The Portis client-side code consists of two parts - the SDK, which runs inside the DApp domain, and the client code, which runs inside the portis domain iframe. As the SDK runs in the DApp domain, it is completely open source. However, it isn't as "interesting", as it is simply a proxy between the web3 method calls in the DApp to the iframe which will actually process them.
The code which runs in the portis.io domain iframe is the "interesting" part, since it is the one responsible for encrypting/decrypting wallets, signing transaction, recovering accounts and more. As it runs in the browser, the code is available for inspection, but it is uglified and minified. For a better understanding on how it works check out our whitepaper: https://portis.io/whitepaper.