Parley - the agent that can say no

Parley is the trust primitive missing from cross-org agent collaboration: an agent you can be turned down for. Regulated collaborations stall when raw data legally can't move - two hospitals sharing cohort analytics under HIPAA, or a bank and a fintech exchanging KYC/AML aggregates. Today those deals take weeks of legal/DPO review, or die. Parley fixes this with a recruited agent from the OTHER organization. Across two real orgs in one Band room (four agents - coordinator, modeler, checker on the requester side; a vault on the owner side), the owner's vault uses its own model to: consent-to-join (it can refuse the job), counter-offer a safe alternative ("no raw rows - I'll run it in place and return only k-anonymous aggregates"), and release nothing until a first-party human at the data owner approves. An agent's APPROVE is rejected by construction. Governance is structural code, not prompts, so a hijacked or swapped model can't disable it: every capability exports zero raw rows; a composing differential-privacy budget (Rényi-DP accountant) mechanically forces a decline when exhausted; consent is purpose-bound (GDPR Art. 5(1)(b)); the owner's policy can only tighten the LLM; and every step is Ed25519-signed and hash-chained, so a third party re-attests nine invariants against a pinned key with zero trust — uv run python -m parley.verify exits 0, or 1 if a single byte is flipped. It's heterogeneous by design: any agent in either org can run on any provider (Claude, Groq, OpenRouter, OpenAI, or any /v1) - Claude is the default, not a requirement; the refusal was demonstrated live on Groq and OpenRouter. One kernel ships four domains (clinical/HIPAA, customer data, code review, HR) - deploy your own by editing one scenario file. 124 tests; real runs in proof/.