WanderCar Family — Decisions Log

Running log of every keep / swap / drop decision with citation. Per SOP v2.4 Stage 1 deliverable, maintained across all stages.

Format: [DATE] [STAGE] [DECISION-ID] Decision — Rationale — Source/citation

---

2026-04-24

Stage 0 — Feature scoping + competitive audit

• [D-000] Position this as a separate family from WanderCar Screen (original WANDERCAR-BUILD-SPEC.md). Rationale: different customer (buyer of $199 OBD puck vs $1,500+ head-unit); different hardware (MCU-class vs SoC-class); different install (plug-in vs dash-install). Reference: Michael's scope brief for this SOP run. No conflict with existing spec — the two products are complementary, both keep the WanderCar name, footer cross-links them.

• [D-001] Ship three tiers + feature layer, not more, not fewer. Basic / Plus / Pro covers the observed market gaps; WanderLoJack as free feature-across-all-tiers covers the theft-recovery anti-subscription story. Rationale: tier-count discipline per _FAMILY-EXPANSION-REVIEW.md; fewer tiers = simpler configurator + lower inventory complexity. More tiers = fragmentation. Source: Michael's scope brief; WanderBand 4-tier precedent informs.

• [D-002] Compete on 10 axes, concede 3 axes deliberately (fleet SaaS dashboards, OEM ADAS, in-dash infotainment). Rationale: sharp positioning beats diffuse; the 3 conceded areas are not our customer. Source: _COMPETITIVE-AUDIT-2026-04-24.md.

Stage 1 — Intake + freeze

• [D-010] Device IDs assigned: WV-AUTO-CAR-BASIC, WV-AUTO-CAR-PLUS, WV-AUTO-CAR-PRO, WV-AUTO-LOJACK-FEATURE. Chassis: Auto-OBD + Auto-Dash. Source: SOP v2.4 naming convention.

Stage 2 — Normalize + classify

• [D-100] MCU: STMicro STM32H723VGT6 (all tiers), with AEC-Q100-Grade-2 variant (STM32H723ZGT6-A) as Pro-Fleet configurator option. Rationale: per _HARDWARE-TOOLCHAIN.md automotive reference menu ("For WanderCar / WanderRescue first ship: STM32H7"); Cortex-M7 @ 550 MHz + dual CAN-FD + Ethernet MAC + 1 MB Flash + 564 KB RAM is adequate for OBD parse + IMU crash algorithm + LoRa stack + BLE + cellular management simultaneously. AEC-Q100 path reserved for explicit fleet buyers requiring it. Source: _HARDWARE-TOOLCHAIN.md lines 94-102.

• [D-101] CAN-FD: MCP2518FD + TJA1463 as the CAN-FD reference pattern. Rationale: toolchain menu names these explicitly as CAN-FD reference parts (_HARDWARE-TOOLCHAIN.md lines 106-108). MCP2518FD is SPI-controlled CAN-FD controller (takes load off STM32H7 dual-CAN-FD if needed); TJA1463 is signal-improvement transceiver variant with automotive qualification. Alternative: on-chip CAN-FD on STM32H7 + standalone TJA1463. Decision: use MCP2518FD for CAN-FD1 (OBD / primary diagnostic bus) to match toolchain reference exactly; on-chip STM32H7 CAN-FD for secondary bus (manufacturer-specific / LIN-gateway / EV-specific).

• [D-102] GNSS: u-blox MAX-M10S (Basic/Plus), ZED-F9P (Pro). Rationale: MAX-M10S is the toolchain reference for GNSS and handles GPS L1 + Galileo E1 + BeiDou B1 + GLONASS L1 + dead-reckoning fusion with IMU. ZED-F9P adds multi-band L1/L2/L5 + RTK support for Pro-tier precision positioning (centimeter-level with corrections, ~1 m standalone). Source: _HARDWARE-TOOLCHAIN.md line 127.

• [D-103] IMU: TDK InvenSense ICM-42688-P. Rationale: toolchain reference (line 128); 6-axis 32 kHz ODR ±16 g ±2000 dps matches crash-detection algorithm needs; widely available; WanderBand + WanderCar use the same part → supply-chain diversification benefit.

