Username reserved for the account owner. Real AWS treats root
as the account-creator identity that exists outside the IAM
principal hierarchy; AWSim materializes it as a regular IAM user
at bootstrap so the existing storage and login flows can be
reused, but applies the same protections.
Refuse any mutation that targets the root user unless the
caller is an internal server-side flow (bootstrap, background
task). Real AWS keeps root unreachable from the IAM API: an IAM
admin cannot delete the root user, swap its password, attach a
policy, or rotate its access keys. Apply this guard at the top
of every operation in operations::users, operations::policies,
operations::groups, operations::mfa, etc. that takes a
UserName parameter and mutates state.
Re-export the password-verification helper so the operator-auth
flow in the awsim binary can authenticate IAM users against the
bcrypt hash stored on their LoginProfile without each caller
having to depend on the private operations module layout.
Verify a user-supplied plaintext password against the stored
bcrypt hash for user_name. Returns Ok(()) on match,
AccessDeniedException on no profile / no hash / bad password.