datalog: aggregate validates that agg-var appears in goal

`count(N, Y, p(X))` silently returned `N = 1` because `Y` was never
bound by the goal — every match contributed the same unbound symbol
which dl-val-member? deduped to a single entry. Similarly:

  sum(S, Y, p(X))    => raises "expected number, got symbol"
  findall(L, Y, p(X)) => L = (Y)  (a list containing the unbound symbol)
  count(N, Y, p(X))   => N = 1    (silent garbage)

Added a third validator in dl-eval-aggregate: the agg-var must
syntactically appear among the goal's variables. Error names the
variable and the goal and explains why the result would be
meaningless.

1 new test; conformance 263/263.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

plans/datalog-on-sx.md

@@ -15,7 +15,7 @@ for rose-ash data (e.g. federation graph, content relationships).
 
 ## Status (rolling)
 
-`bash lib/datalog/conformance.sh` → **262/262 across 11 suites**
+`bash lib/datalog/conformance.sh` → **263/263 across 11 suites**
 (tokenize, parse, unify, eval, builtins, semi_naive, negation, aggregates,
 api, magic, demo). Source is ~3100 LOC, tests ~2900 LOC, public API
 documented in `lib/datalog/datalog.sx`.
@@ -320,6 +320,15 @@ large graphs.
 
 _Newest first._
 
+- 2026-05-11 — Aggregate variable validation: `count(N, Y, p(X))`
+  silently returned `N = 1` because `Y` was never bound in `p(X)` —
+  every match contributed the same unbound symbol, which dl-val-member?
+  deduped to a single entry. Similarly `sum(S, Y, p(X))` raised a
+  confusing "expected number" error from the underlying `+`. Added
+  a third validator in `dl-eval-aggregate`: the agg-var must appear
+  in the goal literal. Error names the variable and the goal and
+  explains the consequence. 1 new test; 263/263.
+
 - 2026-05-11 — `dl-retract!` was silently destroying EDB facts in
   "mixed" relations (those with BOTH user-asserted facts AND a rule
   defining the same head). The retract pass wiped every rule-head