Add optional strict mode for duplicate YAML keys

[salignatmoandal]

🚀 What

• Extend the custom YAML loader in truss/util/yaml_utils.py to support an optional strict mode when loading configs.
• By default, the behaviour remains unchanged: duplicate keys emit a warning and the last value wins.
• When strict=True is passed to safe_load_yaml_with_no_duplicates, a ValueError is raised as soon as a duplicate key is detected.

This prepares the future breaking change mentioned in the TODO comment (around ~7/2026) where duplicate keys should become an error instead of a warning.

💻 How

• Added a strict: bool = False flag on _SafeLoaderWarnDuplicateKeys, the custom yaml.SafeLoader subclass used for Truss configs.
• Updated construct_mapping to:
  • Collect seen keys in a set.
  • When encountering a duplicate:
    • If strict is True, raise ValueError("Duplicate key in YAML mapping").
    • Otherwise, keep the existing behaviour and emit a warnings.warn(...) while still using the last value.
• Updated safe_load_yaml_with_no_duplicates to:
  • Accept a new strict: bool = False parameter.
  • Set _SafeLoaderWarnDuplicateKeys.strict = strict for the current call.
  • Delegate to yaml.load(stream, Loader=_SafeLoaderWarnDuplicateKeys).

This keeps the current default behaviour fully backwards compatible while allowing callers (e.g. CLI validation) to opt into strict duplicate-key checking when desired.

🔬 Testing

• Verified that existing behaviour is preserved when strict=False:
  • Duplicate keys emit a warning and the YAML is still loaded with the last value winning.
• (If you add tests, mention them here, for example:)
• Added unit tests for safe_load_yaml_with_no_duplicates:
  • test_duplicate_keys_warn_in_non_strict_mode – ensures a warning is emitted and loading succeeds when strict=False.
  • test_duplicate_keys_raise_in_strict_mode – ensures a ValueError is raised when strict=True.