fix(pipelock): validate yaml render config

docs/prds/0037-pipelock-yaml-render-contract.md

@@ -73,6 +73,15 @@ rendering a section, validate that required keys exist with the expected
 primitive/list/dict types. Missing or unsupported shapes should raise a clear
 `ValueError` naming the section and key.
 
+The supported top-level shape is `version`, `mode`, `enforce`,
+`api_allowlist`, `seed_phrase_detection`, `forward_proxy`, `dlp`,
+`request_body_scanning`, `tls_interception`, and `ssrf`. Required sections are
+validated before rendering; optional sections keep the current omission
+behavior. `request_body_scanning.scan_headers`,
+`request_body_scanning.header_mode`, and
+`tls_interception.passthrough_domains` remain optional for compatibility with
+parsed running configs that only contain the older rendered subset.
+
 Tests should cover both normal output and failure cases. Because the project is
 stdlib-only, semantic tests can use a small purpose-built parser for the exact
 rendered shape or compare rendered lines to values from the structured config
@@ -101,6 +110,4 @@ Run:
 
 ## Open Questions
 
-- Should malformed config errors be `ValueError`, matching current
-  `pipelock_build_config` validation, or a new internal exception type? Prefer
-  `ValueError` unless a caller needs to distinguish serializer errors.
+None.