Create a CrossGuard policy pack directory and run `pulumi policy new aws-typescript` to scaffold a TypeScript policy pack with a `PulumiPolicy.yaml` and `index.ts`.
In `index.ts` add a policy to the `PolicyPack`. For the legacy `aws.s3.Bucket`, a `ResourceValidationPolicy` built with `validateResourceOfType(aws.s3.Bucket, ...)` can check that the inline `serverSideEncryptionConfiguration` input is set and call `reportViolation` when it is absent. For `aws.s3.BucketV2` the inline input is `serverSideEncryptionConfigurations` (plural) and is deprecated in favour of a separate `aws.s3.BucketServerSideEncryptionConfigurationV2` resource, so a reliable check needs a `StackValidationPolicy` (`validateStack`) that looks across `args.resources` for a configuration resource whose `bucket` input matches the bucket.
Run `npm install` in the policy pack directory, then test locally with `pulumi preview --policy-pack .` from a Pulumi stack directory.
Publish the policy pack to the Pulumi Cloud with `pulumi policy publish`; it becomes available for organization-wide enforcement.
Enforce the published policy pack from the organization's Policies tab in the Pulumi Cloud UI by enabling it on a policy group (stacks are assigned to policy groups); enabling it on the default policy group applies it to every stack in the org.
Use `pulumi policy ls` to list published policy packs and their versions, and `pulumi policy enable <org>/<pack> <version>` (or `latest`) to set the enforced version; pass `--policy-group <name>` to target a group other than the default, and `pulumi policy disable` to turn it off again.
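The validation logic for the encryption check described in the steps above, as an added example (not code from the page or from Pulumi). It is written against small local interfaces that mirror the field names of `@pulumi/policy`'s `ReportViolation`, `PolicyResource` and `StackValidationArgs` so that it runs without the package; the only part that needs `@pulumi/policy` is the `PolicyPack` wiring shown in the trailing comment. The sample stack is constructed, and the type tokens and prop names (`bucket`, `id`, `serverSideEncryptionConfigurations`) are assumed to match the pulumi-aws provider.

```typescript
// Local mirrors of the @pulumi/policy shapes used here (assumption: field names as in the package).
type ReportViolation = (message: string, urn?: string) => void;

interface PolicyResource {
    type: string;               // Pulumi type token, e.g. "aws:s3/bucketV2:BucketV2"
    name: string;
    urn: string;
    props: Record<string, any>; // resolved inputs/outputs; unknowns during preview arrive as undefined
}

interface StackValidationArgs {
    resources: PolicyResource[];
}

const BUCKET_V2 = "aws:s3/bucketV2:BucketV2";
const LEGACY_BUCKET = "aws:s3/bucket:Bucket";
const SSE_CONFIG_V2 = "aws:s3/bucketServerSideEncryptionConfigurationV2:BucketServerSideEncryptionConfigurationV2";

// Resource-level check for the legacy aws.s3.Bucket, which carries encryption inline.
// True when the bucket declares a default-encryption rule with an algorithm.
function legacyBucketIsEncrypted(props: Record<string, any>): boolean {
    const rule = props.serverSideEncryptionConfiguration?.rule;
    return rule?.applyServerSideEncryptionByDefault?.sseAlgorithm !== undefined;
}

// Does an SSE configuration resource point at this bucket? Its `bucket` input is the
// bucket name (the bucket's `bucket`/`id` output), which can be unknown during preview;
// an unknown reference is conservatively treated as "not linked".
function sseConfigTargets(cfg: PolicyResource, bucket: PolicyResource): boolean {
    const target = cfg.props.bucket;
    if (target === undefined) return false;
    return target === bucket.props.bucket || target === bucket.props.id;
}

// Stack-level check: every BucketV2 must either carry the deprecated inline
// serverSideEncryptionConfigurations input or be paired with a
// BucketServerSideEncryptionConfigurationV2 resource. Returns the URNs of offenders.
function findUnencryptedBucketsV2(resources: PolicyResource[]): string[] {
    const sseConfigs = resources.filter(r => r.type === SSE_CONFIG_V2);
    return resources
        .filter(r => r.type === BUCKET_V2)
        .filter(b => {
            const inline = b.props.serverSideEncryptionConfigurations;
            if (Array.isArray(inline) && inline.length > 0) return false;
            return !sseConfigs.some(c => sseConfigTargets(c, b));
        })
        .map(b => b.urn);
}

// Body of the validateStack callback: one violation per unencrypted bucket, attributed to its URN.
function validateBucketEncryption(args: StackValidationArgs, reportViolation: ReportViolation): void {
    for (const r of args.resources) {
        if (r.type === LEGACY_BUCKET && !legacyBucketIsEncrypted(r.props)) {
            reportViolation(`S3 bucket ${r.name} has no serverSideEncryptionConfiguration`, r.urn);
        }
    }
    for (const urn of findUnencryptedBucketsV2(args.resources)) {
        reportViolation("S3 BucketV2 has no BucketServerSideEncryptionConfigurationV2 attached", urn);
    }
}

// Constructed sample stack (not real engine output): a compliant BucketV2 with its SSE
// configuration, a BucketV2 with no encryption at all, and a legacy bucket with inline AES256.
const sampleStack: StackValidationArgs = {
    resources: [
        { type: BUCKET_V2, name: "logs", urn: "urn:pulumi:dev::app::aws:s3/bucketV2:BucketV2::logs",
          props: { bucket: "app-logs-dev", id: "app-logs-dev" } },
        { type: SSE_CONFIG_V2, name: "logs-sse",
          urn: "urn:pulumi:dev::app::aws:s3/bucketServerSideEncryptionConfigurationV2:BucketServerSideEncryptionConfigurationV2::logs-sse",
          props: { bucket: "app-logs-dev", rules: [{ applyServerSideEncryptionByDefault: { sseAlgorithm: "aws:kms" } }] } },
        { type: BUCKET_V2, name: "scratch", urn: "urn:pulumi:dev::app::aws:s3/bucketV2:BucketV2::scratch",
          props: { bucket: "app-scratch-dev", id: "app-scratch-dev" } },
        { type: LEGACY_BUCKET, name: "old", urn: "urn:pulumi:dev::app::aws:s3/bucket:Bucket::old",
          props: { serverSideEncryptionConfiguration: { rule: { applyServerSideEncryptionByDefault: { sseAlgorithm: "AES256" } } } } },
    ],
};

// Runs the check over the sample and collects what the policy engine would receive.
function runSample(): { message: string; urn?: string }[] {
    const violations: { message: string; urn?: string }[] = [];
    validateBucketEncryption(sampleStack, (message, urn) => violations.push({ message, urn }));
    return violations;
}

/* Wiring inside a real policy pack's index.ts (requires @pulumi/policy; not runnable here):
import { PolicyPack } from "@pulumi/policy";
new PolicyPack("aws-typescript", {
    policies: [{
        name: "s3-buckets-encrypted",
        description: "Every S3 bucket must have server-side encryption configured.",
        enforcementLevel: "mandatory",
        validateStack: validateBucketEncryption,
    }],
});
*/
```

On the sample, only the `scratch` bucket is reported. Treating an unknown `bucket` reference as "not linked" means a first `pulumi preview` of a brand-new bucket can flag it before the name is known; set `enforcementLevel` to `advisory` while tuning, or match on `bucket.props.bucket` only when your program sets the bucket name explicitly.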
Known gotchas
CrossGuard policies are evaluated during `pulumi preview` and `pulumi up` against the resources the program registers and the values in the stack's state; they do not scan live cloud resources, so drift introduced outside Pulumi is not caught until a `pulumi refresh` brings it into state.
The `@pulumi/policy` NPM package version must be compatible with the installed Pulumi CLI version; mismatches cause runtime evaluation failures.
Pulumi CrossGuard also supports Python and OPA/Rego policy packs; the runtime is selected by the `runtime` field in `PulumiPolicy.yaml` (`nodejs`, `python` or `opa`).