diff --git a/CLAUDE.md b/CLAUDE.md index 3c2ce5b..ca70fda 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -262,7 +262,7 @@ export async function GET(request: Request) { ### Current Security Status (May 2026) -- **RLS (Row-Level Security):** DISABLED on family_members and children tables (was blocking INSERTs) +- **RLS (Row-Level Security):** DISABLED on family_members, children, and growth tables (app-level security via requireOwnership) - **App-level security:** All routes use `requireFamily()` and `requireOwnership()` checks - **This is secure because:** All API routes validate session before returning data - **To re-enable RLS later:** Add proper INSERT bypass policy, keep RLS for SELECT only
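Review bot: Adding `growth` to the list of tables with RLS disabled widens the set of tables whose only access control is the application layer, but the replacement line drops the original reason RLS was turned off ("was blocking INSERTs") and the remaining justification ("All API routes validate session before returning data") describes authentication, not ownership; with three tables now unprotected by the database, consider keeping the INSERT-blocking rationale in the line, stating explicitly that every route reading or writing `growth` calls `requireOwnership()` (not just `requireFamily()`), and turning the still-open "To re-enable RLS later" item into a concrete follow-up (e.g. keep RLS for SELECT on `growth` with an INSERT policy scoped to the owning family) so the database-level check is restored rather than left disabled indefinitely.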