Dev:WorkflowKit.framework

WorkflowKit is the framework that acts as the backend to the Shortcuts app. It provides around 80% of the functionality of the Shortcuts app, including (but not limited to) actions (though ActionKit also powers a lot of them), and handles how shortcuts are imported, how they're stored, etc. While it was technically added in 12.0, most of its functionality came in iOS 13.0. (Some classes from the iOS 13.0+ WorkflowKit are similar to ones in the WorkflowAppKit.framework that's embedded in the iOS 12 Shortcuts app.)

For examples on how to use this framework, see the Example Code section of this page.

WFWorkflowRecord
WFWorkflowRecord is how shortcuts are stored. The most important part is the actions: every action has an action identifier (WFWorkflowActionIdentifier), and some have parameters describing what is in the action (WFWorkflowActionParameters). It also handles other data about the shortcut, such as its name and the minimum client version it can be imported on.

WFBundledActionProvider
WFBundledActionProvider tells WorkflowKit which actions to load. It loads actions from WFActions.plist inside WorkflowKit. Each of those actions has an ActionClass entry, which determines the class of the action (WFBundledActionProvider calls NSClassFromString on the class specified, most of which are in ActionKit.framework), as well as other info.

WFAction
WFAction is the base class that every Shortcuts action uses. Note that actions aren't instances of WFAction itself, but of their own classes that inherit from it (for example, WFExitShortcut in ActionKit).

WFShortcutExtractor
WFShortcutExtractor is a brand new class in iOS 15 dedicated to exporting shortcuts.

The -(void)extractShortcutFile:(id)arg0 completion:(id)arg1 method checks whether the first four characters of the file are AEA1. If so, it treats the file being imported as a signed shortcut file and calls -(void)extractSignedShortcutFile:(id)arg0 completion:(id)arg1; if not, it treats it as an unsigned shortcut file and calls -(void)extractWorkflowFile:(id)arg0 completion:(id)arg1.

-(void)extractWorkflowFile:(id)arg0 completion:(id)arg1 checks whether the allowsOldFormatFile BOOL is true (normally never true); if not, and if it is an internal build of VoiceShortcutsClient, it also checks WFShortcutsFileSharingEnabled from the Shortcuts preferences plist. If none of these are true it shows an error, but if one is true it calls -(void)extractWorkflowFile:(id)arg0 shortcutName:(id)arg1 shortcutFileContentType:(NSInteger)arg2 iCloudIdentifier:(id)arg3 completion:(id)arg4, with an iCloud identifier and shortcut file content type of 0x0. extractSignedShortcutFile determines the shortcut file type and then calls -(void)extractWorkflowFile:(id)arg0 shortcutName:(id)arg1 shortcutFileContentType:(NSInteger)arg2 iCloudIdentifier:(id)arg3 completion:(id)arg4.
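The following is an added example, not code from WorkflowKit or from this page's author. It models the import dispatch described above (AEA1 files go to the signed path) and goes one step further by listing the WFWorkflowActionIdentifier and WFWorkflowActionParameters entries of an unsigned file for review before import. The function names are hypothetical, the top-level WFWorkflowActions key is an assumption about the unsigned plist layout, and the sample files are constructed.

```python
import plistlib

AEA_MAGIC = b"AEA1"  # the four characters extractShortcutFile:completion: looks for
SIGNED_ROUTE = "extractSignedShortcutFile:completion:"
UNSIGNED_ROUTE = ("extractWorkflowFile:shortcutName:shortcutFileContentType:"
                  "iCloudIdentifier:completion:")

def classify_shortcut(data: bytes) -> str:
    """'signed' when the file starts with AEA1, otherwise 'unsigned'."""
    return "signed" if data[:4] == AEA_MAGIC else "unsigned"

def import_route(data, allows_old_format=False, internal_build=False,
                 file_sharing_enabled=False) -> str:
    """Model of the dispatch: which selector handles the file, or 'error'."""
    if classify_shortcut(data) == "signed":
        return SIGNED_ROUTE
    # Unsigned files pass only if allowsOldFormatFile is set, or on an internal
    # build with WFShortcutsFileSharingEnabled set in the preferences.
    if allows_old_format or (internal_build and file_sharing_enabled):
        return UNSIGNED_ROUTE
    return "error"

def list_actions(data: bytes):
    """Return [(action identifier, sorted parameter names)] for an unsigned file."""
    if classify_shortcut(data) == "signed":
        raise ValueError("AEA1 file: payload is not a plain plist")
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # truncated or non-plist input
        raise ValueError(f"not a parseable plist: {exc}") from exc
    actions = root.get("WFWorkflowActions", []) if isinstance(root, dict) else []
    result = []
    for action in actions:
        if not isinstance(action, dict):
            continue  # skip malformed entries instead of crashing the audit
        params = action.get("WFWorkflowActionParameters", {})
        names = sorted(params) if isinstance(params, dict) else []
        result.append((action.get("WFWorkflowActionIdentifier", "<missing>"), names))
    return result

# Constructed samples: a two-action unsigned shortcut and a magic-only stub.
SAMPLE_UNSIGNED = plistlib.dumps({"WFWorkflowActions": [
    {"WFWorkflowActionIdentifier": "is.workflow.actions.gettext",
     "WFWorkflowActionParameters": {"WFTextActionText": "hello"}},
    {"WFWorkflowActionIdentifier": "is.workflow.actions.exit"},
]}, fmt=plistlib.FMT_BINARY)
SAMPLE_SIGNED = AEA_MAGIC + bytes(12)  # not a valid archive, header magic only

if __name__ == "__main__":
    print(import_route(SAMPLE_SIGNED), import_route(SAMPLE_UNSIGNED))
    print(list_actions(SAMPLE_UNSIGNED))
```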

WFGallerySessionManager
WFGallerySessionManager handles various gallery things, such as uploading shortcuts to iCloud. Be aware that some methods in here do not have any code in release builds, such as deleteCollection/deleteBanner.

WFP2PSignedShortcutFileExporter
WFP2PSignedShortcutFileExporter is a brand new class in iOS 15 dedicated to signing contact signed shortcuts.

WFiCloudShortcutFileExporter
WFiCloudShortcutFileExporter is a brand new class in iOS 15 dedicated to signing iCloud signed shortcuts. It's noted that while it is new to iOS 15, all it does is upload the shortcut to iCloud using WFGallerySessionManager methods and get the signed shortcut from iCloud; since the WFGallerySessionManager methods also exist on iOS 13/14, this class can easily be backported.

WFShortcutiCloudLinkExporter
WFShortcutiCloudLinkExporter is a brand new class in iOS 15 dedicated to signing iCloud signed shortcuts. It has the same functionality as WFiCloudShortcutFileExporter; it just returns an iCloud URL to the shortcut instead of a file URL to the signed shortcut. While it was added in iOS 15+, it can easily be backported to iOS 13/14; check the example code below.

WFShortcutSigningContext
WFShortcutSigningContext is a brand new class in iOS 15 dedicated to the content of the signed shortcut file. The method -(void)validateAppleIDValidationRecordWithCompletion:(id)arg0 is responsible for verifying that imported contact-signed shortcuts are related to the user or their contacts. It first performs [[[SFAppleIDClient alloc]init]myAccountWithError:nil]altDSID]isEqualToString:[self appleIDValidationRecord to check whether the DSID inside the shortcut being imported matches the altDSID of the user's own account. If not, it checks whether private sharing is enabled and, if so, checks that the SHA256 email hash / phone hash in the shortcut matches any of the user's contacts.

WFShortcutPackageFile
WFShortcutPackageFile is another brand new class in iOS 15. To be honest I'm not 100% knowledgeable on everything this class does, but it appears to handle a lot of AEA handling, as well as some stuff dealing with signing. I should note that there is a memory leak in its preformShortcutDataExtractionWithCompletion: method (and I could be wrong about this and I just overlooked where it frees it, but I looked it over a couple of times and I can't seem to find the 2nd free anywhere), since it only frees a blob when it fails to extract info in a specific way. The generateSignedShortcutFileRepresentationWithAccount:error: method is what generates the private signing key (kSecAttrKeyTypeECSECPrimeRandom) and calls generateSignedShortcutFileRepresentationWithPrivateKey:signingContext:error: with it.

Importing an unsigned shortcut from a file path (iOS 15+)
(Note: I tested this while injecting into Shortcuts. However, if you are using this outside the Shortcuts process, [WFDatabase defaultDatabase] may return NULL, since WFInitializeProcess is what sets it. If you want to initialize it the way WFInitializeProcess does without calling it, call [[WFDatabase alloc] initWithStoreDescription:[NSPersistentStoreDescription wf_shortcutsConfiguration] runMigrationsIfNecessary:YES useLockFile:YES error:err], which should give you the Shortcuts database.)

libshortcutsign
libshortcutsign is a library by Snoolie K / 0xilis that replicates WorkflowKit's behavior for contact signing, allowing you to contact sign a shortcut without needing to link WorkflowKit (assuming you have already managed to extract your Apple ID Validation Record certificates; you may want to use https://github.com/seemoo-lab/airdrop-keychain-extractor ), and even to sign in a regular jailed application. It also allows you to extract the auth data from a contact signed shortcut, extract/decrypt an unsigned shortcut from a contact signed shortcut, and verify a contact signed shortcut. Be aware that if you want to use it to sign, you'll need to construct the auth data yourself; you can try extracting the auth data from another contact signed shortcut to get a better understanding. Another helpful resource is the decompilation of WorkflowKit's shortcut signing, especially WFShortcutPackageFile and WFShortcutSigningContext; WorkflowKit uses contextWithAppleIDAccount:signingKey: to generate the auth data, which you can find in the decomp. Directly copying and pasting the decompilation shouldn't be done, at least for public projects, as it might get you into some hot water with Apple's legal team, but it is great to use as a reference for how you could build your own method to do this. Probably the best resource, though, is Snoolie K's paper on contact signed shortcuts, https://github.com/0xilis/blog/blob/main/shortcuts/ReversingContactSignedShortcuts.md. You can find libshortcutsign here: https://github.com/0xilis/libshortcutsign.