# Portable Audit Pack Parquet Profile (Optional)

Status: Optional profile contract for implementation handoff (2026-02-10).

## Positioning

`components.parquet` is optional and must not be required for baseline pack verification.

## Manifest integration

When present, `manifest.files["components.parquet"]` must include:

- `sha256`
- `size`
- `content_type` = `application/x-parquet`
- `compression` = `snappy`
- `schema_fingerprint`

## Recommended schema columns

- `package_name` (STRING)
- `package_version` (STRING)
- `purl` (STRING)
- `license` (STRING)
- `component_hash_sha256` (STRING)
- `artifact_digest_sha256` (STRING)
- `cve_id` (STRING, nullable)
- `vex_status` (STRING, nullable)
- `introduced_range` (STRING, nullable)
- `fixed_version` (STRING, nullable)
- `source_bom_sha256` (STRING)

## Determinism rules

- Stable row ordering: `(artifact_digest_sha256, package_name, package_version, purl)`.
- Stable column ordering exactly as listed above.
- Stable Parquet writer settings pinned by version and compression codec.
- `schema_fingerprint` must be reproducible from logical schema definition.

## Feature gating

- Default profile: disabled.
- Enable only with explicit profile flag.
- Verification ignores Parquet content when absent.
- Verification fails with `ERR_PARQUET_FINGERPRINT_MISMATCH` when present but invalid.

## Operator guidance

- Use Parquet profile for fleet-level offline analytics.
- Keep analytics ingestion separate from baseline release gate verification.
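
The manifest requirements, determinism rules and feature gating above, combined into one check as an added Python example (not code from this profile or its implementation). The canonical encoding hashed by `schema_fingerprint`, the `EXAMPLE_*` failure codes and all function names are assumptions; only `ERR_PARQUET_FINGERPRINT_MISMATCH` comes from the profile, and `rows_in_stable_order` expects rows already decoded into dicts.

```python
import hashlib

# Columns in the order listed under "Recommended schema columns": (name, type, nullable).
COLUMNS = [
    ("package_name", "STRING", False), ("package_version", "STRING", False),
    ("purl", "STRING", False), ("license", "STRING", False),
    ("component_hash_sha256", "STRING", False),
    ("artifact_digest_sha256", "STRING", False),
    ("cve_id", "STRING", True), ("vex_status", "STRING", True),
    ("introduced_range", "STRING", True), ("fixed_version", "STRING", True),
    ("source_bom_sha256", "STRING", False),
]
FIXED = {"content_type": "application/x-parquet", "compression": "snappy"}
FIELDS = ("sha256", "size", "content_type", "compression", "schema_fingerprint")
SORT_KEY = ("artifact_digest_sha256", "package_name", "package_version", "purl")


def schema_fingerprint(columns=COLUMNS):
    # ASSUMPTION: canonical form is one "name:TYPE:nullable" line per column in
    # listed order, hashed with SHA-256; the profile does not define the encoding.
    canon = "".join(f"{n}:{t}:{int(null)}\n" for n, t, null in columns)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def rows_in_stable_order(rows):
    # Determinism rule: rows are sorted by the four-column key.
    keys = [tuple(r[c] for c in SORT_KEY) for r in rows]
    return keys == sorted(keys)


def check_parquet_entry(manifest, payload):
    """Return None when the entry is absent or valid, else a failure code."""
    entry = manifest.get("files", {}).get("components.parquet")
    if entry is None:
        return None  # optional file: verification ignores it when absent
    if any(f not in entry for f in FIELDS):
        return "EXAMPLE_MISSING_FIELD"  # constructed code, not from the profile
    if any(entry[k] != v for k, v in FIXED.items()):
        return "EXAMPLE_BAD_FIXED_VALUE"  # constructed code
    digest = hashlib.sha256(payload or b"").hexdigest()
    if payload is None or entry["size"] != len(payload) or entry["sha256"] != digest:
        return "EXAMPLE_DIGEST_MISMATCH"  # constructed code
    if entry["schema_fingerprint"] != schema_fingerprint():
        return "ERR_PARQUET_FINGERPRINT_MISMATCH"  # code named by the profile
    return None
```

Because the fingerprint covers column order as well as names and types, a writer that reorders columns fails verification even when the data is otherwise identical.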