portal: fix dead set-password link (rename controller to underscore)

Root cause of the 'Link invalid' onboarding link: Frappe's TemplatePage
resolves a www page's Python controller by converting hyphens to underscores
(see frappe/website/page_renderers/template_page.py set_pymodule: it looks for
'set_password.py' next to 'set-password.html'). Our controller was named
'set-password.py' (hyphen), so os.path.exists() missed it, pymodule_name stayed
None, get_context never ran over HTTP, and the template rendered with no
context -> raw {{ email }}, title 'Link invalid', token never verified. (It
worked under bench/in-process only because we called get_context directly.)

Fix: rename www/set-password.py -> www/set_password.py (route stays
/set-password, driven by the .html filename) and update the whitelisted submit
endpoint path in set-password.html to ...www.set_password.submit.

NOTE: the sibling legacy CRTC/CDR admin pages (admin-filings.py,
admin-resellers.py, cdr-*.py) have the same latent hyphen bug; left as-is since
they're outside the compliance portal, but they are silently controller-less.

performancewest_erpnext/performancewest_erpnext/www/set-password.html

@@ -86,7 +86,7 @@
 
       try {
         const resp = await fetch(
-          "/api/method/performancewest_erpnext.www.set-password.submit",
+          "/api/method/performancewest_erpnext.www.set_password.submit",
           {
             method: "POST",
             headers: { "Content-Type": "application/x-www-form-urlencoded" },