fix: AppProject destination restrictions allow deployment to non-allowed namespace when using negated namespaces

[aryasoni98]

Closes #26743

When using AppProject destination restrictions with a whitelist namespace and negated namespaces (e.g. allowed-ns + !kyverno + !argocd), Argo CD incorrectly allowed resources to be deployed into namespaces not explicitly allowed (e.g. not-allowed-ns). Deny rules were being treated as allow rules and expanded permissions instead of restricting them.

Per the documentation, a destination is valid only if: (1) an allow rule matches, and (2) no deny rule rejects it. This fix ensures deny rules can only reject destinations and never permit them.

Issue: In isDestinationMatched, when a deny pattern like !kyverno was checked against a non-matching namespace like not-allowed-ns, globMatch returned true (because the destination doesn't match the denied pattern). The code incorrectly treated this as an allow match and set anyDestinationMatched = true.

Fix: Only set anyDestinationMatched when the matched rule has a non-deny namespace pattern. Deny rules can now only reject, never permit.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.98%. Comparing base (6df1a5b) to head (75d6d0a).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #26772      +/-   ##
==========================================
+ Coverage   62.97%   62.98%   +0.01%     
==========================================
  Files         414      414              
  Lines       56154    56156       +2     
==========================================
+ Hits        35362    35371       +9     
+ Misses      17420    17416       -4     
+ Partials     3372     3369       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pjiang-dev]

Thanks for the PR

I think we'll also need some doc updates

We need to call out the behavior change with something like this

Note: When combining allow rules and deny rules, deny rules can only restrict destinations already permitted by allow rules — they cannot expand the allowlist. For example, if you have allowed-ns as an allow rule and !kyverno as a deny rule, the deny entry will not grant access to namespaces other than allowed-ns. If you want to allow everything except specific namespaces, use an explicit wildcard allow rule paired with deny rules:
Ex.
destinations:

• {server: "", namespace: ""} # allow all
• {server: "*", namespace: "!kyverno"} # except kyverno

in docs/user-guide/projects.md