I've read through the code in agessh.go which wraps ssh-ed25519 keys as age identities and recipients, and while there's a reference to Filippo's article about using Ed25519 signing keys for encryption by converting them into X25519 keys, the age implementation uses a more complex construction than just the bare key exchange shown in the article.
In particular, there is a "tweak" derived from the recipient public (SSH) key using an HKDF which is then used in a further round of Curve25519 multiplication. This is somewhat opaque, as I'm not cryptography-literate enough to infer why the tweak is there (or why it uses an HKDF with a salt but no input key material). I've read through some of the libsodium documentation, which links to this paper on the page about turning Ed25519 keys into X25519 keys, which describes a construction using an HMAC to defang some of the dragons related to reusing signing keys for encryption, but this doesn't quite line up with what age does.
It would be great if the cryptography for the ssh-ed25519 key derivation could be documented, and explain the purpose of the tweak and why it's built the way it is.
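For readers trying to follow the construction the issue describes, here is an added Go model of it (written for this discussion, not age's own code and not from agessh.go). It assumes the HKDF info string shown, uses the raw 32-byte Ed25519 key as the HKDF salt where age uses the SSH wire-format key, and reimplements HKDF-SHA256 inline so only the standard library is needed; the point it demonstrates is that the tweak is just another scalar, so applying it to the public key on the sender's side and to the ECDH result on the recipient's side yields the same shared secret.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"math/big"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// tweak: HKDF-SHA256 with salt = public key, NO input key material, fixed label as info (label and raw-key salt are assumptions).
func tweak(pub []byte) []byte {
	prk := hmac.New(sha256.New, pub).Sum(nil) // HKDF-Extract(salt=pub, ikm="")
	exp := hmac.New(sha256.New, prk)          // HKDF-Expand, first block only
	exp.Write([]byte("age-encryption.org/v1/ssh-ed25519\x01"))
	return exp.Sum(nil)
}
// x25519 is Curve25519 scalar multiplication from the standard library (it clamps the scalar).
func x25519(scalar, point []byte) []byte {
	k := must(ecdh.X25519().NewPrivateKey(scalar))
	return must(k.ECDH(must(ecdh.X25519().NewPublicKey(point))))
}
// edToX: Ed25519 public key (y little-endian, x sign in bit 255) -> Montgomery u = (1+y)/(1-y) mod 2^255-19.
func edToX(pub ed25519.PublicKey) []byte {
	p := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	be := make([]byte, 32)
	for i := range be { be[i] = pub[31-i] } // math/big wants big-endian
	y := new(big.Int).SetBit(new(big.Int).SetBytes(be), 255, 0) // drop the x sign bit
	den := new(big.Int).Mod(new(big.Int).Sub(big.NewInt(1), y), p)
	u := new(big.Int).Add(big.NewInt(1), y)
	u.Mul(u, den.ModInverse(den, p)).Mod(u, p).FillBytes(be)
	for i := 0; i < 16; i++ { be[i], be[31-i] = be[31-i], be[i] } // back to little-endian
	return be
}
// Sender: tweak the recipient's converted public key, then ECDH with the ephemeral scalar.
func senderSecret(recipient ed25519.PublicKey, eph *ecdh.PrivateKey) []byte {
	return x25519(eph.Bytes(), x25519(tweak(recipient), edToX(recipient)))
}
// Recipient: ECDH with the converted secret, then the same tweak; scalar multiplication commutes, so both sides reach tweak*e*s*B.
func recipientSecret(id ed25519.PrivateKey, ephPub []byte) []byte {
	s := sha512.Sum512(id.Seed()) // the Ed25519 secret scalar is the first 32 bytes (clamped inside x25519)
	return x25519(tweak(id.Public().(ed25519.PublicKey)), x25519(s[:32], ephPub))
}
func main() { // stand-alone check: both derivations agree
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	println(string(senderSecret(pub, eph)) == string(recipientSecret(priv, eph.PublicKey().Bytes())))
}
```

Because X25519 clamps every scalar it is given, multiplying by the tweak as a second X25519 round on both sides sidesteps any explicit scalar arithmetic; the real file-key wrapping step that follows the shared secret is not modelled here.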