bool
+	}{
+		{
+			name:    "empty",
+			subject: "",
+			matched: false,
+		},
+		{
+			name:    "invalid",
+			subject: "invalid{name}",
+			matched: false,
+		},
+		{
+			name:    "too long",
+			subject: "abcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyz",
+			matched: false,
+		},
+		{
+			name:    "long",
+			subject: "abcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyzabcdefghijklmnopkrstuvwxyz",
+			matched: true,
+		},
+		{
+			name:    "valid",
+			subject: "valid_name.012345@6789",
+			matched: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			require.Equal(t, tc.matched, frostfsidGroupNameRegexp.MatchString(tc.subject))
+		})
+	}
+}
--- a/cmd/frostfs-adm/internal/modules/morph/generate.go
+++ b/cmd/frostfs-adm/internal/modules/morph/generate.go
@ -6,8 +6,8 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
@ -21,6 +21,7 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"golang.org/x/sync/errgroup"
 )

 const (
@ -29,7 +30,7 @@ const (
 	consensusAccountName = "consensus"
 )

-func generateAlphabetCreds(cmd *cobra.Command, args []string) error {
+func generateAlphabetCreds(cmd *cobra.Command, _ []string) error {
 	// alphabet size is not part of the config
 	size, err := cmd.Flags().GetUint(alphabetSizeFlag)
 	if err != nil {
@ -38,6 +39,9 @@ func generateAlphabetCreds(cmd *cobra.Command, args []string) error {
 	if size == 0 {
 		return errors.New("size must be > 0")
 	}
+	if size > maxAlphabetNodes {
+		return ErrTooManyAlphabetNodes
+	}

 	v := viper.GetViper()
 	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
@ -72,7 +76,7 @@ func initializeWallets(v *viper.Viper, walletDir string, size int) ([]string, er
 		}

 		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
-		f, err := os.OpenFile(p, os.O_CREATE, 0644)
+		f, err := os.OpenFile(p, os.O_CREATE, 0o644)
 		if err != nil {
 			return nil, fmt.Errorf("can't create wallet file: %w", err)
 		}
@ -92,28 +96,31 @@ func initializeWallets(v *viper.Viper, walletDir string, size int) ([]string, er
 		pubs[i] = w.Accounts[0].PrivateKey().PublicKey()
 	}

+	var errG errgroup.Group
+
 	// Create committee account with N/2+1 multi-signature.
 	majCount := smartcontract.GetMajorityHonestNodeCount(size)
-	for i, w := range wallets {
-		if err := addMultisigAccount(w, majCount, committeeAccountName, passwords[i], pubs); err != nil {
-			return nil, fmt.Errorf("can't create committee account: %w", err)
-		}
-	}
-
 	// Create consensus account with 2*N/3+1 multi-signature.
 	bftCount := smartcontract.GetDefaultHonestNodeCount(size)
-	for i, w := range wallets {
-		if err := addMultisigAccount(w, bftCount, consensusAccountName, passwords[i], pubs); err != nil {
-			return nil, fmt.Errorf("can't create consensus account: %w", err)
-		}
+	for i := range wallets {
+		i := i
+		ps := pubs.Copy()
+		errG.Go(func() error {
+			if err := addMultisigAccount(wallets[i], majCount, committeeAccountName, passwords[i], ps); err != nil {
+				return fmt.Errorf("can't create committee account: %w", err)
+			}
+			if err := addMultisigAccount(wallets[i], bftCount, consensusAccountName, passwords[i], ps); err != nil {
+				return fmt.Errorf("can't create consentus account: %w", err)
+			}
+			if err := wallets[i].SavePretty(); err != nil {
+				return fmt.Errorf("can't save wallet: %w", err)
+			}
+			return nil
+		})
 	}
-
-	for _, w := range wallets {
-		if err := w.SavePretty(); err != nil {
-			return nil, fmt.Errorf("can't save wallet: %w", err)
-		}
+	if err := errG.Wait(); err != nil {
+		return nil, err
 	}
-
 	return passwords, nil
 }

--- a/cmd/frostfs-adm/internal/modules/morph/generate_test.go
+++ b/cmd/frostfs-adm/internal/modules/morph/generate_test.go
@ -7,9 +7,10 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"sync"
 	"testing"

-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
@ -71,24 +72,32 @@ func TestGenerateAlphabet(t *testing.T) {
 	buf.WriteString(testContractPassword + "\r")
 	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))

+	var wg sync.WaitGroup
 	for i := uint64(0); i < size; i++ {
-		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
-		w, err := wallet.NewWalletFromFile(p)
-		require.NoError(t, err, "wallet doesn't exist")
-		require.Equal(t, 3, len(w.Accounts), "not all accounts were created")
-		for _, a := range w.Accounts {
-			err := a.Decrypt(strconv.FormatUint(i, 10), keys.NEP2ScryptParams())
-			require.NoError(t, err, "can't decrypt account")
-			switch a.Label {
-			case consensusAccountName:
-				require.Equal(t, smartcontract.GetDefaultHonestNodeCount(size), len(a.Contract.Parameters))
-			case committeeAccountName:
-				require.Equal(t, smartcontract.GetMajorityHonestNodeCount(size), len(a.Contract.Parameters))
-			default:
-				require.Equal(t, singleAccountName, a.Label)
+		i := i
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
+			w, err := wallet.NewWalletFromFile(p)
+			require.NoError(t, err, "wallet doesn't exist")
+			require.Equal(t, 3, len(w.Accounts), "not all accounts were created")
+
+			for _, a := range w.Accounts {
+				err := a.Decrypt(strconv.FormatUint(i, 10), keys.NEP2ScryptParams())
+				require.NoError(t, err, "can't decrypt account")
+				switch a.Label {
+				case consensusAccountName:
+					require.Equal(t, smartcontract.GetDefaultHonestNodeCount(size), len(a.Contract.Parameters))
+				case committeeAccountName:
+					require.Equal(t, smartcontract.GetMajorityHonestNodeCount(size), len(a.Contract.Parameters))
+				default:
+					require.Equal(t, singleAccountName, a.Label)
+				}
 			}
-		}
+		}()
 	}
+	wg.Wait()

 	t.Run("check contract group wallet", func(t *testing.T) {
 		p := filepath.Join(walletDir, contractWalletFilename)
--- a/cmd/frostfs-adm/internal/modules/morph/group.go
+++ b/cmd/frostfs-adm/internal/modules/morph/group.go
@ -6,7 +6,7 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
 	"github.com/nspcc-dev/neo-go/pkg/util"
--- a/cmd/frostfs-adm/internal/modules/morph/initialize.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize.go
@ -4,17 +4,17 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"path/filepath"
 	"time"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
-	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	morphClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
@ -23,6 +23,13 @@ import (
 	"github.com/spf13/viper"
 )

+const (
+	// maxAlphabetNodes is the maximum number of candidates allowed, which is currently limited by the size
+	// of the invocation script.
+	// See: https://github.com/nspcc-dev/neo-go/blob/740488f7f35e367eaa99a71c0a609c315fe2b0fc/pkg/core/transaction/witness.go#L10
+	maxAlphabetNodes = 22
+)
+
 type cache struct {
 	nnsCs    *state.Contract
 	groupKey *keys.PublicKey
@ -45,7 +52,9 @@ type initializeContext struct {
 	ContractPath string
 }

-func initializeSideChainCmd(cmd *cobra.Command, args []string) error {
+var ErrTooManyAlphabetNodes = fmt.Errorf("too many alphabet nodes (maximum allowed is %d)", maxAlphabetNodes)
+
+func initializeSideChainCmd(cmd *cobra.Command, _ []string) error {
 	initCtx, err := newInitializeContext(cmd, viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("initialization error: %w", err)
@ -91,11 +100,7 @@ func initializeSideChainCmd(cmd *cobra.Command, args []string) error {
 	}

 	cmd.Println("Stage 7: set addresses in NNS.")
-	if err := initCtx.setNNS(); err != nil {
-		return err
-	}
-
-	return nil
+	return initCtx.setNNS()
 }

 func (c *initializeContext) close() {
@ -110,7 +115,7 @@ func (c *initializeContext) close() {

 func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContext, error) {
 	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
-	wallets, err := openAlphabetWallets(v, walletDir)
+	wallets, err := getAlphabetWallets(v, walletDir)
 	if err != nil {
 		return nil, err
 	}
@ -118,24 +123,14 @@ func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContex
 	needContracts := cmd.Name() == "update-contracts" || cmd.Name() == "init"

 	var w *wallet.Wallet
-	if needContracts {
-		w, err = openContractWallet(v, cmd, walletDir)
-		if err != nil {
-			return nil, err
-		}
+	w, err = getWallet(cmd, v, needContracts, walletDir)
+	if err != nil {
+		return nil, err
 	}

-	var c Client
-	if v.GetString(localDumpFlag) != "" {
-		if v.GetString(endpointFlag) != "" {
-			return nil, fmt.Errorf("`%s` and `%s` flags are mutually exclusive", endpointFlag, localDumpFlag)
-		}
-		c, err = newLocalClient(cmd, v, wallets)
-	} else {
-		c, err = getN3Client(v)
-	}
+	c, err := createClient(cmd, v, wallets)
 	if err != nil {
-		return nil, fmt.Errorf("can't create N3 client: %w", err)
+		return nil, err
 	}

 	committeeAcc, err := getWalletAccount(wallets[0], committeeAccountName)
@ -148,35 +143,22 @@ func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContex
 		return nil, fmt.Errorf("can't find consensus account: %w", err)
 	}

-	var ctrPath string
-	if cmd.Name() == "init" {
-		if viper.GetInt64(epochDurationInitFlag) <= 0 {
-			return nil, fmt.Errorf("epoch duration must be positive")
-		}
-
-		if viper.GetInt64(maxObjectSizeInitFlag) <= 0 {
-			return nil, fmt.Errorf("max object size must be positive")
-		}
+	if err := validateInit(cmd); err != nil {
+		return nil, err
 	}

-	if needContracts {
-		ctrPath, err = cmd.Flags().GetString(contractsInitFlag)
-		if err != nil {
-			return nil, fmt.Errorf("invalid contracts path: %w", err)
-		}
+	ctrPath, err := getContractsPath(cmd, needContracts)
+	if err != nil {
+		return nil, err
 	}

 	if err := checkNotaryEnabled(c); err != nil {
 		return nil, err
 	}

-	accounts := make([]*wallet.Account, len(wallets))
-	for i, w := range wallets {
-		acc, err := getWalletAccount(w, singleAccountName)
-		if err != nil {
-			return nil, fmt.Errorf("wallet %s is invalid (no single account): %w", w.Path(), err)
-		}
-		accounts[i] = acc
+	accounts, err := createWalletAccounts(wallets)
+	if err != nil {
+		return nil, err
 	}

 	cliCtx, err := defaultClientContext(c, committeeAcc)
@ -206,52 +188,67 @@ func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContex
 	return initCtx, nil
 }

-func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, error) {
-	walletFiles, err := os.ReadDir(walletDir)
+func validateInit(cmd *cobra.Command) error {
+	if cmd.Name() != "init" {
+		return nil
+	}
+	if viper.GetInt64(epochDurationInitFlag) <= 0 {
+		return fmt.Errorf("epoch duration must be positive")
+	}
+
+	if viper.GetInt64(maxObjectSizeInitFlag) <= 0 {
+		return fmt.Errorf("max object size must be positive")
+	}
+
+	return nil
+}
+
+func createClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet) (Client, error) {
+	var c Client
+	var err error
+	if ldf := cmd.Flags().Lookup(localDumpFlag); ldf != nil && ldf.Changed {
+		if cmd.Flags().Changed(endpointFlag) {
+			return nil, fmt.Errorf("`%s` and `%s` flags are mutually exclusive", endpointFlag, localDumpFlag)
+		}
+		c, err = newLocalClient(cmd, v, wallets, ldf.Value.String())
+	} else {
+		c, err = getN3Client(v)
+	}
 	if err != nil {
-		return nil, fmt.Errorf("can't read alphabet wallets dir: %w", err)
+		return nil, fmt.Errorf("can't create N3 client: %w", err)
+	}
+	return c, nil
+}
+
+func getWallet(cmd *cobra.Command, v *viper.Viper, needContracts bool, walletDir string) (*wallet.Wallet, error) {
+	if !needContracts {
+		return nil, nil
+	}
+	return openContractWallet(v, cmd, walletDir)
+}
+
+func getContractsPath(cmd *cobra.Command, needContracts bool) (string, error) {
+	if !needContracts {
+		return "", nil
 	}

-	var size int
-loop:
-	for i := 0; i < len(walletFiles); i++ {
-		name := innerring.GlagoliticLetter(i).String() + ".json"
-		for j := range walletFiles {
-			if walletFiles[j].Name() == name {
-				size++
-				continue loop
-			}
-		}
-		break
-	}
-	if size == 0 {
-		return nil, errors.New("alphabet wallets dir is empty (run `generate-alphabet` command first)")
+	ctrPath, err := cmd.Flags().GetString(contractsInitFlag)
+	if err != nil {
+		return "", fmt.Errorf("invalid contracts path: %w", err)
 	}
+	return ctrPath, nil
+}

-	wallets := make([]*wallet.Wallet, size)
-	for i := 0; i < size; i++ {
-		letter := innerring.GlagoliticLetter(i).String()
-		p := filepath.Join(walletDir, letter+".json")
-		w, err := wallet.NewWalletFromFile(p)
+func createWalletAccounts(wallets []*wallet.Wallet) ([]*wallet.Account, error) {
+	accounts := make([]*wallet.Account, len(wallets))
+	for i, w := range wallets {
+		acc, err := getWalletAccount(w, singleAccountName)
 		if err != nil {
-			return nil, fmt.Errorf("can't open wallet: %w", err)
+			return nil, fmt.Errorf("wallet %s is invalid (no single account): %w", w.Path(), err)
 		}
-
-		password, err := config.GetPassword(v, letter)
-		if err != nil {
-			return nil, fmt.Errorf("can't fetch password: %w", err)
-		}
-
-		for i := range w.Accounts {
-			if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
-				return nil, fmt.Errorf("can't unlock wallet: %w", err)
-			}
-		}
-
-		wallets[i] = w
+		accounts[i] = acc
 	}
-
-	return wallets, nil
+	return accounts, nil
 }

 func (c *initializeContext) awaitTx() error {
@ -263,7 +260,8 @@ func (c *initializeContext) nnsContractState() (*state.Contract, error) {
 		return c.nnsCs, nil
 	}

-	cs, err := c.Client.GetContractStateByID(1)
+	r := management.NewReader(c.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return nil, err
 	}
@ -325,36 +323,18 @@ func (c *clientContext) awaitTx(cmd *cobra.Command) error {
 func awaitTx(cmd *cobra.Command, c Client, txs []hashVUBPair) error {
 	cmd.Println("Waiting for transactions to persist...")

-	const pollInterval = time.Second
-
-	tick := time.NewTicker(pollInterval)
-	defer tick.Stop()
-
 	at := trigger.Application

 	var retErr error

-	currBlock, err := c.GetBlockCount()
-	if err != nil {
-		return fmt.Errorf("can't fetch current block height: %w", err)
-	}
-
 loop:
 	for i := range txs {
-		res, err := c.GetApplicationLog(txs[i].hash, &at)
-		if err == nil {
-			if retErr == nil && len(res.Executions) > 0 && res.Executions[0].VMState != vmstate.Halt {
-				retErr = fmt.Errorf("tx %d persisted in %s state: %s",
-					i, res.Executions[0].VMState, res.Executions[0].FaultException)
-			}
-			continue loop
-		}
-		if txs[i].vub < currBlock {
-			return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
-		}
-		for range tick.C {
+		var it int
+		var pollInterval time.Duration
+		var pollIntervalChanged bool
+		for {
 			// We must fetch current height before application log, to avoid race condition.
-			currBlock, err = c.GetBlockCount()
+			currBlock, err := c.GetBlockCount()
 			if err != nil {
 				return fmt.Errorf("can't fetch current block height: %w", err)
 			}
@ -369,12 +349,43 @@ loop:
 			if txs[i].vub < currBlock {
 				return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
 			}
+
+			pollInterval, pollIntervalChanged = nextPollInterval(it, pollInterval)
+			if pollIntervalChanged && viper.GetBool(commonflags.Verbose) {
+				cmd.Printf("Pool interval to check transaction persistence changed: %s\n", pollInterval.String())
+			}
+
+			timer := time.NewTimer(pollInterval)
+			select {
+			case <-cmd.Context().Done():
+				return cmd.Context().Err()
+			case <-timer.C:
+			}
+
+			it++
 		}
 	}

 	return retErr
 }

+func nextPollInterval(it int, previous time.Duration) (time.Duration, bool) {
+	const minPollInterval = 1 * time.Second
+	const maxPollInterval = 16 * time.Second
+	const changeAfter = 5
+	if it == 0 {
+		return minPollInterval, true
+	}
+	if it%changeAfter != 0 {
+		return previous, false
+	}
+	nextInterval := previous * 2
+	if nextInterval > maxPollInterval {
+		return maxPollInterval, previous != maxPollInterval
+	}
+	return nextInterval, true
+}
+
 // sendCommitteeTx creates transaction from script, signs it by committee nodes and sends it to RPC.
 // If tryGroup is false, global scope is used for the signer (useful when
 // working with native contracts).
@ -454,7 +465,7 @@ func checkNotaryEnabled(c Client) error {
 	nativeHashes := make(map[string]util.Uint160, len(ns))
 	for i := range ns {
 		if ns[i].Manifest.Name == nativenames.Notary {
-			notaryEnabled = len(ns[i].UpdateHistory) > 0
+			notaryEnabled = true
 		}
 		nativeHashes[ns[i].Manifest.Name] = ns[i].Hash
 	}
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_deploy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_deploy.go
@ -12,17 +12,17 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/TrueCloudLab/frostfs-contract/common"
-	"github.com/TrueCloudLab/frostfs-contract/nns"
-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
-	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
+	morphClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
-	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	io2 "github.com/nspcc-dev/neo-go/pkg/io"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
@ -30,7 +30,7 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
-	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/viper"
 )

@ -39,44 +39,24 @@ const (
 	frostfsContract    = "frostfs"    // not deployed in side-chain.
 	processingContract = "processing" // not deployed in side-chain.
 	alphabetContract   = "alphabet"
-	auditContract      = "audit"
 	balanceContract    = "balance"
 	containerContract  = "container"
 	frostfsIDContract  = "frostfsid"
 	netmapContract     = "netmap"
+	policyContract     = "policy"
 	proxyContract      = "proxy"
-	reputationContract = "reputation"
-	subnetContract     = "subnet"
 )

-const (
-	netmapEpochKey                   = "EpochDuration"
-	netmapMaxObjectSizeKey           = "MaxObjectSize"
-	netmapAuditFeeKey                = "AuditFee"
-	netmapContainerFeeKey            = "ContainerFee"
-	netmapContainerAliasFeeKey       = "ContainerAliasFee"
-	netmapEigenTrustIterationsKey    = "EigenTrustIterations"
-	netmapEigenTrustAlphaKey         = "EigenTrustAlpha"
-	netmapBasicIncomeRateKey         = "BasicIncomeRate"
-	netmapInnerRingCandidateFeeKey   = "InnerRingCandidateFee"
-	netmapWithdrawFeeKey             = "WithdrawFee"
-	netmapHomomorphicHashDisabledKey = "HomomorphicHashingDisabled"
-	netmapMaintenanceAllowedKey      = "MaintenanceModeAllowed"
-
-	defaultEigenTrustIterations = 4
-	defaultEigenTrustAlpha      = "0.1"
-)
+const frostfsIDAdminConfigKey = "frostfsid.admin"

 var (
 	contractList = []string{
-		auditContract,
 		balanceContract,
 		containerContract,
 		frostfsIDContract,
 		netmapContract,
+		policyContract,
 		proxyContract,
-		reputationContract,
-		subnetContract,
 	}

 	fullContractList = append([]string{
@ -85,6 +65,17 @@ var (
 		nnsContract,
 		alphabetContract,
 	}, contractList...)
+
+	netmapConfigKeys = []string{
+		netmap.EpochDurationConfig,
+		netmap.MaxObjectSizeConfig,
+		netmap.ContainerFeeConfig,
+		netmap.ContainerAliasFeeConfig,
+		netmap.IrCandidateFeeConfig,
+		netmap.WithdrawFeeConfig,
+		netmap.HomomorphicHashingDisabledKey,
+		netmap.MaintenanceModeAllowedConfig,
+	}
 )

 type contractState struct {
@ -100,12 +91,19 @@ const (
 	deployMethodName = "deploy"
 )

+func domainOf(contract string) string {
+	return contract + ".frostfs"
+}
+
 func (c *initializeContext) deployNNS(method string) error {
 	cs := c.getContract(nnsContract)
 	h := cs.Hash

 	nnsCs, err := c.nnsContractState()
-	if err == nil {
+	if err != nil {
+		return err
+	}
+	if nnsCs != nil {
 		if nnsCs.NEF.Checksum == cs.NEF.Checksum {
 			if method == deployMethodName {
 				c.Command.Println("NNS contract is already deployed.")
@ -123,28 +121,13 @@ func (c *initializeContext) deployNNS(method string) error {
 	}

 	params := getContractDeployParameters(cs, nil)
-	signer := transaction.Signer{
-		Account: c.CommitteeAcc.Contract.ScriptHash(),
-		Scopes:  transaction.CalledByEntry,
-	}

 	invokeHash := management.Hash
 	if method == updateMethodName {
 		invokeHash = nnsCs.Hash
 	}

-	res, err := invokeFunction(c.Client, invokeHash, method, params, []transaction.Signer{signer})
-	if err != nil {
-		return fmt.Errorf("can't deploy NNS contract: %w", err)
-	}
-	if res.State != vmstate.Halt.String() {
-		return fmt.Errorf("can't deploy NNS contract: %s", res.FaultException)
-	}
-
-	tx, err := c.Client.CreateTxFromScript(res.Script, c.CommitteeAcc, res.GasConsumed, 0, []rpcclient.SignerAccount{{
-		Signer:  signer,
-		Account: c.CommitteeAcc,
-	}})
+	tx, err := c.CommitteeAct.MakeCall(invokeHash, method, params...)
 	if err != nil {
 		return fmt.Errorf("failed to create deploy tx for %s: %w", nnsContract, err)
 	}
@ -167,8 +150,6 @@ func (c *initializeContext) updateContracts() error {

 	w := io2.NewBufBinWriter()

