Further to the aside at the end of T36:
At present, a primary instance is treated as a special kind of relay: a complete agreement is considered to have been satisfactorily received even if only the primary instance has received it. This allows an untrusted, mischievous actor to send the primary instance (and none of its relays) a copy of a complete agreement before the deadline, and then take that instance offline (through a denial-of-service attack, for example). The instance might then disagree with either of its neighbours about whether the transaction is being executed.
Perhaps it would be better to separate the concept of relay from the primary instance entirely, so that the primary instance can choose not to be its own relay, and if it does act as its own relay, it counts as just another one of the many, instead of a special one with special responsibilities. That way, any minority of relays could be taken offline or start acting maliciously without causing disagreements about the execution of a transaction, as long as the relays misbehaving while any one transaction's execution is in doubt are a minority of the instance's relays and a minority of each of its neighbours' sets of relays.
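
The scenario above as a small simulation, added here as an illustration and not taken from the project's code. It assumes a set of five relays, a strict-majority threshold for the proposed rule (the note does not state one), and that an offline node still knows its own state but answers nobody else; all names (`Relay`, `copies_seen`, `views` and so on) are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Relay:
    name: str
    holds_agreement: bool = False   # received a complete agreement before the deadline
    online: bool = True             # answers queries from other parties

def copies_seen(relays, local=None):
    """Copies an observer can confirm: online relays, plus its own node if it is one."""
    return sum(r.holds_agreement for r in relays if r.online or r is local)

def current_rule(primary, local=None):
    """Today's rule: receipt by the primary instance alone is sufficient."""
    return copies_seen([primary], local) >= 1

def majority_rule(relays, local=None):
    """Assumed proposed rule: a strict majority of the whole relay set must hold a copy."""
    return copies_seen(relays, local) > len(relays) // 2

def views(rule, target, primary):
    """(instance's view, neighbour's view) of whether the transaction executes."""
    return rule(target, local=primary), rule(target)

def attack_scenario():
    """Constructed case: agreement sent only to the primary, which is then taken offline."""
    relays = [Relay(f"relay{i}") for i in range(4)]
    primary = Relay("primary", holds_agreement=True, online=False)
    return primary, relays + [primary]   # proposed design: primary is one relay of five

def honest_scenario():
    """Constructed case: agreement sent to every relay; a minority of two goes offline."""
    relays = [Relay(f"relay{i}", holds_agreement=True) for i in range(4)]
    relays[0].online = False
    primary = Relay("primary", holds_agreement=True, online=False)
    return primary, relays + [primary]

if __name__ == "__main__":
    primary, relay_set = attack_scenario()
    print("current rule, attack :", views(current_rule, primary, primary))
    print("majority rule, attack:", views(majority_rule, relay_set, primary))
    primary, relay_set = honest_scenario()
    print("majority rule, honest:", views(majority_rule, relay_set, primary))
```

Each tuple is (instance's view, neighbour's view); a mismatch is the disagreement described above. The simulation covers only these two constructed cases and does not model an agreement delivered to a bare majority of relays before some of them go offline.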