diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md
index 9cda038837..b81ebadeea 100644
--- a/source/client-side-encryption/client-side-encryption.md
+++ b/source/client-side-encryption/client-side-encryption.md
@@ -540,35 +540,35 @@ automatic credentials results in a runtime error from [libmongocrypt](#libmongoc
 > [!NOTE]
 > Drivers MUST NOT eagerly fill an empty KMS options property.
 
-Once requested, drivers MUST create a new [KMSProviders](#kmsproviders) `$P$` according to the following process:
+Once requested, drivers MUST create a new [KMSProviders](#kmsproviders) $P$ according to the following process:
 
-1. Let `$K$` be the [kmsProviders](#kmsproviders) value provided by the user as part of the original
+1. Let $K$ be the [kmsProviders](#kmsproviders) value provided by the user as part of the original
    [ClientEncryptionOpts](#ClientEncryptionOpts) or [AutoEncryptionOpts](#AutoEncryptionOpts).
-2. Initialize `$P$` to an empty [KMSProviders](#kmsproviders) object.
-3. If `$K$` contains an `aws` property, and that property is an empty map:
-   1. Attempt to obtain credentials `$C$` from the environment using similar logic as is detailed in
+2. Initialize $P$ to an empty [KMSProviders](#kmsproviders) object.
+3. If $K$ contains an `aws` property, and that property is an empty map:
+   1. Attempt to obtain credentials $C$ from the environment using similar logic as is detailed in
       [the obtaining-AWS-credentials section from the Driver Authentication specification](../auth/auth.md#obtaining-credentials),
       but ignoring the case of loading the credentials from a URI
-   2. If credentials `$C$` were successfully loaded, create a new [AWSKMSOptions](#AWSKMSOptions) map from `$C$` and
-      insert that map onto `$P$` as the `aws` property.
-4. If `$K$` contains an `gcp` property, and that property is an empty map:
-   1. Attempt to obtain credentials `$C$` from the environment logic as is detailed in
+   2. If credentials $C$ were successfully loaded, create a new [AWSKMSOptions](#AWSKMSOptions) map from $C$ and insert
+      that map onto $P$ as the `aws` property.
+4. If $K$ contains an `gcp` property, and that property is an empty map:
+   1. Attempt to obtain credentials $C$ from the environment logic as is detailed in
       [Obtaining GCP Credentials](#obtaining-gcp-credentials).
-   2. If credentials `$C$` were successfully loaded, create a new [GCPKMSOptions](#GCPKMSOptions) map from `$C$` and
-      insert that map onto `$P$` as the `gcp` property.
-5. If `$K$` contains an `azure` property, and that property is an empty map:
+   2. If credentials $C$ were successfully loaded, create a new [GCPKMSOptions](#GCPKMSOptions) map from $C$ and insert
+      that map onto $P$ as the `gcp` property.
+5. If $K$ contains an `azure` property, and that property is an empty map:
    1. If there is a `cachedAzureAccessToken` AND the duration until `azureAccessTokenExpireTime` is greater than one
-      minute, insert `cachedAzureAccessToken` as the `azure` property on `$P$`.
+      minute, insert `cachedAzureAccessToken` as the `azure` property on $P$.
    2. Otherwise:
-      1. Let `$t_0$` be the current time.
-      2. Attempt to obtain an Azure VM Managed Identity Access Token `$T$` as detailed in
+      1. Let $t_0$ be the current time.
+      2. Attempt to obtain an Azure VM Managed Identity Access Token $T$ as detailed in
          [Obtaining an Access Token for Azure Key Vault](#obtaining-an-access-token-for-azure-key-vault).
-      3. If a token `$T$` with expire duration `$d\_{exp}$` were obtained successfully, create a new
-         [AzureAccessToken](#AzureAccessToken) object with `$T$` as the `accessToken` property. Insert that
-         [AzureAccessToken](#AzureAccessToken) object into `$P$` as the `azure` property. Record the generated
+      3. If a token $T$ with expire duration $d\_{exp}$ were obtained successfully, create a new
+         [AzureAccessToken](#AzureAccessToken) object with $T$ as the `accessToken` property. Insert that
+         [AzureAccessToken](#AzureAccessToken) object into $P$ as the `azure` property. Record the generated
          [AzureAccessToken](#AzureAccessToken) in `cachedAzureAccessToken`. Record the `azureAccessTokenExpireTime` as
-         `$t_0 + d\_{exp}$`.
-6. Return `$P$` as the additional KMS providers to [libmongocrypt](#libmongocrypt).
+         $t_0 + d\_{exp}$.
+6. Return $P$ as the additional KMS providers to [libmongocrypt](#libmongocrypt).
 
