fix: pin go directive to 1.20, add user ownership check on GetPDFTask

- Downgrade go directive in go.mod from 1.23.0 back to 1.20 to match
  Docker builder image (golang:1.20-alpine); re-run go mod tidy with
  go1.20 (via gvm) to keep go.sum consistent
- GetPDFTask now verifies callerUserID matches task.UserID to prevent
  cross-user data exposure of PDF page content

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 14:52:20 +08:00
parent 9d712c921a
commit ac078a16bc
4 changed files with 8 additions and 25 deletions


@@ -81,7 +81,7 @@ func (e *PDFEndpoint) GetTaskStatus(c *gin.Context) {
return
}
resp, err := e.pdfService.GetPDFTask(c, req.TaskNo)
resp, err := e.pdfService.GetPDFTask(c, req.TaskNo, c.GetInt64(constant.ContextUserID))
if err != nil {
if bizErr, ok := err.(*common.BusinessError); ok {
c.JSON(http.StatusOK, common.ErrorResponse(c, int(bizErr.Code), bizErr.Message))
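Review bot: `c.GetInt64(constant.ContextUserID)` in the new GetPDFTask call returns 0 both when the key is missing from the context and when the stored value is not an `int64`, so the ownership check can silently compare against 0. If the auth middleware stores the ID under another type, every lookup would be rejected. If any task row has UserID 0, a caller with no resolved identity would match it; neither the middleware nor the service side is visible here, so both cases need confirming. I would read the value explicitly and fail closed before calling the service, e.g. `uid := c.GetInt64(constant.ContextUserID)` followed by `if uid <= 0 { /* respond as unauthenticated and return */ }`, and pass `uid` on. GetTaskStatus starts and ends outside this hunk.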