-	var keysParam []any
-
 	// Update script size for a single-node committee is close to the maximum allowed size of 65535.
 	// Because of this we want to reuse alphabet contract NEF and manifest for different updates.
 	// The generated script is as following.
@ -182,42 +163,36 @@ func (c *initializeContext) updateContracts() error {
 	emit.Bytes(w.BinWriter, alphaCs.RawNEF)
 	emit.Opcodes(w.BinWriter, opcode.STSFLD0)

-	baseGroups := alphaCs.Manifest.Groups
-
-	// alphabet contracts should be deployed by individual nodes to get different hashes.
-	for i, acc := range c.Accounts {
-		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, getAlphabetNNSDomain(i))
-		if err != nil {
-			return fmt.Errorf("can't resolve hash for contract update: %w", err)
-		}
-
-		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
-
-		params := c.getAlphabetDeployItems(i, len(c.Wallets))
-		emit.Array(w.BinWriter, params...)
-
-		alphaCs.Manifest.Groups = baseGroups
-		err = c.addManifestGroup(ctrHash, alphaCs)
-		if err != nil {
-			return fmt.Errorf("can't sign manifest group: %v", err)
-		}
-
-		emit.Bytes(w.BinWriter, alphaCs.RawManifest)
-		emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
-		emit.Int(w.BinWriter, 3)
-		emit.Opcodes(w.BinWriter, opcode.PACK)
-		emit.AppCallNoArgs(w.BinWriter, ctrHash, updateMethodName, callflag.All)
-	}
-
-	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
-		if !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
-			return err
-		}
-		c.Command.Println("Alphabet contracts are already updated.")
+	keysParam, err := c.deployAlphabetAccounts(nnsHash, w, alphaCs)
+	if err != nil {
+		return err
 	}

 	w.Reset()

+	if err = c.deployOrUpdateContracts(w, nnsHash, keysParam); err != nil {
+		return err
+	}
+
+	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
+	_, _, err = c.emitUpdateNNSGroupScript(w, nnsHash, groupKey)
+	if err != nil {
+		return err
+	}
+	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
+
+	emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
+	emit.Int(w.BinWriter, 1)
+	emit.Opcodes(w.BinWriter, opcode.PACK)
+	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
+
+	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
+		return err
+	}
+	return c.awaitTx()
+}
+
+func (c *initializeContext) deployOrUpdateContracts(w *io2.BufBinWriter, nnsHash util.Uint160, keysParam []any) error {
 	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 	emit.AppCall(w.BinWriter, nnsHash, "getPrice", callflag.All)
 	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
@ -227,7 +202,7 @@ func (c *initializeContext) updateContracts() error {
 		cs := c.getContract(ctrName)

 		method := updateMethodName
-		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, ctrName+".frostfs")
+		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, domainOf(ctrName))
 		if err != nil {
 			if errors.Is(err, errMissingNNSRecord) {
 				// if contract not found we deploy it instead of update
@ -247,7 +222,11 @@ func (c *initializeContext) updateContracts() error {
 			invokeHash = ctrHash
 		}

-		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
+		args, err := c.getContractDeployData(ctrName, keysParam, updateMethodName)
+		if err != nil {
+			return fmt.Errorf("%s: getting update params: %v", ctrName, err)
+		}
+		params := getContractDeployParameters(cs, args)
 		res, err := c.CommitteeAct.MakeCall(invokeHash, method, params...)
 		if err != nil {
 			if method != updateMethodName || !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
@ -277,23 +256,46 @@ func (c *initializeContext) updateContracts() error {
 			c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
 		}
 	}
+	return nil
+}

-	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
-	_, _, err = c.emitUpdateNNSGroupScript(w, nnsHash, groupKey)
-	if err != nil {
-		return err
+func (c *initializeContext) deployAlphabetAccounts(nnsHash util.Uint160, w *io2.BufBinWriter, alphaCs *contractState) ([]any, error) {
+	var keysParam []any
+
+	baseGroups := alphaCs.Manifest.Groups
+
+	// alphabet contracts should be deployed by individual nodes to get different hashes.
+	for i, acc := range c.Accounts {
+		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, getAlphabetNNSDomain(i))
+		if err != nil {
+			return nil, fmt.Errorf("can't resolve hash for contract update: %w", err)
+		}
+
+		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
+
+		params := c.getAlphabetDeployItems(i, len(c.Wallets))
+		emit.Array(w.BinWriter, params...)
+
+		alphaCs.Manifest.Groups = baseGroups
+		err = c.addManifestGroup(ctrHash, alphaCs)
+		if err != nil {
+			return nil, fmt.Errorf("can't sign manifest group: %v", err)
+		}
+
+		emit.Bytes(w.BinWriter, alphaCs.RawManifest)
+		emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
+		emit.Int(w.BinWriter, 3)
+		emit.Opcodes(w.BinWriter, opcode.PACK)
+		emit.AppCallNoArgs(w.BinWriter, ctrHash, updateMethodName, callflag.All)
 	}
-	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
-
-	emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
-	emit.Int(w.BinWriter, 1)
-	emit.Opcodes(w.BinWriter, opcode.PACK)
-	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
-
 	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
-		return err
+		if !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
+			return nil, err
+		}
+		c.Command.Println("Alphabet contracts are already updated.")
 	}
-	return c.awaitTx()
+
+	return keysParam, nil
 }

 func (c *initializeContext) deployContracts() error {
@ -347,7 +349,11 @@ func (c *initializeContext) deployContracts() error {
 			return fmt.Errorf("can't sign manifest group: %v", err)
 		}

-		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
+		args, err := c.getContractDeployData(ctrName, keysParam, deployMethodName)
+		if err != nil {
+			return fmt.Errorf("%s: getting deploy params: %v", ctrName, err)
+		}
+		params := getContractDeployParameters(cs, args)
 		res, err := c.CommitteeAct.MakeCall(management.Hash, deployMethodName, params...)
 		if err != nil {
 			return fmt.Errorf("can't deploy %s contract: %w", ctrName, err)
@ -362,8 +368,9 @@ func (c *initializeContext) deployContracts() error {
 }

 func (c *initializeContext) isUpdated(ctrHash util.Uint160, cs *contractState) bool {
-	realCs, err := c.Client.GetContractStateByHash(ctrHash)
-	return err == nil && realCs.NEF.Checksum == cs.NEF.Checksum
+	r := management.NewReader(c.ReadOnlyInvoker)
+	realCs, err := r.GetContract(ctrHash)
+	return err == nil && realCs != nil && realCs.NEF.Checksum == cs.NEF.Checksum
 }

 func (c *initializeContext) getContract(ctrName string) *contractState {
@ -393,11 +400,9 @@ func (c *initializeContext) readContracts(names []string) error {
 	} else {
 		var r io.ReadCloser
 		if c.ContractPath == "" {
-			c.Command.Println("Contracts flag is missing, latest release will be fetched from Github.")
-			r, err = downloadContractsFromGithub(c.Command)
-		} else {
-			r, err = os.Open(c.ContractPath)
+			return errors.New("contracts flag is missing")
 		}
+		r, err = os.Open(c.ContractPath)
 		if err != nil {
 			return fmt.Errorf("can't open contracts archive: %w", err)
 		}
@ -514,9 +519,8 @@ func getContractDeployParameters(cs *contractState, deployData []any) []any {
 	return []any{cs.RawNEF, cs.RawManifest, deployData}
 }

-func (c *initializeContext) getContractDeployData(ctrName string, keysParam []any) []any {
-	items := make([]any, 1, 6)
-	items[0] = false // notaryDisabled is false
+func (c *initializeContext) getContractDeployData(ctrName string, keysParam []any, method string) ([]any, error) {
+	items := make([]any, 0, 6)

 	switch ctrName {
 	case frostfsContract:
@ -526,9 +530,7 @@ func (c *initializeContext) getContractDeployData(ctrName string, keysParam []an
 			smartcontract.Parameter{})
 	case processingContract:
 		items = append(items, c.Contracts[frostfsContract].Hash)
-		return items[1:] // no notary info
-	case auditContract:
-		items = append(items, c.Contracts[netmapContract].Hash)
+		return items[1:], nil // no notary info
 	case balanceContract:
 		items = append(items,
 			c.Contracts[netmapContract].Hash,
@ -536,9 +538,10 @@ func (c *initializeContext) getContractDeployData(ctrName string, keysParam []an
 	case containerContract:
 		// In case if NNS is updated multiple times, we can't calculate
 		// it's actual hash based on local data, thus query chain.
-		nnsCs, err := c.Client.GetContractStateByID(1)
+		r := management.NewReader(c.ReadOnlyInvoker)
+		nnsCs, err := r.GetContractByID(1)
 		if err != nil {
-			panic("NNS is not yet deployed")
+			return nil, fmt.Errorf("get nns contract: %w", err)
 		}
 		items = append(items,
 			c.Contracts[netmapContract].Hash,
@ -547,24 +550,39 @@ func (c *initializeContext) getContractDeployData(ctrName string, keysParam []an
 			nnsCs.Hash,
 			"container")
 	case frostfsIDContract:
-		items = append(items,
-			c.Contracts[netmapContract].Hash,
-			c.Contracts[containerContract].Hash)
-	case netmapContract:
-		configParam := []any{
-			netmapEpochKey, viper.GetInt64(epochDurationInitFlag),
-			netmapMaxObjectSizeKey, viper.GetInt64(maxObjectSizeInitFlag),
-			netmapAuditFeeKey, viper.GetInt64(auditFeeInitFlag),
-			netmapContainerFeeKey, viper.GetInt64(containerFeeInitFlag),
-			netmapContainerAliasFeeKey, viper.GetInt64(containerAliasFeeInitFlag),
-			netmapEigenTrustIterationsKey, int64(defaultEigenTrustIterations),
-			netmapEigenTrustAlphaKey, defaultEigenTrustAlpha,
-			netmapBasicIncomeRateKey, viper.GetInt64(incomeRateInitFlag),
-			netmapInnerRingCandidateFeeKey, viper.GetInt64(candidateFeeInitFlag),
-			netmapWithdrawFeeKey, viper.GetInt64(withdrawFeeInitFlag),
-			netmapHomomorphicHashDisabledKey, viper.GetBool(homomorphicHashDisabledInitFlag),
-			netmapMaintenanceAllowedKey, viper.GetBool(maintenanceModeAllowedInitFlag),
+		var (
+			h     util.Uint160
+			found bool
+			err   error
+		)
+		if method == updateMethodName {
+			h, found, err = c.getFrostfsIDAdminFromContract()
 		}
+		if method != updateMethodName || err == nil && !found {
+			h, found, err = getFrostfsIDAdmin(viper.GetViper())
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		if found {
+			items = append(items, h)
+		} else {
+			items = append(items, c.Contracts[proxyContract].Hash)
+		}
+	case netmapContract:
+		md := getDefaultNetmapContractConfigMap()
+		if method == updateMethodName {
+			if err := c.mergeNetmapConfig(md); err != nil {
+				return nil, err
+			}
+		}
+
+		var configParam []any
+		for k, v := range md {
+			configParam = append(configParam, k, v)
+		}
+
 		items = append(items,
 			c.Contracts[balanceContract].Hash,
 			c.Contracts[containerContract].Hash,
@ -572,21 +590,86 @@ func (c *initializeContext) getContractDeployData(ctrName string, keysParam []an
 			configParam)
 	case proxyContract:
 		items = nil
-	case reputationContract:
-	case subnetContract:
+	case policyContract:
+		items = append(items, c.Contracts[proxyContract].Hash)
 	default:
 		panic(fmt.Sprintf("invalid contract name: %s", ctrName))
 	}
-	return items
+	return items, nil
+}
+
+func (c *initializeContext) getFrostfsIDAdminFromContract() (util.Uint160, bool, error) {
+	r := management.NewReader(c.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
+	if err != nil {
+		return util.Uint160{}, false, fmt.Errorf("get nns contract: %w", err)
+	}
+	fidHash, err := nnsResolveHash(c.ReadOnlyInvoker, cs.Hash, domainOf(frostfsIDContract))
+	if err != nil {
+		return util.Uint160{}, false, fmt.Errorf("resolve frostfsid contract hash: %w", err)
+	}
+	item, err := unwrap.Item(c.ReadOnlyInvoker.Call(fidHash, "getAdmin"))
+	if err != nil {
+		return util.Uint160{}, false, fmt.Errorf("getAdmin: %w", err)
+	}
+	if _, ok := item.(stackitem.Null); ok {
+		return util.Uint160{}, false, nil
+	}
+
+	bs, err := item.TryBytes()
+	if err != nil {
+		return util.Uint160{}, true, fmt.Errorf("getAdmin: decode result: %w", err)
+	}
+	h, err := util.Uint160DecodeBytesBE(bs)
+	if err != nil {
+		return util.Uint160{}, true, fmt.Errorf("getAdmin: decode result: %w", err)
+	}
+	return h, true, nil
+}
+
+func (c *initializeContext) getNetConfigFromNetmapContract() ([]stackitem.Item, error) {
+	r := management.NewReader(c.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
+	if err != nil {
+		return nil, fmt.Errorf("get nns contract: %w", err)
+	}
+	nmHash, err := nnsResolveHash(c.ReadOnlyInvoker, cs.Hash, domainOf(netmapContract))
+	if err != nil {
+		return nil, fmt.Errorf("can't get netmap contract hash: %w", err)
+	}
+	arr, err := unwrap.Array(c.ReadOnlyInvoker.Call(nmHash, "listConfig"))
+	if err != nil {
+		return nil, fmt.Errorf("can't fetch list of network config keys from the netmap contract")
+	}
+	return arr, err
+}
+
+func (c *initializeContext) mergeNetmapConfig(md map[string]any) error {
+	arr, err := c.getNetConfigFromNetmapContract()
+	if err != nil {
+		return err
+	}
+	m, err := parseConfigFromNetmapContract(arr)
+	if err != nil {
+		return err
+	}
+	for k, v := range m {
+		for _, key := range netmapConfigKeys {
+			if k == key {
+				md[k] = v
+				break
+			}
+		}
+	}
+	return nil
 }

 func (c *initializeContext) getAlphabetDeployItems(i, n int) []any {
-	items := make([]any, 6)
-	items[0] = false
-	items[1] = c.Contracts[netmapContract].Hash
-	items[2] = c.Contracts[proxyContract].Hash
-	items[3] = innerring.GlagoliticLetter(i).String()
-	items[4] = int64(i)
-	items[5] = int64(n)
+	items := make([]any, 5)
+	items[0] = c.Contracts[netmapContract].Hash
+	items[1] = c.Contracts[proxyContract].Hash
+	items[2] = innerring.GlagoliticLetter(i).String()
+	items[3] = int64(i)
+	items[4] = int64(n)
 	return items
 }
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_nns.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_nns.go
@ -7,14 +7,16 @@ import (
 	"strconv"
 	"time"

-	"github.com/TrueCloudLab/frostfs-contract/nns"
-	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
+	morphClient "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	nnsClient "github.com/nspcc-dev/neo-go/pkg/rpcclient/nns"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
@ -26,8 +28,11 @@ import (

 const defaultExpirationTime = 10 * 365 * 24 * time.Hour / time.Second

+const frostfsOpsEmail = "ops@frostfs.info"
+
 func (c *initializeContext) setNNS() error {
-	nnsCs, err := c.Client.GetContractStateByID(1)
+	r := management.NewReader(c.ReadOnlyInvoker)
+	nnsCs, err := r.GetContractByID(1)
 	if err != nil {
 		return err
 	}
@ -39,7 +44,7 @@ func (c *initializeContext) setNNS() error {
 		bw := io.NewBufBinWriter()
 		emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
 			"frostfs", c.CommitteeAcc.Contract.ScriptHash(),
-			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+			frostfsOpsEmail, int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 		if err := c.sendCommitteeTx(bw.Bytes(), true); err != nil {
 			return fmt.Errorf("can't add domain root to NNS: %w", err)
@ -82,13 +87,13 @@ func (c *initializeContext) setNNS() error {

 func (c *initializeContext) updateNNSGroup(nnsHash util.Uint160, pub *keys.PublicKey) error {
 	bw := io.NewBufBinWriter()
-	needUpdate, needRegister, err := c.emitUpdateNNSGroupScript(bw, nnsHash, pub)
-	if !needUpdate || err != nil {
+	keyAlreadyAdded, domainRegCodeEmitted, err := c.emitUpdateNNSGroupScript(bw, nnsHash, pub)
+	if keyAlreadyAdded || err != nil {
 		return err
 	}

 	script := bw.Bytes()
-	if needRegister {
+	if domainRegCodeEmitted {
 		w := io.NewBufBinWriter()
 		emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
 		wrapRegisterScriptWithPrice(w, nnsHash, script)
@ -121,7 +126,7 @@ func (c *initializeContext) emitUpdateNNSGroupScript(bw *io.BufBinWriter, nnsHas
 	if isAvail {
 		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
 			morphClient.NNSGroupKeyName, c.CommitteeAcc.Contract.ScriptHash(),
-			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+			frostfsOpsEmail, int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 	}

@ -169,7 +174,7 @@ func (c *initializeContext) nnsRegisterDomainScript(nnsHash, expectedHash util.U
 		bw := io.NewBufBinWriter()
 		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
 			domain, c.CommitteeAcc.Contract.ScriptHash(),
-			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+			frostfsOpsEmail, int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
 		emit.Opcodes(bw.BinWriter, opcode.ASSERT)

 		if bw.Err != nil {
@ -228,20 +233,27 @@ func nnsResolve(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (stac
 }

 func nnsResolveKey(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (*keys.PublicKey, error) {
-	item, err := nnsResolve(inv, nnsHash, domain)
+	res, err := nnsResolve(inv, nnsHash, domain)
 	if err != nil {
 		return nil, err
 	}
-	v, ok := item.Value().(stackitem.Null)
-	if ok {
+	if _, ok := res.Value().(stackitem.Null); ok {
 		return nil, errors.New("NNS record is missing")
 	}
-	bs, err := v.TryBytes()
-	if err != nil {
-		return nil, errors.New("malformed response")
+	arr, ok := res.Value().([]stackitem.Item)
+	if !ok {
+		return nil, errors.New("API of the NNS contract method `resolve` has changed")
 	}
+	for i := range arr {
+		var bs []byte
+		bs, err = arr[i].TryBytes()
+		if err != nil {
+			continue
+		}

-	return keys.NewPublicKeyFromString(string(bs))
+		return keys.NewPublicKeyFromString(string(bs))
+	}
+	return nil, errors.New("no valid keys are found")
 }

 // parseNNSResolveResult parses the result of resolving NNS record.
@ -277,9 +289,11 @@ func parseNNSResolveResult(res stackitem.Item) (util.Uint160, error) {
 }

 func nnsIsAvailable(c Client, nnsHash util.Uint160, name string) (bool, error) {
-	switch ct := c.(type) {
+	switch c.(type) {
 	case *rpcclient.Client:
-		return ct.NNSIsAvailable(nnsHash, name)
+		inv := invoker.New(c, nil)
+		reader := nnsClient.NewReader(inv, nnsHash)
+		return reader.IsAvailable(name)
 	default:
 		b, err := unwrap.Bool(invokeFunction(c, nnsHash, "isAvailable", []any{name}, nil))
 		if err != nil {
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_register.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_register.go
@ -3,13 +3,17 @@ package morph
 import (
 	"errors"
 	"fmt"
+	"math/big"

 	"github.com/nspcc-dev/neo-go/pkg/core/native"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
@ -18,53 +22,48 @@ import (
 )

 // initialAlphabetNEOAmount represents the total amount of GAS distributed between alphabet nodes.
-const initialAlphabetNEOAmount = native.NEOTotalSupply
-
-func (c *initializeContext) registerCandidates() error {
-	neoHash := neo.Hash
-
-	cc, err := unwrap.Array(c.ReadOnlyInvoker.Call(neoHash, "getCandidates"))
-	if err != nil {
-		return fmt.Errorf("`getCandidates`: %w", err)
-	}
-
-	if len(cc) > 0 {
-		c.Command.Println("Candidates are already registered.")
-		return nil
-	}
+const (
+	initialAlphabetNEOAmount = native.NEOTotalSupply
+	registerBatchSize        = transaction.MaxAttributes - 1
+)

+func (c *initializeContext) registerCandidateRange(start, end int) error {
 	regPrice, err := c.getCandidateRegisterPrice()
 	if err != nil {
 		return fmt.Errorf("can't fetch registration price: %w", err)
 	}

 	w := io.NewBufBinWriter()
-	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, 1)
-	for _, acc := range c.Accounts {
-		emit.AppCall(w.BinWriter, neoHash, "registerCandidate", callflag.States, acc.PrivateKey().PublicKey().Bytes())
+	emit.AppCall(w.BinWriter, neo.Hash, "setRegisterPrice", callflag.States, 1)
+	for _, acc := range c.Accounts[start:end] {
+		emit.AppCall(w.BinWriter, neo.Hash, "registerCandidate", callflag.States, acc.PrivateKey().PublicKey().Bytes())
 		emit.Opcodes(w.BinWriter, opcode.ASSERT)
 	}
-	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, regPrice)
+	emit.AppCall(w.BinWriter, neo.Hash, "setRegisterPrice", callflag.States, regPrice)
 	if w.Err != nil {
 		panic(fmt.Sprintf("BUG: %v", w.Err))
 	}

-	signers := []rpcclient.SignerAccount{{
+	signers := []actor.SignerAccount{{
 		Signer:  c.getSigner(false, c.CommitteeAcc),
 		Account: c.CommitteeAcc,
 	}}
-	for i := range c.Accounts {
-		signers = append(signers, rpcclient.SignerAccount{
+	for _, acc := range c.Accounts[start:end] {
+		signers = append(signers, actor.SignerAccount{
 			Signer: transaction.Signer{
-				Account:          c.Accounts[i].Contract.ScriptHash(),
+				Account:          acc.Contract.ScriptHash(),
 				Scopes:           transaction.CustomContracts,
-				AllowedContracts: []util.Uint160{neoHash},
+				AllowedContracts: []util.Uint160{neo.Hash},
 			},
-			Account: c.Accounts[i],
+			Account: acc,
 		})
 	}

