diff --git a/docs/reference/cmdlets/Invoke-IdlePlan.md b/docs/reference/cmdlets/Invoke-IdlePlan.md
index b152e300..fed4e598 100644
--- a/docs/reference/cmdlets/Invoke-IdlePlan.md
+++ b/docs/reference/cmdlets/Invoke-IdlePlan.md
@@ -32,7 +32,7 @@ Provider resolution:
 ### EXAMPLE 1
 ```
 # Default: plan built with providers, execution uses Plan.Providers
-$providers = @{ Identity = $provider; AuthSessionBroker = $broker }
+$providers = @{ Identity = $provider; AuthSessionBroker = $authSessionBroker }
 $plan = New-IdlePlan -WorkflowPath ./joiner.psd1 -Request $req -Providers $providers
 Invoke-IdlePlan -Plan $plan
 ```
diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md
index c8a04cbe..31b5d475 100644
--- a/docs/reference/cmdlets/New-IdleAuthSession.md
+++ b/docs/reference/cmdlets/New-IdleAuthSession.md
@@ -29,13 +29,13 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker.
 ### EXAMPLE 1
 ```
 # Simple broker with single credential
-$broker = New-IdleAuthSession -DefaultAuthSession $credential -AuthSessionType 'Credential'
+$authSessionBroker = New-IdleAuthSession -DefaultAuthSession $credential -AuthSessionType 'Credential'
 ```
 
 ### EXAMPLE 2
 ```
 # Mixed-type broker for AD + EXO
-$broker = New-IdleAuthSession -SessionMap @{
+$authSessionBroker = New-IdleAuthSession -SessionMap @{
 @{ AuthSessionName = 'AD' } = @{ AuthSessionType = 'Credential'; Credential = $adCred }
 @{ AuthSessionName = 'EXO' } = @{ AuthSessionType = 'OAuth'; Credential = $token }
 }
diff --git a/docs/use/walkthrough/05-providers-authentication.md b/docs/use/walkthrough/05-providers-authentication.md
index 0ff7abd7..ba0d1420 100644
--- a/docs/use/walkthrough/05-providers-authentication.md
+++ b/docs/use/walkthrough/05-providers-authentication.md
@@ -131,7 +131,7 @@ A minimal broker for a single credential:
 
 ```powershell
 $cred = Get-Credential
-$broker = New-IdleAuthSession -DefaultAuthSession $cred -AuthSessionType 'Credential'
+$authSessionBroker = New-IdleAuthSession -DefaultAuthSession $cred -AuthSessionType 'Credential'
 ```
 
 A broker that supports named routing (example: `AD` and `EXO`):
@@ -140,7 +140,7 @@ A broker that supports named routing (example: `AD` and `EXO`):
 $adCred = Get-Credential
 $exoToken = ''
 
-$broker = New-IdleAuthSession -SessionMap @{
+$authSessionBroker = New-IdleAuthSession -SessionMap @{
 @{ AuthSessionName = 'AD' } = @{ AuthSessionType = 'Credential'; Credential = $adCred }
 @{ AuthSessionName = 'EXO' } = @{ AuthSessionType = 'OAuth'; Credential = $exoToken }
 }
@@ -161,7 +161,7 @@ To make the broker available at runtime, add it to the provider registry under t
 ```powershell
 $providers = @{
 Identity = New-IdleMockIdentityProvider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 ```
 
diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1
index 8db50910..8a29b9dc 100644
--- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1
+++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1
@@ -48,44 +48,44 @@ function New-IdleAuthSessionBroker {
 
 .EXAMPLE
 # Simple single-credential broker (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -DefaultAuthSession $admCred -AuthSessionType 'Credential'
+ $authSessionBroker = New-IdleAuthSessionBroker -DefaultAuthSession $admCred -AuthSessionType 'Credential'
 
