diff --git a/next/kernel/nx_kernel.erl b/next/kernel/nx_kernel.erl
new file mode 100644
index 00000000..6c41b203
--- /dev/null
+++ b/next/kernel/nx_kernel.erl
@@ -0,0 +1,82 @@
+-module(nx_kernel).
+-export([new/3, publish/2,
+         actor_id/1, log_state/1, log_tip/1,
+         key_spec/1, actor_state/1, projections/1,
+         next_published/1, with_projections/2]).
+
+%% Kernel orchestrator — the long-lived runtime state held by the
+%% running fed-sx instance. The HTTP layer (Step 8c-post-publish
+%% follow-up) will park this in a gen_server and dispatch the POST
+%% /activity request through `publish/2`.
+%%
+%% State shape (property list):
+%%   [{actor_id, A},
+%%    {key_spec, KS},          % proplist: key_id / algorithm / value
+%%    {actor_state, AS},       % proplist: public_keys
+%%    {log, L},                % log:open/2 return value
+%%    {projections, [Name]},   % list of registered projection process names
+%%    {next_published, N}]     % monotonic counter we feed as :published
+%%
+%% Step 6c's stage_replay catches duplicates by `:id`; the `:id`
+%% is derived from the unsigned envelope contents. Same Request +
+%% same `:published` -> same CID, so the next_published counter
+%% gives every publish a distinct timestamp without needing a
+%% wall-clock BIF.
+
+new(ActorId, KeySpec, ActorStateProplist) ->
+    {ok, L0} = log:open(ActorId, base_stub()),
+    [{actor_id, ActorId},
+     {key_spec, KeySpec},
+     {actor_state, ActorStateProplist},
+     {log, L0},
+     {projections, []},
+     {next_published, 1}].
+
+%% publish/2 — pure state transition. Returns either:
+%%   {ok, Result, NewState}   — log + counter advanced
+%%   {error, Reason, State}   — state unchanged on validation halt
+publish(Request, State) ->
+    P   = field(next_published, State),
+    Ctx = [{actor_id,    field(actor_id, State)},
+           {published,   P},
+           {key_spec,    field(key_spec, State)},
+           {actor_state, field(actor_state, State)},
+           {log,         field(log, State)},
+           {projections, field(projections, State)}],
+    case outbox:publish(Request, Ctx) of
+        {ok, Result, NewLog} ->
+            State1 = set(log, NewLog, State),
+            State2 = set(next_published, P + 1, State1),
+            {ok, Result, State2};
+        {error, Reason, _} ->
+            {error, Reason, State}
+    end.
+
+%% Accessors
+
+actor_id(State)        -> field(actor_id, State).
+key_spec(State)        -> field(key_spec, State).
+actor_state(State)     -> field(actor_state, State).
+log_state(State)       -> field(log, State).
+log_tip(State)         -> log:tip(field(log, State)).
+projections(State)     -> field(projections, State).
+next_published(State)  -> field(next_published, State).
+
+%% with_projections — return a new state with :projections replaced.
+with_projections(Names, State) ->
+    set(projections, Names, State).
+
+%% Internal
+
+%% "base_stub" — placeholder base path for the in-memory log
+%% in v1 (the in-memory log ignores the base argument).
+base_stub() ->
+    <<98,97,115,101,95,115,116,117,98>>.
+
+field(K, [{K, V} | _]) -> V;
+field(K, [_ | Rest]) -> field(K, Rest);
+field(_, []) -> nil.
+
+set(K, V, []) -> [{K, V}];
+set(K, V, [{K, _} | Rest]) -> [{K, V} | Rest];
+set(K, V, [P | Rest]) -> [P | set(K, V, Rest)].
diff --git a/next/tests/nx_kernel_pure.sh b/next/tests/nx_kernel_pure.sh
new file mode 100755
index 00000000..f0ac67d2
--- /dev/null
+++ b/next/tests/nx_kernel_pure.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# next/tests/nx_kernel_pure.sh — Step 8c-post-publish-pure tests.
+#
+# Exercises pure-functional nx_kernel:new/3, publish/2, and the
+# accessors. Verifies the state advances correctly across multiple
+# publishes and that the next_published counter prevents replay
+# collisions when the same Request is published twice. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared prelude: key material + actor state + an initial nx_kernel
+# state bound to S0. Each test builds from S0.
+PRELUDE='KM = <<1,2,3,4>>, KS = [{key_id,k1},{algorithm,ed25519},{value,KM}], AS = [{public_keys,[[{id,k1},{created,0},{value,KM}]]}], S0 = nx_kernel:new(alice, KS, AS), Req = [{type,create},{object,nil}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/log.erl\")) :name)")
+(epoch 4)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+(epoch 5)
+(eval "(get (erlang-load-module (file-read \"next/kernel/outbox.erl\")) :name)")
+(epoch 6)
+(eval "(get (erlang-load-module (file-read \"next/kernel/nx_kernel.erl\")) :name)")
+
+;; new/3 — fresh state has log_tip 0 and next_published 1
+(epoch 10)
+(eval "(erlang-eval-ast \"${PRELUDE} nx_kernel:log_tip(S0)\")")
+(epoch 11)
+(eval "(erlang-eval-ast \"${PRELUDE} nx_kernel:next_published(S0)\")")
+
+;; Accessors return the expected values
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} nx_kernel:actor_id(S0) =:= alice\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"${PRELUDE} nx_kernel:key_spec(S0) =:= KS\") :name)")
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} nx_kernel:actor_state(S0) =:= AS\") :name)")
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} nx_kernel:projections(S0) =:= []\") :name)")
+
+;; publish/2 happy path: log_tip advances to 1, next_published to 2
+(epoch 20)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, _, S1} = nx_kernel:publish(Req, S0), {nx_kernel:log_tip(S1), nx_kernel:next_published(S1)} =:= {1, 2}\") :name)")
+
+;; Two sequential publishes (same Request) succeed because the
+;; next_published counter makes each canonical envelope distinct
+(epoch 21)
+(eval "(erlang-eval-ast \"${PRELUDE} {ok, _, S1} = nx_kernel:publish(Req, S0), {ok, _, S2} = nx_kernel:publish(Req, S1), nx_kernel:log_tip(S2)\")")
+
+;; Two publishes also bump next_published to 3
+(epoch 22)
+(eval "(erlang-eval-ast \"${PRELUDE} {ok, _, S1} = nx_kernel:publish(Req, S0), {ok, _, S2} = nx_kernel:publish(Req, S1), nx_kernel:next_published(S2)\")")
+
+;; Bad key in state -> publish fails, state unchanged
+(epoch 23)
+(eval "(get (erlang-eval-ast \"${PRELUDE} OtherKM = <<9,9,9,9>>, BadKS = [{key_id,k1},{algorithm,ed25519},{value,OtherKM}], BadS = nx_kernel:new(alice, BadKS, AS), case nx_kernel:publish(Req, BadS) of {error, bad_signature, S} -> nx_kernel:log_tip(S) =:= 0; _ -> false end\") :name)")
+
+;; with_projections replaces the :projections list
+(epoch 24)
+(eval "(get (erlang-eval-ast \"${PRELUDE} S = nx_kernel:with_projections([p_count], S0), nx_kernel:projections(S) =:= [p_count]\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 240 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  6  "nx_kernel module loaded"           "nx_kernel"
+check 10  "fresh log_tip = 0"                 "0"
+check 11  "next_published starts at 1"        "1"
+check 12  "actor_id accessor"                 "true"
+check 13  "key_spec accessor"                 "true"
+check 14  "actor_state accessor"              "true"
+check 15  "projections defaults to []"        "true"
+check 20  "publish advances tip + counter"    "true"
+check 21  "two publishes advance tip to 2"    "2"
+check 22  "two publishes -> counter = 3"      "3"
+check 23  "bad key fails, state unchanged"    "true"
+check 24  "with_projections sets list"        "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/nx_kernel_pure.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]
diff --git a/plans/fed-sx-milestone-1.md b/plans/fed-sx-milestone-1.md
index d98c12e0..56944f29 100644
--- a/plans/fed-sx-milestone-1.md
+++ b/plans/fed-sx-milestone-1.md
@@ -514,7 +514,8 @@ publish(ActorId, ActivityRequest) ->
 - [x] **8c-art** — Route GET `/artifacts/{cid}` via `match_prefix`. Stub body echoes the cid (`artifact: <cid>\n`); real content store lookup deferred. `next/tests/http_artifacts.sh` (9 cases).
 - [x] **8c-proj** — Routes GET `/projections` (list stub) + GET `/projections/{name}` (state stub) via `match_prefix`. Bare-path list endpoint dispatches before the prefix clause. `next/tests/http_projections.sh` (11 cases). Registry-backed implementation deferred.
 - [x] **8c-post-auth** — `route/2(Req, Cfg)` adds POST `/activity` with bearer-token check. Cfg `:publish_token` is the expected token; missing / wrong / malformed Authorization all return 401. Authorized requests get a stub 200 ("published (stub)"). `next/tests/http_post_activity.sh` (13 cases).
-- [ ] **8c-post-publish** — Wire authorized POST `/activity` to `outbox:publish` with a server-state context (needs a stateful kernel orchestrator passing logs / actor keys / projection list).
+- [x] **8c-post-publish-pure** — `next/kernel/nx_kernel.erl` — pure-functional kernel orchestrator. `new/3(ActorId, KeySpec, ActorState)` builds the runtime state; `publish/2(Request, State)` calls `outbox:publish` with a Context derived from state, advances log + next_published on success. `next/tests/nx_kernel_pure.sh` (12 cases).
+- [ ] **8c-post-publish-srv** — gen_server wrapper around nx_kernel that the HTTP layer can call from POST `/activity` handler.
 - [ ] **8d** — Content negotiation by Accept header: application/activity+json (default), application/cbor, application/json, application/sx.
 
 **Deliverables:**
@@ -989,6 +990,7 @@ A few things still under-specified; resolve as work begins.
 Newest first. One line per sub-deliverable commit. Erlang conformance gate
 (`bash lib/erlang/conformance.sh`) must remain 729/729 on every entry.
 
+- **2026-05-28** — Step 8c-post-publish-pure: `next/kernel/nx_kernel.erl` — pure-functional kernel orchestrator that wraps `outbox:publish/2` with a long-lived runtime state. `new/3(ActorId, KeySpec, ActorState)` initialises state with an empty log + monotonic `:next_published` counter. `publish/2(Request, State)` builds the publish Context from state, calls outbox:publish, and on success advances `:log` and increments `:next_published`. The counter solves the "same Request published twice" replay collision — each call gets a distinct `:published` timestamp, so the canonical-bytes CID differs and stage_replay doesn't halt. On failure (e.g. bad key), state is returned unchanged. Step 8c-post-publish split into pure (done) + srv (gen_server wrapper) sub-deliverables. `next/tests/nx_kernel_pure.sh` 12/12. Erlang conformance 729/729.
 - **2026-05-28** — Step 8c-post-auth: POST `/activity` route + bearer-token auth via new `route/2(Req, Cfg)` variant. Cfg's `:publish_token` is the expected bearer; mismatched / missing / malformed (no "Bearer " prefix) / empty-token Authorization all surface as 401 `unauthorized_response/0`. `route/1` is a backwards-compatible wrapper with empty Cfg — any POST `/activity` over `route/1` is 401 by design (no token configured). `Bearer ` prefix stripped via the same `match_prefix` helper used elsewhere. Real publish wiring deferred to `8c-post-publish` (needs the kernel orchestrator that holds logs / actor keys / projection list). `next/tests/http_post_activity.sh` 13/13. Erlang conformance 729/729.
 - **2026-05-28** — Step 8c-proj: routes GET `/projections` (list stub returning `projections: (empty)\n`) + GET `/projections/{name}` (state stub returning `projection: <name>\n`). Bare-path list clause dispatches before the prefix clause so `/projections` and `/projections/{name}` are distinguishable. All three dynamic-prefix routes (actors / artifacts / projections) compose cleanly — verified by a single combined-route test asserting all return 200 with distinct prefixes. Registry-backed implementation deferred — needs a running registry process at route time. `next/tests/http_projections.sh` 11/11. Erlang conformance 729/729.
 - **2026-05-28** — Step 8c-art: GET `/artifacts/{cid}` route added on top of `match_prefix`. Single GET dispatch clause now tries `actors_prefix` first, falls through to `artifacts_prefix` — no path collision (different leading bytes). Stub body echoes the CID with `artifact: ` prefix; real artifact-store lookup deferred to later (will key into the registry / genesis bundle). `next/tests/http_artifacts.sh` 9/9 covers happy path, empty-cid 404, POST 404, actor/artifact non-collision, static-route regression. Erlang conformance 729/729.