v2026.6.2

What's Changed

• [AAP-68669] Allows OAuth tokens to start with "Token" by @huffmanca in #966
• [AAP-69161] Fix TOCTOU race in RBAC caching causing FK violations under concurrency by @john-westcott-iv in #967
• AAP-65871 Fix openapi spec for ATF by @bhavenst in #969
• AAP-70750 Apply optimization of skipping RoleEvaluation object materialization by @AlanCoding in #971
• AAP-65871: Fix openapi spec for oauth2 algorithms by @bhavenst in #975
• AAP-65871 fix resource_data for openapi spec by @bhavenst in #976
• [AAP-71514] Address deletion with partially completed requests in resource_sync by @huffmanca in #977
• [AAP-68463] fix: recurring error with RoleDefinition sync by @ttuffin in #978
• AAP-69542 Remove unnecessary global declaration by @AlanCoding in #955
• AAP-65739 Update cryptography for CVE-2026-26007 by @bhavenst in #981
• [AAP-70480] Introduces a profiling middleware to obtain performance data from endpoint calls by @huffmanca in #974
• [AAP-72703] - Add FEATURE_DASHBOARD_COLLECTION_ENABLED flag and migration by @cshiels-ie in #983
• [AAP-71476] Improve SonarCloud metrics by @lucasc017 in #987
• [AAP-68023] Use direct JOINs instead of nested IN subqueries in RBAC evaluation by @djyasin in #985
• [AAP-72703] Update FEATURE_DASHBOARD_COLLECTION_ENABLED flag toggle type by @cshiels-ie in #988
• [AAP-71476] Fix SonarCloud reliability and security issues by @lucasc017 in #989
• [AAP-73775] Add Hub to DAB consumers by @jerabekjiri in #986
• [AAP-72504] Add configurable page_size and jwt_expiration for resource sync by @huffmanca in #991
• AAP-72278 Fix token visibility by @bhavenst in #990
• [AAP-72446] [devel backport] CVE-2026-6266: Email change policy enforcement and ALLOW_USER_EMAIL_SELF_EDIT by @john-westcott-iv in #994
• [AAP-74692] Rename UI for FEATURE_DASHBOARD_COLLECTION_ENABLED by @cshiels-ie in #997
• [AAP-69617] Optimize related_fields() and get_summary_fields() to avoid N+1 FK queries by @huffmanca in #992
• Fix O(n) correlated subquery in get_object_by_ansible_id() by @djulich in #993
• [AAP-74442] Fix email enforcement edge cases from CVE-2026-6266 backport by @john-westcott-iv in #1001
• [AAP-45394 AAP-45047] Fix: allow maps can now recover access after an earlier deny by @bhavenst in #995
• [AAP-71149] Bump jwcrypto>=1.5.7 for CVE-2026-39373 by @bmclaughlin in #1003
• [AAP-61226] Remove FEATURE_CASE_INSENSITIVE_AUTH_MAPS_ENABLED feature flag by @Dostonbek1 in #1004
• [AAP-55298] Fix OAuth2 scope mutation causing spurious activity stream entries by @bhavenst in #998
• [AAP-59804] Extract shared resource type strings into constants by @huffmanca in #1005
• [AAP-73651] Fix cross-service RBAC sync for non-existent remote objects by @bhavenst in #1006
• [AAP-73865] Add observability app by @chrismeyersfsu in #982
• [AAP-72137] [oauth2_provider] Add RP-initiated logout support by @BrennanPaciorek in #984
• [AAP-56519] Fix: Move capture_oauth_email_pipeline after associate_user by @bhavenst in #1008
• AAP-72039 Introduce partial-recomputation of team permissions by @AlanCoding in #980
• [AAP-74082] Fix TypeError when API returns null results by @Funi1234 in #1011
• [AAP-65882] Migrate AWX Redis cache driver to DAB by @tznamena in #1015
• AAP-77154: Disable warnings-as-errors for downstream consumer tests by @AlanCoding in #1013
• AAP-65883: Add shared cache invalidation utility by @bhavenst in #1014
• [AAP-74899] Add Codecov integration for coverage tracking by @Funi1234 in #1016

New Contributors

• @ttuffin made their first contribution in #978
• @cshiels-ie made their first contribution in #983
• @lucasc017 made their first contribution in #987
• @djulich made their first contribution in #993
• @bmclaughlin made their first contribution in #1003
• @Funi1234 made their first contribution in #1011

Full Changelog: 2026.3.19...2026.6.2