 .EXAMPLE
 # AuthSessionName-based routing with roles (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ AuthSessionName = 'AD'; Role = 'ADAdm' } = $tier0Credential
 @{ AuthSessionName = 'AD'; Role = 'ADRead' } = $readOnlyCredential
 } -DefaultAuthSession $adminCredential -AuthSessionType 'Credential'
 
 .EXAMPLE
 # OAuth broker with token strings (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Role = 'Admin' } = $graphToken
 } -DefaultAuthSession $graphToken -AuthSessionType 'OAuth'
 
 .EXAMPLE
 # Domain-based broker for multi-forest scenarios (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Domain = 'SourceAD' } = $sourceCred
 @{ Domain = 'TargetAD' } = $targetCred
 } -AuthSessionType 'Credential'
 
 .EXAMPLE
 # PSRemoting broker for Entra Connect directory sync (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Server = 'AADConnect01' } = $remoteSessionCred
 } -AuthSessionType 'PSRemoting'
 
 .EXAMPLE
 # Environment-based routing (with AuthSessionType)
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Environment = 'Production' } = $prodCred
 @{ Environment = 'Test' } = $testCred
 } -DefaultAuthSession $devCred -AuthSessionType 'Credential'
 
 .EXAMPLE
 # Mixed-type broker for AD (Credential) + EXO (OAuth) - typed descriptors
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ AuthSessionName = 'AD' } = @{ AuthSessionType = 'Credential'; Credential = $adCred }
 @{ AuthSessionName = 'EXO' } = @{ AuthSessionType = 'OAuth'; Credential = $exoToken }
 }
diff --git a/src/IdLE.Provider.AD/Public/New-IdleADIdentityProvider.ps1 b/src/IdLE.Provider.AD/Public/New-IdleADIdentityProvider.ps1
index af595630..53a21cf2 100644
--- a/src/IdLE.Provider.AD/Public/New-IdleADIdentityProvider.ps1
+++ b/src/IdLE.Provider.AD/Public/New-IdleADIdentityProvider.ps1
@@ -70,7 +70,7 @@ function New-IdleADIdentityProvider {
 
 $tier0Credential = Get-Credential -Message "Enter Tier0 admin credentials"
 $adminCredential = Get-Credential -Message "Enter regular admin credentials"
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Role = 'Tier0' } = $tier0Credential
 @{ Role = 'Admin' } = $adminCredential
 } -DefaultCredential $adminCredential
@@ -78,7 +78,7 @@ function New-IdleADIdentityProvider {
 $provider = New-IdleADIdentityProvider
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
 Identity = $provider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 
 # Workflow steps can specify different auth contexts:
@@ -87,8 +87,8 @@ function New-IdleADIdentityProvider {
 
 .EXAMPLE
 # Custom broker for advanced scenarios (vault integration, MFA)
- $broker = [pscustomobject]@{}
- $broker | Add-Member -MemberType ScriptMethod -Name AcquireAuthSession -Value {
+ $authSessionBroker = [pscustomobject]@{}
+ $authSessionBroker | Add-Member -MemberType ScriptMethod -Name AcquireAuthSession -Value {
 param($Name, $Options)
 if ($Options.Role -eq 'Tier0') {
 return Get-SecretFromVault -Name 'AD-Tier0'
@@ -99,7 +99,7 @@ function New-IdleADIdentityProvider {
 $provider = New-IdleADIdentityProvider
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
 Identity = $provider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 #>
 [CmdletBinding()]
diff --git a/src/IdLE.Provider.EntraID/Public/New-IdleEntraIDIdentityProvider.ps1 b/src/IdLE.Provider.EntraID/Public/New-IdleEntraIDIdentityProvider.ps1
index 43c3d2dc..9fa90933 100644
--- a/src/IdLE.Provider.EntraID/Public/New-IdleEntraIDIdentityProvider.ps1
+++ b/src/IdLE.Provider.EntraID/Public/New-IdleEntraIDIdentityProvider.ps1
@@ -43,14 +43,14 @@ function New-IdleEntraIDIdentityProvider {
 # Basic usage with delegated auth
 # Host obtains token via secure method (not shown here - see provider documentation)
 $accessToken = Get-SecureGraphToken
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{} = $accessToken
 } -DefaultCredential $accessToken
 