 <span id="obtaining-gcp-credentials" />
 
@@ -601,37 +601,37 @@ the VM, an identity can be used by obtaining an access token via HTTP from the *
 
 The below steps should be taken:
 
-01. Let `$U$` be a new URL, initialized from the URL string `"http://169.254.169.254/metadata/identity/oauth2/token"`
+01. Let $U$ be a new URL, initialized from the URL string `"http://169.254.169.254/metadata/identity/oauth2/token"`
 
-02. Add a query parameter `api-version=2018-02-01` to `$U$`.
+02. Add a query parameter `api-version=2018-02-01` to $U$.
 
-03. Add a query parameter `resource=https://vault.azure.net/` to `$U$`.
+03. Add a query parameter `resource=https://vault.azure.net/` to $U$.
 
-04. Prepare an HTTP GET request `$Req$` based on `$U$`.
+04. Prepare an HTTP GET request $Req$ based on $U$.
 
     > [!NOTE]
-    > All query parameters on `$U$` should be appropriately percent-encoded
+    > All query parameters on $U$ should be appropriately percent-encoded
 
-05. Add HTTP headers `Metadata: true` and `Accept: application/json` to `$Req$`.
+05. Add HTTP headers `Metadata: true` and `Accept: application/json` to $Req$.
 
-06. Issue `$Req$` to the Azure IMDS server `169.254.169.254:80`. Let `$Resp$` be the response from the server. If the
-    HTTP response is not completely received within ten seconds, consider the request to have timed out, and return an
-    error instead of an access token.
+06. Issue $Req$ to the Azure IMDS server `169.254.169.254:80`. Let $Resp$ be the response from the server. If the HTTP
+    response is not completely received within ten seconds, consider the request to have timed out, and return an error
+    instead of an access token.
 
-07. If `$Resp_{status} ≠ 200$`, obtaining the access token has failed, and the HTTP response body of `$Resp$` encodes
+07. If $Resp\_{status} ≠ 200$, obtaining the access token has failed, and the HTTP response body of $Resp$ encodes
     information about the error that occurred. Return an error including the HTTP response body instead of an access
     token.
 
-08. Otherwise, let `$J$` be the JSON document encoded in the HTTP response body of `$Resp$`.
+08. Otherwise, let $J$ be the JSON document encoded in the HTTP response body of $Resp$.
 
-09. The result access token `$T$` is given as the `access_token` string property of `$J$`. Return `$T$` as the resulting
+09. The result access token $T$ is given as the `access_token` string property of $J$. Return $T$ as the resulting
     access token.
 
-10. The resulting "expires in" duration `$d_{exp}$` is a count of seconds given as an ASCII-encoded integer string
-    `expires_in` property of `$J$`.
+10. The resulting "expires in" duration $d\_{exp}$ is a count of seconds given as an ASCII-encoded integer string
+    `expires_in` property of $J$.
 
 > [!NOTE]
-> If JSON decoding of `$Resp$` fails, or the `access_token` property is absent from `$J$`, this is a protocol error from
+> If JSON decoding of $Resp$ fails, or the `access_token` property is absent from $J$, this is a protocol error from
 > IMDS. Indicate this error to the requester of the access token.
 
 > [!NOTE]
@@ -809,19 +809,19 @@ A collection supporting Queryable Encryption requires an index and three additio
 The convenience methods support the following lookup process for finding the `encryptedFields` associated with a
 collection.
 
-Assume an exposition-only function `$GetEncryptedFields(opts, collName, dbName, askDb)$`, where `$opts$` is a set of
-options, `$collName$` is the name of the collection, `$dbName$` is the name of the database associated with that
-collection, and `$askDb$` is a boolean value. The resulting `encryptedFields` `$EF$` is found by:
+Assume an exposition-only function $GetEncryptedFields(opts, collName, dbName, askDb)$, where $opts$ is a set of
+options, $collName$ is the name of the collection, $dbName$ is the name of the database associated with that collection,
+and $askDb$ is a boolean value. The resulting `encryptedFields` $EF$ is found by:
 
-1. Let `$QualName$` be the string formed by joining`$dbName$` and `$collName$` with an ASCII dot `"."`.
-2. If `$opts$` contains an `"encryptedFields"` property, then `$EF$` is the value of that property.
-3. Otherwise, if `AutoEncryptionOptions.encryptedFieldsMap` contains an element named by `$QualName$`, then `$EF$` is
-   the value of that element.
-4. Otherwise, if `$askDb$` is `true`:
+1. Let $QualName$ be the string formed by joining$dbName$ and $collName$ with an ASCII dot `"."`.
+2. If $opts$ contains an `"encryptedFields"` property, then $EF$ is the value of that property.
+3. Otherwise, if `AutoEncryptionOptions.encryptedFieldsMap` contains an element named by $QualName$, then $EF$ is the
+   value of that element.
+4. Otherwise, if $askDb$ is `true`:
    1. Issue a `listCollections` command against the database named by $dbName$, filtered by `{name: <collName>}`. Let
-      the result be the document `$L$`.
-   2. If `$L$` contains an `options` document element, and that element contains an `encryptedFields` document element,
-      `$EF$` is `$L$` `["options"]["encryptedFields"]`.
+      the result be the document $L$.
+   2. If $L$ contains an `options` document element, and that element contains an `encryptedFields` document element,
+      $EF$ is $L$ `["options"]["encryptedFields"]`.
    3. Otherwise, $EF$ is *not-found*
 5. Otherwise, $EF$ is considered *not-found*.
 
@@ -843,8 +843,8 @@ Drivers MUST support a BSON document option named `encryptedFields` for any
 > Drivers MUST NOT document the `escCollection` and `ecocCollection` options.
 
 For a helper function, `CreateCollection(collectionName, collectionOptions)` with the name of the database associated as
-`$dbName$`, look up the encrypted fields `encryptedFields` for the collection as
-`$GetEncryptedFields(collectionOptions, collectionName, dbName, false)$` ([See here](#GetEncryptedFields)).
+$dbName$, look up the encrypted fields `encryptedFields` for the collection as $GetEncryptedFields(collectionOptions,
+collectionName, dbName, false)$ ([See here](#GetEncryptedFields)).
 
 If a set of `encryptedFields` was found, then do the following operations. If any of the following operations error, the
 remaining operations are not attempted:
@@ -867,33 +867,33 @@ remaining operations are not attempted:
 
