BE-455: HashQL: Introduce evaluation orchestrator

[indietyp]

🌟 What is the purpose of this PR?

Introduce the evaluation orchestrator: the runtime layer that drives HashQL query execution across the interpreter and PostgreSQL, handling suspension fulfillment, row hydration, continuation decoding, and result assembly.

When the MIR interpreter suspends on a GraphRead, it yields a description of the data it needs but can't fetch itself. The orchestrator takes that suspension, looks up the pre-compiled SQL, encodes parameters, executes the query, hydrates each result row into a typed Value tree, runs any client-side filter chains (which may themselves interleave interpreter and postgres execution), decodes continuation state for multi-island queries, and packages the result into a Continuation that resumes the interpreter.

🔍 What does this change?

Orchestrator (eval/src/orchestrator/)

• mod.rs: top-level Orchestrator that owns the database client and query registry. Provides run_in for full query execution and fulfill_in for resolving a single suspension.
• request/graph_read.rs: per-suspension handler that drives the query-execute-hydrate-filter-collect loop for GraphRead suspensions.
• partial.rs: three-state hydration (Skipped/Null/Value) that assembles flat result columns into nested vertex value trees matching the HashQL type hierarchy.
• codec/decode: deserializes JSON column values from tokio_postgres rows into typed Values, guided by the HashQL type system.
• codec/encode: serializes runtime Values and query parameters into forms tokio_postgres can send to the database.
• postgres.rs: continuation state for multi-island execution. When a compiled query returns continuation columns (target block, locals, serialized values), this hydrates and validates them, then flushes the decoded state into the interpreter's callstack.
• events.rs: opt-in event tracing with zero-cost () sink. AppendEventLog collects events into a Vec for test assertions.
• tail.rs: result accumulation strategies (currently Collect into a List).
• error.rs: structured bridge errors. All variants use Severity::Bug because if the bridge fails, the compiler or runtime produced something invalid.
• seed.rs, inputs.rs, directives.rs: test infrastructure for constructing orchestrator inputs from J-Expr test files.

Postgres extensions (eval/src/postgres/)

• types.rs: recursive type-tree navigation for resolving struct fields to concrete types.
• continuation.rs: naming conventions and expression helpers for continuation LATERAL subqueries.
• parameters.rs: new parameter kinds for temporal axes and continuation locals.
• traverse.rs: mapping from EntityPath to physical PostgreSQL columns (temporal ranges decomposed to JSONB intervals, edition/identity columns).
• filter/: client-side filter chain changes for multi-island filter bodies.

Compilation pipeline (compiletest/src/pipeline.rs)

• New Pipeline struct that drives the full J-Expr to prepared-SQL compilation sequence with staged access to intermediate results. Used by the orchestrator test harness and compiletest.

Test harness (eval/tests/orchestrator/)

• Integration test binary that spins up a PostgreSQL container, compiles J-Expr queries through the full pipeline, and executes them against the orchestrator.
• Discovers test cases from both .jsonc UI test files and programmatic Rust builders.
• Supports directives for temporal axis configuration and expected output comparison.

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

• does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

• are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

• do not affect the execution graph

🐾 Next steps

• Wire the orchestrator into the hash-graph API service for live query execution.
• Additional GraphRead tail strategies beyond Collect (e.g. streaming, pagination).

🛡 What tests cover this?

• Orchestrator integration tests (eval/tests/orchestrator/): end-to-end tests against a real PostgreSQL instance covering simple reads, filtered reads, diamond CFG filters, link data, metadata fields, let bindings, sequential filters, and entity type projections.
• Codec unit tests (orchestrator/codec/decode/tests.rs, codec/encode/tests.rs): round-trip encoding/decoding of values, parameters, and edge cases.
• Existing postgres UI tests (eval/tests/ui/postgres/): snapshot tests for SQL output.

❓ How to test this?

