Enter a public URL. The browser calls a same-origin MCP-style JSON-RPC endpoint, invokes the audit_url tool, fetches the page server-side, runs accessibility checks, and — when a protected server token is configured — sends the page summary to ChatGPT for a design review.
Private, localhost, and internal network URLs are blocked. ChatGPT credentials stay server-side in chatgpt-config.php or environment variables; they are never placed in browser JavaScript.
mcp.php instead of showing only a canned fixture.