 #### Create Encrypted Collection Helper
 
-To support automatic generation of encryption data keys, a helper
-`$CreateEncryptedCollection(CE, database, collName, collOpts, kmsProvider, masterKey)$` is defined, where `$CE$` is a
-[ClientEncryption](#clientencryption-1) object, `$kmsProvider$` is a [KMSProvider](#KMSProvider) and `$masterKey$` is
-equivalent to the `$masterKey$` defined in [DataKeyOpts](#datakeyopts). It has the following behavior:
-
-- If `$collOpts$` contains an `"encryptedFields"` property, then `$EF$` is the value of that property. Otherwise, report
-  an error that there are no `encryptedFields` defined for the collection.
-- Let `$EF'$` be a copy of `$EF$`. Update `$EF'$` in the following manner:
-  - Let `$Fields$` be the `"fields"` element within `$EF'$`.
-  - If `$Fields$` is present and is an array value, then for each element `$F$` of `Fields`:
-    - If `$F$` is not a document element, skip it.
-    - Otherwise, if `$F$` has a `"keyId"` named element `$K$` and `$K$` is a `null` value:
-      - Create a [DataKeyOpts](#datakeyopts) named `$dkOpts$` with the `$masterKey$` argument.
-      - Let `$D$` be the result of `CE.createDataKey(kmsProvider, dkOpts)`.
-      - If generating `$D$` resulted in an error `$E$`, the entire `$CreateEncryptedCollection$` must now fail with
-        error `$E$`. Return the partially-formed `$EF'$` with the error so that the caller may know what datakeys have
-        already been created by the helper.
-      - Replace `$K$` in `$F$` with `$D$`.
-- Create a new set of options `$collOpts'$` duplicating `$collOpts$`. Set the `"encryptedFields"` named element of
-  `$collOpts'$` to `$EF'$`.
-- Invoke the `CreateCollection` helper as `$CreateCollection(database, collName, collOpts')$`. Return the resulting
-  collection and the generated `$EF'$`. If an error occurred, return the resulting `$EF$` with the error so that the
-  caller may know what datakeys have already been created by the helper.
-
-Drivers MUST document that `$createEncryptedCollection$` does not affect any auto encryption settings on existing
+To support automatic generation of encryption data keys, a helper $CreateEncryptedCollection(CE, database, collName,
+collOpts, kmsProvider, masterKey)$ is defined, where $CE$ is a [ClientEncryption](#clientencryption-1) object,
+$kmsProvider$ is a [KMSProvider](#KMSProvider) and $masterKey$ is equivalent to the $masterKey$ defined in
+[DataKeyOpts](#datakeyopts). It has the following behavior:
+
+- If $collOpts$ contains an `"encryptedFields"` property, then $EF$ is the value of that property. Otherwise, report an
+  error that there are no `encryptedFields` defined for the collection.
+- Let $EF'$ be a copy of $EF$. Update $EF'$ in the following manner:
+  - Let $Fields$ be the `"fields"` element within $EF'$.
+  - If $Fields$ is present and is an array value, then for each element $F$ of `Fields`:
+    - If $F$ is not a document element, skip it.
+    - Otherwise, if $F$ has a `"keyId"` named element $K$ and $K$ is a `null` value:
+      - Create a [DataKeyOpts](#datakeyopts) named $dkOpts$ with the $masterKey$ argument.
+      - Let $D$ be the result of `CE.createDataKey(kmsProvider, dkOpts)`.
+      - If generating $D$ resulted in an error $E$, the entire $CreateEncryptedCollection$ must now fail with error $E$.
+        Return the partially-formed $EF'$ with the error so that the caller may know what datakeys have already been
+        created by the helper.
+      - Replace $K$ in $F$ with $D$.
+- Create a new set of options $collOpts'$ duplicating $collOpts$. Set the `"encryptedFields"` named element of
+  $collOpts'$ to $EF'$.
+- Invoke the `CreateCollection` helper as $CreateCollection(database, collName, collOpts')$. Return the resulting
+  collection and the generated $EF'$. If an error occurred, return the resulting $EF$ with the error so that the caller
+  may know what datakeys have already been created by the helper.
+
+Drivers MUST document that $createEncryptedCollection$ does not affect any auto encryption settings on existing
 MongoClients that are already configured with auto encryption. Users must configure auto encryption after creating the
-encrypted collection with the `$createEncryptedCollection$` helper.
+encrypted collection with the $createEncryptedCollection$ helper.
 
 #### Drop Collection Helper
 
@@ -912,9 +912,9 @@ Drivers MUST support a BSON document option named `encryptedFields` for any
 >
 > Drivers SHOULD NOT document the `escCollection` and `ecocCollection` options.
 
