Protecting the sources of HTML5 game
"You can't" is the answer to all 3 questions. The only thing you can do is to slow down whoever's interested in your code by ofuscating it, but ultimately, if somebody wants to use your code, there's nothing you can do about it.
i personally use Google Closure Compiler with advanced compression to obfuscate my code (download the Java-file, don't use the online-version!). It takes some extra effort to prepare the code but it's all very well docmented and once you understood how the compiler works it's really easy to comply with its rules. It not only obfuscates your code but actually optimizes it for execution speed and file size as well.
to be clear - yes the other guys are right, no ultimate protection... bla bla. BUT: ever tried to make heads or tails of googles JavaScript? I tried and failed. If you use obfuscated class-names and very few strings in your code it will be very hard to read, meaning it might takes months depending on the complexity of your code.
For API-calls things are different. encryption won't work as the decryption code will be visible within the javascript - even with obfuscation that part will be hard to hide as AJAX code always looks a bit alike... Also encryption uses up CPU time which you probably need elsewhere. Deferring is one way but in the end, API-calls will be more or less readable.
Obfuscating your javascript code could be one important step. Obfuscation can make the code so complex that no sane person would try to hack it.
I have been using jscrambler.com with good results. That said, obfuscation will not solve every problem. Users will still be able to view all the traffic exchanged between the browser and the server. So they will know how the API works and how to use it.
To avoid this you can use encryption of messages using javascript. This could be helpful in securing the content. I found a post on stackoverflow that discuss encryption using javascript: Javascript AES encryption. There are a few implementations that can be used that have a low performance impact.
Last but not least, all inputs should be thoroughly checked on the server side. All logic that can be implemented on the server side should remain there.