Let's say you've seen some code that you don't fully understand, but that could be an exposure, or perhaps a failed mitigation or something. Rather than committing yourself to an @exposes or @mitigates, it could be flagged using @review (or whatever). This would then be included in threat model reports, and could help guide investigations into areas of uncertainty for further review.
I'm thinking something like
@review COMMENT [for BOUNDARY:COMPONENT] [(REFS)]
e.g.
@review calling a validation but not sure this meets the requirements for Web:LoginForm (#123)
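A sketch of how the proposed annotation could be parsed and surfaced in a report, written as an added example for this issue rather than code from the project itself. It assumes the grammar exactly as proposed above (`COMMENT` is free text, `BOUNDARY` and `COMPONENT` are single identifiers, `REFS` is a comma- or space-separated list inside the trailing parentheses); the regex, the `ReviewItem` type and the report format are all hypothetical, and the sample source is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Hypothetical grammar for the proposed annotation (not the project's own parser):
#   @review COMMENT [for BOUNDARY:COMPONENT] [(REFS)]
# Assumptions: BOUNDARY and COMPONENT are single identifiers, REFS is a comma- or
# space-separated list inside the trailing parentheses, and COMMENT is free text
# up to the optional "for" clause. Non-greedy COMMENT lets the optional tail match.
REVIEW_RE = re.compile(
    r"@review\s+(?P<comment>.+?)"
    r"(?:\s+for\s+(?P<boundary>\w+):(?P<component>\w+))?"
    r"(?:\s+\((?P<refs>[^)]*)\))?\s*$"
)


@dataclass
class ReviewItem:
    comment: str
    boundary: Optional[str] = None
    component: Optional[str] = None
    refs: List[str] = field(default_factory=list)
    path: str = ""
    line: int = 0

    @property
    def target(self) -> Optional[str]:
        """BOUNDARY:COMPONENT if the annotation named one, else None."""
        if self.boundary and self.component:
            return f"{self.boundary}:{self.component}"
        return None


def parse_review(text: str) -> Optional[ReviewItem]:
    """Parse one @review annotation; returns None if the text is not one."""
    m = REVIEW_RE.search(text)
    if not m:
        return None
    refs = [r for r in re.split(r"[,\s]+", m.group("refs") or "") if r]
    return ReviewItem(
        comment=m.group("comment").strip(),
        boundary=m.group("boundary"),
        component=m.group("component"),
        refs=refs,
    )


def scan_source(path: str, lines: Iterable[str]) -> List[ReviewItem]:
    """Collect @review annotations from source lines, keeping file:line for the report."""
    items: List[ReviewItem] = []
    for lineno, raw in enumerate(lines, start=1):
        if "@review" not in raw:
            continue
        item = parse_review(raw)
        if item:
            item.path, item.line = path, lineno
            items.append(item)
    return items


def render_report(items: List[ReviewItem]) -> str:
    """Plain-text 'needs review' section for a threat model report (hypothetical format)."""
    out = ["Items flagged for review:"]
    for it in items:
        where = f"{it.path}:{it.line}"
        target = f" [{it.target}]" if it.target else ""
        refs = f" ({', '.join(it.refs)})" if it.refs else ""
        out.append(f"- {where}{target} {it.comment}{refs}")
    return "\n".join(out)


# Constructed sample source: the example from this issue plus a second annotation
# with no component and two refs, to exercise the optional parts.
SAMPLE = """\
def login(form):
    # @review calling a validation but not sure this meets the requirements for Web:LoginForm (#123)
    validate(form)
    # @review not sure this token check is constant-time (#123, #130)
    return check_token(form.token)
"""

if __name__ == "__main__":
    print(render_report(scan_source("web/login.py", SAMPLE.splitlines())))
```

Because the annotation is non-committal by design, the report keeps it separate from @exposes/@mitigates entries and carries file:line so the flagged code can be found again when someone picks up the investigation.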