-For a helper function `DropCollection(dropOptions)` with associated collection named `$collName$` and database named
-`$dbName$`, look up the encrypted fields `encryptedFields` as
-`$GetEncryptedFields(dropOptions, collName, dbname, true)$` ([See here](#GetEncryptedFields)).
+For a helper function `DropCollection(dropOptions)` with associated collection named $collName$ and database named
+$dbName$, look up the encrypted fields `encryptedFields` as $GetEncryptedFields(dropOptions, collName, dbname, true)$
+([See here](#GetEncryptedFields)).
 
 If a set of `encryptedFields` was found, then perform the following operations. If any of the following operations
 error, the remaining operations are not attempted. A `namespace not found` error returned from the server (server error
diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md
index 1b6b1ab2f9..2877fbb964 100644
--- a/source/client-side-encryption/tests/README.md
+++ b/source/client-side-encryption/tests/README.md
@@ -32,8 +32,8 @@ The spec tests format is an extension of the
 - An `encrypted_fields` to set on the collection used for operations.
 - A `key_vault_data` of data that should be inserted in the key vault collection before each test.
 - Introduction `autoEncryptOpts` to `clientOptions`
-- Addition of `$db` to command in `command_started_event`
-- Addition of `$$type` to command_started_event and outcome.
+- Addition of `$db`to command in`command_started_event`
+- Addition of `$$type` to `command_started_event` and outcome.
 
 The semantics of `$$type` is that any actual value matching one of the types indicated by either a BSON type string or
 an array of BSON type strings is considered a match.
@@ -2249,7 +2249,7 @@ for the field `cursor.firstBatch.encrypted`.
 These tests require valid AWS credentials. Refer:
 [Automatic AWS Credentials](../client-side-encryption.rst#automatic-aws-credentials).
 
-For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object `$C$` with the
+For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the
 following options:
 
 ```typescript
@@ -2265,7 +2265,7 @@ class ClientEncryptionOpts {
 Do not run this test case in an environment where AWS credentials are available (e.g. via environment variables or a
 metadata URL). (Refer: [Obtaining credentials for AWS](../../auth/auth.rst#obtaining-credentials))
 
-Attempt to create a datakey with `$C$` using the `"aws"` KMS provider. Expect this to fail due to a lack of KMS provider
+Attempt to create a datakey with $C$ using the `"aws"` KMS provider. Expect this to fail due to a lack of KMS provider
 credentials.
 
 #### Case 2: Success
@@ -2410,7 +2410,7 @@ impossible by design to omit `RewrapManyDataKeyOpts.provider` when `RewrapManyDa
 
 Refer: [Automatic GCP Credentials](../client-side-encryption.rst#automatic-gcp-credentials).
 
-For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object `$C$` with the
+For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the
 following options:
 
 ```typescript
@@ -2426,7 +2426,7 @@ class ClientEncryptionOpts {
 Do not run this test case in an environment with a GCP service account is attached (e.g. any
 [GCE equivalent runtime](https://google.aip.dev/auth/4115)). This may be run in an AWS EC2 instance.
 
-Attempt to create a datakey with `$C$` using the `"gcp"` KMS provider and following `DataKeyOpts`:
+Attempt to create a datakey with $C$ using the `"gcp"` KMS provider and following `DataKeyOpts`:
 
 ```typescript
 class DataKeyOpts {
@@ -2448,7 +2448,7 @@ This test case must run in a Google Compute Engine (GCE) Virtual Machine with a
 for scripts to create a GCE instance for testing. The Evergreen task SHOULD set a `batchtime` of 14 days to reduce how
 often this test case runs.
 
-Attempt to create a datakey with `$C$` using the `"gcp"` KMS provider and following `DataKeyOpts`:
+Attempt to create a datakey with $C$ using the `"gcp"` KMS provider and following `DataKeyOpts`:
 
 ```typescript
 class DataKeyOpts {
@@ -2575,7 +2575,7 @@ a timeout.
 