• [D-104] Cellular: Quectel BG95-M3. Rationale: toolchain reference mentions Quectel BG95-M3 specifically for LTE Cat-M1 + NB-IoT + GNSS-redundancy + GSM fallback. FCC + PTCRB + GCF pre-certified module. Carrier approvals (T-Mobile, Verizon, AT&T) well-documented. 5G RedCap upgrade path via pin-compatible Quectel RG620Q. Source: Michael's scope brief + toolchain menu.

• [D-105] LoRa: Semtech SX1262 on M.2 2230 sub-module. Rationale: industry-standard LoRa transceiver; Meshtastic + LoRaWAN compatible; low-power (~10 mA RX, ~120 mA TX at +22 dBm). Module form factor allows easy swap to SX1302 concentrator for Pro mesh-relay duty cycle. Decision: single module across all tiers, firmware-locked duty cycle for regional compliance.

• [D-106] BLE: Nordic nRF52840. Rationale: toolchain reference (line 126) names it for BLE mesh / sensor nodes. Dedicated BLE MCU (not shared with host STM32H7) allows wake-on-BLE at <10 µA without waking the main MCU — critical for <10 mA total quiescent budget.

• [D-107] Secure element: NXP SE051. Rationale: toolchain reference (line 129) names it explicitly ("NXP SE051 / A700x — AutoPi uses it"). EAL6+ certified, I²C interface, stores device keys + signs telemetry + subpoena-proof architecture baseline.

• [D-108] 12V protection: SM8S30CA TVS + IPB072N15N3 reverse-polarity + Littelfuse 1.5A PTC + LM5166 wide-input buck. Rationale: toolchain reference (lines 112-117) specifies "SMBJ / SM8S series" TVS for automotive load dump. SM8S30CA is the standard 30 V automotive TVS with 8.5 kW peak pulse capability (survives ISO 7637-2 pulse 5a). Reverse-polarity MOSFET per reference pattern. LM5166 wide-input (7.5-42 V) buck covers 12 V + 24 V vehicles + load-dump transients + crank brownout. Source: toolchain + ISO 7637-2 + reference circuits from Infineon + TI app notes.

Stage 2b — Configurator axes

• [D-150] Color options: 3 per tier, not configurator-explosion. Rationale: discipline from Bridge Mini family — tight axis count keeps inventory manageable. Black / Champagne / Deep-Teal uniform across all tiers, mirror WanderBand. Source: family-expansion discipline, WanderBand CONFIGURATOR precedent.

• [D-151] LoRa region: firmware-locked by buyer selection at order, not SKU-per-region. Rationale: same hardware ships globally; firmware enforces TX power + frequency hop table per regional profile (US 915 / EU 868 / AU 915). Advantage: single inventory SKU reduces MOQ pressure. Regulatory: each region's profile is certified separately, signed-firmware enforcement required. Source: LoRaWAN regional compliance pattern; WanderBand precedent for multi-region wearable.

Stage 3 — Compatibility

• [D-200] OBD-II physical fitment — 15° angled body as primary, tether-cable option for edge cases. Rationale: forum + field-report evidence shows 80-85% of vehicles accept straight or 15° angled OBD dongles without obstruction. ~15% (esp. 2020+ Teslas with low knee airbag clearance, some Porsche / BMW) need tether-cable. Ship tether as $12 option, listed per-vehicle compatibility in GUIDE. Source: OBD-II form-factor surveys (Bouncie + OBDLink field reports 2023-2025).

• [D-201] CAN-bus compatibility — claim support for 1996+ OBD-II (US), 2001+ EOBD (EU), 2005+ JOBD (Japan). Rationale: EPA Clean Air Act Amendment mandated OBD-II on all 1996+ vehicles; universal standard. Pre-1996 vehicles use OBD-I (manufacturer-specific, out of scope). Source: 40 CFR Part 86 Subpart A.

• [D-202] EV-specific compatibility — Pro tier only ships EV modes at v1 (Tesla CAN, Nissan Leaf CAN, Ford Mustang Mach-E / F-150 Lightning). Rationale: EV OBD implementations vary significantly; full EV support is a 30+ vehicle compatibility matrix per OEM. Ship Pro with 4 tested EV models at v1.0; expand via firmware update (WanderOS-Car) for additional models post-ship. Source: EV + OBD state-of-research 2026; OEM-variability papers.

