Summary

• Adds a "Running with host Max Plan auth in Docker (Linux)" subsection under the existing Claude Code Setup docs in hindsight-docs/docs/developer/models.mdx.
• Documents the full bind-mount surface required to run HINDSIGHT_API_LLM_PROVIDER=claude-code inside the standalone image: host claude CLI, single-file credential mounts (~/.claude.json + ~/.claude/.credentials.json), v2.1.128+ binary override for the bundled-binary protocol issue in claude-agent-sdk 0.5.x, and the post-docker run chown/symlink one-time setup.
• Calls out the subtle gotchas explicitly: whole-directory :ro mounts of ~/.claude silently break the CLI (must be single-file mounts); the host directory bind-mounted at /home/hindsight/.pg0 must be writable by UID 1000 or the host UID under --user.
• Restates the personal-use-only constraint from the parent section inline so the Docker recipe isn't read as a production pattern.
• Cross-references Dockerfile: chmod 755 /home/hindsight to support --user UID:GID host-uid-matching #1481 (chmod 755 fix, already shipped) and README: document persistent volume host-uid ownership requirement #1483 (bind-mount UID note for .pg0).
• Linux-only for now since that's what was verified in the source report. macOS Docker Desktop and Windows host paths differ and are noted as not yet covered, with an invitation to contribute verified recipes.

Closes #1480

Test plan

• npm run build in hindsight-docs/ succeeds (no broken anchors, no MDX parse errors)
• On a Linux host with claude auth login previously run, the documented docker run invocation + post-run setup brings up Hindsight successfully
• curl http://127.0.0.1:8888/v1/default/banks/test/reflect -X POST -H "Content-Type: application/json" -d '{"query":"hello"}' returns a 200 with text generated via the Max Plan subscription
• Whole-directory :ro mount of ~/.claude (anti-example) reproduces the silent CLI breakage as described