Forms: Allow submitting form previews as test responses

[enejb]

Fixes FORMS-638

Proposed changes

• Form preview submissions are now allowed. The PHP and JS guards that blocked submission from ?jetpack_form_preview=… previews have been replaced with a form-id-scoped nonce verification, so editors can submit the form to verify the entire pipeline (validation, success state, email delivery).
• Test feedback is stored on Feedback_Source. When the submission comes from preview, the feedback is flagged via a new is_test field on Feedback_Source that travels inside the serialized v3 post content. Storage uses the normal publish post status — no new post status, no new post meta.
• Akismet is bypassed for test submissions and the unread counter is not bumped (test responses are created already-read).
• Notification email is annotated. Test submissions always send the email (gated by a new jetpack_forms_send_test_feedback_email filter), the subject is prefixed with [TEST] (filterable via jetpack_forms_test_subject_prefix), and the email body gets a prominent banner. The "Mark as spam" footer link is dropped for test entries.
• Dashboard surfaces test responses.
  • List, From column: small Test badge (intent="informational") rendered before the respondent name.
  • List, Source column: linked Form Preview badge in place of the source URL.
  • Detail panel: Test badge as the first line above the respondent block, and the Source row renders a Form Preview link to the regenerated preview URL.
• REST endpoint exposes is_test and preview_url. Schema gets two new read-only properties; prepare_item_for_response() populates them. preview_url is generated via Form_Preview::generate_preview_url() against the feedback's parent form id, only for test responses.
• CSV export auto-handles test responses.
  • No selection → test responses are excluded automatically; the export modal shows an info notice at the bottom.
  • Selection contains test rows → the modal shows a warning notice at the top stating they will be included.
  • No checkbox, no opt-in clicks. The "include" decision is derived purely from whether the user provided an explicit selection.

Related product discussion/links

• N/A

Does this pull request change what data or activity we track or use?

No. The new is_test flag lives in the existing serialized feedback content; no new tables, no new tracks events, no new tracking surfaces. Notification emails go to the same recipients they always have.

Testing instructions

1. Open the editor for any page that contains a Contact Form block (or open a jetpack_form directly).
2. Click the form's Preview action — this opens a server-side preview at ?jetpack_form_preview=<id>&preview_nonce=…. Confirm the banner now reads "This is a preview. Submissions are saved as test responses."
3. Fill out the form and submit it.
   • Expect the standard confirmation screen (no "submissions are disabled" error).
   • Expect a notification email to land in the form owner's inbox with a [TEST] subject prefix and an amber Test submission from form preview banner at the top of the body.
4. Open the responses dashboard and confirm:
   • The new row appears in the Inbox.
   • The From column shows a small blue Test badge before the respondent name.
   • The Source column shows a linked Form Preview badge instead of an external URL.
   • Clicking the row's detail panel shows a Test badge above the gravatar/name block, and the Source: row reads Form Preview linked to the preview URL.
5. Open the Export responses modal with no rows selected → expect an info notice at the bottom: "Test responses from form preview are excluded from this export…". Download the CSV → confirm the test row is absent.
6. In the responses list, tick the test row's checkbox, then re-open the export modal → expect a warning notice at the top: "Your selection includes 1 test response from form preview…". Download the CSV → confirm the test row is now present.
7. From the dashboard, mark the test entry as spam → it should move to the Spam view like any other spam entry.
8. Adversarial: open a fresh preview URL while logged out (or DevTools-tamper the hidden jetpack_form_preview_nonce) and submit → expect the submission to be rejected.
9. Run the package test suites:

   cd projects/packages/forms
   composer test-php
   pnpm test
   

Dashboard:

Email:

Export modal (default)

Export modal (with test responses selected)

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the add/submit-preview-forms branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack add/submit-preview-forms

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[jp-launch-control]

Code Coverage Summary

Coverage changed in 13 files. Only the first 5 are listed here.

File	Coverage	Δ%	Δ Uncovered
projects/packages/forms/src/contact-form/class-contact-form-endpoint.php	921/1099 (83.80%)	-0.54%	15 💔
projects/packages/forms/src/contact-form/class-feedback-email-renderer.php	311/351 (88.60%)	-3.49%	14 💔
projects/packages/forms/src/dashboard/components/inspector/response-meta/index.tsx	0/25 (0.00%)	0.00%	9 💔
projects/packages/forms/src/dashboard/inbox/stage/index.js	0/202 (0.00%)	0.00%	8 💔
projects/packages/forms/src/dashboard/components/export-responses/modal.tsx	0/13 (0.00%)	0.00%	6 💔

Full summary · PHP report · JS report

_{If appropriate, add one of these labels to override the failing coverage check: Covered by non-unit tests Use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code Coverage tests to be added later Use to ignore the Code coverage requirement check when tests will be added in a follow-up PR I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage.}

[simison]

Wondering if “previewing unpublished posts” type capability would be more suitable here :thinking_face:

[simison]

We should think about how to improve the "test" badge:

• Visually looks clunky, especially in the row.

• Sidebar is better, though spacing feels off by being inconsistent in every direction: adding bottom padding might help?

• How does it look with variation without name, without email, or with just IP?

• Link for a different action (preview form) within within name area which also is a link (to see response) is surprising. It's also not clear that "test" would lead to previewing the form.

For the "preview" link/badge:

Let's keep links looking like links rather than badges, and ↗ there to indicate links opening new tabs.

I think we could just not have this notice at all — from reading code it looks like it appears even if user doesn't have any test responses?

[simison]

Suggested change

	const label = __( 'Form Preview', 'jetpack-forms' );
	const label = __( 'Form preview', 'jetpack-forms' );

We should always use sentence case.

[ilonagl]

This is great work, @enejb! So glad you're working on this. 🙌

The badge placement pushes the whole row down, which isn't ideal. Could we use the same white badge as in the dataViews, but place it in the same row (centered) with name and email, just place it on the other side (right)?

I'd place the warning outside the content, and above the content card at the top.

The warning makes it feel like something is wrong, but test data is nothing dangerous. I wonder if we even need to announce/share this?

I feel like the source should still be the actual name of the form.

The badge in the front breaks the flow, let's add at in the end. And also I'd consider the badge to be either blue or white, one of them, because two of them clashes together.

I hope this is helpful. 😅

[ilonagl]

Maybe it's enough just a simple heading that this is a test data?

[enejb]

@ilonagl and @simison thanks for all the feedback.
Will try to get address the feedback soon. If you have any more suggestions please let me know.

[enejb]

Email:

Dashboard:

Export modal (default)

Export modal (with test responses selected)

[simison]

It's a bummer that injecting the badge into the name now doesn't allow filtering just tests to easily remove them. Any way around it? E.g. filtrable/sortable but without its own column?

[simison]

Wouldn't the VStack take care of the spacing if Notice would go inside it?

[simison]

Let's use the modern notice styles here instead of the deprecated component?