• [D-203] OBD secure-gateway lock-out (Tesla 2025+, BMW 2026+) — standard PIDs remain mandatory-accessible (EPA), secure-gateway-mediated UDS 0x22 extensions may require OEM partnership. Rationale: standards-track read-only PIDs are mandated by EPA; they cannot be locked. OEM-specific extensions may need Autel-class diagnostic-authentication scheme. Decision: ship without secure-gateway bypass (legal grey area); document limitations per-vehicle; pursue OEM-partner agreements 2028+ for full diagnostic parity on newer vehicles. Source: SAE J3138 + manufacturer service-info portals.

• [D-204] Cellular SAR in-vehicle exposure — target <0.3 W/kg averaged over 10 g, well below FCC 1.6 W/kg limit. Rationale: OBD-port location is under-dash, close to driver's leg (~20-40 cm). BG95-M3 peak TX is ~2 W EIRP (LTE power class 3); with internal antenna + chassis attenuation, calculated averaged exposure is ~0.2 W/kg. Compliant with FCC OET 65 + CE SAR limits. Auto-Dash puck (Plus/Pro) is further from body (dash-mounted), even lower exposure. Source: FCC 47 CFR 2.1093 + OET 65 + SAR-simulation tool at Stage 7.

Stage 4 — Sourcing + lifecycle

• [D-300] Quectel BG95-M3 as primary cellular — second source: Sequans Monarch 2 GM02S. Rationale: BG95-M3 is primary (toolchain-ref, carrier-approved, widely available). Supply risk mitigation: Sequans Monarch 2 is pin-compatible enough on a module-adapter board; adds $3-5 BOM vs primary. Tertiary fallback: Telit ME910G1-WW (downgraded from WanderBand sourcing audit — still available but less preferred).

• [D-301] Production origin: US contract manufacturer (Arrow EMS NC, MacroFab TX, Bittele, US PCB Mfg) for FCC DA-26-278 positioning. Rationale: Bridge Mini precedent; favorable FCC treatment; premium pricing acceptable given automotive-grade buyer willingness-to-pay. Second-source Taiwan CM (Qisda, Inventec) for volume scaling post-DVT. Source: FCC DA-26-278 + Bridge Mini sourcing review.

• [D-302] OBD-II cable + connector sourcing — Molex 51206 OBD-II Type A male header + locally-molded PC/ABS connector shell. Rationale: Molex is a tier-1 auto-grade connector vendor; 51206 series is the automotive standard OBD connector. Local molding on the connector shell (vs imported) simplifies US-origin compliance. Source: Molex auto-grade catalog + Protolabs bridge-tooling quotes.

Stage 5 — DFM / DFA / DFT

• [D-400] PCB: 6-layer ENIG for Auto-OBD main (RF + mixed-signal + high-speed USB), 4-layer ENIG for Auto-Dash (signal-majority). Rationale: 6-layer needed for RF ground-plane + cellular + LoRa + BLE + GNSS isolation (avoid radio coupling). Auto-Dash has lower RF density (cameras are CSI-2 + NVMe is PCIe; both are high-speed but not RF); 4-layer sufficient. Source: PCB design rules for mixed-signal RF boards (Altium + reference designs from NXP AutoPi + Quectel BG95 eval kit).

• [D-401] DFT: 100% end-of-line test coverage on OBD CAN continuity, cellular attach, LoRa TX, GNSS lock, IMU self-test, crash-algorithm simulation, BLE advertise. Rationale: automotive-grade buyer expectation. Add specific OBD-CAN-loopback fixture (injects CAN frames, verifies device responds correctly). Source: Bridge Mini DFT precedent + automotive OEM expectations.

• [D-402] Shock + vibration test (Stage 5 pre-EVT): EN 60068-2-6 5-2000 Hz sweep + ISO 16750-3 random vibration + IEC 60068-2-27 shock pulse. Rationale: real automotive environment. 5 prototype units per tier subjected to full test suite. Source: ISO 16750-3 + automotive supplier expectations.

