diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..96f261b --- /dev/null +++ b/docs/README.md @@ -0,0 +1,24 @@ +# BIOS Documentation + +This folder contains repository-level documentation for the recovered Lenovo +HR650X / Intel Purley AMI UEFI BIOS tree. + +## Start Here + +- [Firmware Overview](firmware_overview.md) - high-level platform, package, and + subsystem orientation. +- [Boot and Runtime Lifecycle](boot_and_runtime_lifecycle.md) - phase-by-phase + behavioural flow from PEI through DXE, SMM, setup, OS handoff, and runtime. +- [Subsystem Behaviour Map](subsystem_behaviour_map.md) - navigation map from + externally visible behaviours to recovered module evidence. + +## Layout Evidence + +- [Original Source Layout Recovery](original_layout_recovery.md) - recovered + package/source-path grouping from debug/assert/PDB/source-path evidence. +- [Original Layout Evidence](original_layout_evidence.json) - machine-readable + evidence generated by `tools/recover_original_layout.py`. + +These docs describe recovered firmware evidence, not pristine vendor source. +Where behaviour is uncertain, prefer the module `.c`, `.h`, `.md`, and README +files as the authoritative local evidence. diff --git a/docs/boot_and_runtime_lifecycle.md b/docs/boot_and_runtime_lifecycle.md new file mode 100644 index 0000000..6f7a92e --- /dev/null +++ b/docs/boot_and_runtime_lifecycle.md 
@@ -0,0 +1,193 @@ +# Boot and Runtime Lifecycle + +This document describes the observed lifecycle of the recovered HR650X / Purley +AMI UEFI firmware. It is based on the module evidence currently present in the +tree, especially the PEI, DXE IPL, DXE Core, SMM IPL/Core, setup, security, and +BMC module notes. + +## 1. Early PEI Dispatch + +`PeiCore` is the first major recovered phase anchor after SEC. Its notes describe +the PEI dispatcher, PEI Services Table setup, firmware-volume discovery, memory +initialization, PPI management, and HOB creation. + +Key behaviours: + +- Establishes PEI services and the PPI database. +- Discovers firmware volumes and PEIMs. +- Dispatches PEIMs according to PEI dependency rules. +- Handles boot-mode and memory-initialization transitions. +- Builds the HOB list that later phases consume. + +Evidence: + +- `MdeModulePkg/Core/Pei/PeiMain/PeiCore/README.md` + +## 2. Early Security and Platform State + +Some security and platform checks occur before DXE. The clearest recovered +example is `BootGuardPei`, an IA32 PEI module that reads Boot Guard state from +MSR 0x13A, installs a BootGuard PPI, skips FV verification on S3 resume, hashes +FV segments with SHA-256, and sets a disabling PCD on mismatch according to its +README. + +Other PEI-stage platform work includes TPM/TCG policy, IPMI/BMC initialization, +CMOS/boot-mode handling, early video, and Purley silicon initialization. + +Evidence: + +- `PurleyPlatPkg/BootGuard/ExtendBtGSupportToDxe/Pei/BootGuardPei/README.md` +- `AmiModulePkg/TCG2/Common/AmiTcgPlatformPei/AmiTpm20PlatformPei/README.md` +- `AmiIpmiPkg/Ipmi/PeiIpmiInitialize/PeiIpmiBmcInitialize/PeiIpmiBmcInitialize/README.md` +- `PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInitPreMem/README.md` +- `PurleyPlatPkg/Platform/Pei/EarlyVideoPei/README.md` + +## 3. PEI-to-DXE Handoff + +`DxeIpl` bridges PEI and DXE. 
The README and function table show DXE Core +discovery, firmware-volume section reading, LZMA decompression, x64 page-table +creation, HOB handoff, boot-mode handling, and transfer to the DXE Core entry +point. + +Key behaviours: + +- Finds the DXE Foundation in firmware volumes. +- Extracts/decompresses sections where required. +- Builds identity-mapped page tables for x64 DXE execution. +- Carries PEI HOB state forward. +- Calls into the DXE Core. + +Evidence: + +- `MdeModulePkg/Core/DxeIplPeim/README.md` +- `MdeModulePkg/Core/DxeIplPeim/DxeIpl.md` +- `MdeModulePkg/Core/DxeIplPeim/DxeIplDiscoverDxeCore.c` +- `MdeModulePkg/Core/DxeIplPeim/DxeIplTransferToDxeCore.c` + +## 4. DXE Foundation + +The recovered DXE Core evidence is located at +`MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction`. Its README +describes the central DXE services: + +- Protocol database and handle database management. +- Boot and runtime service table initialization. +- DXE Services and Global Coherency Domain services. +- Page and pool allocation. +- Image loading, start, unload, and driver dispatch. +- Event, timer, TPL, and notification handling. +- Firmware-volume and section-extraction services. +- Memory protection table construction. + +Evidence: + +- `MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction/README.md` + +## 5. DXE Platform Services + +After the DXE Core starts dispatching drivers, the firmware builds the server +platform environment. The recovered tree shows several major DXE service groups: + +- PCI, storage, NVMe, AHCI, SCSI, FAT, shell, CSM, terminal, and network boot. +- SMBIOS and system inventory. +- ACPI table updates. +- Lenovo setup and platform policy. +- Intel SPS/ME communication. +- BMC/IPMI setup, self-test, SEL/status reporting, and management tables. +- Secure Boot and TPM 2.0 protocols. +- Flash, NVRAM, runtime, and SMM bridge services. 
+ +Evidence examples: + +- `AmiModulePkg/PCI/PciBus/README.md` +- `AmiModulePkg/Nvme/Nvme/README.md` +- `AmiNetworkPkg/UefiNetworkStack/PxeBcDxe/README.md` +- `LenovoServerPkg/SystemInventory/SystemInventory/README.md` +- `PurleySktPkg/Me/Sps/Dxe/SpsDxe/README.md` +- `AmiIpmiPkg/Ipmi/IpmiInitialize/DxeIpmiBmcInitialize/DxeIpmiBmcInitialize/README.md` +- `AmiModulePkg/SecureBoot/SecureBootDXE/README.md` +- `AmiModulePkg/TCG2/Common/TcgDxe/Tcg2Dxe/README.md` + +## 6. SMM Bring-up + +SMM is established from DXE through `PiSmmIpl`, which opens/configures SMRAM, +loads SMM Core into SMRAM, exposes SMM access/control/communication protocols, +and bridges S3 boot-script and runtime pointer conversion work. `PiSmmCore` then +provides SMST services and dispatches registered SMI handlers. + +Key behaviours: + +- Enumerates and prepares SMRAM ranges. +- Loads SMM Core into SMRAM. +- Provides software SMI triggering and SMM communication. +- Initializes SMM system table services. +- Registers and dispatches GUID-keyed SMI handlers. +- Validates SMM communication buffers through AMI buffer-validation support. + +Evidence: + +- `MdeModulePkg/Core/PiSmmCore/PiSmmIpl/README.md` +- `MdeModulePkg/Core/PiSmmCore/PiSmmCore/README.md` +- `PurleySktPkg/Override/IA32FamilyCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm/README.md` + +## 7. Setup and Boot Policy + +AMI TSE and Lenovo setup modules control interactive firmware configuration and +boot-option policy. The AMITSE notes describe menu database parsing, HII package +installation, graphics/text rendering, boot-option management, language and +hotkey initialization, and storage-security policy hooks. Lenovo setup modules +handle HR650X-specific setup variables, defaults, server-management forms, and +socket/platform options. + +Key behaviours: + +- Reads and writes setup variables. +- Publishes HII forms and setup callbacks. +- Manages `Boot####`, `BootOrder`, `BootNext`, and `Timeout`. 
+- Applies platform setup defaults and SKU-specific setup updates. +- Exposes server-management and socket/platform configuration screens. + +Evidence: + +- `AmiTsePkg/EDK/MiniSetup/AMITSE/README.md` +- `LenovoServerPkg/Setup/README.md` +- `LenovoServerPkg/ServerMgmtSetup/README.md` +- `LenovoServerPkg/SetupDefaults/SetupDefaultLoad/README.md` +- `LenovoServerPkg/SocketSetup/README.md` + +## 8. Ready-to-Boot and OS Handoff + +Near the end of boot-service time, ready-to-boot and platform hooks finalize +platform tables, inventory, boot policy, and BMC/SMBIOS state. Runtime services +and SMM handlers remain available after `ExitBootServices`, while ACPI/SMBIOS +tables describe platform capabilities to the OS. + +Evidence: + +- `LenovoServerPkg/OemReadyToBootDxe/OemReadyToBootDxe/README.md` +- `LenovoServerPkg/OemSaveSmbiosDxe/README.md` +- `LenovoServerPkg/SmbiosType11/SmbiosType11/README.md` +- `LenovoServerPkg/SmbiosType39/README.md` +- `AmiModulePkg/RuntimeDxe/RuntimeDxe/README.md` +- `AmiModulePkg/RuntimeSmm/RuntimeSmm/README.md` + +## 9. Runtime and Management After Boot + +After OS handoff, the relevant remaining firmware behaviours are primarily: + +- UEFI runtime variable and time services. +- SMM communication and software SMI handlers. +- Flash and secure-flash update handlers. +- BMC/IPMI event logging and management paths. +- WHEA/RAS error logging and SMI-based recovery paths. +- ACPI methods and tables installed during DXE. + +Evidence: + +- `AmiModulePkg/NVRAM/NvramSmm/README.md` +- `AmiModulePkg/SmiVariable/SmiVariable/README.md` +- `AmiModulePkg/Flash/SmiFlash/README.md` +- `AmiModulePkg/SecureFlash/SecSMIFlash/README.md` +- `AmiIpmiPkg/Ipmi/SmmBmcElog/README.md` +- `CpPlatPkg/Whea/WheaElog/README.md` +- `PurleySktPkg/Smm/Ras/QuiesceSupport/QuiesceSupport/README.md` diff --git a/docs/firmware_overview.md b/docs/firmware_overview.md new file mode 100644 index 0000000..80d7f8c --- /dev/null +++ b/docs/firmware_overview.md 
@@ -0,0 +1,171 @@ +# Firmware Overview + +This repository is a recovered source-oriented view of a Lenovo HR650X server +BIOS built on AMI Aptio V and Intel Purley platform code. It is not a pristine +vendor source tree. The current layout combines decompiled C, reconstructed +headers, generated function inventories, IDA artifacts, and analyst notes that +were regrouped by package path where debug/assert/PDB/source-path evidence was +available. + +Use this document as the top-level map for the firmware. For provenance of the +package layout itself, see [original_layout_recovery.md](original_layout_recovery.md) +and [original_layout_evidence.json](original_layout_evidence.json). + +## Platform Identity + +- System family: Lenovo HR650X server firmware. +- Silicon generation: Intel Purley server platform. +- Firmware framework: AMI Aptio V / UEFI PI. +- Build evidence visible across modules: `HR6N0XMLK`, `DEBUG_VS2015`, IA32 PEI + modules, and X64 DXE/SMM modules. +- Source status: recovered/decompiled module source. Function names, types, and + structures are a mixture of original symbols, debug-path hints, EDK II/AMI + conventions, and analyst reconstruction. + +## Major Package Areas + +| Package | Role in this tree | +| --- | --- | +| `MdePkg`, `MdeModulePkg`, `UefiCpuPkg` | UEFI PI core services, DXE/PEI/SMM infrastructure, CPU and common library code. | +| `AmiModulePkg` | AMI platform services: setup, NVRAM, flash, secure boot, TCG, CSM, PCI, terminal, storage, generic event log, and runtime support. | +| `AmiIpmiPkg` | IPMI and BMC integration across PEI, DXE, and SMM. | +| `AmiNetworkPkg` | UEFI network stack, PXE/HTTP/iSCSI, BMC LAN setup, and Redfish-related modules. | +| `AmiTsePkg` | AMI text/setup environment and Aptio setup UI. | +| `AmiCryptoPkg` | Crypto service initialization in PEI/DXE/SMM-facing components. 
| +| `LenovoServerPkg` | Lenovo HR650X server integration: setup defaults, POST/status handling, system inventory, SMBIOS updates, ready-to-boot hooks, and OEM platform policy. | +| `PurleyPlatPkg`, `PurleySktPkg`, `PurleyRpPkg` | Intel Purley platform, socket, south-cluster, ME/SPS, RAS, FPGA, SKU, board, and riser/platform-update logic. | +| `CpPlatPkg`, `CpRcPkg` | Configuration/register access, WHEA, and platform support code used by the Purley server stack. | +| `Build/GuidArtifacts` | GUID-named recovered artifacts whose original module identity remains incomplete or ambiguous. | + +## Execution Model + +The firmware follows the standard UEFI PI boot shape: + +1. SEC transfers into PEI. +2. PEI Core dispatches PEIMs, publishes PPIs, builds HOBs, discovers firmware + volumes, and initializes memory. +3. DXE IPL discovers and loads the DXE Core, creates the x64 handoff context, + and transfers the HOB list into DXE. +4. DXE Core installs the boot-service execution environment: protocol database, + handle database, memory services, image loading, events, timers, firmware + volume services, and driver dispatch. +5. DXE drivers initialize platform, storage, network, setup, security, BMC, + ME/SPS, SMBIOS, ACPI, and runtime services. +6. SMM IPL loads the SMM Core into SMRAM. SMM drivers then register SMI + handlers for flash, NVRAM, IPMI, storage, RAS, chipset, and runtime work. +7. BDS and setup select boot policy, maintain `Boot####` variables, and launch + the selected boot option. +8. Runtime services, ACPI tables, SMBIOS tables, SMM handlers, and BMC/ME + interfaces remain relevant after `ExitBootServices`. + +The recovered core anchors are: + +- `MdeModulePkg/Core/Pei/PeiMain/PeiCore/README.md` for PEI dispatch, PPIs, + HOB creation, memory initialization, and firmware-volume discovery. 
+- `MdeModulePkg/Core/DxeIplPeim/README.md` and + `MdeModulePkg/Core/DxeIplPeim/DxeIpl.md` for DXE core discovery, LZMA + decompression, page table creation, and transfer to DXE. +- `MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction/README.md` for + the recovered DXE Core evidence. +- `MdeModulePkg/Core/PiSmmCore/PiSmmIpl/README.md` and + `MdeModulePkg/Core/PiSmmCore/PiSmmCore/README.md` for SMM loading, SMRAM + management, SMM communication, and SMI dispatch. +- `PurleySktPkg/Override/IA32FamilyCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm/README.md` + for the CPU-side SMM execution component. + +## Behavioural Themes + +### Platform Bring-up + +Purley PEI/DXE modules initialize CPU, memory, PCH, GPIO, PCIe/IIO, FPGA, ME/SPS, +watchdog, and board-specific SKU data. The tree contains both generic Intel/AMI +infrastructure and Lenovo/Purley board overlays. Important areas include: + +- `PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInitPreMem` +- `PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInit` +- `PurleySktPkg/Me/Heci/*` +- `PurleySktPkg/Me/Sps/*` +- `PurleySktPkg/Smm/*` +- `PurleyRpPkg/Uba/UbaMain/Dxe/Type*` +- `LenovoServerPkg/POSTStatus/*` +- `LenovoServerPkg/OemPlatformEarlyPhasePei` +- `LenovoServerPkg/OemPlatformDxePhase` + +### Security and Measured Boot + +The firmware contains multiple security layers: + +- Boot Guard PEI support validates FV Main hash material early in PEI and can + set a PCD to block boot on mismatch. +- TCG/TPM modules initialize TPM 2.0, expose `EFI_TCG2_PROTOCOL`, extend PCRs, + manage event logs, and update TPM ACPI objects. +- Secure Boot DXE reads `SecureBootSetup`, provisions PK/KEK/db/dbx/dbt/dbr + variables from firmware-volume data, and sets `SetupMode`. +- SMM and secure-flash modules provide privileged update paths and runtime + handlers that should be treated as high-impact code. 
+ +Primary evidence: + +- `PurleyPlatPkg/BootGuard/ExtendBtGSupportToDxe/Pei/BootGuardPei/README.md` +- `AmiModulePkg/TCG2/Common/TcgDxe/Tcg2Dxe/README.md` +- `AmiModulePkg/SecureBoot/SecureBootDXE/README.md` +- `AmiModulePkg/Flash/SmiFlash/README.md` +- `AmiModulePkg/SecureFlash/SecSMIFlash/README.md` + +### Management Controller Integration + +BMC/IPMI behaviour is a first-class part of the firmware. The IPMI stack spans +PEI, DXE, and SMM: + +- PEI initializes BMC access early enough for watchdog, boot flags, and status + reporting. +- DXE initializes KCS transport, runs BMC self-test, checks BMC firmware, + installs SMBIOS Type 42/SPMI records, and coordinates BMC setup options. +- SEL/status-code modules forward platform health and POST events. +- SMM modules keep BMC event-log and IPMI command paths available after boot. +- Lenovo inventory modules collect platform data and likely report it to BMC + and SMBIOS consumers. + +Primary evidence: + +- `AmiIpmiPkg/Ipmi/PeiIpmiInitialize/PeiIpmiBmcInitialize/PeiIpmiBmcInitialize/README.md` +- `AmiIpmiPkg/Ipmi/IpmiInitialize/DxeIpmiBmcInitialize/DxeIpmiBmcInitialize/README.md` +- `AmiIpmiPkg/Ipmi/SmmIpmiBmcInitialize/README.md` +- `AmiIpmiPkg/Ipmi/DxeSelStatusCode/README.md` +- `AmiIpmiPkg/Ipmi/SmmBmcElog/README.md` +- `LenovoServerPkg/SystemInventory/SystemInventory/README.md` + +### Setup, Policy, and Boot Selection + +Setup behaviour is split between AMI UI infrastructure, Lenovo setup forms and +defaults, platform setup-update modules, and BDS boot-option handling: + +- `AmiTsePkg/EDK/MiniSetup/AMITSE` implements the Aptio setup UI, menu database + parsing, boot-option management, HDD/security policy hooks, and display/input + interaction. +- `LenovoServerPkg/Setup`, `ServerMgmtSetup`, `SocketSetup`, and + `SetupDefaults` define HR650X-specific setup variables and defaults. +- `PurleyRpPkg/Uba/UbaMain/Dxe/Type*/SetupConfigUpdateDxe` modules specialize + setup data by board/riser/SKU type. 
+- Boot policy is represented through UEFI variables such as `Boot####`, + `BootOrder`, `BootNext`, `Timeout`, and setup variables. + +Primary evidence: + +- `AmiTsePkg/EDK/MiniSetup/AMITSE/README.md` +- `LenovoServerPkg/Setup/README.md` +- `LenovoServerPkg/ServerMgmtSetup/README.md` +- `LenovoServerPkg/SetupDefaults/SetupDefaultLoad/README.md` +- `PurleyRpPkg/Uba/UbaMain/Dxe/TypeNeonCityEPRP/SetupConfigUpdateDxe/README.md` + +## Reading Guidance + +- Treat module READMEs as summaries of recovered evidence, not as independent + proof of vendor intent. +- Prefer claims supported by function names, strings, GUIDs, protocols, + variables, source paths, or multiple module notes. +- Keep PEI, DXE, SMM, BDS, and runtime behaviours separate. Similar module names + often describe different execution contexts. +- For sensitive areas such as flash, variable services, secure boot, TPM, BMC, + SMM communication, and RAS error handling, inspect the `.c`, `.h`, and sidecar + `.md` files before making security conclusions. diff --git a/docs/subsystem_behaviour_map.md b/docs/subsystem_behaviour_map.md new file mode 100644 index 0000000..3b39a09 --- /dev/null +++ b/docs/subsystem_behaviour_map.md 
@@ -0,0 +1,132 @@ +# Subsystem Behaviour Map + +This map groups the recovered BIOS modules by externally visible behaviour. It +is intended as a navigation aid for analysis, not as a claim that every module +in the firmware has been fully reconstructed. + +## Boot Core and Dispatch + +| Behaviour | Evidence | +| --- | --- | +| PEI dispatcher, PEI services, PPI database, HOB creation, memory init | `MdeModulePkg/Core/Pei/PeiMain/PeiCore/README.md` | +| PEI-to-DXE transfer, DXE Core discovery, LZMA decompression, x64 page tables | `MdeModulePkg/Core/DxeIplPeim/README.md` | +| DXE services, protocol/handle database, memory, image loading, event/timer, dispatcher | `MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction/README.md` | +| SMM IPL, SMRAM allocation, SMM communication, SMM Core loading | `MdeModulePkg/Core/PiSmmCore/PiSmmIpl/README.md` | +| SMM Core SMST services and SMI handler dispatch | `MdeModulePkg/Core/PiSmmCore/PiSmmCore/README.md` | + +## Security, Measurement, and Update Control + +| Behaviour | Evidence | +| --- | --- | +| Intel Boot Guard PEI hash verification of firmware-volume segments | `PurleyPlatPkg/BootGuard/ExtendBtGSupportToDxe/Pei/BootGuardPei/README.md` | +| TPM 2.0 DXE protocol, PCR extend, event log, TPM ACPI update | `AmiModulePkg/TCG2/Common/TcgDxe/Tcg2Dxe/README.md` | +| TPM/TCG PEI and platform setup policy | `AmiModulePkg/TCG2/Common/TcgPei/TcgPei/README.md`, `AmiModulePkg/TCG2/Common/TcgPlatformSetupPolicy/README.md` | +| Secure Boot variable provisioning and `SetupMode` handling | `AmiModulePkg/SecureBoot/SecureBootDXE/README.md` | +| SMM TCG storage-security path | `AmiModulePkg/TcgStorageSecurity/SmmTcgStorageSec/README.md` | +| Flash and secure-flash update paths | `AmiModulePkg/Flash/SmiFlash/README.md`, `AmiModulePkg/SecureFlash/SecSMIFlash/README.md` | +| Crypto service initialization | `AmiCryptoPkg/CryptoLib/CryptLibInitRun/README.md`, `AmiCryptoPkg/CryptoSMM/README.md` | + +## BMC, IPMI, and Out-of-Band 
Management + +| Behaviour | Evidence | +| --- | --- | +| PEI BMC/IPMI initialization | `AmiIpmiPkg/Ipmi/PeiIpmiInitialize/PeiIpmiBmcInitialize/PeiIpmiBmcInitialize/README.md` | +| DXE KCS transport, BMC self-test, Type 42/SPMI records, boot flags | `AmiIpmiPkg/Ipmi/IpmiInitialize/DxeIpmiBmcInitialize/DxeIpmiBmcInitialize/README.md` | +| SMM IPMI initialization | `AmiIpmiPkg/Ipmi/SmmIpmiBmcInitialize/README.md` | +| SEL/status-code forwarding | `AmiIpmiPkg/Ipmi/DxeSelStatusCode/README.md`, `AmiIpmiPkg/Ipmi/PeiSelStatusCode/PeiSelStatusCode/README.md` | +| BMC event-log handling | `AmiIpmiPkg/Ipmi/BmcElog/BmcElog/README.md`, `AmiIpmiPkg/Ipmi/SmmBmcElog/README.md` | +| BMC LAN/IPMI network setup | `AmiNetworkPkg/UefiNetworkStack/Ipv4/BmcLanConfig/README.md`, `AmiNetworkPkg/UefiNetworkStack/Ipv6/Ip6BmcLanConfig/README.md` | +| Lenovo inventory collection for management consumers | `LenovoServerPkg/SystemInventory/SystemInventory/README.md`, `LenovoServerPkg/InventoryApp/README.md` | + +## Setup, HII, and Boot Option Policy + +| Behaviour | Evidence | +| --- | --- | +| AMI Aptio setup UI, menu database parsing, rendering, hotkeys | `AmiTsePkg/EDK/MiniSetup/AMITSE/README.md` | +| Boot-option management and UEFI boot variables | `AmiTsePkg/EDK/MiniSetup/AMITSE/README.md` | +| Lenovo setup variable and HII infrastructure | `LenovoServerPkg/Setup/README.md` | +| Server management setup pages | `LenovoServerPkg/ServerMgmtSetup/README.md` | +| Socket setup pages | `LenovoServerPkg/SocketSetup/README.md` | +| Setup defaults | `LenovoServerPkg/SetupDefaults/SetupDefaultLoad/README.md` | +| SKU/riser/board-specific setup updates | `PurleyRpPkg/Uba/UbaMain/Dxe/TypeNeonCityEPRP/SetupConfigUpdateDxe/README.md` and sibling `Type*/SetupConfigUpdateDxe` modules | +| Network, NVMe, PCI, TPM, FPGA setup pages | `AmiNetworkPkg/UefiNetworkStack/Common/NetworkStackSetupScreen/README.md`, `AmiModulePkg/Nvme/NvmeDynamicSetup/README.md`, `AmiModulePkg/PCI/PciOutOfResourceSetupPage/README.md`, 
`PurleySktPkg/Dxe/FpgaInit/FpgaSocketSetup/README.md` | + +## Silicon, Board, and SKU Initialization + +| Behaviour | Evidence | +| --- | --- | +| PCH/south-cluster PEI silicon init | `PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInitPreMem/README.md`, `PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInit/README.md` | +| PCH DXE/SMM init | `PurleySktPkg/SouthClusterLbg/PchInit/Dxe/PchInitDxe/README.md`, `PurleySktPkg/SouthClusterLbg/PchInit/Smm/PchInitSmm/README.md` | +| GPIO init and unlock paths | `PurleySktPkg/SouthClusterLbg/Gpio/Pei/GpioInit/README.md`, `PurleySktPkg/SouthClusterLbg/Gpio/Smm/PchGpioUnlockSmm/README.md` | +| SMBus DXE/SMM support | `PurleySktPkg/SouthClusterLbg/Smbus/Dxe/PchSmbusDxe/README.md`, `PurleySktPkg/SouthClusterLbg/Smbus/Smm/PchSmbusSmm/README.md` | +| ME/HECI communication | `PurleySktPkg/Me/Heci/Pei/HeciInit/README.md`, `PurleySktPkg/Me/Heci/Dxe/HeciInitDxe/README.md`, `PurleySktPkg/Me/Heci/Smm/HeciSmm/README.md` | +| Intel SPS integration | `PurleySktPkg/Me/Sps/Pei/SpsPei/README.md`, `PurleySktPkg/Me/Sps/Dxe/SpsDxe/README.md`, `PurleySktPkg/Me/Sps/Smm/SpsSmm/README.md` | +| FPGA configuration and error handling | `PurleyRpPkg/Uba/UbaMain/Dxe/TypeNeonCityFPGA/FpgaConfigDataDxe/README.md`, `PurleyPlatPkg/Ras/Smm/ErrHandling/FpgaErrorHandler/FpgaErrorHandler/README.md` | +| Board/SKU data update modules | `PurleyRpPkg/Uba/UbaMain/Dxe/Type*/StaticSkuDataDxe`, `Type*/SlotDataUpdateDxe`, `Type*/SmbiosDataUpdateDxe`, `Type*/IioCfgUpdateDxe` | + +## Inventory, SMBIOS, ACPI, and OS-Facing Tables + +| Behaviour | Evidence | +| --- | --- | +| Hardware inventory collection during POST | `LenovoServerPkg/SystemInventory/SystemInventory/README.md` | +| SMBIOS base support and DMI edit | `AmiCompatibilityPkg/Smbios/Smbios/README.md`, `AmiCompatibilityPkg/Smbios/SmbiosDmiEdit/README.md` | +| Lenovo SMBIOS type updates | `LenovoServerPkg/SmbiosType11/SmbiosType11/README.md`, `LenovoServerPkg/SmbiosType39/README.md`, `LenovoServerPkg/SmbiosRpTable/README.md` 
| +| Save SMBIOS data to platform/BMC consumers | `LenovoServerPkg/OemSaveSmbiosDxe/README.md` | +| ACPI and BMC ACPI integration | `AmiModulePkg/ACPI/ACPI/README.md`, `AmiIpmiPkg/Ipmi/BmcAcpi/BmcAcpi/README.md` | +| TPM ACPI update | `AmiModulePkg/TCG2/Common/Tpm20Acpi/README.md`, `AmiModulePkg/TCG2/Common/TcgDxe/Tcg2Dxe/README.md` | + +## Storage, Boot Devices, and Legacy Compatibility + +| Behaviour | Evidence | +| --- | --- | +| AHCI/SATA and SMM AHCI support | `AmiModulePkg/AHCI/Ahci/README.md`, `AmiModulePkg/AHCI/AhciSmm/README.md` | +| NVMe and dynamic NVMe setup | `AmiModulePkg/Nvme/Nvme/README.md`, `AmiModulePkg/Nvme/NvmeDynamicSetup/README.md` | +| SCSI disk/bus and FAT filesystem | `MdeModulePkg/Bus/Scsi/ScsiDiskDxe/README.md`, `MdeModulePkg/Bus/Scsi/ScsiBusDxe/README.md`, `FatPkg/EnhancedFatDxe/README.md` | +| ATA pass-through, HDD security, SMART | `AmiModulePkg/AtaPassThru/AtaPassThru/README.md`, `AmiModulePkg/HddSecurity/HddSecurity/README.md`, `AmiModulePkg/HddSmart/HddSMART/README.md` | +| Opal/TCG storage security | `AmiModulePkg/OpalSecurity/OpalSecurity/README.md`, `AmiModulePkg/TcgStorageSecurity/TcgStorageSecurity/README.md` | +| CSM and legacy INT13/video paths | `AmiModulePkg/CSM/CsmDxe/README.md`, `AmiModulePkg/CSM/Aint13/README.md`, `AmiModulePkg/CSM/CsmVideo/README.md` | + +## Network and Remote Boot + +| Behaviour | Evidence | +| --- | --- | +| SNP/MNP/IP stack base | `AmiNetworkPkg/UefiNetworkStack/SnpDxe/README.md`, `PcAtChipsetPkg/PcatRealTimeClockSmm/PcatRealTimeClockSmm/MnpDxe/README.md` | +| PXE boot | `AmiNetworkPkg/UefiNetworkStack/PxeBcDxe/README.md` | +| HTTP boot | `AmiNetworkPkg/UefiNetworkStack/HttpBootDxe/README.md` | +| iSCSI boot | `AmiNetworkPkg/IScsiDxe/IScsiDxe/README.md` | +| DNS/DHCP/IP protocol modules | `MdeModulePkg` and `AmiNetworkPkg/UefiNetworkStack` protocol subtrees | +| Redfish API support | `AmiNetworkPkg/Redfish/AmiRedFishApi/README.md` | + +## POST, Logging, RAS, and Error Handling + +| Behaviour | 
Evidence | +| --- | --- | +| Lenovo PEI/DXE POST status-code paths | `LenovoServerPkg/POSTStatus/LnvPeiStatusCode/README.md`, `LenovoServerPkg/POSTStatus/LnvDxeStatusCode/README.md` | +| POST data transfer and screen information | `LenovoServerPkg/POSTDataTransfer/README.md`, `LenovoServerPkg/PostScreenInfo/PostScreenInfo/README.md` | +| Lenovo OOB/status drivers | `LenovoServerPkg/POSTStatus/LnvOobDriverDxe/README.md`, `LenovoServerPkg/POSTStatus/LnvDriverDxe/README.md` | +| Generic and BMC event logs | `AmiModulePkg/GenericElog/GenericElog/README.md`, `AmiModulePkg/GenericElog/SmmGenericElog/README.md`, `AmiIpmiPkg/Ipmi/SmmBmcElog/README.md` | +| WHEA boot and error logging | `CpPlatPkg/Whea/WheaPlatformBoot/README.md`, `CpPlatPkg/Whea/WheaElog/README.md`, `CpPlatPkg/Whea/WheaErrorLog/README.md` | +| Purley RAS and SMM recovery | `PurleyPlatPkg/Ras/Smm/ErrHandling`, `PurleySktPkg/Smm/Ras` | + +## Runtime, Variables, and SMM Services + +| Behaviour | Evidence | +| --- | --- | +| Runtime services DXE/SMM bridge | `AmiModulePkg/RuntimeDxe/RuntimeDxe/README.md`, `AmiModulePkg/RuntimeSmm/RuntimeSmm/README.md` | +| NVRAM PEI/SMM and SMI variable services | `AmiModulePkg/NVRAM/NvramPei/README.md`, `AmiModulePkg/NVRAM/NvramSmm/README.md`, `AmiModulePkg/SmiVariable/SmiVariable/README.md` | +| S3 NVRAM/save-state support | `AmiModulePkg/NVRAM/S3NvramSave/README.md`, `AmiModulePkg/SmmS3SaveState/S3SaveStateDxe/README.md`, `AmiModulePkg/SmmS3SaveState/SmmS3SaveState/README.md` | +| RTC runtime and SMM services | `PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtc/README.md`, `PcAtChipsetPkg/PcatRealTimeClockSmm/PcatRealTimeClockSmm/PcRtcSmm/README.md` | +| Register access services | `CpRcPkg/Universal/RegAccess/Pei/RegAccessPeim/README.md`, `CpRcPkg/Universal/RegAccess/Dxe/RegAccessDxe/README.md`, `CpRcPkg/Universal/RegAccess/Smm/RegAccessSMM/README.md` | + +## High-Risk Analysis Areas + +Prioritize direct source inspection before drawing conclusions in these areas: + +- SMM 
communication and buffer validation. +- Flash and secure-flash update handlers. +- Runtime variable services and setup-variable policy. +- Secure Boot database provisioning. +- TPM physical-presence, MOR, and PCR event-log handling. +- BMC/IPMI command transport and SEL/status-code forwarding. +- RAS/WHEA SMI handlers and error-injection paths. +- CSM/legacy boot and storage-security paths.
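
Review bot: In docs/README.md, the Layout Evidence section links to original_layout_recovery.md and original_layout_evidence.json and names tools/recover_original_layout.py, but none of these is among the files added in the visible diff, so confirm they already exist in the tree or add them in the same change to avoid dead links. The closing paragraph also calls the module README files "authoritative local evidence", while the Reading Guidance in docs/firmware_overview.md says to treat module READMEs as summaries and not as independent proof. Suggest rewording the README to match, for example by naming the `.c` and `.h` files first and describing the READMEs as summaries.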
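
Review bot: In docs/boot_and_runtime_lifecycle.md section 6 (SMM Bring-up), the bullet "Validates SMM communication buffers through AMI buffer-validation support" has no matching entry in the Evidence list, which cites only the PiSmmIpl, PiSmmCore and PiSmmCpuDxeSmm READMEs. SMM communication and buffer validation is listed as a high-risk area in docs/subsystem_behaviour_map.md, so name the module or README the claim comes from, or hedge it the way section 2 does for BootGuardPei ("according to its README").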
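
Review bot: In docs/firmware_overview.md under Security and Measured Boot, the Boot Guard bullet says the module validates "FV Main hash material" and omits the S3-resume case, whereas section 2 of docs/boot_and_runtime_lifecycle.md, citing the same BootGuardPei README, says it hashes FV segments with SHA-256 and skips FV verification on S3 resume. Suggest aligning the two descriptions and stating the S3 skip here as well, since a reader assessing verification coverage needs it. Keeping the "according to its README" qualifier would also match the Reading Guidance at the end of this file.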
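
Review bot: In docs/subsystem_behaviour_map.md, the Network and Remote Boot row for "SNP/MNP/IP stack base" cites `PcAtChipsetPkg/PcatRealTimeClockSmm/PcatRealTimeClockSmm/MnpDxe/README.md`, which places a network driver README under a real-time-clock SMM path. If that is where layout recovery grouped it, say so in the row; otherwise correct the path. In the High-Risk Analysis Areas list, "buffer validation", "TPM physical-presence, MOR" and "error-injection paths" have no evidence row in the tables above, so add rows for them or mark them as not yet located.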