API changes to enable new types of policies (i.e. validating all resource in a stack) and passing additional information to validation functions (https://github.com/pulumi/pulumi-policy/pull/131).
- Policy.rules is now ResourceValidationPolicy.validateResource.
- typedRule is now validateTypedResource.
- Policy violations are now reported through a reportViolation callback, rather than using asserts.
- A new StackValidationPolicy policy type is available for defining policies that check all resources in a stack.
- Validation functions can now be async and return Promise<void>.
Example:
```
new PolicyPack("aws-policy-pack", {
    policies: [{
        name: "s3-no-public-read",
        description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
        enforcementLevel: "mandatory",
        validateResource: validateTypedResource(aws.s3.Bucket, (bucket, args, reportViolation) => {
            if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                reportViolation(
                    "You cannot set public-read or public-read-write on an S3 bucket. " +
                    "Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html");
            }
        }),
    }],
});
```
Allow policies to deal with Pulumi secret values (https://github.com/pulumi/pulumi-policy/pull/115).