AFAIU, you can go in both directions, though in one of the directions (I think X25519 -> Ed25519) you have to discover or choose one among equivalent keys.

I've implemented some ciphers, and many more security protocols, but I won't pretend to understand the math well enough to directly address your question. But I believe schemes sharing keys between Ed25519 and X25519 generally rest on this paper: https://eprint.iacr.org/2021/509.pdf That paper describes the process in both directions, IIUC. See page 4,

> In this case the recipient translates the public key from edwards25519 to an X25519 public key using the map from [17]

and page 6,

> We will retrieve the two candidates for the v-coordinate from the curve equation and choose one of them uniformly at random. We then change coordinates to edwards25519 using the map in [17, 4.1]. This change of coordinates preserves addition on the curve and the basepoint of curve25519 is mapped to the basepoint on edwards255196.

See https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519 for an actual implementation converting Ed25519 to X25519 keys. See also https://www.rfc-editor.org/rfc/rfc7748.html#section-4.1 (citation reference 17, above) for the mapping function(s), though it sounds like you may have already been familiar with it.

Maybe there's some nuance wrt converting public vs private key components I'm ignoring. But libsodium provides routines for converting both public and private Ed25519 keys to X25519 independently--i.e. doesn't require the private Ed25519 key to convert the public key. Because EdDSA is more common and widely deployed than X25519/X448 key exchange (or signing) schemes, Ed25519 -> X25519 is typically the direction you care about, permitting you to preserve or leverage existing public and private key management infrastructure.