I like where you are going. We could treat this like I do with bad actors. In this case, create a bunch of stuff to reduce the chance of code to be shared.
1. some legal agreement,
2. your user account idea.
3. within the code it does a urlFetch to verify the user (or google group of user accounts) are allowed to run the add-on (web app).
4. -- any other ideas to reduce the chance of source code being shared?
Another thought is the source code has "/edit" URL suffix. To run the add-on (web app), the "/exe" suffix is used. Is it possible to just share the "exe" portion? I'm not aware of any, but thought I would ask :)
Kind Regards,
Steve Webster
SW gApps LLC, President
Google Product Expert in: Google Apps Script, Drive, and Docs
Google Vendor (2012-2013) || Google Apps Developer Blog Guest Blogger
Add-ons: Text gBlaster and Remove Blank Rows