docs: clarify that marimo run hides source code by default

[Light2Dark]

📝 Summary

Closes #9489.

Clarifies in three places that marimo run does not send notebook source code to the browser by default:

• docs/guides/deploying/index.md: expands the "Including code in your application" section to state that the default makes marimo run suitable for deploying notebooks with confidential source code, and that viewers cannot read it via browser dev tools.
• docs/index.md: rewords the landing page so "hidden and uneditable" is explained by the source not being sent to the browser, rather than implying a UI-only restriction.
• marimo/_cli/cli.py: updates the --include-code flag help text to describe both the effect of the flag and the default behavior.

No behavior change; documentation/help-text only.

📋 Pre-Review Checklist

• For large changes, or changes that affect the public API: this change was discussed or approved through an issue, on Discord, or the community discussions (Please provide a link if applicable).
• Any AI generated code has been reviewed line-by-line by the human PR author, who stands by it.
• Video or media evidence is provided for any visual changes (optional).

✅ Merge Checklist

• I have read the contributor guidelines.
• Documentation has been updated where applicable, including docstrings for API changes.
• Tests have been added for the changes made.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
marimo-docs	Ready	Preview, Comment	May 12, 2026 9:40pm

[cubic-dev-ai]

No issues found across 3 files

Architecture diagram

sequenceDiagram
    participant User as End User (Browser)
    participant MarimoRun as marimo run (Server)
    participant Config as --include-code Flag
    participant Notebook as Notebook Source (.py)

    Note over User,Notebook: Default Deployment Flow (documented behavior)

    User->>MarimoRun: HTTP GET /app-page
    MarimoRun->>Config: Check --include-code flag
    alt Default (--include-code not set)
        Config-->>MarimoRun: false
        MarimoRun->>Notebook: Execute notebook (server-side)
        MarimoRun-->>User: Send rendered output HTML (NO source code)
        Note over User,MarimoRun: Viewer cannot read code via browser dev tools
    else --include-code flag set
        Config-->>MarimoRun: true
        MarimoRun->>Notebook: Execute notebook (server-side)
        MarimoRun-->>User: Send rendered output + source code
    end

    Note over User,Notebook: CLI help text provides guidance
    User->>MarimoRun: marimo run --help
    MarimoRun-->>User: Shows updated description of --include-code flag

Loading

[Copilot]

Pull request overview

This PR updates user-facing documentation and CLI help text to clarify that marimo run does not send notebook source code to the browser by default, making the default “hidden code” behavior a transport-level guarantee (not merely a UI restriction).

Changes:

• Expands the deploying guide to explicitly state that notebook source code is not sent to the client by default (and explains the role of --include-code).
• Rewords the docs landing page to explain “hidden and uneditable” as a consequence of the source not reaching the browser by default.
• Updates marimo run --include-code help text to describe both what the flag does and what the default behavior is.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
marimo/_cli/cli.py	Refines --include-code help text to explain client-side source availability and the default behavior.
docs/index.md	Clarifies the quickstart “Run apps” description to reflect that source is not sent by default.
docs/guides/deploying/index.md	Expands deployment guidance to explain default source-code non-exposure and when to use --include-code.