Stage 6 — Thermal / EMC / ESD

• [D-500] Thermal budget: worst-case 1.8 W dissipation (cellular TX + CPU full + LoRa TX + GNSS lock + IMU), chassis-aluminum heat path + thermal pad between MCU and chassis base. Rationale: automotive cabin interior can reach +85°C; MCU junction derated to <105°C. Chassis base (Auto-OBD) is thermally conductive to OBD-connector metal shield = secondary heat path. Source: STM32H723 datasheet + BG95-M3 thermal spec + real-world OBDLink MX+ thermal benchmark.

• [D-501] Automotive EMC: CISPR 25 (radiated emissions from vehicle device) + ISO 11452-2/-4 (immunity to vehicle transients) + IEC 61000-4-4 EFT at ±4 kV + IEC 61000-4-2 ESD at ±8 kV contact / ±15 kV air. Rationale: automotive-product baseline. CISPR 25 Class 5 target (most stringent) for emissions; ISO 11452 Class IV for immunity. Source: automotive-OEM requirements baseline + Automotive EMC Design Guide (NXP app note AN2321).

Stage 7 — Compliance

• [D-600] FMVSS scope review — WanderCar is NOT a safety-critical actuator; does NOT trigger FMVSS 208/209/301. Rationale: device is passive-diagnostic + telemetry + alerting; does not actuate steering, braking, airbag, or fuel systems. Pre-emptive counsel review by automotive-regulatory attorney at Stage 7 to confirm. Source: 49 CFR 571 FMVSS standards.

• [D-601] AEC-Q100 posture — commercial-grade silicon default (STM32H723 commercial); automotive-grade variant (STM32H723ZGT6-A Grade 2) available for strict-fleet SKU. Rationale: AEC-Q100-Grade-2 is 40-60% more expensive and 16-week lead; commercial-grade STM32H7 operates within our temp range (-40°C to +85°C qualified by STMicro extended temp). Decision: commercial-grade for retail; Grade-2 for fleet variant. Source: STMicro product datasheet + AEC-Q100 qualification documents.

• [D-602] OBD-II PHY compliance — SAE J1962 connector geometry + SAE J1850 + ISO 15765-4 CAN electrical. Rationale: mandatory for any OBD-II-branded product sold in US. Certification at Stage 7 via accredited automotive EMC lab. Source: SAE standards + 40 CFR Part 86.

Stage 8 — Canonical BOM + GUIDE + STLs

• [D-700] Publish BOMs as text CSVs in git for v1.0; graduate to Duro/OpenBOM PLM by Device #3 (if WanderCar-Family is device #3, this IS the graduation point). Rationale: toolchain guidance — startup-phase CSVs ok, growth-phase requires PLM. WanderCar-Family is likely the Device #3 threshold given Bridge Mini + WanderBand precede. Evaluate Duro vs OpenBOM at Stage 8 close-out. Source: _HARDWARE-TOOLCHAIN.md line 85.

• [D-701] Open STL: publish Auto-OBD + Auto-Dash enclosure + antenna-mount accessories CC BY-SA 4.0. Rationale: community customization + Framework-laptop-level open philosophy. PCB Gerbers NOT published at v1.0 (WanderBand precedent — revisit at v2 post-market-validation). Source: Standard 2 + Standard 17 + STL-OPEN-FILES/README.md manifest.

Stage 9 — HW ↔ FW binding

• [D-800] RTOS: Zephyr 3.7 LTS as base; FreeRTOS available as deep-embedded alternative for Ambassador-level contributors who want a smaller footprint. Rationale: toolchain reference (line 163); Zephyr has first-tier STM32H7 + nRF52840 support + LoRaMAC-node + BLE + Bluetooth-Mesh. WanderOS-Car overlay MIT-licensed on top. Source: toolchain + Nordic Zephyr support matrix.

• [D-801] Dual-partition OTA with rollback + Restic-to-Hub sync. Rationale: Bridge Mini pattern. Zephyr MCUboot handles dual-partition. Failed boot triggers rollback within 30 seconds. Source: MCUboot docs + Bridge Mini HW-FW precedent.

• [D-802] MISRA-C compliance on safety-critical paths (crash detection + duress wipe + LoJack broadcast); not pursued family-wide at v1.0. Rationale: MISRA-C overhead (tooling, training, code review cycles) is cost-prohibitive for full family v1.0. Safety-critical paths (crash detection, duress response) warrant it; non-safety paths don't. Full ISO 26262 reserved for future OEM-partnered variant on NXP S32K3. Source: MISRA-C 2023 + ISO 26262 scoping.

