Synthesized _max aux can shadow user-authored variables

[bpowers]

Problem

In src/simlin-engine/src/systems/translate.rs (around line 505), the translator synthesizes standalone max auxiliary variables named {stock_canon}_max for stocks that have a non-infinite max but are not flow destinations. This creates a reserved identifier pattern that can silently shadow a user-authored variable.

For example, in a model with stock A(10, 20) and a separate user-authored stock named a_max, the synthesized aux a_max collides with the user's stock. The result is silent, incorrect behavior -- the user's variable is effectively replaced by the synthesized one without any error or warning.

Why it matters

• Correctness: A valid user model can produce silently wrong simulation results due to name collision.
• Developer experience: There is no diagnostic or error message alerting the user to the conflict, making the bug very difficult to track down.
• Maintainability: The implicit namespace reservation of *_max is not documented and not enforced at the model validation layer.

Component(s) affected

• simlin-engine -- specifically src/simlin-engine/src/systems/translate.rs

Possible approaches

1. Namespace the synthesized aux: Use a name that cannot collide with user identifiers (e.g., a prefix like __synth_ or a character not valid in user identifiers).
2. Collision detection: Check whether a variable with the synthesized name already exists and emit a diagnostic error if so.
3. Avoid synthesizing a separate variable: Inline the max constraint directly into the stock's update logic rather than creating a named aux.

Context

Identified during review related to PR #436. This is pre-existing code from commit 0ad8fa9, not introduced by that PR.