 Refer: [Automatic Azure Credentials](../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault)
 
-For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object `$C$` with the
+For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the
 following options:
 
 ```typescript
@@ -2590,7 +2590,7 @@ class ClientEncryptionOpts {
 
 Do not run this test case in an Azure environment with an attached identity. This may be run in an AWS EC2 instance.
 
-Attempt to create a datakey with `$C$` using the `"azure"` KMS provider and following `DataKeyOpts`:
+Attempt to create a datakey with $C$ using the `"azure"` KMS provider and following `DataKeyOpts`:
 
 ```typescript
 class DataKeyOpts {
@@ -2610,7 +2610,7 @@ This test case must run in an Azure environment with an attached identity. See
 for scripts to create a Azure instance for testing. The Evergreen task SHOULD set a `batchtime` of 14 days to reduce how
 often this test case runs.
 
-Attempt to create a datakey with `$C$` using the `"azure"` KMS provider and following `DataKeyOpts`:
+Attempt to create a datakey with $C$ using the `"azure"` KMS provider and following `DataKeyOpts`:
 
 ```typescript
 class DataKeyOpts {
@@ -2706,7 +2706,7 @@ This test is the most basic to verify that
 [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) created a collection with
 queryable encryption enabled. It verifies that the server rejects an attempt to insert plaintext in an encrypted fields.
 
-1. Create a new create-collection options `$Opts$` including the following:
+1. Create a new create-collection options $Opts$ including the following:
 
    ```typescript
    {
@@ -2720,8 +2720,8 @@ queryable encryption enabled. It verifies that the server rejects an attempt to
    }
    ```
 
-2. Invoke `$CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$` to obtain a new collection
-   `$Coll$`. Expect success.
+2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$ to obtain a new collection
+   $Coll$. Expect success.
 
 3. Attempt to insert the following document into `Coll`:
 
@@ -2741,8 +2741,8 @@ The [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-c
 create a regular collection if there are no `encryptedFields` for the collection being created. Instead, it should
 generate an error indicated that the `encryptedFields` option is missing.
 
-1. Create a new empty create-collection options `$Opts$`. (i.e. it must not contain any `encryptedFields` options.)
-2. Invoke `$CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$`.
+1. Create a new empty create-collection options $Opts$. (i.e. it must not contain any `encryptedFields` options.)
+2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$.
 3. Expect the invocation to fail with an error indicating that `encryptedFields` is not defined for the collection, and
    expect that no collection was created within the database. It would be *incorrect* for
    [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) to create a regular
@@ -2760,7 +2760,7 @@ with such invalid settings.
 > This test is not required if the type system of the driver has a compile-time check that fields' `keyId`s are of the
 > correct type.
 
-1. Create a new create-collection options `$Opts$` including the following:
+1. Create a new create-collection options $Opts$ including the following:
 
    ```typescript
    {
@@ -2774,7 +2774,7 @@ with such invalid settings.
    }
    ```
 
-2. Invoke `$CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$`.
+2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$.
 
 3. Expect an error from the server indicating a validation error at `create.encryptedFields.fields.keyId`, which must be
    a UUID and not a boolean value.
@@ -2783,7 +2783,7 @@ with such invalid settings.
 
 This test is continuation of the case 1 and provides a way to complete inserting with encrypted value.
 
-1. Create a new create-collection options `$Opts$` including the following:
+1. Create a new create-collection options $Opts$ including the following:
 
    ```typescript
    {
@@ -2797,11 +2797,11 @@ This test is continuation of the case 1 and provides a way to complete inserting
    }
    ```
 
-2. Invoke `$CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$` to obtain a new collection
+2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$ to obtain a new collection
    $Coll$ and data key $key1$. Expect success.
 
-3. Use `$CE$` to explicitly encrypt the string "123-45-6789" using algorithm $Unindexed$ and data key `$key1$`. Refer
-   result as `$encryptedPayload$`.
+3. Use $CE$ to explicitly encrypt the string "123-45-6789" using algorithm $Unindexed$ and data key $key1$. Refer result
+   as $encryptedPayload$.
 
 4. Attempt to insert the following document into `Coll`: