feat: show AWS account names in multi-account connector

[c1-dev-bot]

Summary

• Add aws_account_name to account resource profiles (previously only had aws_account_arn and aws_account_id)
• Include account name in entitlement display names: "MyAccount - AdminAccess Permission Set" instead of "AdminAccess Permission Set"
• Add aws_account_id and aws_account_name to IAM user profiles when listing users in multi-account (Organizations) mode, enabling per-account filtering and identification in reports/exports
• Cache account name lookups via organizations:DescribeAccount to minimize API calls

Test Plan

• Verify that account resources include aws_account_name in their profile
• Verify entitlement display names now include the account name prefix
• Verify IAM users in multi-account mode have aws_account_id and aws_account_name in their profile
• Verify single-account mode (no Organizations) still works correctly (no account name fields added when parentId is nil)
• Verify account name caching works correctly across pagination pages

Fixes: CXH-1524

---

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

• Human review of the implementation approach
• Manual testing to verify correctness
• Approval from the appropriate team before merging

[linear-code]

CXH-1524

[github-actions]

🟡 Suggestion: This silently swallows the DescribeAccount error, making it hard to diagnose why account names are missing. A debug-level log here would turn this into a proper skip-and-continue pattern.

Suggested change

	})
	if err != nil || resp.Account == nil {
	return ""
	if err != nil || resp.Account == nil {
	ctxzap.Extract(ctx).Debug("baton-aws: failed to describe account", zap.String("account_id", accountID), zap.Error(err))
	return ""
	}

[github-actions]

Connector PR Review: feat: show AWS account names in multi-account connector

Blocking Issues: 0 | Suggestions: 1 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds AWS account name display to account resource profiles, entitlement display names, and IAM user profiles in multi-account mode. The entitlement display name change is safe because the entitlement ID and slug are independently set on lines 258-259 of account.go. The new organizations:DescribeAccount call degrades gracefully when permissions are missing, and the permission is already documented in the README. One suggestion to add debug logging for failed account name lookups.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

• pkg/connector/iam_user.go:153-155: getAccountName silently swallows DescribeAccount errors — add a debug log for diagnosability.

Prompt for AI agents

Verify each finding against the current code and only fix it if needed.

## Suggestions

In `pkg/connector/iam_user.go`:
- Around line 153-155: The `getAccountName` method silently returns an empty string when `DescribeAccount` fails. Add a debug-level log line before the return so operators can diagnose missing account names. Use `ctxzap.Extract(ctx).Debug("baton-aws: failed to describe account", zap.String("account_id", accountID), zap.Error(err))`. This requires importing `"go.uber.org/zap"` and ensuring `ctxzap` is already imported.

[github-actions]

No blocking issues found.