diff --git a/scripts/backfill_hashes.php b/scripts/backfill_hashes.php
new file mode 100644
index 0000000..5f0ff45
--- /dev/null
+++ b/scripts/backfill_hashes.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Phase 2 Backfill: Generate hashes for existing invoices
+ * Run: php scripts/backfill_hashes.php
+ */
+
+require_once __DIR__ . '/../app/bootstrap/init.php';
+
+use App\Core\Database;
+use App\Core\Encryption;
+
+$db = Database::getInstance();
+
+echo "═══════════════════════════════════════════\n";
+echo "  مُصادَق — Backfill Invoice Hashes\n";
+echo "═══════════════════════════════════════════\n\n";
+
+// 1. Fetch all invoices without a hash
+$stmt = $db->query("SELECT id, company_id, supplier_tin, invoice_number, invoice_date FROM invoices WHERE invoice_hash IS NULL");
+$invoices = $stmt->fetchAll();
+
+if (empty($invoices)) {
+    echo "✅ No invoices found needing a hash update.\n";
+    exit;
+}
+
+echo "📦 Found " . count($invoices) . " invoices to process...\n";
+
+$updated = 0;
+$skipped = 0;
+
+foreach ($invoices as $inv) {
+    // Decrypt supplier_tin if it's encrypted (assuming it is based on upload logic)
+    $rawTin = Encryption::decrypt($inv['supplier_tin'] ?? '') ?: ($inv['supplier_tin'] ?? '');
+    
+    $invoiceNum  = $inv['invoice_number'] ?? '';
+    $invoiceDate = $inv['invoice_date'] ?? '';
+
+    if (empty($rawTin) || empty($invoiceNum) || empty($invoiceDate)) {
+        echo "  ⚠️  Skipping invoice [{$inv['id']}]: Missing critical data for hash calculation.\n";
+        $skipped++;
+        continue;
+    }
+
+    // Generate Hash
+    $rawHashString = $inv['company_id'] . '_' . $rawTin . '_' . $invoiceNum . '_' . $invoiceDate;
+    $invoiceHash = hash('sha256', strtolower($rawHashString));
+
+    try {
+        $updateStmt = $db->prepare("UPDATE invoices SET invoice_hash = ? WHERE id = ?");
+        $updateStmt->execute([$invoiceHash, $inv['id']]);
+        $updated++;
+        echo "  ✅ Updated invoice [{$inv['id']}] | Hash: " . substr($invoiceHash, 0, 8) . "...\n";
+    } catch (\PDOException $e) {
+        if (str_contains($e->getMessage(), 'Duplicate entry')) {
+            echo "  🚫 Duplicate hash found for invoice [{$inv['id']}]. Skipping update.\n";
+            $skipped++;
+        } else {
+            echo "  ❌ Failed to update [{$inv['id']}]: " . $e->getMessage() . "\n";
+            $skipped++;
+        }
+    }
+}
+
+echo "\n═══════════════════════════════════════════\n";
+echo "  Backfill Complete!\n";
+echo "  ✅ Updated: {$updated} | ⏭️ Skipped/Failed: {$skipped}\n";
+echo "═══════════════════════════════════════════\n";