
Drop bincode 1.x (RUSTSEC-2025-0141) by swapping hnsw_rs in the benchmark crate #241

@Fieldnote-Echo

Description

Scope: dev-only — the unpublished benchmark crate ONLY

This concerns benchmarks/beir-bench exclusively, a workspace member with
publish = false that is excluded from the published ordvec crate and the
ordvec PyPI wheel. The shipped artifacts are not affected:
cargo tree -p ordvec --all-features --edges normal,build,dev is clean of
bincode. No public API, crate consumer, or wheel user is touched by this issue.

Problem

benchmarks/beir-bench depends on hnsw_rs 0.3.x (the pure-Rust HNSW comparator
in the BEIR benchmark), which transitively pulls in bincode 1.x. That trips
RUSTSEC-2025-0141, an unmaintained-crate advisory (informational, not a
vulnerability). OSV / OpenSSF Scorecard counts it repo-wide.

PR #240 triaged it with a documented deny.toml ignore (cargo-deny is configured
to error on unmaintained crates, so the ignore keeps CI green). This issue tracks
the clean elimination so the ignore can be removed and the Scorecard count
reaches zero.

Proposed fix

Swap hnsw_rs for a maintained pure-Rust HNSW crate that does not depend on
bincode 1.x — e.g. evaluate instant-distance, or move to a future hnsw_rs
release that drops bincode 1.x — in the benchmark crate only.

This overlaps naturally with the sublinear-candidate-gen research (the
HNSW-over-codes direction): if a better/maintained HNSW crate is adopted there,
bincode disappears for free.

Done when

  • cargo audit / OSV shows no RUSTSEC-2025-0141 in the dependency tree
  • the benchmark still builds and produces equivalent HNSW baseline results
  • the RUSTSEC-2025-0141 ignore is removed from deny.toml
  • no change to the published crate, wheel, or public API (verify cargo tree -p ordvec stays clean)
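The first and last "done when" checks both come down to reading cargo tree output and asking which workspace member reaches a flagged crate. Below is an added example, not code from the ordvec project or from this issue, that parses cargo tree text, walks the box-drawing prefixes to recover the dependency path, skips [dev-dependencies]-style group labels, and filters on the major version so that only bincode 1.x counts against the advisory. The two tree texts are constructed to mirror the situation described above; the versions, the /work paths and the bench-cache crate are assumptions, as are the function names parse_tree, find_crate, is_clean and report.

```rust
//! Locate a flagged crate in `cargo tree` output and show who pulls it in.
//!
//! Added example for this issue, not code from the ordvec project. The tree
//! text is constructed to mirror the situation the issue describes
//! (beir-bench -> hnsw_rs -> bincode 1.x); versions, paths and the
//! `bench-cache` crate are made up.

/// One match found by `find_crate`: crate names from the root down to the
/// match, plus the matched crate's version string.
#[derive(Debug, PartialEq)]
pub struct Hit {
    pub path: Vec<String>,
    pub version: String,
}

/// Parse `cargo tree` text into (path, version) nodes. Depth comes from the
/// 4-column box-drawing prefix; `[dev-dependencies]`-style group labels are
/// skipped because their children attach to the enclosing crate. Run cargo
/// tree with `--no-dedupe` if you need every path, since `(*)` marks a
/// subtree that cargo omitted as already printed.
pub fn parse_tree(text: &str) -> Vec<(Vec<String>, String)> {
    let mut stack: Vec<String> = Vec::new();
    let mut nodes = Vec::new();
    for raw in text.lines() {
        if raw.trim().is_empty() {
            continue;
        }
        let body = raw.trim_start_matches(|c| matches!(c, '│' | '├' | '└' | '─' | ' '));
        let depth = (raw.chars().count() - body.chars().count()) / 4;
        if body.starts_with('[') {
            continue; // group label such as [dev-dependencies]
        }
        let mut parts = body.split_whitespace();
        let name = parts.next().unwrap_or_default();
        let version = parts
            .next()
            .and_then(|v| v.strip_prefix('v'))
            .unwrap_or_else(|| panic!("unrecognised cargo tree line: {raw:?}"));
        stack.truncate(depth);
        stack.push(name.to_string());
        nodes.push((stack.clone(), version.to_string()));
    }
    nodes
}

/// Every path ending in `crate_name`; with `major = Some(n)` only that major.
pub fn find_crate(text: &str, crate_name: &str, major: Option<u64>) -> Vec<Hit> {
    parse_tree(text)
        .into_iter()
        .filter(|(path, _)| path.last().map(String::as_str) == Some(crate_name))
        .filter(|(_, version)| match major {
            None => true,
            Some(m) => version.split('.').next().and_then(|s| s.parse::<u64>().ok()) == Some(m),
        })
        .map(|(path, version)| Hit { path, version })
        .collect()
}

/// True when no edge in the tree reaches the crate (for that major, if given).
pub fn is_clean(text: &str, crate_name: &str, major: Option<u64>) -> bool {
    find_crate(text, crate_name, major).is_empty()
}

/// Lines such as `beir-bench -> hnsw_rs -> bincode v1.3.3`, one per hit.
pub fn report(text: &str, crate_name: &str, major: Option<u64>) -> Vec<String> {
    find_crate(text, crate_name, major)
        .iter()
        .map(|h| format!("{} v{}", h.path.join(" -> "), h.version))
        .collect()
}

// Constructed sample of `cargo tree -p beir-bench --edges normal,build,dev`.
pub const TREE_BENCH: &str = r#"
beir-bench v0.1.0 (/work/benchmarks/beir-bench)
├── hnsw_rs v0.3.1
│   ├── bincode v1.3.3
│   │   └── serde v1.0.210
│   └── rayon v1.10.0
├── ordvec v0.3.0 (/work/ordvec)
│   ├── ndarray v0.15.6
│   └── serde v1.0.210 (*)
└── bench-cache v0.2.0
    └── bincode v2.0.1
        └── serde v1.0.210 (*)
[dev-dependencies]
└── criterion v0.5.1
    └── serde v1.0.210 (*)
"#;

// Constructed sample of `cargo tree -p ordvec --all-features --edges normal,build,dev`.
pub const TREE_ORDVEC: &str = r#"
ordvec v0.3.0 (/work/ordvec)
├── ndarray v0.15.6
│   └── num-traits v0.2.19
└── serde v1.0.210
"#;

fn main() {
    for (label, tree) in [("beir-bench", TREE_BENCH), ("ordvec", TREE_ORDVEC)] {
        let lines = report(tree, "bincode", Some(1));
        if lines.is_empty() {
            println!("{label}: clean of bincode 1.x");
        } else {
            for line in lines {
                println!("{label}: {line}");
            }
        }
    }
}
```

In CI this would wrap `cargo tree -p ordvec --all-features --edges normal,build,dev --no-dedupe` and fail the job when `is_clean` is false for the published crate, which makes the last bullet above a check rather than a manual read of the tree; the major-version filter is what keeps a future bincode 2.x dependency from being mistaken for the 1.x advisory.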

Labels: dependencies (Pull requests that update a dependency file), dev-only (Affects only dev/benchmark/test tooling, not the published crate or PyPI wheel), rust (Pull requests that update rust code)