Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

data/generated/workflows/index.txt

@@ -0,0 +1,95 @@
+============================================================
+  Available Analysis Workflows
+============================================================
+
+  static-analysis-workflow
+    Static Properties Analysis
+    Systematic static examination of a suspicious file
+    without executing it. Works for PE, ELF, .NET,
+    scripts, and documents.
+
+  behavioral-analysis-workflow
+    Behavioral Analysis
+    Monitor runtime behavior in an isolated environment.
+    Applicable to any executable or script on Linux
+    (REMnux) or Windows.
+
+  network-interception-workflow
+    Network Traffic Interception
+    Redirect and analyze malware network traffic in an
+    isolated REMnux environment. Covers DNS, HTTP,
+    HTTPS, and raw IP interception.
+
+  document-analysis-workflow
+    Malicious Document Analysis
+    Analyze suspicious documents (PDF, Office, RTF,
+    OneNote) for embedded malware, macros, and exploits.
+    Follows Zeltser's 6-step methodology.
+
+  javascript-deobfuscation-workflow
+    JavaScript Deobfuscation
+    Deobfuscate and analyze malicious JavaScript from
+    web pages, email attachments, or document macros.
+
+  unpacking-workflow
+    Unpacking Packed Executables
+    Unpack compressed, encrypted, or obfuscated
+    executables to reveal the original code. Covers
+    automated and manual techniques.
+
+  code-injection-workflow
+    Code Injection Analysis
+    Identify and analyze process injection techniques
+    including DLL injection, process hollowing, and
+    reflective loading.
+
+  dotnet-analysis-workflow
+    .NET Malware Analysis
+    Analyze .NET malware using decompilation, debugging,
+    and deobfuscation. Works for .NET Framework, .NET
+    Core, and mixed-mode assemblies.
+
+  shellcode-analysis-workflow
+    Shellcode Analysis
+    Analyze extracted shellcode from documents,
+    exploits, or injected processes. Covers detection,
+    emulation, and payload identification.
+
+  string-deobfuscation-workflow
+    String & Data Deobfuscation
+    Decode obfuscated strings and data in malware.
+    Covers XOR, Base64, stack strings, custom
+    algorithms, and multi-layer encoding.
+
+  memory-forensics-workflow
+    Memory Forensics
+    Analyze memory dumps to find malware artifacts,
+    injected code, and hidden processes. Uses Volatility
+    3 framework on REMnux.
+
+  android-analysis-workflow
+    Android Malware Analysis
+    Analyze suspicious Android APK files using static
+    and dynamic techniques available in REMnux.
+
+  java-analysis-workflow
+    Java Malware Analysis
+    Analyze malicious Java archives (JAR), applets, and
+    compiled classes. Covers decompilation and code
+    analysis.
+
+  email-analysis-workflow
+    Email & Phishing Analysis
+    Analyze suspicious email messages for phishing
+    indicators, malicious attachments, and weaponized
+    links.
+
+  cobalt-strike-workflow
+    Cobalt Strike Analysis
+    Analyze Cobalt Strike beacons, configurations, and
+    network traffic using Didier Stevens' CS toolkit on
+    REMnux.
+
+────────────────────────────────────────────────────────────
+  Usage: fhelp workflow <name>
+  Example: fhelp workflow static-analysis