submit
Submission is an upload, not a negotiation.
The CLI is the first-class path (certiv submit paper.pdf receipt.certiv --tier T1); this form is the same API endpoint. Either way the rules are identical and fail closed: a receipt that does not verify structurally, a tier that does not match, or an input whose hash has drifted is refused with the reason named.
Pack and check locally first: the five steps. Nothing here can bless a receipt your own machine has not already confirmed.