datalog: reject malformed dict body literals

A dict in a rule body that isn't `{:neg <positive-lit>}` (the only
recognised dict shape) used to silently fall through every dispatch
clause in dl-rule-check-safety, contributing zero bound variables.
The user would then see a confusing "head variable(s) X do not
appear in any positive body literal" pointing at the head — not at
the actual bug in the body. Typos like `{:negs ...}` are the typical
trigger.

dl-process-lit! now flags both:

  - a dict that lacks :neg
  - a bare number / string / symbol used as a body lit

with a clear error naming the offending literal.

1 new regression test; conformance 265/265.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

plans/datalog-on-sx.md

@@ -15,7 +15,7 @@ for rose-ash data (e.g. federation graph, content relationships).
 
 ## Status (rolling)
 
-`bash lib/datalog/conformance.sh` → **264/264 across 11 suites**
+`bash lib/datalog/conformance.sh` → **265/265 across 11 suites**
 (tokenize, parse, unify, eval, builtins, semi_naive, negation, aggregates,
 api, magic, demo). Source is ~3100 LOC, tests ~2900 LOC, public API
 documented in `lib/datalog/datalog.sx`.
@@ -320,6 +320,15 @@ large graphs.
 
 _Newest first._
 
+- 2026-05-11 — Body literal shape validation in
+  `dl-rule-check-safety`: a dict that isn't `{:neg ...}` (e.g. typo'd
+  `{:negs ...}`) used to silently fall through every dispatch clause,
+  contributing zero bound vars; the user would then see a confusing
+  "head var X unbound" error pointing at the head, not the malformed
+  body. Same for body lits that are bare numbers / strings / symbols.
+  Both shapes now raise a clear error naming the offending lit. 1 new
+  regression test; 265/265.
+
 - 2026-05-11 — Division by zero in `is` silently produced IEEE
   infinity instead of raising. `is(R, /(X, 0))` returned `R = inf`,
   which then flowed through comparisons and aggregations to produce