Stage 10 — Gate review + service flow

• [D-900] EVT test fleet: 5 vehicles covering archetype coverage — Toyota Camry (mass-market sedan), Ford F-150 (pickup), Tesla Model 3 (EV), Honda Civic (small sedan), RAM 1500 (HD pickup). Rationale: EPA + insurance-industry data shows these 5 cover 60%+ of US vehicle sales; archetype diversity (sedan / pickup / EV / small / heavy-duty). Expand to 15 vehicles at DVT, 30 at PVT. Source: BEA vehicle sales 2024-2025; EPA vehicle-emissions database.

• [D-901] Ambassador assembly time per unit: 18-25 min (Basic), 35-45 min (Plus), 45-55 min (Pro). Rationale: benchmark against WanderBand (25-40 min per band, smaller components) and Bridge Mini (7-12 min per unit). WanderCar has larger components than WanderBand + CAN/OBD validation step but fewer micro-components. Source: internal time-motion study at Stage 10 mock-assembly.

---

Decisions pending / deferred

• [P-001] Exact Z-Wave 800 + Matter-over-Thread silicon for Pro — Silicon Labs ZGM230S + ZGM130S named in spec as likely; actual Stage 4 sourcing RFQ confirms. Alt: Nordic nRF5340 (Matter-over-Thread native) + separate Z-Wave radio. Decide 2026-Q3.

• [P-002] mmWave cabin radar module — TI IWR6843 vs Infineon BGT60TR13C. Both mentioned in original WANDERCAR-BUILD-SPEC.md at Layer 2. Decision deferred to Plus Stage 4 post-Basic-EVT. Pro-tier decision might differ based on fleet-buyer feedback.

• [P-003] eSIM RSP partner — Airalo + Holafly + Nomad multi-profile support requires partnership commitment by Stage 4. Same challenge as WanderBand. Shared commitment across families reduces per-product cost. Decide 2026-Q4 (with WanderBand).

• [P-004] RTK corrections service integration — ship with NTRIP multi-caster support; list compatible services (SAPOS, Trimble RTX, Point One, Swift Skylark); no WanderVerse-hosted service. Verify user-onboarding UX at Pro EVT.

• [P-005] Insurance-partnership pilots — outreach to Lemonade, Root, Hippo for opt-in anonymized driving-score discount + referral-fee revenue stream (Standards 11.4 compliant). Deferred to 2027-Q2 post-Basic-ship.

• [P-006] Inward-camera IPV threat-model review — Stage 10 pre-ship mandatory review with WanderShield + IPV-survivor advisory board. Confirms hardware switch + software defaults are adequate. Pre-ship blocker.

• [P-007] Fleet-SaaS integration partners — decision on which (if any) enterprise fleet APIs to integrate with (non-Samsara / non-Geotab options include Motive / KeepTruckin / Fleetio). Deferred to 2028-Q2 post-Plus-ship.

---

Referenced standards + specs

• _HARDWARE-TOOLCHAIN.md — automotive reference menu (MCU/CAN/power/GNSS/IMU/BLE/SE) — drives most Stage-2 silicon choices
• _STANDALONE-AND-PLATFORM-INTEGRATION.md — dual-mode principle — drives companion-app architecture
• _FAMILY-EXPANSION-REVIEW.md — 17-category superset adapted for vehicle devices
• ~/Downloads/Claude/wandersafe/specs/WANDERCAR-BUILD-SPEC.md — complementary in-dash product (unchanged; this family adds the OBD puck)
• ~/Downloads/Claude/wandersafe/specs/WANDERVERSE-PLATFORM-STANDARDS.md — 16 platform standards (this SOP enforces)
• ~/Downloads/Claude/wandersafe/specs/WANDERVERSE-COMMUNITY-POOL-SPEC.md — 60/30/10 revenue split, Ambassador placement rules
• Bridge Mini + WanderBand precedent — sourcing + DFT + PLM pattern

---

All decisions above subject to revision at next SOP iteration. ECO log begins post-PVT ship.