diff --git a/tests/unit/test_manifest_egress.py b/tests/unit/test_manifest_egress.py
index caf6cc4..6803a15 100644
--- a/tests/unit/test_manifest_egress.py
+++ b/tests/unit/test_manifest_egress.py
@@ -225,7 +225,7 @@ class TestPipelockPolicy(unittest.TestCase):
             "host": "api.openai.com",
             "pipelock": {"tls_passthrough": True},
         }])
-        self.assertTrue(b.egress.routes[0].Pipelock.TlsPassthrough)
+        self.assertTrue(b.egress.routes[0].Pipelock.Config["tls_passthrough"])
 
     def test_ssrf_ip_allowlist_route_policy(self):
         b = _bottle([{
@@ -233,44 +233,28 @@ class TestPipelockPolicy(unittest.TestCase):
             "pipelock": {"ssrf_ip_allowlist": ["100.78.141.42/32"]},
         }])
         self.assertEqual(
-            ("100.78.141.42/32",),
-            b.egress.routes[0].Pipelock.SsrfIpAllowlist,
+            ["100.78.141.42/32"],
+            b.egress.routes[0].Pipelock.Config["ssrf_ip_allowlist"],
         )
 
-    def test_tls_passthrough_defaults_false(self):
+    def test_skip_scan_for_extensions_route_policy(self):
+        b = _bottle([{
+            "host": "files.pythonhosted.org",
+            "pipelock": {"skip_scan_for_extensions": [".whl", ".tar.gz"]},
+        }])
+        self.assertEqual(
+            [".whl", ".tar.gz"],
+            b.egress.routes[0].Pipelock.Config["skip_scan_for_extensions"],
+        )
+
+    def test_empty_config_when_pipelock_omitted(self):
         b = _bottle([{"host": "api.openai.com"}])
-        self.assertFalse(b.egress.routes[0].Pipelock.TlsPassthrough)
-        self.assertEqual((), b.egress.routes[0].Pipelock.SsrfIpAllowlist)
+        self.assertEqual({}, b.egress.routes[0].Pipelock.Config)
 
     def test_pipelock_policy_must_be_object(self):
         with self.assertRaises(ManifestError):
             _bottle([{"host": "x.example", "pipelock": True}])
 
-    def test_tls_passthrough_must_be_bool(self):
-        with self.assertRaises(ManifestError):
-            _bottle([{
-                "host": "x.example",
-                "pipelock": {"tls_passthrough": "yes"},
-            }])
-
-    def test_ssrf_ip_allowlist_must_be_array(self):
-        with self.assertRaises(ManifestError):
-            _bottle([{
-                "host": "x.example",
-                "pipelock": {"ssrf_ip_allowlist": "100.78.141.42/32"},
-            }])
-
-    def test_ssrf_ip_allowlist_items_must_be_cidr_or_ip(self):
-        with self.assertRaises(ManifestError):
-            _bottle([{
-                "host": "x.example",
-                "pipelock": {"ssrf_ip_allowlist": ["not-an-ip"]},
-            }])
-
-    def test_unknown_pipelock_key_rejected(self):
-        with self.assertRaises(ManifestError):
-            _bottle([{"host": "x.example", "pipelock": {"wat": True}}])
-
 
 class TestRouteValidation(unittest.TestCase):
     def test_duplicate_hosts_rejected(self):