diff --git a/hst/container.go b/hst/container.go
index 6990938..08fb8fa 100644
--- a/hst/container.go
+++ b/hst/container.go
@@ -24,11 +24,18 @@ const (
 	IdentityMin = 0
 	// IdentityMax is the maximum value of [Config.Identity]. This is enforced by cmd/hsu.
 	IdentityMax = 9999
+)
+
+const (
+	// ShimExitFailure is returned if the container fails to start.
+	ShimExitFailure = iota + 1
+	// ShimExitCancel is returned if the container is terminated by a shim-directed signal which cancels its context.
+	ShimExitCancel
+	// ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal.
+	ShimExitOrphan
 
 	// ShimExitRequest is returned when the priv side process requests shim exit.
 	ShimExitRequest = 254
-	// ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal.
-	ShimExitOrphan = 3
 )
 
 const (
diff --git a/internal/app/outcome.go b/internal/app/outcome.go
index 87bb1fb..6f688b8 100644
--- a/internal/app/outcome.go
+++ b/internal/app/outcome.go
@@ -14,6 +14,10 @@ import (
 	"hakurei.app/system/acl"
 )
 
+// envAllocSize is the initial size of the env map pre-allocated when the configured env map is nil.
+// It should be large enough to fit all insertions by outcomeOp.toContainer.
+const envAllocSize = 1 << 6
+
 func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
 
 // stringPair stores a value and its string representation.
diff --git a/internal/app/shim.go b/internal/app/shim.go
index 1fdedd3..992215f 100644
--- a/internal/app/shim.go
+++ b/internal/app/shim.go
@@ -23,14 +23,11 @@ import (
 //#include "shim-signal.h"
 import "C"
 
-const (
-	// setup pipe fd for [container.Receive]
-	shimEnv = "HAKUREI_SHIM"
-
-	// only used for a nil configured env map
-	envAllocSize = 1 << 6
-)
+// shimEnv is the name of the environment variable storing decimal representation of
+// setup pipe fd for [container.Receive].
+const shimEnv = "HAKUREI_SHIM"
 
+// shimParams is embedded in outcomeState and transmitted from priv side to shim.
 type shimParams struct {
 	// Priv side pid, checked against ppid in signal handler for the syscall.SIGCONT hack.
 	PrivPID int
@@ -172,7 +169,7 @@ func ShimMain() {
 
 	if err := z.Start(); err != nil {
 		printMessageError("cannot start container:", err)
-		os.Exit(1)
+		os.Exit(hst.ShimExitFailure)
 	}
 	if err := z.Serve(); err != nil {
 		printMessageError("cannot configure container:", err)
@@ -189,7 +186,7 @@ func ShimMain() {
 		var exitError *exec.ExitError
 		if !errors.As(err, &exitError) {
 			if errors.Is(err, context.Canceled) {
-				os.Exit(2)
+				os.Exit(hst.ShimExitCancel)
 			}
 			log.Printf("wait: %v", err)
 			os.Exit(127)