Function validate_consumer_against_cluster_repo 

pub fn validate_consumer_against_cluster_repo(
    consumer_namespace: &str,
    repo_name: &str,
    allowed: &AllowedNamespaces,
    labels: Option<&BTreeMap<String, String>>,
) -> ValidationResult

A consumer namespace is permitted by a ClusterRepository’s tenancy gate (ADR §3.2/§4.3).

• List → membership test.
• All(true)→ always allowed; All(false) is meaningless and denies.
• Selector → matched against labels (the consumer namespace’s labels). The crates/api crate cannot fetch a Namespace object, so the caller (webhook) must supply the labels. If labels is None we fail closed with ValidationError::SelectorLabelsUnavailable rather than guess — the webhook never trusts unfiltered input (ADR §3.2). Selector matching here is a simple matchLabels superset test (the common case); matchExpressions is treated as “no constraint” for now and documented as such.