Indeed, your javascript should be in a public directory, or people won't be able to access it.

There's a useful view helper for including scripts on demand called HeadScript.

You can add scripts in your view (or controller, of course) and then your layout or view script calls the helper to display them.