diff --git a/internal/app/finalise.go b/internal/app/finalise.go index df2f0fb..f5ae398 100644 --- a/internal/app/finalise.go +++ b/internal/app/finalise.go @@ -102,14 +102,22 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID, } } + s := outcomeState{ + ID: id, + Identity: config.Identity, + UserID: (&Hsu{k: k}).MustIDMsg(msg), + EnvPaths: copyPaths(k.syscallDispatcher), + Container: config.Container, + } + // permissive defaults - if config.Container == nil { + if s.Container == nil { msg.Verbose("container configuration not supplied, PROCEED WITH CAUTION") if config.Shell == nil { config.Shell = container.AbsFHSRoot.Append("bin", "sh") - s, _ := k.lookupEnv("SHELL") - if a, err := container.NewAbs(s); err == nil { + shell, _ := k.lookupEnv("SHELL") + if a, err := container.NewAbs(shell); err == nil { config.Shell = a } } @@ -166,7 +174,7 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID, }}, ) - config.Container = conf + s.Container = conf } // late nil checks for pd behaviour @@ -179,23 +187,14 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID, // enforce bounds and default early kp.waitDelay = shimWaitTimeout - if config.Container.WaitDelay <= 0 { + if s.Container.WaitDelay <= 0 { kp.waitDelay += DefaultShimWaitDelay - } else if config.Container.WaitDelay > MaxShimWaitDelay { + } else if s.Container.WaitDelay > MaxShimWaitDelay { kp.waitDelay += MaxShimWaitDelay } else { - kp.waitDelay += config.Container.WaitDelay + kp.waitDelay += s.Container.WaitDelay } - s := outcomeState{ - ID: id, - Identity: config.Identity, - UserID: (&Hsu{k: k}).MustIDMsg(msg), - EnvPaths: copyPaths(k.syscallDispatcher), - - // TODO(ophestra): apply pd behaviour here instead of clobbering hst.Config - Container: config.Container, - } if s.Container.MapRealUID { s.Mapuid, s.Mapgid = k.getuid(), k.getgid() } else { 
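Review bot: `Container: config.Container` in the new `outcomeState` literal copies the pointer, so when a container configuration is supplied `s.Container` and `config.Container` remain the same object and a later write through `s.Container` would still modify the caller's `hst.Config`, which is the clobbering the removed TODO referred to. Only reads of `s.Container` are visible in this diff, so this is a documentation point: a field comment such as `// aliases config.Container when supplied; read-only until replaced by the permissive defaults` would keep the invariant explicit. Constructing `s` here also moves the `MustIDMsg` call ahead of the permissive-defaults block and the late nil checks; if that helper aborts on failure, as its name suggests, confirm the earlier failure point is intended. finalise's body starts and ends outside the hunk.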
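Review bot: With `s.Container = conf` replacing `config.Container = conf`, `config.Container` now stays nil on the permissive-defaults path, so any code that still dereferences `config.Container` after this point would panic where it previously saw the defaults. This commit converts the reader in spx11.go and the WaitDelay bounds in the next hunk, but the other consumers of `config` are not visible here. A search for remaining `config.Container` uses, plus a test that runs finalise with no container configuration supplied, would confirm none were missed. The `if s.Container == nil` block closed by this hunk starts outside it.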
diff --git a/internal/app/spx11.go b/internal/app/spx11.go
index 2e515cd..0d287e0 100644
--- a/internal/app/spx11.go
+++ b/internal/app/spx11.go
@@ -20,7 +20,7 @@ type spX11Op struct {
 Display string
 }
-func (s *spX11Op) toSystem(state *outcomeStateSys, config *hst.Config) error {
+func (s *spX11Op) toSystem(state *outcomeStateSys, _ *hst.Config) error {
 if d, ok := state.k.lookupEnv("DISPLAY"); !ok {
 return newWithMessage("DISPLAY is not set")
 } else {
@@ -46,7 +46,7 @@ func (s *spX11Op) toSystem(state *outcomeStateSys, config *hst.Config) error {
 }
 } else {
 state.sys.UpdatePermType(hst.EX11, socketPath, acl.Read, acl.Write, acl.Execute)
- if !config.Container.HostAbstract {
+ if !state.Container.HostAbstract {
 s.Display = "unix:" + socketPath.String()
 }
 }
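Review bot: `state.Container.HostAbstract` is dereferenced without a nil check, so this condition depends on `Container` having been populated (supplied by the caller or filled with the permissive defaults) before `toSystem` runs. That ordering is not visible in this file. Because this flag decides whether the display string is pinned to the pathname socket via `"unix:" + socketPath.String()`, a comment above the condition such as `// state.Container must be non-nil here; finalise sets it before ops run (confirm)` would document the invariant. A test that exercises this op with no container configuration supplied would pin it. toSystem's body starts and ends outside the hunk.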