// Corpus attestation

Goblin House — Corpus Merkle root, 2026-05-13

Daily cryptographic attestation over every sources row in the platform's archive. Anyone can rebuild this root from the platform's public source receipts and verify that the corpus on that date hashed to exactly this string. If it doesn't match, the corpus has been altered.

Date (UTC)	2026-05-13
Merkle root	`eaac44f4c9082ee6393ed52c8129e8616a6eb1dac812d4cd8969fbda44061bcd`
Total sources covered	10,466
Max source id	49,066
Signature	`a9dc2973bffa4ee4c5cd506c020eee342b5db31beda875fe47e0828d292180c2`
Signature algorithm	HMAC-SHA256(date \| root \| total_sources)
External publish URL	(not yet pinned externally)
Computed at	2026-05-13T05:20:20.022Z

How to verify this attestation

Pull every source receipt for id in [1..49,066]:

for id in 1..49066; do
  curl -s https://www.goblinhouse.net/source/$id/receipt.json | jq -r '.custody.contentHash // empty'
done > leaves.txt

Compute the Merkle root over the resulting hex hashes — sorted ascending by source.id, hashed as raw hex strings (no decoding), Bitcoin-style odd-level duplication. Reference implementation:

function pairHash(l, r) { return sha256(l + r) }
function root(level) {
  while (level.length > 1) {
    const next = []
    for (let i = 0; i < level.length; i += 2)
      next.push(pairHash(level[i], level[i + 1] ?? level[i]))
    level = next
  }
  return level[0]
}

Compare the computed root to eaac44f4c9082ee6393ed52c… above. If they match, the corpus on 2026-05-13 contained exactly the documents whose hashes you fetched. If they don't, one or more documents have been altered, removed, or added since the attestation was published.

The signature is a server-side HMAC — it prevents one curator from silently swapping the row, but it does NOT prove third-party-verifiable integrity (we hold the key). For that, future versions will swap to an asymmetric signature with a publicly-pinned verification key.

Machine-readable: JSON