I think there are two questions here:
- how do you correlate the change with a command
- how you prove where the command originated
For the first question, the Ledger API gives you some support; there will be a transaction entry on the transaction stream of the submitting party that contains both the change (selling 10% of the holding) and the command ID. Other parties (who are not the submitting party) don’t get to learn the command ID, because it could in principle be confidential.
If this is not enough, the participant node where the submitting party is hosted might also provide you with some logs, but how these are configured and where to find them depends on your ledger. If that won’t cut it either, then you’ll need to build some logging/correlation mechanisms of your own.
For the second question, the ledger should provide some kind of cryptographic evidence that the transaction that changed the holding was authorized by the participant hosting the party. The evidence is necessarily ledger-specific, though we can come up with tools and APIs that allow you to verify the evidence (we’ve had plans around this, but to the best of my knowledge that work hasn’t been scheduled). However, there’s by design no general way to ensure that it was really a certain party that issued the command - if the party is hosted on a malicious participant node, that node (but no other nodes) can issue transactions in the name of that party as they please. That is to say, in our trust model, the parties must trust the participants that they are hosted on.