Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

data/generated/workflows/android-analysis-workflow.txt

@@ -0,0 +1,68 @@
+============================================================
+  Android Malware Analysis
+============================================================
+
+  Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.
+
+────────────────────────────────────────────────────────────
+
+  Step 1: APK Triage
+  Tools: file, apkid
+  Verify file type and check for packers/obfuscators.
+  APKiD detects: known packers (DexGuard, Bangcle),
+  obfuscators, anti-debug techniques.
+
+    $ file specimen.exe
+
+  Step 2: Manifest Analysis
+  Tools: apktool
+  Decompile APK: apktool d <apk> -o output/. Examine
+  AndroidManifest.xml for: excessive permissions,
+  receivers, services, exported components, intent
+  filters.
+
+    $ apktool d <app.apk> -o output/
+
+  Step 3: Source Code Recovery
+  Tools: jadx
+  Decompile DEX to Java: jadx <apk> -d output/. Review
+  source code for: C2 URLs, crypto operations, SMS
+  interception, data exfiltration, root checks.
+
+    $ jadx <app.apk> -d output/
+
+  Step 4: Static Analysis
+  Tools: androguard, droidlysis
+  androguard: analyze APK structure, permissions,
+  activities. droidlysis: automated static analysis with
+  IOC extraction. Check for: hardcoded keys, URLs,
+  suspicious API usage.
+
+    $ androguard analyze <app.apk>
+
+  Step 5: Native Library Analysis
+  Tools: strings, radare2
+  If APK contains .so libraries: extract from lib/
+  directory. Analyze with strings and radare2. Native
+  code often hides C2 logic and crypto.
+
+    $ strings binary.exe
+    $ r2 specimen.exe
+
+  Step 6: Dynamic Instrumentation
+  Tools: frida
+  Hook suspicious functions at runtime: frida -U -l
+  hook.js <package>. Intercept: crypto operations,
+  network calls, file access, SMS operations.
+
+    $ frida -l hook.js <process_name>
+
+  Step 7: Document Findings
+  Record: package name, permissions abused, C2
+  infrastructure, data exfiltrated, persistence
+  mechanism, targeted user data (SMS, contacts,
+  location).
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser