docs: clarify that marimo run does not send code to the client

[mokashang]

📝 Summary

Closes #9489

The previous wording in the deploying guide and the --include-code CLI help could be read as "the code is hidden by default, but maybe still sent to the browser and accessible via dev tools." That ambiguity matters when the notebook source is confidential.

Without --include-code, marimo run blanks the cell source before sending the kernel-ready message over the WebSocket (see tests/_server/api/endpoints/test_ws.py::test_kernel_ready_sends_names_but_not_code_when_include_code_false), so the source is not retrievable from the client. This PR makes that explicit in two places:

• docs/guides/deploying/index.md — expand the "Including code in your application" section to state that by default the source is hidden and not sent to the client.
• marimo/_cli/cli.py — update the --include-code help text (which feeds the auto-generated CLI reference at docs/cli.md via mkdocs-click) with the same clarification.

No behavior change; docs only.

📋 Pre-Review Checklist

• For large changes, or changes that affect the public API: this change was discussed or approved through an issue, on Discord, or the community discussions (Please provide a link if applicable). — Linked to Documentation does not specify that marimo run never sends the code to the client #9489.
• Any AI generated code has been reviewed line-by-line by the human PR author, who stands by it.
• Video or media evidence is provided for any visual changes (optional).

✅ Merge Checklist

• I have read the contributor guidelines.
• Documentation has been updated where applicable, including docstrings for API changes.
• Tests have been added for the changes made. — Existing test test_kernel_ready_sends_names_but_not_code_when_include_code_false already covers the underlying behavior.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
marimo-docs	Ready	Preview, Comment	May 13, 2026 0:56am

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[cubic-dev-ai]

No issues found across 2 files

Architecture diagram

sequenceDiagram
    participant User as User (Browser)
    participant WSS as WebSocket Server
    participant K as Kernel
    participant NB as Notebook Source

    Note over User,NB: Default behavior (--include-code not set)

    User->>WSS: Connect WebSocket
    WSS->>K: Trigger kernel ready
    K->>NB: Read notebook source
    K->>K: Blank cell source code
    K-->>WSS: NEW: kernel-ready message (cell names only, no code)
    WSS-->>User: Forward kernel-ready (no source)
    User->>User: Attempt dev tools inspection
    Note over User: Source not retrievable<br/>from client side

    Note over User,NB: With --include-code

    User->>WSS: Connect WebSocket (include-code flag set)
    WSS->>K: Trigger kernel ready
    K->>NB: Read notebook source
    K-->>WSS: kernel-ready message (cell names + source code)
    WSS-->>User: Forward kernel-ready (includes source)

Loading

[mokashang]

I have read the CLA Document and I hereby sign the CLA