diff --git a/.github/workflows/phase3-tests.yml b/.github/workflows/phase3-tests.yml
index b5b1585..c1ba90c 100644
--- a/.github/workflows/phase3-tests.yml
+++ b/.github/workflows/phase3-tests.yml
@@ -22,4 +22,11 @@ jobs:
 - name: Lint
 run: ruff check services/memory/ libs/schemas/memory.py
 - name: Test (no Redis required — uses fakeredis)
- run: pytest tests/test_memory.py -v --tb=short --cov=services/memory --cov-report=term-missing
\ No newline at end of file
+ run: pytest tests/test_memory.py -v --tb=short --cov=services/memory --cov-report=term-missing
+ - name: Run Trivy Vulnerability Scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ scan-ref: .
+ exit-code: 1 # Fail the build if vulnerabilities are found
+ severity: CRITICAL,HIGH # Focus on actionable vulnerabilities
\ No newline at end of file
diff --git a/services/__init__.py b/services/__init__.py
index 21054fe..db5ea16 100644
--- a/services/__init__.py
+++ b/services/__init__.py
@@ -1,2 +1,7 @@
-# services package
-__all__ = []
+"""Top-level service package.
+
+Subpackages are intentionally not imported eagerly so focused test suites do
+not need optional dependencies from unrelated services.
+"""
+
+__all__ = ["tracking", "memory", "detection", "reasoning"]
diff --git a/services/tracking/tracker.py b/services/tracking/tracker.py
index fa38f89..db4a769 100644
--- a/services/tracking/tracker.py
+++ b/services/tracking/tracker.py
@@ -18,7 +18,7 @@ import time from pathlib import Path -from libs.config import settings +from libs.config.settings import settings import cv2 import numpy as np from deep_sort_realtime.deepsort_tracker import DeepSort
@@ -455,4 +455,4 @@ def _interpolate_trajectory( return interpolated_points if __name__ == "__main__": - main() \ No newline at end of file + main()
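Review bot: The new Trivy step's `uses: aquasecurity/trivy-action@master` points at a mutable branch ref, so whatever is pushed to that branch runs inside this job with its checkout and token; pin it to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>` (placeholders, take the real values from the action's releases). The job's `permissions:` block is outside the hunk, so it is worth confirming the token is read-only for this scan. Because the step follows the pytest step in the same job, a failing test skips the scan; if the scan should always report, give it its own job or add `if: always()`. The file also still ends without a trailing newline.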
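Review bot: Listing the four subpackage names in `__all__` works against the docstring directly above it: for a package, `from services import *` imports every submodule named in `__all__`, so a star-import now loads tracking, memory, detection and reasoning together with their optional dependencies, and fails if any of the four is missing. If the list is meant only as documentation, keep `__all__ = []` and name the subpackages in the docstring; otherwise add a comment such as `# star-import loads all four subpackages` so the cost is explicit.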
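Review bot: The corrected local import `from libs.config.settings import settings` still sits above the third-party imports (`cv2`, `numpy`, `deep_sort_realtime`) in the first tracker.py hunk; PEP 8 grouping would place it after them in its own block, separated by a blank line. Whether other modules still use the old `from libs.config import settings` form is not visible here, so a repository-wide search for it is worth doing before merge, since that form presumably binds the module rather than the settings object.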