1. cargo nextest run --package hashql-eval
2. cargo test --package hashql-eval --doc
3. The orchestrator tests require Docker for the PostgreSQL testcontainer.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Ready	Preview, Comment	May 4, 2026 11:47am
petrinaut	Ready	Preview	May 4, 2026 11:47am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hashdotdesign	Ignored	Preview	May 4, 2026 11:47am
hashdotdesign-tokens	Ignored	Preview	May 4, 2026 11:47am

[indietyp]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• BE-513: HashQL: Rework dynamic aggregate size estimation #8697
• BE-512: HashQL: Allow cross-backend transitions for SwitchInt terminators #8696
• BE-524: HashQL: Remove island schedule module #8694
• BE-525: HashQL: Remove implicit type-widening from Integer operations, and make comparison size aware #8693
• BE-515: HashQL: Remove OFFSET 0 materialization fence from generated query #8650
• BE-514: HashQL: implement iterative adjustment passes in placement solver #8635
• BE-500, BE-501: HashQL: Unify mixed parameter resolution in data dependency analysis #8607
• BE-494: HashQL: Loop-breaker selection for recursive inlining #8600
• BE-482: HashQL: Remove logical not from MIR and fix postgres boolean lowering #8595
• BE-474: HashQL: Take into account terminator target eligibility in execution backend placement #8587
• BE-455: HashQL: Introduce evaluation orchestrator #8586 👈 (View in Graphite)
• BE-523: HashQL: Suspendable interpreter with structured values and input system #8675
• BE-522: HashQL: Expand stdlib type system with temporal types #8674
• BE-306: HashQL: PostgreSQL translation #8526
• BE-457: HashQL: MIR execution pipeline extensions for postgres compilation #8525
• BE-456: HashQL: Entity type model enrichment and graph store query extensions #8524
• BE-429: HashQL: Add island dependency graph with data requirement resolution #8501
• BE-428: HashQL: Simplify traversal tracking to path recording #8498
• BE-434: HashQL: Refactor entity storage path resolution with centralized schema mapping #8496
• BE-427: Add hashql-macros crate with procedural macros for ID types and symbols #8495
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[codecov]

Codecov Report

❌ Patch coverage is 73.35053% with 723 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.46%. Comparing base (4cc8b7a) to head (6a40e25).

Files with missing lines	Patch %	Lines
libs/@local/hashql/eval/src/orchestrator/error.rs	0.00%	249 Missing ⚠️
libs/@local/hashql/compiletest/src/pipeline.rs	0.00%	123 Missing ⚠️
...ibs/@local/hashql/eval/src/orchestrator/partial.rs	88.32%	66 Missing and 1 partial ⚠️
...bs/@local/hashql/eval/src/orchestrator/postgres.rs	66.17%	46 Missing ⚠️
...src/store/postgres/query/expression/conditional.rs	0.00%	41 Missing ⚠️
...hashql/eval/src/orchestrator/request/graph_read.rs	87.16%	31 Missing and 3 partials ⚠️
...l/hashql/eval/src/orchestrator/codec/decode/mod.rs	83.58%	24 Missing and 9 partials ⚠️
libs/@local/hashql/eval/src/postgres/types.rs	51.02%	21 Missing and 3 partials ⚠️
libs/@local/hashql/eval/src/orchestrator/mod.rs	78.21%	22 Missing ⚠️
...hashql/eval/src/orchestrator/codec/decode/tests.rs	94.47%	10 Missing and 10 partials ⚠️
... and 7 more

Additional details and impacted files

@@                                           Coverage Diff                                           @@
##           bm/be-523-hashql-suspendable-interpreter-with-structured-values-and    #8586      +/-   ##
=======================================================================================================
- Coverage                                                                71.84%   63.46%   -8.39%     
=======================================================================================================
  Files                                                                      899     1270     +371     
  Lines                                                                    84167   136782   +52615     
  Branches                                                                  4581     5476     +895     
=======================================================================================================
+ Hits                                                                     60470    86809   +26339     
- Misses                                                                   23093    49065   +25972     
- Partials                                                                   604      908     +304     

Flag	Coverage Δ
apps.hash-ai-worker-ts	1.41% <ø> (ø)
apps.hash-api	0.00% <ø> (ø)
blockprotocol.type-system	40.84% <ø> (?)
local.claude-hooks	0.00% <ø> (?)
local.harpc-client	51.24% <ø> (?)
local.hash-backend-utils	0.00% <ø> (ø)
local.hash-graph-sdk	9.63% <ø> (ø)
local.hash-isomorphic-utils	0.00% <ø> (ø)
rust.antsi	0.00% <ø> (?)
rust.error-stack	90.87% <ø> (?)
rust.harpc-codec	84.70% <ø> (?)
rust.harpc-net	96.21% <ø> (?)
rust.harpc-tower	67.03% <ø> (?)
rust.harpc-types	0.00% <ø> (?)
rust.harpc-wire-protocol	92.23% <ø> (?)
rust.hash-codec	72.76% <ø> (?)
rust.hash-graph-api	2.52% <ø> (?)
rust.hash-graph-authorization	62.34% <ø> (?)
rust.hash-graph-postgres-store	26.74% <0.00%> (?)
rust.hash-graph-store	37.76% <ø> (?)
rust.hash-graph-temporal-versioning	47.95% <ø> (?)
rust.hash-graph-types	0.00% <ø> (?)
rust.hash-graph-validation	83.45% <ø> (?)
rust.hashql-ast	87.23% <ø> (ø)
rust.hashql-compiletest	28.26% <0.00%> (-1.38%)	⬇️
rust.hashql-core	82.17% <ø> (ø)
rust.hashql-diagnostics	72.53% <ø> (ø)
rust.hashql-eval	79.69% <78.16%> (-1.40%)	⬇️
rust.hashql-hir	89.06% <ø> (ø)
rust.hashql-mir	91.58% <ø> (ø)
rust.hashql-syntax-jexpr	94.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codspeed-hq]

Merging this PR will not alter performance

✅ 80 untouched benchmarks

---

_{Comparing bm/be-455-hashql-create-evaluation-target-coordinator (6a40e25) with bm/be-523-hashql-suspendable-interpreter-with-structured-values-and (b2d61fe)¹}

Footnotes

1. No successful run was found on bm/be-523-hashql-suspendable-interpreter-with-structured-values-and (4cc8b7a) during the generation of this report, so c95c15f was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[vercel]

Deployment failed with the following error:

Invalid request: `attribution.gitUser` should NOT have additional property `isBot`.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

Vulnerabilities

Cargo.lock

Name	Version	Vulnerability	Severity	Patched Version
astral-tokio-tar	0.5.6	astral-tokio-tar insufficiently validates PAX extensions during extraction	moderate	N/A

License Issues

libs/@local/hashql/eval/Cargo.toml

Package	Version	License	Issue Type
futures-lite	>= 2.6.1, < 3.0.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
cargo/astral-tokio-tar	0.5.6	Unknown	Unknown
cargo/async-stream	0.3.5	🟢 4.2	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/async-stream-impl	0.3.5	🟢 4.2	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/base64	0.21.7	🟢 4.4	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Code-Review 🟢 5 Found 7/14 approved changesets -- score normalized to 5 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/bollard	0.20.2	🟢 4.5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Maintained 🟢 10 16 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 13/25 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/bollard-buildkit-proto	0.7.0	🟢 4.5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Maintained 🟢 10 16 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 13/25 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/bollard-stubs	1.52.1-rc.29.1.3	Unknown	Unknown
cargo/docker_credential	1.3.2	🟢 3.2	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/etcetera	0.11.0	Unknown	Unknown
cargo/ferroid	0.8.9	Unknown	Unknown
cargo/filetime	0.2.27	🟢 3.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 6 Found 18/30 approved changesets -- score normalized to 6 Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/home	0.5.5	🟢 7.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/hyper-named-pipe	0.1.0	Unknown	Unknown
cargo/hyperlocal	0.9.1	🟢 3.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 5 Found 9/17 approved changesets -- score normalized to 5 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/num	0.4.3	🟢 3.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 7 Found 7/10 approved changesets -- score normalized to 7 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/num-complex	0.4.6	🟢 3.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/10 approved changesets -- score normalized to 2 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/num-iter	0.1.45	🟢 3.4	Details Check Score Reason Code-Review 🟢 3 Found 3/8 approved changesets -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/num-rational	0.4.2	🟢 3.7	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 5 Found 5/10 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/parse-display	0.9.0	🟢 3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/parse-display-derive	0.9.0	🟢 3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/plain	0.2.3	⚠️ 2.1	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ -1 no dependencies found Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 1 Found 3/24 approved changesets -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/redox_syscall	0.7.3	Unknown	Unknown
cargo/serde_repr	0.1.20	🟢 4.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/29 approved changesets -- score normalized to 0 Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 3 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/testcontainers	0.27.1	🟢 4.8	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 17 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 7/12 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
cargo/testcontainers-modules	0.15.0	Unknown	Unknown
cargo/xattr	1.6.1	🟢 3.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 1 Found 4/29 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/futures-lite	>= 2.6.1, < 3.0.0	Unknown	Unknown

Scanned Files

• Cargo.lock
• libs/@local/hashql/eval/Cargo.toml

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit aba337d. Configure here.}