diff --git a/lib/init/nomad/vault-engines.sh b/lib/init/nomad/vault-engines.sh
index fec0959..f4e9be2 100644
--- a/lib/init/nomad/vault-engines.sh
+++ b/lib/init/nomad/vault-engines.sh
@@ -55,7 +55,10 @@ EOF
     ;;
   --dry-run)
     # Dry-run: just echo what would happen
-    if vault secrets list -format=json | jq -e '."kv/"' >/dev/null 2>&1; then
+    # Use curl directly instead of vault CLI to avoid dependency on vault binary
+    if curl -sS -H "X-Vault-Token: ${VAULT_TOKEN:-}" \
+      "${VAULT_ADDR:-http://127.0.0.1:8200}/v1/sys/secrets-list" 2>/dev/null | \
+      jq -e '."kv/"' >/dev/null 2>&1; then
       log "[dry-run] kv-v2 at kv/ already enabled"
     else
       log "[dry-run] would run: vault secrets enable -path=kv -version=2 kv"