Expand rule actions for per-repo tasks

Add safe action interpolation and for_each binding for rule fan-out, update the weekly SBOM definition, cover the new evaluation path, and reconcile activity-core scope/workplans for the State Hub sync.

activity-definitions/weekly-sbom-staleness.md

@@ -28,21 +28,17 @@ SBOM staleness and flags any repository whose SBOM is older than 30 days.
 
 ```rule
 id: flag-stale-sbom
-condition: 'context.repos.sbom_age_days > 30'
+for_each: context.repos.repos
+bind_as: repo
+condition: 'context.repo.sbom_age_days > 30'
 action:
-  task_template: tasks/sbom-rescan.md
-  target_repo: context.repos.repo_slug
+  task_template: Run SBOM rescan for {context.repo.repo_slug}
+  target_repo: context.repo.repo_slug
   priority: medium
   labels: ["sbom", "security", "automated"]
 ```
 
-NOTE: in the production bulk-mode resolver path the condition matches against
-the **worst** repo's age (the resolver hoists the worst entry's
-`sbom_age_days`, `repo_slug`, `last_sbom_at`, `has_sbom` to the top of
-`context.repos` alongside the per-repo list and summary counts). The rule
-therefore fires at most once per workflow run, not once per stale repo. The
-aspirational per-stale-repo task fan-out is exercised by the integration
-tests' simulated pipeline but is not delivered by the current workflow —
-landing it requires (a) per-iteration context binding in the workflow and
-(b) `context.*` interpolation in rule action fields. Both are tracked as
-`ADHOC-2026-06-01-T02`.
+The bulk resolver exposes the per-repo entries under `context.repos.repos`.
+The rule uses explicit `for_each` binding so the workflow evaluates the
+condition once per repository and emits one task per stale repo. Action fields
+may reference the bound item with `context.repo.*`.