@ a convenient place for newbies
  @ to download a ZIP archive or a tarball of the project.  By default,
  @ the latest trunk check-in is downloaded.  Change this tag to something
  @ else (ex: release) to alter the behavior of the /download page.
  @ (Property: "download-tag")
  @ </p>
  @ <hr />
  entry_attribute("Main URL", 60, "main-url", "exturl", "", 0);
  @ <p>Enter the canonical URL used to access this repository from the
  @ internet.  If this repository is not set up as a server, leave this
  @ entry blank.
  @
  @ <p>This entry is not required. It is informational only. Inaccurate
  @ entries here will cause goofy URLs to appear under the /urllist page
  @ of sync partners, but are otherwise harmless.
  @ (Property: "main-url")
  @ <hr />
  entry_attribute("Index Page", 60, "index-page", "idxpg", "/home", 0);
  @ <p>Enter the pathname of the page to display when the "Home" menu
  @ option is selected and when no pathname is
  @ specified in the URL.  For example, if you visit the url:</p>
  @
  @ <blockquote><p>%h(g.zBaseURL)</p></blockquote>
  @

      if( blob_eq(&xfer.aToken[1], "send-private") ){
        login_check_credentials();
        if( !g.perm.Private ){
          server_private_xfer_not_authorized();
        }else{
          xfer.syncPrivate = 1;
        }
      }else


      /*   pragma send-catalog
      **
      ** The client wants to see igot cards for all known artifacts.
      ** This is used as part of "sync --verily" to help ensure that
      ** no artifacts have been missed on prior syncs.
      */
      if( blob_eq(&xfer.aToken[1], "send-catalog") ){
        xfer.resync = 0x7fffffff;
      }else


      /*   pragma client-version VERSION ?DATE? ?TIME?
      **
      ** The client announces to the server what version of Fossil it
      ** is running.  The DATE and TIME are a pure numeric ISO8601 time
      ** for the specific check-in of the client.
      */
      if( xfer.nToken>=3 && blob_eq(&xfer.aToken[1], "client-version") ){
        xfer.remoteVersion = atoi(blob_str(&xfer.aToken[2]));
        if( xfer.nToken>=5 ){
          xfer.remoteDate = atoi(blob_str(&xfer.aToken[3]));
          xfer.remoteTime = atoi(blob_str(&xfer.aToken[4]));
          @ pragma server-version %d(RELEASE_VERSION_NUMBER) \
          @ %d(MANIFEST_NUMERIC_DATE) %d(MANIFEST_NUMERIC_TIME)
        }
      }else


      /*   pragma uv-hash HASH
      **
      ** The client wants to make sure that unversioned files are all synced.
      ** If the HASH does not match, send a complete catalog of
      ** "uvigot" cards.
      */

            @ pragma uv-push-ok
          }else if( g.perm.Read ){
            @ pragma uv-pull-only
          }
          send_unversioned_catalog(&xfer);
        }
        uvCatalogSent = 1;
      }else


      /*   pragma ci-lock CHECKIN-HASH CLIENT-ID
      **
      ** The client wants to make non-branch commit against the check-in
      ** identified by CHECKIN-HASH.  The server will remember this and
      ** subsequent ci-lock requests from different clients will generate
      ** a ci-lock-fail pragma in the reply.

            blob_str(&xfer.aToken[3])
          );
          db_protect_pop();
        }
        if( db_get_boolean("forbid-delta-manifests",0) ){
          @ pragma avoid-delta-manifests
        }
      }else


      /*   pragma ci-unlock CLIENT-ID
      **
      ** Remove any locks previously held by CLIENT-ID.  Clients send this
      ** pragma with their own ID whenever they know that they no longer
      ** have any commits pending.
      */
      if( blob_eq(&xfer.aToken[1], "ci-unlock")
       && xfer.nToken==3
       && blob_is_hname(&xfer.aToken[2])
      ){
        db_unprotect(PROTECT_CONFIG);
        db_multi_exec(
          "DELETE FROM config"
          " WHERE name GLOB 'ci-lock-*'"
          "   AND json_extract(value,'$.clientid')=%Q",
          blob_str(&xfer.aToken[2])
        );
        db_protect_pop();
      }else

      /*   pragma from-url URL
      **
      ** By this pragma, the client proclaims that it can be reached
      ** as a server located at URL.
      **
      ** If the user has write permission, then record the URL as a sync
      ** partner so that it shows up in /urllist pages.
      */
      if( blob_eq(&xfer.aToken[1], "from-url") ){
        if( xfer.nToken==3
         && blob_size(&xfer.aToken[2])>4
         && g.perm.Write
        ){
          db_unprotect(PROTECT_CONFIG);
          db_multi_exec(
            "REPLACE INTO config(name,value,mtime)"
            "VALUES('syncwith:%q',1,now())",
            blob_str(&xfer.aToken[2])
          );
          db_protect_pop();
        }
      }
    }else

    /* Unknown message
    */
    {
      cgi_reset_content();
      @ error bad\scommand:\s%F(blob_str(&xfer.line))

      }
      blob_appendf(&send, "pragma ci-lock %s %s\n", zCkinLock, zClientId);
      zCkinLock = 0;
    }else if( zClientId ){
      blob_appendf(&send, "pragma ci-unlock %s\n", zClientId);
    }

    /* If this repository has a main-url, let the other side know about
    ** it.
    */
    if( (syncFlags && SYNC_PUSH)!=0  && nCycle==0 ){
      const char *zSelfUrl = db_get("main-url",0);
      if( zSelfUrl && zSelfUrl[0]!=0 ){
        blob_appendf(&send, "pragma from-url %s\n", zSelfUrl);
      }
    }

    /* Append randomness to the end of the uplink message.  This makes all
    ** messages unique so that that the login-card nonce will always
    ** be unique.
    */
    zRandomness = db_text(0, "SELECT hex(randomblob(20))");
    blob_appendf(&send, "# %s\n", zRandomness);
    free(zRandomness);