I'm interested in any solutions for building a commercial OpenSocial app that has protected source. Links to detailed solutions or hacks is perfectly acceptable. Obviously being XML and JavaScript, there is a high likelihood this just isn't possible, but I'm curious if anyone has explored this angle.
The best you can do is use javascript obfuscation and minification. Obfuscation reduces the ability to reverse-engineer the code into something that is human readable, but doesn't make it impossible. Reading the documentation of the obfuscation tool you use will show you the coding style and techniques you will need to use to help the obfuscator make your code more or less obfuscated. A google search will bring up plenty of tools http://www.google.com/search?q=javascript+obfuscation
OpenSocial supports a RESTful API, so you could move a bunch of your logic to the server.
Of course, you'd still need to push some Javascript to the client; for this, as another poster said, you could use an obfuscator. But the more of your logic is on the server, the less that matters (for instance, StackOverflow doesn't seem to obfuscate its source, but nobody's gonna "steal" it, it wouldn't be very useful).
EDIT: I realized that getting to the RESTful APIs from your server may be impossible due to authentication but I haven't fully grokked the model. In any event, my point stands: the more your logic exists on the server one way or another (the client could make the call, do some processing, and push data to the server), the less value there is in only the client code.
There are several client libraries that allow you use the sever-to-server APIs using the language of your choice. The added bonus is that you can keep your code on your server. You will still need a bit of JavaScript to pull all the pieces together, but most of the logic can be hidden on your server.
Check out the post from the OpenSocial API Blog: OpenSocial now friends with PHP, Java, Ruby, and Python