 $provider = New-IdleEntraIDIdentityProvider
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
 Identity = $provider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 
 .EXAMPLE
@@ -58,7 +58,7 @@ function New-IdleEntraIDIdentityProvider {
 
 $tier0Token = Get-GraphTokenForTier0 # host-managed auth
 $adminToken = Get-GraphTokenForAdmin
- $broker = New-IdleAuthSessionBroker -SessionMap @{
+ $authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{ Role = 'Tier0' } = $tier0Token
 @{ Role = 'Admin' } = $adminToken
 } -DefaultCredential $adminToken
@@ -66,7 +66,7 @@ function New-IdleEntraIDIdentityProvider {
 $provider = New-IdleEntraIDIdentityProvider
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
 Identity = $provider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 
 # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' }
diff --git a/src/IdLE.Provider.EntraID/README.md b/src/IdLE.Provider.EntraID/README.md
index 96eb61c2..bf0a0146 100644
--- a/src/IdLE.Provider.EntraID/README.md
+++ b/src/IdLE.Provider.EntraID/README.md
@@ -12,7 +12,7 @@ Import-Module IdLE
 $token = Get-GraphToken
 
 # Create broker for auth routing
-$broker = New-IdleAuthSessionBroker -SessionMap @{
+$authSessionBroker = New-IdleAuthSessionBroker -SessionMap @{
 @{} = $token
 } -DefaultCredential $token
 
@@ -22,7 +22,7 @@ $provider = New-IdleEntraIDIdentityProvider
 # Use in workflows
 $providers = @{
 Identity = $provider
- AuthSessionBroker = $broker
+ AuthSessionBroker = $authSessionBroker
 }
 $plan = New-IdlePlan -WorkflowPath '.\joiner.psd1' -Request $request -Providers $providers
 ```
diff --git a/src/IdLE/Public/Invoke-IdlePlan.ps1 b/src/IdLE/Public/Invoke-IdlePlan.ps1
index 2fc5e5f8..cc4229ba 100644
--- a/src/IdLE/Public/Invoke-IdlePlan.ps1
+++ b/src/IdLE/Public/Invoke-IdlePlan.ps1
@@ -29,7 +29,7 @@ function Invoke-IdlePlan {
 
 .EXAMPLE
 # Default: plan built with providers, execution uses Plan.Providers
- $providers = @{ Identity = $provider; AuthSessionBroker = $broker }
+ $providers = @{ Identity = $provider; AuthSessionBroker = $authSessionBroker }
 $plan = New-IdlePlan -WorkflowPath ./joiner.psd1 -Request $req -Providers $providers
 Invoke-IdlePlan -Plan $plan
 
diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1
index f708d9e5..502a2e2a 100644
--- a/src/IdLE/Public/New-IdleAuthSession.ps1
+++ b/src/IdLE/Public/New-IdleAuthSession.ps1
@@ -35,11 +35,11 @@ function New-IdleAuthSession {
 
 .EXAMPLE
 # Simple broker with single credential
- $broker = New-IdleAuthSession -DefaultAuthSession $credential -AuthSessionType 'Credential'
+ $authSessionBroker = New-IdleAuthSession -DefaultAuthSession $credential -AuthSessionType 'Credential'
 
 .EXAMPLE
 # Mixed-type broker for AD + EXO
- $broker = New-IdleAuthSession -SessionMap @{
+ $authSessionBroker = New-IdleAuthSession -SessionMap @{
 @{ AuthSessionName = 'AD' } = @{ AuthSessionType = 'Credential'; Credential = $adCred }
 @{ AuthSessionName = 'EXO' } = @{ AuthSessionType = 'OAuth'; Credential = $token }
 }