-	tx, err := c.Client.CreateTxFromScript(w.Bytes(), c.CommitteeAcc, -1, 0, signers)
+	act, err := actor.New(c.Client, signers)
+	if err != nil {
+		return fmt.Errorf("can't create actor: %w", err)
+	}
+	tx, err := act.MakeRun(w.Bytes())
 	if err != nil {
 		return fmt.Errorf("can't create tx: %w", err)
 	}
@ -73,8 +72,8 @@ func (c *initializeContext) registerCandidates() error {
 	}

 	network := c.CommitteeAct.GetNetwork()
-	for i := range c.Accounts {
-		if err := c.Accounts[i].SignTx(network, tx); err != nil {
+	for _, acc := range c.Accounts[start:end] {
+		if err := acc.SignTx(network, tx); err != nil {
 			return fmt.Errorf("can't sign a transaction: %w", err)
 		}
 	}
@ -82,6 +81,39 @@ func (c *initializeContext) registerCandidates() error {
 	return c.sendTx(tx, c.Command, true)
 }

+func (c *initializeContext) registerCandidates() error {
+	cc, err := unwrap.Array(c.ReadOnlyInvoker.Call(neo.Hash, "getCandidates"))
+	if err != nil {
+		return fmt.Errorf("`getCandidates`: %w", err)
+	}
+
+	need := len(c.Accounts)
+	have := len(cc)
+
+	if need == have {
+		c.Command.Println("Candidates are already registered.")
+		return nil
+	}
+
+	// Register candidates in batches in order to overcome the signers amount limit.
+	// See: https://github.com/nspcc-dev/neo-go/blob/master/pkg/core/transaction/transaction.go#L27
+	for i := 0; i < need; i += registerBatchSize {
+		start, end := i, i+registerBatchSize
+		if end > need {
+			end = need
+		}
+		// This check is sound because transactions are accepted/rejected atomically.
+		if have >= end {
+			continue
+		}
+		if err := c.registerCandidateRange(start, end); err != nil {
+			return fmt.Errorf("registering candidates %d..%d: %q", start, end-1, err)
+		}
+	}
+
+	return nil
+}
+
 func (c *initializeContext) transferNEOToAlphabetContracts() error {
 	neoHash := neo.Hash

@ -109,16 +141,19 @@ func (c *initializeContext) transferNEOToAlphabetContracts() error {
 }

 func (c *initializeContext) transferNEOFinished(neoHash util.Uint160) (bool, error) {
-	bal, err := c.Client.NEP17BalanceOf(neoHash, c.CommitteeAcc.Contract.ScriptHash())
-	return bal < native.NEOTotalSupply, err
+	r := nep17.NewReader(c.ReadOnlyInvoker, neoHash)
+	bal, err := r.BalanceOf(c.CommitteeAcc.Contract.ScriptHash())
+	return bal.Cmp(big.NewInt(native.NEOTotalSupply)) == -1, err
 }

 var errGetPriceInvalid = errors.New("`getRegisterPrice`: invalid response")

 func (c *initializeContext) getCandidateRegisterPrice() (int64, error) {
-	switch ct := c.Client.(type) {
+	switch c.Client.(type) {
 	case *rpcclient.Client:
-		return ct.GetCandidateRegisterPrice()
+		inv := invoker.New(c.Client, nil)
+		reader := neo.NewReader(inv)
+		return reader.GetRegisterPrice()
 	default:
 		neoHash := neo.Hash
 		res, err := invokeFunction(c.Client, neoHash, "getRegisterPrice", nil, nil)
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_test.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_test.go
@ -2,12 +2,14 @@ package morph

 import (
 	"encoding/hex"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"testing"
+	"time"

-	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/config"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/vm"
@ -18,7 +20,7 @@ import (
 )

 const (
-	contractsPath = "../../../../../../frostfs-contract/frostfs-contract-v0.16.0.tar.gz"
+	contractsPath = "../../../../../../contract/frostfs-contract-v0.18.0.tar.gz"
 	protoFileName = "proto.yml"
 )

@ -36,18 +38,29 @@ func TestInitialize(t *testing.T) {
 	t.Run("7 nodes", func(t *testing.T) {
 		testInitialize(t, 7)
 	})
+	t.Run("16 nodes", func(t *testing.T) {
+		testInitialize(t, 16)
+	})
+	t.Run("max nodes", func(t *testing.T) {
+		testInitialize(t, maxAlphabetNodes)
+	})
+	t.Run("too many nodes", func(t *testing.T) {
+		require.ErrorIs(t, generateTestData(t, t.TempDir(), maxAlphabetNodes+1), ErrTooManyAlphabetNodes)
+	})
 }

 func testInitialize(t *testing.T, committeeSize int) {
 	testdataDir := t.TempDir()
 	v := viper.GetViper()

-	generateTestData(t, testdataDir, committeeSize)
+	require.NoError(t, generateTestData(t, testdataDir, committeeSize))
 	v.Set(protoConfigPath, filepath.Join(testdataDir, protoFileName))

 	// Set to the path or remove the next statement to download from the network.
 	require.NoError(t, initCmd.Flags().Set(contractsInitFlag, contractsPath))
-	v.Set(localDumpFlag, filepath.Join(testdataDir, "out"))
+
+	dumpPath := filepath.Join(testdataDir, "out")
+	require.NoError(t, initCmd.Flags().Set(localDumpFlag, dumpPath))
 	v.Set(alphabetWalletsFlag, testdataDir)
 	v.Set(epochDurationInitFlag, 1)
 	v.Set(maxObjectSizeInitFlag, 1024)
@ -56,12 +69,15 @@ func testInitialize(t *testing.T, committeeSize int) {
 	require.NoError(t, initializeSideChainCmd(initCmd, nil))

 	t.Run("force-new-epoch", func(t *testing.T) {
+		require.NoError(t, forceNewEpoch.Flags().Set(localDumpFlag, dumpPath))
 		require.NoError(t, forceNewEpochCmd(forceNewEpoch, nil))
 	})
 	t.Run("set-config", func(t *testing.T) {
+		require.NoError(t, setConfig.Flags().Set(localDumpFlag, dumpPath))
 		require.NoError(t, setConfigCmd(setConfig, []string{"MaintenanceModeAllowed=true"}))
 	})
 	t.Run("set-policy", func(t *testing.T) {
+		require.NoError(t, setPolicy.Flags().Set(localDumpFlag, dumpPath))
 		require.NoError(t, setPolicyCmd(setPolicy, []string{"ExecFeeFactor=1"}))
 	})
 	t.Run("remove-node", func(t *testing.T) {
@ -69,29 +85,38 @@ func testInitialize(t *testing.T, committeeSize int) {
 		require.NoError(t, err)

 		pub := hex.EncodeToString(pk.PublicKey().Bytes())
+		require.NoError(t, removeNodes.Flags().Set(localDumpFlag, dumpPath))
 		require.NoError(t, removeNodesCmd(removeNodes, []string{pub}))
 	})
 }

-func generateTestData(t *testing.T, dir string, size int) {
+func generateTestData(t *testing.T, dir string, size int) error {
 	v := viper.GetViper()
 	v.Set(alphabetWalletsFlag, dir)

 	sizeStr := strconv.FormatUint(uint64(size), 10)
-	require.NoError(t, generateAlphabetCmd.Flags().Set(alphabetSizeFlag, sizeStr))
+	if err := generateAlphabetCmd.Flags().Set(alphabetSizeFlag, sizeStr); err != nil {
+		return err
+	}

 	setTestCredentials(v, size)
-	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))
+	if err := generateAlphabetCreds(generateAlphabetCmd, nil); err != nil {
+		return err
+	}

 	var pubs []string
 	for i := 0; i < size; i++ {
 		p := filepath.Join(dir, innerring.GlagoliticLetter(i).String()+".json")
 		w, err := wallet.NewWalletFromFile(p)
-		require.NoError(t, err, "wallet doesn't exist")
+		if err != nil {
+			return fmt.Errorf("wallet doesn't exist: %w", err)
+		}
 		for _, acc := range w.Accounts {
 			if acc.Label == singleAccountName {
 				pub, ok := vm.ParseSignatureContract(acc.Contract.Script)
-				require.True(t, ok)
+				if !ok {
+					return fmt.Errorf("could not parse signature script for %s", acc.Address)
+				}
 				pubs = append(pubs, hex.EncodeToString(pub))
 				continue
 			}
@ -100,17 +125,18 @@ func generateTestData(t *testing.T, dir string, size int) {

 	cfg := config.Config{}
 	cfg.ProtocolConfiguration.Magic = 12345
-	cfg.ProtocolConfiguration.ValidatorsCount = size
-	cfg.ProtocolConfiguration.SecondsPerBlock = 1
+	cfg.ProtocolConfiguration.ValidatorsCount = uint32(size)
+	cfg.ProtocolConfiguration.TimePerBlock = time.Second
 	cfg.ProtocolConfiguration.StandbyCommittee = pubs // sorted by glagolic letters
 	cfg.ProtocolConfiguration.P2PSigExtensions = true
 	cfg.ProtocolConfiguration.VerifyTransactions = true
-	cfg.ProtocolConfiguration.VerifyBlocks = true
 	data, err := yaml.Marshal(cfg)
-	require.NoError(t, err)
+	if err != nil {
+		return err
+	}

 	protoPath := filepath.Join(dir, protoFileName)
-	require.NoError(t, os.WriteFile(protoPath, data, os.ModePerm))
+	return os.WriteFile(protoPath, data, os.ModePerm)
 }

 func setTestCredentials(v *viper.Viper, size int) {
@ -119,3 +145,38 @@ func setTestCredentials(v *viper.Viper, size int) {
 	}
 	v.Set("credentials.contract", testContractPassword)
 }
+
+func TestNextPollInterval(t *testing.T) {
+	var pollInterval time.Duration
+	var iteration int
+
+	pollInterval, hasChanged := nextPollInterval(iteration, pollInterval)
+	require.True(t, hasChanged)
+	require.Equal(t, time.Second, pollInterval)
+
+	iteration = 4
+	pollInterval, hasChanged = nextPollInterval(iteration, pollInterval)
+	require.False(t, hasChanged)
+	require.Equal(t, time.Second, pollInterval)
+
+	iteration = 5
+	pollInterval, hasChanged = nextPollInterval(iteration, pollInterval)
+	require.True(t, hasChanged)
+	require.Equal(t, 2*time.Second, pollInterval)
+
+	iteration = 10
+	pollInterval, hasChanged = nextPollInterval(iteration, pollInterval)
+	require.True(t, hasChanged)
+	require.Equal(t, 4*time.Second, pollInterval)
+
+	iteration = 20
+	pollInterval = 32 * time.Second
+	pollInterval, hasChanged = nextPollInterval(iteration, pollInterval)
+	require.True(t, hasChanged) // from 32s to 16s
+	require.Equal(t, 16*time.Second, pollInterval)
+
+	pollInterval = 16 * time.Second
+	pollInterval, hasChanged = nextPollInterval(iteration, pollInterval)
+	require.False(t, hasChanged)
+	require.Equal(t, 16*time.Second, pollInterval)
+}
--- a/cmd/frostfs-adm/internal/modules/morph/initialize_transfer.go
+++ b/cmd/frostfs-adm/internal/modules/morph/initialize_transfer.go
@ -2,15 +2,18 @@ package morph

 import (
 	"fmt"
+	"math/big"

 	"github.com/nspcc-dev/neo-go/pkg/core/native"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/io"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	scContext "github.com/nspcc-dev/neo-go/pkg/smartcontract/context"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
@ -33,11 +36,11 @@ func (c *initializeContext) transferFunds() error {
 		return err
 	}

-	var transfers []rpcclient.TransferTarget
+	var transfers []transferTarget
 	for _, acc := range c.Accounts {
 		to := acc.Contract.ScriptHash()
 		transfers = append(transfers,
-			rpcclient.TransferTarget{
+			transferTarget{
 				Token:   gas.Hash,
 				Address: to,
 				Amount:  initialAlphabetGASAmount,
@ -47,25 +50,19 @@ func (c *initializeContext) transferFunds() error {

 	// It is convenient to have all funds at the committee account.
 	transfers = append(transfers,
-		rpcclient.TransferTarget{
+		transferTarget{
 			Token:   gas.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  (gasInitialTotalSupply - initialAlphabetGASAmount*int64(len(c.Wallets))) / 2,
 		},
-		rpcclient.TransferTarget{
+		transferTarget{
 			Token:   neo.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  native.NEOTotalSupply,
 		},
 	)

-	tx, err := createNEP17MultiTransferTx(c.Client, c.ConsensusAcc, 0, transfers, []rpcclient.SignerAccount{{
-		Signer: transaction.Signer{
-			Account: c.ConsensusAcc.Contract.ScriptHash(),
-			Scopes:  transaction.CalledByEntry,
-		},
-		Account: c.ConsensusAcc,
-	}})
+	tx, err := createNEP17MultiTransferTx(c.Client, c.ConsensusAcc, transfers)
 	if err != nil {
 		return fmt.Errorf("can't create transfer transaction: %w", err)
 	}
@ -80,8 +77,9 @@ func (c *initializeContext) transferFunds() error {
 func (c *initializeContext) transferFundsFinished() (bool, error) {
 	acc := c.Accounts[0]

-	res, err := c.Client.NEP17BalanceOf(gas.Hash, acc.Contract.ScriptHash())
-	return res > initialAlphabetGASAmount/2, err
+	r := nep17.NewReader(c.ReadOnlyInvoker, gas.Hash)
+	res, err := r.BalanceOf(acc.Contract.ScriptHash())
+	return res.Cmp(big.NewInt(initialAlphabetGASAmount/2)) == 1, err
 }

 func (c *initializeContext) multiSignAndSend(tx *transaction.Transaction, accType string) error {
@ -93,12 +91,13 @@ func (c *initializeContext) multiSignAndSend(tx *transaction.Transaction, accTyp
 }

 func (c *initializeContext) multiSign(tx *transaction.Transaction, accType string) error {
-	network, err := c.Client.GetNetwork()
+	version, err := c.Client.GetVersion()
 	if err != nil {
 		// error appears only if client
 		// has not been initialized
 		panic(err)
 	}
+	network := version.Protocol.Network

 	// Use parameter context to avoid dealing with signature order.
 	pc := scContext.NewParameterContext("", network, tx)
@ -146,16 +145,17 @@ func (c *initializeContext) multiSign(tx *transaction.Transaction, accType strin
 func (c *initializeContext) transferGASToProxy() error {
 	proxyCs := c.getContract(proxyContract)

-	bal, err := c.Client.NEP17BalanceOf(gas.Hash, proxyCs.Hash)
-	if err != nil || bal > 0 {
+	r := nep17.NewReader(c.ReadOnlyInvoker, gas.Hash)
+	bal, err := r.BalanceOf(proxyCs.Hash)
+	if err != nil || bal.Sign() > 0 {
 		return err
 	}

-	tx, err := createNEP17MultiTransferTx(c.Client, c.CommitteeAcc, 0, []rpcclient.TransferTarget{{
+	tx, err := createNEP17MultiTransferTx(c.Client, c.CommitteeAcc, []transferTarget{{
 		Token:   gas.Hash,
 		Address: proxyCs.Hash,
 		Amount:  initialProxyGASAmount,
-	}}, nil)
+	}})
 	if err != nil {
 		return err
 	}
@ -167,8 +167,14 @@ func (c *initializeContext) transferGASToProxy() error {
 	return c.awaitTx()
 }

-func createNEP17MultiTransferTx(c Client, acc *wallet.Account, netFee int64,
-	recipients []rpcclient.TransferTarget, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
+type transferTarget struct {
+	Token   util.Uint160
+	Address util.Uint160
+	Amount  int64
+	Data    any
+}
+
+func createNEP17MultiTransferTx(c Client, acc *wallet.Account, recipients []transferTarget) (*transaction.Transaction, error) {
 	from := acc.Contract.ScriptHash()

 	w := io.NewBufBinWriter()
@ -180,11 +186,18 @@ func createNEP17MultiTransferTx(c Client, acc *wallet.Account, netFee int64,
 	if w.Err != nil {
 		return nil, fmt.Errorf("failed to create transfer script: %w", w.Err)
 	}
-	return c.CreateTxFromScript(w.Bytes(), acc, -1, netFee, append([]rpcclient.SignerAccount{{
+
+	signers := []actor.SignerAccount{{
 		Signer: transaction.Signer{
-			Account: from,
+			Account: acc.Contract.ScriptHash(),
 			Scopes:  transaction.CalledByEntry,
 		},
 		Account: acc,
-	}}, cosigners...))
+	}}
+
+	act, err := actor.New(c, signers)
+	if err != nil {
+		return nil, fmt.Errorf("can't create actor: %w", err)
+	}
+	return act.MakeRun(w.Bytes())
 }
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.go
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.go
@ -1,65 +0,0 @@
-package internal
-
-import (
-	"fmt"
-	"strconv"
-
-	"google.golang.org/protobuf/proto"
-)
-
-// StringifySubnetClientGroupID returns string representation of SubnetClientGroupID using MarshalText.
-// Returns a string with a message on error.
-func StringifySubnetClientGroupID(id *SubnetClientGroupID) string {
-	text, err := id.MarshalText()
-	if err != nil {
-		return fmt.Sprintf("<invalid> %v", err)
-	}
-
-	return string(text)
-}
-
-// MarshalText encodes SubnetClientGroupID into text format according to FrostFS API V2 protocol:
-// value in base-10 integer string format.
-//
-// It implements encoding.TextMarshaler.
-func (x *SubnetClientGroupID) MarshalText() ([]byte, error) {
-	num := x.GetValue() // NPE safe, returns zero on nil
-
-	return []byte(strconv.FormatUint(uint64(num), 10)), nil
-}
-
-// UnmarshalText decodes the SubnetID from the text according to FrostFS API V2 protocol:
-// should be base-10 integer string format with bitsize = 32.
-//
-// Returns strconv.ErrRange if integer overflows uint32.
-//
-// Must not be called on nil.
-//
-// Implements encoding.TextUnmarshaler.
-func (x *SubnetClientGroupID) UnmarshalText(txt []byte) error {
-	num, err := strconv.ParseUint(string(txt), 10, 32)
-	if err != nil {
-		return fmt.Errorf("invalid numeric value: %w", err)
-	}
-
-	x.SetNumber(uint32(num))
-
-	return nil
-}
-
-// Marshal encodes the SubnetClientGroupID into a binary format of FrostFS API V2 protocol
-// (Protocol Buffers with direct field order).
-func (x *SubnetClientGroupID) Marshal() ([]byte, error) {
-	return proto.Marshal(x)
-}
-
-// Unmarshal decodes the SubnetClientGroupID from FrostFS API V2 binary format (see Marshal). Must not be called on nil.
-func (x *SubnetClientGroupID) Unmarshal(data []byte) error {
-	return proto.Unmarshal(data, x)
-}
-
-// SetNumber sets SubnetClientGroupID value in uint32 format. Must not be called on nil.
-// By default, number is 0.
-func (x *SubnetClientGroupID) SetNumber(num uint32) {
-	x.Value = num
-}
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.pb.go
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.pb.go
--- a/cmd/frostfs-adm/internal/modules/morph/internal/types.proto
+++ b/cmd/frostfs-adm/internal/modules/morph/internal/types.proto
@ -1,15 +0,0 @@
-syntax = "proto3";
-
-package neo.fs.v2.refs;
-
-option go_package = "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/internal";
-
-// Client group identifier in the FrostFS subnet.
-//
-// String representation of a value is base-10 integer.
-//
-// JSON representation is an object containing single `value` number field.
-message SubnetClientGroupID {
-  // 4-byte integer identifier of the subnet client group.
-  fixed32 value = 1 [json_name = "value"];
-}
--- a/cmd/frostfs-adm/internal/modules/morph/local_client.go
+++ b/cmd/frostfs-adm/internal/modules/morph/local_client.go
@ -10,33 +10,28 @@ import (

 	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/config"
-	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
 	"github.com/nspcc-dev/neo-go/pkg/core"
 	"github.com/nspcc-dev/neo-go/pkg/core/block"
 	"github.com/nspcc-dev/neo-go/pkg/core/chaindump"
-	"github.com/nspcc-dev/neo-go/pkg/core/fee"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/storage"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
-	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
-	"github.com/nspcc-dev/neo-go/pkg/network/payload"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
 	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
-	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@ -51,7 +46,7 @@ type localClient struct {
 	maxGasInvoke int64
 }

-func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet) (*localClient, error) {
+func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet, dumpPath string) (*localClient, error) {
 	cfg, err := config.LoadFile(v.GetString(protoConfigPath))
 	if err != nil {
 		return nil, err
@ -62,7 +57,7 @@ func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet
 		return nil, err
 	}

-	m := smartcontract.GetDefaultHonestNodeCount(cfg.ProtocolConfiguration.ValidatorsCount)
+	m := smartcontract.GetDefaultHonestNodeCount(int(cfg.ProtocolConfiguration.ValidatorsCount))
 	accounts := make([]*wallet.Account, len(wallets))
 	for i := range accounts {
 		accounts[i], err = getWalletAccount(wallets[i], consensusAccountName)
@ -87,9 +82,8 @@ func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet

 	go bc.Run()

-	dumpPath := v.GetString(localDumpFlag)
 	if cmd.Name() != "init" {
-		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0600)
+		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0o600)
 		if err != nil {
 			return nil, fmt.Errorf("can't open local dump: %w", err)
 		}
@ -120,29 +114,10 @@ func (l *localClient) GetBlockCount() (uint32, error) {
 	return l.bc.BlockHeight(), nil
 }

-func (l *localClient) GetContractStateByID(id int32) (*state.Contract, error) {
-	h, err := l.bc.GetContractScriptHash(id)
-	if err != nil {
-		return nil, err
-	}
-	return l.GetContractStateByHash(h)
-}
-
-func (l *localClient) GetContractStateByHash(h util.Uint160) (*state.Contract, error) {
-	if cs := l.bc.GetContractState(h); cs != nil {
-		return cs, nil
-	}
-	return nil, storage.ErrKeyNotFound
-}
-
 func (l *localClient) GetNativeContracts() ([]state.NativeContract, error) {
 	return l.bc.GetNatives(), nil
 }

-func (l *localClient) GetNetwork() (netmode.Magic, error) {
-	return l.bc.GetConfig().Magic, nil
-}
-
 func (l *localClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*result.ApplicationLog, error) {
 	aer, err := l.bc.GetAppExecResults(h, *t)
 	if err != nil {
@ -153,34 +128,6 @@ func (l *localClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*resul
 	return &a, nil
 }

-func (l *localClient) CreateTxFromScript(script []byte, acc *wallet.Account, sysFee int64, netFee int64, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
-	signers, accounts, err := getSigners(acc, cosigners)
-	if err != nil {
-		return nil, fmt.Errorf("failed to construct tx signers: %w", err)
-	}
-	if sysFee < 0 {
-		res, err := l.InvokeScript(script, signers)
-		if err != nil {
-			return nil, fmt.Errorf("can't add system fee to transaction: %w", err)
-		}
-		if res.State != "HALT" {
-			return nil, fmt.Errorf("can't add system fee to transaction: bad vm state: %s due to an error: %s", res.State, res.FaultException)
-		}
-		sysFee = res.GasConsumed
-	}
-
-	tx := transaction.New(script, sysFee)
-	tx.Signers = signers
-	tx.ValidUntilBlock = l.bc.BlockHeight() + 2
-
-	err = l.AddNetworkFee(tx, netFee, accounts...)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add network fee: %w", err)
-	}
-
-	return tx, nil
-}
-
 func (l *localClient) GetCommittee() (keys.PublicKeys, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
@ -201,21 +148,6 @@ func (l *localClient) InvokeFunction(h util.Uint160, method string, sPrm []smart
 	return invokeFunction(l, h, method, pp, ss)
 }

-func (l *localClient) CalculateNotaryFee(_ uint8) (int64, error) {
-	// not used by `morph init` command
-	panic("unexpected call")
-}
-
-func (l *localClient) SignAndPushP2PNotaryRequest(_ *transaction.Transaction, _ []byte, _ int64, _ int64, _ uint32, _ *wallet.Account) (*payload.P2PNotaryRequest, error) {
-	// not used by `morph init` command
-	panic("unexpected call")
-}
-
-func (l *localClient) SignAndPushInvocationTx(_ []byte, _ *wallet.Account, _ int64, _ fixedn.Fixed8, _ []rpcclient.SignerAccount) (util.Uint256, error) {
-	// not used by `morph init` command
-	panic("unexpected call")
-}
-
 func (l *localClient) TerminateSession(_ uuid.UUID) (bool, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
@ -248,117 +180,83 @@ func (l *localClient) GetVersion() (*result.Version, error) {
 	}, nil
 }

-func (l *localClient) InvokeContractVerify(contract util.Uint160, params []smartcontract.Parameter, signers []transaction.Signer, witnesses ...transaction.Witness) (*result.Invoke, error) {
+func (l *localClient) InvokeContractVerify(util.Uint160, []smartcontract.Parameter, []transaction.Signer, ...transaction.Witness) (*result.Invoke, error) {
 	// not used by `morph init` command
 	panic("unexpected call")
 }

 // CalculateNetworkFee calculates network fee for the given transaction.
 // Copied from neo-go with minor corrections (no need to support non-notary mode):
-// https://github.com/nspcc-dev/neo-go/blob/v0.99.2/pkg/services/rpcsrv/server.go#L744
+// https://github.com/nspcc-dev/neo-go/blob/v0.103.0/pkg/services/rpcsrv/server.go#L911
 func (l *localClient) CalculateNetworkFee(tx *transaction.Transaction) (int64, error) {
-	hashablePart, err := tx.EncodeHashableFields()
-	if err != nil {
-		return 0, fmt.Errorf("failed to compute tx size: %w", err)
-	}
-
-	size := len(hashablePart) + io.GetVarSize(len(tx.Signers))
-	ef := l.bc.GetBaseExecFee()
-
-	var netFee int64
-	for i, signer := range tx.Signers {
-		var verificationScript []byte
-		for _, w := range tx.Scripts {
-			if w.VerificationScript != nil && hash.Hash160(w.VerificationScript).Equals(signer.Account) {
-				verificationScript = w.VerificationScript
-				break
-			}
-		}
-		if verificationScript == nil {
-			gasConsumed, err := l.bc.VerifyWitness(signer.Account, tx, &tx.Scripts[i], l.maxGasInvoke)
-			if err != nil {
-				return 0, fmt.Errorf("invalid signature: %w", err)
-			}
-			netFee += gasConsumed
-			size += io.GetVarSize([]byte{}) + io.GetVarSize(tx.Scripts[i].InvocationScript)
-			continue
-		}
-
-		fee, sizeDelta := fee.Calculate(ef, verificationScript)
-		netFee += fee
-		size += sizeDelta
-	}
-
-	fee := l.bc.FeePerByte()
-	netFee += int64(size) * fee
-
-	return netFee, nil
-}
-
-// AddNetworkFee adds network fee for each witness script and optional extra
-// network fee to transaction. `accs` is an array signer's accounts.
-// Copied from neo-go with minor corrections (no need to support contract signers):
-// https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L960
-func (l *localClient) AddNetworkFee(tx *transaction.Transaction, extraFee int64, accs ...*wallet.Account) error {
-	if len(tx.Signers) != len(accs) {
-		return errors.New("number of signers must match number of scripts")
-	}
-
-	size := io.GetVarSize(tx)
-	ef := l.bc.GetBaseExecFee()
-	for i := range tx.Signers {
-		netFee, sizeDelta := fee.Calculate(ef, accs[i].Contract.Script)
-		tx.NetworkFee += netFee
-		size += sizeDelta
-	}
-
-	tx.NetworkFee += int64(size)*l.bc.FeePerByte() + extraFee
-	return nil
-}
-
-// getSigners returns an array of transaction signers and corresponding accounts from
-// given sender and cosigners. If cosigners list already contains sender, the sender
-// will be placed at the start of the list.
-// Copied from neo-go with minor corrections:
-// https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L735
-func getSigners(sender *wallet.Account, cosigners []rpcclient.SignerAccount) ([]transaction.Signer, []*wallet.Account, error) {
-	var (
-		signers  []transaction.Signer
-		accounts []*wallet.Account
-	)
-
-	from := sender.Contract.ScriptHash()
-	s := transaction.Signer{
-		Account: from,
-		Scopes:  transaction.None,
-	}
-	for _, c := range cosigners {
-		if c.Signer.Account == from {
-			s = c.Signer
-			continue
-		}
-		signers = append(signers, c.Signer)
-		accounts = append(accounts, c.Account)
-	}
-	signers = append([]transaction.Signer{s}, signers...)
-	accounts = append([]*wallet.Account{sender}, accounts...)
-	return signers, accounts, nil
-}
-
-func (l *localClient) NEP17BalanceOf(h util.Uint160, acc util.Uint160) (int64, error) {
-	res, err := invokeFunction(l, h, "balanceOf", []any{acc}, nil)
+	// Avoid setting hash for this tx: server code doesn't touch client transaction.
+	data := tx.Bytes()
+	tx, err := transaction.NewTransactionFromBytes(data)
 	if err != nil {
 		return 0, err
 	}
-	if res.State != vmstate.Halt.String() || len(res.Stack) == 0 {
-		return 0, fmt.Errorf("`balance`: invalid response (empty: %t): %s",
-			len(res.Stack) == 0, res.FaultException)
+
+	hashablePart, err := tx.EncodeHashableFields()
+	if err != nil {
+		return 0, err
 	}
-	bi, err := res.Stack[0].TryInteger()
-	if err != nil || !bi.IsInt64() {
-		return 0, fmt.Errorf("`balance`: invalid response")
+	size := len(hashablePart) + io.GetVarSize(len(tx.Signers))
+	var (
+		netFee int64
+		// Verification GAS cost can't exceed this policy.
+		gasLimit = l.bc.GetMaxVerificationGAS()
+	)
+	for i, signer := range tx.Signers {
+		w := tx.Scripts[i]
+		if len(w.InvocationScript) == 0 { // No invocation provided, try to infer one.
+			var paramz []manifest.Parameter
+			if len(w.VerificationScript) == 0 { // Contract-based verification
+				cs := l.bc.GetContractState(signer.Account)
+				if cs == nil {
+					return 0, fmt.Errorf("signer %d has no verification script and no deployed contract", i)
+				}
+				md := cs.Manifest.ABI.GetMethod(manifest.MethodVerify, -1)
+				if md == nil || md.ReturnType != smartcontract.BoolType {
+					return 0, fmt.Errorf("signer %d has no verify method in deployed contract", i)
+				}
+				paramz = md.Parameters // Might as well have none params and it's OK.
+			} else { // Regular signature verification.
+				if vm.IsSignatureContract(w.VerificationScript) {
+					paramz = []manifest.Parameter{{Type: smartcontract.SignatureType}}
+				} else if nSigs, _, ok := vm.ParseMultiSigContract(w.VerificationScript); ok {
+					paramz = make([]manifest.Parameter, nSigs)
+					for j := 0; j < nSigs; j++ {
+						paramz[j] = manifest.Parameter{Type: smartcontract.SignatureType}
+					}
+				}
+			}
+			inv := io.NewBufBinWriter()
+			for _, p := range paramz {
+				p.Type.EncodeDefaultValue(inv.BinWriter)
+			}
+			if inv.Err != nil {
+				return 0, fmt.Errorf("failed to create dummy invocation script (signer %d): %s", i, inv.Err.Error())
+			}
+			w.InvocationScript = inv.Bytes()
+		}
+		gasConsumed, err := l.bc.VerifyWitness(signer.Account, tx, &w, gasLimit)
+		if err != nil && !errors.Is(err, core.ErrInvalidSignature) {
+			return 0, err
+		}
+		gasLimit -= gasConsumed
+		netFee += gasConsumed
+		size += io.GetVarSize(w.VerificationScript) + io.GetVarSize(w.InvocationScript)
 	}
-	return bi.Int64(), nil
+	if l.bc.P2PSigExtensionsEnabled() {
+		attrs := tx.GetAttributes(transaction.NotaryAssistedT)
+		if len(attrs) != 0 {
+			na := attrs[0].Value.(*transaction.NotaryAssisted)
+			netFee += (int64(na.NKeys) + 1) * l.bc.GetNotaryServiceFeePerKey()
+		}
+	}
+	fee := l.bc.FeePerByte()
+	netFee += int64(size) * fee
+	return netFee, nil
 }

 func (l *localClient) InvokeScript(script []byte, signers []transaction.Signer) (*result.Invoke, error) {
--- a/cmd/frostfs-adm/internal/modules/morph/n3client.go
+++ b/cmd/frostfs-adm/internal/modules/morph/n3client.go
@ -6,13 +6,10 @@ import (
 	"fmt"
 	"time"

-	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
-	"github.com/nspcc-dev/neo-go/pkg/network/payload"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
@ -29,21 +26,12 @@ type Client interface {
 	invoker.RPCInvoke

 	GetBlockCount() (uint32, error)
-	GetContractStateByID(int32) (*state.Contract, error)
-	GetContractStateByHash(util.Uint160) (*state.Contract, error)
 	GetNativeContracts() ([]state.NativeContract, error)
-	GetNetwork() (netmode.Magic, error)
 	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
 	GetVersion() (*result.Version, error)
-	CreateTxFromScript([]byte, *wallet.Account, int64, int64, []rpcclient.SignerAccount) (*transaction.Transaction, error)
-	NEP17BalanceOf(util.Uint160, util.Uint160) (int64, error)
 	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
 	GetCommittee() (keys.PublicKeys, error)
-	CalculateNotaryFee(uint8) (int64, error)
 	CalculateNetworkFee(tx *transaction.Transaction) (int64, error)
-	AddNetworkFee(*transaction.Transaction, int64, ...*wallet.Account) error
-	SignAndPushInvocationTx([]byte, *wallet.Account, int64, fixedn.Fixed8, []rpcclient.SignerAccount) (util.Uint256, error)
-	SignAndPushP2PNotaryRequest(*transaction.Transaction, []byte, int64, int64, uint32, *wallet.Account) (*payload.P2PNotaryRequest, error)
 }

 type hashVUBPair struct {
@ -85,13 +73,7 @@ func getN3Client(v *viper.Viper) (Client, error) {
 }

 func defaultClientContext(c Client, committeeAcc *wallet.Account) (*clientContext, error) {
-	commAct, err := actor.New(c, []actor.SignerAccount{{
-		Signer: transaction.Signer{
-			Account: committeeAcc.Contract.ScriptHash(),
-			Scopes:  transaction.Global,
-		},
-		Account: committeeAcc,
-	}})
+	commAct, err := newActor(c, committeeAcc)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/frostfs-adm/internal/modules/morph/netmap_candidates.go
+++ b/cmd/frostfs-adm/internal/modules/morph/netmap_candidates.go
@ -1,10 +1,11 @@
 package morph

 import (
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@ -14,11 +15,12 @@ func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)

 	inv := invoker.New(c, nil)
+	r := management.NewReader(inv)

-	cs, err := c.GetContractStateByID(1)
+	cs, err := r.GetContractByID(1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract info: %w", err)

-	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
+	nmHash, err := nnsResolveHash(inv, cs.Hash, domainOf(netmapContract))
 	commonCmd.ExitOnErr(cmd, "can't get netmap contract hash: %w", err)

 	res, err := inv.Call(nmHash, "netmapCandidates")
--- a/cmd/frostfs-adm/internal/modules/morph/netmap_util.go
+++ b/cmd/frostfs-adm/internal/modules/morph/netmap_util.go
@ -0,0 +1,44 @@
+package morph
+
+import (
+	"errors"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/spf13/viper"
+)
+
+func getDefaultNetmapContractConfigMap() map[string]any {
+	m := make(map[string]any)
+	m[netmap.EpochDurationConfig] = viper.GetInt64(epochDurationInitFlag)
+	m[netmap.MaxObjectSizeConfig] = viper.GetInt64(maxObjectSizeInitFlag)
+	m[netmap.ContainerFeeConfig] = viper.GetInt64(containerFeeInitFlag)
+	m[netmap.ContainerAliasFeeConfig] = viper.GetInt64(containerAliasFeeInitFlag)
+	m[netmap.IrCandidateFeeConfig] = viper.GetInt64(candidateFeeInitFlag)
+	m[netmap.WithdrawFeeConfig] = viper.GetInt64(withdrawFeeInitFlag)
+	m[netmap.HomomorphicHashingDisabledKey] = viper.GetBool(homomorphicHashDisabledInitFlag)
+	m[netmap.MaintenanceModeAllowedConfig] = viper.GetBool(maintenanceModeAllowedInitFlag)
+	return m
+}
+
+func parseConfigFromNetmapContract(arr []stackitem.Item) (map[string][]byte, error) {
+	m := make(map[string][]byte, len(arr))
+	for _, param := range arr {
+		tuple, ok := param.Value().([]stackitem.Item)
+		if !ok || len(tuple) != 2 {
+			return nil, errors.New("invalid ListConfig response from netmap contract")
+		}
+
+		k, err := tuple[0].TryBytes()
+		if err != nil {
+			return nil, errors.New("invalid config key from netmap contract")
+		}
+
+		v, err := tuple[1].TryBytes()
+		if err != nil {
+			return nil, invalidConfigValueErr(string(k))
+		}
+		m[string(k)] = v
+	}
+	return m, nil
+}
--- a/cmd/frostfs-adm/internal/modules/morph/notary.go
+++ b/cmd/frostfs-adm/internal/modules/morph/notary.go
@ -9,10 +9,12 @@ import (
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/notary"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@ -23,16 +25,9 @@ import (
 const defaultNotaryDepositLifetime = 5760

 func depositNotary(cmd *cobra.Command, _ []string) error {
-	p, err := cmd.Flags().GetString(storageWalletFlag)
+	w, err := openWallet(cmd)
 	if err != nil {
 		return err
-	} else if p == "" {
-		return fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
-	}
-
-	w, err := wallet.NewWalletFromFile(p)
-	if err != nil {
-		return fmt.Errorf("can't open wallet: %v", err)
 	}

 	accHash := w.GetChangeAddress()
@ -80,6 +75,10 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		}
 	}

+	return transferGas(cmd, acc, accHash, gasAmount, till)
+}
+
+func transferGas(cmd *cobra.Command, acc *wallet.Account, accHash util.Uint160, gasAmount fixedn.Fixed8, till int64) error {
 	c, err := getN3Client(viper.GetViper())
 	if err != nil {
 		return err
@ -119,3 +118,18 @@ func depositNotary(cmd *cobra.Command, _ []string) error {

 	return awaitTx(cmd, c, []hashVUBPair{{hash: txHash, vub: vub}})
 }
+
+func openWallet(cmd *cobra.Command) (*wallet.Wallet, error) {
+	p, err := cmd.Flags().GetString(storageWalletFlag)
+	if err != nil {
+		return nil, err
+	} else if p == "" {
+		return nil, fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
+	}
+
+	w, err := wallet.NewWalletFromFile(p)
+	if err != nil {
+		return nil, fmt.Errorf("can't open wallet: %v", err)
+	}
+	return w, nil
+}
--- a/cmd/frostfs-adm/internal/modules/morph/policy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/policy.go
@ -1,11 +1,15 @@
 package morph

 import (
+	"bytes"
 	"fmt"
 	"strconv"
 	"strings"
+	"text/tabwriter"

+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/policy"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
@ -52,3 +56,32 @@ func setPolicyCmd(cmd *cobra.Command, args []string) error {

 	return wCtx.awaitTx()
 }
+
+func dumpPolicyCmd(cmd *cobra.Command, _ []string) error {
+	c, err := getN3Client(viper.GetViper())
+	commonCmd.ExitOnErr(cmd, "can't create N3 client:", err)
+
+	inv := invoker.New(c, nil)
+	policyContract := policy.NewReader(inv)
+
+	execFee, err := policyContract.GetExecFeeFactor()
+	commonCmd.ExitOnErr(cmd, "can't get execution fee factor:", err)
+
+	feePerByte, err := policyContract.GetFeePerByte()
+	commonCmd.ExitOnErr(cmd, "can't get fee per byte:", err)
+
+	storagePrice, err := policyContract.GetStoragePrice()
+	commonCmd.ExitOnErr(cmd, "can't get storage price:", err)
+
+	buf := bytes.NewBuffer(nil)
+	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
+
+	_, _ = tw.Write([]byte(fmt.Sprintf("Execution Fee Factor:\t%d (int)\n", execFee)))
+	_, _ = tw.Write([]byte(fmt.Sprintf("Fee Per Byte:\t%d (int)\n", feePerByte)))
+	_, _ = tw.Write([]byte(fmt.Sprintf("Storage Price:\t%d (int)\n", storagePrice)))
+
+	_ = tw.Flush()
+	cmd.Print(buf.String())
+
+	return nil
+}
--- a/cmd/frostfs-adm/internal/modules/morph/proxy.go
+++ b/cmd/frostfs-adm/internal/modules/morph/proxy.go
@ -0,0 +1,68 @@
+package morph
+
+import (
+	"fmt"
+
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	accountAddressFlag = "account"
+)
+
+func addProxyAccount(cmd *cobra.Command, _ []string) {
+	acc, _ := cmd.Flags().GetString(accountAddressFlag)
+	addr, err := address.StringToUint160(acc)
+	commonCmd.ExitOnErr(cmd, "invalid account: %w", err)
+	err = processAccount(cmd, addr, "addAccount")
+	commonCmd.ExitOnErr(cmd, "processing error: %w", err)
+}
+
+func removeProxyAccount(cmd *cobra.Command, _ []string) {
+	acc, _ := cmd.Flags().GetString(accountAddressFlag)
+	addr, err := address.StringToUint160(acc)
+	commonCmd.ExitOnErr(cmd, "invalid account: %w", err)
+	err = processAccount(cmd, addr, "removeAccount")
+	commonCmd.ExitOnErr(cmd, "processing error: %w", err)
+}
+
+func processAccount(cmd *cobra.Command, addr util.Uint160, method string) error {
+	wCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't to initialize context: %w", err)
+	}
+
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
+	if err != nil {
+		return fmt.Errorf("can't get NNS contract info: %w", err)
+	}
+
+	proxyHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, domainOf(proxyContract))
+	if err != nil {
+		return fmt.Errorf("can't get proxy contract hash: %w", err)
+	}
+
+	bw := io.NewBufBinWriter()
+	emit.AppCall(bw.BinWriter, proxyHash, method, callflag.All, addr)
+
+	if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
+		return err
+	}
+
+	if err = wCtx.awaitTx(); err != nil {
+		return err
+	}
+
+	cmd.Println("Proxy contract has been updated")
+
+	return nil
+}
--- a/cmd/frostfs-adm/internal/modules/morph/remove_node.go
+++ b/cmd/frostfs-adm/internal/modules/morph/remove_node.go
@ -4,9 +4,10 @@ import (
 	"errors"
 	"fmt"

-	netmapcontract "github.com/TrueCloudLab/frostfs-contract/netmap"
+	netmapcontract "git.frostfs.info/TrueCloudLab/frostfs-contract/netmap"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/spf13/cobra"
@ -33,12 +34,13 @@ func removeNodesCmd(cmd *cobra.Command, args []string) error {
 	}
 	defer wCtx.close()

-	cs, err := wCtx.Client.GetContractStateByID(1)
+	r := management.NewReader(wCtx.ReadOnlyInvoker)
+	cs, err := r.GetContractByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}

-	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, domainOf(netmapContract))
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
--- a/cmd/frostfs-adm/internal/modules/morph/root.go
+++ b/cmd/frostfs-adm/internal/modules/morph/root.go
@ -7,8 +7,11 @@ import (

 const (
 	alphabetWalletsFlag             = "alphabet-wallets"
+	alphabetWalletsFlagDesc         = "Path to alphabet wallets dir"
 	alphabetSizeFlag                = "size"
 	endpointFlag                    = "rpc-endpoint"
+	endpointFlagDesc                = "N3 RPC node endpoint"
+	endpointFlagShort               = "r"
 	storageWalletFlag               = "storage-wallet"
 	storageWalletLabelFlag          = "label"
 	storageGasCLIFlag               = "initial-gas"
@ -18,10 +21,6 @@ const (
 	maxObjectSizeCLIFlag            = "max-object-size"
 	epochDurationInitFlag           = "network.epoch_duration"
 	epochDurationCLIFlag            = "epoch-duration"
-	incomeRateInitFlag              = "network.basic_income_rate"
-	incomeRateCLIFlag               = "basic-income-rate"
-	auditFeeInitFlag                = "network.fee.audit"
-	auditFeeCLIFlag                 = "audit-fee"
 	containerFeeInitFlag            = "network.fee.container"
 	containerAliasFeeInitFlag       = "network.fee.container_alias"
 	containerFeeCLIFlag             = "container-fee"
@ -69,15 +68,12 @@ var (
 			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
 			_ = viper.BindPFlag(epochDurationInitFlag, cmd.Flags().Lookup(epochDurationCLIFlag))
 			_ = viper.BindPFlag(maxObjectSizeInitFlag, cmd.Flags().Lookup(maxObjectSizeCLIFlag))
-			_ = viper.BindPFlag(incomeRateInitFlag, cmd.Flags().Lookup(incomeRateCLIFlag))
 			_ = viper.BindPFlag(homomorphicHashDisabledInitFlag, cmd.Flags().Lookup(homomorphicHashDisabledCLIFlag))
-			_ = viper.BindPFlag(auditFeeInitFlag, cmd.Flags().Lookup(auditFeeCLIFlag))
 			_ = viper.BindPFlag(candidateFeeInitFlag, cmd.Flags().Lookup(candidateFeeCLIFlag))
 			_ = viper.BindPFlag(containerFeeInitFlag, cmd.Flags().Lookup(containerFeeCLIFlag))
 			_ = viper.BindPFlag(containerAliasFeeInitFlag, cmd.Flags().Lookup(containerAliasFeeCLIFlag))
 			_ = viper.BindPFlag(withdrawFeeInitFlag, cmd.Flags().Lookup(withdrawFeeCLIFlag))
 			_ = viper.BindPFlag(protoConfigPath, cmd.Flags().Lookup(protoConfigPath))
-			_ = viper.BindPFlag(localDumpFlag, cmd.Flags().Lookup(localDumpFlag))
 		},
 		RunE: initializeSideChainCmd,
 	}
@ -153,6 +149,15 @@ var (
 		},
 	}

+	dumpPolicy = &cobra.Command{
+		Use:   "dump-policy",
+		Short: "Dump FrostFS policy",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: dumpPolicyCmd,
+	}
+
 	dumpContractHashesCmd = &cobra.Command{
 		Use:   "dump-hashes",
 		Short: "Dump deployed contract hashes",
@ -236,17 +241,208 @@ var (
 		},
 		Run: listNetmapCandidatesNodes,
 	}
+
+	proxyAddAccountCmd = &cobra.Command{
+		Use:   "proxy-add-account",
+		Short: "Adds account to proxy contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: addProxyAccount,
+	}
+
+	proxyRemoveAccountCmd = &cobra.Command{
+		Use:   "proxy-remove-account",
+		Short: "Remove from proxy contract",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Run: removeProxyAccount,
+	}
 )

 func init() {
-	RootCmd.AddCommand(generateAlphabetCmd)
-	generateAlphabetCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	generateAlphabetCmd.Flags().Uint(alphabetSizeFlag, 7, "Amount of alphabet wallets to generate")
+	initGenerateAlphabetCmd()
+	initInitCmd()
+	initDeployCmd()
+	initGenerateStorageCmd()
+	initForceNewEpochCmd()
+	initRemoveNodesCmd()
+	initSetPolicyCmd()
+	initDumpPolicyCmd()
+	initDumpContractHashesCmd()
+	initDumpNetworkConfigCmd()
+	initSetConfigCmd()
+	initDumpBalancesCmd()
+	initUpdateContractsCmd()
+	initDumpContainersCmd()
+	initRestoreContainersCmd()
+	initListContainersCmd()
+	initRefillGasCmd()
+	initDepositoryNotaryCmd()
+	initNetmapCandidatesCmd()

+	RootCmd.AddCommand(apeCmd)
+	initAddRuleChainCmd()
+	initRemoveRuleChainCmd()
+	initListRuleChainsCmd()
+	initSetAdminCmd()
+	initGetAdminCmd()
+
+	initProxyAddAccount()
+	initProxyRemoveAccount()
+
+	RootCmd.AddCommand(frostfsidCmd)
+	initFrostfsIDCreateNamespaceCmd()
+	initFrostfsIDListNamespacesCmd()
+	initFrostfsIDCreateSubjectCmd()
+	initFrostfsIDDeleteSubjectCmd()
+	initFrostfsIDListSubjectsCmd()
+	initFrostfsIDCreateGroupCmd()
+	initFrostfsIDDeleteGroupCmd()
+	initFrostfsIDListGroupsCmd()
+	initFrostfsIDAddSubjectToGroupCmd()
+	initFrostfsIDRemoveSubjectFromGroupCmd()
+	initFrostfsIDListGroupSubjectsCmd()
+}
+
+func initProxyAddAccount() {
+	RootCmd.AddCommand(proxyAddAccountCmd)
+	proxyAddAccountCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	proxyAddAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
+}
+
+func initProxyRemoveAccount() {
+	RootCmd.AddCommand(proxyRemoveAccountCmd)
+	proxyRemoveAccountCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	proxyRemoveAccountCmd.Flags().String(accountAddressFlag, "", "Wallet address string")
+}
+
+func initNetmapCandidatesCmd() {
+	RootCmd.AddCommand(netmapCandidatesCmd)
+	netmapCandidatesCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+}
+
+func initDepositoryNotaryCmd() {
+	RootCmd.AddCommand(depositNotaryCmd)
+	depositNotaryCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	depositNotaryCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
+	depositNotaryCmd.Flags().String(walletAccountFlag, "", "Wallet account address")
+	depositNotaryCmd.Flags().String(refillGasAmountFlag, "", "Amount of GAS to deposit")
+	depositNotaryCmd.Flags().String(notaryDepositTillFlag, "", "Notary deposit duration in blocks")
+}
+
+func initRefillGasCmd() {
+	RootCmd.AddCommand(refillGasCmd)
+	refillGasCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	refillGasCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	refillGasCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
+	refillGasCmd.Flags().String(walletAddressFlag, "", "Address of wallet")
+	refillGasCmd.Flags().String(refillGasAmountFlag, "", "Additional amount of GAS to transfer")
+	refillGasCmd.MarkFlagsMutuallyExclusive(walletAddressFlag, storageWalletFlag)
+}
+
+func initListContainersCmd() {
+	RootCmd.AddCommand(listContainersCmd)
+	listContainersCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	listContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
+}
+
+func initRestoreContainersCmd() {
+	RootCmd.AddCommand(restoreContainersCmd)
+	restoreContainersCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	restoreContainersCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	restoreContainersCmd.Flags().String(containerDumpFlag, "", "File to restore containers from")
+	restoreContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to restore")
+}
+
+func initDumpContainersCmd() {
+	RootCmd.AddCommand(dumpContainersCmd)
+	dumpContainersCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	dumpContainersCmd.Flags().String(containerDumpFlag, "", "File where to save dumped containers")
+	dumpContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
+	dumpContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to dump")
+}
+
+func initUpdateContractsCmd() {
+	RootCmd.AddCommand(updateContractsCmd)
+	updateContractsCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	updateContractsCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	updateContractsCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts")
+	_ = updateContractsCmd.MarkFlagRequired(contractsInitFlag)
+}
+
+func initDumpBalancesCmd() {
+	RootCmd.AddCommand(dumpBalancesCmd)
+	dumpBalancesCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesStorageFlag, "s", false, "Dump balances of storage nodes from the current netmap")
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesAlphabetFlag, "a", false, "Dump balances of alphabet contracts")
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesProxyFlag, "p", false, "Dump balances of the proxy contract")
+	dumpBalancesCmd.Flags().Bool(dumpBalancesUseScriptHashFlag, false, "Use script-hash format for addresses")
+}
+
+func initSetConfigCmd() {
+	RootCmd.AddCommand(setConfig)
+	setConfig.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	setConfig.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	setConfig.Flags().Bool(forceConfigSet, false, "Force setting not well-known configuration key")
+	setConfig.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
+}
+
+func initDumpNetworkConfigCmd() {
+	RootCmd.AddCommand(dumpNetworkConfigCmd)
+	dumpNetworkConfigCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+}
+
+func initDumpContractHashesCmd() {
+	RootCmd.AddCommand(dumpContractHashesCmd)
+	dumpContractHashesCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	dumpContractHashesCmd.Flags().String(customZoneFlag, "", "Custom zone to search.")
+}
+
+func initSetPolicyCmd() {
+	RootCmd.AddCommand(setPolicy)
+	setPolicy.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	setPolicy.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	setPolicy.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
+}
+
+func initDumpPolicyCmd() {
+	RootCmd.AddCommand(dumpPolicy)
+	dumpPolicy.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+}
+
+func initRemoveNodesCmd() {
+	RootCmd.AddCommand(removeNodes)
+	removeNodes.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	removeNodes.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	removeNodes.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
+}
+
+func initForceNewEpochCmd() {
+	RootCmd.AddCommand(forceNewEpoch)
+	forceNewEpoch.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	forceNewEpoch.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	forceNewEpoch.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
+}
+
+func initGenerateStorageCmd() {
+	RootCmd.AddCommand(generateStorageCmd)
+	generateStorageCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	generateStorageCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	generateStorageCmd.Flags().String(storageWalletFlag, "", "Path to new storage node wallet")
+	generateStorageCmd.Flags().String(storageGasCLIFlag, "", "Initial amount of GAS to transfer")
+	generateStorageCmd.Flags().StringP(storageWalletLabelFlag, "l", "", "Wallet label")
+}
+
+func initInitCmd() {
 	RootCmd.AddCommand(initCmd)
-	initCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	initCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	initCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
+	initCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	initCmd.Flags().StringP(endpointFlag, endpointFlagShort, "", endpointFlagDesc)
+	initCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts")
+	_ = initCmd.MarkFlagRequired(contractsInitFlag)
 	initCmd.Flags().Uint(epochDurationCLIFlag, 240, "Amount of side chain blocks in one FrostFS epoch")
 	initCmd.Flags().Uint(maxObjectSizeCLIFlag, 67108864, "Max single object size in bytes")
 	initCmd.Flags().Bool(homomorphicHashDisabledCLIFlag, false, "Disable object homomorphic hashing")
@ -255,85 +451,14 @@ func init() {
 	initCmd.Flags().Uint64(containerAliasFeeCLIFlag, 500, "Container alias fee")
 	initCmd.Flags().String(protoConfigPath, "", "Path to the consensus node configuration")
 	initCmd.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
-
-	RootCmd.AddCommand(deployCmd)
-
-	RootCmd.AddCommand(generateStorageCmd)
-	generateStorageCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	generateStorageCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	generateStorageCmd.Flags().String(storageWalletFlag, "", "Path to new storage node wallet")
-	generateStorageCmd.Flags().String(storageGasCLIFlag, "", "Initial amount of GAS to transfer")
-	generateStorageCmd.Flags().StringP(storageWalletLabelFlag, "l", "", "Wallet label")
-
-	RootCmd.AddCommand(forceNewEpoch)
-	forceNewEpoch.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	forceNewEpoch.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-
-	RootCmd.AddCommand(removeNodes)
-	removeNodes.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	removeNodes.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-
-	RootCmd.AddCommand(setPolicy)
-	setPolicy.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	setPolicy.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-
-	RootCmd.AddCommand(dumpContractHashesCmd)
-	dumpContractHashesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	dumpContractHashesCmd.Flags().String(customZoneFlag, "", "Custom zone to search.")
-
-	RootCmd.AddCommand(dumpNetworkConfigCmd)
-	dumpNetworkConfigCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-
-	RootCmd.AddCommand(setConfig)
-	setConfig.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	setConfig.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	setConfig.Flags().Bool(forceConfigSet, false, "Force setting not well-known configuration key")
-
-	RootCmd.AddCommand(dumpBalancesCmd)
-	dumpBalancesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	dumpBalancesCmd.Flags().BoolP(dumpBalancesStorageFlag, "s", false, "Dump balances of storage nodes from the current netmap")
-	dumpBalancesCmd.Flags().BoolP(dumpBalancesAlphabetFlag, "a", false, "Dump balances of alphabet contracts")
-	dumpBalancesCmd.Flags().BoolP(dumpBalancesProxyFlag, "p", false, "Dump balances of the proxy contract")
-	dumpBalancesCmd.Flags().Bool(dumpBalancesUseScriptHashFlag, false, "Use script-hash format for addresses")
-
-	RootCmd.AddCommand(updateContractsCmd)
-	updateContractsCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	updateContractsCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	updateContractsCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
-
-	RootCmd.AddCommand(dumpContainersCmd)
-	dumpContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	dumpContainersCmd.Flags().String(containerDumpFlag, "", "File where to save dumped containers")
-	dumpContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
-	dumpContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to dump")
-
-	RootCmd.AddCommand(restoreContainersCmd)
-	restoreContainersCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	restoreContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	restoreContainersCmd.Flags().String(containerDumpFlag, "", "File to restore containers from")
-	restoreContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to restore")
-
-	RootCmd.AddCommand(listContainersCmd)
-	listContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	listContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
-
-	RootCmd.AddCommand(refillGasCmd)
-	refillGasCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
-	refillGasCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	refillGasCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
-	refillGasCmd.Flags().String(walletAddressFlag, "", "Address of wallet")
-	refillGasCmd.Flags().String(refillGasAmountFlag, "", "Additional amount of GAS to transfer")
-	refillGasCmd.MarkFlagsMutuallyExclusive(walletAddressFlag, storageWalletFlag)
-
-	RootCmd.AddCommand(cmdSubnet)
-
-	RootCmd.AddCommand(depositNotaryCmd)
-	depositNotaryCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
-	depositNotaryCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
-	depositNotaryCmd.Flags().String(walletAccountFlag, "", "Wallet account address")
-	depositNotaryCmd.Flags().String(refillGasAmountFlag, "", "Amount of GAS to deposit")
-	depositNotaryCmd.Flags().String(notaryDepositTillFlag, "", "Notary deposit duration in blocks")
-
-	RootCmd.AddCommand(netmapCandidatesCmd)
-	netmapCandidatesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+}
+
+func initGenerateAlphabetCmd() {
+	RootCmd.AddCommand(generateAlphabetCmd)
+	generateAlphabetCmd.Flags().String(alphabetWalletsFlag, "", alphabetWalletsFlagDesc)
+	generateAlphabetCmd.Flags().Uint(alphabetSizeFlag, 7, "Amount of alphabet wallets to generate")
+}
+
+func initDeployCmd() {
+	RootCmd.AddCommand(deployCmd)
 }
--- a/cmd/frostfs-adm/internal/modules/morph/subnet.go
+++ b/cmd/frostfs-adm/internal/modules/morph/subnet.go
--- a/cmd/frostfs-adm/internal/modules/morph/util.go
+++ b/cmd/frostfs-adm/internal/modules/morph/util.go
@ -0,0 +1,86 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/viper"
+)
+
+func getAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, error) {
+	wallets, err := openAlphabetWallets(v, walletDir)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(wallets) > maxAlphabetNodes {
+		return nil, ErrTooManyAlphabetNodes
+	}
+	return wallets, nil
+}
+
+func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, error) {
+	walletFiles, err := os.ReadDir(walletDir)
+	if err != nil {
+		return nil, fmt.Errorf("can't read alphabet wallets dir: %w", err)
+	}
+
+	var size int
+loop:
+	for i := 0; i < len(walletFiles); i++ {
+		name := innerring.GlagoliticLetter(i).String() + ".json"
+		for j := range walletFiles {
+			if walletFiles[j].Name() == name {
+				size++
+				continue loop
+			}
+		}
+		break
+	}
+	if size == 0 {
+		return nil, errors.New("alphabet wallets dir is empty (run `generate-alphabet` command first)")
+	}
+
+	wallets := make([]*wallet.Wallet, size)
+	for i := 0; i < size; i++ {
+		letter := innerring.GlagoliticLetter(i).String()
+		p := filepath.Join(walletDir, letter+".json")
+		w, err := wallet.NewWalletFromFile(p)
+		if err != nil {
+			return nil, fmt.Errorf("can't open wallet: %w", err)
+		}
+
+		password, err := config.GetPassword(v, letter)
+		if err != nil {
+			return nil, fmt.Errorf("can't fetch password: %w", err)
+		}
+
+		for i := range w.Accounts {
+			if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
+				return nil, fmt.Errorf("can't unlock wallet: %w", err)
+			}
+		}
+
+		wallets[i] = w
+	}
+
+	return wallets, nil
+}
+
+func newActor(c actor.RPCActor, committeeAcc *wallet.Account) (*actor.Actor, error) {
+	return actor.New(c, []actor.SignerAccount{{
+		Signer: transaction.Signer{
+			Account: committeeAcc.Contract.ScriptHash(),
+			Scopes:  transaction.Global,
+		},
+		Account: committeeAcc,
+	}})
+}
--- a/cmd/frostfs-adm/internal/modules/root.go
+++ b/cmd/frostfs-adm/internal/modules/root.go
@ -3,28 +3,26 @@ package modules
 import (
 	"os"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/storagecfg"
-	"github.com/TrueCloudLab/frostfs-node/misc"
-	"github.com/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
-	utilConfig "github.com/TrueCloudLab/frostfs-node/pkg/util/config"
-	"github.com/TrueCloudLab/frostfs-node/pkg/util/gendoc"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/storagecfg"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/misc"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
+	utilConfig "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/config"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/gendoc"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )

-var (
-	rootCmd = &cobra.Command{
-		Use:   "frostfs-adm",
-		Short: "FrostFS Administrative Tool",
-		Long: `FrostFS Administrative Tool provides functions to setup and
+var rootCmd = &cobra.Command{
+	Use:   "frostfs-adm",
+	Short: "FrostFS Administrative Tool",
+	Long: `FrostFS Administrative Tool provides functions to setup and
 manage FrostFS network deployment.`,
-		RunE:         entryPoint,
-		SilenceUsage: true,
-	}
-)
+	RunE:         entryPoint,
+	SilenceUsage: true,
+}

 func init() {
 	cobra.OnInitialize(func() { initConfig(rootCmd) })
@ -45,14 +43,14 @@ func init() {
 	rootCmd.AddCommand(storagecfg.RootCmd)

 	rootCmd.AddCommand(autocomplete.Command("frostfs-adm"))
-	rootCmd.AddCommand(gendoc.Command(rootCmd))
+	rootCmd.AddCommand(gendoc.Command(rootCmd, gendoc.Options{}))
 }

 func Execute() error {
 	return rootCmd.Execute()
 }

-func entryPoint(cmd *cobra.Command, args []string) error {
+func entryPoint(cmd *cobra.Command, _ []string) error {
 	printVersion, _ := cmd.Flags().GetBool("version")
 	if printVersion {
 		cmd.Print(misc.BuildInfo("FrostFS Adm"))
--- a/cmd/frostfs-adm/internal/modules/storagecfg/config.go
+++ b/cmd/frostfs-adm/internal/modules/storagecfg/config.go
@ -12,9 +12,6 @@ node:
    - {{ .AnnouncedAddress }}
  attribute_0: UN-LOCODE:{{ .Attribute.Locode }}
  relay: {{ .Relay }}  # start Storage node in relay mode without bootstrapping into the Network map
-  subnet:
-    exit_zero: false # toggle entrance to zero subnet (overrides corresponding attribute and occurrence in entries)
-    entries: [] # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)

 grpc:
  num: 1  # total number of listener endpoints
@ -64,6 +61,7 @@ storage:
          depth: 1  # max depth of object tree storage in key-value DB
          width: 4   # max width of object tree storage in key-value DB
          opened_cache_capacity: 50  # maximum number of opened database files
+          opened_cache_ttl: 5m  # ttl for opened database file

      gc:
        remover_batch_size: 200  # number of objects to be removed by the garbage collector
--- a/cmd/frostfs-adm/internal/modules/storagecfg/root.go
+++ b/cmd/frostfs-adm/internal/modules/storagecfg/root.go
@ -16,7 +16,7 @@ import (
 	"text/template"
 	"time"

-	netutil "github.com/TrueCloudLab/frostfs-node/pkg/network"
+	netutil "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
 	"github.com/chzyer/readline"
 	"github.com/nspcc-dev/neo-go/cli/flags"
 	"github.com/nspcc-dev/neo-go/cli/input"
@ -80,15 +80,7 @@ type config struct {
 }

 func storageConfig(cmd *cobra.Command, args []string) {
-	var outPath string
-	if len(args) != 0 {
-		outPath = args[0]
-	} else {
-		outPath = getPath("File to write config at [./config.yml]: ")
-		if outPath == "" {
-			outPath = "./config.yml"
-		}
-	}
+	outPath := getOutputPath(args)

 	historyPath := filepath.Join(os.TempDir(), "frostfs-adm.history")
 	readline.SetHistoryPath(historyPath)
@ -103,14 +95,7 @@ func storageConfig(cmd *cobra.Command, args []string) {
 	w, err := wallet.NewWalletFromFile(c.Wallet.Path)
 	fatalOnErr(err)

-	c.Wallet.Account, _ = cmd.Flags().GetString(accountFlag)
-	if c.Wallet.Account == "" {
-		addr := address.Uint160ToString(w.GetChangeAddress())
-		c.Wallet.Account = getWalletAccount(w, fmt.Sprintf("Wallet account [%s]: ", addr))
-		if c.Wallet.Account == "" {
-			c.Wallet.Account = addr
-		}
-	}
+	fillWalletAccount(cmd, &c, w)

 	accH, err := flags.ParseAddress(c.Wallet.Account)
 	fatalOnErr(err)
@ -128,32 +113,51 @@ func storageConfig(cmd *cobra.Command, args []string) {

 	c.AuthorizedKeys = append(c.AuthorizedKeys, hex.EncodeToString(acc.PrivateKey().PublicKey().Bytes()))

-	var network string
-	for {
-		network = getString("Choose network [mainnet]/testnet: ")
-		switch network {
-		case "":
-			network = "mainnet"
-		case "testnet", "mainnet":
-		default:
-			cmd.Println(`Network must be either "mainnet" or "testnet"`)
-			continue
-		}
-		break
-	}
+	network := readNetwork(cmd)

 	c.MorphRPC = n3config[network].MorphRPC

 	depositGas(cmd, acc, network)

 	c.Attribute.Locode = getString("UN-LOCODE attribute in [XX YYY] format: ")
+
+	endpoint := getDefaultEndpoint(cmd, &c)
+	c.Endpoint = getString(fmt.Sprintf("Listening address [%s]: ", endpoint))
+	if c.Endpoint == "" {
+		c.Endpoint = endpoint
+	}
+
+	c.ControlEndpoint = getString(fmt.Sprintf("Listening address (control endpoint) [%s]: ", defaultControlEndpoint))
+	if c.ControlEndpoint == "" {
+		c.ControlEndpoint = defaultControlEndpoint
+	}
+
+	c.TLSCert = getPath("TLS Certificate (optional): ")
+	if c.TLSCert != "" {
+		c.TLSKey = getPath("TLS Key: ")
+	}
+
+	c.Relay = getConfirmation(false, "Use node as a relay? yes/[no]: ")
+	if !c.Relay {
+		p := getPath("Path to the storage directory (all available storage will be used): ")
+		c.BlobstorPath = filepath.Join(p, "blob")
+		c.MetabasePath = filepath.Join(p, "meta")
+	}
+
+	out := applyTemplate(c)
+	fatalOnErr(os.WriteFile(outPath, out, 0o644))
+
+	cmd.Println("Node is ready for work! Run `frostfs-node -config " + outPath + "`")
+}
+
+func getDefaultEndpoint(cmd *cobra.Command, c *config) string {
 	var addr, port string
 	for {
 		c.AnnouncedAddress = getString("Publicly announced address: ")
 		validator := netutil.Address{}
 		err := validator.FromString(c.AnnouncedAddress)
 		if err != nil {
-			cmd.Println("Incorrect address format. See https://github.com/TrueCloudLab/frostfs-node/blob/master/pkg/network/address.go for details.")
+			cmd.Println("Incorrect address format. See https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/network/address.go for details.")
 			continue
 		}
 		uriAddr, err := url.Parse(validator.URIAddr())
@ -182,34 +186,46 @@ func storageConfig(cmd *cobra.Command, args []string) {

 		break
 	}
+	return net.JoinHostPort(defaultDataEndpoint, port)
+}

-	defaultAddr := net.JoinHostPort(defaultDataEndpoint, port)
-	c.Endpoint = getString(fmt.Sprintf("Listening address [%s]: ", defaultAddr))
-	if c.Endpoint == "" {
-		c.Endpoint = defaultAddr
+func fillWalletAccount(cmd *cobra.Command, c *config, w *wallet.Wallet) {
+	c.Wallet.Account, _ = cmd.Flags().GetString(accountFlag)
+	if c.Wallet.Account == "" {
+		addr := address.Uint160ToString(w.GetChangeAddress())
+		c.Wallet.Account = getWalletAccount(w, fmt.Sprintf("Wallet account [%s]: ", addr))
+		if c.Wallet.Account == "" {
+			c.Wallet.Account = addr
+		}
 	}
+}

-	c.ControlEndpoint = getString(fmt.Sprintf("Listening address (control endpoint) [%s]: ", defaultControlEndpoint))
-	if c.ControlEndpoint == "" {
-		c.ControlEndpoint = defaultControlEndpoint
+func readNetwork(cmd *cobra.Command) string {
+	var network string
+	for {
+		network = getString("Choose network [mainnet]/testnet: ")
+		switch network {
+		case "":
+			network = "mainnet"
+		case "testnet", "mainnet":
+		default:
+			cmd.Println(`Network must be either "mainnet" or "testnet"`)
+			continue
+		}
+		break
 	}
+	return network
+}

-	c.TLSCert = getPath("TLS Certificate (optional): ")
-	if c.TLSCert != "" {
-		c.TLSKey = getPath("TLS Key: ")
+func getOutputPath(args []string) string {
+	if len(args) != 0 {
+		return args[0]
 	}
-
-	c.Relay = getConfirmation(false, "Use node as a relay? yes/[no]: ")
-	if !c.Relay {
-		p := getPath("Path to the storage directory (all available storage will be used): ")
-		c.BlobstorPath = filepath.Join(p, "blob")
-		c.MetabasePath = filepath.Join(p, "meta")
+	outPath := getPath("File to write config at [./config.yml]: ")
+	if outPath == "" {
+		outPath = "./config.yml"
 	}
-
-	out := applyTemplate(c)
-	fatalOnErr(os.WriteFile(outPath, out, 0644))
-
-	cmd.Println("Node is ready for work! Run `frostfs-node -config " + outPath + "`")
+	return outPath
 }

 func getWalletAccount(w *wallet.Wallet, prompt string) string {
--- a/cmd/frostfs-adm/main.go
+++ b/cmd/frostfs-adm/main.go
@ -3,7 +3,7 @@ package main
 import (
 	"os"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules"
 )

 func main() {
--- a/cmd/frostfs-cli/docs/policy.md
+++ b/cmd/frostfs-cli/docs/policy.md
@ -0,0 +1,115 @@
+# How manage local Access Policy Engine (APE) override of the node
+
+## Overview
+APE is a replacement for eACL. Each rule can restrict somehow access to the object/container or list of them.
+Here is a simple representation for the rule:
+`<status>[:status_detail] <action>... <condition>... <resource>...`
+
+Rule start with `status`(with or without details), contains list of actions(which this rule regulate) or conditions
+(which can be under resource or request) and ends with list of resources.
+
+Resource is the combination of namespace, identificator of the FrostFS container/object and wildcard `*`.
+
+For object it can be represented as:
+- `namespace/cid/oid` object in the container of the namespace
+- `namespace/cid/*` all objects in the container of the namespace
+- `namespace/*` all objects in the namespace
+- `*` all objects
+- `/*` all object in the `root` namespace
+- `/cid/*` all objects in the container of the `root` namespace
+- `/cid/oid` object in the container of the `root` namespace
+
+For container it can be represented as:
+- `namespace/cid` container in the namespace
+- `namespace/*` all containers in the namespace
+- `*` all containers
+- `/cid` container in the `root` namespace
+- `/*` all containers in the `root` namespace
+
+Actions is a regular operations upon FrostFS containers/objects. Like `Object.Put`, `Container.Get` etc.
+
+In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions.
+
+It is prohibited to mix operation under FrostFS container and object in one rule.
+The same statement is equal for conditions and resources - one rule is for one type of items.
+
+## Add rule
+Local rule can be added with the command `frostfs-cli control add-rule`:
+```shell
+@:~$ frostfs-cli control add-rule --endpoint s04.frostfs.devenv:8081 -c cnt_create_cfg.yml \
+--address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM --cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH \
+--chain-id TestPolicy \
+--rule "allow Object.Get Object.Head /*" --rule "deny Container.Put *"
+Parsed chain:
+Chain ID: TestPolicy
+     HEX: 54657374506f6c696379
+Rules:
+
+	Status: Allowed
+	Any: false
+	Conditions:
+	Actions:	Inverted:false
+		GetObject
+		HeadObject
+	Resources:	Inverted:false
+		native:object//*
+
+	Status: Access denied
+	Any: false
+	Conditions:
+	Actions:	Inverted:false
+		PutContainer
+	Resources:	Inverted:false
+		native:container/*
+
+Rule has been added.
+@:~$
+```
+## List rules
+Local rules can be listed with command `frostfs-cli control list-rules`:
+```shell
+@:~$ frostfs-cli control list-rules --endpoint s04.frostfs.devenv:8081 --address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM \
+--cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH -w wallets/wallet.json
+Enter password >
+Chain ID: TestPolicy
+     HEX: 54657374506f6c696379
+Rules:
+
+	Status: Allowed
+	Any: false
+...
+@:~$
+```
+
+## Get rule
+Rules can be retrieved with `frostfs-cli control get-rule`:
+```shell
+@:~$ frostfs-cli control get-rule --endpoint s04.frostfs.devenv:8081 -c cnt_create_cfg.yml \
+--address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM --cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH \
+--chain-id TestPolicy
+Parsed chain (chain id hex: '54657374506f6c696379'):
+Chain ID: TestPolicy
+     HEX: 54657374506f6c696379
+Rules:
+
+	Status: Allowed
+	Any: false
+...
+@:~$
+```
+
+## Remove rule
+To remove rule need to use command `frostfs-cli control remove-rule`:
+```shell
+@:~$ frostfs-cli control remove-rule --endpoint s04.frostfs.devenv:8081 -c cnt_create_cfg.yml \
+--address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM --cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH --chain-id TestPolicy
+Rule has been removed.
+@:~$ frostfs-cli control get-rule --endpoint s04.frostfs.devenv:8081 -c cnt_create_cfg.yml \
+--address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM --cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH --chain-id TestPolicy
+rpc error: rpc error: code = NotFound desc = chain not found
+@:~$ frostfs-cli control list-rules --endpoint s04.frostfs.devenv:8081 \
+--address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM --cid SeHNpifDH2Fc4scNBphrbmrKi96QXj2HzYJkhSGuytH -w wallets/wallet.json
+Enter password >
+Local overrides are not defined for the container.
+@:~$
+```
--- a/cmd/frostfs-cli/docs/storage-node-xheaders.md
+++ b/cmd/frostfs-cli/docs/storage-node-xheaders.md
@ -9,16 +9,16 @@ duplicated header names or headers with empty values are considered invalid.

 ## Existing headers

-There are some "well-known" headers starting with `__FROSTFS__` prefix that
+There are some "well-known" headers starting with `__SYSTEM__` prefix that
 affect system behaviour. For backward compatibility, the same set of
 "well-known" headers may also use `__NEOFS__` prefix:

-* `__FROSTFS__NETMAP_EPOCH` - netmap epoch to use for object placement calculation. The `value` is string
+* `__SYSTEM__NETMAP_EPOCH` - netmap epoch to use for object placement calculation. The `value` is string
 encoded `uint64` in decimal presentation. If set to '0' or omitted, the
 current epoch only will be used.
-* `__FROSTFS__NETMAP_LOOKUP_DEPTH` - if object can't be found using current epoch's netmap, this header limits
+* `__SYSTEM__NETMAP_LOOKUP_DEPTH` - if object can't be found using current epoch's netmap, this header limits
 how many past epochs the node can look up through. Depth is applied to a current epoch or the value
-of `__FROSTFS__NETMAP_EPOCH` attribute. The `value` is string encoded `uint64` in decimal presentation.
+of `__SYSTEM__NETMAP_EPOCH` attribute. The `value` is string encoded `uint64` in decimal presentation.
 If set to '0' or not set, only the current epoch is used.

 ## `frostfs-cli` commands with `--xhdr`
@ -26,9 +26,8 @@ If set to '0' or not set, only the current epoch is used.
 List of commands with support of extended headers:
 * `container list-objects`
 * `object delete/get/hash/head/lock/put/range/search`
-* `storagegroup delete/get/list/put`

 Example:
 ```shell
-$ frostfs-cli object put -r s01.frostfs.devenv:8080 -w wallet.json --cid CID --file FILE --xhdr "__FROSTFS__NETMAP_EPOCH=777"
+$ frostfs-cli object put -r s01.frostfs.devenv:8080 -w wallet.json --cid CID --file FILE --xhdr "__SYSTEM__NETMAP_EPOCH=777"
 ```
--- a/cmd/frostfs-cli/internal/client/client.go
+++ b/cmd/frostfs-cli/internal/client/client.go
@ -6,16 +6,19 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"sort"
+	"strings"

-	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
-	"github.com/TrueCloudLab/frostfs-sdk-go/client"
-	containerSDK "github.com/TrueCloudLab/frostfs-sdk-go/container"
-	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
-	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
-	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
-	"github.com/TrueCloudLab/frostfs-sdk-go/object"
-	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
-	"github.com/TrueCloudLab/frostfs-sdk-go/version"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/accounting"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	containerSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
+	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
+	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
 )

 // BalanceOfPrm groups parameters of BalanceOf operation.
@ -37,8 +40,8 @@ func (x BalanceOfRes) Balance() accounting.Decimal {
 // BalanceOf requests the current balance of a FrostFS user.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func BalanceOf(prm BalanceOfPrm) (res BalanceOfRes, err error) {
-	res.cliRes, err = prm.cli.BalanceGet(context.Background(), prm.PrmBalanceGet)
+func BalanceOf(ctx context.Context, prm BalanceOfPrm) (res BalanceOfRes, err error) {
+	res.cliRes, err = prm.cli.BalanceGet(ctx, prm.PrmBalanceGet)

 	return
 }
@ -62,16 +65,26 @@ func (x ListContainersRes) IDList() []cid.ID {
 // ListContainers requests a list of FrostFS user's containers.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func ListContainers(prm ListContainersPrm) (res ListContainersRes, err error) {
-	res.cliRes, err = prm.cli.ContainerList(context.Background(), prm.PrmContainerList)
+func ListContainers(ctx context.Context, prm ListContainersPrm) (res ListContainersRes, err error) {
+	res.cliRes, err = prm.cli.ContainerList(ctx, prm.PrmContainerList)

 	return
 }

+// SortedIDList returns sorted list of identifiers of user's containers.
+func (x ListContainersRes) SortedIDList() []cid.ID {
+	list := x.cliRes.Containers()
+	sort.Slice(list, func(i, j int) bool {
+		lhs, rhs := list[i].EncodeToString(), list[j].EncodeToString()
+		return strings.Compare(lhs, rhs) < 0
+	})
+	return list
+}
+
 // PutContainerPrm groups parameters of PutContainer operation.
 type PutContainerPrm struct {
-	commonPrm
-	client.PrmContainerPut
+	Client       *client.Client
+	ClientParams client.PrmContainerPut
 }

 // PutContainerRes groups the resulting values of PutContainer operation.
@ -92,8 +105,8 @@ func (x PutContainerRes) ID() cid.ID {
 // Success can be verified by reading by identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func PutContainer(prm PutContainerPrm) (res PutContainerRes, err error) {
-	cliRes, err := prm.cli.ContainerPut(context.Background(), prm.PrmContainerPut)
+func PutContainer(ctx context.Context, prm PutContainerPrm) (res PutContainerRes, err error) {
+	cliRes, err := prm.Client.ContainerPut(ctx, prm.ClientParams)
 	if err == nil {
 		res.cnr = cliRes.ID()
 	}
@ -103,13 +116,15 @@ func PutContainer(prm PutContainerPrm) (res PutContainerRes, err error) {

 // GetContainerPrm groups parameters of GetContainer operation.
 type GetContainerPrm struct {
-	commonPrm
-	cliPrm client.PrmContainerGet
+	Client       *client.Client
+	ClientParams client.PrmContainerGet
 }

 // SetContainer sets identifier of the container to be read.
+//
+// Deprecated: Use GetContainerPrm.ClientParams.ContainerID instead.
 func (x *GetContainerPrm) SetContainer(id cid.ID) {
-	x.cliPrm.SetContainer(id)
+	x.ClientParams.ContainerID = &id
 }

 // GetContainerRes groups the resulting values of GetContainer operation.
@ -125,20 +140,23 @@ func (x GetContainerRes) Container() containerSDK.Container {
 // GetContainer reads a container from FrostFS by ID.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func GetContainer(prm GetContainerPrm) (res GetContainerRes, err error) {
-	res.cliRes, err = prm.cli.ContainerGet(context.Background(), prm.cliPrm)
+func GetContainer(ctx context.Context, prm GetContainerPrm) (res GetContainerRes, err error) {
+	res.cliRes, err = prm.Client.ContainerGet(ctx, prm.ClientParams)

 	return
 }

 // IsACLExtendable checks if ACL of the container referenced by the given identifier
 // can be extended. Client connection MUST BE correctly established in advance.
-func IsACLExtendable(c *client.Client, cnr cid.ID) (bool, error) {
-	var prm GetContainerPrm
-	prm.SetClient(c)
-	prm.SetContainer(cnr)
+func IsACLExtendable(ctx context.Context, c *client.Client, cnr cid.ID) (bool, error) {
+	prm := GetContainerPrm{
+		Client: c,
+		ClientParams: client.PrmContainerGet{
+			ContainerID: &cnr,
+		},
+	}

-	res, err := GetContainer(prm)
+	res, err := GetContainer(ctx, prm)
 	if err != nil {
 		return false, fmt.Errorf("get container from the FrostFS: %w", err)
 	}
@ -148,8 +166,8 @@ func IsACLExtendable(c *client.Client, cnr cid.ID) (bool, error) {

 // DeleteContainerPrm groups parameters of DeleteContainerPrm operation.
 type DeleteContainerPrm struct {
-	commonPrm
-	client.PrmContainerDelete
+	Client       *client.Client
+	ClientParams client.PrmContainerDelete
 }

 // DeleteContainerRes groups the resulting values of DeleteContainer operation.
@ -163,16 +181,16 @@ type DeleteContainerRes struct{}
 // Success can be verified by reading by identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func DeleteContainer(prm DeleteContainerPrm) (res DeleteContainerRes, err error) {
-	_, err = prm.cli.ContainerDelete(context.Background(), prm.PrmContainerDelete)
+func DeleteContainer(ctx context.Context, prm DeleteContainerPrm) (res DeleteContainerRes, err error) {
+	_, err = prm.Client.ContainerDelete(ctx, prm.ClientParams)

 	return
 }

 // EACLPrm groups parameters of EACL operation.
 type EACLPrm struct {
-	commonPrm
-	client.PrmContainerEACL
+	Client       *client.Client
+	ClientParams client.PrmContainerEACL
 }

 // EACLRes groups the resulting values of EACL operation.
@ -188,16 +206,16 @@ func (x EACLRes) EACL() eacl.Table {
 // EACL reads eACL table from FrostFS by container ID.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func EACL(prm EACLPrm) (res EACLRes, err error) {
-	res.cliRes, err = prm.cli.ContainerEACL(context.Background(), prm.PrmContainerEACL)
+func EACL(ctx context.Context, prm EACLPrm) (res EACLRes, err error) {
+	res.cliRes, err = prm.Client.ContainerEACL(ctx, prm.ClientParams)

 	return
 }

 // SetEACLPrm groups parameters of SetEACL operation.
 type SetEACLPrm struct {
-	commonPrm
-	client.PrmContainerSetEACL
+	Client       *client.Client
+	ClientParams client.PrmContainerSetEACL
 }

 // SetEACLRes groups the resulting values of SetEACL operation.
@ -211,16 +229,16 @@ type SetEACLRes struct{}
 // Success can be verified by reading by container identifier.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func SetEACL(prm SetEACLPrm) (res SetEACLRes, err error) {
-	_, err = prm.cli.ContainerSetEACL(context.Background(), prm.PrmContainerSetEACL)
+func SetEACL(ctx context.Context, prm SetEACLPrm) (res SetEACLRes, err error) {
+	_, err = prm.Client.ContainerSetEACL(ctx, prm.ClientParams)

 	return
 }

 // NetworkInfoPrm groups parameters of NetworkInfo operation.
 type NetworkInfoPrm struct {
-	commonPrm
-	client.PrmNetworkInfo
+	Client       *client.Client
+	ClientParams client.PrmNetworkInfo
 }

 // NetworkInfoRes groups the resulting values of NetworkInfo operation.
@ -236,16 +254,16 @@ func (x NetworkInfoRes) NetworkInfo() netmap.NetworkInfo {
 // NetworkInfo reads information about the FrostFS network.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func NetworkInfo(prm NetworkInfoPrm) (res NetworkInfoRes, err error) {
-	res.cliRes, err = prm.cli.NetworkInfo(context.Background(), prm.PrmNetworkInfo)
+func NetworkInfo(ctx context.Context, prm NetworkInfoPrm) (res NetworkInfoRes, err error) {
+	res.cliRes, err = prm.Client.NetworkInfo(ctx, prm.ClientParams)

 	return
 }

 // NodeInfoPrm groups parameters of NodeInfo operation.
 type NodeInfoPrm struct {
-	commonPrm
-	client.PrmEndpointInfo
+	Client       *client.Client
+	ClientParams client.PrmEndpointInfo
 }

 // NodeInfoRes groups the resulting values of NodeInfo operation.
@ -266,8 +284,8 @@ func (x NodeInfoRes) LatestVersion() version.Version {
 // NodeInfo requests information about the remote server from FrostFS netmap.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func NodeInfo(prm NodeInfoPrm) (res NodeInfoRes, err error) {
-	res.cliRes, err = prm.cli.EndpointInfo(context.Background(), prm.PrmEndpointInfo)
+func NodeInfo(ctx context.Context, prm NodeInfoPrm) (res NodeInfoRes, err error) {
+	res.cliRes, err = prm.Client.EndpointInfo(ctx, prm.ClientParams)

 	return
 }
@ -290,8 +308,8 @@ func (x NetMapSnapshotRes) NetMap() netmap.NetMap {
 // NetMapSnapshot requests current network view of the remote server.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func NetMapSnapshot(prm NetMapSnapshotPrm) (res NetMapSnapshotRes, err error) {
-	res.cliRes, err = prm.cli.NetMapSnapshot(context.Background(), client.PrmNetMapSnapshot{})
+func NetMapSnapshot(ctx context.Context, prm NetMapSnapshotPrm) (res NetMapSnapshotRes, err error) {
+	res.cliRes, err = prm.cli.NetMapSnapshot(ctx, client.PrmNetMapSnapshot{})
 	return
 }

@ -319,8 +337,8 @@ func (x CreateSessionRes) SessionKey() []byte {
 // CreateSession opens a new unlimited session with the remote node.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func CreateSession(prm CreateSessionPrm) (res CreateSessionRes, err error) {
-	res.cliRes, err = prm.cli.SessionCreate(context.Background(), prm.PrmSessionCreate)
+func CreateSession(ctx context.Context, prm CreateSessionPrm) (res CreateSessionRes, err error) {
+	res.cliRes, err = prm.cli.SessionCreate(ctx, prm.PrmSessionCreate)

 	return
 }
@ -329,15 +347,19 @@ func CreateSession(prm CreateSessionPrm) (res CreateSessionRes, err error) {
 type PutObjectPrm struct {
 	commonObjectPrm

-	hdr *object.Object
+	copyNum []uint32
+
+	hdr *objectSDK.Object

 	rdr io.Reader

-	headerCallback func(*object.Object)
+	headerCallback func(*objectSDK.Object)
+
+	prepareLocally bool
 }

 // SetHeader sets object header.
-func (x *PutObjectPrm) SetHeader(hdr *object.Object) {
+func (x *PutObjectPrm) SetHeader(hdr *objectSDK.Object) {
 	x.hdr = hdr
 }

@ -348,10 +370,44 @@ func (x *PutObjectPrm) SetPayloadReader(rdr io.Reader) {

 // SetHeaderCallback sets callback which is called on the object after the header is received
 // but before the payload is written.
-func (x *PutObjectPrm) SetHeaderCallback(f func(*object.Object)) {
+func (x *PutObjectPrm) SetHeaderCallback(f func(*objectSDK.Object)) {
 	x.headerCallback = f
 }

+// SetCopiesNumberByVectors sets ordered list of minimal required object copies numbers
+// per placement vector.
+func (x *PutObjectPrm) SetCopiesNumberByVectors(copiesNumbers []uint32) {
+	x.copyNum = copiesNumbers
+}
+
+// PrepareLocally generate object header on the client side.
+// For big object - split locally too.
+func (x *PutObjectPrm) PrepareLocally() {
+	x.prepareLocally = true
+}
+
+func (x *PutObjectPrm) convertToSDKPrm(ctx context.Context) (client.PrmObjectPutInit, error) {
+	putPrm := client.PrmObjectPutInit{
+		XHeaders:     x.xHeaders,
+		BearerToken:  x.bearerToken,
+		Local:        x.local,
+		CopiesNumber: x.copyNum,
+	}
+
+	if x.prepareLocally {
+		res, err := x.cli.NetworkInfo(ctx, client.PrmNetworkInfo{})
+		if err != nil {
+			return client.PrmObjectPutInit{}, err
+		}
+		putPrm.MaxSize = res.Info().MaxObjectSize()
+		putPrm.EpochSource = epochSource(res.Info().CurrentEpoch())
+		putPrm.WithoutHomomorphHash = res.Info().HomomorphicHashingDisabled()
+	} else {
+		putPrm.Session = x.sessionToken
+	}
+	return putPrm, nil
+}
+
 // PutObjectRes groups the resulting values of PutObject operation.
 type PutObjectRes struct {
 	id oid.ID
@ -362,32 +418,26 @@ func (x PutObjectRes) ID() oid.ID {
 	return x.id
 }

+type epochSource uint64
+
+func (s epochSource) CurrentEpoch() uint64 {
+	return uint64(s)
+}
+
 // PutObject saves the object in FrostFS network.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func PutObject(prm PutObjectPrm) (*PutObjectRes, error) {
-	var putPrm client.PrmObjectPutInit
-
-	if prm.sessionToken != nil {
-		putPrm.WithinSession(*prm.sessionToken)
+func PutObject(ctx context.Context, prm PutObjectPrm) (*PutObjectRes, error) {
+	sdkPrm, err := prm.convertToSDKPrm(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create parameters of object put operation: %w", err)
 	}
-
-	if prm.bearerToken != nil {
-		putPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	if prm.local {
-		putPrm.MarkLocal()
-	}
-
-	putPrm.WithXHeaders(prm.xHeaders...)
-
-	wrt, err := prm.cli.ObjectPutInit(context.Background(), putPrm)
+	wrt, err := prm.cli.ObjectPutInit(ctx, sdkPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object writing: %w", err)
 	}

-	if wrt.WriteHeader(*prm.hdr) {
+	if wrt.WriteHeader(ctx, *prm.hdr) {
 		if prm.headerCallback != nil {
 			prm.headerCallback(prm.hdr)
 		}
@ -417,7 +467,7 @@ func PutObject(prm PutObjectPrm) (*PutObjectRes, error) {
 			for {
 				n, err = prm.rdr.Read(buf)
 				if n > 0 {
-					if !wrt.WritePayloadChunk(buf[:n]) {
+					if !wrt.WritePayloadChunk(ctx, buf[:n]) {
 						break
 					}

@ -433,7 +483,7 @@ func PutObject(prm PutObjectPrm) (*PutObjectRes, error) {
 		}
 	}

-	cliRes, err := wrt.Close()
+	cliRes, err := wrt.Close(ctx)
 	if err != nil { // here err already carries both status and client errors
 		return nil, fmt.Errorf("client failure: %w", err)
 	}
@ -462,22 +512,19 @@ func (x DeleteObjectRes) Tombstone() oid.ID {
 // DeleteObject marks an object to be removed from FrostFS through tombstone placement.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func DeleteObject(prm DeleteObjectPrm) (*DeleteObjectRes, error) {
-	var delPrm client.PrmObjectDelete
-	delPrm.FromContainer(prm.objAddr.Container())
-	delPrm.ByID(prm.objAddr.Object())
+func DeleteObject(ctx context.Context, prm DeleteObjectPrm) (*DeleteObjectRes, error) {
+	cnr := prm.objAddr.Container()
+	obj := prm.objAddr.Object()

-	if prm.sessionToken != nil {
-		delPrm.WithinSession(*prm.sessionToken)
+	delPrm := client.PrmObjectDelete{
+		XHeaders:    prm.xHeaders,
+		ContainerID: &cnr,
+		ObjectID:    &obj,
+		Session:     prm.sessionToken,
+		BearerToken: prm.bearerToken,
 	}

-	if prm.bearerToken != nil {
-		delPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	delPrm.WithXHeaders(prm.xHeaders...)
-
-	cliRes, err := prm.cli.ObjectDelete(context.Background(), delPrm)
+	cliRes, err := prm.cli.ObjectDelete(ctx, delPrm)
 	if err != nil {
 		return nil, fmt.Errorf("remove object via client: %w", err)
 	}
@ -493,22 +540,22 @@ type GetObjectPrm struct {
 	objectAddressPrm
 	rawPrm
 	payloadWriterPrm
-	headerCallback func(*object.Object)
+	headerCallback func(*objectSDK.Object)
 }

 // SetHeaderCallback sets callback which is called on the object after the header is received
 // but before the payload is written.
-func (p *GetObjectPrm) SetHeaderCallback(f func(*object.Object)) {
+func (p *GetObjectPrm) SetHeaderCallback(f func(*objectSDK.Object)) {
 	p.headerCallback = f
 }

 // GetObjectRes groups the resulting values of GetObject operation.
 type GetObjectRes struct {
-	hdr *object.Object
+	hdr *objectSDK.Object
 }

 // Header returns the header of the request object.
-func (x GetObjectRes) Header() *object.Object {
+func (x GetObjectRes) Header() *objectSDK.Object {
 	return x.hdr
 }

@ -518,35 +565,26 @@ func (x GetObjectRes) Header() *object.Object {
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
-func GetObject(prm GetObjectPrm) (*GetObjectRes, error) {
-	var getPrm client.PrmObjectGet
-	getPrm.FromContainer(prm.objAddr.Container())
-	getPrm.ByID(prm.objAddr.Object())
+func GetObject(ctx context.Context, prm GetObjectPrm) (*GetObjectRes, error) {
+	cnr := prm.objAddr.Container()
+	obj := prm.objAddr.Object()

-	if prm.sessionToken != nil {
-		getPrm.WithinSession(*prm.sessionToken)
+	getPrm := client.PrmObjectGet{
+		XHeaders:    prm.xHeaders,
+		BearerToken: prm.bearerToken,
+		Session:     prm.sessionToken,
+		Raw:         prm.raw,
+		Local:       prm.local,
+		ContainerID: &cnr,
+		ObjectID:    &obj,
 	}

-	if prm.bearerToken != nil {
-		getPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	if prm.raw {
-		getPrm.MarkRaw()
-	}
-
-	if prm.local {
-		getPrm.MarkLocal()
-	}
-
-	getPrm.WithXHeaders(prm.xHeaders...)
-
-	rdr, err := prm.cli.ObjectGetInit(context.Background(), getPrm)
+	rdr, err := prm.cli.ObjectGetInit(ctx, getPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object reading on client: %w", err)
 	}

-	var hdr object.Object
+	var hdr objectSDK.Object

 	if !rdr.ReadHeader(&hdr) {
 		_, err = rdr.Close()
@ -582,11 +620,11 @@ func (x *HeadObjectPrm) SetMainOnlyFlag(v bool) {

 // HeadObjectRes groups the resulting values of HeadObject operation.
 type HeadObjectRes struct {
-	hdr *object.Object
+	hdr *objectSDK.Object
 }

 // Header returns the requested object header.
-func (x HeadObjectRes) Header() *object.Object {
+func (x HeadObjectRes) Header() *objectSDK.Object {
 	return x.hdr
 }

@ -594,35 +632,26 @@ func (x HeadObjectRes) Header() *object.Object {
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
-func HeadObject(prm HeadObjectPrm) (*HeadObjectRes, error) {
-	var cliPrm client.PrmObjectHead
-	cliPrm.FromContainer(prm.objAddr.Container())
-	cliPrm.ByID(prm.objAddr.Object())
+func HeadObject(ctx context.Context, prm HeadObjectPrm) (*HeadObjectRes, error) {
+	cnr := prm.objAddr.Container()
+	obj := prm.objAddr.Object()

-	if prm.sessionToken != nil {
-		cliPrm.WithinSession(*prm.sessionToken)
+	headPrm := client.PrmObjectHead{
+		XHeaders:    prm.xHeaders,
+		BearerToken: prm.bearerToken,
+		Session:     prm.sessionToken,
+		Raw:         prm.raw,
+		Local:       prm.local,
+		ContainerID: &cnr,
+		ObjectID:    &obj,
 	}

-	if prm.bearerToken != nil {
-		cliPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	if prm.raw {
-		cliPrm.MarkRaw()
-	}
-
-	if prm.local {
-		cliPrm.MarkLocal()
-	}
-
-	cliPrm.WithXHeaders(prm.xHeaders...)
-
-	res, err := prm.cli.ObjectHead(context.Background(), cliPrm)
+	res, err := prm.cli.ObjectHead(ctx, headPrm)
 	if err != nil {
 		return nil, fmt.Errorf("read object header via client: %w", err)
 	}

-	var hdr object.Object
+	var hdr objectSDK.Object

 	if !res.ReadHeader(&hdr) {
 		return nil, fmt.Errorf("missing header in response")
@ -638,11 +667,11 @@ type SearchObjectsPrm struct {
 	commonObjectPrm
 	containerIDPrm

-	filters object.SearchFilters
+	filters objectSDK.SearchFilters
 }

 // SetFilters sets search filters.
-func (x *SearchObjectsPrm) SetFilters(filters object.SearchFilters) {
+func (x *SearchObjectsPrm) SetFilters(filters objectSDK.SearchFilters) {
 	x.filters = filters
 }

@ -659,26 +688,17 @@ func (x SearchObjectsRes) IDList() []oid.ID {
 // SearchObjects selects objects from the container which match the filters.
 //
 // Returns any error which prevented the operation from completing correctly in error return.
-func SearchObjects(prm SearchObjectsPrm) (*SearchObjectsRes, error) {
-	var cliPrm client.PrmObjectSearch
-	cliPrm.InContainer(prm.cnrID)
-	cliPrm.SetFilters(prm.filters)
-
-	if prm.sessionToken != nil {
-		cliPrm.WithinSession(*prm.sessionToken)
+func SearchObjects(ctx context.Context, prm SearchObjectsPrm) (*SearchObjectsRes, error) {
+	cliPrm := client.PrmObjectSearch{
+		XHeaders:    prm.xHeaders,
+		Local:       prm.local,
+		BearerToken: prm.bearerToken,
+		Session:     prm.sessionToken,
+		ContainerID: &prm.cnrID,
+		Filters:     prm.filters,
 	}

-	if prm.bearerToken != nil {
-		cliPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	if prm.local {
-		cliPrm.MarkLocal()
-	}
-
-	cliPrm.WithXHeaders(prm.xHeaders...)
-
-	rdr, err := prm.cli.ObjectSearchInit(context.Background(), cliPrm)
+	rdr, err := prm.cli.ObjectSearchInit(ctx, cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("init object search: %w", err)
 	}
@ -703,6 +723,11 @@ func SearchObjects(prm SearchObjectsPrm) (*SearchObjectsRes, error) {
 		return nil, fmt.Errorf("read object list: %w", err)
 	}

+	sort.Slice(list, func(i, j int) bool {
+		lhs, rhs := list[i].EncodeToString(), list[j].EncodeToString()
+		return strings.Compare(lhs, rhs) < 0
+	})
+
 	return &SearchObjectsRes{
 		ids: list,
 	}, nil
@ -715,7 +740,7 @@ type HashPayloadRangesPrm struct {

 	tz bool

-	rngs []*object.Range
+	rngs []objectSDK.Range

 	salt []byte
 }
@ -726,7 +751,7 @@ func (x *HashPayloadRangesPrm) TZ() {
 }

 // SetRanges sets a list of payload ranges to hash.
-func (x *HashPayloadRangesPrm) SetRanges(rngs []*object.Range) {
+func (x *HashPayloadRangesPrm) SetRanges(rngs []objectSDK.Range) {
 	x.rngs = rngs
 }

@ -749,41 +774,27 @@ func (x HashPayloadRangesRes) HashList() [][]byte {
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // Returns an error if number of received hashes differs with the number of requested ranges.
-func HashPayloadRanges(prm HashPayloadRangesPrm) (*HashPayloadRangesRes, error) {
-	var cliPrm client.PrmObjectHash
-	cliPrm.FromContainer(prm.objAddr.Container())
-	cliPrm.ByID(prm.objAddr.Object())
-
-	if prm.local {
-		cliPrm.MarkLocal()
-	}
-
-	cliPrm.UseSalt(prm.salt)
-
-	rngs := make([]uint64, 2*len(prm.rngs))
-
-	for i := range prm.rngs {
-		rngs[2*i] = prm.rngs[i].GetOffset()
-		rngs[2*i+1] = prm.rngs[i].GetLength()
-	}
-
-	cliPrm.SetRangeList(rngs...)
-
+func HashPayloadRanges(ctx context.Context, prm HashPayloadRangesPrm) (*HashPayloadRangesRes, error) {
+	cs := checksum.SHA256
 	if prm.tz {
-		cliPrm.TillichZemorAlgo()
+		cs = checksum.TZ
 	}

-	if prm.sessionToken != nil {
-		cliPrm.WithinSession(*prm.sessionToken)
+	cnr := prm.objAddr.Container()
+	obj := prm.objAddr.Object()
+	cliPrm := client.PrmObjectHash{
+		ContainerID:  &cnr,
+		ObjectID:     &obj,
+		Local:        prm.local,
+		Salt:         prm.salt,
+		Ranges:       prm.rngs,
+		ChecksumType: cs,
+		Session:      prm.sessionToken,
+		BearerToken:  prm.bearerToken,
+		XHeaders:     prm.xHeaders,
 	}

-	if prm.bearerToken != nil {
-		cliPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	cliPrm.WithXHeaders(prm.xHeaders...)
-
-	res, err := prm.cli.ObjectHash(context.Background(), cliPrm)
+	res, err := prm.cli.ObjectHash(ctx, cliPrm)
 	if err != nil {
 		return nil, fmt.Errorf("read payload hashes via client: %w", err)
 	}
@ -800,11 +811,11 @@ type PayloadRangePrm struct {
 	rawPrm
 	payloadWriterPrm

-	rng *object.Range
+	rng *objectSDK.Range
 }

 // SetRange sets payload range to read.
-func (x *PayloadRangePrm) SetRange(rng *object.Range) {
+func (x *PayloadRangePrm) SetRange(rng *objectSDK.Range) {
 	x.rng = rng
 }

@ -817,33 +828,23 @@ type PayloadRangeRes struct{}
 //
 // Returns any error which prevented the operation from completing correctly in error return.
 // For raw reading, returns *object.SplitInfoError error if object is virtual.
-func PayloadRange(prm PayloadRangePrm) (*PayloadRangeRes, error) {
-	var cliPrm client.PrmObjectRange
-	cliPrm.FromContainer(prm.objAddr.Container())
-	cliPrm.ByID(prm.objAddr.Object())
+func PayloadRange(ctx context.Context, prm PayloadRangePrm) (*PayloadRangeRes, error) {
+	cnr := prm.objAddr.Container()
+	obj := prm.objAddr.Object()

-	if prm.sessionToken != nil {
-		cliPrm.WithinSession(*prm.sessionToken)
+	rangePrm := client.PrmObjectRange{
+		XHeaders:    prm.xHeaders,
+		BearerToken: prm.bearerToken,
+		Session:     prm.sessionToken,
+		Raw:         prm.raw,
+		Local:       prm.local,
+		ContainerID: &cnr,
+		ObjectID:    &obj,
+		Offset:      prm.rng.GetOffset(),
+		Length:      prm.rng.GetLength(),
 	}

-	if prm.bearerToken != nil {
-		cliPrm.WithBearerToken(*prm.bearerToken)
-	}
-
-	if prm.raw {
-		cliPrm.MarkRaw()
-	}
-
-	if prm.local {
-		cliPrm.MarkLocal()
-	}
-
-	cliPrm.SetOffset(prm.rng.GetOffset())
-	cliPrm.SetLength(prm.rng.GetLength())
-
-	cliPrm.WithXHeaders(prm.xHeaders...)
-
-	rdr, err := prm.cli.ObjectRangeInit(context.Background(), cliPrm)
+	rdr, err := prm.cli.ObjectRangeInit(ctx, rangePrm)
 	if err != nil {
 		return nil, fmt.Errorf("init payload reading: %w", err)
 	}
@ -877,12 +878,12 @@ type SyncContainerRes struct{}
 // Interrupts on any writer error.
 //
 // Panics if a container passed as a parameter is nil.
-func SyncContainerSettings(prm SyncContainerPrm) (*SyncContainerRes, error) {
+func SyncContainerSettings(ctx context.Context, prm SyncContainerPrm) (*SyncContainerRes, error) {
 	if prm.c == nil {
 		panic("sync container settings with the network: nil container")
 	}

-	err := client.SyncContainerWithNetwork(context.Background(), prm.c, prm.cli)
+	err := client.SyncContainerWithNetwork(ctx, prm.c, prm.cli)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/frostfs-cli/internal/client/prm.go
+++ b/cmd/frostfs-cli/internal/client/prm.go
@ -3,11 +3,11 @@ package internal
 import (
 	"io"

-	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
-	"github.com/TrueCloudLab/frostfs-sdk-go/client"
-	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
-	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
-	"github.com/TrueCloudLab/frostfs-sdk-go/session"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 )

 // here are small structures with public setters to share between parameter structures
--- a/cmd/frostfs-cli/internal/client/sdk.go
+++ b/cmd/frostfs-cli/internal/client/sdk.go
@ -8,13 +8,15 @@ import (
 	"errors"
 	"fmt"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/pkg/network"
-	"github.com/TrueCloudLab/frostfs-sdk-go/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
+	tracing "git.frostfs.info/TrueCloudLab/frostfs-observability/tracing/grpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"google.golang.org/grpc"
 )

 var errInvalidEndpoint = errors.New("provided RPC endpoint is incorrect")
@ -32,37 +34,45 @@ func GetSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag
 func getSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag string) (*client.Client, error) {
 	var addr network.Address

+	if len(viper.GetString(endpointFlag)) == 0 {
+		return nil, fmt.Errorf("%s is not defined", endpointFlag)
+	}
+
 	err := addr.FromString(viper.GetString(endpointFlag))
 	if err != nil {
 		return nil, fmt.Errorf("%v: %w", errInvalidEndpoint, err)
 	}
-	return GetSDKClient(cmd, key, addr)
+	return GetSDKClient(cmd.Context(), cmd, key, addr)
 }

 // GetSDKClient returns default frostfs-sdk-go client.
-func GetSDKClient(cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Address) (*client.Client, error) {
-	var (
-		c       client.Client
-		prmInit client.PrmInit
-		prmDial client.PrmDial
-	)
+func GetSDKClient(ctx context.Context, cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Address) (*client.Client, error) {
+	var c client.Client

-	prmInit.SetDefaultPrivateKey(*key)
-	prmInit.ResolveNeoFSFailures()
-	prmDial.SetServerURI(addr.URIAddr())
+	prmInit := client.PrmInit{
+		Key: *key,
+	}
+
+	prmDial := client.PrmDial{
+		Endpoint: addr.URIAddr(),
+		GRPCDialOptions: []grpc.DialOption{
+			grpc.WithChainUnaryInterceptor(tracing.NewUnaryClientInteceptor()),
+			grpc.WithChainStreamInterceptor(tracing.NewStreamClientInterceptor()),
+		},
+	}
 	if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {
 		// In CLI we can only set a timeout for the whole operation.
 		// By also setting stream timeout we ensure that no operation hands
 		// for too long.
-		prmDial.SetTimeout(timeout)
-		prmDial.SetStreamTimeout(timeout)
+		prmDial.DialTimeout = timeout
+		prmDial.StreamTimeout = timeout

 		common.PrintVerbose(cmd, "Set request timeout to %s.", timeout)
 	}

 	c.Init(prmInit)

-	if err := c.Dial(prmDial); err != nil {
+	if err := c.Dial(ctx, prmDial); err != nil {
 		return nil, fmt.Errorf("can't init SDK client: %w", err)
 	}

@ -82,7 +92,7 @@ func GetCurrentEpoch(ctx context.Context, cmd *cobra.Command, endpoint string) (
 		return 0, fmt.Errorf("can't generate key to sign query: %w", err)
 	}

-	c, err := GetSDKClient(cmd, key, addr)
+	c, err := GetSDKClient(ctx, cmd, key, addr)
 	if err != nil {
 		return 0, err
 	}
--- a/cmd/frostfs-cli/internal/common/eacl.go
+++ b/cmd/frostfs-cli/internal/common/eacl.go
@ -4,10 +4,10 @@ import (
 	"errors"
 	"os"

-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/pkg/core/version"
-	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
-	versionSDK "github.com/TrueCloudLab/frostfs-sdk-go/version"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/version"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
+	versionSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
 	"github.com/spf13/cobra"
 )

--- a/cmd/frostfs-cli/internal/common/token.go
+++ b/cmd/frostfs-cli/internal/common/token.go
@ -6,8 +6,8 @@ import (
 	"fmt"
 	"os"

-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
 	"github.com/spf13/cobra"
 )

--- a/cmd/frostfs-cli/internal/common/tracing.go
+++ b/cmd/frostfs-cli/internal/common/tracing.go
@ -0,0 +1,62 @@
+package common
+
+import (
+	"context"
+	"sort"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/misc"
+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/trace"
+)
+
+type spanKey struct{}
+
+// StopClientCommandSpan stops tracing span for the command and prints trace ID on the standard output.
+func StopClientCommandSpan(cmd *cobra.Command, _ []string) {
+	span, ok := cmd.Context().Value(spanKey{}).(trace.Span)
+	if !ok {
+		return
+	}
+
+	span.End()
+
+	// Noop provider cannot fail on flush.
+	_ = tracing.Shutdown(cmd.Context())
+
+	cmd.PrintErrf("Trace ID: %s\n", span.SpanContext().TraceID())
+}
+
+// StartClientCommandSpan starts tracing span for the command.
+func StartClientCommandSpan(cmd *cobra.Command) {
+	enableTracing, err := cmd.Flags().GetBool(commonflags.TracingFlag)
+	if err != nil || !enableTracing {
+		return
+	}
+
+	_, err = tracing.Setup(cmd.Context(), tracing.Config{
+		Enabled:  true,
+		Exporter: tracing.NoOpExporter,
+		Service:  "frostfs-cli",
+		Version:  misc.Version,
+	})
+	commonCmd.ExitOnErr(cmd, "init tracing: %w", err)
+
+	var components sort.StringSlice
+	for c := cmd; c != nil; c = c.Parent() {
+		components = append(components, c.Name())
+	}
+	for i, j := 0, len(components)-1; i < j; {
+		components.Swap(i, j)
+		i++
+		j--
+	}
+
+	operation := strings.Join(components, ".")
+	ctx, span := tracing.StartSpanFromContext(cmd.Context(), operation)
+	ctx = context.WithValue(ctx, spanKey{}, span)
+	cmd.SetContext(ctx)
+}
--- a/cmd/frostfs-cli/internal/common/verbose.go
+++ b/cmd/frostfs-cli/internal/common/verbose.go
@ -5,8 +5,8 @@ import (
 	"strconv"
 	"time"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-sdk-go/checksum"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
--- a/cmd/frostfs-cli/internal/commonflags/flags.go
+++ b/cmd/frostfs-cli/internal/commonflags/flags.go
@ -47,6 +47,9 @@ const (

 	OIDFlag      = "oid"
 	OIDFlagUsage = "Object ID."
+
+	TracingFlag      = "trace"
+	TracingFlagUsage = "Generate trace ID and print it."
 )

 // Init adds common flags to the command:
@ -54,12 +57,14 @@ const (
 // - WalletPath,
 // - Account,
 // - RPC,
+// - Tracing,
 // - Timeout.
 func Init(cmd *cobra.Command) {
 	InitWithoutRPC(cmd)

 	ff := cmd.Flags()
 	ff.StringP(RPC, RPCShorthand, RPCDefault, RPCUsage)
+	ff.Bool(TracingFlag, false, TracingFlagUsage)
 	ff.DurationP(Timeout, TimeoutShorthand, TimeoutDefault, TimeoutUsage)
 }

--- a/cmd/frostfs-cli/internal/key/key_test.go
+++ b/cmd/frostfs-cli/internal/key/key_test.go
@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
--- a/cmd/frostfs-cli/internal/key/raw.go
+++ b/cmd/frostfs-cli/internal/key/raw.go
@ -6,8 +6,8 @@ import (
 	"fmt"
 	"os"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
--- a/cmd/frostfs-cli/internal/key/wallet.go
+++ b/cmd/frostfs-cli/internal/key/wallet.go
@ -4,7 +4,7 @@ import (
 	"crypto/ecdsa"
 	"errors"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
 	"github.com/nspcc-dev/neo-go/cli/flags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
--- a/cmd/frostfs-cli/main.go
+++ b/cmd/frostfs-cli/main.go
@ -1,6 +1,6 @@
 package main

-import cmd "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules"
+import cmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules"

 func main() {
 	cmd.Execute()
--- a/cmd/frostfs-cli/modules/accounting/balance.go
+++ b/cmd/frostfs-cli/modules/accounting/balance.go
@ -3,13 +3,13 @@ package accounting
 import (
 	"math/big"

-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/pkg/util/precision"
-	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
-	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/precision"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/accounting"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@ -39,9 +39,9 @@ var accountingBalanceCmd = &cobra.Command{

 		var prm internalclient.BalanceOfPrm
 		prm.SetClient(cli)
-		prm.SetAccount(idUser)
+		prm.Account = idUser

-		res, err := internalclient.BalanceOf(prm)
+		res, err := internalclient.BalanceOf(cmd.Context(), prm)
 		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

 		// print to stdout
--- a/cmd/frostfs-cli/modules/accounting/root.go
+++ b/cmd/frostfs-cli/modules/accounting/root.go
@ -1,7 +1,7 @@
 package accounting

 import (
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
--- a/cmd/frostfs-cli/modules/acl/basic/print.go
+++ b/cmd/frostfs-cli/modules/acl/basic/print.go
@ -1,9 +1,9 @@
 package basic

 import (
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
 	"github.com/spf13/cobra"
 )

--- a/cmd/frostfs-cli/modules/acl/extended/create.go
+++ b/cmd/frostfs-cli/modules/acl/extended/create.go
@ -6,11 +6,11 @@ import (
 	"os"
 	"strings"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
-	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/spf13/cobra"
 )

@ -26,18 +26,18 @@ Action is 'allow' or 'deny'.
 Operation is an object service verb: 'get', 'head', 'put', 'search', 'delete', 'getrange', or 'getrangehash'.

 Filter consists of <typ>:<key><match><value>
-  Typ is 'obj' for object applied filter or 'req' for request applied filter. 
-  Key is a valid unicode string corresponding to object or request header key. 
+  Typ is 'obj' for object applied filter or 'req' for request applied filter.
+  Key is a valid unicode string corresponding to object or request header key.
    Well-known system object headers start with '$Object:' prefix.
    User defined headers start without prefix.
-    Read more about filter keys at github.com/TrueCloudLab/frostfs-api/blob/master/proto-docs/acl.md#message-eaclrecordfilter
+    Read more about filter keys at git.frostfs.info.com/TrueCloudLab/frostfs-api/src/branch/master/proto-docs/acl.md#message-eaclrecordfilter
  Match is '=' for matching and '!=' for non-matching filter.
  Value is a valid unicode string corresponding to object or request header value.

-Target is 
-  'user' for container owner, 
+Target is
+  'user' for container owner,
  'system' for Storage nodes in container and Inner Ring nodes,
-  'others' for all other request senders, 
+  'others' for all other request senders,
  'pubkey:<key1>,<key2>,...' for exact request sender, where <key> is a hex-encoded 33-byte public key.

 When both '--rule' and '--file' arguments are used, '--rule' records will be placed higher in resulting extended ACL table.
@ -106,7 +106,7 @@ func createEACL(cmd *cobra.Command, _ []string) {
 		return
 	}

-	err = os.WriteFile(outArg, buf.Bytes(), 0644)
+	err = os.WriteFile(outArg, buf.Bytes(), 0o644)
 	if err != nil {
 		cmd.PrintErrln(err)
 		os.Exit(1)
--- a/cmd/frostfs-cli/modules/acl/extended/create_test.go
+++ b/cmd/frostfs-cli/modules/acl/extended/create_test.go
@ -3,8 +3,8 @@ package extended
 import (
 	"testing"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
-	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/stretchr/testify/require"
 )

--- a/cmd/frostfs-cli/modules/acl/extended/print.go
+++ b/cmd/frostfs-cli/modules/acl/extended/print.go
@ -4,9 +4,9 @@ import (
 	"os"
 	"strings"

-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/spf13/cobra"
 )

--- a/cmd/frostfs-cli/modules/acl/root.go
+++ b/cmd/frostfs-cli/modules/acl/root.go
@ -1,8 +1,8 @@
 package acl

 import (
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/basic"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/extended"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/basic"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/extended"
 	"github.com/spf13/cobra"
 )

--- a/cmd/frostfs-cli/modules/bearer/create.go
+++ b/cmd/frostfs-cli/modules/bearer/create.go
@ -7,13 +7,13 @@ import (
 	"os"
 	"time"

-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
-	eaclSDK "github.com/TrueCloudLab/frostfs-sdk-go/eacl"
-	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	eaclSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
 )

@ -24,6 +24,7 @@ const (
 	ownerFlag          = "owner"
 	outFlag            = "out"
 	jsonFlag           = commonflags.JSON
+	impersonateFlag    = "impersonate"
 )

 var createCmd = &cobra.Command{
@ -39,19 +40,20 @@ is set to current epoch + n.
 }

 func init() {
-	createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table")
-	createCmd.Flags().StringP(issuedAtFlag, "i", "", "Epoch to issue token at")
-	createCmd.Flags().StringP(notValidBeforeFlag, "n", "", "Not valid before epoch")
+	createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table (mutually exclusive with --impersonate flag)")
+	createCmd.Flags().StringP(issuedAtFlag, "i", "+0", "Epoch to issue token at")
+	createCmd.Flags().StringP(notValidBeforeFlag, "n", "+0", "Not valid before epoch")
 	createCmd.Flags().StringP(commonflags.ExpireAt, "x", "", "The last active epoch for the token")
 	createCmd.Flags().StringP(ownerFlag, "o", "", "Token owner")
 	createCmd.Flags().String(outFlag, "", "File to write token to")
 	createCmd.Flags().Bool(jsonFlag, false, "Output token in JSON")
+	createCmd.Flags().Bool(impersonateFlag, false, "Mark token as impersonate to consider the token signer as the request owner (mutually exclusive with --eacl flag)")
 	createCmd.Flags().StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)

+	createCmd.MarkFlagsMutuallyExclusive(eaclFlag, impersonateFlag)
+
 	_ = cobra.MarkFlagFilename(createCmd.Flags(), eaclFlag)

-	_ = cobra.MarkFlagRequired(createCmd.Flags(), issuedAtFlag)
-	_ = cobra.MarkFlagRequired(createCmd.Flags(), notValidBeforeFlag)
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), commonflags.ExpireAt)
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), ownerFlag)
 	_ = cobra.MarkFlagRequired(createCmd.Flags(), outFlag)
@ -68,10 +70,14 @@ func createToken(cmd *cobra.Command, _ []string) {
 	commonCmd.ExitOnErr(cmd, "can't parse --"+notValidBeforeFlag+" flag: %w", err)

 	if iatRelative || expRelative || nvbRelative {
+		endpoint, _ := cmd.Flags().GetString(commonflags.RPC)
+		if len(endpoint) == 0 {
+			commonCmd.ExitOnErr(cmd, "can't fetch current epoch: %w", fmt.Errorf("'%s' flag value must be specified", commonflags.RPC))
+		}
+
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
 		defer cancel()

-		endpoint, _ := cmd.Flags().GetString(commonflags.RPC)
 		currEpoch, err := internalclient.GetCurrentEpoch(ctx, cmd, endpoint)
 		commonCmd.ExitOnErr(cmd, "can't fetch current epoch: %w", err)

@ -101,6 +107,9 @@ func createToken(cmd *cobra.Command, _ []string) {
 	b.SetIat(iat)
 	b.ForUser(ownerID)

+	impersonate, _ := cmd.Flags().GetBool(impersonateFlag)
+	b.SetImpersonate(impersonate)
+
 	eaclPath, _ := cmd.Flags().GetString(eaclFlag)
 	if eaclPath != "" {
 		table := eaclSDK.NewTable()
@ -121,6 +130,6 @@ func createToken(cmd *cobra.Command, _ []string) {
 	}

 	out, _ := cmd.Flags().GetString(outFlag)
-	err = os.WriteFile(out, data, 0644)
+	err = os.WriteFile(out, data, 0o644)
 	commonCmd.ExitOnErr(cmd, "can't write token to file: %w", err)
 }
--- a/cmd/frostfs-cli/modules/completion.go
+++ b/cmd/frostfs-cli/modules/completion.go
@ -1,7 +1,7 @@
 package cmd

 import (
-	"github.com/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
 )

 func init() {
--- a/cmd/frostfs-cli/modules/container/create.go
+++ b/cmd/frostfs-cli/modules/container/create.go
@ -7,17 +7,17 @@ import (
 	"strings"
 	"time"

-	containerApi "github.com/TrueCloudLab/frostfs-api-go/v2/container"
-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/container"
-	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
-	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
-	subnetid "github.com/TrueCloudLab/frostfs-sdk-go/subnet/id"
-	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	containerApi "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
 )

@ -30,14 +30,13 @@ var (
 	containerNnsName     string
 	containerNnsZone     string
 	containerNoTimestamp bool
-	containerSubnet      string
 	force                bool
 )

 var createContainerCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create new container",
-	Long: `Create new container and register it in the FrostFS. 
+	Long: `Create new container and register it in the FrostFS.
 It will be stored in sidechain when inner ring will accepts it.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		placementPolicy, err := parseContainerPolicy(cmd, containerPolicy)
@ -50,7 +49,7 @@ It will be stored in sidechain when inner ring will accepts it.`,
 			var prm internalclient.NetMapSnapshotPrm
 			prm.SetClient(cli)

-			resmap, err := internalclient.NetMapSnapshot(prm)
+			resmap, err := internalclient.NetMapSnapshot(cmd.Context(), prm)
 			commonCmd.ExitOnErr(cmd, "unable to get netmap snapshot to validate container placement, "+
 				"use --force option to skip this check: %w", err)

@ -70,15 +69,6 @@ It will be stored in sidechain when inner ring will accepts it.`,
 			}
 		}

-		if containerSubnet != "" {
-			var subnetID subnetid.ID
-
-			err = subnetID.DecodeString(containerSubnet)
-			commonCmd.ExitOnErr(cmd, "could not parse subnetID: %w", err)
-
-			placementPolicy.RestrictSubnet(subnetID)
-		}
-
 		var cnr container.Container
 		cnr.Init()

@ -107,35 +97,38 @@ It will be stored in sidechain when inner ring will accepts it.`,
 		syncContainerPrm.SetClient(cli)
 		syncContainerPrm.SetContainer(&cnr)

-		_, err = internalclient.SyncContainerSettings(syncContainerPrm)
+		_, err = internalclient.SyncContainerSettings(cmd.Context(), syncContainerPrm)
 		commonCmd.ExitOnErr(cmd, "syncing container's settings rpc error: %w", err)

-		var putPrm internalclient.PutContainerPrm
-		putPrm.SetClient(cli)
-		putPrm.SetContainer(cnr)
-
-		if tok != nil {
-			putPrm.WithinSession(*tok)
+		putPrm := internalclient.PutContainerPrm{
+			Client: cli,
+			ClientParams: client.PrmContainerPut{
+				Container: &cnr,
+				Session:   tok,
+			},
 		}

-		res, err := internalclient.PutContainer(putPrm)
+		res, err := internalclient.PutContainer(cmd.Context(), putPrm)
 		commonCmd.ExitOnErr(cmd, "put container rpc error: %w", err)

 		id := res.ID()

-		cmd.Println("container ID:", id)
+		cmd.Println("CID:", id)

 		if containerAwait {
 			cmd.Println("awaiting...")

-			var getPrm internalclient.GetContainerPrm
-			getPrm.SetClient(cli)
-			getPrm.SetContainer(id)
+			getPrm := internalclient.GetContainerPrm{
+				Client: cli,
+				ClientParams: client.PrmContainerGet{
+					ContainerID: &id,
+				},
+			}

 			for i := 0; i < awaitTimeout; i++ {
 				time.Sleep(1 * time.Second)

-				_, err := internalclient.GetContainer(getPrm)
+				_, err := internalclient.GetContainer(cmd.Context(), getPrm)
 				if err == nil {
 					cmd.Println("container has been persisted on sidechain")
 					return
@ -152,6 +145,7 @@ func initContainerCreateCmd() {

 	// Init common flags
 	flags.StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+	flags.Bool(commonflags.TracingFlag, false, commonflags.TracingFlagUsage)
 	flags.DurationP(commonflags.Timeout, commonflags.TimeoutShorthand, commonflags.TimeoutDefault, commonflags.TimeoutUsage)
 	flags.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
 	flags.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
@ -166,7 +160,6 @@ func initContainerCreateCmd() {
 	flags.StringVar(&containerNnsName, "nns-name", "", "Container nns name attribute")
 	flags.StringVar(&containerNnsZone, "nns-zone", "", "Container nns zone attribute")
 	flags.BoolVar(&containerNoTimestamp, "disable-timestamp", false, "Disable timestamp container attribute")
-	flags.StringVar(&containerSubnet, "subnet", "", "String representation of container subnetwork")
 	flags.BoolVarP(&force, commonflags.ForceFlag, commonflags.ForceFlagShorthand, false,
 		"Skip placement validity check")
 }
@ -192,12 +185,12 @@ func parseContainerPolicy(cmd *cobra.Command, policyString string) (*netmap.Plac
 		return &result, nil
 	}

-	if err = result.UnmarshalJSON([]byte(policyString)); err == nil {
+	if err := result.UnmarshalJSON([]byte(policyString)); err == nil {
 		common.PrintVerbose(cmd, "Parsed JSON encoded policy")
 		return &result, nil
 	}

-	return nil, errors.New("can't parse placement policy")
+	return nil, fmt.Errorf("can't parse placement policy: %w", err)
 }

 func parseAttributes(dst *container.Container, attributes []string) error {
--- a/cmd/frostfs-cli/modules/container/delete.go
+++ b/cmd/frostfs-cli/modules/container/delete.go
@ -4,20 +4,21 @@ import (
 	"fmt"
 	"time"

-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	objectSDK "github.com/TrueCloudLab/frostfs-sdk-go/object"
-	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/spf13/cobra"
 )

 var deleteContainerCmd = &cobra.Command{
 	Use:   "delete",
 	Short: "Delete existing container",
-	Long: `Delete existing container. 
+	Long: `Delete existing container.
 Only owner of the container has a permission to remove container.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		id := parseContainerID(cmd)
@ -30,11 +31,14 @@ Only owner of the container has a permission to remove container.`,
 		if force, _ := cmd.Flags().GetBool(commonflags.ForceFlag); !force {
 			common.PrintVerbose(cmd, "Reading the container to check ownership...")

-			var getPrm internalclient.GetContainerPrm
-			getPrm.SetClient(cli)
-			getPrm.SetContainer(id)
+			getPrm := internalclient.GetContainerPrm{
+				Client: cli,
+				ClientParams: client.PrmContainerGet{
+					ContainerID: &id,
+				},
+			}

-			resGet, err := internalclient.GetContainer(getPrm)
+			resGet, err := internalclient.GetContainer(cmd.Context(), getPrm)
 			commonCmd.ExitOnErr(cmd, "can't get the container: %w", err)

 			owner := resGet.Container().Owner()
@ -72,26 +76,26 @@ Only owner of the container has a permission to remove container.`,

 				common.PrintVerbose(cmd, "Searching for LOCK objects...")

-				res, err := internalclient.SearchObjects(searchPrm)
+				res, err := internalclient.SearchObjects(cmd.Context(), searchPrm)
 				commonCmd.ExitOnErr(cmd, "can't search for LOCK objects: %w", err)

 				if len(res.IDList()) != 0 {
 					commonCmd.ExitOnErr(cmd, "",
-						fmt.Errorf("Container wasn't removed because LOCK objects were found.\n"+
-							"Use --%s flag to remove anyway.", commonflags.ForceFlag))
+						fmt.Errorf("container wasn't removed because LOCK objects were found, "+
+							"use --%s flag to remove anyway", commonflags.ForceFlag))
 				}
 			}
 		}

-		var delPrm internalclient.DeleteContainerPrm
-		delPrm.SetClient(cli)
-		delPrm.SetContainer(id)
-
-		if tok != nil {
-			delPrm.WithinSession(*tok)
+		delPrm := internalclient.DeleteContainerPrm{
+			Client: cli,
+			ClientParams: client.PrmContainerDelete{
+				ContainerID: &id,
+				Session:     tok,
+			},
 		}

-		_, err := internalclient.DeleteContainer(delPrm)
+		_, err := internalclient.DeleteContainer(cmd.Context(), delPrm)
 		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

 		cmd.Println("container delete method invoked")
@ -99,14 +103,17 @@ Only owner of the container has a permission to remove container.`,
 		if containerAwait {
 			cmd.Println("awaiting...")

-			var getPrm internalclient.GetContainerPrm
-			getPrm.SetClient(cli)
-			getPrm.SetContainer(id)
+			getPrm := internalclient.GetContainerPrm{
+				Client: cli,
+				ClientParams: client.PrmContainerGet{
+					ContainerID: &id,
+				},
+			}

 			for i := 0; i < awaitTimeout; i++ {
 				time.Sleep(1 * time.Second)

-				_, err := internalclient.GetContainer(getPrm)
+				_, err := internalclient.GetContainer(cmd.Context(), getPrm)
 				if err != nil {
 					cmd.Println("container has been removed:", containerID)
 					return
@ -124,6 +131,7 @@ func initContainerDeleteCmd() {
 	flags.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
 	flags.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
 	flags.StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+	flags.Bool(commonflags.TracingFlag, false, commonflags.TracingFlagUsage)

 	flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
 	flags.BoolVar(&containerAwait, "await", false, "Block execution until container is removed")
--- a/cmd/frostfs-cli/modules/container/get.go
+++ b/cmd/frostfs-cli/modules/container/get.go
@ -4,15 +4,16 @@ import (
 	"crypto/ecdsa"
 	"os"

-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/TrueCloudLab/frostfs-sdk-go/container"
-	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
-	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/spf13/cobra"
 )

@ -50,7 +51,7 @@ var getContainerInfoCmd = &cobra.Command{
 				data = cnr.Marshal()
 			}

-			err = os.WriteFile(containerPathTo, data, 0644)
+			err = os.WriteFile(containerPathTo, data, 0o644)
 			commonCmd.ExitOnErr(cmd, "can't write container to file: %w", err)
 		}
 	},
@ -82,7 +83,7 @@ func prettyPrintContainer(cmd *cobra.Command, cnr container.Container, jsonEncod

 	var id cid.ID
 	container.CalculateID(&id, cnr)
-	cmd.Println("container ID:", id)
+	cmd.Println("CID:", id)

 	cmd.Println("owner ID:", cnr.Owner())

@ -147,11 +148,14 @@ func getContainer(cmd *cobra.Command) (container.Container, *ecdsa.PrivateKey) {
 		pk = key.GetOrGenerate(cmd)
 		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)

-		var prm internalclient.GetContainerPrm
-		prm.SetClient(cli)
-		prm.SetContainer(id)
+		prm := internalclient.GetContainerPrm{
+			Client: cli,
+			ClientParams: client.PrmContainerGet{
+				ContainerID: &id,
+			},
+		}

-		res, err := internalclient.GetContainer(prm)
+		res, err := internalclient.GetContainer(cmd.Context(), prm)
 		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

 		cnr = res.Container()
--- a/cmd/frostfs-cli/modules/container/get_eacl.go
+++ b/cmd/frostfs-cli/modules/container/get_eacl.go
@ -3,11 +3,12 @@ package container
 import (
 	"os"

-	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
-	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
-	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
 	"github.com/spf13/cobra"
 )

@ -20,11 +21,14 @@ var getExtendedACLCmd = &cobra.Command{
 		pk := key.GetOrGenerate(cmd)
 		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)

-		var eaclPrm internalclient.EACLPrm
-		eaclPrm.SetClient(cli)
-		eaclPrm.SetContainer(id)
+		eaclPrm := internalclient.EACLPrm{
+			Client: cli,
+			ClientParams: client.PrmContainerEACL{
+				ContainerID: &id,
+			},
+		}

-		res, err := internalclient.EACL(eaclPrm)
+		res, err := internalclient.EACL(cmd.Context(), eaclPrm)
 		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)

 		eaclTable := res.EACL()
@ -48,7 +52,7 @@ var getExtendedACLCmd = &cobra.Command{

 		cmd.Println("dumping data to file:", containerPathTo)

-		err = os.WriteFile(containerPathTo, data, 0644)
+		err = os.WriteFile(containerPathTo, data, 0o644)
 		commonCmd.ExitOnErr(cmd, "could not write eACL to file: %w", err)
 	},
 }
--- a/Show more
+++ b/Show more
				`@ -1 +0,0 @@`
				`* @TrueCloudLab/storage-core @TrueCloudLab/committers`